Forget everything you might have heard about complex passwords and how to make passwords. Here is the cold, hard truth.
Mr. Fennel Aurora from F-Secure has written a blog post about password security, and knowing the few additional facts I will share with you here will clearly improve your security awareness.
Initially, Mr Aurora tells us to forget everything we might have heard about complex passwords and how to make passwords. Next, he explains password complexity, and how password brute-forcing software can test many variations at breakneck speed. Further, we are told that most passwords are very predictable, as humans are incredibly bad at making random patterns. However, the most interesting part of the post starts after these initial discussions.
Let’s imagine you have made a really random 8-character password. You have used numbers, upper- and lower-case English letters and the 10 most common special characters, as you have learnt previously. This actually gives 722 trillion possible passwords! Nevertheless, it only takes a standard computer and the latest version of an open-source password brute-forcing tool, Hashcat, about two and a half hours to test every single 8-character password, which means that your password is more or less useless!
By increasing the length of the password from 8 characters to 12 characters and using only lower-case English letters, it takes 2 weeks to find your password, which is better, but obviously not good enough if you are trying to protect important data. In other words, making the password longer matters much more than adding more possibilities for each character.
The modern security industry recommendation is to create a passphrase, where you take 4, 5 or 6 words and put them together. This way you get a very long password, which we call a «passphrase». It is also easier to remember because it is just words. To keep this simple, if you are able to randomly select (which is actually difficult for human beings) 5 words from a dictionary of 100 000 words, you can create a password that takes almost 4 million years to break, which is a much better option than the ones above.
If you think this is a bit boring, you can just forget this and start to use a password manager, which will also remove the problem of the multiple weak passwords you – most probably – struggle to remember.
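To see why length beats alphabet size, the three policies above can be put into one small model. The Python script below is an added example, not code from Mr Aurora's post or from F-Secure: it derives a guessing rate from the page's own benchmark (a 72-symbol, 8-character keyspace exhausted in about two and a half hours), applies that rate to the 12-character lower-case and 5-word passphrase cases, and shows how to select passphrase words with the operating system's random generator rather than by hand. The derived rate, the 72-symbol alphabet breakdown and the toy word list are assumptions made here, not figures from the original post.

```python
import math
import secrets

# Benchmark taken from the summary above: a 72-symbol alphabet (26 lower-case,
# 26 upper-case, 10 digits, 10 common specials) at 8 characters is exhausted in
# roughly two and a half hours. The guessing rate below is derived from that
# single figure and is an assumption, not a measured Hashcat result.
BENCHMARK_ALPHABET = 26 + 26 + 10 + 10   # 72 symbols
BENCHMARK_LENGTH = 8
BENCHMARK_SECONDS = 2.5 * 60 * 60

SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols from `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits, assuming every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def guesses_per_second() -> float:
    """Attack rate implied by the benchmark (about 8e10 guesses per second)."""
    return keyspace(BENCHMARK_ALPHABET, BENCHMARK_LENGTH) / BENCHMARK_SECONDS


def seconds_to_exhaust(alphabet_size: int, length: int) -> float:
    """Worst-case time to try every candidate at the benchmark rate."""
    return keyspace(alphabet_size, length) / guesses_per_second()


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


# The three policies discussed in the text. For the passphrase, each "symbol"
# is one word drawn from a 100 000-word dictionary.
POLICIES = {
    "8 chars, 72-symbol alphabet": (72, 8),
    "12 chars, lower-case only": (26, 12),
    "5 words from 100 000": (100_000, 5),
}


def compare_policies() -> dict:
    """Map each policy name to (entropy in bits, seconds to exhaust the keyspace)."""
    return {
        name: (entropy_bits(alphabet, length), seconds_to_exhaust(alphabet, length))
        for name, (alphabet, length) in POLICIES.items()
    }


# Constructed toy word list; a real dictionary would hold ~100 000 entries.
# Only the selection method matters here, and the list size sets the strength.
TOY_WORDS = ["correct", "horse", "battery", "staple", "fennel", "aurora", "glacier", "piano"]


def random_passphrase(words: list, count: int, sep: str = "-") -> str:
    """Pick `count` words with the OS CSPRNG so the choice is not left to a human."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, (bits, secs) in compare_policies().items():
        print(f"{name:32s} {bits:6.1f} bits   {humanize(secs)}")
    print("example passphrase:", random_passphrase(TOY_WORDS, 5))
```

Running it reproduces the three figures from the text (about 2.5 hours, about two weeks, and roughly 4 million years) and makes the underlying reason visible: the 8-character mixed password carries only about 49 bits, the 12 lower-case letters about 56 bits, and the 5-word passphrase about 83 bits, because entropy grows linearly with length but only logarithmically with alphabet size.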
Reference: Password Complexity for Non-Technical Consumers, by Fennel Aurora, 29 April 2020