© Copyright 2020. Derisk Corp. All Rights Reserved.

Jamie Hari

A Modern Password Paradigm

Updated: Jan 12

Passwords should be 8 characters or longer, with at least one of each of the following:

  • uppercase letter

  • lowercase letter

  • number

  • special character

Does this sound familiar? For decades, this has been the standard for what constitutes a 'secure password'. So why then are passwords compromised so easily and so often?

The Challenges

These rules work in theory, and they're certainly better than having no minimum standard whatsoever, but in practice we see many problems presented by this approach to password construction. Complex passwords are hard for humans to remember, so we form sloppy bad habits which make our lives easier. Writing your complex password on a Post-it® Note and sticking it to your monitor might not help hackers from across the globe, but it definitely helps the would-be data thief from across the room.

Another bad habit caused by complex requirements is password reuse. Many users get accustomed to one complex password, which they believe to be safe, and begin to use it across multiple internal systems or, worse, use it everywhere.

A password that's hard for humans to remember and easy for computers to guess is a recipe for disaster.

A New Paradigm

We've been told a million times that using common dictionary words like 'horse' or 'battery' in our passwords is a fatal mistake. A more in-depth analysis of the math behind brute force attacks reveals something interesting. As shown in this webcomic, a string of four common dictionary words produces a password which is thousands of times more difficult for attackers to brute force than a password which abides by the password construction standards we've all been brainwashed to follow. As a bonus, it's also easier for humans to remember.
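To make the arithmetic behind that comparison concrete, here is an added example (not code from the original post) that models both password styles in Python. The bit estimates for the human-built "complex" pattern and the 2048-word list size are assumptions that follow the webcomic's figures, and the embedded wordlist is a constructed stand-in for a real one.

```python
"""Compare brute-force work for a 'complex' password vs a random passphrase."""
import math
import secrets

# Constructed stand-in wordlist; a real diceware-style list has thousands of entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "ocean", "lantern", "pebble", "wander"]


def passphrase_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words drawn uniformly at random from list_size words."""
    return num_words * math.log2(list_size)


def pattern_bits(base_word_bits: float = 16.0, caps_bits: float = 1.0,
                 substitution_bits: float = 3.0, suffix_bits: float = 8.0) -> float:
    """Entropy of a policy-compliant password built the way people really build it:
    an uncommon base word, a capitalisation choice, a few leet substitutions and a
    digit/symbol suffix. Defaults are assumptions matching the webcomic's estimate."""
    return base_word_bits + caps_bits + substitution_bits + suffix_bits


def random_chars_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a truly random string over the printable ASCII alphabet.
    This is what the complexity policy assumes it gets, but rarely does."""
    return length * math.log2(alphabet_size)


def work_ratio(bits_a: float, bits_b: float) -> float:
    """How many times more guesses an attacker needs for bits_a than for bits_b."""
    return 2 ** (bits_a - bits_b)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given online guessing rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(num_words: int, words=SAMPLE_WORDS) -> str:
    """Pick words with a CSPRNG; the security comes from random choice, not the words."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    human, phrase = pattern_bits(), passphrase_bits(4, 2048)
    print(f"pattern password  : {human:.0f} bits")
    print(f"4-word passphrase : {phrase:.0f} bits")
    print(f"passphrase is {work_ratio(phrase, human):.0f}x more work to brute force")
    print(f"at 1000 guesses/s: {seconds_to_exhaust(phrase, 1000) / 86400 / 365:.0f} years")
    print("example passphrase:", generate_passphrase(4))
```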

For this reason, we need to rethink our corporate password policies and how we train users on password best practices. Until multi-factor authentication and password management systems are more commonplace, we can use sensible password construction policies to discourage users from writing passwords down and reusing them.