Passwords Don't Need to be 20 Characters

How many characters should your password have? How often should you change it? What if I told you that you have believed a lie? Passwords are an important part of everyday security for anyone who uses any type of technology today, but the notion that a strong password has to be changed every few months is ridiculous. If it’s a strong password, it will take much longer than 60 days to break it by brute force. And why would anyone mandate passwords so long and complex that even the smartest person will have difficulty remembering them from day to day? Do you need a strong password? Yes! Do you need one that is 20 characters long? Absolutely not.

If you have spent as much time online as I have, you have undoubtedly noticed that some websites don’t allow any special characters in their passwords. Others don’t allow any numbers. And the length requirements are all over the place. One would hope that websites used for financial transactions would have the most rigorous of password requirements, but that is not always the case. Are they completely lax in this process, or do they know something we don’t?

I came across an article in 2013 written by William Cheswick for the Association for Computing Machinery (titled Rethinking Passwords) that essentially challenged what have become the “standard rules” for password creation. His approach was pretty simple. He estimated how long it would take to brute-force passwords of different lengths and complexities to determine whether the password rules were outrageously ridiculous. Guess what he determined? They are outrageously ridiculous! He found that an 8-character password that includes at least one upper case letter, one lowercase letter, one number, and one special character, and is not a standard dictionary word, can be broken in about 9 days. But a password of 11 characters using these same elements will withstand the same brute-force attack for 20,000 years!
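To see where figures like “9 days” and “20,000 years” come from, here is an added example (not from the article or from LRI) that counts every password satisfying the four-class rule and converts that keyspace into worst-case search time. It assumes the 95 printable ASCII characters (26 upper, 26 lower, 10 digits, 33 specials) and backs the attacker’s guess rate out of the 8-character, 9-day figure rather than assuming one.

```python
"""Brute-force exhaustion time for a password policy (added example).

Assumed alphabet: 26 upper, 26 lower, 10 digits and 33 printable ASCII
specials, i.e. the 95 printable ASCII characters.  The attacker's guess
rate is calibrated from the article's "8 characters in 9 days" figure.
These choices are this example's assumptions, not the article's.
"""
from itertools import combinations

CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALL_CLASSES = tuple(CLASSES)
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(length, required=ALL_CLASSES):
    """Count strings of `length` over the 95-character alphabet that contain
    at least one character from every class in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing one
    required class, add back those missing two, and so on.
    """
    alphabet = sum(CLASSES.values())  # 95
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * reduced ** length
    return count


def implied_guess_rate(length, days):
    """Guesses per second needed to exhaust `length`-character passwords
    in `days`; used to back out the article's assumed attacker speed."""
    return keyspace(length) / (days * SECONDS_PER_DAY)


def years_to_exhaust(length, guesses_per_second):
    """Worst-case time to try every policy-compliant password of `length`."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = implied_guess_rate(8, 9)  # calibrated to "8 characters in 9 days"
    print(f"implied attacker speed: {rate:.3g} guesses/s")
    for n in range(8, 13):
        print(f"{n} characters: {years_to_exhaust(n, rate):.3g} years")
    # Four times the guess rate (the article's rough "today" adjustment)
    # divides every figure above by four.
    print(f"11 characters at 4x speed: {years_to_exhaust(11, 4 * rate):.3g} years")
```

With these assumptions the 11-character figure comes out at roughly 30,000 years, the same order of magnitude as the article’s 20,000; each extra character multiplies the search by close to 95, which is why three characters matter far more than a 60-day rotation.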

That was using computing capabilities from 5 years ago, so we could feasibly reduce that number down to about 5,000 years today. That’s still strong enough for me. A password of this strength doesn’t need to be changed every 60 days. You could easily relax the rule to changing your password once a year and not require anything longer than 11 characters. Your users will be happier, will be much more able to remember their passwords, and might even take the time to develop something a bit more complex if they know they don’t have to change it again next week. This type of out-of-the-box thinking is exactly what LRI provides for our clients, and we’re ready to help you shift the way you think about security. Sign up below for access to our free video about saving time, money, and resources in cyber security and to schedule a free cyber security consultation with a proven expert in the field.