We all struggle to keep track of our seemingly endless and growing list of passwords. Trying to follow the so-called rules makes an overwhelming task all but impossible, which is why you'll be pleased to learn that complexity isn't guaranteed to make your online accounts safer. As spotted by Forbes, the US National Institute of Standards and Technology (NIST) recently released new Digital Identity Guidelines (Special Publication 800-63B) for keeping government information systems secure, and they make some significant changes to long-standing password best practices.
If you've ever used Google Chrome's password generator to create a password for one of your accounts, you'll have noticed how unwieldy the result is: a long run of random letters, numbers, and symbols you could never hope to memorize.
In its guidelines, NIST makes it clear that the benefit of forced complexity (rules that demand a mix of character types) is usually outweighed by the cost in usability. You're never going to memorize a password that consists of a random jumble of numbers, letters, and symbols. As a result, you'll probably end up writing it down or storing it somewhere a hacker could access later. (A generated password that lives only in a password manager is a different case; the problem NIST describes is the complex password a person is expected to remember.)
NIST therefore treats length, rather than character mix, as the better measure of a strong password. As the guidelines note, many online services require users to create passwords that use a mix of character types, but "analyses of breached password databases reveal that the benefit of such rules is less significant than initially thought."
You're much better off using a lengthy string of words that you can actually remember. That way, you are less likely to store the password in a note on your phone, or to reuse it everywhere and risk having all of your online accounts breached at once.
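To put numbers on the length-versus-complexity point, here is an added example (not code from the article or from NIST) that compares the guessing space of a short random password drawn from the full printable-ASCII set against a multi-word passphrase drawn from a word list, and generates such a passphrase with a cryptographically secure random source. The word list and the guess rate are constructed assumptions; the 7776-word size used in the comparison is the size of the common Diceware list, and the figures only hold when the words are chosen at random, not by a person.

```python
import math
import secrets

# Constructed sample word list for the generator. A real generator would use a
# list of several thousand common words; the comparison below assumes 7776.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "lantern", "velvet", "marble"]

# Assumed offline guess rate: roughly what a GPU rig manages against a
# fast, unsalted hash. Slow hashes (bcrypt, scrypt, Argon2) cut this sharply.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: `length` symbols, each drawn
    from `alphabet_size` equally likely choices."""
    return length * math.log2(alphabet_size)


def random_password_entropy(length: int, charset_size: int = 94) -> float:
    """Random password over the 94 printable ASCII characters."""
    return entropy_bits(charset_size, length)


def passphrase_entropy(words: int, wordlist_size: int) -> float:
    """Random passphrase of `words` words from a list of `wordlist_size`."""
    return entropy_bits(wordlist_size, words)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with the `secrets` module so the entropy estimate actually
    applies; random.choice is not suitable for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(password_len: int = 8, phrase_words: int = 5,
            wordlist_size: int = 7776,
            rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Return entropy and exhaustive-search time for both schemes."""
    pw_bits = random_password_entropy(password_len)
    pp_bits = passphrase_entropy(phrase_words, wordlist_size)
    return {
        "password_bits": round(pw_bits, 2),
        "password_years": seconds_to_exhaust(pw_bits, rate) / (365 * 86400),
        "passphrase_bits": round(pp_bits, 2),
        "passphrase_years": seconds_to_exhaust(pp_bits, rate) / (365 * 86400),
    }


if __name__ == "__main__":
    result = compare()
    print(f"8-char random password: {result['password_bits']} bits, "
          f"~{result['password_years']:.3f} years to exhaust")
    print(f"5-word passphrase:      {result['passphrase_bits']} bits, "
          f"~{result['passphrase_years']:.1f} years to exhaust")
    print("example passphrase:", generate_passphrase())
```

Eight random printable-ASCII characters give about 52 bits; five random words from a 7776-word list give about 65 bits, and each added word contributes almost 13 more. The passphrase wins on both strength and memorability, but only because the words were chosen by a random source: a human-picked phrase is drawn from a far smaller, predictable space, and the breached-database analyses NIST cites are precisely what happens when people choose "Password1!" to satisfy a composition rule.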
Keep in mind that these guidelines are written for US federal agencies rather than for the general public, but they're still worth following. If you reuse the same overly complex password on every website, you're at far greater risk than if you used a different long, memorable password for each one.