Password Compliance Standards

Jordan Rimert
2 min read · Nov 16, 2020

Ever wonder where the 8 character password requirement comes from?

In 1985, NIST (then still the National Bureau of Standards) published password guidance built on a simple formula: the number of guesses an attacker can make per day, multiplied by how long the password stays in use, compared against the number of possible passwords. The computing power of the time allowed roughly 12,000 guesses per day, and on that basis an 8 character password was expected to last about six months before being cracked. As long as you changed it every three months you would, on average, be okay. That was the reasoning, and at the time it seemed reasonable enough.

Times changed, as times often do. Yet somewhere along the way, compliance frameworks picked up the character count and dropped the formula's inputs (guess rate and password lifetime), so 8 characters became the standard minimum. Thirty-five years later it is still the minimum length most password policies require.

Plug today's computing power into the original formula and you would need to change your password roughly every half a second to keep up. Adding complexity (special characters, numbers, mixed case) increases the time to crack because it widens the character set, but each additional character multiplies the search space by that entire set, so nothing helps more than adding length.

By that measure ‘mypasswordis1234’ is a better password than ‘P@$sW0rd’: a brute-force attack exhausts the latter in under a month, while the former would hold out as the rings of Saturn evaporate into space, over 90 million years from now. One caveat: that figure assumes the attacker tries every combination. Real cracking runs wordlists and mangling rules first, and a dictionary phrase with ‘1234’ on the end falls to those long before any brute force, so the length should come from random words or random characters rather than a predictable phrase. An online crack-time calculator will show you the brute-force figure for your own passwords.
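To make the length-versus-complexity argument concrete, here is an added example (not code from the original post) that computes the brute-force search space, its entropy in bits, the expected crack time at a given guess rate, and the 1985-style inverse: the shortest length whose expected crack time outlasts a rotation period. The 1e10 guesses/second rate is an assumption for illustration, roughly what one GPU reaches against a fast unsalted hash; the passwords are the two from the post.

```python
import math

# Added example. The modern guess rate below is an assumption: a round
# 1e10 guesses/second is the order of magnitude a single GPU reaches
# against a fast unsalted hash. Real rates depend heavily on the hash.
GUESSES_PER_SEC_GPU = 1e10
SECONDS_PER_YEAR = 365.25 * 86_400


def charset_size(password: str) -> int:
    """Size of the character set a brute-force attacker must cover,
    judged from the character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # 32 ASCII punctuation characters plus space
    return size


def entropy_bits(charset: int, length: int) -> float:
    """log2 of the keyspace: every extra character adds log2(charset) bits."""
    return length * math.log2(charset)


def expected_crack_seconds(charset: int, length: int, guesses_per_sec: float) -> float:
    """Average time for exhaustive search: on average the password is
    found halfway through the keyspace."""
    return charset ** length / 2 / guesses_per_sec


def required_length(charset: int, guesses_per_sec: float, lifetime_seconds: float) -> int:
    """The 1985-style inverse: shortest length whose expected crack time
    at this guess rate is at least the password's lifetime (rotation period)."""
    needed_keyspace = 2 * guesses_per_sec * lifetime_seconds
    length = 1
    while charset ** length < needed_keyspace:
        length += 1
    return length


def brute_force_years(password: str, guesses_per_sec: float = GUESSES_PER_SEC_GPU) -> float:
    """Brute-force-only estimate. A wordlist plus rules attack finds a
    dictionary phrase like 'mypasswordis1234' far sooner than this suggests."""
    seconds = expected_crack_seconds(charset_size(password), len(password), guesses_per_sec)
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"{'charset':>8} {'length':>6} {'bits':>6} {'expected years at 1e10/s':>26}")
    for charset, length in [(10, 8), (95, 8), (26, 12), (36, 16), (95, 16)]:
        years = expected_crack_seconds(charset, length, GUESSES_PER_SEC_GPU) / SECONDS_PER_YEAR
        print(f"{charset:>8} {length:>6} {entropy_bits(charset, length):>6.1f} {years:>26.3g}")
    for pw in ("P@$sW0rd", "mypasswordis1234"):
        print(f"{pw!r}: {brute_force_years(pw):.3g} years (brute force only)")
    for charset in (36, 95):
        need = required_length(charset, GUESSES_PER_SEC_GPU, 90 * 86_400)
        print(f"charset {charset}: {need} characters to outlast a 90-day rotation at 1e10/s")
```

At the assumed rate, 8 characters from the full 95-character set fall in days, while 16 lowercase-plus-digit characters take millions of years; the exact figures scale linearly with whatever guess rate you plug in, which is why published crack-time numbers differ so much. Note that `required_length` shows the post's point from the other direction: at 1e10 guesses/second even a 90-day rotation needs more than 8 characters from any character set.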

Tools like Hashcat use the processing power of GPUs, which contain thousands of simple cores that run the same calculation in parallel, as opposed to a CPU's handful of powerful cores working largely in sequence. GPUs were built for rendering graphics, textures and lighting in video games but do phenomenally well at computing hashes. The guess rate also depends on which hash the service stored: a single GPU tries billions of MD5 or NTLM candidates per second, while a deliberately slow hash such as bcrypt or Argon2 cuts that to tens of thousands or fewer. As more GPU capacity becomes rentable by the hour in services like Azure, AWS and GCP, the rate at which hashes can be calculated will only accelerate, placing an even higher onus on password length.

To combat this, password managers like LastPass have been popping up that will generate a long, random, unique password for every site and save it for you. These are typically a few dollars a month, but if you don't want to go that route there's a relevant XKCD comic that might help:

https://imgs.xkcd.com/comics/password_strength.png
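The comic's approach, a passphrase of random common words, is easy to do properly in code. The following is an added example (not from the post or from XKCD) that draws words with a cryptographically secure random source and reports the entropy, which comes only from the list size and the word count. The `WORDLIST` here is a small stand-in constructed for the example; a real list such as the EFF long wordlist has 7,776 entries, and that size is used in the calculations as an assumption about the list you would actually use.

```python
import math
import secrets

# Added example. WORDLIST is a constructed 16-word stand-in; a real
# Diceware-style list has thousands of words, and the entropy below
# comes from list size and word count, never from how the words look.
WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "basket", "candle", "dolphin",
    "ember", "forest", "garden", "harbor", "island", "jacket", "kettle", "lantern",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 entries, one word per five dice rolls


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Each word drawn uniformly from the list adds log2(list_size) bits."""
    return word_count * math.log2(list_size)


def words_for_target(list_size: int, target_bits: float) -> int:
    """Fewest words needed to reach the target entropy with this list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list[str], word_count: int = 4, separator: str = "-") -> str:
    """Draw words with secrets.choice (CSPRNG). random.choice is seeded
    predictably and must not be used for secrets. Words may repeat, which
    keeps every draw independent and the entropy calculation exact."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def is_from_list(passphrase: str, words: list[str], separator: str = "-") -> bool:
    """Sanity check used by the demo: every word came from the list."""
    return all(w in words for w in passphrase.split(separator))


if __name__ == "__main__":
    phrase = generate_passphrase(WORDLIST)
    print(f"{phrase}  ({passphrase_entropy_bits(len(WORDLIST), 4):.1f} bits from a {len(WORDLIST)}-word list)")
    for count in (4, 5, 6):
        bits = passphrase_entropy_bits(EFF_LONG_LIST_SIZE, count)
        print(f"{count} words from a {EFF_LONG_LIST_SIZE}-word list: {bits:.1f} bits")
    print(f"words for 80 bits: {words_for_target(EFF_LONG_LIST_SIZE, 80)}")
```

Four words from a 7,776-word list give about 51.7 bits, six give about 77.5, comparable to a random 12-character password from the full printable set, and far easier to type and remember. The separator and capitalisation add nothing if they are fixed, so do not count them.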
