Which one of these two passwords is more secure?
B@s3ba!! takes 10 days to crack. ilikecatsandfishing takes 95 centuries to crack.
Most of us are brainwashed about what constitutes a secure or "strong" password. We often think a password that consists of 8 characters with complexity requirements (uppercase, lowercase, number, special character) is more secure than a "passphase" with no complexity requirements. This is not true. A long (over 15 characters) passphrase is more secure than a 8 character password with complexity requirements. Plus, people can typically remember passphrases, such as a long sentence in all lowercase, so passphrases are less likely to be written down.
For this blog, we used the Kaspersky Secure Password Check to validate. Note: don't ever use one of your active real passwords on this or any other similar site.
As you can see from the images, the B@s3ba!! password took 10 days to crack. ilikecatsandfishing took 95 centuries.
The moral of the story is a longer password with no complexity requirements, often known as a passphrase, is more secure than a shorter password burdened with complexity requirements.
Most organizations make assumptions about cyber security and secure passwords. It is best to validate your policies by doing what an attacker would do, such as routinely checking (cracking) passwords that meet your password policy. Without doing this step, you assume the password policy makes sense and is protecting you. Validate, don't assume.
Check out the Klingon version of the Kaspersky Secure Password Check tool, if you feel like nerding out. Best of luck.
- Certified Ethical Hacker (CEH) Training
- Intro to Penetration Testing Training
- Penetration Testing Resources