“IT security is only as strong as its weakest link”
In this article I hope to show you that password length is more secure than password complexity.
We have all been forced at one point to create a password that lives up to a certain complexity such as one number, one capital letter and one special character.
A common attack that requires no technical ability is password guessing. You would be surprised how often this actually works: users don’t want to have to remember long passwords.
A good way to secure authentication against a human guesser is to add complexity to a password, making it harder for the human brain to guess, for example:
This now becomes a lot harder for the human mind to guess, but it makes very little difference to a computer or botnet. A botnet is a collection of computers controlled by an attacker, who uses their collective computational power for malicious purposes.
Freely available tools such as Hydra, which comes pre-installed on Kali (a penetration-testing operating system), make brute-force attacks on passwords very easy for an attacker to execute.
Automated tools and botnets can try thousands of passwords per second, whether by standard brute forcing, rainbow tables or any of the many other methods available.
An 8-digit password can be cracked by a 10,000-strong botnet in 30 minutes, whereas a 25-character string would take 99 septillion years! Septillion?!?
“In Britain, France, and Germany, 1 septillion is represented as one followed by 42 zeros (10^42).”
Remembering a long password is not as difficult as you may think. Instead of viewing it as a password, view it as a passphrase: make a joke out of your string, insult your friend or co-worker (they will never know). Humans like funny things, and therefore we remember them.
I eat bacon every single day
How simple is that? You won’t forget it, and you will be one step closer to being protected against hackers.
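To put numbers behind the botnet figures above and the passphrase suggestion, here is an added Python example (not from the original article) that computes the keyspace, entropy in bits and worst-case exhaustive-search time for an 8-character “complex” password versus a 25-character lowercase passphrase. The botnet rate (10,000 machines at one million guesses per second each) and the 10,000-word dictionary used for the word-list model are assumptions for illustration.

```python
import math

# Alphabet sizes for the models compared below (printable ASCII classes).
DIGITS_ONLY = 10                  # an "8-digit" PIN-style password
ALL_PRINTABLE = 95                # upper + lower + digits + symbols: a "complex" password
LOWER_AND_SPACE = 27              # lowercase words separated by spaces: a passphrase

# Assumed attacker: a 10,000-machine botnet, each trying 1,000,000 guesses/s.
# This is an illustrative assumption, not a measured figure.
BOTNET_GUESSES_PER_SECOND = 10_000 * 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive attacker must be prepared to try."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: every extra character adds log2(alphabet) bits,
    so length multiplies strength while a bigger alphabet only nudges the base."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Pessimistic model for a phrase of common words: the attacker guesses
    whole dictionary words rather than characters (dictionary size assumed)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float = BOTNET_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at the assumed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def compare_models() -> dict:
    """Side-by-side figures for the article's two cases plus the word-list caveat."""
    return {
        "8 digits":           (entropy_bits(DIGITS_ONLY, 8),   years_to_exhaust(DIGITS_ONLY, 8)),
        "8 complex chars":    (entropy_bits(ALL_PRINTABLE, 8), years_to_exhaust(ALL_PRINTABLE, 8)),
        "25 lowercase chars": (entropy_bits(LOWER_AND_SPACE, 25), years_to_exhaust(LOWER_AND_SPACE, 25)),
        # "I eat bacon every single day" is 6 words; assume a 10,000-word attacker dictionary.
        "6 dictionary words": (wordlist_entropy_bits(6, 10_000), None),
    }


if __name__ == "__main__":
    for name, (bits, years) in compare_models().items():
        yrs = "n/a" if years is None else f"{years:.3g} years"
        print(f"{name:20s} {bits:6.1f} bits  exhaustive search: {yrs}")
```

Even under the word-list model, the six-word passphrase carries more entropy than the 8-character complex password, which is the practitioner's caveat: phrases of common words are weaker than their character count suggests, but still stronger than a short complex string.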
From a system administrator’s point of view, you can reward users who choose long passphrases by reducing how often they are required to change their passwords.
In conclusion, it is better to focus on the length of a password rather than its complexity, or, even better, have both.