Pierluigi Paganini February 24, 2020

The FBI recommends using longer passwords composed of multiple words into a long string of at least 15 characters instead of short passwords including special characters.

Recent guidance from the National Institute of Standards and Technology (NIST) highlights that the password length is much more important than password complexity.

The recommendations are part of the Protected Voices initiative launched by the FBI to help 2020 political campaigns and American voters protect against online foreign interference. The FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence have provided guidance and information as part of the Protected Voices campaign.

Which are the most secure passwords? This is one of the most debated issues when dealing with cyber security.

Some experts believe that increasing the password complexity by adding numbers, uppercase letters, and special characters is the most secure approach, other researchers suggest adopting longer passwords.

The FBI is opting for the first approach.

“If you use a simple password or pattern of characters, it’s considerably easier for an adversary to crack.” reads the advisory published by the FBI.

“Instead of using a short, complex password that is hard to remember, consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.”

The feds believe passphrases are harder to crack, even when they have been composed using simple words.

“Require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters.” recommends the NIST to organizations.

In November 2019, DHS also recommended using passphrases over passwords

“The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (8–64 characters) when you can.” states the DHS. “For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters and includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—for example, some applications limit the length of passwords and some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.”

Pierluigi Paganini

(SecurityAffairs – hacking, passphrases)

[adrotate banner=”5″]

[adrotate banner=”13″]