Posted by Roger

Intro

I've written in some detail about the benefits of good passwords but in this article, I present evidence for the value of longer, more complex passwords.

Use stronger passwords to resist brute force attacks on your website

Brute Force Attacks

One common (but certainly not the only) way that hackers try to access your web server and other computer systems you may have is by trying many, many different passwords in conjunction with a known user name (which is commonly an email address). It's a crude method, but it can be effective.

Of course, the whole process is automated - there's no one actually typing these passwords into a login screen.

A survey of available worldwide data conducted by Verizon in 2020 showed that brute force attacks accounted for 34% of all successful IT security breaches in small companies (see page 80 in the Verizon report), so it's a serious issue.

The question naturally arises as to where hackers get their lists of passwords. Since we're talking about brute force attacks, one approach is to generate lists of combinations of letters, numbers and special characters with a software program, then feed that list into the automated tools they use to repeatedly attempt access to the target system.

It turns out that doing this is really very easy.

Password Data

This is the part where I show you why size matters. I want to compare passwords of 5 characters against those of 8 characters.

Longer, more complex passwords give more protection against brute force attacks on your website

So let's start with the 5 character passwords and work out how many combinations there could be, i.e. how many possible passwords could exist.

  • lower case letters only - 11,881,376 passwords
  • lower case and upper case letters - 380,204,032 passwords
  • lower case, upper case letters and numbers - 916,132,832 passwords
  • lower case, upper case letters, numbers and 32 special characters* - 7,339,040,224 passwords.

So, as you can appreciate, making the password more complex increases the number of possibilities significantly which will make the process to crack the password longer.

Now let's look at 8 character passwords.

  • lower case letters only - 208,827,064,576 passwords
  • lower case and upper case letters - 53,459,728,531,456 passwords
  • lower case, upper case letters and numbers - 218,340,105,584,896 passwords
  • lower case, upper case letters, numbers and 32 special characters* - 6,095,689,385,410,816 passwords.

The increase in the number of possibilities is dramatic. Using the most complex 5 character password produces 7,339 million options, but with 8 characters that increases to 6,095,689,385 million possibilities! Taking that to 12 characters would mean 475,920,314,814,253,376,475,136 possibilities. Size matters!

The longer the password and the more complex it is, the harder it is for hackers to gain access to your systems.

To illustrate this, we're going to use data from Sucuri, who state:

In 2007, a computer would be able to make about 7 million password attempts per second. Now in 2021, one can make more than 100 million attempts per second.

Let's use that rate of 100 million attempts/second.

  • a 5 character password, lower case letters only, will take less than 1 second to crack
  • a 5 character password with upper case, lower case letters, numbers and special characters will take 73 seconds
  • an 8 character password with upper case, lower case letters, numbers and special characters will take 19 years
  • a 12 character password with upper case, lower case letters, numbers and special characters will take 150 million years.
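To check the combination counts and crack-time figures above for yourself, here is an added Python example (not code from the original post) that computes the keyspace for each character-class combination and the worst-case exhaustive-search time at the 100 million attempts/second rate. The character classes, the 32-character special set and the rate are taken from the article; the function names are my own.

```python
import string

# Character classes as the article defines them; string.punctuation is
# exactly the 32 ASCII special characters given in the article's note.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "special": string.punctuation,     # 32
}
ALL_CLASSES = ("lower", "upper", "digits", "special")
ATTEMPTS_PER_SECOND = 100_000_000  # the Sucuri figure quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

def alphabet_size(classes):
    """Distinct characters available when the given classes are allowed."""
    return sum(len(CHAR_CLASSES[c]) for c in classes)

def keyspace(length, classes):
    """Number of passwords of exactly `length` drawn from `classes`: N ** L."""
    return alphabet_size(classes) ** length

def exhaustive_search_seconds(length, classes, rate=ATTEMPTS_PER_SECOND):
    """Worst-case time to try the whole keyspace at `rate` guesses per second
    (the article's measure; on average the right guess comes at about half)."""
    return keyspace(length, classes) / rate

def human_duration(seconds):
    """Render a duration in the largest unit that reads well in a report."""
    if seconds < 1:
        return "under 1 second"
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 3600:.1f} hours"
    if years < 1_000_000:
        return f"{years:,.1f} years"
    return f"{years / 1_000_000:,.0f} million years"

def report(rate=ATTEMPTS_PER_SECOND):
    """(length, classes, keyspace, time) rows for the article's comparison."""
    cases = [(5, ("lower",)), (5, ALL_CLASSES), (8, ALL_CLASSES), (12, ALL_CLASSES)]
    return [(n, "+".join(c), keyspace(n, c),
             human_duration(exhaustive_search_seconds(n, c, rate))) for n, c in cases]

if __name__ == "__main__":
    for n, c, size, when in report():
        print(f"{n:>2} chars [{c}]: {size:,} passwords, exhaustive search {when}")
```

Pass a different `rate` to `report()` to see how the same keyspaces fare against faster hardware.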

Conclusion

Well, it's clear that the longer and more complex the password, the more effort it will take hackers to break it. In addition, to quote Sucuri again:

The bigger the effort behind a brute force attack, the easier it is to detect and block with the right tools in place.

As I mentioned above, brute force attacks account for 34% of breaches in small companies. Interestingly, the corresponding figure for large companies is only 8%. The Verizon report does not give any details about why there is such a disparity; however, we could speculate that larger companies have stronger password policies in place to enforce longer and more complex passwords.

It's also worth mentioning that not all brute force attacks use full lists of all possible password combinations because, as we've seen, they can take a long time to complete. Another approach is to use a list of common passwords; these become available after a large company's security data is compromised. Attacks using these lists can be faster and more effective, as the hackers believe (often correctly) that an individual will use the same password on multiple sites.

Actions

  • Raise awareness about password security in your organisation
  • Enforce a policy of using passwords that use lower case and upper case letters, numbers and special characters and which are at least 8 characters in length (better with 12 characters)
  • Use a password manager so people don't have to remember or write down the passwords
  • Don't reuse passwords across different sites
  • Review other methods of protecting your systems, e.g. two-factor authentication.

Note: * The 32 special characters are: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
