Passwords are, currently, a necessary evil. At the moment, most accounts that you create (on the Internet or elsewhere) will require a password. Your password ends up being 50% of a combination lock. This is all well and good if the person attempting to break into that lock is doing it manually because they’ll likely retry the same combination several times, lose their place and eventually give up. However, the hacking now is not being done by people, so much as by automated programs designed to break into your account.
The first portion of the combination lock for your account is your username. If this is your email, it is already given up. If it is a combination of your first and last name, then it is likely already known. Suffice to say, there’s a likelihood that your account’s username is already known, which means that 50% of your protection is already gone before the hacker even starts. Hackers then use pre-packaged password lists. This is typically a purchased list of known passwords that have been found in use at one time or another. These lists are millions of passwords long and growing daily as more passwords are compromised. If you think your “P@ssw0rd123” is secure, you are very likely fooling yourself. Someone has probably already done a basic character substitution on the word “Password”, and including a small number sequence is not as robust as random numbers.
Currently, we are advising clients to use 2 different words, with upper and lower case, numbers and special characters (like ! or - ) with a minimum of 14-16 characters. Only a few years ago, the ideal password was only 8 characters, with all of the complexity listed above… but this has now been eclipsed by technology and so the complexity has increased.
Charts such as the two below are produced regularly. As these are both 2+ years old and are not being used as references I’m not going to try to find and credit their source. This information is now considered old. But these charts are great illustrations of why you need a complex password – and the need is growing.
and the slightly newer (from 2020)
We can see how the length of the password is forced to keep climbing. The time to hack the password is getting shorter and shorter as the years go on. When these charts are made, it is defined as “How long it takes to brute force a password – USING CURRENT technology.” But technology is ever increasing, not sitting still. Password lists are ever-growing, not sitting still. As the saying goes, Crime never sleeps.
What was 12 years (9 characters, full complexity) turned into 3 weeks in only a couple of years
There are technologies designed to help add complexity, such as 2 Factor Authentication and biometrics, but at the core, with most systems currently available – your combination lock is still only 2 items. If 2FA becomes available, take advantage and implement it, but also realize that the criminal element is also working on ways to bypass these tools as well.
At the end of the day, however, being wary is still your number one protection. A good social engineer doesn’t need to break through your difficult password. They’ll just ask you for it – and you’ll tell it to them, even correcting their mistakes while they hack you. (See our post on Phishing and Social engineering!)