==Human-created passwords are easily figured out by password cracking systems. The people who develop and configure cracking software know more about how humans create passwords than anyone else.==
introduction
- How long should passwords be?
- Should you rotate them?
- Does using weird characters make passwords more secure?
how long should passwords be?
Hang on, haaaang on… Let's wheel back a bit here and start at the beginning.
What are passwords? Why and how do we use them?
- example 1: a company laptop
- example 2: the passcode you need for your phone
- example 3: a password manager (such as Apple's built-in one)
- example 4: amazon.de
You ideally need to memorise the first three, and for those a passphrase is recommended. The fourth you do not need to memorise if you're using a password manager.
OK, so back to the question. 11 characters, lower- and upper-case alphabet only, gives 62.70 bits. This passphrase is easy to remember and almost impossible to guess or to crack: over journey tea japan too
A password with 20 bits of entropy is twice as hard to crack as one with 19 bits. The 20-bit password is half as hard to crack as a password with 21 bits. A password with 20 bits of entropy is drawn uniformly and randomly from 2²⁰ possible distinct passwords. That’s just over 1 million, and approximately the strength you would get from a 4-character generated password.
Because password-guessing systems can make hundreds of thousands of guesses per second (if the passwords are well hashed) or tens of millions of guesses per second (if the passwords are not well hashed), a 20-bit password is far too weak for most purposes. An 11-character password drawn only from mixed case letters has around 65 bits of entropy, which is more than sufficient for almost any purpose.
Password length versus complexity
Using entropy as a measurement, we can return to the question of how length and character complexity contribute to password strength.
A 90-bit password is well outside the range of what even the most determined and well-resourced attacker could do.
Let’s contrast two pairs of password generation settings — 11 or 12 characters, and requiring numbers versus letters only.
| | 11 characters | 12 characters | 16 characters | 20 characters |
|---|---|---|---|---|
| Letters only | 62.70 | 68.41 | 91.21 | 114.01 |
| Require digits | 65.26 | 71.26 | 95.18 | 119.04 |
The lesson here is that while adding numbers increases the strength, the passwords get a greater strength increase through even a small increase in length. A larger increase in length creates an enormous difference for creating difficult passwords. As a rule of thumb, each bit corresponds to doubling the number of possible options (and so doubling the amount of work an attacker needs to do).
This makes the 16 character, letters-only password (91 bits) 8 million times harder to guess than the 12-character (68 bits) one, while the 12-character password with numbers (71 bits) is only eight times harder to crack than the letters-only one.
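The entropy model behind the table, as an added worked example (not code from the original page). It assumes alphabet sizes of 52 (upper- and lower-case letters) and 62 (letters plus digits), and models "require digits" as drawing from letters plus digits while rejecting any candidate with no digit; that assumption reproduces the second row of the table to within about 0.02 bits.

```python
import math

# Alphabet sizes assumed for the table: 26 lower + 26 upper = 52 letters,
# plus 10 digits = 62. The page does not state these, but they reproduce its rows.
LETTERS = 52
LETTERS_AND_DIGITS = 62


def letters_only_bits(length: int) -> float:
    """Entropy (bits) of a uniformly random password of `length` letters."""
    return length * math.log2(LETTERS)


def require_digit_bits(length: int) -> float:
    """Entropy when the generator draws from letters+digits but rejects
    candidates containing no digit: 62^n - 52^n possibilities.
    Python integers are exact here, so log2 of the difference is precise."""
    return math.log2(LETTERS_AND_DIGITS**length - LETTERS**length)


def work_ratio(stronger_bits: float, weaker_bits: float) -> float:
    """How many times more guesses the stronger password costs an attacker.
    Each extra bit doubles the search space, hence 2 ** (difference)."""
    return 2 ** (stronger_bits - weaker_bits)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given entropy at a
    fixed guessing rate (the 'well hashed' vs 'badly hashed' figures above)."""
    return 2**bits / guesses_per_second


def entropy_table(lengths=(11, 12, 16, 20)) -> dict:
    """Rebuild the page's table: rows keyed by policy, values rounded to 2 dp."""
    return {
        "Letters only": [round(letters_only_bits(n), 2) for n in lengths],
        "Require digits": [round(require_digit_bits(n), 2) for n in lengths],
    }


if __name__ == "__main__":
    for policy, row in entropy_table().items():
        print(f"{policy:15s}", *row)
    # 16-char letters-only vs 12-char letters-only, using the rounded bit counts
    print("16 vs 12 letters-only:", work_ratio(91, 68))
    # 12-char with digits vs 12-char letters-only
    print("digits vs letters (12 chars):", work_ratio(71, 68))
    # a 20-bit password against a well-hashed store at 100k guesses/s
    print("20-bit password exhausted in", seconds_to_exhaust(20, 1e5), "seconds")
```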
How long would a cybercriminal need to crack a passphrase? That depends on the resources the attacker is able to throw at it, so it’s more useful to talk in terms of costs to the attacker instead of time. A four-word (56 bits) account password would cost the attacker around 76 million dollars to crack, and a five-word one (71 bits) would require more than a trillion dollar cracking effort given how these are hashed. Even if a government could crack a four-word passphrase, they would likely try a less expensive line of attack.
should you rotate them?
Unfortunately, yes. Users misuse passphrases by reusing them across multiple accounts and by mixing work and personal lives, and harvested credentials can remain for sale for years after they were taken. For these reasons alone we recommend a rotation policy of at least every 6 months.