Katherine Parker

Marketing & Communications

The Password

As a marketing manager armed with a math degree and working for a network security firm, I have a unique vantage point into an industry that is not entirely in my wheelhouse but is still in my academic neighborhood. I am a non-technician on staff, yet my education still gives me the ability to grasp security methods and the technology that supports them. This is essential: my job is to convey intelligently the many important, business-saving principles of a secure network. While there is industry jargon I have had to learn and there are abstract concepts of virtualization I have worked to understand, I have also come to appreciate that the fundamental mathematical laws that rule the universe remain consistently true in the field of network security. This means that conventional wisdom in network security is occasionally up for revision when the math no longer adds up. It is particularly true of the wisdom regarding secure access to our computers, applications, and so forth, universally recognized by what we affectionately call ‘the password’.

As we have all figured out by setting up access to our bank and email accounts, the minimum requirement for a password is that it contain an assortment of upper- and lower-case letters and numbers, and that it be at least 6 characters long. Those are the minimum requirements for a login system to accept your password as safe. Oh, and please now add a special character. Hold on… now make the password 8 – no – 12 characters long. And in six months there will be a prompt to change your password. Get a password manager; you’re going to need it.

The rules, they are a-changing.

What’s Prompting the Password Rule Changes?

Bill Burr of NIST was the person who originally codified password best practices way back in 2003. Unfortunately, bad actors kept finding new ways to blast through passwords. They are, after all, nothing more than a limited set of letters, numbers, and symbols, and the number of arrangements possible at a given password length is fixed. There is a simple mathematical formula for the size of that search space. As you might expect, bad actors went about finding creative ways and clever algorithms to crack passwords. One of the most effective tools is called hashcat, which is available to all. Eventually, Burr had to come out publicly and clear the air: those original password best practices now offer little more than false promises. Passwords will need some further enhancements in order to be strong.

Making Passwords Work

The use of passwords is still an important step for secure access. We should not ‘throw the baby out with the bathwater’ just because the best minds of 2003 could not foresee the uptick in computation speeds that would make it relatively quick to figure passwords out. Brute-force attacks still have to work through an algorithmic process of exhausting all the various arrangements of letters, numbers, and symbols to find the right sequence, and this gives us the advantage we need. The lovely thing about permutations is that the time it takes to rifle through every variation of a relatively short password, compared with the time it takes to exhaust every possibility of a very long one, grows not at a mere exponential rate. No, no. It grows at a geometric rate.

Check out password hack times for yourself:

Typical password consisting of 6 upper- and lower-case letters, numbers, and special characters: 4 minutes
Typical password consisting of 8 upper- and lower-case letters, numbers, and special characters: 24 days
Typical password consisting of 12 upper- and lower-case letters, numbers, and special characters: over 5,000 years
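To show where figures like the ones above come from, here is an added example (my own illustration, not part of the original post) that sizes the brute-force search space for a password of a given length and alphabet and converts it into a worst-case exhaustion time. The 95-symbol alphabet and the guessing rate of 3e9 candidates per second are constructed assumptions; the rate was picked so the 6- and 8-character cases land near the post's "4 minutes" and "24 days".

```python
# Added example (not from the original post): brute-force search-space sizing
# for password-length policy. The guessing rate is an assumption, not a
# measurement; change it to match whatever hardware you are planning against.

ALPHABET = {
    "lower": 26,
    "upper": 26,
    "digits": 10,
    "special": 33,   # printable ASCII punctuation (constructed assumption)
}

def alphabet_size(*classes: str) -> int:
    """Number of distinct symbols available when the listed classes are allowed."""
    return sum(ALPHABET[c] for c in classes)

def keyspace(size: int, length: int) -> int:
    """Every position independently takes one of `size` symbols: size ** length."""
    return size ** length

def seconds_to_exhaust(size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: the attacker has to try every string in the keyspace."""
    return keyspace(size, length) / guesses_per_second

def human_time(seconds: float) -> tuple[float, str]:
    """Express a duration in the largest unit that keeps the value >= 1."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, span in units:
        if seconds >= span:
            return round(seconds / span, 1), name
    return round(seconds, 3), "seconds"

def length_policy_table(lengths, rate: float = 3e9):
    """Rows of (length, keyspace, value, unit) for the full 95-symbol alphabet."""
    size = alphabet_size("lower", "upper", "digits", "special")
    rows = []
    for n in lengths:
        value, unit = human_time(seconds_to_exhaust(size, n, rate))
        rows.append((n, keyspace(size, n), value, unit))
    return rows

if __name__ == "__main__":
    for n, space, value, unit in length_policy_table([6, 8, 12]):
        print(f"{n:2d} chars: {space:.3e} candidates, ~{value:,} {unit} at 3e9 guesses/s")
    # Two extra characters multiply the work by 95**2 (9,025x), not by 2.
    print("8 vs 6 chars:", keyspace(95, 8) // keyspace(95, 6), "x more work")
```

The point to take from the table is the ratio between rows, not the absolute numbers: a faster cracking rig shifts every row down together, while each added character multiplies the work by the alphabet size.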

Passwords and Promises of Multi-Factor Authentication Protection

Multi-factor authentication sends an additional approval request or code to confirm access after the password step is complete.

Bear in mind that a code cracker’s bag of tricks is not limited to hashcat and clever algorithms. They also practice social engineering techniques and will even use various malware (like a keylogger) to get a peek at password information. Why would a bad actor use hashcat on you if, for instance, they know your passwords are kept in your bottom right drawer? That is why having a two-factor/multi-factor authentication step is so important. Access is no longer solely reliant on the password. Now it also relies on your fingerprint, an additional code sent to your phone by text message, or some other approval step that only the actual account holder can perform.

From a statistical point of view, this increases the odds against an attacker’s success dramatically.

As a math nerd crunching the numbers, it is easy for me to conclude that it is smart to increase that password length and to add that extra authentication step. Bear in mind that bad actors are now busy finding ways to beat multi-factor authentication as well.

But rather than make you feel defeated about this never-ending battle against the bad guys, I would prefer to equip you with another common-sense and encouraging insight: your job is to make sure that a bad actor would never waste his time on you. By keeping your passwords long and strong, protecting them, and using multi-factor authentication as extra insurance, chances are good that a bad actor will pass you right by and look for an easier victim to attack… and crack.
