Passwords aren’t going anywhere. While I would have thought there would be more advances by this time, and there are, the basic password is still required in many places, especially for resetting an account. Even those MFA places where I can click a notification or enter a code, I still sometimes need a password.
That’s fine, and I think MFA is a good solution, but it doesn’t alleviate the need to have a strong password. Troy Hunt has written about this topic because we as a collective do a poor job of building passwords. Especially with regards to length. Some of that is poor app (and database) design where we unnecessarily limit password length. However, some of the issues are our fault, as we continue as a group to use poor habits and practices.
There are many guidelines to use with passwords, one of which is the length. The length you should use keeps increasing because hardware power keeps growing. Because of new attacks and techniques, we ought to review what we think is strong on a periodic basis. My password manager defaulted to 8 characters when I started using it over 20 years ago. Since then I’ve increased that to 12, and now 15. I ask for mixed upper case, lower, and numbers, along with symbols. These are so random that every time I need to give one to my wife to enter in, she’s annoyed with the length and mix of keys that need to be pressed.
I haven’t seen the brute force table from Hive Systems before, but I like the visual. It helps you determine how strong your password is with modern hardware. This is a similar graphic to the one I used in an encryption talk years ago, where it showed how much it would cost to rent compute power on AWS to brute force crack various algorithms. In case you were wondering, about 5 years ago you could crack a 512bit key on AWS for less than US$75.
I like the graphic, and it shows that my 15 character passwords should be safe for years. This Friday, I’m wondering if you’re comfortable with your password lengths? Are they crack-able in less than a year? Take a look at the graphic and let us know.