
Password Best Practices: Length Over Complexity

Key Points

  • The former “complexity + expiration” rules (mix of cases, numbers, symbols, frequent changes) make passwords harder to remember, prompting users to write them down and actually weaken security.
  • NIST’s updated guidance shifts focus to password **length**—encouraging long pass‑phrases that are easy to recall but hard to crack—while allowing passwords to remain unchanged indefinitely unless a compromise is detected.
  • Password hints displayed on login screens are discouraged because they give unauthenticated attackers useful information.
  • Traditional secret‑question password resets are insecure, as answers are often discoverable on social media; instead, organizations should use out‑of‑band methods such as phone calls or SMS for verification.
  • Adopting these new practices improves both security posture and user experience compared to the legacy policies.
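A policy checker contrasting the two rule sets in the key points, added here as an example (it is not code from the video or from NIST's document); the thresholds, the blocklist and the sample passwords are constructed for illustration.

```python
import math
import string

# Assumed thresholds for illustration; the page gives no specific numbers.
LEGACY_EXPIRY_DAYS = 90
MIN_LENGTH = 15
# Constructed blocklist of phrases "everyone else will guess" (the page's own
# "Mary had a little lamb" plus two more), matched after normalisation so
# case, spacing and punctuation variants are caught too.
BLOCKLIST = {"mary had a little lamb", "password", "letmein"}
# Legacy composition formula: (per-character test, complaint) pairs.
LEGACY_RULES = [
    (str.isupper, "needs an upper-case letter"),
    (str.islower, "needs a lower-case letter"),
    (str.isdigit, "needs a digit"),
    (lambda c: c in string.punctuation, "needs a symbol"),
]

def normalise(pw: str) -> str:
    return "".join(c for c in pw.lower() if c.isalnum())

_BLOCKED = {normalise(p) for p in BLOCKLIST}

def legacy_policy(pw: str, age_days: int) -> list[str]:
    """Old rules: a character-class formula plus forced expiration."""
    problems = [msg for test, msg in LEGACY_RULES if not any(test(c) for c in pw)]
    if age_days > LEGACY_EXPIRY_DAYS:
        problems.append("expired, must be changed")
    return problems

def length_first_policy(pw: str) -> list[str]:
    """New rules: minimum length and a blocklist; no formula, no expiry."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(pw) in _BLOCKED:
        problems.append("well-known phrase, easily guessed")
    return problems

def brute_force_bits(pw: str) -> float:
    """Keyspace in bits for exhaustive search over the smallest character set
    covering pw ('length is strength'). A phrase from a dictionary is guessed
    far sooner than this suggests, which is why the blocklist exists."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c == " " or c in string.punctuation,
                len(string.punctuation) + 1)]
    size = sum(n for test, n in classes if any(test(c) for c in pw))
    return len(pw) * math.log2(size) if size else 0.0
```

The short formula password passes the legacy check but fails the length-first one, while the long passphrase does the reverse, and the keyspace figures show why length wins.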

**Source:** [https://www.youtube.com/watch?v=xUp5S0nBnfc](https://www.youtube.com/watch?v=xUp5S0nBnfc)
**Duration:** 00:02:56

Sections

  • [00:00:00](https://www.youtube.com/watch?v=xUp5S0nBnfc&t=0s) **NIST Password Guidance: Length Over Complexity** - The speaker explains that NIST’s latest password recommendations replace complex‑mix rules and frequent expirations with longer passphrases and indefinite lifetimes to improve security.

Full Transcript
0:00 I hate to tell you this, but you're probably doing passwords wrong. At least that's what the National Institute of Standards says in the document they produced a few years ago with password guidance that basically says what we've been doing as an organization with password strength policies is making security worse, not better.

0:17 So the old rules, let's take a look at those. It was that there was a formula that you needed to follow: a mixture of upper and lower case characters, numbers, special characters, things like that. And what that does, in combination with an expiration date, is make it so that users end up with passwords they can't remember. And if they can't remember them, then they have to write them down, and if we make them change them a lot, then they've really got to write them down.

0:45 So instead of the old rules of a formula and expiration, in fact the new guidance is that we should look at length. Length is strength when it comes to passwords. The longer your password, the harder it's going to be to crack. And if you choose something like a passphrase, something that is something you will remember, maybe even a sentence: if you came up with "Mary had a little lamb," you can remember that very easily. Now don't choose that one, because everyone else will guess it, but some phrase like that is long and hard to crack and easy to remember.

1:17 And don't change your password. The new rules say have them last indefinitely. Unless there's a particular reason to change a password, leave it in place, because changing them constantly is causing people to choose bad passwords and write them down.

1:32 Old rules also said provide hints in case you can't remember your password, right there on the login screen. It might say something like, okay, here's a question to help you remember what your password is.

1:43 The new rules say nope, no hints, because think about it this way: why would we give a hint to an unauthenticated user? We don't know if it's you or not. If you're the bad guy, I don't want to be making it easier for you to guess what my password is.

1:58 And the old rules all relied on secret questions to reset. If I've forgotten my password and need to come up with a new one, then there's a set of questions that I'll ask you that presumably only you would know the answer to.

2:12 The new rules say no, go out of band for that kind of connection, for that kind of reset. In other words, make a phone call, make a text message, use some other form of communication in order to verify that the user is who they claim to be, because the secret questions turn out not to be all that secret. In fact, most of those answers that relate to your favorite this or that, or your high school mascot, can all be found on social media.

2:38 So old rules lead to more insecure passwords; new rules lead us to a better user experience and better security.

2:47 Thanks for watching. Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.