
"Meanwhile, the actual threat landscape evolved in an entirely different direction. Today's attackers aren't sitting at keyboards manually typing password guesses. They're running offline brute force attacks with dedicated GPU rigs that can attempt 100 billion passwords per second against hashing algorithms like MD5 or SHA-1. At that speed, your clever substitution of '@' for 'a' buys you microseconds of additional security."
"Their latest digital identity guidelines represent a fundamental shift in how we should think about password security, and it's not what most people expect. NIST's guidance is refreshingly straightforward. Length matters far more than complexity. A password should be at least 15 characters, but those characters don't need to be a cryptic jumble of symbols that you'll inevitably forget (or worse, write on a sticky note)."
Decades of conventional password rules—add a number, include a special character, change passwords every 90 days—have created a false sense of security. Attackers now use offline brute-force attacks with GPU rigs capable of roughly 100 billion guesses per second, which makes common character substitutions effectively worthless. The National Institute of Standards and Technology recommends prioritizing password length over complexity. Passwords should be at least 15 characters and use memorable passphrases composed of multiple words rather than cryptic symbol-laden strings. Routine forced password changes and minor character substitutions offer little protection and can reduce overall security by encouraging weak practices.
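As an added illustration (not code from the article or its summary), the following Python compares the keyspace of a symbol-substituted 8-character password with a long passphrase at the 100 billion guesses per second rate quoted above, and applies the 15-character minimum the summary attributes to NIST; the leet substitution table is a constructed stand-in for the rule sets cracking tools actually ship with.

```python
import string

# Rate quoted in the article: ~100 billion guesses/s against fast hashes like MD5 or SHA-1
GPU_GUESSES_PER_SECOND = 1e11
NIST_MIN_LENGTH = 15  # minimum length the summary attributes to NIST
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed "leet" rules (assumption): real cracking rule sets include these and many more,
# so the substituted form is tried right alongside the plain dictionary word.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalize_leet(password: str) -> str:
    """Undo common symbol substitutions the way a cracking rule set would."""
    return password.translate(LEET_MAP).lower()


def alphabet_size(password: str) -> int:
    """Size of the character set the password actually draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_years(password: str, rate: float = GPU_GUESSES_PER_SECOND) -> float:
    """Years to exhaust the whole keyspace of this length and alphabet at `rate` guesses/s."""
    return alphabet_size(password) ** len(password) / rate / SECONDS_PER_YEAR


def evaluate(password: str) -> dict:
    """Apply the length-over-complexity rule and expose whether symbols are mere substitutions."""
    plain = normalize_leet(password)
    return {
        "length_ok": len(password) >= NIST_MIN_LENGTH,
        "uses_substitutions": plain != password.lower(),
        "keyspace_years": brute_force_years(password),
        "normalized": plain,  # what a rule-based cracker effectively guesses
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple"):
        print(pw, evaluate(pw))
```

The 8-character substituted password exhausts in well under a day at that rate, while the 28-character lowercase passphrase runs to billions of years, which is the whole argument for length over complexity.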
Read at Fast Company