Strong passwords? Better sentences, according to the FBI
The FBI has issued a statement saying that it is better to use sentences as passwords than short, complex passwords: they are easier to remember, and long passwords are also harder to crack.
The debate has been going on for some time in the world of security: is it better to use short but complex passwords or long but relatively simple passwords?
The FBI has sided with this second school of thought and officially recommends using multi-word passwords (passphrases in English) instead of short passwords with numbers, capital letters, and special symbols.
Which password to choose? The FBI recommends simple but long passwords.
You have to surrender to the facts: randomly generated passwords such as 4&;{ohnFQr/U*H"3 are impossible to remember. Somewhat easier, in absolute terms, are passwords like 4mpl1f1catore!2, but remembering which character was used in which position remains hard. UnaParolaChiaveLungaAPiacere has a higher entropy level than the randomly generated password (93.51 bits versus 92.34 bits, according to KeePassXC) and is infinitely easier to remember.
Just the ease of remembering passphrases, combined with a high level of security, prompted the FBI to officially recommend the adoption of longer passwords instead of shorter but more complex ones.
The recommendation, borrowed from NIST (the National Institute of Standards and Technology), is to use passwords of 15 characters or more, with no particular requirements for capital letters, numbers, or special characters. The full list of recommendations is available here.
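The two ideas above, entropy as a function of length and a length-only policy with no composition rules, as an added example (not code from the article, the FBI or NIST). It uses textbook keyspace estimates, so it will not reproduce the KeePassXC figures quoted earlier, which come from a pattern-aware estimator; the blocklist is a constructed stand-in for a real breached-password corpus.

```python
import math

# Constructed stand-in for a breached/common-password blocklist (assumption:
# a real deployment loads a large corpus here, e.g. a Pwned Passwords export).
COMMON_PASSWORDS = {"password123456", "correcthorsebatterystaple", "qwertyuiopasdfg"}

PRINTABLE_ASCII = 95    # symbols a random password generator can draw from
DICEWARE_WORDS = 7776   # size of a standard diceware word list (6**5)


def char_entropy_bits(password: str) -> float:
    """Upper bound: attacker brute-forces every printable-ASCII string of this length."""
    return len(password) * math.log2(PRINTABLE_ASCII)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Realistic bound for a passphrase: the attacker knows the word list and
    only has to guess which words were chosen, so length in characters is irrelevant."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_WORDS) -> int:
    """How many random words from the list reach a given entropy target."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def check_nist_policy(password: str, min_length: int = 15) -> tuple:
    """NIST-style check as described in the article: a length floor and a
    blocklist lookup, but no capital/number/symbol composition rules."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears in the common-password blocklist"
    return True, "ok"


if __name__ == "__main__":
    random16 = 'x' * 16  # placeholder for a 16-character random password
    print(f"16 random chars : {char_entropy_bits(random16):.1f} bits")
    for n in (4, 6, 8):
        print(f"{n} diceware words: {passphrase_entropy_bits(n):.1f} bits")
    print(f"words to match 16 random chars: {words_needed(char_entropy_bits(random16))}")
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple", "una parola chiave lunga a piacere"):
        print(pw, "->", check_nist_policy(pw))
```

The takeaway for a policy author is that a passphrase's strength is set by how many words were chosen at random, not by its character count, and that a length floor plus a blocklist catches the cases composition rules were meant to catch.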
This fits perfectly into the broader discussion about simplifying security measures to make life easier for people within organizations. The topic has been discussed for some time, but it is now the focus of attention and part of a wider review of approaches to security.
Using longer but easier-to-remember passwords can significantly increase security within companies and on personal devices and services. As XKCD points out, "for twenty years, we have successfully taught everyone to use passwords that are difficult for humans to remember but easy for computers to guess." It is time to change course.