Overly complex passwords are not just ineffective but dangerously insecure, according to the latest National Institute of Standards and Technology (NIST) guidelines.
Humans often choose easily guessed passwords for the sake of memorability, NIST said, meaning many online services have introduced rules that demand a certain level of complexity.
For example, many services require users to create passwords that contain a mix of character types, such as numbers, uppercase letters, and symbols.
“However, analyses of breached password databases reveal that the benefit of such rules is less significant than initially thought, and the impacts on usability and memorability are severe,” NIST said.
NIST cites research showing that users respond in predictable ways to password composition requirements, therefore undermining the intended security payoff.
“For example, a user who might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number or ‘Password1!’ if a symbol is also required,” NIST said.
Complex passwords also introduce a new vulnerability, NIST warned As they are far less memorable, users are more likely to write them down or store them electronically in an unsafe way.
NIST instead recommends an approach based primarily on password length, though it was keen to emphasize that many attacks associated with passwords are affected by neither complexity nor length, such as phishing or social engineering.
“The complexity of user-chosen passwords has often been characterized using the information theory concept of entropy. While entropy can be readily calculated for data with deterministic distribution functions, estimating the entropy for user-chosen passwords is challenging, and past efforts to do so have not been particularly accurate,” NIST said.
“For this reason, a different and somewhat more straightforward approach based primarily on password length is presented herein,” it added.
As the size of a hashed password is independent of its length, there is no reason to prohibit the use of lengthy passwords, NIST said, though extremely long passwords could take longer to hash. Users should make their passwords as lengthy as they want, it added.
NIST concluded that length and complexity requirements beyond those it recommends only serve to increase user frustration and act counterproductively.
Are passwords on their way out?
This latest move places yet more pressure on users with regard to password security. Some industry stakeholders insist passwords are an increasingly antiquated security measure that can be cracked in a “matter of minutes”.
Research from Kaspersky pointed to this in a report earlier this year which found 45% of passwords could be guessed in under 60 seconds, based on a sample size of 193 million compromised passwords.
Little wonder then that some big names are calling to get rid of them altogether.
A host of big tech firms including Microsoft, Apple and Google have been moving towards a passwordless future for several years now. In particular, these companies have been exploring potential alternatives such as passkeys.
Oracle CTO Larry Ellison recently claimed staff at the cloud computing giant won’t be using passwords a year from now owing to their fundamental insecurity.
“The idea that we use passwords is a ridiculous idea. It's obsolete. It's very dangerous,” he said at the time.
