You don’t even need symbols and numbers: a mixed-case password 40 characters long would take far more than a thousand years to brute-force. Obviously, long passwords are the way to go, and we need to make sure that passwords are extremely long, no matter what. (The hashing scheme used before the passwords are stored matters too, but that is a separate question.)
Not so fast. Think about the threat model. What is the biggest problem being addressed here? If the main concern is that someone will break into the database and steal the password hashes, then long, complex passwords are definitely the way to go, because length is what makes offline cracking expensive. But the average enterprise is most worried about password reuse and phishing, and against those the length of the password doesn’t matter at all. If attackers have already captured the actual password through a phishing page, it makes no difference whether it is eight, 20 or 50 characters: copy, paste, and they are in. And if users are asked to type 20-character passwords without a password manager, those passwords will be reused across sites, and a password reused on a site that is later breached is as good as phished. That’s a given.
What’s being protected also matters. For something that may reasonably be considered low-risk, say the local public library, eight-character passwords are good enough. Something that holds your entire financial history? A longer password is necessary. Security is a tradeoff: you protect the most valuable accounts with Fort Knox-level protections. Don’t reuse passwords, watch out for phishing, and for many accounts an eight-character password can be good enough. This is why NIST’s latest guidelines (SP 800-63B) accept an eight-character minimum for user-chosen passwords. Note that the same guidelines pair that minimum with a requirement to screen new passwords against lists of commonly used and previously breached passwords, and drop mandatory composition rules and periodic expiry; the short minimum is meant to work together with those checks, not on its own.
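As an added illustration (this is example code, not code from the article or from NIST), the following Python check accepts user-chosen passwords along the lines SP 800-63B describes: an eight-character minimum, no required character classes, and rejection of passwords that appear on a list of common or breached passwords, contain repetitive or sequential runs, or contain context-specific words such as the username or site name. The blocklist, the context words and the sample inputs are constructed for the example; a real deployment would load a large breach corpus. A small helper also puts numbers on the offline-cracking argument above, using an assumed guess rate of 10^10 per second.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B.

Added example; not code from the article or from NIST. The blocklist
and the context words are constructed sample data.
"""
import unicodedata
from typing import Iterable, List

MIN_LEN = 8  # 800-63B minimum for user-chosen memorized secrets

# Constructed stand-in for a list of breached and commonly used passwords.
# Production systems load millions of entries from a breach corpus.
BLOCKLIST = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "iloveyou", "welcome1", "admin123",
}


def normalize(pw: str) -> str:
    """NFKC-normalize so equivalent Unicode spellings compare equal.

    Spaces and all printable characters are allowed, length is counted
    in code points, and no character classes are required.
    """
    return unicodedata.normalize("NFKC", pw)


def has_repeats_or_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` identical characters in a row ('aaaa')
    or `run` consecutive code points, ascending or descending ('1234', 'dcba')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, context: Iterable[str] = ()) -> List[str]:
    """Return the reasons pw is rejected; an empty list means accepted.

    `context` holds service-specific words (username, site name) that
    800-63B says should not appear in the password.
    """
    pw = normalize(pw)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if low in BLOCKLIST:
        reasons.append("found in the compromised/common password list")
    if has_repeats_or_sequence(pw):
        reasons.append("repetitive or sequential characters")
    for word in context:
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def offline_crack_seconds(length: int, alphabet_size: int,
                          guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the keyspace of a uniformly random
    password at an assumed guess rate. Only meaningful against stolen
    hashes; a phished password costs the attacker zero guesses."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed sample inputs; the last one has no digits or symbols
    # and still passes, because no composition rules are imposed.
    for candidate in ["Password1", "Ab1!", "aaaa1234", "jdoe2024!x",
                      "correct horse battery"]:
        verdict = check_password(candidate, context=("jdoe", "library"))
        print(f"{candidate!r:25} -> {verdict or 'accepted'}")

    # Assumed rate: 1e10 guesses/s, roughly a GPU rig against a fast hash.
    rate = 1e10
    hours_8 = offline_crack_seconds(8, 52, rate) / 3600
    years_40 = offline_crack_seconds(40, 52, rate) / (3600 * 24 * 365)
    print(f"8 mixed-case chars:  {hours_8:.1f} hours worst case")
    print(f"40 mixed-case chars: {years_40:.2e} years worst case")
```

The two halves make the article's tradeoff concrete: against stolen hashes an eight-character mixed-case password falls within hours at the assumed rate, so the eight-character minimum is only defensible when the blocklist and context checks are in place and the main threats are phishing and reuse, which no length defends against.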
There is also a side effect: when passwords are so long that users cannot remember them, it becomes easier to click the “Forgot password?” link and answer the knowledge-based questions, so the reset flow becomes the real authentication path. It’s much, much easier for someone to find out the name of your pet or the city you grew up in than to guess your password.
Password myth 3: Never write down passwords
Truth: It is more about how you do it. Alongside using “Password1” as the password, writing the password down is treated as the ultimate sin of password insecurity. It is not always a terrible idea, however. “Don’t write it on a sticky note and put it on your desk with the note reading ‘My new 401K password for Fidelity,’ but writing down a new, long, complex password while you burn it into your memory and keeping it in your wallet or purse for a week until you get that muscle memory of typing it isn’t really a problem,” says Chet Wisniewski, a security expert with antivirus company Sophos. He also writes down important ones and stores them in a safe deposit box so that his family can “unlock our lives” in the case of an accident.