Why Complex Password Requirements Don’t Necessarily Make You Safer

We already know that most users’ clever passwords aren’t protecting them from hackers. It turns out that the complex password requirements most sites ask you for aren’t doing as much to help either.

Complexity Requirements Don’t Stop Hackers, And We’re Still Predictable

In the video above, security consultant Rick Redman explains how most websites use weak or outdated rules to help you create a password. The websites where you create logins probably have requirements that look something like this:

• Must have more than eight characters.
• Must use a capital letter, lower case letter and a number.
• Must use a special character like %, &, * or !.

These make your passwords feel safer — and they are better than a password like “123456” — but for modern password crackers, these are trivial hurdles to bypass. As Redman points out, for $2700 a cracker could acquire a machine that can crack all possible eight-character passwords — no matter how many capital letters or special characters you use — in as little as 3.7 days when using NTLM encryption (which Windows uses). If a site used MD5 encryption to store your password, it would take eight days to crack all possible eight-character passwords. For SHA1 encryption, like the kind that LinkedIn used for passwords stored in its massive leak, that cheap machine could crack them all in 24 days. If a password cracker had access to better machinery, that time could be dramatically reduced.

To put that another way, no matter what rules LinkedIn had for passwords, if you had an eight-character password during that big leak, a cracker somewhere right now knows it. And that’s if you’re cracking a password the hard way.

In reality, most people either consciously or subconsciously adhere to certain patterns when creating their passwords. Redman uses the following passwords as examples:

Austin1!, Sports9?, Hiphop4$, Camels2%

Each of these seem like pretty realistic passwords for the average person. They include an interest or word they can remember, they begin with a capital letter, and they include a number and a special character tacked on to satisfy a website’s password requirements.

However, all four follow a specific pattern: One capital letter, five lower case letters, one number, one special. Crackers can use patterns like these to drastically reduce how much time it takes to guess an encrypted password. Now, instead of taking $2700 and eight days, a password cracking app can do it in far less time.

This is also why longer password requirements don’t necessarily make things better. If an end user has to enter a 12-character password instead of eight characters, they will probably use a password like Mississippi9, which just uses a longer base word, but still adheres to a predictable pattern.

None of this is to say that complex passwords are inherently bad, or that it’s your fault. Most websites you use simply don’t adequately explain how complex your password needs to be. The problem is us. If it’s something we can reliably remember, it’s probably something that a professional password cracker can figure out. The only secure password is the one you can’t remember.

What You Can Do to Defend Yourself

Redman’s talk is aimed at security professionals and web admins. Some of what’s in the video above might sound fatalist and out of your control (because it is). Fortunately, there are still some things you can do to protect yourself:

• Stop using the same password for more than one site. This cannot be stressed enough. It doesn’t matter if you have a completely random 100-character password, if you used it on multiple sites. Whatever your password was on LinkedIn, it’s out there now. If a professional hacker cracks your password on one site, they have it on all of them. Always, always, always use unique passwords for every site.
• Use passwords you can’t remember (with a password manager): The best password you can have is one that’s too complex for you to remember. Password managers are perfect for this. Get a password manager, use it to generate random, impossible-to-remember passwords and store them with the app. Yes, it means trusting one app with all your passwords, but it means that the passwords you actually use can be much stronger. Check out our password manager comparison to find one that works for you. At the very least, use Chrome’s Smart Lock.
• If you have to remember a password, use a passphrase: There are some times you just have to use a memorable password. In that case, if possible, use a passphrase instead. Rather than making a short password with weird rules, passphrases are long phrases or even sentences. These can be easier to remember while also being long enough to trip up most password crackers. Or at least trip them up enough to give up on you and move on to someone else.
• Turn on two-factor authentication everywhere: Two factor authentication requires you to use a second factor like a text message or a code generated on your phone to login, in addition to a password. Turn it on everywhere. Ideally, most sites would require this, but for right now it’s optional. It’s a minor inconvenience, but it can save your account if your password is ever cracked.

You can also let sites know that you’re not happy when their security standards are lacking. If they don’t support two-factor authentication, put restrictive limits on how long your password can be or will email your password to you in plaintext if you lose it, email their support and let them know that’s not acceptable. Companies don’t always do what’s best for their users’ security unless they’re prompted by user demand or cost. If you’re using a site with poor security, let them know. Hopefully they will get their act together.