What do nursery rhymes, memorable movie phrases and great song lines have in common? They make great passwords. And there is not a single number or special character in them. The requirement to make complex passwords using special characters and numbers is being rethought.
The original idea for complex passwords came from Bill Burr in 2003, a former manager of the National Institute of Standards & Technology (NIST) and a well-respected Cyber-Security expert. He wrote an 8-page article that recommended complex passwords. He also recommended they be changed frequently – at least every 90 days.
It now appears these recommendations may not have been appropriate. The NIST authored a new set of recommendations this June. Complex passwords are out. Pass phrases are in. The need to change passwords frequently is also not as important as it once was.
There are two ways passwords are compromised: keystroke sniffers and password crackers. Sniffers are malware that record keyboard typing, looking for typical credential combinations. Crackers look for account portals over the Internet: a VPN (Virtual Private Network) on a firewall, a Terminal Server login, a server login, a website login, anything with a login page. They attempt to log in using common passwords, like 123456, or by brute force, trying every combination of letters, numbers and special characters.
With brute force cracking, it makes common sense that longer passwords are more difficult to crack. But how much more difficult? Here are some simple examples:
The pattern is obvious, and length appears to be more important than complexity. The current recommendation is to use a simple phrase that's easy to remember. Hastalavista,baby would take 4.6 billion years to crack using brute force.
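To see why length beats complexity, the following added example (it is not from the article) computes the brute-force keyspace of a password from its length and the character classes it uses, then converts that into worst-case time at an assumed guess rate. The rate of 10 billion guesses per second and the sample passwords are constructed assumptions, so the year figures will not match the article's 4.6 billion, but the ordering they produce is the point.

```python
import math
import string

# Assumed attacker throughput: 10 billion guesses per second. This is a
# constructed figure for illustration, not a number from the article.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes a brute-force attacker must cover once the password
# is known to contain at least one character from that class.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26 characters
    "uppercase": string.ascii_uppercase,  # 26 characters
    "digits": string.digits,              # 10 characters
    "symbols": string.punctuation,        # 32 characters
}


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search must enumerate."""
    size = 0
    for alphabet in CHARACTER_CLASSES.values():
        if any(ch in alphabet for ch in password):
            size += len(alphabet)
    return size


def keyspace(password: str) -> int:
    """Number of candidates of the same length over the same alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: every extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def compare(passwords):
    """One (password, length, alphabet size, bits, years) tuple per input."""
    return [
        (p, len(p), charset_size(p), round(entropy_bits(p), 1), years_to_exhaust(p))
        for p in passwords
    ]


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus longer phrases.
    samples = ["Pa$5w0rd", "Usetheforceluke", "Hastalavista,baby", "Hastalavista,baby1!"]
    print(f"{'password':<22}{'len':>4}{'alphabet':>9}{'bits':>7}  years (worst case)")
    for p, n, a, bits, years in compare(samples):
        print(f"{p:<22}{n:>4}{a:>9}{bits:>7}  {years:.3g}")
```

The eight-character password draws on all four classes (an alphabet of 94) yet yields about 52 bits, while the 17-character phrase over 84 characters yields about 109 bits; each added character multiplies the work by the alphabet size, whereas each added class only adds to it. The keyspace figure assumes the characters are independent, so it is the brute-force bound only; a phrase that appears verbatim in a common-password list is attacked by the cheaper route the article describes, which is a reason to pick a phrase rather than the best-known line of the film.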
Some systems force a number or a special character, which are easily appended to a phrase: Hastalavista,baby1!, for example.
Song lyrics, movie lines, poetry, a sentence from a favourite book – just about anything can be a great pass phrase. Pass phrases should be 15 characters or longer. Usetheforceluke is too short. Most modern systems can accommodate 25-character passwords; some as long as 1,000. The days of complex and difficult passwords are coming to an end. Hasta la vista, baby!