
That password we thought was so secure might be doing more harm than good

Official recommendations for more secure passwords


David Bernal Raspall

  • December 1, 2024
  • Updated: July 1, 2025 at 10:40 PM

We have become accustomed to thinking that our passwords must be complex, full of symbols, uppercase letters, numbers, and special characters to be secure. However, we might be very wrong by focusing so much on complexity. According to the guidelines published by the National Institute of Standards and Technology (NIST) of the United States, some of the advice we have followed for years might be making us more vulnerable instead of better protecting us.


NIST, the body responsible for setting security standards for U.S. government information systems, has revised its recommendations, making it clear that a long, easy-to-remember password can be far more effective than a complex, hard-to-memorize one. As users, this change leads us to completely rethink how we manage the security of our accounts.

The myth of impossible passwords

For years, we have believed that the key to a good password was its complexity. We have dedicated ourselves to creating combinations that mix symbols, numbers, and uppercase and lowercase letters, thinking that these were the only ones capable of withstanding attacks. However, this approach has a major drawback: complex passwords are too difficult to remember.

When we try to memorize unintelligible combinations like “4D$ghT#2!”, we often end up writing them in places where they shouldn’t be—on a post-it stuck to the computer or in an insecure application, for example. This creates a weak point that attackers can exploit with relative ease. According to NIST research, the risks associated with these types of passwords often outweigh the benefits they provide.

Additionally, the analysis of leaked databases with millions of passwords has shown that attackers often resort to tools that test common combinations, regardless of how complex they are. Therefore, a password that is difficult to remember does not necessarily guarantee that it is more secure.

More length, less complexity

In light of this scenario, the new NIST recommendations advocate for a change in strategy: prioritize length over complexity. A password made up of several long and meaningful words—like “whithorsewalkingthroughthevalley”—is easier to remember and also much more difficult to crack through brute force attacks.

This type of password allows us to maintain security without making the mistake of storing them in insecure places. We don’t have to resort to notes or applications that could be compromised. On the other hand, the length provides extra resistance to automated attacks, which need more time to try all possible character combinations.

In this regard, NIST has also pointed out that the strict character-composition rules enforced by some websites do not improve the actual security of passwords. Therefore, the current recommendation is to give users greater freedom so that we can create passwords we can remember, as long as they are sufficiently long.
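As an added illustration of the length-versus-complexity argument above (example code, not from the article or from NIST), the following Python compares the brute-force search space of the two passwords the article quotes and sketches a length-first policy check with no composition rules; the 15-character floor, the Diceware-sized word list and the small blocklist are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a blocklist of leaked or commonly used passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


def charset_size(password: str) -> int:
    """Smallest standard character class that contains every character of the password."""
    if all(c in string.ascii_lowercase for c in password):
        return 26
    if all(c in string.ascii_letters for c in password):
        return 52
    if all(c in string.ascii_letters + string.digits for c in password):
        return 62
    return 95  # full printable ASCII, the class symbol-heavy passwords force


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace an exhaustive per-character search must cover.

    This is an upper bound: an attacker who guesses dictionary words as units
    (see passphrase_bits) searches a far smaller space for word-based passwords.
    """
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """log2 of the keyspace when each word is drawn from a known word list.

    7776 is the size of a standard Diceware list; it is an assumption here.
    """
    return word_count * math.log2(dictionary_size)


def check_policy(password: str, min_length: int = 15) -> list[str]:
    """Length-first policy in the spirit of the article: a length floor plus a
    blocklist check, and deliberately no character-composition rules.
    The 15-character floor is a constructed value, not a figure from the article."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password blocklist")
    return failures


if __name__ == "__main__":
    for pw in ("4D$ghT#2!", "whithorsewalkingthroughthevalley"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, policy: {check_policy(pw) or 'ok'}")
    # Even modelled as six dictionary words, the passphrase still beats the 9-character mix.
    print(f"6 dictionary words: {passphrase_bits(6):.1f} bits")
```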

Beyond the password: The importance of variety

Despite these changes in recommendations, there is one that remains the same: do not reuse the same password across multiple services. Even a long password can become a risk if used on multiple accounts. If one of these platforms is targeted by an attack, all other accounts would be exposed.

To avoid this, it is important to use password managers that allow us to generate unique keys for each service. Although at first glance it may seem contradictory to the idea of easily remembering our passwords, these tools free us from the need to memorize them all and help us keep them organized. At the same time, using long passwords that we can memorize allows us—at least with the most important accounts—to access them without the need for a manager that we may not have available at a given moment.


Finally, the NIST report states that two-step authentication remains an essential pillar of our security: a system that, like Passkeys, adds an additional layer of protection, ensuring that even if someone obtains a password, they cannot access the accounts without the second verification factor.

The revised NIST recommendations invite us to reflect on how we have managed our security so far. Using longer and easier-to-remember passwords will improve our protection, simplify organization, and allow us to say goodbye to genuine jumbles of letters, numbers, and symbols that do not necessarily enhance our security. Let’s focus, in addition to not repeating any password, on making it long. The longer, the better.
