How Long Should My Password Be?
The debate over password strength, length and complexity has gone on for decades, and many organizations still do not enforce passwords strong enough to mitigate the risk of password cracking.
Each organization needs a proper password policy, both technically enforced and written down. IT management can then move on to improving other security controls.
The key detail with Windows passwords is that the Group Policy complexity setting ("Password must meet complexity requirements") only requires characters from 3 of the character categories; in everyday terms, 3 out of the 4 types (A-Z, a-z, 0-9, special). (Windows actually counts a fifth category, Unicode letters outside A-Z and a-z, but still needs only three.) Factor this in when choosing a minimum length. Requiring all 4 types would be ideal, but it cannot be natively enforced in an Active Directory environment; it takes a custom password filter DLL on the domain controllers.
In Group Policy, a minimum length of 8 characters with complexity enabled (3 of 4 character groups) should be the absolute bare minimum. This is also the minimum that most audit frameworks require.
Given how real-world cracking works (GPU brute force plus rule-driven dictionary attacks) and the steady growth of hardware speed (Moore's Law), organizations should consider passwords in the range of 9 to 12 characters. Each added character multiplies the keyspace by the size of the alphabet in use: about 62 times when only 3 of the 4 character types are present (for example upper, lower and digits), 95 times when all four printable ASCII types are used, so "roughly 80 times stronger per character" is a fair rule of thumb.
On the flip side, forcing users to remember complex passwords may drive them to write passwords down. Encourage users to come up with their own pass phrases and their own ways of remembering strong passwords.
For example, "D0g........." (a capital letter, a digit, a lowercase letter and nine periods) is a strong password against plain brute force: 4 character types and 12 characters, and the more padding the better. One caveat: cracking tools also run mask and rule-based attacks, and a short word followed by a run of one repeated symbol is a predictable pattern, so padding helps most when the pattern is not one the attacker would think to try.
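The arithmetic behind the two claims above (the per-character growth factor and the 9-to-12-character range), together with the padding caveat, as a small calculator. This is an added example and not code from the original post. It assumes the 95 printable US-ASCII characters (26 upper, 26 lower, 10 digits, 33 specials), back-calculates the guess rate from the post's own figure of every 8-character password in 6 hours, and uses hashcat-style mask placeholders (?u ?l ?d ?s ?a) to show what the "D0g" example costs an attacker who guesses the padding pattern.

```python
"""Keyspace and crack-time arithmetic behind the password-length advice.

Added example (not code from the original post).  Assumptions:
  * character classes are the 95 printable US-ASCII characters
    (26 upper + 26 lower + 10 digits + 33 specials, space included);
  * the guess rate is back-calculated from the post's own figure,
    every 8-character Windows password cracked in 6 hours;
  * mask syntax follows hashcat's ?u ?l ?d ?s ?a placeholders.
"""
import math

CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALL_CLASSES = ("upper", "lower", "digit", "special")

HOURS_FOR_8_CHARS = 6                                        # figure quoted in the post
GUESSES_PER_SECOND = 95 ** 8 / (HOURS_FOR_8_CHARS * 3600)    # ~3.1e11/s, assumed rig

# hashcat-style placeholders and the number of candidates each expands to
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def growth_factor(classes=ALL_CLASSES):
    """Factor by which one extra character multiplies the keyspace:
    the size of the alphabet the policy actually forces into play."""
    return sum(CLASSES[c] for c in classes)


def keyspace(length, classes=ALL_CLASSES):
    """Candidates needed to exhaust every password of exactly `length`
    characters drawn from `classes` (the brute-force upper bound)."""
    return growth_factor(classes) ** length


def crack_hours(length, classes=ALL_CLASSES, rate=GUESSES_PER_SECOND):
    """Worst-case hours to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(length, classes) / rate / 3600


def _mask_positions(mask):
    """Yield the candidate count for each character position of a hashcat
    mask: '?u' etc. expand to a class, '??' is a literal '?', any other
    character is a fixed literal (exactly one candidate)."""
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            i += 2
            if nxt == "?":
                yield 1
            elif nxt in MASK_CLASSES:
                yield MASK_CLASSES[nxt]
            else:
                raise ValueError(f"unknown mask placeholder ?{nxt}")
        else:
            yield 1
            i += 1


def mask_keyspace(mask):
    """Candidates a mask attack must try for `mask`."""
    return math.prod(_mask_positions(mask))


def padding_comparison(mask="?u?d?l........."):
    """Brute-force keyspace for a password of this length over all four
    classes, versus the mask keyspace an attacker who suspects a
    '<short word><repeated symbol>' pattern would actually search.
    The default mask matches the post's 'D0g.........' example."""
    positions = list(_mask_positions(mask))
    naive = keyspace(len(positions))
    targeted = math.prod(positions)
    return {
        "naive": naive,
        "naive_hours": naive / GUESSES_PER_SECOND / 3600,
        "targeted": targeted,
        "targeted_seconds": targeted / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    three = ("upper", "lower", "digit")
    print(f"per-character growth: 3 classes x{growth_factor(three)}, "
          f"4 classes x{growth_factor()}")
    for n in range(8, 13):
        print(f"{n:2d} chars: 3-class {crack_hours(n, three):14.1f} h   "
              f"4-class {crack_hours(n):16.1f} h")
    cmp = padding_comparison()
    print(f"D0g.........: brute force {cmp['naive_hours']:.3g} h, but only "
          f"{cmp['targeted']} candidates ({cmp['targeted_seconds']:.2e} s) "
          f"once the padding pattern is guessed")
```

Run it and the table shows why 8 characters is only a floor: at the assumed rate, 8 characters over 3 classes falls in about 12 minutes and over 4 classes in the post's 6 hours, while 12 characters over 4 classes takes tens of thousands of years. The last line is the caveat in numbers: the same 12-character password collapses to 6,760 candidates under a mask that fixes the nine periods, which is why the padding must be a pattern the attacker would not guess.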
Additional Security Resources
- In 2012, a security researcher demonstrated cracking every possible 8-character Windows (NTLM) password in 6 hours. The rig was a $15,000 server fitted with graphics cards (GPUs), an inexpensive setup for a professional attacker.
- "Password Strength", the useful and funny XKCD comic on creating pass phrases.
- A table showing how crackable different password types are; its numbers are old, but it gives some context.
- A list of the most common (worst) passwords.
- See how rainbow tables speed up cracking of NT hashes, which are unsalted. Note that what an attacker sniffs off the network is normally an NTLM challenge/response rather than the NT hash itself, so the tables matter most for hashes dumped from a compromised workstation or domain controller. In the chart, the grey area represents a lower success rate and the other areas have high cracking success rates.
Would you like to secure your organization against password cracking and other threats? Let's Talk.
Author: Todd Bey
Equilibrium IT Solutions, Inc.