What’s the Difference Between a Terrible Password and a Great Password?
It’s safe to say that most of us already know that passwords like ‘password’, ‘letmein’, or ‘qwerty’ are not the most secure passwords that we could choose. But, do we all know how to create solid passwords that aren’t easily guessed or hacked?
For years, the National Institute of Standards and Technology (NIST) has been recommending that organizations require very complex passwords with numeric digits, special characters, and a mixture of upper and lower-case letters, also requiring their users to change their passwords regularly. That makes sense, right?
Well, as it happens, it actually doesn’t. NIST has recently changed their recommendations regarding password strength, and have, in fact, reversed previous guidelines in some areas completely.
Requiring special characters and numbers in passwords (“complex passwords”) turns out to add much less security that it would seem. It’s a trivial exercise in brute-force hacking software to replace o’s, i’s, and e’s with 0’s, 1’s, and 3’s when brute-forcing passwords– and special characters, unfortunately, do not significantly increase the challenge to a hacker who runs any decent hacking software. And make no mistake, a quick Google search for ‘free hacking tools’ will come up with a LOT of results, and this is on the regular World Wide Web – the so-called Dark Web is an even better place for people to find this type of software. (Many software hacking tools are available from websites that position these tools as being for ‘ethical hacking’ and ‘security testing’, but this all depends on who is using the tools…)
Also, periodic password changes seem like a good idea and are commonly enforced. But, in practice, that requirement makes things harder for employees, harder for system administrators who may have to reset new forgotten passwords, and encourages users to simply make a trivial change to their last password so it’s easier to remember. For example, “Hey, it’s required password-change day today, so I’ll change my password from ‘monkey22’ to ‘monkey23’”. In the long run, password changes don’t actually help increase security by very much, if at all.
So, what DOES help make a password hard to crack? It’s simple – length. Adding one character to the length of a password makes it exponentially harder to crack using conventional hacking tools. Once you get into the vicinity of 12 characters or longer, currently-available hacking software running on currently-available hardware is likely to take millennia of computing time to break the password, even if only lower-case alphabetic characters are used. Of course, ‘fourscoreandtwentyyearsago’ or ‘gameofthrones’ as passwords would be susceptible to other kinds of hacking such as dictionary attacks– where the hacker uses an established list of words and phrases commonly used in passwords but, a few randomly-selected words strung together in a way that the user can easily remember is virtually unbreakable with current technology if it is close to 12 characters or longer. For example, I present ‘verbosedolphinsinthewoods’ – no special characters and all lower-case. This password is deemed absolutely unbreakable by one password security evaluation site, although a different site that I found said that it would only take 30 quintillion years to break. A shorter password can be made more secure by adding numbers and/or special characters (as long as they’re not added at the beginning or the end of the password where hackers will expect them), but the bottom line is that the longer the better.
So, in short, the answer to a strong password is password length and a nonsensical and therefore unpredictable sentence that you can easily remember.
Good luck, and remember, it’s a jungle out there…
Check out our blog post on phishing to review our tips on how to protect yourself: https://www.matrixcare.com/blog/phishing-its-a-jungle-out-there/