
"When attackers steal password hashes from a breach, they brute-force by hashing millions of guesses per second until something matches. The time this takes depends on one thing: how many possible combinations exist. A traditional 8-character "complex" password (P@ssw0rd!) offers roughly 218 trillion combinations. Sounds impressive until you realize modern GPU setups can test those combinations in months, not years. Increase that to 16 characters using only lowercase letters, and you're looking at 26^16 combinations, billions of times harder to crack."
"Fewer resets. When passwords are memorable, users stop writing them on Post-it notes or recycling similar variations across accounts. Your helpdesk tickets drop, which alone should justify the change. Better attack resistance. Attackers optimize for patterns. They test dictionary words with common substitutions (@ for a, 0 for o) because that's what people do. A four-word passphrase sidesteps these patterns entirely - but only when the words are truly random and unrelated."
"The advice didn't change for decades: use complex passwords with uppercase, lowercase, numbers, and symbols. The idea is to make passwords harder for hackers to crack via brute force methods. But more recent guidance shows our focus should be on password length, rather than complexity. Length is the more important security factor, and passphrases are the simplest way to get your users to create (and remember!) longer passwords."
Password length matters more than forced complexity. Attackers who obtain a breached hash database test millions (on GPU rigs, billions) of guesses per second, and the expected cracking time scales with the size of the keyspace they must search, multiplied by how expensive each guess is for the hash in use. An eight-character password drawn from letters and digits yields 62^8, roughly 218 trillion, combinations; the article estimates that modern GPU setups exhaust this in months, and against a fast unsalted hash it is far quicker than that. A 16-character lowercase-only password produces 26^16 combinations, about 75 bits of entropy against roughly 48, so resistance grows exponentially with length even when the alphabet shrinks. Effective entropy is the number of possibilities an attacker must actually traverse, which equals the full keyspace only when the password is chosen uniformly at random rather than from the dictionary-plus-substitution patterns that cracking tools try first. Three or four common words chosen at random from a large list (four words from a 7,776-word list give about 52 bits) deliver more entropy than an eight-character "complex" password while remaining memorable. Memorable passphrases reduce resets, discourage insecure storage and reuse, lower helpdesk load, and avoid the substitution patterns attackers exploit. NIST SP 800-63B recommends prioritizing length over composition rules.
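The keyspace and entropy arithmetic behind the comparison above, worked through in code, together with a passphrase generator that draws from the OS CSPRNG so the entropy estimate actually holds. This is an added example, not code from the article or from NIST; the guess rates, the small sample word list, and the assumed 7,776-word dictionary size are constructed assumptions for illustration.

```python
"""Keyspace, entropy and crack-time arithmetic behind the length-over-complexity
argument, plus a CSPRNG-backed passphrase generator.

Added example for this summary; not code from the article. The guess rates
and the sample word list are constructed assumptions for illustration."""
import math
import secrets

# Constructed sample word list (assumption, for demonstration only). A real
# deployment should use a vetted list such as the EFF long list; its size
# (7,776 words) is assumed here only for the entropy calculation.
SAMPLE_WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon",
                "glacier", "harbor", "ivory", "juniper", "kettle", "lantern"]
ASSUMED_DICTIONARY_SIZE = 7776

# Constructed guess rates (assumptions, not measurements): a multi-GPU rig
# against an unsalted fast hash vs. the same rig against a slow, tuned KDF.
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_KDF_GUESSES_PER_SEC = 1e4


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over an alphabet of
    `alphabet_size` symbols, i.e. alphabet_size ** length."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet).
    This is the real measure of resistance, and it only holds if the string
    is actually chosen at random rather than built from a pattern."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """A passphrase is a string over an alphabet of whole words, so the same
    formula applies with the dictionary as the alphabet."""
    return keyspace_bits(dictionary_size, n_words)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: on average the attacker
    searches half the keyspace before the match."""
    return 2.0 ** bits / 2.0 / guesses_per_second


def policy_report() -> dict:
    """Bits of entropy for the policies the article compares."""
    return {
        "complex_8_alnum": keyspace_bits(62, 8),       # 62^8 ~ 218 trillion, ~47.6 bits
        "complex_8_full_ascii": keyspace_bits(95, 8),  # 95^8 ~ 6.6e15, ~52.6 bits
        "lowercase_16": keyspace_bits(26, 16),         # 26^16, ~75.2 bits
        "passphrase_4_words": passphrase_bits(4, ASSUMED_DICTIONARY_SIZE),  # ~51.7 bits
    }


def generate_passphrase(wordlist, n_words: int = 4, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random(), so the
    entropy estimate above applies. Entropy depends on the list size and on
    uniform selection, not on how unusual the words look."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for name, bits in policy_report().items():
        fast = expected_crack_seconds(bits, FAST_HASH_GUESSES_PER_SEC)
        slow = expected_crack_seconds(bits, SLOW_KDF_GUESSES_PER_SEC)
        print(f"{name:22s} {bits:5.1f} bits  fast hash: {fast / 3600:12.1f} h"
              f"   slow KDF: {slow / 31_557_600:12.1f} y")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Running the report shows the point the summary makes: the 16-character lowercase string sits far above both eight-character policies, and a four-word passphrase from a large list beats the alphanumeric eight-character one, yet the time-to-crack column swings by seven orders of magnitude between the two assumed hash rates. Length and a slow, salted KDF compound; neither substitutes for the other.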
Read at The Hacker News