
We've all seen the annoying password requirements: "You must use capital letters, lowercase letters, numbers, and symbols." Supposedly, this makes your password harder to guess. But is it really more secure?
Nope. It's all nonsense.
Where It Came From
The idea sprang from a non-technical government bureaucrat named Bill Burr who was writing technical guidelines in 2003. He thought a mix of character types would "just make sense." Years later, he publicly admitted he was wrong. Unfortunately, we're still plagued with these bogus requirements everywhere.
What Actually Makes a Password Secure
Length. That's it.
A brute-force attack cycles through all possible character combinations. An 8-character password — whether it's "password" or "f+G49&jQ" — takes roughly the same amount of time to crack by exhaustive search, because the number of combinations depends on the character count, not on which characters you picked. Every additional character multiplies that number again, so the work grows exponentially with length. A 9-character password takes dramatically longer than an 8-character one, and by the time you reach 20 characters you're talking about centuries of compute time.
The Ideal Password
A great password is:
- Hard for a person to guess — don't use your name, birthday, or anything personal
- Hard for a computer to crack — long, not complex
- Easy for you to remember — if you can't remember it, you'll write it on a sticky note
The best approach: take two hobbies, pick a word from each, and combine them into a phrase. If you like football and woodworking, something like "TouchdownMortiseSafetyLathe" is an excellent password. Throw a number and exclamation point on the end if a site insists on it.
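To put numbers on the length-versus-complexity argument and on the two-hobbies passphrase scheme, here is an added Python example (not code from the original post) that computes the search space, its strength in bits, and the worst-case time to exhaust it. The guess rate of 1e10 per second and the 10,000-word vocabulary are constructed assumptions, not figures from the post.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes: lowercase letters, mixed case, and all printable ASCII.
LOWER, MIXED, PRINTABLE = 26, 52, 95

# Constructed assumption, not a measured figure: about 1e10 guesses per
# second, the order of magnitude of an offline GPU attack on a fast hash.
FAST_HASH_RATE = 1e10

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    """Equivalent strength in bits of a space with that many candidates."""
    return math.log2(space)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length over this alphabet that reaches the target strength."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def report(rate: float = FAST_HASH_RATE) -> list:
    """Compare random-character passwords with word-based passphrases."""
    cases = [
        ("8 random printable chars", keyspace(PRINTABLE, 8)),
        ("9 random printable chars", keyspace(PRINTABLE, 9)),
        ("20 random lowercase chars", keyspace(LOWER, 20)),
        # A 4-word phrase like the post's attacked character by character...
        ("27 mixed-case chars, char-by-char", keyspace(MIXED, 27)),
        # ...versus an attacker who knows the words-from-hobbies scheme and
        # guesses from a 10,000-word vocabulary (constructed size).
        ("4 words from 10,000-word list", keyspace(10_000, 4)),
        ("6 words from 10,000-word list", keyspace(10_000, 6)),
    ]
    return [(label, entropy_bits(s), years_to_exhaust(s, rate)) for label, s in cases]

if __name__ == "__main__":
    for label, bits, years in report():
        print(f"{label:36s} {bits:6.1f} bits  {years:12.3g} years")
    print("lowercase length matching 8 random printable chars:",
          length_for_bits(LOWER, entropy_bits(keyspace(PRINTABLE, 8))))
```

The table makes the caveat visible: against an attacker who knows the scheme and the word list, a 4-word phrase is only about as strong as 8 random printable characters, and it is the fifth and sixth word, not a digit or symbol, that buys the real margin.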
And those requirements to rotate your password every 90 days? Not helpful either. A strong, memorable passphrase you never change beats a complex short one you reset every quarter.