8-Character Passwords Are No Longer Safe

Andrew Froehlich, Network Engineer & IT Consultant | 2/26/2013 | 48 comments

Hey CIOs, have you checked your password policies lately?

Odds are that you allow user-generated passwords that are eight characters in length or more. If that's the case, you'd better hurry up and modify your policy so it requires a password that's harder to crack. Or, better yet, perhaps it's time to eliminate user-generated passwords altogether.

Deloitte's IT consulting arm is predicting that eight-character passwords should no longer be considered secure, due to increases in processor speed and advances in password-cracking techniques. Eight-character passwords that took months to crack with the technology of a few years ago can now be broken in a fraction of that time. According to Deloitte's research, this affects over 90 percent of user-generated passwords in use today, so it's likely that you work at a company where an eight-character password is still considered secure.

And if you think that brute-force prevention mechanisms such as account lockouts will keep attackers from breaking your passwords, think again. A lockout only limits online guessing against the login prompt, so attackers rarely bother with that route. Instead, they find their way into the authentication servers themselves, looking for the file or database table that stores every user's password hash. It's this file that the bad guys want. Once they have it, cracking is an offline job: specialized hardware and software guess candidate passwords, hash each one, and compare the result against the stolen hashes, with no lockout to slow them down. Nothing is decrypted, because a hash cannot be reversed; the attacker simply guesses at a rate no login form would ever permit, and if the hashes are fast and unsalted, a single guess can be checked against every account in the file at once.
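What that offline attack looks like in practice, as an added example that is not code from the original article: the two "leaked" dumps, the wordlist and the mangling rules below are constructed for illustration and stand in for a real breach file and a real cracker's rule set, and the PBKDF2 iteration count is kept deliberately low so the demo runs in a moment.

```python
"""Offline guess-and-hash cracking against a constructed password dump.

Added example, not code from the original article. The two "leaked" dumps,
the wordlist and the mangling rules below are constructed for illustration
and stand in for a real breach file and a real cracker's rule set.
"""
import hashlib
import hmac

# Constructed wordlist: the kind of base words a cracker's dictionary holds.
WORDLIST = ["password", "winter", "summer", "letmein", "welcome"]


def candidates():
    """Yield guesses: each base word, capitalised or not, bare, with a "1"
    appended, or with a recent year appended. A toy stand-in for a rule set."""
    for word in WORDLIST:
        for base in (word, word.capitalize()):
            yield base
            yield base + "1"
            for year in range(2010, 2014):
                yield base + str(year)


def sha256_hex(password):
    """Fast, unsalted hash: what a badly built auth store might keep."""
    return hashlib.sha256(password.encode()).hexdigest()


# Dump #1 (constructed): user -> unsalted SHA-256 of a weak password.
UNSALTED_DUMP = {
    "alice": sha256_hex("Password1"),
    "bob": sha256_hex("Winter2013"),
    "carol": sha256_hex("Password1"),  # same password as alice -> identical hash
}

# Dump #2 (constructed): per-user salt and PBKDF2-HMAC-SHA256. The iteration
# count is kept tiny so the demo runs instantly; production uses far more.
ITERATIONS = 1_000


def pbkdf2_hex(password, salt):
    """Salted, stretched hash: every guess costs ITERATIONS hash calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


SALTED_DUMP = {
    "alice": (b"salt-alice", pbkdf2_hex("Password1", b"salt-alice")),
    "bob": (b"salt-bob", pbkdf2_hex("Winter2013", b"salt-bob")),
    "carol": (b"salt-carol", pbkdf2_hex("Password1", b"salt-carol")),
}


def crack_unsalted(dump):
    """Hash each guess once and look it up against every user's hash at the
    same time. Returns (recovered passwords, hash evaluations performed)."""
    users_by_hash = {}
    for user, digest in dump.items():
        users_by_hash.setdefault(digest, []).append(user)
    found, evaluations = {}, 0
    for guess in candidates():
        evaluations += 1
        for user in users_by_hash.get(sha256_hex(guess), []):
            found[user] = guess
    return found, evaluations


def crack_salted(dump):
    """With a per-user salt every guess must be re-derived for every user, and
    each derivation costs ITERATIONS underlying hash calls instead of one."""
    found, evaluations = {}, 0
    for user, (salt, digest) in dump.items():
        for guess in candidates():
            evaluations += 1
            if hmac.compare_digest(pbkdf2_hex(guess, salt), digest):
                found[user] = guess
    return found, evaluations


if __name__ == "__main__":
    found, n = crack_unsalted(UNSALTED_DUMP)
    print(f"unsalted: recovered {found} with {n} hash evaluations")
    found, n = crack_salted(SALTED_DUMP)
    print(f"salted+stretched: recovered {found} with {n} PBKDF2 evaluations "
          f"(~{n * ITERATIONS:,} underlying hash calls)")
```

Both dumps give up the same weak passwords, because no hash function rescues a guessable password. The difference is cost: against the unsalted dump one hash per guess covers every user (and alice and carol share a visible identical hash), while the salted, stretched dump forces a fresh derivation per user per guess, each one a thousand times more expensive here and far more in a real deployment. That cost multiplier, not the lockout on the login page, is what slows an attacker who already holds the file.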

The consequences of insecure passwords are widely known, so I don't feel that I need to repeat them. Suffice it to say, if your policies aren't modified and enforced as soon as possible, your entire network infrastructure is at risk. At minimum, I would recommend a policy change that requires passwords to be at least 10 characters long, with the usual upper/lower case, number, and special character requirements for added complexity.
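To see how a minimum length turns into time on the attacker's clock, here is an added worked model that is not from the original article. The guess rates (1e9 per second for older hardware, 1e11 per second for a current GPU rig) and the 10,000x work factor for a stretched hash are assumptions chosen for illustration, not figures from Deloitte's research; the model also goes slightly beyond the article by showing how the server's choice of hash changes the length the policy needs.

```python
"""Time-to-crack model for a length-based password policy.

Added example, not from the original article. The guess rates and hash work
factors used below are assumptions chosen for illustration; plug in your own.
Time is modelled as exhausting the whole keyspace (worst case for the
attacker); the average password falls at roughly half that.
"""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character set sizes for the policy classes discussed in the article.
CHARSETS = {
    "lowercase only": 26,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(length, charset_size, guesses_per_second, work_factor=1):
    """Worst-case time to try every password of the given length.

    `guesses_per_second` is the attacker's rate against a single fast hash
    (unsalted SHA-1, MD5, NTLM); `work_factor` is how many times more
    expensive the stored hash is (PBKDF2 iterations, bcrypt cost), which
    divides the effective guess rate.
    """
    effective_rate = guesses_per_second / work_factor
    return keyspace(length, charset_size) / effective_rate


def required_length(target_seconds, charset_size, guesses_per_second, work_factor=1):
    """Smallest length whose keyspace takes at least `target_seconds` to exhaust."""
    needed_guesses = target_seconds * guesses_per_second / work_factor
    length = 1
    while keyspace(length, charset_size) < needed_guesses:
        length += 1
    return length


if __name__ == "__main__":
    # Assumed rates: 1e9/s for older hardware against a fast hash, 1e11/s for
    # a current GPU rig. Both figures are illustrative assumptions.
    for rate in (1e9, 1e11):
        for length in (8, 10):
            days = seconds_to_exhaust(length, 95, rate) / SECONDS_PER_DAY
            print(f"{length} printable chars at {rate:.0e} guesses/s: {days:,.1f} days")
    # Same 8-character policy, but the server stored PBKDF2 with 10,000
    # iterations (assumed work factor) instead of a single fast hash.
    years = seconds_to_exhaust(8, 95, 1e11, work_factor=10_000) / SECONDS_PER_YEAR
    print(f"8 chars, stretched hash, 1e11 guesses/s: {years:,.1f} years")
    # Length needed for the keyspace to outlast a 10-year attack at 1e11/s.
    for name, size in CHARSETS.items():
        n = required_length(10 * SECONDS_PER_YEAR, size, 1e11)
        print(f"length to survive 10 years at 1e11/s, {name}: {n}")
```

Under these assumptions an eight-character password drawn from all 95 printable characters takes about 77 days to exhaust at 1e9 guesses per second, which is the "months" the article refers to, and under a day at 1e11. Ten characters at the faster rate pushes that to roughly 19 years, and the model returns 10 as the minimum length to outlast a decade of guessing against a fast hash, in line with the recommendation above. The same eight characters stored behind a hash that is 10,000 times more expensive also survive about 21 years, so the policy should be read together with how the authentication server stores the password: the hash it keeps sets the guess rate the attacker gets once the file is stolen.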

But there are well-documented problems with pushing user-generated passwords past eight characters. Today's complex passwords are already hard enough for users to remember, and adding two more characters makes them that much harder. You'll find that users begin to form bad habits when trying to generate and remember their passwords: writing them on a sticky note or choosing non-random, easy-to-guess passwords are two that immediately come to mind.

It's for exactly this reason that security engineers have been desperately trying to get rid of the user-generated password for years. The password has served a purpose in the evolution of IT security, but its usefulness has come to an end. 2013 should be known as the time in IT security history when we see a major adoption of multi-factor authentication methods that combine several factors to authenticate users, including tokens and biometrics.

Up until now, companies have been reluctant to implement multi-factor authentication, citing hardware/software and end-user training costs. But it's high time we considered the user-generated password insecure across the board. So stop putting off the inevitable and start implementing multi-factor authentication to rid yourself of the user-generated passwords that put your data at risk.

Comments

MDMConsult | 4/20/2013 8:11:12 AM
Re: Get your memory going
Yes, limiting risk here is important for these security issues. With minimizing risk in passwords, as with most security issues, being able to balance risk against convenience is important. It is very important to find ways to ease risk with organizations.

adil | 3/25/2013 2:26:06 AM
Finger print
Another way can be integrating fingerprint scanners with our online accounts, which is currently only used for logging into the OS.

batye | 3/24/2013 12:18:37 AM
Re: Get your memory going
In the account/user profile you should see an option to change settings... one of them should be password... Hope this helps :)

batye | 3/24/2013 12:16:25 AM
Re: Get your memory going
I got hacked because of my opinion... some people do not like it... but it's life... what else could I do... :)

freespiritny25 | 3/23/2013 7:13:55 PM
Re: Get your memory going
@batye: It is unfortunate that you still get hacked from time to time. You sound much more proactive about changing your passwords than most. Imagine how much more often you would get hacked if you weren't so proactive.

freespiritny25 | 3/23/2013 7:11:46 PM
Re: Get your memory going
@Henrisha: We really should change our passwords every 3 months and write them on a piece of paper. The paper needs to be in a secure spot, because it is that important to secure all of our information on the net. I plan on doing this as of today.

freespiritny25 | 3/23/2013 7:09:35 PM
Re: MyIDKey
I think it is safe to have more than an 8-character password. I've been hacked and it's horrible.

angelfuego | 3/23/2013 6:57:04 PM
Re: MyIDKey
@Henrisha, Wow, that is new to me. I never heard of the MyIDKey. Pretty sophisticated.

angelfuego | 3/23/2013 6:55:48 PM
Re: we need some change in password technology
@Pedro, Maybe downsizing our accounts can help to reduce the number of usernames and passwords we have. For example, we can consolidate our accounts. Currently, I have a different email account for friends, different businesses, online shopping, and family.

angelfuego | 3/23/2013 6:53:03 PM
Re: Get your memory going
@MDMConsult, I think that it is wise not to use the same password for all accounts and logins. It does get difficult with having various accounts and sites that require a username and password.

The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
