In a lot of organizations we work with, something as simple as changing the password policy from a minimum length requirement of 8 to 14 is anything but simple. They have to get approval, organizational buy-in from top management, and then deal with hundreds of help desk tickets and frustrated employees once the change is implemented. It is easy to question whether mandating employees have at least a 14 character password is really worth all that hassle. Well, as a penetration tester who has encountered organizations with password policies mandating anywhere from 6 characters in length to 22, I can provide some insights. So let’s discuss.
First, Why 14?
Why does Triaxiom recommend password policies to require a minimum length of 14 characters? We use the Center for Internet Security‘s (CIS) password recommendation, as we feel it is important for us to remain unbiased and rely on recognized industry standards. While we would go even further and recommend organizations implement a much longer minimum and a passphrase policy to switch the paradigm away from traditional passwords (which could definitely be even more secure), we always fall back on an industry recognized standard wherever applicable.
Ok, So Is it Better?
The short answer is yes, the longer you can make your minimum password length for your enterprise password policy, the harder it is going to be to crack or guess those passwords. Now this does assume that your user’s don’t pick really bad passwords still, because without training that can still happen. But short passwords simply do not work and they make password attacks much more trivial. Triaxiom has a password cracking machine that can brute force a 6 character password in under 30 minutes. 7 characters can be done in an hour. 8 characters can be completed in under 2 days. 9 characters would be closer to 15 days. And it continues to go up exponentially from there. So as you can see, from just a rudimentary brute force perspective, the longer a password is in length, the harder it is to crack. 14 characters would take many years to brute force, even with today’s processing power, so it takes away some of the cracking options from an adversary’s toolbox.
With that being said, in a previous blog we covered how an attacker tries to guess your password. It is extremely rare for us to use a brute force attack, in general. Especially if we know the password policy is longer than 10 characters. It would take way too much time. Rather, we are going to take dictionaries of normal words and append characters to them, or digits and a symbol. So even if you have a 14 character password policy, if you have an employee who makes their password CompanyRocks12 it is still weak and an attacker can guess it very quickly.
This is where employee training comes in, as a 14 character password policy alone is not enough (though it is a good start). You have to help your employees understand how password security works, what’s the difference between a bad password and a good password, and the importance of using unique passwords everywhere. This is done through regular awareness training and just simply teaching your employees these key skills, like how to choose a strong password. This may be hard to believe, but we’ve found that people honestly don’t know how to choose a strong password. In addition to these training efforts, consider combining this with additional technical controls to help enforce your written policies, such as implementing a password blacklist so employees can’t select extremely weak passwords (e.g. based off the company’s name/address) and conducting regular password database audits.