We are often asked what length passwords should be. The answer that we give in general is that we would like user passwords to be at least 14 characters and complex, and that administrator passwords would ideally be at least 20 characters and complex. But we often find that systems will not enforce these minimum password lengths. Many critical systems still enforce a minimum password length of just 8 characters. The question then becomes what mitigating controls are in place to protect against someone guessing or recovering a shorter password.
One way that attackers can take advantage of short passwords is by simply trying every possible combination of characters until they hit upon the right one. This is known as “brute forcing” a password, and it is normally done using software that can attempt many guesses each second. Brute force attacks against a live login can easily be mitigated by simply locking users out after they enter an incorrect password multiple times. It is very unlikely that an attacker will guess a user password in just five attempts.
The second way a password can be compromised is when an attacker is able to somehow obtain an encrypted or hashed password and crack it offline. This type of attack assumes that the criminal has already managed to gain some access to your network or system but needs the password to go further. In general, the shorter the password is, the more likely it is that the criminal will be able to crack it within a timeframe that they are willing to devote to the task. The question then becomes whether there are controls in place to keep them from deriving or using the password.
One way that short encrypted or hashed passwords can be made stronger is through a concept called “salting”. Salting adds a random value (the “salt”) to each password before it is hashed or encrypted, so that identical passwords no longer produce identical stored values. This means the attacker will not be able to rely on traditional cracking techniques to obtain the password and will likely move on to easier prey. While it may seem that such an effective control would be commonplace in critical systems, most (including Microsoft) do not implement salting. If a system does salt passwords, it is considered a strong mitigating factor.
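To show why salting matters, here is an added example (written for this post, not code from the original article): two users share the same weak 8-character password, and a constructed precomputed digest-to-password table recovers both unsalted hashes with a single lookup, while the salted records are all distinct and the table finds nothing. The password values and table contents are invented sample data.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # work factor; raise as hardware allows


def hash_unsalted(password: str) -> str:
    """Legacy scheme: one fixed digest per password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted scheme: a random per-user salt mixed in via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def new_salted_record(password: str) -> tuple:
    """What a credential store should keep: (salt_hex, digest_hex), fresh salt each time."""
    salt = os.urandom(16)
    return salt.hex(), hash_salted(password, salt)


def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def recover_from_table(stored_digests: list, table: dict) -> list:
    """Model an offline attacker who already holds a precomputed digest->password
    table and looks each stolen digest up; no hashing work is done at crack time."""
    return [table.get(d) for d in stored_digests]


# Constructed sample data: a tiny precomputed table of weak 8-character passwords,
# and three users, two of whom happen to share one of them.
WEAK_PASSWORDS = ["Summer18", "Welcome1", "Qwerty12"]
TABLE = {hash_unsalted(p): p for p in WEAK_PASSWORDS}
USERS = {"alice": "Summer18", "bob": "Summer18", "carol": "Tq7#vL9p"}


def demo() -> dict:
    unsalted = [hash_unsalted(pw) for pw in USERS.values()]
    salted = [new_salted_record(pw)[1] for pw in USERS.values()]
    return {
        "unsalted_recovered": sum(1 for hit in recover_from_table(unsalted, TABLE) if hit),
        "unsalted_distinct": len(set(unsalted)),  # alice and bob collide -> 2
        "salted_recovered": sum(1 for hit in recover_from_table(salted, TABLE) if hit),
        "salted_distinct": len(set(salted)),      # every record unique -> 3
    }


if __name__ == "__main__":
    print(demo())
```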
Besides salting, the most effective protection against an offline password crack is multifactor authentication. An attacker who has your password but cannot correctly provide an MFA response will be unable to gain access. If a system has strong multifactor authentication in place, the risk of an 8-character password is likely mitigated. When assessing this, you need to make sure MFA is required from ALL locations, not just from outside the network.
Another mitigating control is monitoring and alerting when someone attempts to access the stored encrypted or hashed passwords. If an alert is generated and quickly acted upon when passwords are accessed in an abnormal way, the organization can take steps to stop the attack and ensure that the passwords accessed are changed promptly.
A third mitigating control against offline password cracks can be conditional access. If an attacker has managed to crack your password, but that password is only accepted when the login comes from a system that holds a specific certificate and falls within a specific IP address range, the attacker would need to engineer around these constraints as well, so a successful attack is less likely.
Finally, monitoring and alerting on suspicious transaction activity that a criminal would perform after gaining access using a compromised password can reduce the time that an attacker has to do harm, so these controls are also taken into consideration.
So yes, we do recommend password lengths of 14 for users and 20 for administrators. But we also understand that many systems are not equipped to support these longer passwords, and in those cases, we need to holistically look at the entire control landscape to determine whether we will accept the shorter passwords.
If you have problems assessing password lengths or anything else when it comes to cybersecurity, contact us at support@bedelsecurity.com!