The National Institute of Standards and Technology (NIST) defined the rules for strong passwords nearly 20 years ago. Password rules will be familiar to many, as they are still used by numerous websites, portals, and other services: at least 8 characters, uppercase and lowercase letters, numbers and special characters. Despite this rule, even passwords that satisfy the criteria are no longer secure against modern attackers. Individually, the only thing we can do to enhance the security of our accounts is to ensure that our passwords are long, complex, and never reused across multiple accounts. However, this approach is cumbersome and overwhelming for individuals due to high password maintenance requirements. Companies and industries will be the ones responsible for increasing online safety for their users by using passwordless authentication solutions, like FIDO2, and eliminating passwords altogether.
Today, The Same Password Rules Cannot Apply
Password-based security is no longer considered adequate in this day and age. We need to ensure now more than ever that our data is protected from cybercrime as our digital world expands rapidly. With the growing use of online services, cybercriminals see an opportunity to target people in more sophisticated ways. One reason is that while we enjoy the advancement of technology for our personal, social, or economic development, cybercriminals have likewise enjoyed the advantage of better graphics cards and machine learning to develop their methods of attack. Besides the issue of more advanced cyberattacks, we face two main interlinked issues with traditional password rules:
The first issue relates to our struggle to manage passwords
As an individual, you can make your passwords more secure by doing a few things. For starters, lengthen and enhance the complexity of your passwords. Secondly, use a different password for every site you visit. However, the more complex a password becomes, the harder it is to remember. As a result, we tend to choose passwords that are easy to remember, but do not meet all the requirements. Managing numerous complex passwords for every online account also becomes overwhelming, and so the same passwords are often reused for different platforms. Consequently, a successful attacker hits the jackpot right away.
At the same time, the fault lies not with our password management abilities but with the level of password complexity now required to stay safe online. A good solution is to use a password manager to create and store strong passwords. Without help like a password manager, managing strong passwords for every online account we own is humanly impossible. The result is that people write down their passwords because they cannot remember complex, random sets of letters, numbers, and special characters. With notes kept on a desk or in documents on the computer, passwords are left unguarded, and an attacker who reaches them can read them directly.
The second issue lies in the mathematical limitation of passwords
Since a password is a combination of letters, numbers and symbols, there is always a mathematically limited number of possible password combinations. As a result, brute force attacks are the most effective method for cracking passwords. A brute force attack tries all possible combinations of letters, numbers and symbols until the right combination is found and the password is cracked. In theory, the longer the password, the more combinations there are and the longer it takes to crack, making it more secure. However, attackers now use Graphics Processing Units (GPUs) to crack passwords at significantly higher rates. GPUs were originally built to render images and video quickly and are part of a computer's graphics card. They have also proved useful for calculating hashes, which is what a brute force attack does for every guess: it hashes the candidate and compares the result with the stolen password hash.
Research on password cracking time shows that with more powerful graphics cards, the time taken to crack passwords decreases significantly. An 8-character password that took 8 hours to crack in 2018 now takes only 39 minutes using the latest available graphics cards (see the conclusive 2022 results in the table below). There is a worrying trend that passwords are becoming rapidly easier to crack due to the latest technological advancements. More important, however, is that regardless of password complexity or what graphics card the attacker is using, if a password has previously been stolen, reused between sites, or uses simple words, attackers can gain access to your accounts instantly.
To visualize this mathematical example, consider a 4-character password that consists of the 26 letters of the Latin alphabet (case-insensitive), meaning we have
26^4 = 456,976 possible password combinations
When you add special characters, numbers, and uppercase and lowercase letters, the possible combinations increase to
95^4 = 81,450,625 possible password combinations
However, since the password must contain at least one uppercase and one lowercase letter, one number and one special character, the number of valid combinations reduces to
5,353,920 possible password combinations
Regardless, a computer cracks this in less than a second, assuming no password-entry protection mechanisms (such as automatic account blocking). Note that such mechanisms only slow down guessing at the login form; an attacker who has stolen the hash database can test guesses offline at the full speed of their hardware.
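To show where these figures come from, here is an added Python example that is not part of the original article. It counts the keyspace of a password policy with inclusion-exclusion, so the ‘at least one of each class’ rule can be evaluated for any length rather than only for the 4-character case above, and it converts a keyspace into a worst-case guessing time. The guess rate of one billion guesses per second is an assumption chosen for illustration, not a figure from the article or a measurement of any specific hardware.

```python
from itertools import combinations

# Character classes as the article counts them: 95 printable ASCII characters
# split into four classes (the 33 specials are the printable symbols other
# than letters and digits, space included).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Assumed guess rate for the timing illustration (a round figure chosen here,
# not a measurement from the article or any specific hardware).
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def unconstrained_keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` characters drawn freely from `alphabet_size` symbols."""
    return alphabet_size ** length


def constrained_keyspace(classes: dict[str, int], length: int) -> int:
    """Passwords of `length` characters containing at least one character of every class.

    Inclusion-exclusion over the set of classes that are absent: start from all
    strings, subtract those avoiding one class, add back those avoiding two
    (they were subtracted twice), and so on. Strings avoiding every class come
    from an empty alphabet and count as 0.
    """
    names = list(classes)
    total = sum(classes.values())
    count = 0
    for k in range(len(names) + 1):
        for absent in combinations(names, k):
            remaining = total - sum(classes[name] for name in absent)
            count += (-1) ** k * remaining ** length
    return count


def policy_fraction(classes: dict[str, int], length: int) -> float:
    """Share of the full keyspace that the 'one of each class' rule leaves."""
    full = unconstrained_keyspace(sum(classes.values()), length)
    return constrained_keyspace(classes, length) / full


def worst_case_seconds(keyspace: int, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust a keyspace; on average a brute force search succeeds at half this."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    print("26 letters, 4 chars:      ", unconstrained_keyspace(26, 4))
    print("95 chars, 4 chars:        ", unconstrained_keyspace(95, 4))
    print("one of each class, 4 chars:", constrained_keyspace(CLASSES, 4))
    for length in (4, 8, 12):
        space = constrained_keyspace(CLASSES, length)
        print(f"length {length}: {space:,} combinations, "
              f"{policy_fraction(CLASSES, length):.1%} of the free keyspace, "
              f"worst case {worst_case_seconds(space):,.0f} s at the assumed rate")
```

For 4 characters the constrained count equals 4! × 26 × 26 × 10 × 33 = 5,353,920, because each class must appear exactly once; for longer passwords the composition rule removes a much smaller share of the keyspace, which is why length matters far more than the rule itself.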
Make Passwords Longer And More Complex
When tasked with creating a new password, longer or more complex passphrases are highly recommended, because they are more difficult for potential attackers to crack. In addition to the number of possible combinations, it is also important to consider the popularity of the chosen password. For example, brute force attacks are often also based on lists of frequent passwords or phrases, such as ‘qwerty’, ‘password’, or ‘12345’.
The password should therefore be as unique as possible, or not contain any dictionary words at all. One method is to use acronyms or mnemonics, such as taking the first letters of a long sentence and building a password out of them. For example, the phrase ‘I love to ski at Seven Springs!’ could become the password ‘Ilts@7S!’.
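As an added example (not from the original article), the following Python check is the kind of registration-time filter a service can apply to the advice above: it enforces the length and character-class rules, then compares the candidate against a list of frequent passwords after undoing the case changes, trailing digits and letter-for-symbol substitutions that cracking rule sets routinely try, so that ‘P@ssw0rd’ is judged as ‘password’ while the mnemonic ‘Ilts@7S!’ passes. The blocklist and substitution table are constructed for illustration; a real deployment would load a large breach-derived list.

```python
import string

# Constructed sample of a "frequent passwords" list for illustration; a real
# deployment would load a large breach-derived list instead.
COMMON_PASSWORDS = {
    "password", "qwerty", "12345", "123456", "letmein", "welcome", "iloveyou", "admin",
}

# Letter-for-symbol substitutions mapped back to the letter they usually stand
# for, so a candidate is also compared to the list in its plain form.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 8  # the length rule from the article


def normalized_forms(password: str) -> set[str]:
    """Plain forms of a candidate: lowercased, with trailing digits/symbols removed, and de-substituted."""
    core = password.rstrip(string.digits + string.punctuation)
    return {password.lower(), core.lower(), core.lower().translate(LEET_MAP)}


def is_common(password: str) -> bool:
    """True if any plain form of the candidate is on the frequent-password list."""
    return any(form in COMMON_PASSWORDS for form in normalized_forms(password))


def missing_classes(password: str) -> list[str]:
    """Character classes required by the composition rule that the candidate lacks."""
    present = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in present.items() if not ok]


def evaluate(password: str) -> list[str]:
    """Reasons a candidate is rejected; an empty list means it passes every check."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    missing = missing_classes(password)
    if missing:
        reasons.append("missing " + ", ".join(missing))
    if is_common(password):
        reasons.append("matches a frequent password after normalization")
    return reasons


if __name__ == "__main__":
    for candidate in ("Ilts@7S!", "P@ssw0rd!", "Password123", "qwerty"):
        verdict = evaluate(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The normalization step is the part that matters: ‘P@ssw0rd!’ satisfies every composition rule, yet a cracking run that tries common words with standard substitutions finds it almost immediately, so a filter that only counts character classes would accept it.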
Still, Password Length And Complexity Is Not Enough
We have seen that the only lever we have over the strength of our passwords, and thus the security of our accounts, is to make them longer and more complex. Below, the average time it takes an attacker to crack a password using a powerful commercial computer in 2022 is shown. This table has been studied and updated since 2018, and it shows that modern computers keep increasing the speed at which passwords can be cracked. The trend points to one conclusion: whatever we do to make passwords longer and more complex, passwords alone are no longer sufficient to achieve adequate online security.
In conclusion, password rules make passwords more complicated, but not necessarily more secure.
To Beat Advanced Attackers We Have To Eliminate Passwords
With today’s powerful computers and machine learning capabilities, attackers can easily program scripts and bots to quickly crack and collect usernames and passwords. Our article here explains how machine learning and modern bots are used for account takeover fraud. In addition, you are likely to fall for a phishing email or text message without even realizing it and have your passwords stolen that way as well. Meanwhile, the most sophisticated passwords are worthless if they are shared with others, written down, or stored in plain text on your computer. Even the most advanced password manager will not help you in such cases. No matter how long and complex your password is, once stolen, an attacker gains free access to your accounts.
The good news is that there are ways to eliminate passwords completely and remove the security risk they pose. Unfortunately, as an individual, you cannot take any significant action, as the underlying issues lie beyond what can reasonably be expected of a user. Rather, you should avoid or be cautious of online services or websites that rely only on traditional password rules for account security. Companies that implement two-factor or multi-factor authentication (2FA/MFA) are a step in the right direction. However, implementing FIDO2 passwordless authentication solutions is the best method for companies. Our article here discusses how FIDO2 is stronger than other 2FA or MFA solutions for online security. FIDO2 is an open standard for passwordless login developed by the Fast Identity Online Alliance. As phishing and ransomware threats become more sophisticated, eliminating passwords makes it much more difficult for hackers to gain access to accounts and make transactions.
As individuals, we can take comfort in knowing that FIDO2 will be adopted in many industries soon, paving the way for a passwordless future.