15 character passwords are now not secure

Created: 2017.02.10 | Last updated: 2020.06.23

12 character passwords with fancy characters (upper case, numbers and symbols) haven't been secure for years. Once again, silly rules for passwords are proven a waste of time that lowers password security. Having LONG passwords, even easy-to-remember ones, is by far the more secure choice.

Back around 2007 or 2008, I remember reading that a 12 character password was good and a 15 character one would take '2 billion years' to crack.

Current best practices summary:

Obviously what is considered 'best practices' depends on who is setting the rules. The FBI in early 2020 said "Minimum 15 characters" because 12 characters was the last length that "takes several hours to crack", but at the same time the FBI published 15 as the minimum, other reports said that up to 15 characters could be cracked in hours. So here are my recommendations for best practices:

Any site with relatively unimportant data where the cost is low if an account is hacked: Minimum 15 characters but allow up to 255 characters. No goofy rules that make users write down their passwords on postit notes (like requiring numbers or symbols). If you are the owner of this site and you agree that the cost to you AND to your customer is low AND you consider yourself unlikely to be hacked in the near future, then you might only REQUIRE 8 characters, but ALLOW a large number.

Any site with important data where the cost is medium or high if an account is hacked: Minimum 20 characters, but allow up to 1000 characters. No goofy rules that make users write down their passwords on postit notes (like requiring numbers or symbols). If you own the site and the cost to YOU is high then you might want to ENFORCE a minimum of 20 characters. But if your customers will balk at that, you will obviously have to decide: is the inevitability of being hacked a lower cost than the cost (lost customers) of forcing a secure password? But if you are one who already really irritates your customers by forcing them to type things like a number, a symbol, a lower case and an upper case, you already don't care at all about whether customers will abandon you due to irritating them, so simplify your life and theirs and have one and only one rule: Minimum 20 characters (or 16 if you are willing to update it every year or two as computers become more powerful).

If you are forced to use an insecure password on a site with data that is important to you, either refuse to use them OR consider what you are going to do WHEN your password is hacked. I'm not fearmongering here: it is a statistical probability that a password of 15 or fewer characters at a site that has important data will be hacked in the next 10 years.

The TL;DR version. If you've been here before and just want to see the latest news, the oldest is right here, the newest is at the bottom of this page.

As most of my friends know, I have for decades laughed anytime someone says that something in computers will take 2 billion years to crack. My response is: You can crack it in 10 years. Just do NOTHING for 9 years and 364 days, then crack it on the last day using the equipment you buy that day instead of the now 10 year old stuff. Note that in the 10 years to today (2017), while CPU raw speeds haven't increased a billion fold, a combination of GPU improvements and algorithmic improvements has sped things up by 600 billion, allowing a 2 billion YEAR job to be done in roughly 1 or 2 days now.

2020.01 Update with lots of suggestions:

All passwords with a length up to 15 characters cracked in < 15 hours with 4 Nvidia GTX 2080 Ti cards (22.7 sextillion keys per second per GPU).

So, instead of a billion years, it took waiting 3 years and then buying the newest fastest video card, and you too can do 2 billion years of cracking in 15 hours!

My response: I am moving my 'minimum password length of 12 for important things' to 'minimum password length of 20' and in many cases 30.

But there is a problem with that. Banks and governments tend to NOT allow good passwords. They want short ones with silly rules like capital letters, numbers and symbols, rules that have been shown to decrease the strength and security of passwords for a variety of 'human' reasons.

Humans tend to swap 0 for O and 1 for l. All password crackers know that, so it essentially adds ZERO security while making the password harder to remember, and because it is harder to remember, the humans use 'easier' passwords for the rest! And besides, there are only 10 digits and maybe 20 special characters that anyone is likely to use, so 26 letters, times 2 for upper case, plus about 30 digits and special characters. Most cracking routines just naturally try about 100 characters, maybe even 256, and don't care that you think you are being cute by substituting a few numbers and symbols.

Also, everyone (statistically) uppercases the 1st letter when required. And 1! added to the end of the password makes it pass all the rules.

I am amazed at how many sites will let me enter Password1! as my password and call it 'secure', when mypassword is actually MORE secure and mysillypassward is hundreds of times more secure, yet they tell me that Password1! is very strong but mysillypasswardandmorenomatterhowmuchitype is weak.

Requiring passwords of 15 or 18 or 20 characters and dropping all the silly rules would in almost every case make passwords more secure.
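To make the point above concrete, here is an added example (my illustration, not code from the original post) of how a strength checker that thinks like a cracker scores passwords: it undoes the usual mangling (trailing "1!", leet swaps, capitalisation) before checking a wordlist, and otherwise scores by length times the roughly 100 symbols a cracker tries anyway. The wordlist and its assumed real-world size are constructed for the demo.

```python
import math

# Constructed mini-wordlist standing in for a cracker's list; WORDLIST_SIZE is the
# assumed size of the real list it represents (assumption, not a measured figure).
WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty", "hello"}
WORDLIST_SIZE = 10_000_000
MANGLING_RULES = 512          # assumed number of cheap rules tried per word
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Undo what every cracker already tries: strip the tacked-on digits/symbols
    (the classic '1!'), reverse leet substitutions, ignore capitalisation."""
    core = pw.rstrip("0123456789!@#$%^&*.?")
    return core.translate(LEET).lower()


def keyspace_bits(length: int, charset_size: int) -> float:
    """Brute-force work for a random password of this length over this alphabet."""
    return length * math.log2(charset_size)


def strength_bits(pw: str) -> float:
    """Approximate attacker work in bits: a mangled dictionary word costs about
    log2(wordlist * rules) guesses no matter how 'fancy' it looks; anything else
    costs a brute-force search over its length."""
    if normalize(pw) in WORDLIST:
        return math.log2(WORDLIST_SIZE * MANGLING_RULES)
    if pw.isalpha() and pw.islower():
        charset = 26
    elif pw.isalpha():
        charset = 52
    else:
        charset = 100            # the ~100 symbols a cracking run tries anyway
    return keyspace_bits(len(pw), charset)


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd1!", "mysillypassward",
               "mysillypasswardandmorenomatterhowmuchitype"]:
        print(f"{pw:45s} ~{strength_bits(pw):6.1f} bits")
    # Length beats complexity: 12 chars over 95 symbols vs 20 lower-case letters.
    print(f"12 x 95-symbol charset: {keyspace_bits(12, 95):.1f} bits")
    print(f"20 x lower-case only  : {keyspace_bits(20, 26):.1f} bits")
```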

Warning: Don't reuse passwords or password patterns. For example, if one password is mysillyTD, then once it is cracked it is pretty easy to guess, with no more than 10,000 attempts (10,000 is a tiny number for a computer), that your Scotia bank password is mysillyScot1a or mysillySc0tia.

Too little too late, FBI sort of agrees

Around the same time that it was announced that 15 character passwords can now be cracked in about 15 minutes with cheap, readily available hardware, the FBI came out ('Tech Tuesday' in early February 2020) and said they agree that:

  • passwords that are only 12 characters or fewer are terribly insecure even if you make them extremely hard for a human to remember by requiring special characters like upper case, numbers and symbols, even if, unlike most people, you use symbols and numbers other than 1!, and even if you do NOT capitalize 'words' in your pass phrase but rather upper case a different letter liKetHis.

  • Instead, they say you are better off having as many characters as you are willing to use, minimum 15, and that it is perfectly OK to use words.

So what should you do for your passwords?

  • Only memorize passwords that you have to type daily. Update 2020: forget memorizing them, handle them 'the rest' way that follows. The rest, make them 50+ characters long (if you are allowed) and copy paste them. Sadly companies that force you to use symbols and numbers force you, in a practical sense, to use shorter passwords because you can't easily copy paste them: by default most programs stop selecting when they get to a number or symbol.
  • Do you capitalize the words in the phrase? Sure! If it helps YOU, but don't do it because you think you are making your password more secure. Or do it because you are forced to. For example, I find it easier to include 2 capitals in the following password: "My password Peter is easier to type with upper case"
  • Do you include symbols and numbers? Sure! If it helps YOU, but don't do it because you think you are making your password more secure. Or do it because you are forced to.
  • Do you substitute O's with 0's, I's with 1's and so on? Sure, if you are used to doing it and your fingers automatically do it. But don't do it if it is inconvenient: it makes virtually NO increase in the difficulty to crack your password, because every hacker is already including all the substitutions.
  • Do you use a unicode character, like pile of poo or whatever your favorite is? Sure, but realize that really, all it means is that typically you are typing TWO characters from a hacker's perspective. So if you type 8 unicode characters, your password is probably about 16 characters long from a hacker's perspective. But if you think that a unicode character is worth 3 or 4 characters, you are fooling yourself.
  • Do you use spaces? This really depends on two factors: is the system you are using going to ALLOW you to put in spaces, and do you easily type a space? I have touch typed since I was 11 years old (Thank you mom and dad) back when I used an old clank clank keyboard to write my first articles on Ichthyology (published in 6 different countries; they didn't realize how young I was). But I digress. Because I touch type, I find it much faster and easier to type "Hi this is my secure password eh? How is it going" than to type "Hithisismysecurepasswordehhowisitgoing". But I admit, I almost never use spaces in my passwords (passphrases) because most systems on which I have tried to use spaces reject passwords with spaces. After all, they want you to type a single pass WORD and then maybe add THEIR choice of special characters, putting limits on it so that it is easier to hack. Partly it is also because I've used sites that 'fixed the bug where they USED to allow a space in a password.'
  • Personally I recommend AGAINST starting or ending a password with a space. Too easy to 'miss' later, and many programmers will trim spaces from the start or end, so even if it works NOW on a web site, you may find yourself being told your password is wrong when some programmer decides to be 'smart' and 'help' you. And you'll be forced to select 'forgot password?' when really it is 'our programmers damaged your password'. So my advice: don't use leading or trailing space(s).
  • Lock your passwords in a file or software vault that takes a long character phrase to get in to find your other passwords. Make sure it is your most secure and EASIEST TO REMEMBER password. Perhaps: "Hey mom, this is my most secure password, I doubt anyone can guess it but to make sure I am making it really really long."
  • NEVER share ANY of your passwords or any of your real cute ideas. You are human, which means that you will probably have a pattern in many of your passwords without even realizing it. In my case, I have written and given lots of lessons on passwords. I always use examples that are NEVER used in my real passwords. In addition, I use ones that OTHERS have told me they used. That means, sorry, I don't ACTUALLY use 1! on any secure passwords that have a limit that is lower than what I really want my password to be. I might (or might not, I'm not telling) use it if I'm forced to tag it on to the password after I type a good password. As advice, if you are using one of those systems that limit your password to a very short length like 25 or less (and yes, some really do lock you to 12 or less), then I would recommend that you never use 1!, because you want the entropy that 4 random characters would give you. I've also noticed from friends who tell me that when forced to use a capital, a number and a symbol, the 1st letter (or 1st letter of every word) is capitalized and then they type a number and a symbol, in that order. I don't think it will affect a hacker's algorithm, but if you really want to be more secure, don't do it in that order and don't put them together.
  • Use 2 factor or 3 factor authentication, but be aware, 2 factor authentication that uses your phone is only more effective in limited circumstances since it is so easy for a criminal to clone it if they can get near it. But at least it will give you more protection against the hackers in China, Nigeria and so on who can't get physically close to your phone (unless you travel to one of those countries.)

What if you are a developer with software important enough to have passwords?

  • Tell your manager to stop using the stupid rules you are currently using.
  • Tell your manager: We need to force passwords to be at least 20 or better 30 characters (and review this minimum every year or two.)
  • Tell your manager: Let's allow passwords up to 300 or 1000 characters in length (or if you want to have to keep changing it every few years, set it to allow at least 64 characters according to the current NIST 2018 minimum guidelines.)
  • Tell your manager: Let's allow the space character, question mark, period, comma and as much other punctuation as our software will allow. Sometimes there are some characters like ", ', / and so on that can cause internal problems, so it may be safer to not allow them than to risk them allowing SQL injection or other similar problems. If you don't know what this is, then just trust me and don't allow those characters.
  • Test your software. If someone creates a password that is exactly your maximum, does it actually work to login? I've seen a bug in software we write add-ons for, where they had a maximum of something like 25. They let you SET a password to 25 characters, but the login page only allowed LESS THAN 25 (so 24). They still let you type in 30 characters, then they just used the 1st 24 and said "nope, when we take the 1st 24 characters of the 25 you typed in, it doesn't match the 25 character password you set"; well, technically it said "wrong password, do you want to reset it?" or something similar.

Some common problems:

  • Do you put valuable things in a site that won't let you have really long passwords? Well, if you are willing to put them in your car where people can see them and break in by smashing your windows, then sure. But if you think that your info is too valuable to be that much at risk, then REFUSE to use a site that won't let you put in long passwords, or figure out a way to only use that site for 'low risk' stuff. It is really sad that many sites will not let me put in a good (long) password, but instead force me to follow stupid rules that lower the security of my password (because I always upper case the 1st character and I always use 1! as the number and symbol, so that I can remember the password.) The BCR (Bank of Costa Rica) for example requires that I have a password of 11 characters OR LESS and then they think they made it secure by giving me a card that someone could easily take a picture of, rendering my only security their 11 character password. The BCR has a lot of other outdated ideas for their web site, so don't put a lot of money at a time into a bank that does this 'to' you.
  • But the problem is: Most banks and government sites force you to use insecure passwords. I have seen some that still have a max length of 8 in 2019. So your only real option is to avoid putting a lot of your money into bank accounts; your only real option is to keep most of your wealth in cash or other value that doesn't have to rely on the low security that most banks use. If you know a bank in Canada that allows good passwords, let me know, I might change from my current bank. So ... do you keep ALL your money in cash? Do you gamble that the bank will cover it WHEN there is a leak of millions of passwords and billions of dollars? Do you trust the government won't blame you for your password being hacked? I really don't have the answer to give you, sorry, and for security reasons, I am not going to tell you how I have balanced it and tried to protect myself. I CAN tell you that the bank that only allowed me at maximum a 12 character password, we stopped using them back when it became known that 12 character passwords could be cracked in 36 hours; the risk was, in my opinion, too high. I'll also tell you ... I do not keep large amounts of cash in my house. I think that risk is too high too. I am not a 'life savings stuffed in my mattress' person. I trust the CDIC more than I trust the most obscure and secure place in my home.
  • Many programmers are sloppy with their testing. A software product I use lets you type in a 100 character password; it even validates that you entered the same 100 characters twice. But then when you log in, if you type in more than 22 characters, it fails saying it is the wrong password. What happened? They only used the 1st 22 characters in the place where the password is set. But when you log in, they try to use everything you type in, and as a result the password doesn't match.
  • Some software will tell you that you can have an x character password, let's assume 25. And then when you login they only allow 24! How could THAT happen? Well, in one place their code says that the password can be <= 25, but in the other place they have code that checks for < 25 (hence, 24 max.)
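As an added example (my own illustration, not any vendor's code), the following shows the developer checklist above implemented the right way, beside a constructed store that reproduces the two truncation bugs just described: the set path keeping 25 characters while login keeps 24, and the set path keeping only the first 22 characters of a 100 character password. The fix is one shared length rule and hashing the whole password on both paths; the minimum and maximum are the 20/1000 values recommended above.

```python
import hashlib
import os
import secrets

# Policy from the checklist above: one long minimum, a generous maximum, no composition rules.
MIN_LEN, MAX_LEN = 20, 1000


def check_length(password: str) -> bool:
    """The single length rule. Both set and login call this, so '<= 25' in one
    place and '< 25' in another can never happen."""
    return MIN_LEN <= len(password) <= MAX_LEN


def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 over the whole UTF-8 string: nothing is silently cut off, however long it is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordStore:
    """Correct version: same rule on both paths, whole password hashed, constant-time compare."""

    def __init__(self):
        self._records = {}  # user -> (salt, derived key)

    def set_password(self, user: str, password: str) -> bool:
        if not check_length(password):
            return False
        salt = os.urandom(16)
        self._records[user] = (salt, derive(password, salt))
        return True

    def login(self, user: str, password: str) -> bool:
        if not check_length(password) or user not in self._records:
            return False
        salt, key = self._records[user]
        return secrets.compare_digest(key, derive(password, salt))


class TruncatingStore(PasswordStore):
    """Constructed reproduction of the bugs described above: each path keeps only
    the first N characters it was written to handle (None = keep everything)."""

    def __init__(self, set_keep=None, login_keep=None):
        super().__init__()
        self.set_keep, self.login_keep = set_keep, login_keep

    def set_password(self, user, password):
        return super().set_password(user, password[:self.set_keep])

    def login(self, user, password):
        return super().login(user, password[:self.login_keep])


if __name__ == "__main__":
    good = PasswordStore()
    good.set_password("alice", "x" * MAX_LEN)
    print("exact-maximum password logs in:", good.login("alice", "x" * MAX_LEN))
    bug25 = TruncatingStore(set_keep=25, login_keep=24)        # set <= 25, login < 25
    bug25.set_password("bob", "correct horse battery sta")     # 25 characters
    print("25-char password logs in:", bug25.login("bob", "correct horse battery sta"))
    bug22 = TruncatingStore(set_keep=22)                       # set keeps 22, login uses all
    bug22.set_password("carol", "b" * 100)
    print("100-char password logs in:", bug22.login("carol", "b" * 100),
          "| only its first 22 chars log in:", bug22.login("carol", "b" * 22))
```

Run it and the two buggy stores show the symptoms from the field reports: no input at all logs in for the 25/24 store, and the 22-character store accepts a password the user never set.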

Funny story. The Alberta Government has a web site for people with at risk kids in their home (we are foster parents). They use the password for signing up to educational courses, and people use it, logging in to it, twice a year. They then require you to change your password every 6 months and don't allow a long password. So you have to change your password essentially every time you log in. Now ... the only REAL risk is that the children in your home will hack in and cancel your classes (since there is only, once every 6 months, a half hour window really where you can sign up for classes, and the demand for the classes outstrips the availability.) So what happens? People put the current password on a yellow postit and paste it right above the family computer, where the password is readily visible to the ONLY people who might want to hack it. Whoever designed this system either has a bloated sense of personal importance, or read a few blogs from the 1970's on 'good password strategies' and didn't use their God given brain. Btw, this is not theoretical. I have seen the passwords posted above computers and on bulletin boards at their front entrances. And note: It was always a YELLOW postit, even though yes, other colours are now available. I notified someone there, but they said they didn't know how to reach the correct people.

So what do I do for this one? Simple. I use a randomish password that I don't remember or record to log in once, and every 6 months I click on the 'forgot password' link to set a new password for the next login.

PC-Financial (Presidents Choice) also used to do it, but their 'forgot password' link was a 1-800 number. So, every time I logged in I called and said "Your password rules are too complicated and I don't want to write it on a yellow postit ... so I need a new password to log in today." Every time I logged in, I did the same thing and they suggested I record it somewhere safe, to which I replied "Oh it's ok, I just call you each time." When they apologized for how long it took, I replied "Oh, no problem, I have you on speaker phone, I'm working on something else while you are resetting the password." Then when they gave me my new 'temporary' password they kindly stayed on the line while I confirmed I could login. I was always really polite. One time when they sat there while I typed in my new password, I said "Oh cute, I typed in Capital P - assword one exclamation mark" and it accepted it - THAT will be easy to remember. She said "That isn't a good password". I said naively, "yes it is, according to your web site it is green, an EXCELLENT password, so I feel secure." I then changed it to something else but didn't tell her. I continued to do that on subsequent calls, and if they argued I argued back "No really, your site says it is an Excellent password, no one is going to guess that." After 3 months of this ... they introduced reasonable password rules and they didn't let you include 'Password' or 'password' as part of your password anymore. I guess I wasn't the only one, or they found out everyone else was putting it on a postit note.

2020.5.26 Latest bad example:

I went to the CRA (Canadian Revenue Agency) site, and it said I had to change my password because they had new, more secure rules. I typed in "pigglywiggleyamlroutinechatforevercatdog" and it wouldn't accept that password because it was 'weak', so for a giggle I typed in "Password1!", and yup, CRA accepted that as a "very strong" password!!! I of course changed it to one that fit their stupid rules AND was powerful. I notified someone at CRA about this so perhaps they will fix it.

2020.5.28 Latest in the walk of shame:

UPS (United Parcel Service) loves Password1! as a password, but hates IchibanSoupALongPathToSkipAlongAndSingASong (maximum 25 characters and not enough 'hard for a human to remember' characteristics). I notified a human at UPS about it, but their response indicated 'not my problem', so perhaps they will fix it.

Update 2020.06.23:

Again, even longer passwords can now be cracked. I've switched to 'minimum 50 character' passwords for everything 'important', which includes ALL computers on any network, whether intranet or internet (unless I have no other choice.) I'm hoping this will be secure for at least the next 5 years. Sometime between now and then, I'll probably start switching to minimum 100 character, and who knows, maybe even 1000 character passwords.