What makes a password “strong”? And why is using only “strong” passwords so important?
Both those questions can be answered in just two words: Password crackers. No, that’s not a crunchy snack—it’s a piece of garage-built, number-crunching technology (or even a free software application or online service) that can figure out weak passwords in a fraction of a second.
As password cracking technology has advanced and become increasingly commonplace and massively more dangerous to our data, what constituted a safe password just a few years ago is now a total sitting duck. That’s why it’s so important to create and manage strong passwords, especially for your critical accounts like financial and email accounts.
How Password Crackers Work
There are lots of different kinds of password crackers, but the way they work is basically similar. It’s all about “match the hash.”
Any well-constructed web application will store a one-way encrypted version of your password (called a hash), not the password itself. There’s no way to de-encrypt the hash directly. But if hackers use the same encryption algorithm as the application, they know their password cracker has guessed your password when they arrive at an identical hash. They do this either by trying every word/combination in a gargantuan list (called a dictionary attack) or by trying every possible combination of characters.
Password Cracking Times
Using all 94 unique characters available on a typical US English keyboard (uppercase letters, lowercase letters, numbers, and special characters) you can create something like 6 quadrillion unique 8-character passwords. Believe it or not, a low-budget password cracker like we have here at the office can guess any 8-character password in only about 8 hours. So even the strongest eight-character password isn’t very strong.
But what if you up the password length to 10 characters? Assuming you didn’t use a word out of the dictionary, your dog’s name or something else that is easily guessable, that ups the number of unique possibilities from 6 quadrillion to 144 quadrillion—which ups the cracking time to 8 days. Now we’re getting somewhere! Up the password length to 12 characters and a typical password cracker might not guess your password for 61 years.
Password Length vs. Complexity
Because of how password crackers work, password length has become more important to password strength (i.e., resistance to cracking) than using special characters or other “complexity” factors that can make passwords harder to remember and to key in. A longer password is also stronger than a shorter password that you change frequently. This is why the most recent NIST Special Publication 800-63B Digital Identity Guidelines recommend nonpredictable (hence not easily guessable) passwords of over 12 characters as “strong.”
So there you have it: as long as a password is not easily guessable and is 12 or more characters long, it should be “strong” enough to keep your data safe today. (Tomorrow is probably another story…) A good way to make a password long enough and random enough but still memorable is to use a passphrase; e.g., better-wombats-dominate or 2*2=4EVERYTIME.
Again, more randomness is better, but you get the idea. Likewise, you might want to up the character count for passwords that protect your bank accounts, email accounts, work VLAN logins or other critical accounts that are more valuable to hackers.
Learn More About Password Security
Understanding password crackers and strong password guidelines is key to “knowing your enemy” and taking steps to stay safe in cyberspace.
April 2019 is “Password Month” here at Pivot Point Security, and this blog post is one of a number we’ll be sharing on how to get your password security into high gear. Stay tuned!