In 2020, is an 8 character password good enough?

Recently I was asked if the “Recommended by the Bank” 8 character uppercase, lowercase, number and special character password is still appropriate in 2020.

In short, no.

For example the password: d)4M*L&K meets all the requirements of the typical “good” 8 character password, whilst also not being easy to remember upon cursory glance.

Checking it with the password strength tool at Security.org (https://www.security.org/how-secure-is-my-password/) shows it's broken by a standard computer in 8 hours. Not ideal!

Increasing the length to d)4M*L&Kd%X71@zW at 16 characters is ideal, which would take a much more acceptable “1 trillion years” for a computer to crack. But how do you remember it?

At the heart of a good password are two things:

  1. Easy to remember
  2. Difficult to decrypt

Putting aside the casual glance by someone looking over your shoulder or finding the password scribbled on a Post-it note under your keyboard, this leaves the prospect of a computer focused on deciphering it.

A computer's capability is sheer speed, and being able to reference different datasets to “smash” a bunch of combinations quickly, mindlessly and efficiently. The methods hackers employ, in general terms from a compute perspective:

Dictionary Attack: According to the Oxford Dictionary, there are some 600,000+ words in the English dictionary, past & present. A dictionary attack smashes “The Dictionary” – and variants – at the password entry point. With a modern computer, it’s quick.

Brute Force Attack: As the name suggests, brute force is used to determine the password by methodical, logical means, but in relentless volume and at speed. As a mundane example, my 10-year-old daughter couldn’t remember the lock code to her shiny new suitcase, which had a 3-digit tumbler with the code being somewhere between 000 and 999. A simple brute force attack had me trying all the variables sequentially, literally dialing in 000, 001, 002, 003… all the way until 999. Her unlock code was the obscure – good! – number 341. What’s interesting about brute force tables is that they are populated using known data about particular algorithms and human biases. Any decent brute force table will include variants from here https://en.wikipedia.org/wiki/List_of_the_most_common_passwords – programmed in early in the data set. Don’t use any of these!!!

Similarly, if you were a hacker targeting a big brand like “Coke Cola”, your Brute Force Table would include biased variants of industry specific terms and mix in L33T characters etc. e.g. Coke Cola, C0K3 C0L4, cOkEcOlA, CokeZero, CokeFree, CokeDiet, PepsiKiller, CokePepsico, PepsicoSux etc etc. None of these words are in the dictionary, but they are conceivable human biased variants to take advantage of. A good Brute Force Table will attempt to incorporate these human biased entries.

Rainbow Table: Similar to a brute force table, a rainbow table is an already computed set of passwords, but these are based on the different algorithms, or “hashes”, used to encrypt passwords, and include special characters and the datasets that the algorithms create. The thing with rainbow tables is they are big and complicated, but if a hacker has the time, they can get in.

So, going back to the premise: is 8 characters good enough?

Modern computers can do a Dictionary, Brute Force and Rainbow attack quickly and efficiently, meaning that the humble 8 character password is toast. To illustrate this point, using simple, easy to remember terms, aside from my example 7 & 16, you can see that as the password increases in length, the time to decrypt increases.

Summary:

  1. Complexity of password is needed to minimise random cursory glances and discourage quick recall
  2. Length is what really counts – 12 characters is good, 14 is great, 16 is the best.
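
To make the length and dictionary points concrete, here is an added example (not from the original post) of a small strength check: it estimates the exhaustive-search time from length and character classes, and flags passwords that collapse to a wordlist entry once case, spacing and L33T substitutions are undone. The guess rate, the wordlist and all function names are assumptions chosen for illustration, so the figures will not match the Security.org tool.

```python
import math
import string

# Assumption: offline attacker speed in guesses per second (illustrative only).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample wordlist; a real policy check would load a large list
# of common passwords plus organisation-specific terms.
WORDLIST = {"password", "qwerty", "cokecola", "cokezero", "letmein"}

# Common "L33T" substitutions mapped back to plain letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def pool_size(password):
    """Size of the character pool implied by the classes the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def normalise(password):
    """Undo case, spacing and leet tricks so human-biased variants collapse."""
    return "".join(password.lower().translate(LEET).split())


def is_guessable(password):
    """True if the password is a wordlist entry in disguise."""
    return normalise(password) in WORDLIST


def years_to_exhaust(password):
    """Worst-case years to try every string of this length over the pool."""
    keyspace = pool_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def report(password):
    bits = len(password) * math.log2(pool_size(password))
    verdict = ("matches wordlist" if is_guessable(password)
               else f"{years_to_exhaust(password):.3g} years to exhaust")
    return f"{len(password):>2} chars, {bits:5.1f} bits: {verdict}"


if __name__ == "__main__":
    for pw in ["d)4M*L&K", "d)4M*L&Kd%X71@zW", "C0K3 C0L4"]:
        print(report(pw))
```

Doubling the length from 8 to 16 characters multiplies the search space by 94^8 under these assumptions, while the L33T variant is rejected regardless of its length or mix of characters.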

As with 8 characters being pretty good not so long ago, what’s going to scuttle the above is quantum computing. I’m not looking forward to the day when 64 character passwords are considered the norm.

Further reading:

ALPHR – Top Ten Password Cracking Techniques
https://www.alphr.com/features/371158/top-ten-password-cracking-techniques/
NORTON – How to Secure your Passwords
https://au.norton.com/internetsecurity-how-to-how-to-secure-your-passwords.html
AVAST – Strong Password Ideas
https://blog.avast.com/strong-password-ideas
MCAFEE – 15 Tips to Better Password Security
https://www.mcafee.com/blogs/consumer/family-safety/15-tips-to-better-password-security/
CNET – 9 Rules for Strong Passwords How to Create and Remember your login Credentials
https://www.cnet.com/how-to/9-rules-for-strong-passwords-how-to-create-and-remember-your-login-credentials/
FORBES – 4 Things to know about password security
https://www.forbes.com/sites/kateoflahertyuk/2020/10/24/4-things-to-know-about-password-security/
