NIST's new password guidelines urge simplicity over complexity, recommending memorable passwords and reduced frequency of changes to keep data safer.
Many of us are guilty of creating lengthy and complex passwords to protect our devices from potential data breaches and hacking. This behavior stems from a heightened sense of security that experts have reinforced over the years. However, reports suggest that choosing a complicated password might do more harm than good. According to the US National Institute of Standards and Technology (NIST), passwords that are difficult to remember are no longer recommended. This significant change comes against the backdrop of increasing cyber-attacks globally, according to QBE European Operations.
As part of the widely accepted cybersecurity protocols, individuals and organizations have long been advised to use unique passwords and to replace them with new and better ones regularly. However, the latest guidelines from NIST suggest otherwise, advising people not to change their security codes frequently; rotating them on a fixed schedule is no longer considered a healthy practice, reported Sprinto. NIST now recommends updating passwords only when there is a good reason, such as when the user asks for a change or there is strong evidence that someone might have guessed the password.
We often save our passwords on our devices or write them down somewhere to avoid confusion caused by their complexity. However, the updated NIST SP 800-63-4 guidelines highlight that, in such cases, we are at an even greater risk: storing this sensitive information in one place creates a single target that hackers may go after. To mitigate this risk, people are advised to use simpler passwords that are easy to remember and do not need to be saved. Furthermore, NIST recommends that passwords should be between eight and fifteen characters in length, with less emphasis on including special characters or uppercase letters.
Experts firmly believe there are safer ways to protect your accounts than using predictable patterns, such as capitalizing the first letter or adding a '1' or '!' to the end. Instead, a more effective approach to password protection is relying on a long string of words rather than focusing on complexity. Online services often mandate that users construct passwords from a variety of character classes, but NIST's analysis of compromised password databases "shows that the benefit of such rules is less significant than initially thought." NIST, an agency under the US Department of Commerce, further asserts that organizations need not require employees to change their passwords every 60 to 90 days.
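The points above (no forced calendar rotation, a length-based minimum, and no composition rules) are easiest to see side by side in code. The following is an added example written for this page, not code from NIST or from the article: a legacy composition-rule policy of the kind many online services still enforce, next to a NIST-style policy that checks only length and a blocklist, plus a rotation rule that ignores password age. The sample blocklist and the example passphrases are constructed; the 64-character upper bound and the Unicode NFKC normalization are assumptions drawn from NIST's published verifier guidance rather than from the article.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample list standing in for a real common/compromised-password list.
# NIST's guidance has verifiers screen new passwords against such a list; the
# article only mentions NIST's analysis of compromised password databases.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "qwerty123", "letmein", "welcome1",
}

MIN_LENGTH = 8    # lower bound the article attributes to NIST
MAX_LENGTH = 64   # assumption: NIST asks verifiers to accept at least 64 characters


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def legacy_policy(pw: str) -> Verdict:
    """Composition-rule policy: demands an uppercase letter, a lowercase letter,
    a digit and a special character. 'Password1!' sails through this."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if not re.search(r"[A-Z]", pw):
        reasons.append("needs an uppercase letter")
    if not re.search(r"[a-z]", pw):
        reasons.append("needs a lowercase letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("needs a special character")
    return Verdict(not reasons, reasons)


def nist_style_policy(pw: str, min_length: int = MIN_LENGTH) -> Verdict:
    """Length-plus-blocklist policy: no composition rules, spaces and any
    printable characters allowed, common/compromised values rejected."""
    reasons = []
    # Assumption: normalize so the same passphrase typed on different keyboards
    # compares equal (NFKC, as NIST's verifier guidance suggests).
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common/compromised password list")
    return Verdict(not reasons, reasons)


def change_required(days_since_change: int, compromise_evidence: bool,
                    user_requested: bool) -> bool:
    """Rotation rule as the article describes it: a change is required only on
    evidence of compromise or at the user's request. The password's age is
    accepted as a parameter purely to make the point that it is ignored."""
    del days_since_change  # deliberately unused: no 60-to-90-day schedule
    return compromise_evidence or user_requested


def compare(pw: str) -> dict:
    """Run both policies on one candidate and report the verdicts together."""
    return {
        "legacy": legacy_policy(pw),
        "nist_style": nist_style_policy(pw),
    }


if __name__ == "__main__":
    # Constructed candidates: a predictable-pattern password and a plain passphrase.
    for candidate in ("Password1!", "blue kettle hums at dawn", "short"):
        result = compare(candidate)
        print(f"{candidate!r}:")
        for name, verdict in result.items():
            status = "accepted" if verdict.accepted else "rejected"
            print(f"  {name:11s} {status} {verdict.reasons}")
    print("change after 365 days, no evidence:", change_required(365, False, False))
    print("change after 3 days, compromise suspected:", change_required(3, True, False))
```

Running the block shows the mismatch the article describes: the composition policy accepts `Password1!` (capitalized first letter, trailing digit and `!`) while the NIST-style policy rejects it as a known common value, and the passphrase `blue kettle hums at dawn` fails the composition policy for lacking an uppercase letter and a digit but is accepted by the length-based one. The rotation helper returns False for a year-old password with no evidence of compromise and True as soon as compromise is suspected, regardless of age.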
Many businesses expect their workforce to keep updating their passwords to avoid potential cyberattacks. Referring to the "Digital Identity Guidelines," NIST states on its official website that the revision "responds to the changing digital landscape that has emerged since the last major revision" eight years ago. The latest changes incorporate the real-world implications of online risks. Finally, NIST recommends using a short sentence or sequence of words as a password, since these are easier to remember and difficult to guess. Such changes also reduce the likelihood that users store passwords in a note on their phone or reuse them, making their accounts more secure than ever. Are you thinking about incorporating these changes?