Fourteen good reasons to require 14-character passwords
A cheatsheet to overcoming the leadership objections
Password. Password123. Yeah, you’ve seen them all when it comes to bad passwords. They come standard when managing IT security.
But while your organization likely requires special characters, uppercase letters and even a number or two, if you don’t require longer passwords you’re not taking one of the most important steps to protect your network.
Below, we’ve laid out 14 credible reasons to require everyone in your organization to use 14-character passwords. We’re pretty sure you’ll be convinced. If not, long live Password123.
Short passwords. Less variation. An 8-character password has about 722 trillion permutations. A 10-character password has 3.7 quadrillion permutations. That may sound like a lot. It’s not, and that makes it easy for hackers to guess passwords and crack hashes.
Increase time to crack passwords. It takes less than a day to crack an 8-character password and very often a similar amount of time to crack most 10-character passwords. That’s not long in the world of hacking.
14 characters take too long to crack. We’re talking about an insane amount of time to crack – like, longer-than-the-universe-has-existed kind of time. Well, OK, maybe not that long. For four extra characters, we think it’s worth it.
Spaces. Now an option! Most systems allow spaces in a password. This makes it much easier to reach the 14-character requirement when layered on top of other requirements, such as numbers and special characters.
Phrases are easy on the brain. Passphrases are generally easier for people to remember than a password. For instance, “Marvel is way better than DC!” is far easier to remember (and type) than “1r0nM@nSux”. This also means people end up calling the helpdesk less often, saving your staff time and money.
Strength in phrases. Nothing complicated here. Even when randomness is applied to short passwords, they’re still weaker than phrases. That is, if it’s not something common, like “Wu-Tang Forever.”
User confusion isn’t real. Yes, when you implement a 14-character requirement you’ll get help-desk inquiries and annoyed employees. You can’t please everyone. But we’ve seen repeatedly that adoption is quick and the need for assistance falls off rapidly when the change is deployed slowly and with proper security awareness information. Get your employees excited about security!
Most mainframes support them. If your system doesn’t support 14-character passwords, it’s way out of date. Run fast. Kidding, but get that fixed ASAP. You have security issues beyond password length. ACF2, RACF and Top Secret all support more than 8 characters. Also, applications integrated into your system may be responsible for the issue – not the system itself.
Drop complexity in favor of length. If you must, only require 2 of 4 requirements (capital letter, lowercase letter, number, symbol) instead of 3. This will make life easier for users as length increases.
Increase password expiration dates. If you currently require passwords changed after 90 days, increase it to 180 days once you activate the longer password requirements. Again, it makes users a bit less annoyed.
Password spraying is less effective with longer passwords/phrases. The time it takes to guess a password increases exponentially once you implement a 14-character password policy.
Experts say do it. The National Institute of Standards and Technology (NIST) recommends longer passwords ... just in case you need the street cred for making the case.
Works well with MFA. A 14-character password coupled with multi-factor authentication provides solid security. It will also make you more comfortable removing password complexities.
Combats common reuse issues. While users will continue to “reuse” passwords, making only minimal changes, a longer phrase or password helps improve security. Of course, always check sites such as haveibeenpwned to make sure an email account hasn’t been part of a breach.
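An added example, not from the original article: a minimal Python policy check that combines the points above (14-character minimum, spaces allowed, 2 of 4 character classes, rejection of common phrases). The deny-list entries, the choice to count a space as a symbol, and the 72-symbol alphabet (chosen because 72^8 matches the article's figure of about 722 trillion) are assumptions.

```python
import string

MIN_LENGTH = 14          # length requirement argued for in the article
REQUIRED_CLASSES = 2     # "2 of 4" character classes instead of 3
# Constructed deny-list for illustration; a real one would be far larger.
COMMON_PHRASES = {"wu-tang forever", "password123", "password"}


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("symbol")  # assumption: a space counts as a symbol
    return classes


def check_password(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(char_classes(password)) < REQUIRED_CLASSES:
        problems.append("needs more character classes")
    if password.strip().lower() in COMMON_PHRASES:
        problems.append("common phrase")
    return problems


def keyspace(length, alphabet=72):
    """Number of possible passwords of exactly this length (assumed alphabet)."""
    return alphabet ** length


if __name__ == "__main__":
    for candidate in ("Marvel is way better than DC!", "1r0nM@nSux",
                      "Wu-Tang Forever", "Password123"):
        print(repr(candidate), check_password(candidate) or "accepted")
    # How much larger the search space gets from 10 to 14 characters.
    print("growth 10 -> 14:", keyspace(14) // keyspace(10))
```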
A case study
Sprocket was working with a client using a weak password policy. Attempts were made to guess employee passwords and were successful. “So what?”, you ask. At worst, you can read the employee’s mail and nothing that sensitive is in there. This is where you’re wrong. Using access to this employee’s account, Sprocket found a configuration file allowing access to the company’s VPN.
With the user’s credentials and this configuration file, Sprocket gained access to the company’s internal network and took over the entire domain. With this access, it’s entirely possible for a real-world attacker to:
- Steal company data and customer PII
- Deploy ransomware
- Compromise partner companies
Weak password policies not only pose a financial risk to the organization but also a substantial risk to your business partners and customers. Something as simple as a weak password policy can cripple a company and destroy reputation. Don’t count on your security controls and vulnerability scans to keep you safe. Stick to the essentials and protect your employee accounts.
Getting a strong password policy in place might be hard, but it’s worth it. Why put your entire company at risk by not making such a simple change? Not only does this protect your employees, but it also shows other organizations and stakeholders in your company that you’re aware of and care about modern, real threats. Make the change. If you get stuck, send us a note.