FBI recommends passphrases over password complexity

Longer passwords, even consisting of simpler words or constructs, are better than short passwords with special characters.


For more than a decade now, security experts have had discussions about what's the best way of choosing passwords for online accounts.

There's one camp that argues for password complexity by adding numbers, uppercase letters, and special characters, and then there's the other camp, arguing for password length by making passwords longer.

This week, in its weekly tech advice column known as Tech Tuesday, the FBI Portland office positioned itself on the side of longer passwords.

"Instead of using a short, complex password that is hard to remember, consider using a longer passphrase," the FBI said.

"This involves combining multiple words into a long string of at least 15 characters," it added. "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."

Passphrases are harder to crack

The idea behind the FBI's advice is that a longer password, even if relying on simpler words and no special characters, will take longer to crack and require more computational resources.

Even if hackers steal your encrypted password from a hacked company, they won't have the computing power and time needed to crack the password.

Academic research published in 2015 supports this argument, explaining that "the effect of increasing the length dwarfs the effect of extending the alphabet [adding complexity]."

The FBI's advice echoes a now-infamous XKCD webcomic that made the concept of passphrases-over-passwords widely known among internet users.

Image: XKCD "Password Strength" comic, XKCD.com/936/

Today, there are web services that will help you generate passphrases in the XKCD style.

There are also open-source libraries that developers can use to add an auto-generate passphrase function in their apps.
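To make the length-versus-alphabet argument concrete, and to show what an auto-generate passphrase function of the kind mentioned above looks like, here is an added example (not code from the FBI, the 2015 paper, or any of the libraries the article refers to). It computes the entropy of an 8-character password drawn from all 95 printable ASCII characters and compares it with longer lowercase-only strings and with word-based passphrases, then generates an XKCD-style passphrase with the `secrets` module and enforces the 15-character minimum from the FBI advice. The word list is a small constructed sample; the 7776 figure is the size of a standard diceware list and is only used for the arithmetic.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real generator would
# load a large curated list (a diceware-style list has 7776 words).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "cloud", "river",
    "garden", "pencil", "window", "silver", "maple", "orbit",
]

MIN_PASSPHRASE_LEN = 15        # the FBI's "at least 15 characters"
DICEWARE_LIST_SIZE = 7776      # assumed size of a standard diceware word list


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols, each chosen uniformly from `alphabet_size` options.

    A 'symbol' can be a character (alphabet = character set) or a whole word
    (alphabet = word list), which is what makes passphrases easy to reason about.
    """
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at a given offline guessing rate (assumed 10^10/s)."""
    return 2 ** bits / guesses_per_second


def compare_length_vs_alphabet() -> dict:
    """Return entropy (bits) for a few schemes; longer-but-simpler beats shorter-but-complex."""
    return {
        "8 chars, 95 printable ASCII": entropy_bits(95, 8),
        "16 chars, 26 lowercase letters": entropy_bits(26, 16),
        "4 words from diceware list": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 words from diceware list": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }


def generate_passphrase(words, n_words=4, separator="-",
                        min_len=MIN_PASSPHRASE_LEN, rng=secrets):
    """Pick words uniformly at random (secrets, not random) and join them.

    If the result is shorter than min_len, more words are appended; the first
    n_words are still uniformly chosen, so entropy never drops below
    n_words * log2(len(words)).
    """
    chosen = [rng.choice(words) for _ in range(n_words)]
    phrase = separator.join(chosen)
    while len(phrase) < min_len:
        chosen.append(rng.choice(words))
        phrase = separator.join(chosen)
    return phrase


def passphrase_entropy(words, phrase, separator="-") -> float:
    """Lower bound on the entropy of a phrase produced by generate_passphrase."""
    n_words = len(phrase.split(separator))
    return entropy_bits(len(words), n_words)


if __name__ == "__main__":
    for scheme, bits in compare_length_vs_alphabet().items():
        print(f"{scheme:32s} {bits:6.1f} bits  "
              f"~{seconds_to_exhaust(bits) / 86400 / 365:.1e} years at 1e10 guesses/s")
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, f"({passphrase_entropy(SAMPLE_WORDS, phrase):.1f} bits from this tiny list)")
```

Run as a script it prints the comparison table and one generated phrase. The key number to notice is that 16 lowercase letters (about 75 bits) outrank 8 characters drawn from the full printable set (about 53 bits), which is the "length dwarfs alphabet" result the article cites; the tiny sample list in the script gives weak phrases, so a production generator must use a list of thousands of words.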

Furthermore, NIST password recommendations issued in 2017 have also urged websites and web services to accommodate longer password fields of up to 64 characters for this same reason -- to let users choose passphrases instead of short passwords.

The same NIST guideline also recommended using passphrases over passwords where possible, a recommendation picked up in a DHS security tip issued in November 2019 that likewise urged users to give passphrases a try.

CorrectHorseBatteryStaple!