>For years, conventional wisdom advocated for passwords that were highly complex, combining upper and lower case letters, numbers and symbols. This complexity was thought to make passwords harder to guess or crack through brute force attacks.
>
>However, these complex requirements often led to users adopting poor habits, such as reusing passwords or choosing overly simple ones that barely met the criteria, like “P*ssw0rd123.’
>
>Over time, NIST found that this focus on complexity was counterproductive and actually weakened security in practice.
Anecdotally, this tracks. Plenty of my colleagues and family members do stuff like this.
For me, this isn’t a problem since I use a local password manager, but it’s uncertain how much of the general public does so as well. It’ll be interesting to see if there’s more normalization of password managers now that it’s being built into iOS.
soulmagic123 on
I like when companies let you use long phrase with no special characters. Like somewhereovertherainbow those companies get me, and they also get my business.
Konukaame on
Password reuse is more problematic than password complexity.
Even if you’re using the xkcd method, you can only remember so many gibberish strings, especially for login systems that aren’t compatible with a password manager.
And once you start reusing them, if one place gets compromised, you’re suddenly vulnerable everywhere.
russbird on
Password managers for the win! “But what about when password managers get hacked?” You’re right! Just use the same password everywhere. That way when dildolubewarehouse.com inevitably gets hacked and your omnipresent password is on the dark web, you’ll lose access to everything and won’t have to worry about *any* passwords anymore. Brilliant!
pterodactylhug on
This title is misleading.
PastLettuce8943 on
One thing I learned from my high school teacher. Think of a song and select 1 line. Take the first letter of each word in that line and that’s your password. Impossible to guess or brute force.
But then you can’t do that for 50 websites.
So I just use BitWarden now.
Forkboy2 on
My company requires long passwords that change every couple of months on about 5 different computer systems and not allowed to reuse similar passwords. They also don’t allow password manager. So I just have sticky notes pasted to my computer monitor.
ibelieveindogs on
Isn’t already known that the biggest security risk isn’t hacked passwords but social engineering of malware in bogus emails? I know at my last job, every time there was a breach it was because someone clicked what they shouldn’t.
gerryf19 on
People who have to change passwords or make them complicated all the time tend to write them down and put them on stick by notes on monitors
dctucker on
Thanks but I’ll take my technology advice from some other publication than Forbes
DanTheMan827 on
Correct horse battery staple
inchrnt on
Constantly forcing users to change passwords also causes bad habits. Eventually people can’t remember them and are forced to write them down.
rgvtim on
Two issues right now, the forcing of so many upper case, lower case, number, symbol while at the same time restricting length to something like 16 characters.
Let me use “It was the beast of times, it was the wurst of times”
ManyNefariousness237 on
Honestly, at the rate of frequency websites and companies are being hacked, what’s even the point?
TehBanzors on
Passkey, biometrics, and/or 2FA need to become the norm.
pdirth on
Use a pass-phrase. Easier to remember and much longer than a normal password. More characters makes it safer not what the characters are.
Jdonavan on
I use entire sentences with number in them and punctuation.. fake example: “Tonight were gonna party like its 1999!”
Super easy to remember and long as fuck.
woodford86 on
My work password is Companyname!CurrentYear
And I guarantee I’m not the only one
littleguy632 on
2FA is da beast
Shreyanshv9417 on
Who wrote this? Hackers or the govt
Alvvays_aWanderer on
Just kill me.
SkinnedIt on
Only if you’re lazy. Your long, complex, unique passwords are fine.
sorospaidmetosaythis on
I can remember long (20-character), nonsensical passwords in mixed case plus numbers and symbols. My memory is not great, but for random shit it is solid. It takes me a few weeks to learn them, but they stick forever. I don’t need to write them down, and I can hold about 5 of them in my head.
But, then, the IT policy wherever I work requires password changes every 45-75 days, so why even try?
mintmouse on
And simple passwords are easily cracked.
snapesnapeseverus on
I hate it here.
hellno_ahole on
Companies not held responsible for our data makes us less safe.
27 Comments
It only took them 13 years to catch up to xkcd
[https://xkcd.com/936/](https://xkcd.com/936/)
🙂
>For years, conventional wisdom advocated for passwords that were highly complex, combining upper and lower case letters, numbers and symbols. This complexity was thought to make passwords harder to guess or crack through brute force attacks.
>
>However, these complex requirements often led to users adopting poor habits, such as reusing passwords or choosing overly simple ones that barely met the criteria, like “P*ssw0rd123.’
>
>Over time, NIST found that this focus on complexity was counterproductive and actually weakened security in practice.
Anecdotally, this tracks. Plenty of my colleagues and family members do stuff like this.
For me, this isn’t a problem since I use a local password manager, but it’s uncertain how much of the general public does so as well. It’ll be interesting to see if there’s more normalization of password managers now that it’s being built into iOS.
I like when companies let you use long phrase with no special characters. Like somewhereovertherainbow those companies get me, and they also get my business.
Password reuse is more problematic than password complexity.
Even if you’re using the xkcd method, you can only remember so many gibberish strings, especially for login systems that aren’t compatible with a password manager.
And once you start reusing them, if one place gets compromised, you’re suddenly vulnerable everywhere.
Password managers for the win! “But what about when password managers get hacked?” You’re right! Just use the same password everywhere. That way when dildolubewarehouse.com inevitably gets hacked and your omnipresent password is on the dark web, you’ll lose access to everything and won’t have to worry about *any* passwords anymore. Brilliant!
This title is misleading.
One thing I learned from my high school teacher. Think of a song and select 1 line. Take the first letter of each word in that line and that’s your password. Impossible to guess or brute force.
But then you can’t do that for 50 websites.
So I just use BitWarden now.
My company requires long passwords that change every couple of months on about 5 different computer systems and not allowed to reuse similar passwords. They also don’t allow password manager. So I just have sticky notes pasted to my computer monitor.
Isn’t already known that the biggest security risk isn’t hacked passwords but social engineering of malware in bogus emails? I know at my last job, every time there was a breach it was because someone clicked what they shouldn’t.
People who have to change passwords or make them complicated all the time tend to write them down and put them on stick by notes on monitors
Thanks but I’ll take my technology advice from some other publication than Forbes
Correct horse battery staple
Constantly forcing users to change passwords also causes bad habits. Eventually people can’t remember them and are forced to write them down.
Two issues right now, the forcing of so many upper case, lower case, number, symbol while at the same time restricting length to something like 16 characters.
Let me use “It was the beast of times, it was the wurst of times”
Honestly, at the rate of frequency websites and companies are being hacked, what’s even the point?
Passkey, biometrics, and/or 2FA need to become the norm.
Use a pass-phrase. Easier to remember and much longer than a normal password. More characters makes it safer not what the characters are.
I use entire sentences with number in them and punctuation.. fake example: “Tonight were gonna party like its 1999!”
Super easy to remember and long as fuck.
My work password is Companyname!CurrentYear
And I guarantee I’m not the only one
2FA is da beast
Who wrote this? Hackers or the govt
Just kill me.
Only if you’re lazy. Your long, complex, unique passwords are fine.
I can remember long (20-character), nonsensical passwords in mixed case plus numbers and symbols. My memory is not great, but for random shit it is solid. It takes me a few weeks to learn them, but they stick forever. I don’t need to write them down, and I can hold about 5 of them in my head.
But, then, the IT policy wherever I work requires password changes every 45-75 days, so why even try?
And simple passwords are easily cracked.
I hate it here.
Companies not held responsible for our data makes us less safe.