{"id":518,"date":"2026-05-08T13:23:47","date_gmt":"2026-05-08T13:23:47","guid":{"rendered":"https:\/\/server.ua\/en\/blog\/?p=518"},"modified":"2026-05-08T13:50:58","modified_gmt":"2026-05-08T13:50:58","slug":"which-old-password-creation-rules-no-longer-work","status":"publish","type":"post","link":"https:\/\/server.ua\/en\/blog\/which-old-password-creation-rules-no-longer-work","title":{"rendered":"Which old password creation rules no longer work"},"content":{"rendered":"\n
\"The
Account security starts with the right approach to passwords<\/figcaption><\/figure>\n\n\n\n

Passwords are often perceived as a formality: added a digit, put an exclamation mark \u2013 and the job is done. But this approach is based on rules from ten years ago, when there were far fewer services, and computing power for attacks was much more modest. Today each of us has dozens of accounts: from email and banks to work panels for domain management or cloud storage. A weak or repeated password in such an ecosystem creates a domino effect: once one site is hacked, everything is put at risk.<\/p>\n\n\n\n\n\n\n\n

The main trap is that we are used to judging password complexity visually. A combination like P@ssw0rd1!<\/em> seems reliable because it has both special characters and digits. In reality, it is built according to an obvious pattern, which automated guessing systems calculate instantly. A long phrase made of random words will be much more resistant: it is easier for a person to remember, and almost impossible for a machine to brute-force.<\/p>\n\n\n\n

Why \u201ccapital letter + digit\u201d no longer protects you<\/h2>\n\n\n\n

Most services still require the mandatory set: an uppercase letter, a lowercase letter, a digit and a symbol. Users have learned to bypass this rule mechanically: they write a word with a capital letter, then add the current year and an exclamation mark at the end. Summer2025!<\/em> is formally perfect, but its logic is too typical.<\/p>\n\n\n\n

Modern standards, in particular NIST recommendations, shift the focus from artificial \u201ccomplexity\u201d to length and uniqueness. There is no longer any point in forcing people to change passwords on schedule every 90 days. This only encourages them to create predictable sequences like Password1<\/em>, Password2<\/em>, and so on. A password should be changed only when there is a real threat of compromise.<\/p>\n\n\n\n

Length as the main factor of resilience<\/h2>\n\n\n\n

The brute force method works simply: the system tries all possible options until it guesses the right one. The shorter the password, the faster the finish. Even if you use the entire available character set, the number of characters will be decisive.<\/p>\n\n\n\n

Password length
<\/th>		Digits only
<\/th>		Lowercase
letters
<\/th>		Uppercase and
lowercase letters
<\/th>		Digits, letters
and symbols
<\/th><\/tr><\/thead>
8 characters<\/td>
instantly
<\/td>		about 1 hour<\/td>about 2 weeks<\/td>about 5 months<\/td><\/tr>
10 characters<\/td>
instantly
<\/td>		about 1 month<\/td>about 112 years<\/td>about 2 thousand years<\/td><\/tr>
12 characters<\/td>
about 7 hours
<\/td>		about 74 years<\/td>about 303 thousand years<\/td>about 10 million years<\/td><\/tr>
14 characters<\/td>
about 4 weeks
<\/td>		about 50 thousand years<\/td>about 819 million years<\/td>about 52 billion years<\/td><\/tr>
16 characters<\/td>
about 8 years
<\/td>		about 33 million years<\/td>about 2 trillion years<\/td>about 257 trillion years<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The difference between 8 and 12 characters is enormous. A short password, even with a chaotic set of symbols, can be cracked in a matter of days or months. Adding just a few characters turns the brute-force time into millions of years. This clearly proves why a long phrase always beats a short, even if confusing, code.<\/p>\n\n\n\n

Which habits are worth giving up<\/h2>\n\n\n\n