Longer passwords are stronger passwords. It really is just math. Longer passwords are harder to crack and easier to remember. They increase security while improving end-user productivity and satisfaction.
This comic from XKCD on password strength is popular because it clearly shows the reality of the situation today; what most people think of as strong passwords are actually easy for computers to crack and hard for people to remember.
Have we been measuring password security wrong?
There is a proliferation of password strength meters around the internet. They seem to be relatively consistent and all work off entropy, the degree of randomness in the password possibilities. Some sites to take a look at are https://howsecureismypassword.net, http://www.passwordmeter.com, and https://www.grc.com/haystack.htm. An 8-character password with just upper and lower case letters and numbers gives us 218,340,105,584,896 possibilities, which seems like a lot but can be cracked in hours. Most of the above password strength meters calculate at 1000 guesses per second.
Longer is stronger
A longer password is a stronger password. A 20-character password using only alpha characters is much stronger than an 8-character password with complexity because of the number of possibilities and the resulting amount of time required to hack the password.
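To make the arithmetic behind the two comparisons above concrete, here is an added example (not part of the original post) that computes keyspace, entropy in bits, and worst-case time to exhaust the keyspace at a given guess rate. The 1000 guesses/second rate is the one the post attributes to the strength meters; the 1e10/s rate and the 7,776-word dictionary are constructed assumptions used only to show how the same keyspace looks under an offline attack and under a word-based attacker model.

```python
import math

# Alphabet sizes for the page's two comparisons (assumption: "only alpha
# characters" means the 26 lowercase letters).
ALPHA_ONLY = 26
UPPER_LOWER_DIGITS = 62

# Assumed guess rates, guesses per second. 1e3/s is the rate the page says the
# strength meters use (an online-login rate); 1e10/s is a constructed stand-in
# for an offline attack on a leaked fast hash, not a measured figure.
GUESS_RATES = {"meter assumption (1e3/s)": 1e3, "offline, fast hash (1e10/s)": 1e10}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy when the attacker knows the passphrase is `word_count` words
    drawn uniformly from a `dictionary_size`-word list (the XKCD word model)."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def report(alphabet_size: int, length: int) -> None:
    print(f"{length}-char password over {alphabet_size} symbols: "
          f"{keyspace(alphabet_size, length):,} candidates, "
          f"{entropy_bits(alphabet_size, length):.1f} bits")
    for label, rate in GUESS_RATES.items():
        print(f"  exhaust at {label}: {years_to_exhaust(alphabet_size, length, rate):.3g} years")


if __name__ == "__main__":
    report(UPPER_LOWER_DIGITS, 8)   # the page's 218,340,105,584,896-candidate case
    report(ALPHA_ONLY, 20)          # the page's 20-character alpha-only case
    # Six words (the page's third passphrase) from an assumed 7,776-word list:
    print(f"6 words from 7,776: {passphrase_entropy_bits(6, 7776):.1f} bits")
```

The 62-symbol 8-character case takes thousands of years at the meters' 1000 guesses/second but well under a day at the assumed offline rate, which is why a meter's verdict and the post's "cracked in hours" can both be true.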
The following passphrases are much more secure than shorter passwords. They are also easier for the user to remember, which reduces the number of account lockouts and calls to the helpdesk.
- This is an amazing password!
- My new password, [email protected], is very strong!
- Chocolate newt sloth envy picture honeypot?
Why doesn’t everyone use passphrases?
People don’t like change, but when they realize passphrases are easier to remember they adopt the concept very quickly. Educating users on how to best manage their passwords, and combining that with technologies that allow you to create policies to enforce rules for your users, are both critical items.
In most business situations, the user’s identity is actually an amalgam of many different digital identities. The more complex the scenarios, the greater the need to find solutions that build upon your existing password management environment.
- Use passphrases where possible. Evaluate your IdM environment and figure out where you can fully utilize passphrases.
- Use multiple factors where possible. If a system allows for multi-factor authentication, such as mobile device verification, use it!
- Create different policies for different business roles. The password rules should be in line with the type of work performed by the individual. No one-size-fits-all password policy.
- Active Directory is very powerful, and managing password policies through AD is an important aspect of the system, but it’s not enough. Evaluate your security, compliance, and governance requirements and figure out how you can meet those requirements, looking outside of Active Directory if necessary.
- Usability has to be a cornerstone of password security. Don’t create a situation where users rebel against the policies you’ve put in place to protect them.
Kevin Sullivan is the Director of Sales Engineering at Specops Software and a former Program Manager at Microsoft.