Passwords are not necessarily more secure when they are more complex. In recent years, cybersecurity guidance has increasingly favoured a length-first approach, recommending the use of three meaningful yet uncommon words to form a longer passphrase that is both easier to remember and harder to guess.
WASHINGTON, D.C. (MERXWIRE) –Most people have faced standard password setup requirements: include uppercase and lowercase letters, numbers, and symbols, and avoid anything too similar to your previous password. In practice, this often leads to predictable workarounds—writing it down in a note, or recycling the same base password with a new year attached. These “rule-compliant” passwords can actually be easier to guess, as common substitution patterns have long been incorporated into attackers’ automated tools.
In recent years, global cybersecurity thinking has begun to shift. Rather than pushing users to create flashy, hard-to-remember passwords, authoritative institutions increasingly emphasise a more practical principle: the longer the password, the better—so long as it remains memorable. The UK National Cyber Security Centre has actively promoted the “three random words” approach. The logic is straightforward: length dramatically increases the cost of guessing, and truly random combinations are far harder to crack than deliberate character substitutions such as replacing A with @.
Password pain is not only about memorability, but also about reuse. According to recent breach research, stolen credentials remain one of the leading entry points for intrusions. More strikingly, among samples impacted by information-stealing malware, only 49 per cent of a person’s passwords across different services were unique. This means many accounts still share identical or similar passwords, so a single leak can trigger a chain reaction through credential stuffing.
This shift appears in major standards guidance. The US National Institute of Standards and Technology states it is not necessary to enforce composition rules, such as requiring a mix of uppercase and lowercase letters or special characters. Such requirements can steer users into predictable patterns and may not improve security overall—sometimes even producing the opposite effect.
Once “length over complexity” becomes the norm, the next step is to rely less on passwords or avoid them altogether. Microsoft’s security team observed that in 2024, it detected an average of 7,000 password attacks per second, with attackers focusing on accounts that still require manual password entry.
As a result, passwordless sign-in methods such as passkeys are spreading quickly. Major services—including Google, Microsoft, and large e-commerce platforms—now support them. Users no longer need to memorise long strings of characters. Instead, identity can be verified through device-based authentication, such as fingerprint, facial recognition, or device unlock, enabling faster, smoother sign-ins.
Security experts agree that while passwords may remain, the main focus is shifting to easier, more effective methods. Passwords are evolving into readable phrases and backup tools as the primary sign-in experience reduces risks and stress—further proving that length and simplicity drive modern security.