Password Security - is my Password Secure

Password Security – Why Secure Passwords Need Length Over Complexity

Please create a new secure password.

Password has to meet the following criteria:

  • Must be at least 8 characters long.

  • Must contain at least:
    • one uppercase letter[A-Z]
    • one lowercase letter[a-z]
    • one numeric character [0-9]
    • one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
  • Must not contain your login ID, email address, first, or last name.
  • It cannot contain repeating character strings of 3 or more identical characters. (E.g. '1111' or 'aaa')
To log in to the system, you must also:
  • Send in a blood sample with each log in
  • Send in a strand of hair
  • Tap your head while rubbing your stomach and say "Let me in!" three times
Sound familiar? Passwords these days are required to be more and more complex, and for good reason. It is all too easy for a determined hacker to run a brute-force attack on a website in order to steal someone's password, especially if it is short. You know the fairly recent "iCloud security breach" where many photos of celebrities were stolen from their iCloud accounts? That was done through a brute-force attack, and it could all have been easily prevented if the passwords had been both more complex AND longer. Well, that, and if Apple had had some sort of brute-force prevention in place, such as locking out an IP after a limited number of password guesses. But we will ignore that for now.

This may come as a surprise to some people, but a simple, yet long password is much harder to crack than a complex, but short password. Say that you're following the criteria that most websites make you follow in order to create a "complex" password. Your password needs to be at least 8 characters, needs to have a capital and lowercase letter, a number, and a symbol. Okay, so your password might come to look something like this: C0mpl3x! -- pretty complex, right? Not so fast.

Which one of these passwords do you think is easier to crack: C0mpl3x! or ThisIsMyPasswrd? Notice the missing 'o' in ThisIsMyPasswrd. If you said ThisIsMyPasswrd would be easier to crack, you'd be very wrong. Despite the fact that it doesn't use a number or a symbol, ThisIsMyPasswrd has nearly twice as many characters (15) as C0mpl3x! (8), which makes it significantly harder to recover with a brute-force attack. Also, since the 'o' is missing from the word "password", the pieces aren't all full English words, which helps with password security as well. Although some letters are replaced with numbers in C0mpl3x!, that doesn't make it secure: cracking tools know all about replacing letters with numbers, and C0mpl3x! might as well just read Complex!.

Computers are getting faster and faster each year, and a powerful home desktop would be able to crack many people's 8-character passwords in a matter of seconds. Yes, seconds in some cases.

Password Comparison Tables

Let's look at some tables. These values are coming from two great tools that you can use to check how secure your own password is. The first one is called How Secure is My Password (labeled HSIMP in the table below) and it determines how long it would take to crack your password using a brute-force attack. The other tool I used is called Passfault Analyzer (labeled PA in the table below) and it uses all sorts of methods for determining how secure your password is. This might include dictionary insertion, dictionary substitution, dictionary misspelling, repeated patterns, keyboard patterns, and more. So the Passfault Analyzer tool will usually calculate a lower time since it takes into account more than brute-force when analyzing your password.
Type                                            Password         Time (HSIMP)      Time (PA)  Security Level
8 character common word                         required         52 seconds        <1 day     Useless
8 random characters                             qkcrmztd         52 seconds        <1 day     Useless
8 random chars w/numbers                        kqwbv832         11 minutes        <1 day     Useless
8 random chars w/mixed case, symbols & numbers  J5bZ>9p!         20 days           <1 day     Risky
2 common word password                          orange tea       98 days           <1 day     Risky
3 common word password                          this is cool     546 years         <1 day     Risky
5 uncommon word password                        du-bi-du-bi-doo  12 million years  <1 day     Risky

You'll notice that the time it takes to crack your password according to How Secure is My Password, which assumes a brute-force attack, keeps getting larger and larger. This is due to the length of the password: each character you add multiplies the time a brute-force attack needs. However, according to the Passfault Analyzer, all of the passwords I have provided would be cracked in less than a day. That's not good. Why is this? Well, I'm using common dictionary words and simple patterns, and still don't have a password longer than 15 characters.
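The two kinds of estimate compared in the table (a pure brute-force keyspace, as How Secure is My Password assumes, versus a dictionary-aware count in the spirit of Passfault) can be approximated in a few lines. The following is an added example, not code from this post or from either tool; the wordlist, the dictionary size, the guessing rate and the digit-for-letter table are constructed assumptions. It also undoes simple substitutions so that C0mpl3x! is scored as the word "complex", as the text describes.

```python
import re

# Constructed mini wordlist standing in for a real cracking dictionary (assumption);
# DICT_SIZE is the size of the list an attacker would actually use, also assumed.
WORDS = {"this", "is", "cool", "orange", "tea", "password", "complex",
         "i", "own", "dogs", "and", "cat", "my"}
DICT_SIZE = 100_000
GUESSES_PER_SEC = 1e10                      # assumed offline guessing rate
LEET = str.maketrans("013457", "oieast")    # undo common digit-for-letter swaps

def charset_size(pw):
    """Alphabet a pure brute-force attack must cover (space counts as a symbol)."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return size

def brute_force_guesses(pw):
    """Exhaustive-search keyspace: every extra character multiplies it."""
    return charset_size(pw) ** len(pw)

def dictionary_aware_guesses(pw):
    """Crude Passfault-style estimate: a token that is a dictionary word (after
    undoing leet substitutions) costs DICT_SIZE guesses instead of charset**len;
    anything else falls back to brute force. Punctuation glued to a word still costs."""
    total = 1
    for token in re.split(r"[\s-]+", pw):
        if not token:
            continue
        core = re.sub(r"[^A-Za-z0-9]", "", token)
        if len(core) >= 2 and core.lower().translate(LEET) in WORDS:
            total *= DICT_SIZE
        else:
            total *= max(brute_force_guesses(core), 1)
        total *= 33 ** (len(token) - len(core))
    return total

def seconds_to_crack(guesses, rate=GUESSES_PER_SEC):
    return guesses / rate

if __name__ == "__main__":
    for pw in ["C0mpl3x!", "ThisIsMyPasswrd", "orange tea", "I own 2 dogs and 1 cat!"]:
        bf = seconds_to_crack(brute_force_guesses(pw))
        da = seconds_to_crack(dictionary_aware_guesses(pw))
        print(f"{pw!r:27} brute-force {bf:9.3g} s   dictionary-aware {da:9.3g} s")
```

Run as-is it shows C0mpl3x! costing 95**8 guesses by brute force but only a wordlist lookup once the substitutions are undone, while ThisIsMyPasswrd matches no word and keeps its full 52**15 keyspace.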

Let's change that. I will start using some longer passwords or passphrases which will be a number of words separated by either spaces or dashes along with adding some complexity such as lower/uppercase letters, numbers, and symbols. In fact, let's try some small sentences with punctuation as our password and see what the results are.
Type          Password                   Time (HSIMP)         Time (PA)             Security Level
Passphrase 1  i own 2 dogs and 1 cat     1 sextillion years   330130 centuries      Secure forever
Passphrase 2  I own 2 dogs and 1 cat!    30 octillion years   8594846 centuries     Secure forever
Passphrase 3  #I own 2 dogs and 1 cat!?  285 nonillion years  1220882818 centuries  Secure forever

Whoa... a crack time of 285 nonillion years and 1220882818 centuries from both sites? Now we're talking!

I can't stress enough the importance of having length paired with complexity. Passphrases need to replace the typical password. Sure, a passphrase might take longer to type in, but the benefits greatly outweigh that slight disadvantage.

Passphrase Tips and Examples

Here is a list of tips to consider when creating a new passphrase:

  • Don't use common dictionary words - Ex. orange, car, password
  • Don't use sequential letters or numbers - Ex. 12345, abcde
  • Don't use repeated letters/numbers or keyboard patterns - Ex. 111, aaa, qwerty, asdfgh
  • Don't use the same passphrase for every site if you can help it. Something you could do would be to make a passphrase saying "I am accessing Facebook!" for Facebook, or "I am accessing YouTube!" for YouTube, etc.
  • Consider using spaces - Ex. Instead of making it "iown2dogs", make it "i own 2 dogs"
  • Consider using misspellings - Ex. Instead of making it "why would you do that", make it "why wuld u do tht". If the word is not in a dictionary, it helps make it more secure.
  • Consider using a long and complex passphrase - Ex. Instead of making it "i own 2 dogs and 1 cat", add some punctuation and capitalization to make it something like "I own 2 dogs, and 1 cat!"

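The tips above can be turned into a self-check that reports which ones a candidate passphrase breaks. This is an added example, not code from the post; the common-word set, the keyboard rows and the 15-character floor (taken from the observation that every shorter example in the tables fell in under a day) are assumptions.

```python
import re

# Constructed stand-ins for a real wordlist and keyboard-pattern list (assumption).
COMMON_WORDS = {"orange", "car", "password", "tea", "cat", "dogs", "cool"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCE = "abcdefghijklmnopqrstuvwxyz0123456789"
MIN_LEN = 15   # assumed floor, not a figure from the post

def has_run(pw, patterns, n=4):
    """True if pw contains n+ consecutive characters of any pattern, forward or reversed."""
    s = pw.lower()
    for p in patterns:
        for seq in (p, p[::-1]):
            if any(seq[i:i + n] in s for i in range(len(seq) - n + 1)):
                return True
    return False

def passphrase_warnings(pw):
    """Return the tips the candidate passphrase violates (empty list = none)."""
    warnings = []
    if len(pw) < MIN_LEN:
        warnings.append(f"shorter than {MIN_LEN} characters")
    if re.search(r"(.)\1\1", pw):                     # 111, aaa, 1111 ...
        warnings.append("3+ identical characters in a row")
    if has_run(pw, [SEQUENCE]):                       # 12345, abcde ...
        warnings.append("sequential letters or digits")
    if has_run(pw, KEYBOARD_ROWS):                    # qwerty, asdfgh ...
        warnings.append("keyboard pattern")
    words = re.findall(r"[a-z]+", pw.lower())
    if words and all(w in COMMON_WORDS for w in words):
        warnings.append("made only of common dictionary words")
    if not re.search(r"[\s-]", pw):
        warnings.append("no spaces or dashes between words")
    return warnings

if __name__ == "__main__":
    for pw in ["J5bZ>9p!", "orange tea", "qwerty12345", "I own 2 dogs, and 1 cat!"]:
        print(f"{pw!r:28} {passphrase_warnings(pw) or 'OK'}")
```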
Here is a list of example passphrases you could use to help spark some ideas along with the amount of time it would take to crack it according to the Passfault Analyzer:

  • One(1)+Seven(7)=Eight(8)!! - 9558454160 centuries
  • Me gu5ta L0s Angeles?! - 686 centuries
  • #My son's bday is 20,Dec() - 39490895060 centuries
  • *I gr4duated in twenty-ten. - 4042 centuries
  • I am accessing Facebook! - 1 century, 5 decades

Conclusion

All in all, it's time that we all start taking password security seriously by considering better practices when creating our passwords (unless you don't care about getting hacked of course). So many sites these days have you create a "complex" password which usually ends up being an 8-character password with a mix of letters, symbols, and numbers like J5bZ>9p!. Sites call passwords like these "strong" when in reality many of them could be hacked in under a day by a determined hacker.

We need to move away from passwords (generally using one word) and begin using passphrases which could be a sentence or multiple words. Not only are you preventing yourself from getting hacked, but they can also be extremely easy to remember. Which is easier to remember? J5bZ>9p! or I like kitty cats!? I would hope I like kitty cats! would be easier to remember and it would take almost 10 years longer to crack than J5bZ>9p!.

The longer you can make your passphrase while still adding some complexity, the better. A brute-force attack was used to hack multiple celebrities in the iCloud incident, and it could have been prevented had their passwords been longer and more complex. The problem is that many people use the same exact password for all their accounts such as their Facebook, email, and bank account. All it takes is one determined hacker and a weak password for all that information to be breached.

Do yourself a favor and put more thought into password security. You can create an extremely secure (yet very memorable) password/passphrase in a matter of seconds if you follow the tips mentioned in this post. There is no need to make some crazy random array of letters, numbers, and symbols which you will never remember. You'll thank yourself later when your personal info stays as it should... personal.

Comments

  • An interesting write up. I use 1Password myself to generate the passwords for me; it makes it a lot easier to manage multiple passwords across many different accounts.

    It’s surprising just how many people believe a combination of a few random letters is secure, when in reality, as shown above, a string of easily rememberable words is a lot harder to crack.

    Reply from the post author:

      I haven’t used 1Password before, but definitely have heard of it. I may look into it sometime. But yes, I agree. Everyone believes that a random combination of a few letters/numbers/symbols is secure when really brute force attacks can crack those passwords in a very short time. A long string/sentence is much better!
