The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Reaves says. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle.
In other words, the guideline writers are compiling security information, rather than curating security information for their readers.
Drawing on what they learned from the interviews, the researchers developed two recommendations for improving future security guidelines.
First, guideline writers need a clear set of best practices on how to curate information so that security guidelines tell users both what they need to know and how to prioritize that information.
Second, writers – and the computer security community as a whole – need key messages that will make sense to audiences with varying levels of technical competence.
“Look, computer security is complicated,” Reaves says. “But medicine is even more complicated. Yet during the pandemic, public health experts were able to give the public fairly simple, concise guidelines on how to reduce our risk of contracting COVID. We need to be able to do the same thing for computer security.”
Still fairly new to the world of computer security myself, so anyone can feel free to correct me of course, but basically;
While adding capitals, lowercase, numbers, etc does make the password more complex, it also makes it harder for the average user to remember. This means that many users reuse the same password across multiple sites/platforms. Or they use shorter passwords with common tricks like Pa$$word1. That checks all the requirements for a “secure” password but it really isn’t. Hackers know that people use $ in place of S, people often use some variation of “password” in their password, and the number is usually a 1 or something easily guessable like the year they were born.
So the more up to date recommendation is to use a long and strong password (like at least 12 characters long), or a password manager and 2FA.
I think “password” is the wrong word for it. “Passphrase” encourages people to make it longer, like a few words, and length beats special characters any day.