I’ve been told that my passwords should now be at least 10 characters long in order to be secure nowadays. Is that true?
This question was answered on August 17, 2016. Much of the information contained herein may have changed since posting.
Passwords tend to be the only thing separating criminals and thieves from our online accounts, which is why they spend so much time creating sophisticated means of compromising them.
Just about all the advice you’ll ever hear about creating ‘strong passwords’ is designed to thwart sophisticated guessing schemes commonly referred to as ‘brute-force attacks’.
Brute-force attacks, which are generally performed offline (against a stolen copy of the scrambled password data rather than the live login page) on high-speed computer networks, are a systematic process of trying every possible combination of letters, numbers and special characters until the correct one is found.
Long, complex passwords are the best way to combat this type of attack.
Understanding Brute-Force Attacks
If you were to only use 2 characters for your password, you can see how a high-speed computer could guess every possible combination in the blink of an eye.
In fact, the Gibson Research Password Haystack Tool (https://grc.com/haystack) suggests that any 2-character password can be broken in 0.0000000000354 seconds or less.
Each additional character multiplies the number of possible combinations by the size of the character set, so the count grows exponentially with length: the longer your password is, the longer it will take for a brute-force attack to be successful.
Most of you have been trained to use complex 8-character passwords, which are hard for you to remember and easy for attackers to crack. With today’s sophisticated password-cracking technology, GRC’s tool suggests it will take just over 1 minute to break any 8-character password, no matter what combination of characters you use.
Stretching the password to 10 characters turns that 1 minute into 1 week, as long as you have included uppercase characters, numbers and special characters.
Use Passphrases, Not Passwords
If you don’t follow the guidance on using all the required character types, the number of possible combinations drops sharply, because every position in the password now has fewer possible values.
For instance, the time that it takes to crack a complex 10-character password that does not include an uppercase letter goes from 1 week down to just over 6 hours.
The key to creating strong complex passwords that you can remember is to stop using passwords and start using passphrases.
My go-to example of ‘I H8te Passwords!’ is a 17-character passphrase (including spaces) that GRC’s tool suggests would take 13.44 billion centuries to crack.
By creating a passphrase that is personal to you, you have a much better chance of creating a long complex password that you can easily remember.
For example, ‘I’m Going To Aruba in 2017!’ is 27 characters long and uses all the required character types. Some sites don’t allow you to use spaces, but without them it would still be 22 characters long.
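To make the arithmetic behind these figures concrete, here is an added Python example (my code, not the article’s and not GRC’s tool). It estimates the search space in the style the Haystack tool describes, which I take as assumptions rather than facts stated on this page: the alphabet is the sum of the character classes actually used (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space), every length up to the password’s own length is counted, and the attacker runs 100 trillion guesses per second offline. With those parameters it reproduces the figures quoted above (about a minute for 8 characters, about a week for 10, under 7 hours for 10 without an uppercase letter, roughly 13 billion centuries for ‘I H8te Passwords!’), and it also shows the two-character case and the missing-class penalty from the earlier sections. The sample passwords are constructed for illustration.

```python
# Added example (not from the original article): search-space and
# cracking-time estimates in the style of GRC's Password Haystack tool.
# Assumptions (mine, not stated on the page): the alphabet is built from
# the character classes present (26 lowercase, 26 uppercase, 10 digits,
# 33 symbols including space), the search space counts every length up
# to the password's length, and the attacker tries 100 trillion guesses
# per second offline.
import string

SYMBOLS = " " + string.punctuation        # 32 punctuation marks + space = 33
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
GUESSES_PER_SECOND = 1e14                  # assumed "massive cracking array" rate


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, based on the
    classes the password actually uses."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        elif ch in SYMBOLS:
            present.add("symbol")
        else:
            raise ValueError(f"character {ch!r} is outside the modelled alphabet")
    return sum(CLASS_SIZES[c] for c in present)


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search must cover: every string of
    length 1 .. len(password) over the alphabet (a geometric series)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return search_space(password) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that keeps it readable."""
    units = [
        ("centuries", 3_155_760_000.0),    # 100 Julian years
        ("years", 31_557_600.0),
        ("days", 86_400.0),
        ("hours", 3_600.0),
        ("minutes", 60.0),
        ("seconds", 1.0),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Constructed samples: 2 chars (lowercase + symbol), 8 and 10 chars with
    # all four classes, 10 chars without uppercase, and two passphrases.
    samples = [
        "a!",
        "Tr0ub4d!",
        "Tr0ub4d!r9",
        "tr0ub4d!r9",
        "I H8te Passwords!",
        "I'm Going To Aruba in 2017!",
    ]
    for pw in samples:
        print(f"{pw!r:32} alphabet={alphabet_size(pw):3} "
              f"space={search_space(pw):.3e} time={human(seconds_to_exhaust(pw))}")
```

Two caveats worth keeping in mind when reading the output. The model covers exhaustive search only; real cracking tools try dictionaries, leaked passwords and common patterns first, so a passphrase built from a famous quote or song lyric is far weaker than its length suggests, which is why the advice above is to make it personal. The guess rate is also just an assumption: how a site stores its passwords (a slow, salted hash versus a fast unsalted one) changes the achievable rate by orders of magnitude, and the rate only rises over time.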
I personally shoot for at least 12-character passphrases these days, knowing that brute-force cracking technology is going to get faster as time goes on.
If time weren’t a factor, any password of any length could eventually be broken; but time is a factor for cyber-thieves, so make yours long and complex enough that your accounts aren’t worth their time.
About the author
Posted by Ken Colburn of Data Doctors on August 17, 2016