A recent study by Specops Software shows that a password made up of many characters is harder to crack, but not infallible.
The research team at Specops Software, a company specializing in password management and authentication solutions, has published the findings of a study focusing on password length and the methods attackers use to compromise passwords.
“We wanted to know what the most common length of compromised passwords was and how many even longer passwords were also cracked,” the company explains. More specifically, Specops Software aims to support the conclusion that “equipping users with strong, long passwords is not a foolproof way to avoid credential compromise.”
The investigation is based on the analysis of 800 million hacked passwords taken from the company’s own Breached Password Protection database, which lists 4 billion in total. Here’s what to take away from the study.
A password made up of many characters is not necessarily infallible…
The first observation of the study will surprise no one: passwords of 8 characters are the most frequently hacked. A password with a greater number of characters is therefore harder to crack: “the more the length of the characters increases, the more the total number of compromised passwords decreases.” This conclusion is consistent with that of a recent report from Hive Systems.
However, it should be emphasized that length is not a guarantee.
Indeed, within the sample studied, 121.5 million hacked passwords are considered by Specops Software to be sufficiently long, i.e., 12 characters. Worse: 31.1 million hacked passwords consist of more than 16 characters, demonstrating that opting for “longer passwords does not protect you from attacks.” They are particularly vulnerable to brute-force attacks, in which a program tries every possible combination one after the other. Like the hybrid dictionary attack, this method readily picks up on the predictable, repetitive patterns often used by IT administrators.
…but remains more reliable and difficult to decipher
While the Specops Software research team downplays the importance of length alone, arguing that it can confer “a false sense of security,” it still recommends passwords made up of a mix of letters, numbers, and symbols. For example, it takes 3 million years to crack a 13-character password made up of numbers, uppercase letters, lowercase letters, and symbols (see featured image). This holds even though “long passwords can still be compromised.”
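To illustrate the two points above (length widens the brute-force search space, but a long password built from a repeated short unit or already present in a breach list gains little), here is an added Python check that is not code from Specops or from the article. It assumes the usual 95-character printable ASCII alphabet (26 + 26 + 10 + 33), uses the article’s 12-character threshold as the policy minimum, and stands in a small constructed breached-password set for a real breach database.

```python
import math
import string

# Character classes a brute-force attacker must cover; sizes sum to the
# 95 printable ASCII characters (assumption: space counted as a symbol).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# Constructed sample standing in for a breached-password database.
BREACHED = {"password", "Password123!", "Summer2023!Summer2023!"}


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes present in pw."""
    total = sum(size for chars, size in CLASSES.values() if any(c in chars for c in pw))
    return total or len(set(pw))  # fallback for characters outside the classes


def smallest_period(pw: str) -> int:
    """Length of the shortest unit whose repetition reproduces pw (len(pw) if none)."""
    for p in range(1, len(pw)):
        if len(pw) % p == 0 and pw[:p] * (len(pw) // p) == pw:
            return p
    return len(pw)


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force search space for the full password length."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def effective_bits(pw: str) -> float:
    """Same estimate, crediting only the non-repeating unit of a patterned password."""
    return smallest_period(pw) * math.log2(charset_size(pw)) if pw else 0.0


def assess(pw: str, min_length: int = 12) -> dict:
    """Policy check: long enough, not breached, and not a short unit repeated."""
    breached = pw in BREACHED
    period = smallest_period(pw)
    return {
        "length": len(pw),
        "naive_bits": round(keyspace_bits(pw), 1),
        "effective_bits": round(effective_bits(pw), 1),
        "breached": breached,
        "ok": (not breached) and len(pw) >= min_length and period >= min_length,
    }
```

Run `assess("Summer2023!Summer2023!")` to see a 22-character password whose pattern-adjusted strength is that of an 11-character one, and which fails the check on both counts.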