We often say that our people are our first line of defence when it comes to information security, but I sometimes wonder whether we actually set them up for failure with some of our cybersecurity practices. The one we do really badly with is how we look at passwords.
Passwords are seen as a crucial part of securing our accounts, whether on online services and websites or on our organisation's networks, and we tell people that if the bad guys get our passwords, they have the keys to the kingdom. So, to stop these bad people from guessing our passwords, we have introduced all these rules to make them more complex. We have required passwords to be at least so many characters in length, to use combinations of uppercase and lowercase letters, numbers and special characters, and not to use any dictionary words. What we have done is create passwords that are so complex that we need to write them down, or reuse them over and over, or use some form of password manager. In essence, by making them complex, we have introduced a weakness. But here is the problem: what is complex for a person to guess is trivial for a computer.
Let’s consider this 9-character password: T6&l9*acQ. That’s a pretty complex password, and if you can remember that one, then I would be very impressed. But here is the thing: as far as a computer is concerned, this password is just as complex as the password password1. Both have a key space of 9 characters. Now, if you used this same password on an online service and it was hacked, allowing the hackers to obtain your password hash, it would take them anywhere from two and a half months down to just under 2 hours to calculate your password, depending on the computing power they have available.
The key to a good password is not complexity, but length. If I used the password EastLondonisawesome, an easy-to-remember 19-character password, then at the quickest hackers could determine it in 1.3 billion centuries, with the most likely being 1.3 trillion centuries. I think that password is pretty secure.
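To make the length-versus-complexity argument concrete, the following is an added worked example (not part of the column) that computes the brute-force search space and entropy of the three passwords mentioned above, and estimates how long an exhaustive search would take. The guessing rates (1 billion and 1 trillion guesses per second) are assumptions chosen for illustration, not figures from the column; the time estimates therefore differ from the ones the author quotes. The point it demonstrates is that each extra character multiplies the search space by the alphabet size, so length dominates.

```python
import math
import string

# Character classes an exhaustive search must cover. Which classes a password
# touches decides the alphabet size a guesser has to assume (constructed model).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Assumed guessing rates for illustration only (guesses per second).
ASSUMED_RATES = {"modest rig": 1e9, "large cluster": 1e12}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password uses."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet must try."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits: log2(alphabet ** length)."""
    return len(password) * math.log2(alphabet_size(password))


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return search_space(password) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds as the largest sensible unit, e.g. '3.0 hours'."""
    units = [("centuries", 100 * 365 * 86400), ("years", 365 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, factor in units:
        if seconds >= factor:
            return f"{seconds / factor:.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(passwords, rates=ASSUMED_RATES):
    """Return per-password stats so callers (and tests) can inspect the numbers."""
    rows = []
    for pw in passwords:
        rows.append({
            "password": pw,
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "bits": round(entropy_bits(pw), 1),
            "crack_time": {label: human_duration(expected_crack_seconds(pw, r))
                           for label, r in rates.items()},
        })
    return rows


if __name__ == "__main__":
    # The three passwords discussed in the column.
    for row in compare(["password1", "T6&l9*acQ", "EastLondonisawesome"]):
        print(f"{row['password']:<22} len={row['length']:>2} "
              f"alphabet={row['alphabet']:>3} bits={row['bits']:>6} "
              f"{row['crack_time']}")
```

Running it shows the two 9-character passwords landing within a few bits of each other, while the 19-character phrase sits roughly 50 bits higher, which is why the crack-time estimate for it runs to centuries at any assumed rate. A guesser who has a dictionary of common passwords will of course find password1 far sooner than the brute-force figure suggests; the model here is the exhaustive search the column is describing.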
When it comes to passwords, length trumps complexity every time. As a challenge to all readers of this column, please email me your organisation’s password rules, so we can survey exactly how secure the passwords in our Border-Kei business region are. All responses will be confidential, and I will report on the findings in a future column.
Until next issue, stay safe and remember that it’s the length that counts.
• Jason Jordaan | Principal Forensic Analyst
• DFIRLABS (Pty) Ltd | @DFS_JasonJ | [email protected]