In my previous post about password security, I looked at the setting commonly found on password-protected systems, namely the number of incorrect login attempts. In this post, I will look at password complexity.
Most of us, at some point, have had an intended password rejected by the system for not meeting password complexity requirements. But, are so called “strong” passwords really more secure?
Security is, at the end of the day, a function of time: how long would it take to perform a brute-force attack (keep guessing until you get it right)? The more passwords we have to go through, the longer it will take to hack an account. Mandylion Research Labs has a Brute Force Attack Time Estimator on their website that allows you to estimate how long it would take a typical desktop PC to perform a brute-force attack.
Let us consider a common password scenario. The system administrator has decreed that passwords should be 8 characters, with at least one upper case letter and one non-alphanumeric character. If we assume that most people will stick to exactly that, then using the calculator, we can see that this results in just over 257 billion combinations which, assuming on average we would need to try half of them, would take an average desktop PC just 7.48 hours to crack!
Even if we consider all the legal passwords that match these requirements (hoping our users will use more than one special character and/or capital) then we have 47 trillion passwords, which would take a little over 57 days.
If, however, we do not impose the strength restrictions, then we have 6 quadrillion combinations, which would take just over 20 years to crack. That’s nearly 24,000 times longer than the first case.
You may point out that the incorrect-login-attempt lockout would greatly hamper these efforts, and you would be absolutely correct. However, it would affect both password systems equally, meaning that the latter system is still 24,000 times more complex. Also, bear in mind that many times the hack is done offline on a compromised password file, so the login mechanism, and therefore the incorrect login count, are not involved at all.
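To make the arithmetic above reproducible without the online estimator, here is an added example (my own code, not from the original post or from Mandylion) that computes the keyspace for the "exactly what the policy demands" pattern (26^7 letter choices times 32 special characters, which matches the post's 257 billion) and for unrestricted 8-character passwords over 94 printable characters (the post's 6 quadrillion). The guess rate of about 4.77 million guesses per second is an assumption back-calculated from the post's own figures, not a measured number. The general inclusion-exclusion function goes beyond the post's calculator and counts passwords containing at least one character from each required class for any number of classes; the post's intermediate 47 trillion figure depends on estimator assumptions the post does not spell out, so it is not reproduced here.

```python
# Added example: password keyspace sizes and expected brute-force time.
# Not code from the original post; the guess rate is an assumption.
from itertools import combinations

LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32   # classes of printable ASCII
PRINTABLE = LOWER + UPPER + DIGIT + SPECIAL       # 94 characters in total

# Assumed rate (~4.77 million guesses/s), back-calculated from the post's
# "half of 257 billion in 7.48 hours". A real attacker's rate will differ.
GUESSES_PER_SECOND = 4.77e6
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def fixed_pattern_keyspace() -> int:
    """Scenario 1: users do exactly what the policy demands and no more.
    One capital and one special character in predictable positions and
    letters everywhere else: 7 letter positions with 26 choices each
    (the capital is still one of 26 letters) times 32 special characters."""
    return 26 ** 7 * SPECIAL  # 257,017,925,632


def unrestricted_keyspace(length: int = 8) -> int:
    """Scenario 3: any printable ASCII character in any position."""
    return PRINTABLE ** length  # 94**8, about 6.1 quadrillion


def at_least_one_of_each(length: int, class_sizes: list[int], alphabet: int) -> int:
    """Count passwords of `length` over an alphabet of `alphabet` characters
    that contain at least one character from every (disjoint) class in
    `class_sizes`, by inclusion-exclusion over the set of 'missing' classes."""
    total = 0
    n = len(class_sizes)
    for k in range(n + 1):
        for excluded in combinations(range(n), k):
            remaining = alphabet - sum(class_sizes[i] for i in excluded)
            total += (-1) ** k * remaining ** length
    return total


def expected_crack_seconds(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """On average half the keyspace is searched before the right guess."""
    return keyspace / 2 / rate


def expected_crack_hours(keyspace: int) -> float:
    return expected_crack_seconds(keyspace) / 3600


def expected_crack_years(keyspace: int) -> float:
    return expected_crack_seconds(keyspace) / SECONDS_PER_YEAR


if __name__ == "__main__":
    k1 = fixed_pattern_keyspace()
    k3 = unrestricted_keyspace()
    print(f"policy-as-written pattern: {k1:,} guesses, "
          f"{expected_crack_hours(k1):.2f} hours on average")
    print(f"unrestricted 8 characters: {k3:,} guesses, "
          f"{expected_crack_years(k3):.1f} years on average")
    print(f"ratio: {k3 / k1:,.0f}x")
    # general form: 8 characters over 94, at least one upper and one special
    print(f"at least one upper + one special over full alphabet: "
          f"{at_least_one_of_each(8, [UPPER, SPECIAL], PRINTABLE):,}")
```

The ratio printed by the last scenario is about 23,700, which is the "nearly 24,000 times" in the post. Note that the whole estimate assumes an attacker who guesses uniformly; a real cracking tool tries likely candidates first, which is the point the dictionary discussion below makes.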
We also should not discount the ease-of-use factor: making your password easy to remember makes it easy for hackers to guess. Many cracking tools rely on people using a dictionary word (which the strength rules are supposed to prevent, hence the term “dictionary attack”) and meeting the strength requirement by simply adding the special characters at the end. Be honest, how many of you start your passwords with a non-alphanumeric character? The hackers know this.
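A complexity rule that only counts character classes is satisfied by "Summer2023!", which is exactly the word-plus-suffix pattern described above. As an added example (my own code, not from the original post), the check below normalises a candidate password the way a cracking tool's mangling rules would reverse it (strip leading and trailing digits and symbols, undo a few common letter substitutions, lowercase) and rejects it if what remains is a dictionary word. The wordlist and substitution table are constructed stand-ins; a real deployment would load a large dictionary and known-breach lists.

```python
# Added example: reject passwords that are a dictionary word with the
# required characters tacked on at the ends. Wordlist is constructed.
import string

# Constructed sample wordlist; a real check loads a much larger one.
WORDLIST = {"password", "welcome", "summer", "dragon", "monkey"}

# Characters users typically bolt onto the front or back of a word.
DECORATION = string.digits + string.punctuation + " "

# A few common substitutions that crackers undo by rule (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8


def core_word(password: str) -> str:
    """Recover the 'word' underneath the decoration: strip digits and
    symbols from both ends, undo substitutions, and lowercase."""
    core = password.strip(DECORATION)
    return core.translate(LEET).lower()


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Accepts only if the password is long
    enough, contains letters, and is not a decorated dictionary word."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    core = core_word(password)
    if not core:
        return False, "no letters, only digits and symbols"
    if core in WORDLIST:
        return False, f"dictionary word '{core}' with decoration"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the first three satisfy a naive
    # upper+special rule yet fall to a dictionary-plus-rules attack.
    for candidate in ["Summer2023!", "P@ssw0rd!", "!Welcome1",
                      "correct horse battery staple", "Short1!"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'accept' if accepted else 'reject'} ({reason})")
```

The check is deliberately narrow: it catches the specific habit the post calls out, not every weak password, and it should sit alongside, not replace, a minimum length and a breached-password lookup.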
I still maintain that security is crucially important, but once again I believe that by taking steps to make the system more secure, we end up having the opposite effect! It’s all about user education.
What do you think?
In my next post in this series, I will look at password change policies.