I'm hearing more and more security experts say passwords should be in excess of 14 characters in order to thwart brute-force password-hacking tools. However, this seems a lot to ask of most enterprises' user populations. What's your advice for character length of standard passwords?
There is a reason why experts suggest long password lengths, and it’s not because of brute-force tools; it’s because of rainbow tables, which we'll explain in a moment. First, for obvious security reasons, modern applications and operating systems don’t store user passwords in clear text. Instead, when a user sets or resets his or her password, the alphanumeric characters entered are run through an encryption algorithm that creates a unique cryptographic hash value; that value represents the password and is stored on the system in a file. When the user returns to access the system and enters the same sequence of letters and numbers, the system generates a hash on the fly, and it’s this value that the system compares against the stored hash value for that user to determine whether the password entered is correct.
In the past, hashing passwords was considered a safe approach, because even if a hacker was able to obtain a system’s password hash file, the computational effort it would have taken to try passwords at random and match the results to the known hash values in the file made it an impossible task. However, because of the worth of this information and the exponential growth in the computational capabilities of today’s computers, hackers have taken on the task of mapping every combination of password character sequences to their hash values -- starting with A, AA, AAA, and continuing through the entire alphanumeric sequence -- and have stored the results in publicly available tables called rainbow tables. This of course takes many hours of effort, but these types of endeavors are ongoing. Since the initial attempts at acquiring the hash values of passwords started, the tables have grown in scope and size to the point where any password below 12-14 characters in length now most likely has its hash value registered somewhere in a rainbow table. This means a nefarious person who acquires a system’s hash file can simply obtain a rainbow table for that operating system or application and look up the hash values to get the users’ passwords stored within. The bad news is that as rainbow tables grow in size, passwords will have to be longer and more complex so that the effort required to obtain their values becomes too onerous. This ongoing work to assemble rainbow table data may soon make discussions of minimum password length best practices moot, and it is the main reason many experts consider passwords a poor choice of authentication credential for important and valuable data.
In spite of the danger posed by password hash files, this problem can easily be solved by using stronger, alternative credentials, like soft/hard tokens, biometrics and knowledge-based authentication, although passwords continue to hold on as the most prevalent type of authentication credential in today’s market. For that reason, enforcing a longer minimum password length on enterprise systems can help make passwords less susceptible to brute-force attacks. So what can be done to make the task of using long passwords more user-friendly? The simple answer is to use “pass phrases”. Instead of creating a long string of meaningless characters and numbers, people can use familiar sentences that create images in their mind, something humans find easier to recall, to remember their password. For example, if a user has a child in school, they might think of the phrase, “My child is on the fifth grade honor roll,” which can easily be translated into a password he or she would remember, like Bobbies#1OnThe5thGradeHR. Or a person might be into music and think, “My favorite band when I graduated high school in 1998 was Savage Garden,” which can be made into the password N1998ILovedSavageGarden. Both examples are complex and well past the 14-character password length. Shorter and unique combinations can be made as well; it just takes some imagination and a different way of thinking about how to create passwords.
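The following added example (not part of the original column) illustrates the mechanics described above: a password is stored as a hash and verified by rehashing on login, and a precomputed hash-to-password table built over every short string (A, AA, AAA, ...) lets anyone holding the hash file look up short passwords instantly, while a long passphrase is simply not in the table. SHA-256 and the tiny uppercase-only alphabet are assumptions chosen to keep the demo fast; the plain lookup table stands in for a rainbow table, which compresses the same precomputation. A per-user random salt, the standard defensive fix the column does not mention, is shown alongside to demonstrate why it defeats precomputed tables.

```python
import hashlib
import hmac
import itertools
import string

# Constructed demo parameters: a 26-letter alphabet and max length 3 give
# 26 + 26^2 + 26^3 = 18,278 entries, enough to make the point quickly.
ALPHABET = string.ascii_uppercase
MAX_LEN = 3


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hex SHA-256 of salt || password (SHA-256 is an assumption for the demo).
    With the default empty salt this is the unsalted storage the column describes."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def verify(stored_hash: str, candidate: str, salt: bytes = b"") -> bool:
    """Login check: rehash the candidate on the fly and compare it with the
    stored value, using a constant-time comparison."""
    return hmac.compare_digest(stored_hash, hash_password(candidate, salt))


def build_lookup_table(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> dict:
    """Precompute hash -> password for every string over the alphabet up to
    max_len characters. This is the one-time effort that rainbow tables
    amortise across every hash file they are ever used against."""
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            pw = "".join(chars)
            table[hash_password(pw)] = pw
    return table


def lookup(table: dict, stored_hash: str):
    """Recover the password behind an unsalted hash, or None if it is outside
    the precomputed space (too long, other characters, or salted)."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table()
    print("short, unsalted :", lookup(table, hash_password("ABC")))
    print("long passphrase :", lookup(table, hash_password("N1998ILovedSavageGarden")))
    salt = b"constructed-per-user-salt"
    print("short, salted   :", lookup(table, hash_password("ABC", salt)))
    print("salted login ok :", verify(hash_password("ABC", salt), "ABC", salt))
```

The salted case shows that the attacker would have to rebuild the entire table once per user, which is exactly the cost the precomputation was meant to avoid; length and salting work together, not as substitutes.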
This was first published in January 2012