Using complex passwords built from a mix of character types, and changing passwords regularly, is now recognized by the US National Institute of Standards and Technology (NIST) as an ineffective practice, Forbes reports: attackers crack such passwords easily. NIST has published new guidance for users and businesses in the second public draft of NIST SP 800-63-4, its Digital Identity Guidelines.
For many years, it was believed that to be secure, passwords should be as complex as possible, including uppercase and lowercase letters, numbers and special characters. It was assumed that such passwords would be more difficult to guess or crack using special programs. However, over time, experts came to the conclusion that overly complex passwords have the opposite effect.
According to the new guidance, NIST no longer insists on strict rules regarding password complexity, but instead recommends making them longer. There were several reasons for this. First, research has shown that users have difficulty remembering complex passwords, which often leads them to use the same password on different sites or come up with a combination of characters that is too simple just to meet the minimum requirements. An example would be a password like “P@ssw0rd123”, which technically meets complex conditions, but is easy to guess.
Second, the requirement to change passwords every 60-90 days, which was previously common practice in many organizations, is also no longer recommended. This requirement often only made the situation worse, as it led to the creation of less secure passwords due to the need to change them frequently. NIST recommends ditching complex passwords in favor of long, simple ones, and explains why.
The strength of a password is often measured by its entropy, a measure of how unpredictable the sequence of characters is. The higher the entropy, the more work an attacker needs to crack the password by brute force. Complexity requirements can raise entropy, but length has been found to matter far more, even when the password consists only of simple characters.
NIST suggests using long passwords that are easy to remember, in particular phrases made of a few simple words. For example, the phrase “bigdogsmallratfastcatpurplehatjellobat” is both secure and easy to use for an English-speaking user. Such a password combines high entropy with ease of use, helping to avoid unsafe habits such as writing passwords down or reusing them.
Although modern hardware has made it much easier to crack short but complex passwords, even the most advanced cracking tools still struggle with long passwords because of the sheer number of possible combinations. A recent illustration is New York City Mayor Eric Adams changing the passcode on his personal smartphone from a four-digit code to a six-digit code before handing the device over to law enforcement. That change increased the number of possible codes from 10 thousand to 1 million.
NIST currently recommends that companies allow users to create passwords of up to 64 characters. Such a long password, even if it only consists of lowercase letters and familiar words, will be extremely difficult to crack. And if you add capital letters and symbols to it, cracking such a password becomes almost impossible. Thus, in the new recommendations, NIST emphasized password length as the main factor in its security.
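The entropy argument above can be made concrete by computing the keyspace and bit-entropy for the article's own examples (the 11-character “P@ssw0rd123”, the 38-character passphrase, and the four- and six-digit passcodes) and by applying a length-only acceptance rule of the kind the guidance favors. This is an added example, not code from the article, Forbes or NIST; the word-list size, the offline guess rate and the 8-character minimum are assumptions chosen for illustration (the 64-character ceiling is the figure the article cites).

```python
import math

# Added example (not from the article or NIST): estimating password entropy and
# applying a length-only acceptance rule. Guess rate, word-list size and the
# minimum length are assumptions for illustration.

PRINTABLE_ASCII = 95    # upper, lower, digits and symbols
LOWERCASE = 26
DIGITS = 10
WORDLIST_SIZE = 7776    # assumption: a diceware-sized list of 6**5 common words


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from a set of `charset_size`."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Conservative estimate for a word-based passphrase: the attacker is assumed to
    know both the word list and the word count, so each word contributes log2(N)
    bits rather than the per-character figure."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole keyspace at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second


def check_password_policy(password: str, min_len: int = 8, max_len: int = 64) -> tuple:
    """Length-only acceptance check in the spirit of the guidance: no composition
    rules, just a length window. The 64-character maximum is the article's figure;
    the 8-character minimum is an assumption."""
    n = len(password)
    if n < min_len:
        return False, f"too short ({n} < {min_len})"
    if n > max_len:
        return False, f"too long ({n} > {max_len})"
    return True, "accepted"


def compare() -> dict:
    """Entropy and keyspace figures for the article's examples."""
    complex_pw = "P@ssw0rd123"                                # 11 chars, 95-symbol set
    passphrase = "bigdogsmallratfastcatpurplehatjellobat"     # 38 chars, 10 words
    return {
        "complex_bits": entropy_bits(PRINTABLE_ASCII, len(complex_pw)),
        "passphrase_char_bits": entropy_bits(LOWERCASE, len(passphrase)),
        "passphrase_word_bits": passphrase_entropy_bits(10),
        "pin4_keyspace": keyspace(DIGITS, 4),
        "pin6_keyspace": keyspace(DIGITS, 6),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:22s} {value:,.2f}" if isinstance(value, float) else f"{name:22s} {value:,}")
    for bits in (entropy_bits(DIGITS, 4), entropy_bits(DIGITS, 6), compare()["complex_bits"]):
        print(f"{bits:6.1f} bits -> {seconds_to_exhaust(bits):.3g} s at 1e10 guesses/s")
    for pw in ("P@ssw0rd123", "bigdogsmallratfastcatpurplehatjellobat", "a" * 65):
        print(pw[:20], check_password_policy(pw))
```

Two caveats show up in the numbers. The per-character formula credits “P@ssw0rd123” with roughly 72 bits, which assumes every character was chosen uniformly at random; a human-chosen substitution pattern is nowhere near that, which is exactly the article's point about it being easy to guess. The passphrase, even under the pessimistic word-based estimate of about 129 bits (attacker knows the word list and that there are ten words), still far exceeds the complex password, and the character-level figure is higher still. Note also that a length-only rule accepts “P@ssw0rd123” just as it accepts the passphrase; length limits decide what is permitted, not what is strong.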