Created: 2017.02.10 | Last updated: 2020.06.23
12 character passwords with fancy characters (upper case, numbers and symbols) haven't been secure for years. Once again, silly rules for passwords are proven a waste of time, lowering password security. Having LONG passwords, easy to remember even, is by far the more secure choice.
Back around 2007 or 2008, I remember reading that a 12 character password was good and a 15 would take '2 billion years' to crack.
Obviously what is considered 'best practices' depends on who is setting the rules. The FBI in early 2020 said "Minimum 15 characters" because 12 characters were the last level that "takes several hours to crack", but at the same time the FBI published 15 as the minimum, other reports published that up to 15 could be cracked in hours. So here are my recommendations for best practices:
Any site with relatively unimportant data where the cost is low if an account is hacked: Minimum 15 characters but allow up to 255 characters. No goofy rules that make users write down their passwords on postit notes (like requiring numbers or symbols) If you are the owner of this site and you agree that the cost to you AND to your customer is low AND you consider yourself unlikely to be hacked in the near future, then you might only REQUIRE 8 characters, but ALLOW a large number.
Any site with important data where the cost is medium or high if an account is hacked: Minimum 20 characters, but allow up to 1000 characters. No goofy rules that make users write down their passwords on postit notes (like requiring numbers or symbols.) If you own the site and the cost to YOU is high then you might want to ENFORCE a minimum of 20 characters. But if your customers will balk at that, you will obviously have to decide - is the inevitability of being hacked lower cost than the cost (lost customers) of forcing a secure password. But if you are one who already really irritates your customers by forcing them to type things like a number, a symbol, a lower case and an upper case - you already don't care at all about whether customers will abandon you due to irritating them - so simplify your life and their's and have one and only one rule: Minimum 20 characters. (or 16 if you are willing to update every year or two as computers become more powerful.)
If you are forced to use an insecure password on a site with data that is important to you, either refuse to use them OR consider what you are going to do WHEN your password is hacked. I'm not fearmongering here - it is a statistal probabilitiy that a password of 15 or less characters at site that has important data, will be hacked in the next 10 years.
If you've been here before and just want to see the latest news, the oldest is right here, the newest is at the bottom of this page.
As most of my friends know, I have for decades laughed anytime someone says that something in computers will take 2 billion years to crack. My response is: You can crack it in 10 years. Just do NOTHING for 9 years and 364 days, then crack it the last day using the equipment you buy that day instead of this now 10 year old stuff. Note that in the 10 year to today (2017) while CPU raw speeds haven't increased a billion fold, a combination of GPU improvements and algorithmic improvements have sped up by 600 billion, allowing a 2 billion YEAR job to be done in roughly 1 or 2 days now.
All passwords with a length up to 15 characters cracked in < 15 hours with 4 nvidia gtx 2080ti 22.7 sextillion keys per second per gpu
So, instead of a billion years, it took waiting 3 years and then buying the newest fastest video card, and you too can do 2 billion years of cracking in 15 hours!
My response: I am moving my 'minimum password length of 12 for important things' to 'minimum password length of 20' and in many cases 30.
But there is a problem with that. Banks and Government tend to NOT allow good passwords. They want shorts ones with silly rules like capital letters, numbers and symbols, rules that have been shown to decrease the strength and security of passwords for a variety of 'human' reasons.
Humans tend to swap 0 for O and 1 for l. So all password crackers know that, it essentially adds ZERO security while making it harder to remember, and because it is harder to remember, the humans use 'easier' passwords for the rest! And besides, there are only 10 numbers and maybe 20 special characters that anyone is likely to use, so 26 letters, times 2 (upper case) and 30 numbers and special characters. Most cracking routines just naturally try about 100 characters - maybe even 256 - and don't care that you think you are being cute by substituting a few numbers and symbols.
Also, everyone (statistically) uppercases the 1st letter when required. And 1! added to the end of the password makes it pass all the rules.
I am amazed at how many sites will let me enter Password1! as my password and call it 'secure'.When mypassword is actually MORE secure and mysillypassward is hundreds of times more secure yet they tell me that Password1! is very strong but mysillypasswardandmorenomatterhowmuchitype is weak.
Requiring passwords of 15 or 18 or 20 characters and dropping all the silly rules would in almost every case make passwords more secure.
Warning: Don't reuse passwords or password patterns. For example: mysillyTD means that once one is cracked, it is pretty easy to guess with no more than 10,000 attempts (10,000 is a tiny number for computer) that your Scotia bank password is mysillyScot1a or mysillySc0tia
Around the same time that it was announced that 15 character passwords can now be cracked in about 15 minutes with cheap, readily available hardware, the FBI came out (Tech Tuesday' in early February 2020) and said, they agree that:
passwords that are only 12 characters or less long, are terribly insecure even if you make them extremely hard for a human to remember by requiring special characters like upper case, numbers and symbols, even if, unlike most people, you use symbols and numbers other than 1! and even if you do NOT capitalize 'words' in your pass phrase but rather upper case a different letter liKetHis.
Instead, they say you are better to have as many characters as you are willing to use, minimum 15, and that it is perfectly OK to use words.
What if you are a developer that has software important enough to have passwords?
Some common problems:
Funny story. The Alberta Government has a web site for people with at risk kids in their home (We are foster parents). They use the password for signing up to educational courses, and people use it, login to it, twice a year. They then require you to change your password every 6 months and don't allow a long password. So you have to change your password essentially every time you log in. Now ... the only REAL risk is that the children in your home will hack in and cancel your classes (since there is only, once every 6 months, a half hour window really where you can sign up for classes, the demand for the classes outstrips the availability.) So what happens? People put the current password on a yellow postit and paste it right above the family computer, where the password is readily visible to the ONLY people who might want to hack it. Whoever designed this system either has a bloated sense of personal importance, or read a few blogs from the 1970's on 'good password strategies' and didn't use their God given brain. Btw, this is not theoretical. I have seen the passwords posted above computers and on bulletin boards at their front entrances. And note: It was always a YELLOW postit - even though yes, other colours are now available. I notified someone there, but they said they didn't know how to reach the correct people.
So what do I do for this one? Simple. I use a randomish password that I don't remember or record to log in once, and every 6 months I click on the 'forgot password' link to set a new password for the the next login.
PC-Financial Presidents choice also used to do it, but their 'forgot password' link was a 1-800 number. So, every time I logged in I called and said "Your password rules are too complicated and I don't want to write it on a yellow postit ... so I need a new password to log in today." Every time I logged in, I did the same thing and they suggested I record it somewhere safe, to which I replied "Oh it's ok, I just call you each time." When they apologized for how long it took, I replied "Oh, no problem, I have you on speaker phone, I'm working on something else while you are resetting the password." Then when they gave me my new 'temporary' password they kindly stayed on line while I confirmed I could login. I was always really polite. One time when they sat there while I typed in my new password, I said "Oh cute, I typed in Capital P - assword one exclamation mark" and it accepted it - THAT will be easy to remember. She said "That isn't a good password"" - I said naively, yes it is, according to your web site it is green, an EXCELLENT password, so I feel secure." I then changed it to something else but didn't tell her. I continued to do that on subsequent calls, if they argued I argued back "No really, your site says it is an Excellent password, no one is going to guess that." After 3 months of this ... they introduced reasonable password rules and they didn't let you include 'Password' or 'password' as part of your password anymore. I guess I wasn't the only one - or they found out everyone else was putting it on a postit note.
I went to the CRA (Canadian Revenue Agency) site, it said I had to change my password because they had new more secure rules. I typed in "pigglywiggleyamlroutinechatforevercatdog" and it wouldn't accept that password because it was 'weak', so for a giggle I typed in "Password1!" - and yup, CRA accepted that as a "very strong" password!!! I of course changed it to one that fit their stupid rules AND was powerful. I notified someone at CRA about this so perhaps they will fix it.
UPS (United Parcel Service) loves Password1! as a password, but hates IchibanSoupALongPathToSkipAlongAndSingASong (maximum 25 characters and not enough 'hard for a human to remember' characteristics) I notified a human at UPS about it, but their response indicated 'not my problem' - so perhaps they will fix it.
Again, even longer passwords can now be cracked. I've switched to 'minimum 50 character' passwords for everything 'important' which includes ALL computers on any network, whether Intranet or internet (unless I have no other choice.) I'm hoping this will be secure for at least the next 5 years. Sometime between now and then, I'll probably start switching to minimum 100 character - and who knows, maybe even 1000 character passwords.