For a long time, the common thinking was that the best, most practical passwords consisted of a random combination of upper and lower-case letters, numbers, and a special character or two. If so composed, password length needed to be only eight characters.
Randomness remains important, but as it turns out, size matters more.
A password today should have a minimum of 12 characters, and ideally, 16 or even more.
Become a Patron of Ask Leo! and go ad-free!
Large-scale account hacks
When you hear about large numbers of accounts being stolen by a hack at some service provider, you are naturally concerned that the hacker might now have access to your account names and passwords. If the service was storing your actual passwords, that could indeed be the case. (As I’ve said before, if a service is storing your actual passwords1, then they simply don’t understand security, or they have made some horrifically bad decisions.)
In fact, most services store an encrypted (technically, a “hashed”) form of your password. For example, if my password were “password” (and that’s a very poor password, of course), then a service might store “5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”, which is the hash value that corresponds to that password.2
What that means is that hackers do not get a list of user names and passwords. What they get is a list of usernames and password hashes.
And what’s great about hashes is that you can calculate a hash from a password, but you cannot do the reverse – you cannot calculate the password from the hash.
As a result, one would think that by being hashed it’d be pretty unhackable, right?
Sadly, not so much.
The most common type of password attack is simply a high-speed guessing game. This doesn’t work when pounding on an actual log-in page; they’re slow, and will quickly deny further access after too many failures. But this technique works wonderfully if the hacker has the entire database of account and password hashes sitting on his computer.
These attacks involve starting with an exhaustive list of possible words and known common passwords (including names, profanities, acronyms, and more) and perhaps a few rules to try interesting and common ways that people try to obfuscate words. They calculate the hash of each guess, and if it matches what was found in the compromised database of account information that they’re working against, they’ve figured out the password for that account.
As we’ll see in a moment, it’s easy for hackers to make an amazing number of guesses is a short amount of time.
That’s why you’re not using that kind of password, right?
That’s why a password created from a totally random combination of characters is best. It forces hackers to move on to a true brute force attack of every possible combination to gain access.
Brute force attacks
Computers are fast. In fact, the computer on your desk is so fast that its ability to do simple operations is measured in terms of billions of operations per second.
Creating a password hash is not a simple operation, on purpose. However, it’s still something that can be done very quickly on most machines today. Spread the work over a number of machines – perhaps a botnet – and the amount of processing power that can be thrown at password cracking is amazing.
The net impact is that it’s now feasible to calculate the encrypted hash values for all possible eight-character passwords comprised of upper and lowercase alphabetic characters and digits.
This seems like a lot, until you realize that an off-line attack, which is easily performed once you’ve stolen a database of usernames and encrypted passwords, can be completed in a few hours. (This assumes technology that can “guess” something like 10 billion passwords per second – which, for those performing these kinds of attacks, is quite possible.)
It doesn’t matter what your password is; if it’s eight characters and constructed using upper and lower case letters and numbers, the hackers now have it – even if it was hashed by the service they stole it from.
Why 12 is better and 16 better still
As we’ve seen, eight-character passwords give you over 221 trillion combinations, which can be reasonably brute-force guessed offline in hours.
Twelve characters gives you over three sextillion (3,279,156,381,453,603,096,810). The offline brute-force guessing time in this case would be measured in centuries.
Sixteen takes the calculation off the chart. Today.
That’s why 16 is better than 12, and both are better than eight.
What about special characters?
I did leave out special characters, it’s true.
Let’s say that the system you’re using allows you to use any of 10 different “special characters” in addition to A-Z, a-z, and 0-9. Now, instead of 62 characters, we have 72 possibilities per position.
That takes us to 700 trillion possibilities.
Compare that to sticking with the original 62 letters and numbers, but adding only a single character to make it a nine-character password.
That takes us to over 13 quadrillion possibilities.
Yes, adding and using special characters makes your password better, but significantly better yet is to simply add one more character.
So add two. Or six. 🙂
Long passwords are good, pass-phrases are better
The difference is really a semantic one, but in general:
- A password is a random string of characters.
- A pass-phrase is a longer string of words.
Why passphrase? Because they’re easier to remember, and they’re easier to make long – and as we saw, password length is perhaps the single easiest way to increase the security of a password.
“BT6aKgcAN44VK4yw” is a very nice, 16-character long, secure password that’s difficult to remember. In fact, the only way to use this is with a password manager of some sort that remembers it for you.
On the other hand, “Its fleece was white as you know nothing John Snow”, at 50 characters, is wonderfully long, secure, and most of all, memorable. Much like the now canonical example of “Correct Horse Battery Staple“, you might even have a difficult time forgetting it5.
The biggest problem with passphrases? Many services that use passwords don’t allow spaces and don’t allow such lengthy passwords.
Shouldn’t services fix this and do better?
Absolutely, they should. And many do.
As I’ve stated above, passwords shouldn’t be kept in plain text anywhere by the service at all … yet some do.
There are techniques that make brute-force attacks significantly harder … and yet, many use techniques which are easier than the example above.
There are services that do a great job of keeping your information secure. There are also services that don’t. The problem is you really can’t be certain which is which.
To be safe, you have to act like they’re all at risk.
The bottom line
The bottom line for staying safe is simply this:
- Don’t trust that the service you’re using is handling passwords properly. While many do, it’s become painfully clear that many do not, and you won’t know which kind you’re dealing with until it’s too late.
- Use longer passwords: 12 characters minimum, 16 if at all possible.
- Use even longer passphrases where they’re supported, or where information is particularly sensitive. I use one for sensitive Truecrypt volumes, for example.
- Use a different password for each different site login you have. That way, a password compromised on one service won’t give hackers access to everything else.
Even the best eight-character passwords should no longer be considered secure. Twelve is “good enough for now”, but you really should consider moving to 16 for the long run.