Password security: Complexity vs. length [updated 2021]
When it comes to user authentication, the password is, and has been, the most used mechanism; passwords are used to access computers, mobile devices, networks or operating systems. In essence, they are part of our everyday lives. Through time, requirements have evolved and, nowadays, most systems' password must consist of a lengthy set of characters often including numbers, special characters and a combination of upper and lower cases. The strength of a password is seen as a function of how complex and/or long it is; but, what matters most, size or complexity?
Any systems, regardless of which method is used for identification and/or authentication is susceptible to hacking. Password-protected systems or collection of data (think bank accounts, social networks, and e-mail systems) are probed daily and are subject to frequent attacks carried forward not only through phishing and social engineering methods, but also by means of passwords cracking tools. The debate is always open, and the length vs. complexity issue divides experts and users. Both have pros and cons as well as their own supporters.
Strengthen security awareness with human risk management
Infosec HRM, powered by Right-Hand Cybersecurity, provides alert-based training nudges to minimize human risk at your organization.
Bad Password Habits
Let's face it, most users tend to create terrible passwords and seldom change them. Today, every system, device, account we need daily has its own password-creation rules, and it is becoming difficult (maybe impossible) to keep track of all access keys. Writing down passwords, re-using the same one for all systems, using easy-to-remember words or phrases or creating shorter access keys are problems that are a direct consequence of the overload of passwords we are all ask to use on a regular basis. With too many keywords to remember, people often choose weaker passwords that are less secure, online and offline.
Weak and insecure passwords are a security concern and a gateway to breaches that can affect more than just the targeted users. It is important to create keys that strike the right balance between being easy to remember and hard for others (intruders or impostors) to guess, crack or hack.
Of the security incidents reported to the CERT Division of the Software Engineering Institute (SEI) related to poorly chosen passwords, a great percentage is caused by human error. The phrase 'security is only as strong as the weakest link' highlights the importance of the role of users within the security chain and the need to train and help them choose passkeys that protect assets and data efficiently. The evolution in password cracking continues and having weak passwords can only make the hackers' job even simpler.
According to the 2015 annual public sector information security survey, a report by i-Sprint Innovations and eGov Innovation, "Weak authentication security is the leading cause of data breaches, accounting for 76% of compromised records." In addition, the Enterprise Innovation study notes that 'simple password-based authentication' is not an adequate means of protecting all this precious data. The problem is that a good number of organizations rely solely on a password-based authentication and have not opted for more secure authentication systems (e.g., PKI-based, OTP-based, or context-based authentication, or else biometric-enabled identifiers).
Best Passwords?
Considerations on password length and complexity are key in the quest for the ideal password. Complexity is often seen as an important aspect of a secure password. A random combination of alphanumerical characters and symbols intuitively seems as the best defense against cracking. Dictionary attacks carried out thanks to tools that look for most likely word combinations won't be able to "guess" such passwords in a timely way. Are they really effective against all attacks though? Probably not. Complex passwords, often tend to be shorter than passphrases, for example, and a brute-force attack with tools that quickly try all possible combinations of keys until they get it right might easily break them as the shorter the password, the smallest the number of possible combinations. This type of attack was at the center of the infamous iCloud breach that exposed hundreds of celebrities' personal pictures.
Brute-force attacks, thanks to the higher computing power of new machines as well as predictability of certain users-chosen character combinations are becoming particularly effective. Due to the complexity of remembering sequences of random numbers, in fact, users often choose predictable sequences made of consecutive numbers and repetitions (123, 4545 for example) or adjacent keyboard keys (qwerty, zxc, etc…). Users could also engage in a number of other risky behaviors, like writing passwords down or reducing the number of characters used. When a user is able to memorize such passwords, they also tend to use them consistently across all systems.
So is a long password the way to go? Possibly. Lengthy passwords are often associated with an increase in password entropy, which basically is the measure of how much uncertainty there is in a key. An increase in entropy is seen as directly proportional to password strength. Therefore, a lengthy list of easy-to-remember words or a passphrase could be actually more secure than a shorter list of random characters.
Lengthy passwords made of actual words are definitely easier to remember and could help users manage them in more secure way. Problems could arise, however, if users choose words that are too related to each other or too personal; this would open the door for dictionary-based passwords tools to guess the correct sequence even in presence of a larger amount of possible combinations. Using something memorable or familiar (family, pet or street name) even in a password of adequate length and complexity is not practical as it makes it quite vulnerable for discovery by penetrators.
So, what makes a password secure?
An interesting Microsoft TechNet blog article shows how, by looking at the formula to calculate bits of entropy (the measure in bits of how difficult it is to hack a password), the role of length is emphasized. The formula is log(C) / log(2) * L where C is the size of the character set and L the length of the password; from a mathematical standpoint, it is clear how L, the length, has a predominant role in the calculation of the entropy bits. C normally includes symbols, lower and upper case characters and number for a total of 96 possible characters or less, if some are excluded: "When looking at passwords in this light, it really starts to become clear how much more important the password length is, as opposed to the defined complexity requirements. To further this point, if you're using passwords with a character set of 10 (only numbers), in order to achieve the same amount of entropy as a character set of 94 (all possible ASCII characters), you only have the double the password's length. To say it another way, a password that is 16 characters long made up of only numbers provides the same level of difficultly-to-crack as an 8-character password made up of the possible 94 possible characters."
It seems though as a combination of approaches might work better: lengthy and fairly complex passwords.
- Lengthy – Short length passwords are relatively easy to break, so the idea is to create lengthier ones for added security and to make them less predictable. So what is the desired or required length? A 2010 Georgia Tech Research Institute (GTRI) study told how a 12-character random password could satisfy a minimum length requirement to defeat code breaking and cracking software, said Joshua Davis, a research scientist at GTRI. Richard Boyd, a senior researcher at GTRI says, "Eight-character passwords are insufficient now… and if you restrict your characters to only alphabetic letters, it can be cracked in minutes." In any case, to be on the safe side, a password length of 12 characters or more should be adopted.
- Strong and complex – Strong passwords are still key. Security experts agree that upper and lowercase alphanumerical characters are good practices for increasing passwords strength and making it capable of resisting guessing and brute-force attacks. In order to add complexity without compromising ease-of-use, users could modify passphrases by inserting spaces, punctuation and misspellings.
Although, eventually, any passwords can be compromised, a combination of the two approaches can be used to increase the amount of time needed to crack them using any attack method.
Of course, users need to be also aware that password strength is not all. Risky behaviors like using auto save features in browsers or saving passwords in plaintext in desktop files, for example, will compromise even the strongest password. Falling pray of social engineering tactics would also defeat the purpose of using any strong, impossible-to-crack passwords.
Protection should also granted through measures implemented by system administrators who can use tools to limit the number of password-cracking attempts that can be made before the system denies any access to the data. Requiring another proof of identity to gain access to a resource, something the user has or is, for example, is also an extra protection in addition to the use of passwords. In addition, in a company, regular password auditing will help strengthen the security posture making sure that the complexity and strength of all access passkeys are adequate and that users are prompted to change theirs if found to be too weak.
Phishing simulations & training
Conclusion
Password-based authentication has existed for some time as the simplest form of security requiring users to verify their identity; therefore, they are not going away any time soon and will likely continue to play an important role in the future of network security even in view of other, secure alternatives in authentication methods. In other words, passwords won't die despite their weaknesses; therefore, people need to know how to make passwords be 'less' predictable. Until the "human weakness is minimized or eliminated," perhaps "removing human interaction with passwords and automating their selection and change is a major step forward on several levels," points out Richard Walters GM/VP, Identity and Access Management, Intermedia, in a Infosecurity Magazine post
Users are asked to apply complexity as well as length rules as well as basic security practices in order to minimize the odds of seeing their passwords compromised. Weak password authentication offers no security and is prone to several types of attacks, as mentioned, so ways for strengthening passkeys continue to be researched. Commonly, an extra layer of security is often added. Coupling two-factor authentication, for example, provides a better sense of security to users, as it offers some type of physical or secondary verification.
A multi-factor authentication strategy may be the better way to identify and verify users; nevertheless, if the password is weak, the entire authentication system is weakened. Therefore, the importance of creating passwords that can resist attack is still paramount.
Users' awareness is important in conveying the importance of using passwords that can really protect data assets. Of course, even the strongest password cannot withstand attacks like those perpetrated against credentials database, when hackers simply collect scores of passwords and authentication information to be decoded and used at their leisure; but that's a different issue.
Phishing simulations & training
Sources
Password security best practices: Change passwords to passphrases
Password Complexity versus Password Entropy.
Three alternatives to using passwords
How to Change Employees' Poor Password Habits
Why Your 'Secure' Password Will Fail You (And What to Do About It)