Complicated passwords may not be as effective as you think
Author: Brooke Kato
Published on: 2025-01-02 14:39:30
Source: Latest Technology News and Product Reviews | New York Post
Disclaimer: All rights are owned by the respective creators. No copyright infringement is intended.
Have we finally cracked the code on password security?
A recent update to password best practices from the National Institute of Standards and Technology revealed that longer login credentials indeed boost account security more than shorter, more complex ones — but it’s not all it’s cracked up to be.
Historically, sites have required complicated passwords with a mix of alphanumeric characters and symbols.
Still, the NIST found that “the benefit of such rules is less significant than initially thought” and that they place a “severe” burden on users’ memory.
“Humans have a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed,” the NIST wrote in the report, adding that, in return, “online services have introduced rules to increase the complexity of these passwords.”
Those rules can frustrate users and, as a result, they “often work around these restrictions counterproductively” by using easily guessed passwords that could make them vulnerable to hacks.
Rather than having users remember a jumble of letters, numbers and symbols, the organization pointed to length, which it said “is a primary factor in characterizing password strength.”
According to the agency, 64-character passwords provide maximum account security, with eight characters being the minimum.
Additionally, NIST advised against arbitrary password changes, saying that passwords can be left unchanged unless there is evidence of a security breach.
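As an added illustration (not code from NIST or from this article), the Python sketch below runs the same sample passwords through an old-style composition rule and a length-based check with no forced expiry. The 8 and 64 figures come from the article; treating 64 as the longest accepted length, the small easily-guessed list and all function names are assumptions of this example.

```python
import re

MIN_LENGTH = 8    # minimum stated in the article
MAX_LENGTH = 64   # article's 64-character figure, used here as the longest accepted length (assumption)

# Constructed sample list; a real deployment would load a far larger set of known-weak passwords.
EASILY_GUESSED = {"password", "password1", "p@ssw0rd1", "qwerty123", "letmein1"}

def legacy_composition_check(pw):
    """Old-style rule: 8+ characters with an uppercase, a lowercase, a digit and a symbol."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(p, pw) for p in patterns)

def length_based_check(pw):
    """Length-first rule: no composition requirements, but reject easily guessed values."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if pw.casefold() in EASILY_GUESSED:
        return False, "easily guessed"
    return True, "ok"

def must_change(days_since_set, breach_evidence):
    """No arbitrary expiry: password age is deliberately ignored, only breach evidence counts."""
    return bool(breach_evidence)

def compare(passwords):
    """Return (password, passes_legacy, passes_length_based, reason) for each sample."""
    rows = []
    for pw in passwords:
        ok, reason = length_based_check(pw)
        rows.append((pw, legacy_composition_check(pw), ok, reason))
    return rows

# Constructed sample inputs.
SAMPLES = ["P@ssw0rd1", "correct horse battery staple", "short1!"]

if __name__ == "__main__":
    for pw, legacy_ok, length_ok, reason in compare(SAMPLES):
        print(f"{pw!r:32} legacy={legacy_ok!s:5} length_based={length_ok!s:5} ({reason})")
    print("400 days old, no breach -> change required:", must_change(400, False))
```

The predictable substitution pattern satisfies the composition rule yet is rejected as easily guessed, while the long passphrase fails the composition rule and passes the length-based check.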
The organization also encouraged users to use a password manager and implement two-factor authentication when possible, as strong passwords are not enough to thwart malicious attackers.
“Many attacks associated with password use are not affected by password complexity and length,” NIST wrote.
“Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy and complex passwords as they are on simple ones.”