Recently I was asked if the “Recommended by the Bank” 8 character uppercase, lowercase, number and special character password is still appropriate in 2020.
In short, no.
For example the password: d)4M*L&K meets all the requirements of the typical “good” 8 character password, whilst also not being easy to remember upon cursory glance.
Checking the password strength tool here at Security.org “https://www.security.org/how-secure-is-my-password/ it shows its broken by a standard computer in 8 hours. Not ideal!
Increasing the length to d)4M*L&Kd%X71@zW at 16 characters is ideal, which would take a much more acceptable “1 trillion years” for a computer to crack. But how do you remember it?
At the heart of a good password is two things:
- Easy to remember
- Difficult to decrypt
Putting aside the casual glance by someone looking over your shoulder or finding the password scribbled on a Post-it note under your keyboard, this leaves the prospect of a computer focused on deciphering it.
Computers capability is sheer speed and being able to reference different datasets to “smash” a bunch of combinations quickly, mindlessly and efficiently. Hacker methods employed, in general terms from a compute perspective:
Dictionary Attack: There are according to the Oxford Dictionary, some 600,000+ words in the English dictionary, past & present. A dictionary attack smashes “The Dictionary” – and variants – at the password entry point. With a modern computer, it’s quick.
Brute Force Attack: As the name suggests, brute force is used to determine the password by methodical, logical means, but in relentless volume and at speed. As a mundane example, my 10 year old daughter couldn’t remember the lock code to her shiny new suitcase, that had a 3 digit tumbler with the code being somewhere between 000 to 999. A simple brute force attack had me trying all the variables sequentially, literally dialing in 000, 001, 002, 003… all the way until 999. Her unlock code was the obscure – good! – number 341. What’s interesting about brute force tables is that they are populated using known data about particular algorithms and human biases. Any decent brute force table will include variants from here https://en.wikipedia.org/wiki/List_of_the_most_common_passwords – programmed in early in the data set. Don’t use any of these!!!
Similarly if you were a hacker targeting a big brand like “Coke Cola”, your Brute Force Table would include biased variants of industry specific terms and mixing in L33T characters etc. e.g. Coke Cola, C0K3 C0L4, cOkEcOlA, CokeZero, CokeFree, CokeDiet, PepsiKiller, CokePepsico, PepsicoSux etc etc. None of these words are in the dictionary, but they are conceivable human biased variants to take advantage of. A good Brute Force Table will attempt to incorporate these human biased entries.
Rainbow Table: Similar to a brute force table, a rainbow table is one that has an already computed set of passwords, but these are based on the different algorithms or “hashes”, used to encrypt passwords and includes special characters and the datasets that the algorithms create. The thing with rainbow tables is they are big and complicated, but if a hacker has the time, they can get in.
So going back to the premise is 8 characters good enough?
Modern computers can do a Dictionary, Brute Force and Rainbow attack quickly and efficiently, meaning that the humble 8 character is toast. To illustrate this point, using simple, easy to remember terms, aside from my example 7 & 16, you can see that as the password increases in length, the time to decrypt increases.
- Complexity of password is needed to minimise random cursory glances and discourage quick recall
- Length is what really counts – 12 characters is good, 14 is great, 16 is the best.
As with 8 characters being pretty good, not so long ago, what’s going to scuttle the above is quantum computing. I’m not looking forward to where 64 character passwords are considered the norm.
ALPHR – Top Ten Password Cracking Techniques
NORTON – How to Secure your Passwords
AVAST – Strong Password Ideas
MCAFEE – 15 Tips to Better Password Security
CNET – 9 Rules for Strong Passwords How to Create and Remember your login Credentials
FORBES – 4 Things to know about password security