Hello,
I am using around 10-12 letters/symbols/numbers long password. Up until a few years ago they were considered “strong” on websites. Now they are rated “weak”.
To get a strong one I need to add like 8 more digits. What changed in the www? I was under the impression you cannot brute force 12 digit passwords. I literally faceroll my keyboard (yes I am that old) and choose with a dice where to add symbols and where to use upper case letters.
So what changed?
Comments
More powerful PCs can calculate faster and brute force more combinations in a shorter time.
And maybe some paranoia. Best way is always two-factor methods, not only password but also confirmation with your phone.
It’s not necessarily what changed on the Internet itself, it’s what’s changed with computer hardware. It’s gotten so much faster that brute forcing 12+ digit passwords has gone from months or years all the way down to weeks. Even days if you make broad assumptions such as passwords being words, and/or some letters being substituted with special characters (a to @, I to !).
In simple terms processing power and speeds have gotten better, and people still use basic passwords.
If you consider (basic maths here) the first character is a 1 in 75ish chance and multiply that out for 8 characters, that’s 75^8 ish, or in this case 75^12. Previously getting that would have taken trillions of years as you could do 1 calculation every 1/8 of a second; now people are doing 20 to 30 times as many calculations, drastically cutting password guessing time, plus dictionary attacks are more sophisticated. Also, you randomly choosing characters only makes the password difficult for you, not the computer. You’d be much better off choosing the first 8 words of your favourite book and adding 1 number and 1 character. It’ll be memorable for you and likely 35 characters. My favourite password was the first 10 ingredients of a popular snack food in our office.
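The keyspace arithmetic in the comment above, worked through as an added example (this is not code from the thread). The 75-symbol alphabet and the 1-guess-per-1/8-second rate are the commenter's numbers; the 10^10 guesses-per-second figure for a modern GPU against a fast hash, the 100,000-word dictionary, and the 7,776-word Diceware-style list are assumptions chosen for illustration. The last function models the point made later in the thread that a "dictionary word + capital + 1!" password is searched as a small structured space, not as random characters.

```python
"""Keyspace and exhaustive-search time estimates (added example, not from the thread)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates used below (guesses per second).
RATE_COMMENTER_OLD = 8            # commenter's "1 calculation every 1/8 of a second"
RATE_COMMENTER_NOW = 8 * 30       # commenter's "20 to 30 times as many"
RATE_GPU_FAST_HASH = 1e10         # assumption: order of magnitude for a GPU rig against a fast unsalted hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: time to try every candidate at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def pattern_keyspace(dictionary_words: int, case_variants: int, suffix_variants: int) -> int:
    """Effective search space of a structured password such as 'Word' + '1!'.

    An attacker who guesses the pattern only has to cover word x case x suffix
    combinations, which is tiny compared with random characters of the same length.
    """
    return dictionary_words * case_variants * suffix_variants


def comparison_table() -> dict:
    """Summarise the scenarios discussed in the thread; returned as a dict for the test."""
    random_8 = keyspace(75, 8)
    random_12 = keyspace(75, 12)
    # assumption: 100k-word dictionary, 2 capitalisation variants, 4 common suffixes
    structured_12 = pattern_keyspace(100_000, 2, 4)
    # assumption: 8 words picked at random from a 7,776-word Diceware-style list
    passphrase_8_words = keyspace(7776, 8)
    return {
        "random_8_bits": entropy_bits(random_8),
        "random_12_bits": entropy_bits(random_12),
        "structured_12_bits": entropy_bits(structured_12),
        "passphrase_8_words_bits": entropy_bits(passphrase_8_words),
        "random_12_years_old_rate": years_to_exhaust(random_12, RATE_COMMENTER_OLD),
        "random_12_years_now_rate": years_to_exhaust(random_12, RATE_COMMENTER_NOW),
        "random_12_years_gpu": years_to_exhaust(random_12, RATE_GPU_FAST_HASH),
        "random_8_years_gpu": years_to_exhaust(random_8, RATE_GPU_FAST_HASH),
        "structured_12_years_gpu": years_to_exhaust(structured_12, RATE_GPU_FAST_HASH),
    }


if __name__ == "__main__":
    for name, value in comparison_table().items():
        print(f"{name:28s} {value:,.3g}")
```

Two things the numbers show: 12 random characters from a 75-symbol alphabet are still out of reach even at 10^10 guesses per second (on the order of 10^5 years to exhaust), while the 12-character "Word1!" pattern is exhausted in a fraction of a second at the same rate. Length only helps when the characters are actually unpredictable.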
Improvements in hardware and the rise of database leaks moved the bar.
Better hardware, such as the graphics chips used to crunch crypto, has vastly increased how quickly attempts can be churned through, and the rise in database-scale leaks means they have tens of thousands of goals that can be worked in parallel, and each small success makes it worthwhile to continue churning past a point that would previously have been enough sunk cost.
Computers are a lot faster, and especially things like graphics cards just so happen to be really really good at brute force testing millions of potential passwords per second.
Adding a few more characters to the length, plus adding in symbols and uppercase letters drastically increases the search space, and makes the password drastically harder to crack. Like it can go from days or weeks to millions of years.
But honestly, password lengths already make brute forcing a bad option most of the time. A more common attack vector is going to be just testing common passwords and/or trying to use re-used passwords.
I think a lot of these newer rules are to try to get people to use password managers that generate longer and effectively random passwords that are unique for every account and then manage them for the users. As opposed to people coming up with passwords on their own, in which case they’re more likely to use a common password (like password12345 or whatever) and more likely to reuse passwords to make it easier to remember them.
The ELI5 explanation is when you play Guess the Number with your dad, he helps you win by limiting the range of numbers to say 1-10. If he did not want you to win then he might increase the number range to say 1-100. It’s really up to him to decide what he thinks is a large enough range to trick you. And while it is true that he can make it statistically unlikely you will win, it is still possible you guess the right number.
The non-ELI5 explanation is that while there is a security organization that publishes a suggested password complexity requirement, there are no rules. It’s really up to the website owners, developers, companies, etc. to decide what is right for them. For example, a financial institution which has more advanced end users and stands to lose a lot of money might implement tighter security. On the other hand a company with non-critical data might decide they can lower customer support costs by lowering their password complexity requirements. Security is not about secure vs. not secure. It’s about balancing risk with other factors like usability.
Edit: I forgot to talk about the statistics angle in the non-ELI5 explanation. When they add characters for more complexity, they do a calculation of the number of possible passwords based on every possible combination of characters for that password length. I don’t know the numbers but the possible combinations might be in the billions of billions, just to use a nonsense example. That means an attacker would have to make that many guesses to try every possible password combination. We refer to that as a brute force attack. From there you can multiply the amount of time it would take to accomplish that and then you would realize the universe will end before that can be accomplished.
However, that is just a theoretical calculation. In the real world, things work differently. Humans don’t use random strings of characters. They use passwords they can remember. That helps attackers narrow down their guesses. Databases of commonly-used passwords are available to them. A password such as P@ssword1234 might meet complexity requirements, but it is still a terrible choice.
One thing I’ll point out is that a lot of websites actively worsen security with their password requirements. For example, my company requires that we update passwords every 2 months. This doesn’t make things any more secure, it actually makes people more likely to not remember their password so they’ll either write it down somewhere or make the password much easier.
If your password is actually 12 completely random characters, it’s unlikely to get brute forced anytime soon. The problem is that for a lot of people, a 12 character password is a 10 letter word with the first letter capitalized, ending with 1! or !1. We aren’t creative and make really shitty passwords, which makes brute forcing way easier.
The industry broadly is moving toward longer passwords that you set once and only reset if you suspect compromise. Microsoft first made the move and NIST’s updated guidance concurred. I think NIST now recommends 14 character passwords. PCI (standard governing credit card security) moved to 12 (though still wedded to 90 day password rotation).
In terms of brute forcing, there are a few things:
Online live attacks – Yes, brute forcing a 10 char password this way isn’t going to work
Offline attacks (cracking captured hashes) – Here modern GPUs make brute forcing hashes very plausible so password length matters. If the hash alg is strong then it remains computationally expensive to brute force but many are not.
Brute forcing is short-circuited by so many people using predictable passwords, so getting hits against a user list (taken from some other breach) against the top 20 passwords will get you some accounts. Forcing longer passwords is a way to break this habit (for a while, until the top 20 14-character passwords are known from future breaches). Enterprises get hurt from any account being pwned, so if 999,990 of their users have strong passwords but 10 people use “qwerty123456” then their security & legal teams are still having a bad day.
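The two defender-side measures this comment and the offline-attack bullet above point at, as an added example (not code from the thread): reject passwords that appear in a breach-derived list regardless of length, and store what you accept with a salted, deliberately slow hash so captured hashes cannot be cracked at GPU speed. The "common passwords" set is a constructed placeholder, not a real breach list; the 600,000 PBKDF2 iterations and the 10^10 raw-SHA-256 rate are assumptions used to show how a work factor shrinks an attacker's effective guess rate.

```python
"""Password acceptance check plus salted slow hashing (added example, not from the thread)."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 12  # the PCI figure quoted above; adjust to your own policy

# Constructed placeholder for a breach-derived "top N" list; a real deployment
# would load a large list (or query a k-anonymity style service) instead.
COMMON_PASSWORDS = frozenset(
    p.lower()
    for p in ("123456", "password", "qwerty123456", "Password1!", "letmein2024", "P@ssword1234")
)

# assumption: iteration count for PBKDF2-HMAC-SHA256; check current OWASP/NIST guidance
PBKDF2_ITERATIONS = 600_000


def check_password(candidate: str) -> List[str]:
    """Return a list of policy problems; an empty list means the password is acceptable.

    Length and blocklist are checked independently so that a long-enough password
    that is simply well known (the 'qwerty123456' case above) is still rejected.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in a list of breached/common passwords")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a per-user salted hash; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)  # unique per user so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def effective_guess_rate(raw_hash_rate: float, iterations: int = PBKDF2_ITERATIONS) -> float:
    """Guesses per second an attacker gets against the slow hash, given their rate for one raw SHA-256."""
    return raw_hash_rate / iterations


if __name__ == "__main__":
    for pw in ("qwerty123456", "short1!", "correct-horse-battery-staple-42"):
        print(pw, "->", check_password(pw) or "OK")
    salt, digest = hash_password("correct-horse-battery-staple-42")
    print("verify good:", verify_password("correct-horse-battery-staple-42", salt, digest))
    print("verify bad :", verify_password("wrong-password", salt, digest))
    print("effective guesses/s at 1e10 raw SHA-256/s:", effective_guess_rate(1e10))
```

The work factor is the lever for the offline case: an attacker who can compute around 10^10 raw SHA-256 hashes per second is reduced to roughly 1.7 x 10^4 PBKDF2 guesses per second at this iteration count, and the per-user salt means each captured hash has to be attacked separately rather than all at once.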