Password Complexity vs Length

By Philip Robinson. Updated on 05.26.2021.

In the digital age, we use passwords for many things, including email accounts, desktops and mobile devices, social media platforms, retail platforms, healthcare portals, and a lot more.

Trying to remember which passwords we used for which accounts can be overwhelming. It’s not hard to understand why people are tempted to use simple passwords, and also use the same passwords for multiple accounts. But as we all know, this is not a good practice as it makes life a lot easier for adversaries who wish to gain access to our data.

In the past, we could get away with using easy-to-guess passwords such as “password123”. These days, however, many platforms enforce the use of complex passwords that require a mix of uppercase and lowercase characters, as well as numbers and special characters.

Until recently, this was seen as good practice. However, the emphasis has shifted from short, complex passwords towards longer (albeit simpler) passphrases.


The NIST Recommendations

According to guidance offered by the National Institute of Standards and Technology (NIST), password length is more important than password complexity. This actually makes a lot of sense as longer passphrases take longer to crack, and they are easier to remember than a string of meaningless characters. NIST has provided a number of additional recommendations for organizations to follow, some of which include:

  • Passphrases should consist of 15 or more characters.
  • Uppercase, lowercase, or special characters are not required.
  • Only ask users to change their passwords if you believe your network has been compromised.
  • Check all new passwords against a list of passwords that are frequently compromised.
  • Avoid locking your users out of their accounts after a number of unsuccessful login attempts, as hackers will often try to flood networks by purposely trying incorrect passwords in order to lock users out of their accounts.
  • Don’t allow password “hints.”
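A minimal sketch of a new-password check that follows the list above, as an added example rather than code from NIST or from this article's author. The function names and the three-entry blocklist are constructed for illustration, and the Unicode normalization step is an added design choice.

```python
import unicodedata

MIN_LENGTH = 15  # the passphrase length given in the list above

# Constructed sample blocklist; a real deployment would load a large
# corpus of frequently compromised passwords instead.
SAMPLE_BLOCKLIST = {
    "password123",
    "correct horse battery staple",
    "qwertyuiopasdfghjkl",
}


def normalize(candidate: str) -> str:
    """NFKC-normalize and case-fold so look-alike strings compare equal."""
    return unicodedata.normalize("NFKC", candidate).casefold()


def check_new_password(candidate: str, blocklist=SAMPLE_BLOCKLIST) -> list:
    """Return the reasons to reject `candidate` (an empty list means accept)."""
    problems = []
    # Length is counted in characters (code points), not bytes, so a
    # passphrase containing accented letters is measured fairly.
    length = len(unicodedata.normalize("NFKC", candidate))
    if length < MIN_LENGTH:
        problems.append(f"too short: {length} < {MIN_LENGTH} characters")
    # The blocklist comparison ignores case and compatibility forms, so
    # "Password123" is caught by the entry "password123".
    if normalize(candidate) in {normalize(p) for p in blocklist}:
        problems.append("appears on the compromised-password list")
    # Deliberately absent: any uppercase/lowercase/digit/symbol rule,
    # any periodic-expiry check, and any password-hint field.
    return problems
```

A short but "complex" password such as `P@ssw0rd!` is rejected on length alone, while a long all-lowercase passphrase passes.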

Should You Use a Password Manager?

Using a password manager is a double-edged sword. On one hand, they can be very helpful for enabling us to remember a large number of complex passwords. All passwords are kept in a secure vault, protected by a single strong password.

Of course, were an adversary to obtain the password for your vault, they would have access to all of your accounts. That said, most security professionals still argue that the benefits of using a password manager outweigh the risks.

Context-Based Passphrases

While not a part of the NIST recommendations, an alternative to using a password manager is to use context-based passphrases, whereby the account which we are trying to access gives us a clue as to which passphrase we used for the account.

For example, let’s say that we wanted to create a password for an eBay account. We could use a passphrase in which each of the first four characters of the company name becomes the first character of a word in the phrase, i.e.

(e)dible (b)arometer (a)bsolution (y)outhfulness.

If that seems too easy to guess, you can reverse the order of the words and use different symbols, i.e.

y-outhfulness a-bsolution b-arometer e-dible.

Of course, some might argue that this is still too easy to guess, as hackers will have a clue about what passphrase you used. But what if there were many different systems to choose from? To illustrate my point, let’s try a slightly different set of rules.

  • Take the first five characters of the company name.
  • Reverse the order of the words in the phrase.
  • Add a period after the first character of each word.
  • Append a hashtag (#) or an @ sign to the end of each word, alternating between the two.

So let’s create a passphrase for gov.uk – where the first five characters are “govuk”. Using the rules above we can come up with something like:

k.nowledge# u.tter@ v.ertical# o.pen@ g.oat#
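The four rules above, written out as an added example (not code from the article's author) that reproduces the gov.uk passphrase. It goes one step beyond the text by estimating how much of the result stays secret once the rules are known. The function names and the `words_per_letter` vocabulary size are assumptions made for illustration.

```python
import math

SUFFIXES = ("#", "@")  # rule 4: alternate these, starting with '#'


def site_key(site: str, n: int = 5) -> str:
    """Rule 1: first n letters/digits of the site name ('gov.uk' -> 'govuk')."""
    return "".join(ch for ch in site.lower() if ch.isalnum())[:n]


def build_passphrase(site: str, words: list) -> str:
    """Apply the four rules to words chosen by the user, one per key letter."""
    key = site_key(site)
    if len(words) != len(key):
        raise ValueError(f"need {len(key)} words, got {len(words)}")
    for letter, word in zip(key, words):
        if len(word) < 2 or word[0].lower() != letter:
            raise ValueError(f"{word!r} must start with {letter!r}")
    parts = []
    # Rule 2: reverse the word order; rule 3: period after the first
    # character; rule 4: append '#' and '@' alternately.
    for i, word in enumerate(reversed(words)):
        parts.append(f"{word[0]}.{word[1:]}{SUFFIXES[i % 2]}")
    return " ".join(parts)


def secret_bits(site: str, words_per_letter: int) -> float:
    """Bits that remain secret if the rules themselves are known.

    The initials come from the site name and the punctuation from the
    rules, so only the word choices count. words_per_letter is an
    assumed vocabulary size per initial letter, not a measured value.
    """
    return len(site_key(site)) * math.log2(words_per_letter)
```

With an assumed 1,024 candidate words per initial letter, the five-word gov.uk passphrase keeps 50 bits of secrecy, all of it from the word choices.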

Wouldn’t that be too long? Well, the important thing to remember is that it’s up to you to choose which system of mnemonics works best for you and stick to it. As long as you remember the system, it will be easy for you to figure out which passphrase you used for which account. And it shouldn’t be difficult to remember the system as you will be using it every time you enter a passphrase. But is it secure enough? Were a hacker to gain access to one set of credentials, could they guess which system you used? Possibly, but it would be very hard as there would be so many potential combinations to look out for (assuming you chose a complex enough system).

At the end of the day, a trade-off has to be made. It’s impractical to ask someone to remember a long string of unrelated words for each account they use, yet using a password manager also comes with its own risks. Not only that, but if you wanted to access an account from a device you don’t normally use, you would need to install the same password manager to gain access to your passwords, which is not convenient in most cases.

Once your password management strategy has been implemented, you’ll need a tool to help your IT team clean up passwords that never expire, automate password reminders, and generate password reports easily. Lepide enables IT teams to use automated expiration reminders and reduces your attack surface by cleaning up accounts with passwords set to never expire.
