Password – Complex passwords are no longer the optimal protection method.
The National Institute of Standards and Technology (NIST) has released new guidelines on password management, encouraging the use of long passwords instead of complex passwords. This change marks a significant shift in information security thinking.
The new guidelines, published in September 2024, are part of NIST’s second public draft SP 800-63-4, the latest version of the Digital Identity Guidelines. For many years, the traditional view has encouraged creating complex passwords that combine uppercase letters, lowercase letters, numbers, and special characters. It was believed that this complexity would make passwords harder to guess or crack through brute-force attacks.
However, in practice, this complexity requirement often leads users to develop poor habits. They may reuse passwords or choose overly simple passwords that only minimally meet criteria, such as “P@ssw0rd123”. Over time, NIST has found that focusing on complexity can backfire and actually weaken security.
NIST has shifted from enforcing complex rules to encouraging longer passwords in its latest guidelines. Password strength is typically measured by entropy, a measure of unpredictability: it is derived from the number of distinct combinations that can be formed from a password's characters (entropy in bits is the base-2 logarithm of that count). The more combinations, and therefore the more entropy, the harder it is for an attacker to crack a password by brute force or guessing.
Studies show that users often have difficulty remembering complex passwords. This leads them to reuse passwords across multiple websites or rely on easily guessable patterns, such as substituting letters with similar-looking numbers or special characters. The requirement to change passwords every 60 to 90 days, which many organizations enforce and NIST no longer recommends, exacerbates this behavior.
While complexity can contribute to entropy, length plays a much more significant role. A longer password with more characters can exponentially increase the number of possible combinations, making it harder for an attacker to guess, even if those characters are simpler. A long, memorable passphrase made up of several simple words is an example. For instance, “bigdogsmallratfastcatpurplehatjellobat” is both secure and user-friendly. Such passwords strike a balance between high entropy and ease of use, ensuring users do not resort to unsafe behaviors like writing down passwords or reusing them.
The advancement of computational power has made cracking short, complex passwords easier. However, even highly optimized cracking tools struggle with long passwords because of the immense number of possible combinations. Recently, New York City Mayor Eric Adams announced that he had changed the passcode on his personal smartphone from four digits to six before handing it over to law enforcement. Adding two digits raised the number of possible combinations from 10,000 to 1,000,000.
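The two comparisons above (the complex 11-character password versus the 38-character passphrase, and the four-digit versus six-digit passcode) can be put in numbers with a small entropy calculator. This is an added example written for this page, not NIST's method or code from the article; the character pools, the 7776-word dictionary size and the guess rate of 1e11 per second are constructed assumptions. It also goes one step beyond the text by estimating a passphrase word by word, which is the realistic model when the words come from a common list.

```python
import math

# Character pools used for the brute-force estimate (constructed for this example;
# the exact symbol set a verifier accepts varies).
POOLS = {
    "digits": "0123456789",
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",
}


def pool_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume: the union of
    every pool that contributes at least one character to the password."""
    size = 0
    for chars in POOLS.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no characters from the known pools")
    return size


def combinations(password: str) -> int:
    """Number of candidates of the same length over the same alphabet."""
    return pool_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the candidate count, i.e. length * log2(alphabet)."""
    return len(password) * math.log2(pool_size(password))


def passphrase_entropy_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy when the attacker guesses word by word instead of character by
    character: each word contributes log2(dictionary_size) bits. This is the
    honest figure for a passphrase built from common words."""
    return num_words * math.log2(dictionary_size)


def years_to_exhaust(candidates: int, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try every candidate at an assumed guess rate
    (1e11/s is a constructed figure for a GPU rig against a fast hash)."""
    return candidates / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    complex_short = "P@ssw0rd123"                             # from the article
    long_simple = "bigdogsmallratfastcatpurplehatjellobat"   # from the article
    for pw in (complex_short, long_simple):
        print(f"{pw!r}: alphabet={pool_size(pw)} len={len(pw)} "
              f"entropy={entropy_bits(pw):.1f} bits "
              f"exhaust={years_to_exhaust(combinations(pw)):.3g} years")
    # The smartphone passcode example: four digits versus six digits.
    print("4-digit PIN:", combinations("1234"), "candidates")
    print("6-digit PIN:", combinations("123456"), "candidates")
    # Word-level view of the passphrase: 10 words, assumed 7776-word list.
    print(f"10 words from a 7776-word list: "
          f"{passphrase_entropy_bits(10, 7776):.1f} bits")
```

The character-level figure for the passphrase (about 179 bits) is what a naive brute-force attacker faces; the word-level figure (about 129 bits for ten words from a 7776-word list) is the one to plan around, and it still comfortably exceeds the roughly 71 bits of the short complex password. The passcode numbers reproduce the article's 10,000 versus 1,000,000.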
In the new recommendations, NIST emphasizes that systems must allow users to create passwords up to 64 characters long. A 64-character password using only lowercase letters and real words would already be extremely difficult to crack; if it also includes uppercase letters and special characters, brute-forcing it becomes computationally infeasible.
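What a verifier-side policy looks like once the guidance in this article is applied (length limits instead of composition rules, no calendar-driven rotation, a blocklist check) is shown in the following added example. It is illustrative code written for this page, not NIST reference code; the minimum of 8 and maximum of 64 characters follow the SP 800-63B-4 draft, the blocklist is a constructed sample standing in for the breach-corpus list a real verifier would load, and the function names are invented here.

```python
import unicodedata

# Policy values: the draft requires a minimum of 8 characters (and recommends 15)
# and requires verifiers to accept at least 64. The blocklist is a constructed
# sample; a production verifier loads a large list of breached and common passwords.
MIN_LENGTH = 8
MAX_LENGTH = 64
BLOCKLIST = {
    "password", "p@ssw0rd123", "qwerty123", "letmein", "welcome1",
}


def normalize(candidate: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare and hash equally;
    the guideline calls for normalizing before checking or storing."""
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason). Deliberately absent: any uppercase, digit or
    symbol requirement, and any rejection of spaces inside a passphrase."""
    pw = normalize(candidate)
    # Control characters (tabs, newlines) are the only character class refused.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters are not allowed"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    # Blocklist comparison is case-insensitive: "P@ssw0rd123" meets every
    # composition rule yet is a well-known pattern, so it is refused here.
    if pw.lower() in BLOCKLIST:
        return False, "appears in the blocklist of known-bad passwords"
    return True, "accepted"


def legacy_rotation_required(days_since_set: int, max_age_days: int = 90) -> bool:
    """The calendar rule NIST no longer recommends, kept for contrast."""
    return days_since_set > max_age_days


def rotation_required(compromised: bool) -> bool:
    """Rotation is triggered by evidence of compromise, not by elapsed time."""
    return compromised


if __name__ == "__main__":
    samples = [
        "P@ssw0rd123",                                 # from the article
        "bigdogsmallratfastcatpurplehatjellobat",      # from the article
        "correct horse battery staple",                # spaces are fine
        "short1!",                                     # fails on length alone
        "a" * 65,                                      # over the 64-character limit
    ]
    for s in samples:
        accepted, reason = check_password(s)
        print(f"{s[:40]!r:44} -> {'OK ' if accepted else 'NO '} {reason}")
    print("90-day rule, day 100:", legacy_rotation_required(100))
    print("compromise-driven, no incident:", rotation_required(False))
```

The short complex password is refused not because it lacks a character class (it has all four) but because it sits on the blocklist, while the long lowercase passphrase passes untouched; that ordering of checks is the practical content of the shift the article describes.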