A new concept for passwords: Why random character sets are no longer considered good passwords
It has long been believed that complex passwords consisting of a combination of uppercase and lowercase letters, numbers, and special characters provide the most security. However, the US National Institute of Standards and Technology (NIST) has reconsidered this practice and now considers it obsolete. As Forbes reports, the new NIST SP 800-63-4 guideline on digital identity suggests abandoning complex passwords in favor of long, memorable phrases.
It was previously believed that the more complex the password, the harder it is to guess or crack with software. However, experts have found that excessive complexity requirements often lead users to reuse the same password across different platforms or to create passwords that only barely satisfy the minimum requirements. For example, passwords like “P@ssw0rd123” are easy to guess despite their apparent complexity.
According to the new recommendations, the key to security is the length of the password, not its complexity. NIST suggests building long passwords from simple, memorable words. This approach makes passwords easier to remember and reduces the likelihood that users will write them down or reuse them across different services.
Another important recommendation is to drop the requirement to change passwords every 60-90 days. Frequent forced changes led users to create weaker passwords or simply change one character of the old one, which left the new password easy to guess.
Research shows that the strength of a password depends on its entropy, that is, its degree of unpredictability. Although complex character sets can increase entropy, the length of the password plays a much greater role. For example, a phrase like "bigdogsmallratfastcatpurplehatjellobat" is both secure and easy to remember thanks to its length and structure.
Modern hardware lets attackers crack short but complex passwords quickly. Long passwords made of several simple words, however, are much harder to crack because of the huge number of possible combinations. An example is the case of New York City Mayor Eric Adams, who replaced his short four-digit code with a six-digit one, increasing the number of combinations an attacker would have to try a hundredfold. Accordingly, NIST recommends allowing users to create passwords up to 64 characters long. Even if such a password consists only of lowercase letters and simple words, it provides a high level of protection; adding uppercase letters and symbols makes cracking it practically infeasible.