For a long time, the common thinking was that the best, most practical passwords consisted of a random combination of upper and lower-case letters, numbers, and a special character or two. If so composed, password length needed to be only eight characters.
Randomness remains important, but as it turns out, size matters more.
A password today should have a minimum of 12 characters, and ideally, 16 or even more.
Large-scale account hacks
When you hear about large numbers of accounts being stolen by a hack at some service provider, you are naturally concerned that the hacker might now have access to your account names and passwords. If the service was storing your actual passwords, that could indeed be the case. (As I’ve said before, if a service is storing your actual passwords1, then they simply don’t understand security, or they have made some horrifically bad decisions.)
In fact, most services store an encrypted (technically, a “hashed”) form of your password. For example, if my password were “password” (and that’s a very poor password, of course), then a service might store “5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”, which is the hash value that corresponds to that password.2
- affiliate link
- affiliate program
- Animated GIF
- aspect ratio
- back up
- bare metal
- Basic Input/Output System
- Blind Carbon Copy
- Blue Screen of Death
- brute force attack
- Central Processing Unit
- click bait
- Completely Automated Public Turing test to tell Computers and Humans Apart
- Content Delivery Network
- context menu
- CPU bit-ness
- cross-site scripting
- Cyclic Redundancy Check
- dark web
- deep web
- device driver
- dialog box
- digital signature
- Digital Rights Management
- Digital Subscriber Line
- Distributed Denial Of Service attack
- Domain Name System
- Dots Per Inch
- Dynamic Host Configuration Protocol
- Dynamic Link Library
- echo chamber
- electronic publication
- Email Service Provider
- encryption – asymmetric
- encryption – public key
- encryption – symmetric
- encryption key
- Fear Uncertainty Doubt
- Fiber Optic Service
- file system
- File Transfer Protocol
- form factor
- Globally Unique IDentifier
- Graphical User Interface
- Graphics Interchange Format
- Hard Disk Drive
- home page
- HyperText Mark-up Language
- HyperText Transfer Protocol
- HyperText Transfer Protocol – Secure
- image backup
- incremental backup
- Internet Message Access Procotol
- Internet Of Things
- Internet Protocol Address
- Internet Service Provider
- IP address
- ISO image
- Local Area Network
- malicious software
- man in the middle
- Modulator Demodulator
- multi-factor authentication
- net etiquette
- network adapter
- Network Interface Controller
- Network Address Translation
- Network Attached Storage
- nonbreaking space
- notification area
- op-level domain
- open wifi
- Personal STore
- Plain Old Telephone System
- Point Of Presence
- pop-up menu
- Port 25
- Portable Document Format
- Post Office Protocol version 3
- Potentially Unwanted Program
- Problem Exists Between Chair And Keyboard
- QR Code
- Quick Response
- rainbow table
- Random Access Memory
- recovery drive
- redundant array of independent disks
- screen shot
- Secure Boot
- Secure File Transfer Protocol
- Secure SHell
- Secure Sockets Layer
- Self-Encrypting Drive
- Serial ATA
- Service Set IDentifier
- Short Message Service
- Simple Mail Transfer Protocol
- Solid State Disk
- Solid State Disks
- system tray
- Three-Letter Acronym
- Too long; didn’t read
- top-level domain
- Transport Layer Security
- Two-factor authentication
- Unified Extensible Firmware Interface
- Uniform Resource Locator
- User Account Control
- video blog
- virtual machine
- Virtual Memory
- Virtual Private Network
- Voice Over Internet Protocol
- volume (disk)
- Volume Snapshot Service
- web log
- What You See Is What You Get
- Wide Area Network
- wireless network
- wireless network adapter
- Your Mileage May Vary
And what’s great about hashes is that you can calculate a hash from a password, but you cannot do the reverse – you cannot calculate the password from the hash.
As a result, one would think that by being hashed it’d be pretty unhackable, right?
Sadly, not so much.
The most common type of password attack is simply a high-speed guessing game. This doesn’t work when pounding on an actual log-in page; they’re slow, and will quickly deny further access after too many failures. But this technique works wonderfully if the hacker has the entire database of account and password hashes sitting on his computer.
These attacks involve starting with an exhaustive list of possible words and known common passwords (including names, profanities, acronyms, and more) and perhaps a few rules to try interesting and common ways that people try to obfuscate words. They calculate the hash of each guess, and if it matches what was found in the compromised database of account information that they’re working against, they’ve figured out the password for that account.
As we’ll see in a moment, it’s easy for hackers to make an amazing number of guesses is a short amount of time.
That’s why you’re not using that kind of password, right?
That’s why a password created from a totally random combination of characters is best. It forces hackers to move on to a true brute force attack of every possible combination to gain access.
Brute force attacks
Computers are fast. In fact, the computer on your desk is so fast that its ability to do simple operations is measured in terms of billions of operations per second.
Creating a password hash is not a simple operation, on purpose. However, it’s still something that can be done very quickly on most machines today. Spread the work over a number of machines – perhaps a botnet – and the amount of processing power that can be thrown at password cracking is amazing.
The net impact is that it’s now feasible to calculate the encrypted hash values for all possible eight-character passwords comprised of upper and lowercase alphabetic characters and digits.
This seems like a lot, until you realize that an off-line attack, which is easily performed once you’ve stolen a database of usernames and encrypted passwords, can be completed in a few hours. (This assumes technology that can “guess” something like 10 billion passwords per second – which, for those performing these kinds of attacks, is quite possible.)
It doesn’t matter what your password is; if it’s eight characters and constructed using upper and lower case letters and numbers, the hackers now have it – even if it was hashed by the service they stole it from.
Why 12 is better and 16 better still
As we’ve seen, eight-character passwords give you over 221 trillion combinations, which can be reasonably brute-force guessed offline in hours.
Twelve characters gives you over three sextillion (3,279,156,381,453,603,096,810). The offline brute-force guessing time in this case would be measured in centuries.
Sixteen takes the calculation off the chart. Today.
That’s why 16 is better than 12, and both are better than eight.
What about special characters?
I did leave out special characters, it’s true.
Let’s say that the system you’re using allows you to use any of 10 different “special characters” in addition to A-Z, a-z, and 0-9. Now, instead of 62 characters, we have 72 possibilities per position.
That takes us to 700 trillion possibilities.
Compare that to sticking with the original 62 letters and numbers, but adding only a single character to make it a nine-character password.
That takes us to over 13 quadrillion possibilities.
Yes, adding and using special characters makes your password better, but significantly better yet is to simply add one more character.
So add two. Or six. 🙂
Long passwords are good, pass-phrases are better
The difference is really a semantic one, but in general:
- A password is a random string of characters.
- A pass-phrase is a longer string of words.
Why passphrase? Because they’re easier to remember, and they’re easier to make long – and as we saw, password length is perhaps the single easiest way to increase the security of a password.
“BT6aKgcAN44VK4yw” is a very nice, 16-character long, secure password that’s difficult to remember. In fact, the only way to use this is with a password manager of some sort that remembers it for you.
On the other hand, “Its fleece was white as you know nothing John Snow”, at 50 characters, is wonderfully long, secure, and most of all, memorable. Much like the now canonical example of “Correct Horse Battery Staple“, you might even have a difficult time forgetting it5.
The biggest problem with passphrases? Many services that use passwords don’t allow spaces and don’t allow such lengthy passwords.
Shouldn’t services fix this and do better?
Absolutely, they should. And many do.
As I’ve stated above, passwords shouldn’t be kept in plain text anywhere by the service at all … yet some do.
There are techniques that make brute-force attacks significantly harder … and yet, many use techniques which are easier than the example above.
There are services that do a great job of keeping your information secure. There are also services that don’t. The problem is you really can’t be certain which is which.
To be safe, you have to act like they’re all at risk.
The bottom line
The bottom line for staying safe is simply this:
- Don’t trust that the service you’re using is handling passwords properly. While many do, it’s become painfully clear that many do not, and you won’t know which kind you’re dealing with until it’s too late.
- Use longer passwords: 12 characters minimum, 16 if at all possible.
- Use even longer passphrases where they’re supported, or where information is particularly sensitive. I use one for sensitive Truecrypt volumes, for example.
- Use a different password for each different site login you have. That way, a password compromised on one service won’t give hackers access to everything else.
Even the best eight-character passwords should no longer be considered secure. Twelve is “good enough for now”, but you really should consider moving to 16 for the long run.