
This advice hasn’t changed for decades. Use a complex password that includes uppercase and lowercase letters, numbers, and symbols. The idea is to make it difficult for hackers to crack passwords using brute force techniques. However, more recent guidance indicates that the focus should be on password length rather than password complexity. Length is a more important security factor, and passphrases are the easiest way to force users to create (and remember) long passwords.
The important mathematics
When an attacker steals a password hash from a breach, they perform a brute force attack by hashing millions of guesses per second until something matches. The time this takes depends on how many possible combinations there are.
A traditional 8-character “complex” password (P@ssw0rd!) has approximately 218 trillion combinations. That sounds impressive until you realize that modern GPU setups can test those combinations in months rather than years. Increase the length to 16 characters using only lowercase letters and you get 26^16 combinations, billions of times harder to crack.
That is effective entropy: the actual randomness the attacker has to search. Stringing three or four random common words together (“carpet-static-pretzel-invoke”) yields far more entropy than cramming symbols into a short string, and users can actually remember it.
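The arithmetic behind those figures, as an added example that is not part of the original article: it computes the keyspace and entropy of the three cases above and a worst-case time to exhaust each at an assumed guess rate. The 62-symbol alphabet reproduces the article's 218 trillion figure; the 7776-word list and the guess rate are assumptions.

```python
import math

# Assumption (constructed): an offline cracking rig trying this many guesses per
# second. Real rates vary by orders of magnitude with the hash algorithm.
GUESSES_PER_SECOND = 1e8
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates when each of `length` positions is drawn
    uniformly from `alphabet_size` symbols (or words, for a passphrase)."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Effective entropy in bits, assuming every candidate is equally likely."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate, in years."""
    return space / rate / SECONDS_PER_YEAR


def compare() -> dict:
    """Entropy and exhaustion time for the article's three cases."""
    cases = {
        # 8 characters from letters and digits (62 symbols): the "complex" password
        "complex8": keyspace(62, 8),
        # 16 characters, lowercase letters only: the length-over-complexity case
        "lower16": keyspace(26, 16),
        # 4 words chosen uniformly from an assumed 7776-word list
        "words4": keyspace(7776, 4),
    }
    return {
        name: {"bits": round(entropy_bits(space), 1),
               "years": years_to_exhaust(space)}
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:9s} {result['bits']:6.1f} bits  {result['years']:.3g} years")
```

The word-based case only reaches the entropy shown if the words are chosen at random from the list, which is why the guidance below insists on unrelated words rather than a memorable phrase.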
Why passphrases are a win all around
The case for passphrases is not theoretical but operational.
Fewer resets. When passwords are memorable, users stop writing them on post-it notes or reusing similar variations across accounts. The reduction in help desk tickets alone should justify the change.
Increased attack resistance. Attackers optimize for patterns: they test dictionary words with common substitutions (@ for a, 0 for o), because that is what people do. A four-word passphrase avoids these patterns entirely, but only if the words are truly random and unrelated.
Compliant with current guidance. NIST has made it clear that it favors length over forced complexity. The traditional 8-character minimum should be a thing of the past.
There’s one rule worth following
Stop managing 47 password requirements. Give your users one clear instruction.
Choose 3-4 unrelated common words and separate them with punctuation. Avoid song lyrics, proper names, and famous phrases. Do not reuse a passphrase across accounts.
Example: mango-glacier-laptop-furnace or cricket.highway.mustard.piano
That’s it. No required capital letters, no required symbols, no complexity theater. Just length and randomness.
Deploy without confusion
Authentication changes can cause resistance. Here’s how to minimize friction:
Start with a pilot group of 50 to 100 users from different departments. Give them new guidance and monitor (but don’t force) them for two weeks. Be aware of patterns: Are people using pop culture phrases as defaults? Do they consistently meet minimum length requirements?
Then move your entire organization to alert-only mode. If the new passphrase is weak or compromised, the user is alerted but not blocked. This allows you to increase awareness without creating support bottlenecks.
Enforce only after measuring:
Passphrase adoption rates
Reduced help desk resets
Blocked password hits from the blocklist
User-reported issues
Track these as KPIs. It will tell you if this is working better than the old policy.
Continue to use appropriate policy tools
Three updates to Active Directory password policies are required to properly support passphrases.
Increase the minimum length. Change from 8 characters to 14 or more. This accommodates passphrases without causing problems for users who still prefer traditional passwords.
Remove forced complexity checking. Stop requiring capital letters, numbers, and symbols. Length reduces user effort and improves security.
Block compromised credentials. This is non-negotiable. Even the strongest passphrase is useless if it has already been compromised. The policy must check submissions against a list of known compromised passwords in real time.
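The three policy updates above expressed as a password check, together with the alert-only mode from the rollout section: an added example, not code from the article or from Specops. The 14-character floor comes from the article; the blocklist entries are constructed samples, and a real deployment would load a breach-derived list.

```python
import hashlib

MIN_LENGTH = 14  # the article's recommended floor: 14 characters or more

# Constructed sample blocklist, stored as SHA-1 digests so the plaintext list
# never has to ship with the policy engine. Real lists hold billions of entries.
_COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("P@ssw0rd!", "correcthorsebatterystaple", "Summer2024!!!!")
}


def is_compromised(password: str) -> bool:
    """Look the candidate up by digest in the compromised-password blocklist."""
    return hashlib.sha1(password.encode()).hexdigest() in _COMPROMISED_SHA1


def evaluate(password: str, mode: str = "block") -> dict:
    """Apply the passphrase policy.

    Only two checks exist on purpose: minimum length and the blocklist. There is
    no character-class (complexity) requirement. In "alert" mode a failing
    candidate is still accepted, but the warnings are returned so the user can
    be told; in "block" mode any warning rejects it.
    """
    if mode not in ("block", "alert"):
        raise ValueError("mode must be 'block' or 'alert'")
    warnings = []
    if len(password) < MIN_LENGTH:
        warnings.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(password):
        warnings.append("appears in the compromised-password blocklist")
    accepted = not warnings or mode == "alert"
    return {"accepted": accepted, "warnings": warnings, "mode": mode}


if __name__ == "__main__":
    for candidate in ("mango-glacier-laptop-furnace", "P@ssw0rd!",
                      "correcthorsebatterystaple"):
        print(candidate, evaluate(candidate), evaluate(candidate, mode="alert"))
```

Note that the long, all-lowercase "correcthorsebatterystaple" passes the length check and has no complexity to fail, yet is still rejected in block mode because it is on the list; that is the case the third update exists for.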
Self-service password reset (SSPR) can help you during migration. Users can securely update their credentials whenever they want, so your help desk isn’t a bottleneck.
Password auditing provides visibility into adoption rates. You can identify accounts that still use short passwords or common patterns and target those users with additional guidance.
Tools like Specops Password Policy handle all three functions: extending policy minimums, blocking over 4 billion compromised passwords, and integrating with SSPR workflows. Policy updates are synced to Active Directory and Azure AD without additional infrastructure, and blocklists are updated daily as new breaches occur.
What actually happens
Imagine that the policy requires 15 characters, with all complexity rules removed. The next time a user changes their password, they create the passphrase unsall-coaster-fountain-sketch. A tool like Specops Password Policy checks it against compromised password databases, and it comes back clean. It is four concrete images linked together, so the user remembers it without a password manager, and it isn’t reused because it’s unique to this account.
After six months, there are no reset requests. No more post-it notes, and no more calls to the help desk over a forgotten symbol. Nothing innovative. Just simple and effective.
The security you really need
Passphrases are not a silver bullet. MFA remains important. Monitoring for compromised credentials remains important. But if you’re spending resources changing password policies, you should be spending those resources on increasing minimum values, simplifying rules, and actually protecting against credential compromise.
Attackers still steal hashes and perform offline brute force attacks. What has changed is our understanding of what actually slows them down, and your next password policy should reflect that. Interested in trying it out? Schedule a live demo of Specops Password Policy.