Password Combining Letters, Numbers, and Special Characters
May Actually Be More Vulnerable to Hacking
Concerns Over Neglect Due to Users Easily Forgetting
US NIST Recommends Long 'Passphrase' That Is Easy to Remember
The password change window of a domestic website. When setting a new password, most websites recommend creating a complex password by mixing special characters, uppercase and lowercase letters, and numbers. The photo above is not related to any specific statement in the article. / Photo: website screen capture
[Asia Economy Reporter Lim Juhyung] “Please set your password by combining uppercase and lowercase English letters, numbers, and special characters.”
This is a phrase we often see when signing up on websites. Nowadays, most domestic and international websites recommend creating complex passwords by combining letters, numbers, and special characters. However, overly complicated passwords can negatively affect account security. Instead, longer passwords composed of words or phrases that are easier for users to remember can be safer.
The password setting guidelines commonly used worldwide today were actually established in 2003 by the U.S. National Institute of Standards and Technology (NIST). These guidelines were created by Bill Burr, an American researcher who worked as a manager at NIST at the time, and have since become the standard for password policies for all online accounts globally.
The safe password setting rules proposed by Burr at that time included ▲ setting passwords that mix uppercase and lowercase letters, numbers, and special characters so that patterns cannot be easily read, and ▲ changing passwords regularly. These recommendations are now very familiar to us.
But did you know that these guidelines were partially revoked in June 2017? At that time, NIST removed recommendations for special character input and password expiration from the guidelines, citing that such rules did not significantly help account security.
In August of the same year, Burr explained the reason for deleting these guidelines in an interview with the U.S. media outlet The Wall Street Journal (WSJ). He admitted that the recommendations he made in 2003 were “not good from a security perspective.”
Bill Burr, the IT expert who worked at the U.S. National Institute of Standards and Technology and wrote the 2003 password setting guidelines. / Photo: online community capture
According to Burr, passwords created by combining multiple numbers and characters are difficult even for users to remember, so once a password is set, users tend to use the same password across multiple accounts. Also, when expiration dates are set to force frequent password changes, most users simply change one number slightly.
Because of this, account security actually became more vulnerable. Hackers found it easier to identify password patterns for specific accounts, and once they discovered one password, multiple accounts became simultaneously at risk.
So, what kind of password can better protect your account? Burr advised in the interview that “long passwords composed of words or phrases that you can easily remember might be better.” In other words, he recommended long passwords over complex ones.
Long passwords made up of words or sentences carry the risk that hackers might infer patterns or associations. However, for defending against commonly used hacking techniques today, long passwords can be more suitable than complex ones.
The hacking method mainly used today is called a “brute force attack.” It cracks passwords by having a computer program generate every possible combination of characters and try them one by one.
If a person had to type and try each password by hand, it would take a very long time, but computers can perform thousands of operations per second using parallel processing. This makes the brute force attack a very simple yet effective hacking technique.
Brute force attacks, which try thousands of candidate strings per second to crack passwords, are one of the commonly used hacking techniques today. / Photo by Yonhap News
The most efficient way to defend against such attacks is to increase the number of possible password combinations. According to NIST recommendations, using passphrases of 15 characters or more can withstand brute force attacks for a long time, even against the latest computing equipment.
Hackers without advanced parallel processing programs would not even dare to attempt such attacks, so long passwords are relatively safer than merely complex passwords. Of course, adding complex characters to long passwords and regularly updating them would provide an even more secure environment.
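The following worked example is added here to put numbers on the article's point; it is not part of the original article and not NIST's own calculation. It counts the possible combinations for a typical 8-character "complex" password versus a 15-character lowercase passphrase, and estimates how long an exhaustive search would take at an assumed guessing rate. The character-set sizes (printable ASCII) and the guess rate of ten billion guesses per second are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Assumed character-class sizes, taken from printable ASCII:
# 26 lowercase, 26 uppercase, 10 digits, 33 symbols (95 printable characters in total).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SPECIAL  # 95

# Assumed attacker guessing rate for the time estimate (constructed for illustration).
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


@dataclass(frozen=True)
class Policy:
    """A password policy described only by its character set size and length."""
    name: str
    charset_size: int
    length: int

    def keyspace(self) -> int:
        # Number of distinct passwords the policy allows: charset_size ** length.
        return self.charset_size ** self.length

    def entropy_bits(self) -> float:
        # Equivalent strength in bits if every allowed password were equally likely.
        return self.length * math.log2(self.charset_size)


def expected_seconds(policy: Policy, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: an exhaustive search succeeds
    halfway through the keyspace on average."""
    return policy.keyspace() / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare(policies, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND):
    """Return (name, entropy bits, expected seconds) per policy, weakest first."""
    rows = [(p.name, p.entropy_bits(), expected_seconds(p, guesses_per_second)) for p in policies]
    return sorted(rows, key=lambda r: r[1])


# The two policies the article contrasts.
COMPLEX_8 = Policy("8 chars, letters+digits+symbols", ALL_PRINTABLE, 8)
PASSPHRASE_15 = Policy("15 chars, lowercase words only", LOWER, 15)

if __name__ == "__main__":
    for name, bits, secs in compare([COMPLEX_8, PASSPHRASE_15]):
        print(f"{name:36s} {bits:6.1f} bits  ~{human_duration(secs)} to crack on average")
```

Even though the passphrase uses only lowercase letters, its keyspace (26 to the 15th power) is about 250,000 times larger than that of the 8-character password drawn from all 95 printable characters, which is the arithmetic behind the article's "long beats complex" advice. The estimate assumes the attacker has no better strategy than trying every combination; a passphrase built from a few very common words in a predictable order is weaker than this count suggests, which is the caveat the article raises about inferable patterns.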
The reason Burr withdrew the guidelines he created was that he realized, albeit late, that most people do not put effort into creating difficult passwords.
In other words, truly secure passwords depend on the effort we put into setting and managing them.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.