A 20-character, non-complex password is demonstrably harder to crack than a six-to-eight-character complex password. NIST has been saying for years that passwords should not be overly long, complex or frequently changed. Many computer security professionals don’t believe that NIST’s new password advice is actually better. Most would rather you use a password manager, which you then use to generate long, random passwords for every website you use. Most regulations and frameworks are slow and inflexible. When better ideas come out or circumstances change, they aren’t quickly updated to follow that better advice.