Information Security 5 min read

Rethinking Password Complexity: Favor Length, Managers, and Multi‑Factor Authentication

The article argues that traditional password complexity rules and periodic resets are outdated, advocating for longer passwords, the use of password managers and multi‑factor authentication, and limiting login attempts to improve security in modern, always‑connected systems.

IT Services Circle

In the early days of computing, systems were isolated and storage was expensive, leading to the creation of password‑complexity rules as a way to increase entropy in short passwords. Regular password changes were also mandated to keep passwords as moving targets.

Today, computers are constantly connected and storage is cheap, so length is a far more effective way to raise password entropy than character-class rules. Long passwords are easier for users to remember than short, complex ones, and a passphrase built from several common words resists dictionary attacks because an attacker must guess the whole combination rather than a single word.
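The entropy comparison this paragraph makes, worked through as an added example (not code from the article): entropy is length × log2(alphabet size), so five words drawn from a large list outscore eight random printable characters, and the passphrase is generated with a cryptographic random source the way a password manager would. The eight-word demonstration list, the 7,776-word list size assumed for the passphrase figure, and the 10^10 guesses-per-second rate are assumptions, not figures from the article.

```python
import math
import secrets

# Constructed demonstration word list; a real generator would draw from a large
# list (the 7,776-word Diceware list is assumed below for the entropy figure).
WORDS = ["anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor"]
DICEWARE_SIZE = 7776      # assumed list size for the passphrase policy
PRINTABLE_ASCII = 95      # upper, lower, digits, symbols: the "complex" alphabet


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(word_count: int, words=WORDS, sep: str = "-") -> str:
    """Pick words with the secrets module (a CSPRNG), as a password manager would.
    The entropy is word_count * log2(len(words)) only if every pick is independent."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare_policies() -> dict:
    """Eight random printable characters versus five random Diceware words."""
    complex8 = entropy_bits(PRINTABLE_ASCII, 8)
    phrase5 = entropy_bits(DICEWARE_SIZE, 5)
    return {
        "complex_8_char_bits": round(complex8, 1),
        "complex_8_char_years": round(years_to_exhaust(complex8), 2),
        "passphrase_5_word_bits": round(phrase5, 1),
        "passphrase_5_word_years": round(years_to_exhaust(phrase5), 2),
    }


if __name__ == "__main__":
    print(compare_policies())
    print(generate_passphrase(5))
```

The numbers only hold for passwords chosen uniformly at random; a human-picked "P@ssw0rd!" or a passphrase quoted from a song has far less entropy than the formula suggests, which is the reason the article pairs length with generated passwords from a manager.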

Instead of frequent password resets, organizations should detect and limit repeated failed login attempts, notifying users and administrators when thresholds are exceeded. This reduces the need for periodic resets and mitigates brute‑force attacks.
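The detection-and-throttling approach this paragraph describes, as an added example that is not from the article: a sliding-window failure counter keyed by both account and source address, run over a few constructed log lines, with a temporary lockout and an alert message for administrators once the threshold is crossed. The log format, the threshold of five failures in ten minutes and the fifteen-minute lockout are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Assumed format:
# "<ISO timestamp> auth result=<ok|fail> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:03 auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:05 auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:09 auth result=ok user=bob ip=198.51.100.9
2024-05-01T10:00:12 auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:15 auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:20 auth result=ok user=alice ip=203.0.113.7
2024-05-01T10:30:00 auth result=ok user=alice ip=203.0.113.7
"""

THRESHOLD = 5                    # failures tolerated inside one window (assumed)
WINDOW = timedelta(minutes=10)   # sliding window for counting failures (assumed)
LOCKOUT = timedelta(minutes=15)  # how long a key stays throttled (assumed)


def parse_line(line: str):
    """Split one log line into (timestamp, result, user, ip)."""
    ts_str, _, rest = line.partition(" auth ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["result"], fields["user"], fields["ip"]


class FailedLoginMonitor:
    """Counts failures per account and per source address in a sliding window."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked = {}                     # key -> time the lockout began
        self.alerts = []                     # messages for users/administrators

    def _is_locked(self, key, ts) -> bool:
        started = self.locked.get(key)
        if started is None:
            return False
        if ts - started >= self.lockout:     # lockout expired: forget the history
            del self.locked[key]
            self.failures.pop(key, None)
            return False
        return True

    def _record_failure(self, key, ts) -> int:
        q = self.failures[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q)

    def process(self, ts, result, user, ip) -> str:
        """Return 'allow', 'deny' or 'throttle' for one authentication event."""
        keys = [("user", user), ("ip", ip)]
        if any(self._is_locked(k, ts) for k in keys):
            return "throttle"                # even a correct password waits out the lock
        if result == "ok":
            self.failures.pop(("user", user), None)   # success resets the account count
            return "allow"
        decision = "deny"
        for key in keys:
            if self._record_failure(key, ts) >= self.threshold:
                self.locked[key] = ts
                self.alerts.append(
                    f"{ts.isoformat()} {key[0]}={key[1]} exceeded "
                    f"{self.threshold} failures within {self.window}")
                decision = "throttle"
        return decision


def run(log_text: str = SAMPLE_LOG, **kwargs):
    """Replay a log through the monitor; returns (decisions, alerts)."""
    monitor = FailedLoginMonitor(**kwargs)
    decisions = [monitor.process(*parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return decisions, monitor.alerts


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

Counting per source address as well as per account matters because a slow spray across many accounts never trips a per-account counter on its own; the two keys together catch both shapes. The alert list is what the article asks to send to users and administrators, and a real deployment would also rate-limit the lockout itself so an attacker cannot lock legitimate users out at will.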

Password managers and multi‑factor authentication (MFA) provide stronger security; managers generate and store random passwords, while MFA adds an additional verification layer. Proper user training is essential for adoption.

The article notes that many compliance standards, such as PCI‑DSS, still require regular password changes and complexity rules, but these requirements are increasingly out of step with modern security guidance like NIST SP 800‑63, which recommends longer passwords and MFA instead.

To improve security, the article recommends: understanding the true goal of protecting users rather than obeying outdated rules; configuring applications to limit login attempts and alert on failures; promoting password managers and MFA; and stopping the propagation of harmful advice about password complexity and rotation.

Tags: Authentication, information security, password security, MFA, NIST, password manager
Written by IT Services Circle

Delivering cutting-edge internet insights and practical learning resources. We're a passionate and principled IT media platform.