The Length of a Password is More Important than the Complexity
As the comparison above shows, adding four characters to a password's length, with no special characters at all, makes the password much more secure than requiring a mix of uppercase, lowercase, digits and symbols at the same length.
Passwords are one of the biggest pains in today's IT security. They are a fact of life, and the modern lifestyle requires us to have a great many of them. So we need to make sure we know what a strong and secure password is. How many times have we entered our information into an online service, registering with our credentials, only to be greeted with some variation of a "Please use a strong password" message?
NIST Guidelines for Password Security: If You Are Using a Password Manager, You Should Be in Good Shape
The US National Institute of Standards and Technology (NIST) is a federal agency within the US Department of Commerce. It has no regulatory powers, but it employs plenty of people who are supposed to know what they're talking about. For years, NIST has discussed, among other things, the problem of secure online authentication and passwords. As the organization's name suggests, its goal is to standardize the world of technology, and although it hasn't completely unified everyone's perception, its guidelines have, to a certain extent, shaped our ideas about what is and what isn't a good password.
Should we continue to listen to everything it says about online authentication?
** A huge thanks to the MS Crypto Board for all of the hand-holding and explanations -- especially David LeBlanc, Michael Scovetta, and Marsh Ray.
For the purpose of this post, the following definitions will be used:
- Password Complexity: the rules imposed when setting passwords, intended to ensure that the passwords chosen are both difficult to crack and difficult to guess.
- Password Entropy: the level of chaos or randomness present in a system -- in this case, in the string of characters that makes up a password.
- Bits of Entropy: the mathematical measurement, in bits, of how difficult it is to crack a password.
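The definitions above, and the claim that four extra characters beat a symbol requirement, can be checked with a short calculation: for a password drawn uniformly at random, bits of entropy = length × log2(alphabet size). The following is an added example written for this page, not code from any of the sources quoted here; the alphabet sizes (26 lowercase letters, 95 printable ASCII characters) are standard, while the guess rate of 10 billion guesses per second is an assumed figure used only to show how the numbers scale.

```python
import math
import string

# Alphabet sizes used in the comparison (standard ASCII counts).
LOWERCASE = 26        # a-z
ALL_PRINTABLE = 95    # printable ASCII including space

# Assumed guess rate for the illustration; real rates depend on the hash
# algorithm and the attacker's hardware and are NOT measured here.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly at random
    from an alphabet of `charset_size` symbols."""
    if length <= 0 or charset_size <= 1:
        raise ValueError("length must be > 0 and charset_size > 1")
    return length * math.log2(charset_size)


def length_to_match(length: int, charset_size: int, smaller_charset: int) -> int:
    """Smallest length over `smaller_charset` that reaches at least the
    entropy of `length` symbols over the larger `charset_size`."""
    target = entropy_bits(length, charset_size)
    return math.ceil(target / math.log2(smaller_charset))


def charset_size_of(password: str) -> int:
    """Alphabet size implied by the character classes a password uses.
    This is an UPPER bound: it is the entropy of a uniformly random string
    over those classes, and human-chosen passwords fall far below it."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = 0
    for cls in classes:
        if any(ch in cls for ch in password):
            size += len(cls)
    return size


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to exhaust half the keyspace at the given guess rate."""
    return 2 ** bits / 2 / guesses_per_second


def compare_policies() -> dict:
    """Entropy of an 8-character 'complex' password versus a 12-character
    lowercase-only one (the +4 characters from the text)."""
    complex8 = entropy_bits(8, ALL_PRINTABLE)
    lower12 = entropy_bits(12, LOWERCASE)
    return {
        "8 chars, all printable": complex8,
        "12 chars, lowercase only": lower12,
        "lowercase length needed to match 8 complex": length_to_match(8, ALL_PRINTABLE, LOWERCASE),
    }


if __name__ == "__main__":
    for label, value in compare_policies().items():
        print(f"{label:45s} {value:.2f}")
    for bits in (entropy_bits(8, ALL_PRINTABLE), entropy_bits(12, LOWERCASE),
                 entropy_bits(16, LOWERCASE)):
        secs = expected_crack_seconds(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{bits:6.2f} bits -> ~{secs / 86400:.1f} days at the assumed rate")
```

Running it shows the 8-character all-printable password at about 52.6 bits and the 12-character lowercase password at about 56.4 bits, so the lowercase password needs at least 12 characters to match the "complex" 8-character one. Because entropy grows linearly with length but only logarithmically with alphabet size, every four lowercase characters are worth more than widening the alphabet from 26 to 95 symbols. The `charset_size_of` figure is a ceiling, not a measurement of a real password's strength.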
So there are a couple of really interesting things you might have noticed:
The company now says forcing users to routinely reset passwords at pre-set time intervals doesn't work as well as other security options.
Microsoft last week recommended that organizations no longer force employees to come up with new passwords every 60 days.
The company called the practice - once a cornerstone of enterprise identity management - "ancient and obsolete" as it told IT administrators that other approaches are much more effective in keeping users safe.
There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.
The National Institute of Standards and Technology (NIST) has issued new guidelines regarding secure passwords. Who is NIST? NIST is a non-regulatory federal agency whose purpose is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology, in ways that enhance economic security and improve our quality of life.
Do you have to follow these guidelines? No, you don't. But they are generally considered a reasonable standard, not only in the U.S. but also around the globe. Following these standards is likely to give you a fair bit of protection should you ever be accused of not following good security practices.
There are actually several things you need to keep in mind when creating and using passwords, but a good password manager will help you take care of the two most important ones. It will make sure all your passwords are long and strong, and it will also make sure each password is used for only one account.
Why you need a password manager
These days, an eight-character password just won't do. Modern password-cracking tools will make short work of it. It's much safer to have a 15-character password.
What password managers do
That's where the password manager comes in. It remembers your passwords for you. All you need to remember is the single "master" password that unlocks the password manager.