IT Security Feb 11, 2021

Passwords – The more complex, the better?

In this age of increased remote working, the spotlight is firmly on security and raising awareness of the topic among employees to create a human firewall using, among other things, secure passwords. But are password guidelines really up to scratch?

Share article

Kathrin Sauerland
Administration & Organisation

If you were to set up an account right now, you’ll probably need an 8-character password with upper and lower case letters, numbers and special characters that contain neither connected words or dates of birth. Users are being forced to think up and remember ever more complex passwords only to have to change them every three months.

The question we have to ask ourselves is are passwords secure simply because they are complex?

If we were only thinking about the password itself, the answer would probably be yes. However, if we also consider their usability, the answer is “absolutely not”.

Why isn’t a complex password a secure one? Let’s take a closer look. Put yourself in the position of a user, who only has a basic understanding of IT security. All you have to do is choose a password made up of numbers, special characters and upper and lower case letters that is at least 8 characters long, does not contain any words in common use, consecutive numbers or dates of birth. It has to be one that sticks in the mind as you are going to have to use it multiple times a day.

Let’s assume you’ve chosen a very complex password that is easy to remember. Three months pass and now you have to rethink your password. What are you going to do? Are you going to think up a completely new, complicated password that fulfils all the requirements or take the easy way out and just extend your previous one by one character. And what would you do if you’ve chosen a really tricky password you can never remember? Write it down? Be honest. Do you ever jot your password down on a Post-it and stick it to the keyboard or monitor?

Size matters.

Let’s take an 8-character password that fulfils all the requirements. There are 2,724,905,250,390,625 potential upper/lower case, number and special character combinations. What are the chances of guessing one of those? When you hear that a PC can calculate up to 2,147,483,600 keys per second, you’ll soon be able to figure out that a password can be cracked within 1,268,883 seconds, or 14 days. 14 days to crack both highly complex and simple 8-character passwords.

By contrast, a hacker would need around 106,107 days—around 290 years—to crack a 10-character password. Only because we’ve made it a little bit longer.

The numbers given here are assuming the hackers are using a single PCs. If you were to connect several to a BOT network, however, decryption would be much faster.

So, what does that mean for our password guidelines?

Hackers will need much more time to guess a longer password than a complex shorter one, as every extra digit increases the number of potential combinations many times over.

The basic principle should therefore be: the longer the password, the better. If we bear this in mind and have a list of blocked or already cracked passwords, our data should be secure even with a less complex one.

What’s more, password lengths can be adapted to different user categories so a user with only limited permissions would be ok with a 10-character password, while users with standard permissions would be better with 12 characters. The higher the authorisation level, the longer the password should be, so a 32-character password is recommended for service accounts.

It is also a good idea to block the account as soon as the password has been incorrectly entered 15 times.

The question we posed at the start can be answered with a clear “no”. Current password guidelines are not secure enough and should be urgently rethought or revised.