How Password Restrictions Create a False Sense of Security
The next time you have to enter a password, especially if the site requires you to use an insane combination of upper and lower case letters, numbers or symbols, don’t assume that these obfuscation attempts automatically mean your password is incredible and secure.
Randy Abrams, Senior Security Analyst at Webroot, ran some simple tests . It has counted all the potential passwords you can create in an eight-digit password, including numbers, upper and lower case letters, and symbols. (That’s 95 ^ 8 possible combinations, which gives 6,634,204,312,890,625 or 6.6 quadrillion numbers.)
Suppose someone is trying to find out your password using a typical brute-force attack . Let’s say they can check about 31 billion passwords per second . Cracking your fairly complex eight-character password can take at most 212,903 seconds. That’s 3548 minutes, or roughly two and a half days.
Now let’s talk about restrictions for a minute. Suppose the service you are using requires an eight-digit password. Abrams notes that this requires 70.6 trillion passwords, as every one to seven-character password is now invalid. This will save the jailbreak tool a whopping 2,277 seconds, or almost 38 minutes. It’s not that bad.
What to do if, in the name of security, you use an eight-digit password (to remember) and the service forces you to use uppercase and lowercase letters and symbols. It’s safer this way, right? Is this a more complex password that makes it harder for an attacker to decrypt? Not really. As Abrams points out, you just shrunk the pool of potential passwords by 18.5 percent by removing, for example, items such as lowercase passwords. A maximum of two days for the system to detect your password in our scenario.
If the service also requires you to have a number in that password — and you follow its advice and simply do so while keeping your “complex” password of just eight characters — you’ve cut down on the potential passwords that a brute-force tool needs. assume about 41 percent. In our scenario, this reduces the maximum time to 34 hours, or just under one and a half days.
Instead of worrying about how best to make your shorter password harder to brute-force or brute-force, Abrams advises choosing a longer password because even if the service has password restrictions, they will have much less impact:
“You may have noticed that longer passwords have little effect. There is often very little point in imposing restrictions on long passwords as well. This is because each additional character in the password exponentially increases the password pool. There are 6.5 million times more combinations of 16-character passwords using only lowercase letters than eight-character passwords using all four character sets. This means that “toodlesmypoodles” will be much more difficult to crack than “I81B @ gle” “
You should probably not use a three-word passphrase, but instead stick to a passphrase that uses many words – any length will work – if you go that route.
Better yet, use a long passphrase (this is not just a famous quote or a fairly common passphrase) for your password management app , add a second layer of security with two factor authentication (a token you generate from an app or other hardware device, not a login code to the system you receive in a text message) and then use a password manager to generate passwords of 16+ characters filled with upper and lower case letters, numbers and symbols for all your other services. Rampage.
And if you try to subscribe to something that only allows you to have a limited, short password – especially if you only need to use a number – get nervous. If you’re lucky, you might also be able to set up 2FA there for a little more security.