Is "RogerLovesTaco$24" a strong password? No! Everyone has a ton of passwords, and every one of them should be strong and unique to the site or service it protects. Everyone knows this.
Note: The information and recommendations in this post are supported in detail by the KnowBe4 ebook, What Your Password Policy Should Be.
What Is a Strong Password?
But what does having a strong password really mean?
Well, it means resistance to every known password-guessing and password hash-cracking attack. There are many different types of attacks against passwords, but the only ones where the strength of your password matters are guessing and cracking attacks. If I can socially engineer you out of your password, which is what happens in 79% of credential theft instances, I do not care how strong it is.
If I can use an unpatched vulnerability to bypass all your defenses and steal your password or password hash, I do not care how strong your password is either. But for password guessing and cracking attacks, hackers very much care about how strong it is.
Password Strength Over Time
It has changed over time, especially as password attacks have improved.
Back when I started in computer security in 1987, it meant having a password at least six characters long. To be honest, we would just get excited if you used a password at all, or had one that was not just three or four characters long, or was not 'password'.
My third book, in November 2004, a monthly serial ebook on password attacks and defenses for Windows & IT Pro magazine called Keeping Your Business Safe From Attack: Passwords and Permissions, also discussed recommended password strength. It called for eight-character passwords with some complexity (e.g., uppercase characters, numbers, symbols, etc.) for most users. I also said that if you used a 15-character or longer password, it disabled LAN Manager (LM) password hash storage, which was a great thing to do, especially for administrative accounts.
Much of the early guidance on password strength was based on early National Institute of Standards and Technology (NIST) recommendations, which Microsoft and other vendors followed as well.
Over time, because of the increasing speed of hacker password-guessing and cracking technology, the minimum recommended length became 10 characters and then 12 characters. Today, most organizations enforcing a 12-character, complex password would pass most password audits.
But 12 characters with some complexity is not enough against today's password hackers. An attacker guessing online can only go as fast as the target platform allows, but an attacker who has obtained stolen password hashes tests them offline, and with sufficient hardware or funding can exceed ten trillion guesses a second. (That rate is for fast hash algorithms; slow, salted algorithms cut it by orders of magnitude, but many systems still store fast hashes.)
Would your password withstand being guessed at over ten trillion times a second? Probably not.
Strong Passwords Today
In order to defeat password guessers and password hash cracking, what constitutes a strong password today is one of three things:
- Use multi-factor authentication (MFA) instead. If you have to use a password, create and use either:
  - a 12-character or longer, perfectly random password, like r#3Yv&ZCAojrX, or
  - a 20-character or longer password with some complexity, if it is created by a human.
It is believed that a 12-character, truly random password defeats all known password-guessing and cracking attacks. There could be a nation-state that could defeat a password of that strength, but it is not publicly known, and let's be realistic: if a nation-state threat actor is after you, they are going to get you one way or another. We are just trying to stop non-nation-state hackers.
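To put numbers on the "12 random characters" recommendation, here is an added example (not code from the original post or from KnowBe4) that generates a password uniformly at random with the OS random source and works out how long an exhaustive search of that keyspace would take at the ten-trillion-guesses-per-second rate quoted above. The 94-character alphabet (letters, digits and the punctuation on a US keyboard) and the 365.25-day year are this example's assumptions; it also shows the lowercase-only case to illustrate how much of the strength comes from the alphabet, not just the length.

```python
import math
import secrets
import string

# Assumed alphabet: every printable US-keyboard character except space (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Offline cracking rate quoted in the post: ten trillion guesses per second.
GUESSES_PER_SECOND = 10_000_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password(length: int = 12, alphabet: str = FULL_ALPHABET) -> str:
    """Return a password chosen uniformly at random from alphabet**length.

    secrets.choice draws from the OS CSPRNG; the random module must not be
    used for this, because its output is predictable from a small sample.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords a uniform generator can produce."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniform password, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` (the average hit is half that)."""
    return space / rate / SECONDS_PER_YEAR


def summarize(length: int, alphabet_size: int = len(FULL_ALPHABET)) -> dict:
    """Keyspace, entropy and full-search time for a uniform password of this shape."""
    space = keyspace(alphabet_size, length)
    return {
        "length": length,
        "alphabet": alphabet_size,
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "years_full_search": years_to_exhaust(space),
    }


if __name__ == "__main__":
    print("freshly generated:", random_password(12))
    for n in (8, 10, 12, 16):
        s = summarize(n)
        print(f"{n:>2} random chars from {s['alphabet']}: "
              f"{s['bits']} bits, {s['years_full_search']:.3g} years to exhaust")
    # Same length, lowercase letters only: the alphabet, not the length, collapses.
    s = summarize(12, 26)
    print(f"12 random lowercase letters: {s['bits']} bits, "
          f"{s['years_full_search'] * SECONDS_PER_YEAR / 3600:.1f} hours to exhaust")
```

At the quoted rate, eight random characters from the full alphabet fall in about ten minutes, twelve take roughly fifteen centuries to exhaust, and twelve lowercase-only characters are gone in under three hours. That gap is the reason the post distinguishes a 12-character random password from a 20-character human-chosen one: a human-chosen password never draws uniformly from the full alphabet.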
Our Recommended Password Policy
Here are our password recommendations in full (graphically represented):
Long, Complex Passwords Can Be Surprisingly Simple To Crack
This part of my post may be a bit of a shocker, but I am familiar with several password penetration testing teams who routinely break 18-character complex passwords. Passphrases like RogerLovesTaco$24 are routinely guessed and cracked. That may be shocking to some.
It is 17 characters long and contains complexity. And, yes, passwords like that are successfully guessed all the time by non-nation-state hackers.
To be fair, it is usually the password hash that is being successfully guessed. The longest real-world password guess I am aware of, using just application-based password guessing, is 10 characters. That attack is here. It required the defender to have such poor security that the attacker could guess over 100,000 times a day for over a year, although I think this type of attack would be possible against the majority of companies around the world (i.e., the victim company was not an outlier).
The longer and more complex passwords I am aware of that have been "guessed" were successful cracks against stolen or otherwise obtained password hashes. Password hashes can be stolen in lots of ways, and many times it does not take local administrative access. I covered that here.
As covered above, attackers can now routinely test stolen password hashes at over ten trillion guesses a second, and it has been this way for years. I can never re-read that fact without being blown away each and every time. At that speed, very long and supposedly complex passwords like "RogerLovesTaco$24" can be successfully guessed in a short amount of time.
Now let me state that if you use a long and complex password, say 12 characters or longer, I am, in general, pretty happy that you do. But if you want a strong password that is truly resilient against known password-guessing and cracking attacks, it has to be either truly random or at least not so easily guessable and crackable. I would prefer that you use a truly random password. Those are the best and most resilient to guessing and cracking. Everything else is a hedge made for convenience, or a policy that makes you less secure.
But password guessers know that most people's passwords, even when complexity is required, follow some basic rules. Not all passwords, and not all password creators, but most. Those rules mean the password will likely include one or more words from the user's native language. If required to use a capital letter, they will usually put it as the first character, and that first character will typically not be a vowel.
If they have multiple words in their password and capitalize each word, the capital will usually be the first letter of the word. That capital letter will almost always be followed by a lowercase character, and usually a vowel (although not always).
If they use a single digit, it will likely be 1, 2 or 3, and it will appear at the end. If they use multiple digits, it will usually be a two- or four-digit date, often the current year or the year of the person's birth. People also like to put sequential numbers in their passwords, such as 123, 123456 and 123456789.
If they use a symbol, it will usually be one of !@#$&, and it will be at or toward the end of the password. Even when users are allowed to use every character on the keyboard (usually 89 to 101 are available), most people draw from the same 19 characters.
Some letters (e.g., Q and Z) will be underused, and others (e.g., A, E, T, N, S) overused; Scrabble tile scoring is a rough guide to letter frequency. When a passphrase is used, people like to mimic grammatically correct phrasing and sentence structure.
People love to include names, places, dates and sports (including sports teams) in their passwords. Users like to put the word password in their password. qwerty, Iloveyou and abc123 are not uncommon. The most common passwords this year are nearly identical to the most common passwords of 20 years ago. They do not really change that much.
Much of the reason a supposedly complex password (or passphrase) like RogerLovesTaco$24 gets guessed is that it follows many of the most common rules for user-created passwords: it starts with an uppercase consonant, followed by a lowercase vowel; it follows English grammar; it ends with a commonly used symbol and the digits of the current year. In short, it is fairly predictable to an attacker guessing trillions of times a second.
Want a stronger password?
Use a randomly generated password, or one that does not follow the expected rules. Simply moving the numbers or the uppercase characters into the middle of the password makes it significantly harder to crack. Starting with a lowercase vowel followed by an uppercase consonant makes it a lot harder to guess.
"RogerLovesTaco$24" and other passwords like it are not weak. They are not bad passwords, and they are stronger than most. But if you want a truly strong and resilient password, break some of the rules.
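The habits listed above (capital consonant first, lowercase vowel second, capitals only at word starts, digits as a date at the end, a symbol from !@#$& near the end, a dictionary word inside) are exactly what mask- and rule-based cracking enumerates first. The added example below (not code from the original post or from KnowBe4) turns those habits into checks and runs them over the post's passphrase, a variant with the digits, capitals and symbol moved inward as the "break some of the rules" advice suggests, and the post's random example. The word list, the "last 40% of the password" cut-off for symbol placement and the rule-broken variant `roge$24rLOVEStaco` are this example's constructed assumptions, not the post's.

```python
import re

VOWELS = set("aeiou")
# The short list of symbols the post says most people reach for.
COMMON_SYMBOLS = set("!@#$&")
# Constructed stand-in for a wordlist (assumption for this example); a real audit
# would load a dictionary plus names, teams, places and leaked-password lists.
COMMON_WORDS = {"password", "love", "loves", "roger", "taco", "qwerty", "iloveyou", "abc123"}


def predictable_patterns(pw: str) -> list[str]:
    """Return the human-password habits from the post that `pw` exhibits.

    Each hit is a structural regularity that rule- and mask-based guessing
    exploits; fewer hits means the password sits further from the part of
    the keyspace attackers search first.
    """
    hits: list[str] = []
    if not pw:
        return hits
    n = len(pw)

    # 1. First character is an uppercase consonant.
    if pw[0].isupper() and pw[0].lower() not in VOWELS:
        hits.append("starts with an uppercase consonant")

    # 2. That leading capital is followed by a lowercase vowel.
    if n > 1 and pw[0].isupper() and pw[1].islower() and pw[1] in VOWELS:
        hits.append("uppercase letter followed by a lowercase vowel")

    # 3. Every capital begins a word: each one is followed by two lowercase letters.
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    if uppers and all(pw[i + 1:i + 3].isalpha() and pw[i + 1:i + 3].islower()
                      for i in uppers):
        hits.append("capitals used only as word initials")

    # 4. Digits appear only as one run at the very end (often a date or 123...).
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    if m and not any(c.isdigit() for c in m.group(1)):
        digits = m.group(2)
        hits.append(f"digits only at the end ({digits})")
        if len(digits) in (2, 4):
            hits.append("two- or four-digit date-like suffix")
        if len(digits) >= 3 and "123456789".startswith(digits):
            hits.append("sequential digit run")

    # 5. Symbols all come from !@#$& and all sit in the last 40% of the password
    #    (the 40% cut-off is this example's assumption for "toward the end").
    symbols = [(i, c) for i, c in enumerate(pw) if not c.isalnum()]
    if symbols and all(c in COMMON_SYMBOLS and i >= 0.6 * n for i, c in symbols):
        hits.append("common symbol placed near the end")

    # 6. A dictionary word or well-worn password fragment is present.
    lower = pw.lower()
    found = sorted(w for w in COMMON_WORDS if w in lower)
    if found:
        hits.append(f"contains common words ({', '.join(found)})")

    return hits


def audit(candidates: dict[str, str]) -> dict[str, int]:
    """Map each label to the number of predictable patterns its password shows."""
    return {label: len(predictable_patterns(pw)) for label, pw in candidates.items()}


if __name__ == "__main__":
    samples = {
        "post's passphrase": "RogerLovesTaco$24",  # the post's example
        "rules broken":      "roge$24rLOVEStaco",  # constructed: same material, rearranged
        "post's random":     "r#3Yv&ZCAojrX",      # the post's random example
    }
    for label, pw in samples.items():
        hits = predictable_patterns(pw)
        print(f"{label:<18} {pw:<20} {len(hits)} predictable pattern(s)")
        for h in hits:
            print("    -", h)
```

The passphrase trips every check, the rearranged variant trips only the dictionary-word check (the words are still in it, so a rule-based attack that stems and reorders tokens could still reach it), and the random password trips none. The heuristics are deliberately crude; their point is that "complex" by policy and "unpredictable" to a cracker are different properties.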