Your passwords might not be as strong as you think they are.
It’s not your fault. When you register with many online services, you’re often required you to pick a password that uses a mixture of upper/lower case letters, numbers and symbols. Something like ‘1Ntel1quK!’
These password rules are based upon guidelines (PDF) suggested by Bill Burr and the National Institute of Standards and Technology (NIST) back in 2006. Over a decade later, a combination of increased processing power and our inability to remember complex codes means that today’s passwords are far weaker than they appear.
We are lazy and predictable
New research by NIST has shown that “users respond in very predictable ways to the requirements imposed by [the 2006] composition rules. For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number, or ‘Password1!’ if a symbol is also required.”
In fact using ‘password’ as a password came eighth on Keeper Security’s Top 25 Most Common Passwords of 2016. Out of 10 million analysed passwords, the classic ‘123456’ came top (used by nearly 17% of users), followed by ‘123456789’, ‘qwerty’, ‘12345678’ and ‘111111’.
Such simple and predictable passwords like these can be ‘brute force’ hacked in seconds. It’s why NIST has recently updated its guidelines, re-evaluating what makes a ‘strong’ password. As it turns out, switching from passwords to pass phrases might be the answer.
Make your passwords even longer
“Password length has been found to be a primary factor in characterizing password strength,” says NIST. “Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords… Users should be encouraged to make their passwords as lengthy as they want, within reason.”
NIST’s new recommendations suggest that passwords should be “at least 8 characters in length” and could support long alphanumeric strings up to 64 characters long (including spaces). Behind the scenes, passwords should be rejected if they: match a password obtained from a previous breach; include dictionary words; feature repetitive or sequential characters (e.g. ‘aaaaa’ or ‘123456’); or include words that repeat a username or the name of the service that password allows access to.
Longer-term, passwords might be killed off in favour of biometrics — fingerprint scanners and facial recognition cameras. Until then, however, dedicated password managers like LastPass, 1Password, True Key and Keeper can beef up security, while two-factor authentication (if available) adds an extra layer of protection.
Why four random words works better
“It would take 4.825650839752918 years to brute-force crack a randomly-generated 51 character password with letters, numbers and symbols,” says Keeper Security.
If you don’t want to use a randomly-generated code, consider this sage advice from xkcd.com. A hard to remember short password such as ‘Tr0ub4dor&3’ might take 3 days for a computer to brute force (at 1,000 guesses per second). But a longer password, made up of four random words (like ‘correcthorsebatterystaple’) would take around 550 years to guess.
Keep that in mind when you choose your next password.