Why you don’t need long, complex passwords

Sep 03, 2014 | 9 min read
Authentication | Data and Information Security | Hacking

These days, hackers steal passwords wholesale, not one by one, which is why you can ignore outdated password practices

Password theft and misuse are so widespread that when only a few million passwords are stolen in one cyber heist, it doesn’t even make the news. Today, a breach has to surpass — or claim to surpass — a billion, I guess.

Articles in the wake of such scintillating criminal exploits tend to advocate the same bad remedies. If I see someone recommend a long and complex password again, I think I’m going to puke.


Ignore, for the moment, that I recommended the same many years ago. Times have changed.

How password hacks happen today

Password hacking has been with us as long as we’ve had passwords. For the most part, the chosen means were password guessing or cracking — that is, recovering the plaintext password from some stored intermediate form of it. But methods have advanced over time.

Sure, you still have human hackers (or malware) that attempt to guess people’s passwords, sometimes highly successfully. For example, one of the most popular malware programs, Conficker, successfully compromised hundreds of thousands to millions of drive shares using about 100 hard-coded, simple passwords. Password guessing still works — but it isn’t the primary method used today.

These days, most cases of password theft occur in one of two ways: phishing or credential database compromise. Phishing mostly occurs when an email message or website induces the reader to enter legitimate credentials into a faked logon prompt. You’d think everyone in the world could spot phishing attacks by now, but according to this report, they continue at record levels. Certainly many of the successful APT (advanced persistent threat) attacks begin as spear phishing. Social media sites and rogue applications allow phishers to be as successful as ever.

But the most common way that hackers successfully steal passwords (or their usable intermediate forms, such as hashes) is through theft of credential databases. They either break into a website or into a private directory space and download stored passwords/hashes. These two types of attacks account for nearly all password theft attacks today. Nearly every other method is noise. The days of human attackers pretending to be Matthew Broderick in “WarGames” are long gone.

Which defenses are most successful against credential theft? Well, using overly long and complex passwords is not one of them. Attackers will merely steal your overly long and complex password and say it was nice doing business with you.

Password platitudes

This is not to say that using a nonsimple password is bad. It can only help. But if you choose a password that can’t be immediately guessed in the first few hundred guesses, you’re usually fairly well protected.

My password of “keylargo” is going to provide as much defense against the largest threats as “Key$Largo14$!.” Yes, longer and more complex passwords will frustrate more password guessers and crackers, but in most environments the risk from those attackers is too small to measure.
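As an added example (not from the article), here are the two cheap controls that address the guessing threat the author describes, the fixed password list Conficker used and the “first few hundred guesses” a password should survive: a denylist check that first strips the mangling a cracker would apply (so “Key$Largo14$!” is judged as “keylargo”), and a sliding-window lockout that limits how many guesses an online attacker gets per account. The password list is a constructed stand-in, not Conficker’s actual list.

```python
"""Added example (not from the article): a denylist check for the "first few
hundred guesses" and a lockout that blunts list-based online guessing."""
from collections import deque
import time

LEET = str.maketrans("01345", "oieas")  # common digit-for-letter swaps
TRAILING = "0123456789!$#*.?@_-"        # suffixes crackers try first


def normalize(pw: str) -> str:
    """Reduce a password to the base word a cracker's mangling rules start
    from, so 'Key$Largo14$!' and 'keylargo' compare equal."""
    core = pw.lower().rstrip(TRAILING).translate(LEET)
    return "".join(ch for ch in core if ch.isalnum())


# Constructed stand-in for a real "top few hundred" list (not Conficker's),
# stored normalized so mangled variants of each entry are caught too.
COMMON_PASSWORDS = {normalize(p) for p in (
    "password", "123456", "qwerty", "admin", "letmein", "welcome",
    "abc123", "iloveyou", "keylargo", "monkey",
)}


def is_guessable(pw: str) -> bool:
    """True if the password (after mangling) sits in the denylist."""
    return normalize(pw) in COMMON_PASSWORDS


class LoginThrottle:
    """Lock an account after `limit` failures inside a sliding `window`
    (seconds); `clock` is injectable so tests can control time."""

    def __init__(self, limit=5, window=300.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures = {}  # user -> deque of failure timestamps

    def _recent(self, user):
        q = self.failures.setdefault(user, deque())
        now = self.clock()
        while q and now - q[0] > self.window:  # drop expired failures
            q.popleft()
        return q

    def is_locked(self, user) -> bool:
        return len(self._recent(user)) >= self.limit

    def record_failure(self, user) -> None:
        self._recent(user).append(self.clock())
```

With a five-failure lockout, a fixed list of a hundred guesses buys an attacker only five tries per account before the account goes quiet, which is the point of the author’s “first few hundred guesses” threshold.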

Am I saying users don’t need overly long and complex passwords? Yes, that’s exactly what I’m saying.

Now, I know security experts around the world can’t wait to explain why I’m wrong. But if most passwords are stolen directly from what the end-user enters or from the compromised credential database, how is having a longer or more complex password going to help?

I’ll go further toward tightening my own noose. Most of the time, using “more secure” authentication protocols with stronger hashes and algorithms will gain you very little. Switching from DES to Bcrypt gains you little. Switching from password hashes to Kerberos tickets gains you very little. That’s because today’s password attackers aren’t attacking weaknesses in the protocols. Using a stronger authentication protocol doesn’t get you much.

How do I know? Because the vast majority of companies use these stronger protocols today, but it hasn’t stopped billions of passwords from being stolen this year alone. I haven’t heard a single security pro lament: “If only we had used Bcrypt or Kerberos, we would not have had our credential databases compromised.” You won’t hear that ever. It’s an old solution for a problem that hackers no longer care about.

What does work?

This is not to say that you should throw up your hands and give up. Here are the top two defenses that address the main causes: phishing attacks and credential database theft.

Preventing phishing attacks means better end-user education — I’m a big believer in phishing your own users to teach them a lesson — and the use of multiple antiphishing tools. Many browsers come with antiphishing tools; at a bare minimum, use them. In addition, a host of services will throw up an alert if you (or an end-user) head toward a known phishing site. These services suffer the same accuracy problems as antivirus scanning software, but something is always better than nothing.

The real answer, however, is that host providers need to do a much better job of preventing credential databases from being stolen. That means making it significantly harder for bad people and malware to access the highest-privileged accounts on the systems that host credential databases. I’ve covered this many times before in previous articles; it can be done. The biggest defense in this category is to get rid of all your permanent members of elevated groups. It works wonders.

I’m also a big believer in two-factor authentication (2FA). More and more corporate networks and public services support 2FA schemes. There are important caveats, though, beginning with the fact that most public websites still don’t support 2FA.

Moreover, if the bad guy is allowed to get access to the 2FA authentication database or service, game over. This is best exemplified by the 2011 attack against RSA and its 2FA solution, SecurID. Initially, RSA said the compromise of its own infrastructure, including RSA SecurID information, could not lead to additional customer compromise. In the end, this statement did not hold up.

It’s also important to realize that even though the end-user or device may use 2FA to authenticate, behind the scenes, at the OS or directory level, the 2FA token is often not in play. After successful 2FA authentication occurs, all further authentication and access control transpires using single-factor authentication (typically some other digital token that stands in for the password). If the bad guy steals those single-factor tokens, it’s game over, 2FA or not.

A lot of websites that support 2FA authentication don’t require it. Bad guys love this. You may enable 2FA and even tell the website that you’re going to use it exclusively, but the bad guy can call tech support, make up a lie, and get your 2FA turned back to 1FA. Sometimes all it takes is answering your far weaker “security questions,” whose answers can often be determined via information about you easily obtainable on the Internet.

Lastly, and this may surprise some readers, decades of evidence prove that 2FA solutions ultimately do not protect users or devices if the involved endpoint node is compromised. I first wrote about this in 2006, but even then, it was historical information. Bank-account-stealing Trojans have long been circumventing 2FA. How do they do it? In a nutshell, if the bad guys have control of your endpoint, they can fake whatever they wish in order to accomplish their malicious activity. They can even take over your account and redirect all new business to themselves. It’s far easier to cut you out of the chain than to take it over.

Other password protections

I’m a big believer in two other defenses. First, don’t reuse your passwords across different security domains or websites. We all belong to dozens of different websites and networks. The more you belong to, the higher the risk of malicious compromise — which will happen eventually. If you don’t reuse your logon credentials all over the place, you make it harder for the bad guys to hurt you more than once.

Second, periodically change your passwords across all sites. I try to do this once a year. You have to assume that at least one of your passwords is sitting around in a hacker database, waiting to be used. By changing your passwords once a year — or more often if you want to reduce risk even further — you make hackers’ ill-gotten gain less effective over time. This of course assumes that all the people and processes protecting the credential database in which your password is stored are doing the same. But you can only control your actions, so start with yourself.

Like most of the world around us, password hacking methods and tools have not remained static. The old advice of using long and complex passwords protected by strong authentication protocols isn’t as helpful as it once was. It doesn’t hurt, but it isn’t slowing down hackers much. Instead, use decent passwords, change them periodically, don’t share them among sites, and opt for 2FA where you can.

I’ll even ignore for a few minutes the glaring fact that if a hacker has already obtained your logon credentials, he or she probably has the ability to access any data or service you were trying to protect in the first place. For now, let’s take baby steps.

This story, “Why you don’t need long, complex passwords,” was originally published by InfoWorld.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.