Tech pros have revealed why having a complicated password for your devices might not be the best approach and actually, could be doing more harm than good.
It’s highly likely you’re having to grapple with a seemingly never-ending list of passwords, whether it’s online banking, to access various emails, or for the many different social media accounts we have. And you probably have dozens more for the devices you use for work, too.
It’s a given that keeping our personal information private is an utmost priority, and companies labor the point to employees out of fear of hackers comprising company data and private information.
The theory is that complex passwords are harder to guess or to crack through cyber attacks.
But memorizing all these passwords, which often ‘require’ a myriad of numbers, letters, and symbols to reach a lengthy character count, can quickly become a burden – and you might be inclined to write a physical list of them all in case you forget.
But according to the US National Institute of Standards and Technology (NIST), which develops guidelines to help organizations safeguard their tech, complex passwords are no longer recommended.
As reported by Forbes, NIST recently published new guidance in keeping government information systems secure and made some notable changes to the long-standing password best practice that has been drilled into us.
If you’ve ever used Google Chrome’s password generator, you’ll have noticed how it automates a password crammed with lower case and capitalized letters, numbers and random symbols that you’re unlikely to ever remember without jotting down or saving them in Google’s Password Manager.
And here’s here where NIST warns a complex password runs the risk of compromising your data and actually weakening your security as a hacker could potentially find your password notebook or, by simply using your device, gain access to all your passwords at once.
NIST advises the length of passwords is an easier and therefore safer way to protect your account compared to complexity.
As the guidance notes, online services require users to create passwords with a mixture of different characters, but ‘analyses of breached password databases reveal that the benefit of such rules is less significant than initially thought’.
What this means is that you’re better off using a long string of words that you will be able to remember in a password than a random jumble – and each password should contain a different string of words.
By using a short sentence or sequence of words, you’re less likely to store the passwords in a note on your phone or reuse the password again for another account, which jeopardizes all your accounts at once.
That, and it’d close to mathematically impossible to be able to crack a password of 64-characters made up of real words with the odd capitalized letter and symbols.
Further fueling our risky password patterns is the requirement that many organizations have enforced to change our company password every 60 to 90 days, which NIST is also no longer recommending.
