Why Complex Password Requirements Don’t Necessarily Make You More Secure

We already know that smart passwords do not protect most users from hackers. It turns out that the complex password requirements most sites impose don’t help much either.

Complexity requirements do not stop hackers and we are still predictable

In the video above, security consultant Rick Redman explains how most websites use weak or outdated rules to guide you in creating a password. The websites on which you create logins probably have requirements like these:

  • Must be more than 8 characters.
  • You must use an uppercase letter, a lowercase letter and a number.
  • You must use a special character such as %, &, * or !.

This makes your passwords somewhat more secure – and they are better than a password like 123456 – but for modern password crackers, these are trivial hurdles to get around. As Redman points out, for $2,000 a cracker could buy a machine capable of trying every possible 8-character password – no matter how many capital letters or special characters you use – in just 3.7 days if the passwords are stored as NTLM hashes (which Windows uses). If the site stored your password as an MD5 hash, it would take 8 days to exhaust all possible 8-character passwords. As for SHA1, which LinkedIn used for the passwords exposed in its massive leak, this cheap machine could crack them all in 24 days. With access to better hardware, that time could be cut dramatically.

In other words, regardless of LinkedIn’s password rules, if you had an 8-character password at the time of that big leak, a cracker somewhere now knows it. And that’s if the cracker does it the hard way.

In reality, most people consciously or subconsciously adhere to certain patterns when creating passwords. Redman uses the following passwords as examples:

Austin1!, Sports9?, Hiphop4$, Camels2%

Each of them seems like a pretty realistic password for the average person. They include an interest or a word the user can remember, start with a capital letter, and tack on a number and a special character to satisfy the website’s password requirements.

However, all four follow the same pattern: one uppercase letter, five lowercase letters, one number, one special character. Crackers use patterns like these to dramatically reduce the time it takes to guess a hashed password. Instead of spending $2,000 and 8 days, a password-cracking app can get there in far less time.

For the same reason, requiring longer passwords does not necessarily improve the situation. If the end user has to enter a 12-character password instead of an 8-character one, they will likely use something like Mississippi9, which simply uses a longer base word but still follows a predictable pattern.
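As an added illustration of the keyspace arithmetic behind Redman’s point (example code, not from the talk or this article), the script below reduces a password to its character-class mask, sizes that mask’s keyspace, and estimates how long the $2,000 rig would need to exhaust it. It assumes a 94-character printable-ASCII alphabet and derives the guess rate from the article’s 3.7-, 8- and 24-day figures; the "predictable" shape it flags is the capitalised-word-plus-short-suffix pattern of Austin1! and Mississippi9.

```python
import math
import re
import string

# Character classes as a mask-based cracker would model them (assumed alphabet).
CLASSES = {
    "u": string.ascii_uppercase,  # 26
    "l": string.ascii_lowercase,  # 26
    "d": string.digits,           # 10
    "s": string.punctuation,      # 32 printable specials
}
FULL_ALPHABET = sum(len(v) for v in CLASSES.values())  # 94 printable ASCII

# The article's figures: days for the $2,000 rig to try every 8-character
# password, by hash type. Guess rates below are derived from these.
DAYS_FOR_ALL_8CHAR = {"NTLM": 3.7, "MD5": 8.0, "SHA1": 24.0}

# Mask shape the article warns about: a capitalised word followed by a
# short digit/special suffix (Austin1!, Sports9?, Mississippi9).
PREDICTABLE = re.compile(r"^ul+[ds]{1,3}$")

def guesses_per_second(algo: str) -> float:
    """Guess rate implied by the article's full-keyspace timing for `algo`."""
    return FULL_ALPHABET ** 8 / (DAYS_FOR_ALL_8CHAR[algo] * 86400)

def mask_of(password: str) -> str:
    """Reduce a password to its class mask, e.g. 'Austin1!' -> 'ulllllds'."""
    out = []
    for ch in password:
        cls = next((k for k, v in CLASSES.items() if ch in v), None)
        if cls is None:
            raise ValueError(f"not printable ASCII: {ch!r}")
        out.append(cls)
    return "".join(out)

def keyspace(mask: str) -> int:
    """Number of candidates a cracker must try to exhaust one mask."""
    return math.prod(len(CLASSES[c]) for c in mask)

def seconds_to_exhaust(mask: str, algo: str = "NTLM") -> float:
    """Time for the article's rig to try every password matching `mask`."""
    return keyspace(mask) / guesses_per_second(algo)

def is_predictable(password: str) -> bool:
    return PREDICTABLE.match(mask_of(password)) is not None

if __name__ == "__main__":
    for pw in ("Austin1!", "Mississippi9"):
        m = mask_of(pw)
        print(pw, m, is_predictable(pw), round(seconds_to_exhaust(m), 1))
```

The full 8-character keyspace takes the rig 3.7 days, but the Austin1! mask is roughly 60,000 times smaller and falls in seconds.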

None of this means that complex passwords are inherently bad or that it is your fault. Most of the websites you use simply don’t explain how complex your password should be. The problem is with us. If it’s something we can reliably remember, it’s probably something a professional password cracker can figure out. The only secure password is one you cannot remember.

What can you do to protect yourself?

Redman’s talk is aimed at security professionals and web administrators. Some of what is shown in the video above may seem fatalistic and beyond your control (because it is). Fortunately, there are other things you can do to protect yourself:

  • Stop using the same password for multiple sites. This cannot be overstated. It doesn’t matter if you have a completely random 100-character password if you’ve used it across multiple sites. Whatever your LinkedIn password was, it’s out there now. If a professional cracker recovers your password from one site, they have it for all of them. Always, always, always use a unique password for each site.
  • Use passwords you can’t remember (with a password manager): The best password you can have is one that is too hard to remember. Password managers are perfect for this. Get a password manager, use it to generate random passwords that you can’t remember, and store them in the app. Yes, this means you trust one application with all your passwords, but it also means the passwords you actually use can be much stronger. Check out our comparison of password managers to find the one that’s right for you. At the very least, use Smart Lock in Chrome.
  • If you need to remember a password, use a passphrase: In some cases, you simply need a memorable password. If possible, use a passphrase instead. Rather than a short password built around awkward rules, a passphrase is a long phrase or even a sentence. They are easier to remember, yet long enough to defeat most password crackers, or at least to slow them down enough that they give up on you and move on to someone else.
  • Turn on two-factor authentication everywhere: Two-factor authentication requires a second factor, like a text message or a code generated on your phone, in addition to your password when you log in. Turn it on everywhere. Ideally sites would require it, but for now most don’t. It is a minor inconvenience, but it could save your account should your password ever get cracked.

You can also tell sites that you are not happy with their lack of security standards. If they don’t support two-factor authentication, cap the length of your password, or email you your password in clear text when you lose it, send an email to support and tell them it’s not acceptable. Companies don’t always do what is best for the safety of their users unless prompted by requests or costs. If you are using a site with poor security, let them know. Hopefully they’ll get their act together.
