FBI (& More) Recommends Using Passphrases Instead of Passwords

For more than a decade, security experts have debated the best way to choose passwords for online accounts.

One group argues for password complexity: adding numbers, uppercase letters, and special characters. Another group argues for password length: simply making passwords longer.

Recently, the FBI's Portland office came down on the side of longer passwords. "Instead of using a short, complex password that is hard to remember, consider using a longer passphrase," the FBI said.

"This involves combining multiple words into a long string of at least 15 characters," it added. "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."

Some sites allow special characters such as !@#$%^&*()<>{} and spaces, while others do not. Special characters add an additional level of complexity and safety.

PASSPHRASES ARE HARDER TO CRACK

The idea behind the FBI's advice is that a longer password, even if relying on simpler words and no special characters, will take longer to crack and require more computational resources.

Even if hackers steal your encrypted password from a hacked company, they won't have the computing power and time needed to crack the password.

Academic research published in 2015 supports this argument, explaining that "the effect of increasing the length dwarfs the effect of extending the alphabet [adding complexity]."
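The length-versus-alphabet comparison can be worked through numerically. The sketch below is an added example, not code from the article or the cited research, and it goes one step past the article by also scoring a passphrase against a word-by-word search, which is the tighter bound when the words come from a known list. The guess rate, the 7,776-word list size, the sample strings, and the premise that passphrase words are picked at random from that list are all assumptions.

```python
import math
import string

# Assumed values (not from the article): an offline guess rate and the size
# of a Diceware-style wordlist, used only to make the comparison concrete.
GUESSES_PER_SECOND = 1e10
WORDLIST_SIZE = 7776

# ASCII character classes; characters outside them are not counted.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " "]

# Constructed sample secrets, for illustration only.
SHORT_COMPLEX = "Xq7!mP2$"
PASSPHRASE = "voice flower brand garden dirt"

def alphabet_size(password):
    """Size of the smallest union of character classes covering the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def brute_force_bits(password):
    """log2 of the keyspace for an exhaustive character-by-character search."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0

def wordlist_bits(word_count, wordlist_size=WORDLIST_SIZE):
    """log2 of the keyspace when whole words are guessed from a known list."""
    return word_count * math.log2(wordlist_size)

def effective_bits(password):
    """Score against the cheaper search: per character or per word."""
    bits = brute_force_bits(password)
    words = password.split()
    # Treat space-separated lowercase words as a wordlist passphrase.
    if len(words) > 1 and all(w.isalpha() and w.islower() for w in words):
        bits = min(bits, wordlist_bits(len(words)))
    return bits

def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)

if __name__ == "__main__":
    for pw in (SHORT_COMPLEX, PASSPHRASE):
        eff = effective_bits(pw)
        print(f"{pw!r:34} len={len(pw):2} per-char={brute_force_bits(pw):6.1f} "
              f"effective={eff:5.1f} bits  ~{years_to_exhaust(eff):.3g} years")
```

The passphrase still comes out ahead of the 8-character complex password, but its realistic strength is set by the number of words rather than the number of characters.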

Today, there are web services that will help you generate passphrases. One is the LastPass online password generator.

Additionally, NIST (National Institute of Standards & Technology) password recommendations issued in 2017 urged websites and web services to accommodate longer password fields of up to 64 characters for this same reason -- to let users choose passphrases instead of short passwords.

The same NIST guideline also recommended using passphrases over passwords when possible. A DHS security tip issued in November 2019 picked up that recommendation, urging users to give passphrases a try.

From ZDNet, by Catalin Cimpanu for Zero Day | February 21, 2020