Better Security with a Lengthier Password
Published on : Friday 08-01-2021
Are you acting as a miser while choosing a lengthy password, asks Shekhar Pawar.
According to the Open Web Application Security Project (OWASP) and many other security best practices, minimum length of the passwords should be enforced by the application which should not be less than 8 characters. Otherwise it will be considered to be weak (NIST SP800-63B). Also, it recommends that maximum password length should not be set too low, as it will prevent users from creating passphrases. In many IT systems, a common maximum length is 68 characters followed as there are limitations in certain hashing algorithms.
Apart from length of password, there are many other recommendations such as password should have at least one capital letter, at least one small letter, at least one number and at least one special character. Security policies also force how frequently passwords should be changed, how old passwords should not be used again, etc.
And why are they forcing minimum password length? Isn’t it enough to just use a complex password?
There is an idea of mathematics behind it. Don’t worry – no need to recall your complex mathematics exam time from school and college days! I will explain it in a simple way.
What is the Brute Force attack?
Brute Force attack is one of the easiest and very common attacks in cyber world. As you might be knowing, in this kind of attack cybercriminals keep trying different passwords till they find a working password. This is done using intelligent Brute Force attack tools. To perform such an attack with manual efforts is simply not possible. Using Brute Force tools cybercriminals assume the hash algorithm, user name, and hashed password value are known. These attacks are mostly using computers or systems having only a few known user ids which cybercriminals do find out by few cyber tricks and techniques. The remaining unknown portion then remains the ‘password’ of those users. Cybercriminals can simply begin by hashing sequential possibilities like ‘a’, ‘A’, ‘ab’, ‘Ab’, ‘aB’, ‘AB’, ‘AZ’ and so on until a hash pops out that matches the user's hashed password. The method is systematic and brute force in the extreme. In the real world, if a cybercriminal already knows that there are few validations followed by organisations – such as minimum length, etc – then they can even skip few possibilities in advanced Brute Force attack tools.
You can refer the latest list of the most common passwords, and check if you find your password or portion of your password in it: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
These attacks work in 3 important steps – the first step is ‘Guessing’ where cybercriminals try to know favourite passwords. If the first step fails, cybercriminals try the next step which is ‘Dictionary’. In this, they try every word in a dictionary. They mostly try to use a few common combinations of words. It’s one of the effective ways. For example, they might try to replace ‘a’ with ‘@’ in ‘cat’ and it will become ‘c@t’. Few other things are like replacing ‘o’ with ‘0’ (zero), also the ‘s’ is replaced with ‘$’ or ‘&’, etc. Cybercriminals actually try to understand how people might be manipulating passwords making them easy to remember. After a dictionary attack, if still cybercriminal failed – they will go for heavy ultimate force to crack passwords using special computers designed to execute hash algorithms at very high speeds. These special computers have the capacity to try billions of password combinations per second.
What is the impact of length of password?
The lengthier the password, more will be the time required to reach the correct password by Brute Force attack. It is making it difficult to guess.
If we consider the following two points:
- character sets ‘a-z’, ‘A-Z’, ‘0-9’, ‘!@#$%&’, it will be 68 possible characters.
- Password cracking computers have processing capacity of 68 billion guesses per second.
Conclusion
Never behave like a miser while choosing lengthy passwords, it’s a free trick. It will surely increase security for your login accounts.
Shekhar Ashok Pawar is Founder & Executive Director, GrassDew IT Solutions Private Limited, Mumbai, which is primarily focused on Cybersecurity, Consulting, Software Solutions, Digital Marketing and Knowledge Services. With 15 years of international experience, Shekhar is CISA, CEH, MCP, Blockchain Developer, CMMi Level 5 ATM & ISO 27001 LA. He did Executive Management (IIT-Bombay), after Engineering in Electronics & Telecommunications, and has experience in various IT delivery areas across USA, Europe, UK, UAE and India.
