For years, we were told to construct passwords like a jumbled mess of uppercase letters, lowercase letters, numbers, and symbols. The rationale seemed logical: more variety equals greater difficulty to crack. However, leading security organizations now agree that these outdated rules often cause more harm than good. The modern approach prioritizes length, uniqueness, and robust system-level security.

According to the U.S. National Institute of Standards and Technology (NIST), whose guidelines influence security policy worldwide, forced composition rules should be eliminated. NIST's SP 800-63B Rev. 4, released in July 2025, found that predictable patterns emerge when users are forced to include specific character types. Attackers are well aware of these patterns – such as capitalizing the first letter or adding "1!" at the end – and prioritize them in their cracking tools. (Source: NIST SP 800-63B Rev. 4)

The consensus now emphasizes length and uniqueness over complexity. A fifteen-character passphrase composed of random words offers far greater security than an eight-character jumble of symbols following predictable human patterns. This shift requires a new understanding of key concepts like entropy, hashing, salting, and multi-factor authentication (MFA), all of which contribute to a more resilient defence against modern attack methods.
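To make the entropy comparison concrete, here is an added Python example (not from NIST or the original article) that scores the password styles discussed above, applies the length-and-blocklist check that SP 800-63B prescribes in place of composition rules, and stores the result with a salted, memory-hard hash. The 7776-word list (a diceware-style list), the 20,000-word dictionary behind the "patterned" password, the scrypt parameters, the 128-character upper limit and the blocklist entries are all assumptions made for this example.

```python
import hashlib, hmac, math, os, unicodedata

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # memory-hard parameters (assumed; about 16 MiB)

def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent random picks from `pool_size` options."""
    return length * math.log2(pool_size)

def patterned_bits(words: int = 20_000, digits: int = 2, symbols: int = 4) -> float:
    """Effective entropy of the 'complex' password humans actually produce under
    composition rules: Word + digits + symbol.  Pool sizes are assumptions."""
    return (math.log2(words) + 1          # dictionary word, capitalised or not
            + entropy_bits(10, digits)    # trailing digits such as a year
            + math.log2(symbols))         # one of a handful of trailing symbols

# Constructed blocklist standing in for a breached-password corpus.
BLOCKLIST = {"password", "qwerty123", "letmein", "summer2025!"}

def check_password(pw: str, blocklist=BLOCKLIST, max_len: int = 128) -> str:
    """SP 800-63B style verifier check: length and blocklist only, no composition rules."""
    pw = unicodedata.normalize("NFKC", pw)  # count Unicode characters consistently
    if len(pw) < 8:
        return "too short (minimum 8)"
    if len(pw) > max_len:  # NIST: must allow at least 64; 128 is this example's choice
        return f"too long (maximum {max_len})"
    if pw.lower() in blocklist:
        return "commonly used / breached"
    return "ok"

def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted, memory-hard hash for storage; a fresh random salt per password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT), digest)

if __name__ == "__main__":
    print(f"4 random words (7776-word list): {entropy_bits(7776, 4):.1f} bits")
    print(f"8 random printable ASCII chars:  {entropy_bits(95, 8):.1f} bits")
    print(f"Word+digits+symbol pattern:      {patterned_bits():.1f} bits")
    print(check_password("Summer2025!"), "/", check_password("correct horse battery staple"))
```

The printed figures show why the patterned "complex" password loses to both a random passphrase and a truly random short string: its effective search space is the dictionary plus a few suffix choices, not 95 symbols per position.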

Password managers are now considered essential tools for generating, storing, and auto-filling strong, unique passwords for every online account. NIST explicitly requires websites to support password managers, including allowing paste in password fields, to encourage their use. (Source: NIST SP 800-63B Rev. 4) By memorizing one strong master password, users can offload the burden of remembering countless unique credentials to a secure application.

The future of authentication is trending toward passkeys, which replace shared secrets with public-key cryptography. Built on the FIDO2 and WebAuthn standards, passkeys offer a phishing-resistant alternative by storing a private key on the user's device and a corresponding public key on the website. Even if a website is breached, attackers cannot impersonate users because there is no secret password to steal. While the transition to passwordless authentication will take time, adopting strong passwords and multi-factor authentication remains crucial in the interim.

For Canadian users and organizations, the Canadian Centre for Cyber Security recommends passphrases of at least four words and 15 characters, aligning with NIST's guidance. Furthermore, Canada's privacy law under PIPEDA defines "personal information" broadly, including account identifiers and authentication data, placing legal obligations on organizations to protect this data with appropriate safeguards. (Source: Canadian Centre for Cyber Security Guidelines; PIPEDA) This includes secure password storage, proper hashing, and robust recovery flows, reinforcing that strong password practices are not only security best practices but also legal requirements.