Complicated Passwords Make You Less Safe, Experts Now Say

https://www.forbes.com/sites/larsdaniel/2024/10/02/government-experts-say-complicated-passwords-are-making-you-less-safe/

25 Comments

  1. >For years, conventional wisdom advocated for passwords that were highly complex, combining upper and lower case letters, numbers and symbols. This complexity was thought to make passwords harder to guess or crack through brute force attacks.
    >
    >However, these complex requirements often led to users adopting poor habits, such as reusing passwords or choosing overly simple ones that barely met the criteria, like “P*ssw0rd123.”
    >
    >Over time, NIST found that this focus on complexity was counterproductive and actually weakened security in practice.

    Anecdotally, this tracks. Plenty of my colleagues and family members do stuff like this.

    For me, this isn’t a problem since I use a local password manager, but it’s uncertain how much of the general public does so as well. It’ll be interesting to see if there’s more normalization of password managers now that it’s being built into iOS.

  2. I like it when companies let you use a long phrase with no special characters, like somewhereovertherainbow. Those companies get me, and they also get my business.

  3. Password reuse is more problematic than password complexity. 

    Even if you’re using the xkcd method, you can only remember so many gibberish strings, especially for login systems that aren’t compatible with a password manager.

    And once you start reusing them, if one place gets compromised, you’re suddenly vulnerable everywhere. 

  4. Password managers for the win! “But what about when password managers get hacked?” You’re right! Just use the same password everywhere. That way when dildolubewarehouse.com inevitably gets hacked and your omnipresent password is on the dark web, you’ll lose access to everything and won’t have to worry about *any* passwords anymore. Brilliant!

  5. PastLettuce8943

    One thing I learned from my high school teacher. Think of a song and select 1 line. Take the first letter of each word in that line and that’s your password. Impossible to guess or brute force.

    But then you can’t do that for 50 websites.

    So I just use BitWarden now.

  6. My company requires long passwords that change every couple of months on about 5 different computer systems, and we’re not allowed to reuse similar passwords. They also don’t allow password managers. So I just have sticky notes pasted to my computer monitor.

  7. ibelieveindogs

    Isn’t it already known that the biggest security risk isn’t hacked passwords but social engineering of malware in bogus emails? I know at my last job, every time there was a breach it was because someone clicked what they shouldn’t.

  8. People who have to change passwords or make them complicated all the time tend to write them down and put them on sticky notes on monitors.

  9. Constantly forcing users to change passwords also causes bad habits. Eventually people can’t remember them and are forced to write them down.

  10. Two issues right now: forcing so many upper case, lower case, number and symbol requirements, while at the same time restricting length to something like 16 characters.

    Let me use “It was the beast of times, it was the wurst of times”

  11. ManyNefariousness237

    Honestly, at the rate of frequency websites and companies are being hacked, what’s even the point?

  12. Use a pass-phrase. Easier to remember and much longer than a normal password. More characters makes it safer not what the characters are.
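    The contrast the quoted article, comment 10 and comment 12 describe (a composition rule that waves through “P*ssw0rd123” and caps length at 16, versus a length-first rule with a common-password denylist) can be shown in code. This is an added example written for this thread; it is not code from the Forbes article, from NIST or from any commenter. The 15-character minimum, the 64-character maximum, the legacy 8-to-16 window, the leet-speak map and the five-word denylist are constructed assumptions for illustration; a real deployment would check against a large breached-password corpus.

```python
"""Length-first password check versus a legacy complexity rule.

Added example for this thread; not code from the Forbes article, NIST or
any commenter. The 15-character minimum, the 64-character maximum, the
legacy 8-16 window and the small denylist are constructed assumptions.
"""
import re

# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Substitutions users typically apply to satisfy complexity rules
# ("P*ssw0rd123" from the quoted article is the canonical case).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 15   # assumed: length, not character classes, is the control
MAX_LENGTH = 64   # assumed: long passphrases must be accepted, not truncated


def legacy_complexity_ok(pw: str) -> bool:
    """Old-style rule as described in the thread: 8-16 chars with upper,
    lower, digit and symbol all present. Accepts 'P*ssw0rd123', rejects
    every passphrase longer than 16 characters."""
    return (8 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Reduce a password to the word the user started from: lower-case,
    drop the trailing digit/symbol suffix, then undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so a one-character tweak still hits the list."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def length_first_problems(pw: str) -> list:
    """Failures under the length-first rule; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    core = normalize(pw)
    for common in sorted(COMMON_PASSWORDS):
        if edit_distance(core, common) <= 1:
            problems.append(f"resembles the common password '{common}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P*ssw0rd123",
                      "somewhereovertherainbow",
                      "It was the beast of times, it was the wurst of times"):
        print(f"{candidate!r}: legacy={legacy_complexity_ok(candidate)}, "
              f"length-first problems={length_first_problems(candidate)}")
```

    Run as a script it shows the inversion the thread is complaining about: the legacy rule accepts “P*ssw0rd123” and rejects both passphrases, while the length-first rule rejects “P*ssw0rd123” (too short, and one edit away from “password” once the suffix and the 0-for-o swap are undone) and accepts both passphrases. The normalization step is the part worth copying: without it a denylist of plain words never matches the tweaked forms users actually produce.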

  13. I use entire sentences with numbers in them and punctuation. Fake example: “Tonight were gonna party like its 1999!”

    Super easy to remember and long as fuck.

  14. sorospaidmetosaythis

    I can remember long (20-character), nonsensical passwords in mixed case plus numbers and symbols. My memory is not great, but for random shit it is solid. It takes me a few weeks to learn them, but they stick forever. I don’t need to write them down, and I can hold about 5 of them in my head.

    But, then, the IT policy wherever I work requires password changes every 45-75 days, so why even try?