Strong Passwords Aren’t Really More Secure

In my previous post about password security, I looked at the setting commonly found on password-protected systems, namely the number of incorrect login attempts. In this post, I will look at password complexity.

Most of us, at some point, have had an intended password rejected by the system for not meeting password complexity requirements. But, are so called “strong” passwords really more secure?

Security is, at the end of the day, a function of time. How long would it take to perform a brute-force (keep guessing until you get it right) attack. The more passwords we have to go through, the longer it will take to hack an account. Mandylion Research Labs has a Brute Force Attack Time Estimator on their website that allows you to estimate how long it would take a typical desktop PC to perform a Brute-Force attack.

Let us consider a common password scenario. The system administrator has decreed that passwords should be 8 characters, with at least one upper case and one non-numeric. If we assume that most people will stick to exactly that, then using the calculator, we can see that this results in just over 257 billion combinations which, assuming on average we would need to try half of them, would take an average desktop PC just 7.48 hours to crack!

Even if we consider all the legal passwords that match these requirements (hoping our users will use more than one special character and/or capital) then we have 47 trillion passwords, which would take a little over 57 days.

If, however, we do not impose the strength restrictions, then we have 6 quadrillion combinations, which would take just over 20 years to crack. That’s nearly 24,000 times longer than the first-case.

You may point out that the incorrect log in attempt lock would greatly hamper these efforts and you would be absolutely correct. However, it would affect both password systems equally, meaning that the latter system is still 24,000 more complex. Also, bear in mind that many times the hack is done on a compromised password file, so the login mechanism and therefore incorrect login count are not used.

We also should not discount the ease-of-use factor – making your password easy to remember, makes it easy for hackers to guess. Many hacking systems rely on people using a word, (which the strength system is supposed to prevent, thereby preventing so-called “dictionary attacks”), where the strength requirement is met by simply adding the special characters at the end. Be honest, how many of you start your passwords with a non-alphanumeric character? The hackers know this.

I still maintain that security is crucially important, but once again I believe that by taking steps to make the system more secure, we end up having the opposite effect! It’s all about user education.

What do you think?

In my next post in this series, I will look at password change policies.

Paul

Paul Simpson

Paul Simpson

I joined Interactive Intelligence in January 2008 as a Training Consultant in the Education Department. Based initially in the Amsterdam office, I transferred to Indianapolis in 2010, where I still work in Education. My formal areas of interest are Interaction Dialer and Interaction Process Automation, however I can usually be found experimenting with various abstract parts of the product and love to make it do cool things! I’m always playing around with scripting and automation. Anyone who has attended one of my classes will tell you that my theories of troubleshooting can involve chickens and I am passionate about the correct pronunciation of the word “router.” Prior to Interactive Intelligence, I worked as a school teacher (mathematics and computing), a network engineer (mostly Novell), a hardware support engineer and a developer. I can trace my computing history back to the days of the Z80 and 6502. I have a keen personal interest in home media and automation. I am also developing an interest in Animatronics and would like, one day, to create a haunted-house walk-through for Halloween. I can be quite opinionated and hope that my blog posts will spark some healthy debate.