Alex Archondakis, from the BCS Internet specialist group, explains why password length is more important than complexity.

For as long as passwords have been used as an authentication mechanism we have favoured complexity over length. However, as computing power has grown, complexity no longer provides the level of security it once did.

How can weak password policies be exploited by an attacker?

Weak password policies are rarely exploited on their own; they are usually chained with other weaknesses in an application. Consider the following example:

  • Your utility company has a public-facing web application for paying bills that returns a different error message on login depending on whether or not the account exists. An attacker can use readily available tools that send thousands of requests with potential usernames and analyse the responses to build a list of valid usernames. This is called username enumeration.
  • The application does not lock user accounts after a number of incorrect password attempts, so an attacker can try as many passwords as they like against a single account. This is called a brute-force log-on attack.

With a list of valid usernames and the knowledge that the application has no account lockout policy, the attacker runs another brute-force tool, this time feeding it the valid usernames and a list of common passwords. The tool sends thousands of requests with candidate passwords against each username until a valid set of credentials is found.
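The chain described above, as an added example that is not code from the original article: a minimal login service with both weaknesses (a response that differs for unknown users, and no lockout) beside a hardened handler, plus the attacker's enumeration check. The user store, passwords, lockout threshold and window are constructed for this example; a real service would also rate-limit by source address and use a tuned password hash such as bcrypt or Argon2.

```python
"""Added example, not code from the original article: a minimal login
service with the two weaknesses described above (username enumeration and
no lockout) beside a hardened version, plus the attacker's enumeration
check. The user store, passwords and thresholds are constructed."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# PBKDF2 work factor. Illustrative; a real deployment tunes this (or uses
# bcrypt/scrypt/Argon2) so one verification costs tens of milliseconds.
ITERATIONS = 50_000


def make_record(password):
    """Return (salt, hash) for a newly set password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: username -> (salt, hash).
USERS = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("Summer2023!"),
}


# --- Vulnerable handler: distinct messages, unlimited attempts ---------------
def login_vulnerable(username, password):
    record = USERS.get(username)
    if record is None:
        return "Unknown username"        # tells the attacker the account does not exist
    if not verify(password, *record):
        return "Incorrect password"      # tells the attacker the account does exist
    return "OK"


# --- Hardened handler: one message, equal cost, lockout ----------------------
# A dummy record is verified when the user does not exist, so a missing
# account costs the same PBKDF2 time as a real one; otherwise response time
# would enumerate users even though the message does not.
_DUMMY_SALT, _DUMMY_HASH = make_record(os.urandom(16).hex())

LOCKOUT_THRESHOLD = 5           # failures allowed...
LOCKOUT_SECONDS = 900           # ...within this window before the account locks
_failures = defaultdict(list)   # username -> timestamps of recent failures
GENERIC = "Invalid username or password"


def login_hardened(username, password, now=None):
    """`now` is injectable so the lockout window can be exercised without sleeping."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[username] if now - t < LOCKOUT_SECONDS]
    _failures[username] = recent
    if len(recent) >= LOCKOUT_THRESHOLD:
        return GENERIC               # locked out, but the message does not say so
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = verify(password, salt, digest)   # always runs, even for unknown users
    if ok and username in USERS:
        _failures[username].clear()
        return "OK"
    _failures[username].append(now)
    return GENERIC


# --- Attacker's side: enumeration by response difference ---------------------
def enumerate_users(login, candidates):
    """Return the candidates whose response differs from that for a name that
    certainly does not exist, i.e. the names an attacker would mark as valid."""
    baseline = login("no-such-user-" + os.urandom(4).hex(), "x")
    return [u for u in candidates if login(u, "x") != baseline]
```

Against `login_vulnerable`, `enumerate_users` recovers `alice` and `bob` from a candidate list with two requests per name; against `login_hardened` it recovers nothing, and five wrong guesses against `bob` within the window make even the correct password fail until the window expires.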

Successfully executing this attack is then just a matter of time and throughput: the more requests an attacker can send per second, the sooner they obtain credentials, which is why a botnet is often used. A botnet is a collection of computers that an attacker has infected and controls; beyond raw throughput, spreading the requests across thousands of source IP addresses also makes them much harder to rate-limit or block. Botnets can be hired cheaply on the dark web.

The number of candidates an attacker must try grows exponentially with length: an alphabet of N symbols gives N^L possible passwords of length L, so every extra character multiplies the work by N, whereas adding more symbol classes only enlarges N. An 8-digit password can be cracked by a 10,000-strong botnet in 30 minutes, whereas a 25-character string would take 99 septillion years! The exact figures depend on the character set and guess rate assumed, but the size of the gap is the point.

‘In Britain, France, and Germany, one Septillion is represented as one followed by 42 zeros.’

(That is the long scale. In the short scale used in the United States, and in most modern British usage, a septillion is one followed by 24 zeros; either way the figure is far beyond any practical attack.)

In full: 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000


If an attacker obtains password hashes through another attack vector such as SQL injection, the attack moves offline: each guess is checked against the hash on the attacker's own hardware, with no lockout, rate limit or network round trip in the way, so guess rates are many orders of magnitude higher and short passwords fall far faster. Only a slow, salted hash (bcrypt, scrypt or Argon2) and, above all, length keep the work factor high in that setting.

From a human perspective, adding complexity to a password makes it much harder to remember: ‘password’ is a lot easier to recall than ‘P@?Sw#rd’. Yet predictable substitutions of this kind are built into the rule sets of common password-cracking tools and barely slow a brute-force attack backed by a strong botnet, so the user pays the memorability cost for very little gain in security.

Remembering a long password is not as difficult as people think if, instead of a password, we think of it as a passphrase. The following passphrase would be strong and easy to remember:

‘I eat cheese every single day’
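The arithmetic behind the botnet figures, the offline-cracking point and the passphrase above, as an added example that is not code from the original article. It computes search-space size, entropy in bits and worst-case time to exhaust for several policies at three assumed guess rates (an online botnet, an offline attacker against a fast unsalted hash, and the same attacker against a slow hash). The rates, the 20,000-word dictionary and the treatment of the passphrase as six dictionary words are assumptions chosen for illustration, not measurements.

```python
"""Added example, not code from the original article: the work-factor
arithmetic behind the length-versus-complexity argument, for an online
(botnet) attacker and an offline (stolen hashes) attacker. The guess rates
and dictionary size are assumptions chosen for illustration."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker throughput, in guesses per second (orders of magnitude).
ONLINE_BOTNET = 10_000 * 10    # 10,000 bots at ~10 login requests/s each (assumption)
OFFLINE_FAST_HASH = 10 ** 10   # one GPU rig against unsalted MD5/SHA-1 (assumption)
OFFLINE_SLOW_HASH = 10 ** 5    # the same rig against bcrypt/Argon2 (assumption)


def keyspace(alphabet_size, length):
    """Candidates for a password of `length` symbols from an alphabet of
    `alphabet_size`: every extra character multiplies the work by
    alphabet_size, every extra symbol class only enlarges alphabet_size."""
    return alphabet_size ** length


def passphrase_space(word_count, dictionary_size):
    """Strength of a passphrase against an attacker who guesses whole words
    from a dictionary, the model a cracker would actually use, rather than
    individual characters. A human-chosen sentence is less random than
    uniformly chosen words, so treat this as a generous estimate."""
    return dictionary_size ** word_count


def entropy_bits(space):
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst case for the attacker: the whole space must be searched. On
    average a password falls about halfway through."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Policies compared. Alphabets: 10 digits, 26 lowercase letters, 95 printable
# ASCII symbols. The passphrase is the article's own, modelled as 6 words
# drawn from a 20,000-word dictionary (assumption).
PHRASE = "I eat cheese every single day"
POLICIES = {
    "8 digits": keyspace(10, 8),
    "8 chars, 95-symbol alphabet": keyspace(95, 8),
    "12 chars, lowercase only": keyspace(26, 12),
    "25 chars, lowercase only": keyspace(26, 25),
    "6-word passphrase (20k dictionary)": passphrase_space(len(PHRASE.split()), 20_000),
}


def summarise(rate):
    """Return {policy: (entropy bits, years to exhaust at `rate`)}."""
    return {name: (entropy_bits(space), years_to_exhaust(space, rate))
            for name, space in POLICIES.items()}


if __name__ == "__main__":
    for label, rate in (("online botnet", ONLINE_BOTNET),
                        ("offline, fast hash", OFFLINE_FAST_HASH),
                        ("offline, slow hash", OFFLINE_SLOW_HASH)):
        print(f"--- {label}: {rate:,} guesses/s")
        for name, (bits, years) in summarise(rate).items():
            print(f"{name:36s} {bits:6.1f} bits  {years:12.3g} years")
```

Two results worth noticing: twelve lowercase letters already outnumber eight characters drawn from the full keyboard (about 56 bits against 53), and the six-word passphrase, even on the generous word-guessing model, is some ten billion times larger than the 8-character complex password. At the assumed botnet rate the 8-digit space is exhausted in well under an hour, in line with the article's figure, while at the fast-hash offline rate the 8-character complex password lasts days and the 25-character string still lasts longer than the age of the universe.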

Systems administrators could reward users for adopting passphrases by requiring them to change them less often, since they are far safer and much less likely to be cracked.

In conclusion, a long passphrase is harder to brute-force or crack, and easier to remember, than a short complex password.

About the author

Alex is a passionate and enthusiastic penetration tester. His cyber security skills were originally self-taught, and he currently works with various technologies, whilst mainly focusing on web application and external infrastructure testing.