Cyber 101 – Password Requirements

With a new cyberattack reported every day, everyone is asking one question: how can I make sure I'm not next? Cyber 101 is a series of blog posts focusing on the absolute basics of cybersecurity. By applying these simple measures, your networks and accounts will be on their way to defending against cyber actors.

Password Requirements: Do they work?

The odds are that at some point, you’ve had to battle your computer to find a password the system is willing to accept. So between requiring an ancient hieroglyph, the blood of a day-old fawn, and interpretive dance, why are password requirements so stringent?

Password requirements are built with two different principles in mind: complexity and uniqueness. By taking each of these principles apart, we can show why stronger passwords matter in your environment.


Password Complexity

One of the more common methods used to steal passwords is known as a brute-force attack. In short, the attacker systematically tries every possible password for an account, either against the login itself or, far more often, offline against a stolen password hash, until the correct one turns up. Every additional character class a password must draw from enlarges the set of candidates the attacker has to cover. Let's walk through it with the example word "password":

  1. With no requirements set, a user could simply choose the password "password." Eight lowercase letters give 26^8 possibilities, just under 209 billion.
  2. If you require both an uppercase and a lowercase letter, you might end up with "Password." Eight characters drawn from 52 letters give 52^8, roughly 53 trillion possibilities. (Requiring both cases excludes the all-lowercase and all-uppercase strings, about 0.4 trillion, which does not change the picture.)
  3. Add a required digit and you could use "Passw0rd." Eight characters drawn from 62 symbols give 62^8, about 218 trillion possibilities.

This demonstration shows how password complexity raises the cost of a brute-force attack: there are simply more possibilities for an attacker to try. Two caveats matter in practice. Length grows the space faster than character classes do: a 12-character all-lowercase password has 26^12, about 95 quadrillion possibilities, several hundred times more than the eight-character mixed example. And against a fast, unsalted hash, an offline attacker with modern GPUs can still exhaust the entire eight-character space in hours, so complexity rules need to be paired with a sensible minimum length and a slow password hash.
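
The arithmetic behind the three cases above, as an added Python example (not code from the original post). It counts the keyspace two ways: the loose count used in the list (any string over the allowed alphabet) and the exact count of strings that contain at least one character from every required class, computed by inclusion-exclusion. It also adds the length-only comparison. The guess rate of 10^10 per second is an assumption, in the range of a GPU rig against a fast unsalted hash, used only to turn a keyspace into a time.

```python
"""Keyspace arithmetic for the password-complexity examples (added example)."""
from __future__ import annotations

from itertools import combinations

# Character-class sizes for printable ASCII.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def keyspace(length: int, classes: tuple[int, ...]) -> int:
    """Loose count: every string of `length` over the union of the classes,
    whether or not each class actually appears. This is what the post counts."""
    return sum(classes) ** length


def keyspace_required(length: int, classes: tuple[int, ...]) -> int:
    """Exact count of strings of `length` that contain at least one character
    from every class, via inclusion-exclusion over the classes left out."""
    n = len(classes)
    total = 0
    for k in range(n + 1):
        for omitted in combinations(range(n), k):
            alphabet = sum(c for i, c in enumerate(classes) if i not in omitted)
            total += (-1) ** k * alphabet ** length
    return total


def crack_time_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole space at a given guess rate."""
    return space / guesses_per_second


def report() -> dict:
    """The three cases from the post, plus a length-only comparison and a
    timing estimate. 1e10 guesses/s is an ASSUMED rate for a GPU cracking
    rig against a fast unsalted hash; adjust for your own hash and hardware."""
    cases = {
        "password  (lowercase only)": (8, (LOWER,)),
        "Password  (upper + lower)": (8, (LOWER, UPPER)),
        "Passw0rd  (upper + lower + digit)": (8, (LOWER, UPPER, DIGITS)),
        "12 lowercase letters": (12, (LOWER,)),
    }
    out = {}
    for label, (length, classes) in cases.items():
        loose = keyspace(length, classes)
        exact = keyspace_required(length, classes)
        out[label] = {
            "keyspace": loose,
            "keyspace_with_each_class_required": exact,
            "hours_to_exhaust_at_1e10_per_s": crack_time_seconds(exact, 1e10) / 3600,
        }
    return out


if __name__ == "__main__":
    for label, row in report().items():
        print(f"{label:36} {row['keyspace']:>22,}  "
              f"exact {row['keyspace_with_each_class_required']:>22,}  "
              f"{row['hours_to_exhaust_at_1e10_per_s']:>10.1f} h")
```

Run it and the "12 lowercase letters" row dwarfs the eight-character mixed-class rows, while the "Passw0rd" row shows the whole space falling in a few hours at the assumed rate; that is the reason to treat minimum length and a slow hash as at least as important as composition rules.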

Password Uniqueness

Another standard method used to steal passwords is to take the most common passwords exposed in earlier breaches and simply try them. Lists of exposed credentials are widely sold and traded, and attackers distil the few hundred most frequent passwords across those lists and run each one against a known username or email address, often rotating across many accounts to stay under lockout thresholds (a technique known as password spraying). In our previous example, "password," "Password," and "Passw0rd" would all sit near the top of such a list; "Passw0rd" satisfies every complexity rule above and is still one of the first guesses tried. A larger range of possible passwords therefore only helps if users actually pick from it, and complexity rules on their own do not guarantee that. The direct defence is to check every new password against a blocklist of known-breached and common passwords and reject any match.
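
A blocklist check of the kind just described, as an added Python example rather than the post's own code. The word list is a constructed handful of entries standing in for a real breached-password corpus, and the normalization (case-folding, undoing common letter-for-digit substitutions, stripping a trailing year or punctuation) is a simplified version of the mangling rules attackers apply to such lists. It also applies the composition rules from the complexity section, so it shows that "Passw0rd" passes the rules and is still rejected.

```python
"""Blocklist check for candidate passwords (added example, not the post's code)."""
import re

# Constructed sample standing in for a real "top passwords" list. Real lists
# distilled from breach corpora run to many millions of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "summer", "winter",
}

# Common substitutions, reversed, so "P@$$w0rd" normalizes back to "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Reduce a password to the base word an attacker's wordlist rules would
    reach: lowercase, drop leading/trailing digits and punctuation (a year,
    a '!'), then undo leetspeak. Order matters: strip before translating so a
    trailing '!' is removed rather than turned into an 'i'."""
    base = candidate.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # trailing "2024!", "123", etc.
    base = re.sub(r"^[^a-z]+", "", base)   # leading punctuation
    return base.translate(LEET_MAP)


def meets_composition_rules(candidate: str, min_length: int = 8) -> bool:
    """The classic rule set from the complexity section: length, upper,
    lower and a digit."""
    return (len(candidate) >= min_length
            and any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def is_common(candidate: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True if the password, as typed or after normalization, is on the list."""
    return candidate.lower() in blocklist or normalize(candidate) in blocklist


def evaluate(candidate: str) -> dict:
    """Combine both checks; a password must pass the rules AND miss the list."""
    rules_ok = meets_composition_rules(candidate)
    common = is_common(candidate)
    return {"meets_rules": rules_ok, "common": common, "accept": rules_ok and not common}


if __name__ == "__main__":
    for pw in ["password", "Password", "Passw0rd", "P@$$w0rd", "Summer2024!", "Tr0ub4dor&3"]:
        print(f"{pw:14} -> {evaluate(pw)}")
```

The three passwords from the post all come back as common, and so do "P@$$w0rd" and "Summer2024!" once normalized, even though each of them satisfies the composition rules. In production, swap the constructed set for a full breached-password corpus (or a k-anonymity lookup against one) and keep the normalization, since attackers' rule sets apply exactly these transformations to their base lists.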

The next time you ask your users to create a more demanding password, this Cyber 101 post will hopefully help explain the reasons behind the requirements. An informed user base is an engaged user base, and that is the best hope we have of recognizing and preventing cyberattacks.