Passwords are not necessarily more secure when they are more complex. In recent years, cybersecurity guidance has increasingly favoured a length-first approach, recommending the use of three meaningful yet uncommon words to form a longer passphrase that is both easier to remember and harder to guess.
WASHINGTON, D.C. (MERXWIRE) โMost people have faced standard password setup requirements: include uppercase and lowercase letters, numbers, and symbols, and avoid anything too similar to your previous password. In practice, this often leads to predictable workaroundsโwriting it down in a note, or recycling the same base password with a new year attached. These โrule-compliantโ passwords can actually be easier to guess, as common substitution patterns have long been incorporated into attackersโ automated tools.
In recent years, global cybersecurity thinking has begun to shift. Rather than pushing users to create flashy, hard-to-remember passwords, authoritative institutions increasingly emphasise a more practical principle: the longer the password, the betterโso long as it remains memorable. The UK National Cyber Security Centre has actively promoted the โthree random wordsโ approach. The logic is straightforward: length dramatically increases the cost of guessing, and truly random combinations are far harder to crack than deliberate character substitutions such as replacing A with @.
Password pain is not only about memorability, but also about reuse. According to recent breach research, stolen credentials remain one of the leading entry points for intrusions. More strikingly, among samples impacted by information-stealing malware, only 49 per cent of a personโs passwords across different services were unique. This means many accounts still share identical or similar passwords, so a single leak can trigger a chain reaction through credential stuffing.
This shift appears in major standards guidance. The US National Institute of Standards and Technology states it is not necessary to enforce composition rules, such as requiring a mix of uppercase and lowercase letters or special characters. Such requirements can steer users into predictable patterns and may not improve security overallโsometimes even producing the opposite effect.
Once โlength over complexityโ becomes the norm, the next step is to rely less on passwords or avoid them altogether. Microsoftโs security team observed that in 2024, it detected an average of 7,000 password attacks per second, with attackers focusing on accounts that still require manual password entry.
As a result, passwordless sign-in methods such as passkeys are spreading quickly. Major servicesโincluding Google, Microsoft, and large e-commerce platformsโnow support them. Users no longer need to memorise long strings of characters. Instead, identity can be verified through device-based authentication, such as fingerprint, facial recognition, or device unlock, enabling faster, smoother sign-ins.
Security experts agree that while passwords may remain, the main focus is shifting to easier, more effective methods. Passwords are evolving into readable phrases and backup tools as the primary sign-in experience reduces risks and stressโfurther proving that length and simplicity drive modern security.
