Are complex passwords 'out of date'?
This information is based on newly published guidance from the US National Institute of Standards and Technology (NIST), which develops and issues guidance to help organizations protect information systems.
For years, complex passwords, combining uppercase and lowercase letters, numbers, and symbols, have been favored by experts and service providers because they are believed to make passwords harder to guess or crack through brute force attacks.
However, complex passwords are counterproductive and actually weaken security. Complex passwords encourage users to develop bad habits such as choosing simple passwords or reusing old passwords.
In its latest guidelines, NIST has encouraged using longer passwords instead of complex passwords.
The first reason is that people often have trouble remembering complex passwords, which leads them to use passwords that are easy to guess or to use the same password for multiple sites. This is exacerbated by the fact that many organizations require you to change your password every 60 to 90 days, which NIST no longer recommends.
Password strength is often measured by entropy, the number of possible combinations that can be created using the characters in the password. The higher the number of combinations, the harder the password is to crack using brute force or guessing methods.
Length plays a much larger role in the number of possible combinations than complexity. A longer password with more characters has exponentially more possible combinations.
The second reason is that long passwords with many simple words are easier to remember, ensuring users don't resort to unsafe practices like writing down passwords or reusing them.
Additionally, long passwords, due to the large number of possible combinations, are more difficult for complex algorithms to crack than short, complex passwords.
For example, changing a password from 4 digits to 6 digits increases the number of possible combinations from 10,000 to 1,000,000.
NIST recommends that users create passwords that are up to 64 characters long. A password that uses only lowercase letters and words is extremely difficult to crack, while one that includes uppercase letters and symbols becomes mathematically impossible.
You should read it
- How to check password strength
- Complex () function in Python
- Use Password Safe in Windows 7
- How to retrieve a Tik Tok password when it is lost
- How to remove PDF file password
- How to change Snapchat password on phone and computer
- Check the security of the password
- Use an 8-character Windows NTLM password? Congratulations, your password may be unlocked after only 2.5 hours
- 5 best password management apps for iOS
- Has your password been leaked? Please check now
- How to Remove the Password from a Zip File Without Knowing the Password
- Set a password for the USB
Maybe you are interested
This list of common passwords shows how little we understand about online security
More than 60% of passwords are cracked by AI in less than 60 seconds
Create passwords for apps and games on iPhone 6, 5s, 5
Why should you store passwords in Bitwarden?
How to manage saved passwords on Microsoft Edge: View, delete, edit, export
How to sync passwords in the iPhone Password app