
Do Complicated Passwords Help Us Be More Secure?

14 October 2020

We use passwords everywhere these days: not just on our computers but on a growing range of electronic devices and across the endless accounts we seem to accumulate. As websites and services add security measures to protect our sensitive data, we are increasingly asked to create complex passwords. But are we actually benefiting?



Where did passwords come from?

Passwords have been around in one form or another for centuries. It is thought that the Roman military used watchwords to distinguish friend from foe, and there are documented uses of ciphers throughout history. The first use of passwords on a computer, however, came in the early 1960s at MIT. Fernando Corbató introduced the password as a way to protect each user's files from being read by the other researchers who shared the Compatible Time-Sharing System (CTSS). Until the World Wide Web boom of the 1990s, computer passwords were not a significant concern; suddenly there needed to be a way to protect the growing volume of sensitive data being collected about people.


When did passwords become complex?

In 2003 the US National Institute of Standards and Technology (NIST) released official guidance written by an engineer named Bill Burr. This guidance became the basis on which password requirements were set for years afterwards. In his eight-page document, Burr outlined the need for passwords to mix lower- and upper-case letters, numbers and special characters, and to meet a minimum length. He also advised that passwords should be changed regularly.


Did it improve security?

There is no doubt that a long, complex password is a better choice than a short, easily guessed one, but long passwords have drawbacks. Human memory struggles to recall a long string of letters, numbers and symbols, so most people either write the password down, which creates a security problem of its own, or reuse the same password for all of their accounts. If an attacker guesses or steals that one password, they gain access to every account that shares it, and this remains a very common problem. Faced with dozens of accounts, people cannot create and remember a unique, strong password for each one, so they fall back on something easy to remember. That would matter less if so many people did not think alike and choose the same easy passwords: analyses of leaked password sets have repeatedly found that the most popular password worldwide is '123456'. Composition rules also push people toward predictable patterns, such as capitalising the first letter, adding a '1' or '!' at the end, or swapping letters for look-alike symbols ('P@ssw0rd'), and password-cracking tools try exactly those patterns first. The concept was promising, but most people did not understand the reasoning behind the rules, did not follow the guidance when choosing passwords, and opted for convenience instead.


What is the advice now?

In 2017 NIST overhauled its guidance completely (in Special Publication 800-63B) and now recommends allowing long passphrases: a string of several unrelated words is easier to remember than a jumble of characters, and because it is much longer it is also much harder for a computer to guess. NIST also dropped the requirement to mix character classes, advising instead that a chosen password be checked against lists of commonly used and previously breached passwords and rejected if it appears there. It no longer recommends changing passwords on a schedule; a password should be changed only when there is a reason to, for example when a breach has occurred. Alongside this, the current trend is toward two-factor authentication, combining a password with a second factor such as a biometric, which improves security while maintaining convenience.
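To make the difference between the two generations of advice concrete, here is an added example in Python (not code from the original article or from NIST): the 2003-style composition check beside an SP 800-63B-style check that relies on length and a breached-password blocklist instead, plus the entropy arithmetic that shows why a random passphrase competes with a random character string. The blocklist and the wordlist are small constructed samples so the script runs offline; a real deployment would screen against a large breach corpus and draw passphrases from a full Diceware-style list.

```python
import math
import re
import secrets

# Constructed sample of a breached/common-password blocklist. A real deployment
# screens against a large corpus (for example the Have I Been Pwned list);
# these few entries exist only so the example runs offline.
BREACHED_PASSWORDS = {
    "123456", "password", "qwerty", "p@ssw0rd", "letmein", "iloveyou", "admin",
}

# Constructed 16-word list for the passphrase generator. A Diceware-style list
# has 7776 words; the entropy figures below assume that size, not this toy list.
WORDLIST = [
    "correct", "horse", "battery", "staple", "lantern", "velvet", "glacier",
    "orbit", "pumpkin", "walnut", "cactus", "meadow", "anchor", "falcon",
    "marble", "thunder",
]
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 94  # symbols a fully random 2003-style password draws from


def legacy_complexity_ok(pw: str) -> bool:
    """2003-style composition rules: 8+ characters drawn from all four classes."""
    return (
        len(pw) >= 8
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def _is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '12345678' (each char one code point up)."""
    return len(s) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def modern_policy_check(pw: str, context_words=()) -> tuple[bool, str]:
    """SP 800-63B-style check: length bounds and a blocklist, no composition rules."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 64:  # 800-63B says to accept at least 64; this example caps there
        return False, "longer than the 64 characters this example accepts"
    lowered = pw.lower()
    if lowered in BREACHED_PASSWORDS:
        return False, "found in the breached-password list"
    for word in context_words:  # e.g. the site name or the user's own username
        if word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    if len(set(lowered)) == 1:
        return False, "one character repeated"
    if _is_sequential(lowered):
        return False, "sequential characters"
    return True, "accepted"


def guess_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    """Pick words with a CSPRNG; strength comes from the list size, not the words."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "12345678"):
        print(f"{candidate!r}: legacy rules {legacy_complexity_ok(candidate)}, "
              f"modern check {modern_policy_check(candidate)}")
    print("random 8 printable chars:", round(guess_entropy_bits(PRINTABLE_ASCII, 8), 1), "bits")
    print("4 Diceware words        :", round(guess_entropy_bits(DICEWARE_SIZE, 4), 1), "bits")
    print("6 Diceware words        :", round(guess_entropy_bits(DICEWARE_SIZE, 6), 1), "bits")
    print("example passphrase      :", generate_passphrase())
```

Running it shows the point of the 2017 change: 'P@ssw0rd' satisfies every 2003-style rule yet is rejected by the blocklist, while 'correct horse battery staple' fails the old rules and passes the new check. Four words chosen at random from a 7776-word list carry about 51.7 bits of entropy, roughly the same as eight truly random printable characters (52.4 bits), and adding a fifth or sixth word raises that far more easily than a human can memorise extra random symbols.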