Passwords Can Be Simpler… Probably

You might be surprised to hear that headline from your IT professionals—I know I would have been a few weeks ago. There are some caveats, of course, but this really is the current expert recommendation. The idea is that instead of crafting a password like P@^SW3rd, you’d use something more like HorseBatteryStaple (IYKYK).

Just to be clear, this post is about passwords and passphrases, which are different from passkeys—and we covered those in a recent post.

The shift in guidance comes from real-world data on cyberattacks. Specifically, it’s based on recommendations from the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce. I couldn’t possibly summarize everything they do—partly because I’d definitely miss something—but they help set standards for everything from IT security to determining what time it is… really.

I came across their guidance while researching best practices for multifactor authentication. What I found was an absolute treasure trove of information—some of it geared toward cybersecurity specialists I hope to become someday, and some of it accessible enough for present‑day Nathan. And it was fascinating.

What NIST has observed is that complex passwords full of special characters and numbers aren’t actually stopping attackers. Their findings show that “many attacks associated with passwords are not affected by password complexity and length.” That shocked me. I can’t think of a major cloud provider that doesn’t require a mix of uppercase, lowercase, numbers, and symbols. So if complexity—and even length—aren’t reliably protecting you, what does?

Password length and multifactor authentication.

Here’s the reality: the more complex a password is, the more likely you are to write it down somewhere someone could find it. But if a password is too simple—or based on easily guessed personal info like your birthday or phone number—it’s just as vulnerable. That’s why multifactor authentication (MFA) is essential, and why NIST strongly recommends it. MFA can include biometrics (FaceID, Windows Hello) or authenticator apps like Microsoft Authenticator and other TOTP tools.

And once you’re using MFA, your password doesn’t need to be bulletproof. It just needs to be good enough and, most importantly, easy to memorize so you don’t write it down. Even better if you can make it unique for each service—so use a password manager (I like this one) and avoid memorizing dozens of them.

So what makes a password “pretty good”? Length! Even though length alone won’t make it unbreakable, it dramatically increases the time required for a computer to guess it. NIST notes that a password of 15 lowercase letters (no symbols, no numbers) would take a computer roughly five hundred years to crack if it were guessing 100 billion passwords per second.

That’s why there’s a shift from passwords to passphrases. Instead of one word with random characters tacked on, you combine several unrelated words into a phrase. The more unusual the combination, the better—something like “BlankCompassLedge” (though don’t use that one now that it’s on the internet). Many providers will still require numbers or special characters for a while, so add them where needed. But you can rest easy knowing you’re following the latest, most effective standard.
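To put numbers on the length-versus-complexity argument above, here is an added Python example (not code from this post or from NIST) that applies the post's 100-billion-guesses-per-second figure to a few constructed policies, including the case where an attacker guesses whole words from a list instead of individual letters:

```python
# Added example: worst-case exhaustive-search time for different password
# policies. The 1e11 guesses/second rate is the figure quoted in the post;
# it models an offline attack on a stolen fast hash, not online login guessing.
# The policies below are constructed for illustration, not NIST's own tables.

GUESSES_PER_SECOND = 100_000_000_000      # 100 billion, as in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover: alphabet^length."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def policy_report() -> dict:
    """Compare the post's two password styles and a word-list attack on passphrases."""
    cases = {
        # "P@^SW3rd"-style: 8 characters drawn from all 95 printable ASCII
        "8 chars, full printable set": (95, 8),
        # The NIST figure the post cites: 15 lowercase letters only
        "15 lowercase letters": (26, 15),
        # Passphrase built from a 7776-word list (Diceware-sized). If the
        # attacker guesses words, the "alphabet" is the word list and the
        # "length" is the word count, which is why unusual combinations matter.
        "3 words, attacker guesses words": (7776, 3),
        "5 words, attacker guesses words": (7776, 5),
    }
    return {name: years_to_exhaust(a, n) for name, (a, n) in cases.items()}


if __name__ == "__main__":
    for name, years in policy_report().items():
        print(f"{name:35s} {years:>12.4g} years")
```

The 15-lowercase-letter case lands at roughly 530 years, matching the post, while the 8-character complex password falls in under a day and a 3-word passphrase attacked word by word in seconds.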
