Do you use longer passwords? That is not synonymous with security, according to a study


Alexandre Boero

September 28, 2023 at 1:30 p.m.


Passwords © Shutterstock x Clubic.com


What is the ideal length for a password? Is longer always better? Not necessarily, according to a new study that explores the link between password length and password security.

If you think your passwords are safe because they are long, think again! A new study from the Specops research team challenges this preconceived idea. Analyzing some 800 million passwords that had been compromised, the researchers found that the average password length was less than 12 characters, and that 85% of them were less than 12 characters long.

The researchers also found that a length of 8 characters was the most vulnerable, probably because it matches the default password length in Active Directory, the directory service for Windows systems.

A merely long password does not necessarily protect you any better than a short one

Some of the most frequently compromised 8-character passwords include common words such as “password” or “research”, as well as “GGGGGGGG”. In total, Specops identified 212.5 million potentially compromised passwords of this length.

Beyond that, the number of compromised passwords decreases as length increases. But even if they seem more secure, longer passwords are not immune to threats. Length alone is no longer enough: the strength of a password also depends on the diversity of its characters, its complexity and how regularly it is changed. The number of compromised passwords thus remains very high for 14-character passwords (67.7 million), 15-character passwords (45.7 million) and even 16-character passwords (31.1 million).

Simple sequences such as “GGGGGGGG” still appear regularly, which shows that many Internet users still favor simplicity over security.


[Image] These passwords should be avoided urgently! (Even Yoda tells you)

A strong, long password: a first foundation

This study can serve as a lesson: a password must be strong and complex to resist attacks. But if the relevance of longer passwords is (slightly) called into question here, should we still systematically create longer ones? “The answer is clear: absolutely,” Specops Software tells us.

As we said, the vast majority of compromised passwords (85%) have fewer than 12 characters. The researchers found that a 12-character password combining numbers, special characters and upper- and lower-case letters would take a hacker 26,500 years to crack. Suffice it to say that even Michel Drucker would not outlive it! This password must of course be hashed, that is, converted into an alphanumeric string through a one-way process that, unlike encryption, cannot be reversed and is therefore more secure.

Joking aside, a 12-character password made up of digits only can be cracked instantly. And if the long password is ever compromised (phishing and other forms of social engineering unfortunately still exist), there is nothing more to be done, especially if the attackers get their hands on a password database from an online application or a less secure site.
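To make the article's point concrete, here is a small added example (not code from the article or from Specops) that estimates the brute-force search space from a password's length and character classes, and flags the weak patterns the study describes: short passwords, digits-only passwords and repeated-character sequences such as “GGGGGGGG”. The guess rate is an assumption for illustration, not the rate used in the study.

```python
import math
import string

# Assumed offline guess rate against a fast hash (illustrative assumption only).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes; each class present widens the alphabet an attacker must search.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def classes_present(password: str) -> list[str]:
    """Names of the character classes that actually occur in the password."""
    return [name for name, chars in CLASSES.items() if set(password) & chars]


def charset_size(password: str) -> int:
    """Alphabet size implied by the classes present (e.g. digits only -> 10)."""
    return sum(len(CLASSES[name]) for name in classes_present(password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates of the same length over the same alphabet."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return 2 ** search_space_bits(password) / rate / SECONDS_PER_YEAR


def weaknesses(password: str) -> list[str]:
    """Reasons a password is weak regardless of its length."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    if password.isdigit():
        reasons.append("digits only: tiny search space")
    if len(classes_present(password)) < 3:
        reasons.append("fewer than three character classes")
    return reasons
```

Running `years_to_exhaust` on a 12-digit password versus a 12-character mixed-class one shows the gap the article describes: the digit-only search space is exhausted in seconds, the mixed one in well over a million years at the assumed rate.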

[Image] On the left, the time it would take a hacker to crack a hashed password; on the right, the time needed when the password has already been compromised © Specops

This is why you must use a long, complex password, and above all combine that modest line of defense with two-factor authentication, while using a unique password for each site or application. Because no password strategy is yet completely infallible.
