As it turns out, widespread requirements for creating strong passwords – combining uppercase letters, lowercase letters, numbers and special characters, and changing your password periodically – aren't all that helpful. That's according to the person who came up with those requirements in 2003.
New password guidelines from the National Institute of Standards and Technology (NIST) recommend that passwords be at least eight characters long. At that length, a password may consist of letters only, and mandatory password changes every 90 days are no longer necessary unless the password has been compromised.
Does this mean we need to throw everything we know about passwords out the window and start over? Not necessarily.
Doing the math on password length
The math tells us that the old guidelines from 2003 still make sense in theory. Consider a four-digit PIN code used to unlock a smartphone. The total number of possible codes is calculated by raising the number of choices for each digit to the power of the length of the code. In a numeric PIN code, there are 10 possible choices for each position, the digits 0 to 9. This gives us 10^4 = 10,000 for a four-digit PIN code.
In other words, the total number of possible PIN codes is 10,000.
Using the same calculation, a six-digit numeric PIN code gives us 10^6, or 1,000,000 possible codes.
Applying the same math to the old password complexity requirements, we can calculate the following total different possible combinations:
- Uppercase letters: 26
- Lowercase letters: 26
- Numbers: 10
- Special characters: 32
Total number of choices: 94
Assuming an eight-character password, that calculates to 94^8, or 6,095,689,385,410,816 total possible combinations for an attacker to guess.
That sounds secure in theory. However, the analysis is based on the assumption that the password is truly random and might look similar to this: Z?n~>%"-
Accounting for the human factor
The caveat is that the old rules did not take human behavior into account. People have a hard time remembering truly random passwords, a challenge that is compounded by the expectation to set unique passwords for each account.
A study commissioned by the Defense Advanced Research Projects Agency (DARPA) found that the passwords people create follow specific patterns. The most common patterns start with one uppercase letter, followed by three to six lowercase letters and two to four digits (e.g., Fido2005, Wildcat12).
If a special character is required? Most people add an exclamation point at the end (Fido2005!).
If a periodic password change is required? Most people simply increase the value of the number in their passwords (e.g., Wildcat13, Wildcat14).
Hackers know these patterns and adjust their tools accordingly to improve their odds of successfully cracking a password. So what can you do?
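Putting the keyspace arithmetic above next to the DARPA pattern, as an added example that is not part of the original post: the script computes the 94^8 figure, a generous upper bound on the number of passwords that fit the "one uppercase, three to six lowercase, two to four digits" pattern, and includes a small audit check that flags a candidate password matching that pattern. The regular expression, the function names and the assumption that the lowercase run can be any letters (real dictionary words are far fewer) are mine, not the post's.

```python
import math
import re

# Symbol-class sizes from the post's 94^8 calculation.
UPPER, LOWER, DIGITS, SPECIAL = 26, 26, 10, 32
FULL_ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 94

# Constructed regex for the DARPA-study pattern described in the post:
# one uppercase letter, 3-6 lowercase letters, 2-4 digits, optional trailing "!".
COMMON_PATTERN = re.compile(r"^[A-Z][a-z]{3,6}[0-9]{2,4}!?$")


def keyspace(alphabet_size: int, length: int) -> int:
    """Total combinations for a truly random password: choices ** length."""
    return alphabet_size ** length


def bits(n: int) -> float:
    """Keyspace size expressed as bits of entropy (log base 2)."""
    return math.log2(n)


def pattern_keyspace(lower_min=3, lower_max=6, digit_min=2, digit_max=4) -> int:
    """Upper bound on passwords fitting the common pattern (assumption: the
    lowercase run may be any string of letters, not just dictionary words).
    The predictable "!" suffix and the "+1 on rotation" habit add no real
    choice, so they are deliberately not counted."""
    total = 0
    for lower_len in range(lower_min, lower_max + 1):
        for digit_len in range(digit_min, digit_max + 1):
            total += UPPER * LOWER ** lower_len * DIGITS ** digit_len
    return total


def matches_common_pattern(password: str) -> bool:
    """Audit check: does a candidate password fit the predictable pattern?"""
    return COMMON_PATTERN.fullmatch(password) is not None


def compare() -> dict:
    """Theoretical 94^8 keyspace versus the pattern people actually use."""
    random8 = keyspace(FULL_ALPHABET, 8)
    patterned = pattern_keyspace()
    return {
        "random_8_char": random8,
        "random_8_char_bits": round(bits(random8), 1),
        "pattern_bits": round(bits(patterned), 1),
        "pattern_is_smaller_by": random8 // patterned,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
    for pw in ["Fido2005", "Wildcat12", "Fido2005!", "bearpathguitar"]:
        print(pw, "fits common pattern:", matches_common_pattern(pw))
```

Even with every lowercase run allowed, the patterned space is roughly 46 bits against 52 bits for a truly random eight-character password; restricting the run to dictionary words shrinks it much further.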
Boosting security with a passphrase
The first step is to create passphrases that are uncommon, nonsensical, not based on personal details (such as a pet's name or your mother's maiden name), and as long as possible. For example: bearpathguitar. You can easily remember this password if you imagine a bear playing guitar on a walking path.
If you want to take password security to the next level, add complexity with numbers, special characters, and/or uppercase and lowercase letters. While the new guidelines do not require this combination, they do not prohibit it either. Based on the previous math, your password will be stronger if you combine as many of those categories as possible: 3bearpathguiTAR. Are you imagining three bears playing guitar on that same path?
The weakness of those example passwords is that each includes words found in a dictionary, which is one of many tools attackers use to guess passwords, and those tools can combine words to defeat passwords such as bearpathguitar. Bruce Schneier, a renowned cryptographer, suggests turning a sentence like "This little piggy went to market" into a similarly memorable but harder-to-guess passphrase like "tlpWENT2m".
These new guidelines are designed to be more human-friendly, easing the burden on people as they create and remember their passwords. By encouraging the use of passphrases, the guidelines also use length to compensate for the lack of randomness.
Looking into the future, hackers will be able to guess more passwords per second as computers get more powerful. This means we will need longer passwords to maintain the same level of security. And ultimately we can conclude that passwords are a fading form of authentication. So what is next on the security horizon? Stay tuned for a post we will release later this month regarding multi-factor authentication.
October is National Cyber Security Awareness Month.