The advice hasn’t changed for decades: Use complex passwords with uppercase, lowercase, numbers and symbols. The idea is to make it harder for hackers to crack passwords through brute force methods. But recent guidance suggests our focus should be on password length rather than complexity. Length is the more important security factor, and passphrases are the simplest way for your users to create (and remember!) longer passwords.
The math that matters
When attackers obtain password hashes from a breach, they crack them offline: hash a candidate guess, compare it with the stolen hash, repeat. Against a fast, unsalted hash such as NTLM, a single modern GPU does this billions of times per second. How long the attack takes depends on two things: how many candidates there are to try, and how expensive each guess is to hash.
A traditional 8-character password drawn from letters and digits (the P@ssw0rd! style) offers 62^8, roughly 218 trillion, combinations; allowing all 95 printable ASCII characters raises that to 95^8, about 6.6 quadrillion. This sounds impressive until you realize that a single modern GPU attacking NTLM hashes can exhaust either space within a day, not months or years. Expand this to 16 characters using only lowercase letters, and you’re looking at 26^16 combinations, about 4.4 × 10^22, which is roughly 200 million times more than the 8-character alphanumeric space.
The measure that matters is effective entropy: the number of guesses an attacker really has to work through. A human-chosen “complex” password has far less of it than the character-set arithmetic suggests, because people start from dictionary words and apply predictable substitutions. Four words chosen at random from a list of a few thousand (“carpet-static-pretzel-invoke”) give about 52 bits, roughly as much as a truly random 8-character string of mixed symbols and far more than the P@ssw0rd! pattern actually delivers, and each additional random word adds about 13 bits. And users can actually remember them.
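The arithmetic above, worked through as an added example (this is not code from the original article). The guess rates are order-of-magnitude assumptions for a single high-end GPU, not figures from the page, and the 7,776-word list size is that of a standard diceware list; the function names are the example's own.

```python
import math

# Guess rates per second for a single high-end GPU. These are order-of-magnitude
# assumptions made for this example, not measurements; run hashcat -b on your
# own hardware for real figures.
GUESSES_PER_SECOND = {
    "NTLM (fast, unsalted)": 1e11,   # roughly 100 billion guesses/s
    "bcrypt, cost 10 (slow)": 1e5,   # roughly 100 thousand guesses/s
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def random_words_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly from a list."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate (the expected time is half this)."""
    return 2.0 ** bits / guesses_per_second


def search_space_ratio(bits_a: float, bits_b: float) -> float:
    """How many times larger search space A is than search space B."""
    return 2.0 ** (bits_a - bits_b)


# The schemes compared in the text, plus longer passphrases to show the trend.
SCHEMES = {
    "8 chars, letters+digits (62^8)": random_string_bits(62, 8),
    "8 chars, printable ASCII (95^8)": random_string_bits(95, 8),
    "16 chars, lowercase only (26^16)": random_string_bits(26, 16),
    "4 words from a 7776-word list": random_words_bits(7776, 4),
    "5 words from a 7776-word list": random_words_bits(7776, 5),
    "6 words from a 7776-word list": random_words_bits(7776, 6),
}


def crack_time_table() -> list[dict]:
    """One row per scheme: entropy in bits and years to exhaust per hash type."""
    rows = []
    for name, bits in SCHEMES.items():
        row = {"scheme": name, "bits": round(bits, 1)}
        for hash_name, rate in GUESSES_PER_SECOND.items():
            row[hash_name] = seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in crack_time_table():
        years = ", ".join(f"{k}: {v:.3g} years" for k, v in row.items()
                          if k not in ("scheme", "bits"))
        print(f"{row['scheme']:<36} {row['bits']:>5} bits   {years}")
```

Two things the table makes visible that the prose only states: four random words sit at about 52 bits, level with a truly random 8-character symbol string rather than far above it, so the real win over human-chosen passwords comes from the words being random and from adding a fifth or sixth word; and the hash function matters as much as the length, since the same 52 bits fall in under a day against NTLM but take centuries against bcrypt.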
Why do passphrases win on every front?
The case for passphrases is not theoretical; it is practical:
Fewer resets. When passwords are memorable, users stop writing them on Post-it notes or reusing the same variations across accounts. Helpdesk reset tickets drop, which alone can justify the change.
Better attack resistance. Attackers adapt to patterns. They test dictionary words with common substitutions (@ for a, 0 for o) because that’s what people do. A four-word passphrase sidesteps those rule sets completely – but only if the words are chosen at random and are unrelated to each other. A quotation or song lyric is just a longer dictionary entry.
In line with current guidance. NIST SP 800-63B is clear: prioritize length over forced complexity, and screen passwords against known-compromised lists instead. The traditional 8-character minimum should be a thing of the past.
A rule worth following
Stop micromanaging password requirements. Give users one clear instruction:
Choose 3-4 unrelated common words joined by a separator. Avoid song lyrics, proper names and famous phrases. Never reuse a passphrase across accounts.
Examples: common-glacier-laptop-furnace or cricket.highway.mustard.piano
That’s it. No mandatory capitals, no required symbols, no complexity theater. Just length and randomness.
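The rule above depends on the words really being random, which is where user-chosen phrases go wrong. An added example (not code from the article) of generating a passphrase the safe way and checking a submitted one against the rule. The word list is a constructed 32-word stand-in so the block runs offline; real use should load a published list such as the EFF long list, and the function names are assumptions of this example.

```python
import math
import re
import secrets

# Constructed, deliberately small word list so the example runs offline. Entropy
# per word is log2(list size): this list gives 5 bits per word, a 7,776-word
# list about 12.9. Load a published list for real use.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orbit", "pencil",
    "quartz", "ribbon", "saddle", "tunnel", "umbrella", "velvet", "walnut", "yogurt",
    "zipper", "carpet", "static", "pretzel", "invoke", "glacier", "laptop", "furnace",
]


def generate_passphrase(words: int = 4, separator: str = "-", wordlist=WORDLIST) -> str:
    """Join `words` entries drawn uniformly at random from `wordlist`.

    secrets.choice draws from the OS CSPRNG. The random module must not be used
    here: it is a seedable Mersenne Twister whose output can be recovered from
    observed values, which would make a "random" passphrase guessable. Words are
    drawn with replacement, so the entropy is exactly words * log2(len(wordlist)).
    """
    if words < 3:
        raise ValueError("use at least three words")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates, which lowers entropy")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist=WORDLIST) -> float:
    """Entropy of a passphrase generated by generate_passphrase."""
    return words * math.log2(len(wordlist))


def meets_rule(passphrase: str, min_words: int = 3, min_length: int = 14) -> bool:
    """Check the mechanical part of the rule: at least `min_words` non-empty
    words separated by non-letter characters (so both '-' and '.' work) and at
    least `min_length` characters overall. No code can tell whether the words
    are unrelated or a famous phrase; that part stays with the user and the
    compromised-password blocklist.
    """
    parts = re.split(r"[^A-Za-z]+", passphrase)
    return len(parts) >= min_words and all(parts) and len(passphrase) >= min_length


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"({passphrase_bits(4):.1f} bits from this toy list)")
    print("meets rule:", meets_rule(phrase))
```

Run it a few times and the output will occasionally repeat a word; that is expected and should not be "fixed" by rejecting repeats, which would shrink the search space the attacker has to cover.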
Rolling it out without disruption
Changes to authentication policy can provoke resistance. Here’s how to reduce friction:
Start with a pilot group of 50-100 users from different departments. Give them the new guidance (without enforcing it) and monitor for two weeks. Watch for patterns: are people falling back on pop-culture phrases? Are they consistently meeting the minimum length?
Then switch to alert-only mode across the entire organization. When a user’s new passphrase is weak or compromised, they see a warning but are not blocked. That builds awareness without creating a support bottleneck.
Enforce only after measuring:
- passphrase adoption rate
- reduction in helpdesk resets
- hits against your compromised-password blocklist
- user-reported friction points
Track these as KPIs. They will tell you whether the new policy is working better than the old one.
Maintaining it with the right policy tools
Your Active Directory password policy needs three updates to properly support passphrases:
- Raise the minimum length. Move from 8 to 14 or more characters. A three- or four-word passphrase clears that easily, and users who still prefer a traditional random password can meet it too.
- Drop the complexity requirement. Stop requiring uppercase, digits and symbols (in Active Directory this is the “Password must meet complexity requirements” setting). Length provides better protection with less user friction.
- Block compromised credentials. This is not negotiable. Even the strongest passphrase doesn’t help if it has already leaked in a breach. Your policy should check every new password against a known-compromised list at the moment it is set.
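The three policy changes above, implemented as one check, as an added example that is not code from the article or from Specops. For the compromised-credential step it uses the Have I Been Pwned Pwned Passwords range API (k-anonymity: only the first five hex characters of the SHA-1 hash leave the machine); Specops uses its own list, so this is the technique, not their implementation. The breach count in the constructed offline response is made up, and the function names are the example's own.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
MIN_LENGTH = 14


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """The 5-char prefix goes to the server; the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. With Add-Padding the server mixes in fake
    suffixes with count 0, so a suffix that is present with 0 is not a hit."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Add-Padding hides the true response size."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "passphrase-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_body(fetch(prefix)).get(suffix, 0)


def rejection_reasons(password: str, fetch=fetch_range) -> list[str]:
    """Apply the three policy changes: long minimum, no composition rules,
    compromised-credential check. An empty list means the password is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Deliberately no uppercase / digit / symbol requirement.
    hits = breach_count(password, fetch)
    if hits:
        reasons.append(f"found {hits} times in breach data")
    return reasons


# Constructed offline stand-in for the API so the example runs without network.
# The middle suffix is the real SHA-1 suffix of "password"; the count is made up.
_SUFFIX_OF_PASSWORD = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"
_CONSTRUCTED_BODY = "\n".join([
    "A" * 35 + ":0",                  # padding entry, must not count as a hit
    _SUFFIX_OF_PASSWORD + ":3861493",
    "B" * 35 + ":2",
])


def offline_fetch(prefix: str) -> str:
    """Constructed response for the prefix of "password"; padding only otherwise."""
    return _CONSTRUCTED_BODY if prefix == "5BAA6" else "A" * 35 + ":0"


if __name__ == "__main__":
    for candidate in ("password", "umbrella-coaster-fountain-sketch", "cat-dog-fox"):
        print(candidate, "->", rejection_reasons(candidate, fetch=offline_fetch) or ["ok"])
```

Replace `offline_fetch` with the default `fetch_range` to query the live service. Whatever list you use, the check has to happen on the password-change path itself (in AD that means a password filter DLL or a product that installs one), since the domain controller will otherwise accept the password before anything can look it up.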
Password auditing gives you visibility into adoption. You can identify accounts that still use short passwords or common patterns, then target those users with additional guidance.
Tools like Specops Password Policy handle all three tasks: raising policy minimums, blocking over 4 billion compromised passwords, and integrating with SSPR workflows. The policy syncs with Active Directory and Azure AD without additional infrastructure, and the blocklist is updated daily as new breaches emerge.
What it looks like in practice
Imagine your policy requires 15 characters and all complexity rules are removed. At their next password change, a user creates umbrella-coaster-fountain-sketch. A tool like Specops Password Policy checks it against a compromised password database: it’s clean. The user remembers it even without a password manager because it is four vivid images linked together. They don’t reuse it because they know it’s specific to this account.
Six months later: no reset requests, no Post-it notes, and no calls to the helpdesk because someone mistyped a symbol. Nothing revolutionary – just simple and effective.
The protection you really need
Passphrases are not a silver bullet. MFA still matters. Compromised credential monitoring still matters. But if you’re spending resources on password policy changes, this is where it’s best to spend it: long minimums, simple rules, and real protection against compromised credentials.
Attackers still steal the hashes and crack them offline. What has changed is our understanding of what really slows them down, so your next password policy should reflect this. Interested in trying it? Book a live demo of Specops Password Policy.