By Ben Kast   /   Jan 9th, 2023

How long should your password be? The data behind a safe password length policy.

How long should your password be imageAt LMG Security (LMG) we are frequently asked, “How long should your password be?” It’s a great question. Unless strong Multifactor Authentication (MFA) is universally in use by the organization, we recommend that user passwords should be a minimum of 16 characters in length. Privileged accounts (administrators and service accounts) should be 25 characters or greater whenever possible. (Yes, there are effective ways of managing passwords that are this long! Read on for implementation tips.) We also recommend that passwords include complexity, but place the most emphasis on a safe password length.

When factoring in the risk to environments, it is important to recognize that MFA is only effective at protecting certain types of interactive logins, and not all protocol-level authentication attack vectors. It is excellent for safeguarding login interfaces like Office 365 or similar, but not for safeguarding authentication at the protocol level (e.g. Server Message Block (SBM) brute-forcing where MFA isn’t applied, or legacy protocols like IMAP/POP, etc.). This is why we universally recommend all privileged accounts use a minimum password length of 25 characters or greater, and regular users use passwords that are 16 characters or greater. As the industry moved to passwordless authentication, passwords may soon become a thing of the past (watch our on-demand webinar on the evolution of passwordless authentication for more details). However, it may be several years before passwords fade away. Until then, read on for the data behind the best password length.

Why do organizations struggle to answer the question, “How long should your password be?”

Organizations frequently and justifiably don’t want security to eclipse usability and along with that business efficiency. Common refrains we hear are:

  • “Our leadership will never go for that.”
  • “Our users have a difficult enough time with 8-character passwords, IT will be swamped with password related support requests if we move to a minimum password length of 16 characters.”
  • “Our business moves at market speed, we can’t have users fumbling around trying to access their systems because they cannot remember a long complex password. Just think of the money we could lose.”
  • “Our users will end up writing their long passwords on post-it notes and in notebooks, opening up the passwords to compromise due to insecure storage.” (This one has an easy fix: Implement and train users to utilize password managers, which greatly reduce the difficulty of creating and using strong passwords).

All of these have one thing in common: They emphasize usability over security, which is understandable. There are inherent risks in doing business and organizations cannot afford to secure themselves to a point of paralysis that disallows them from effectively doing business.

Finding the balance between password security and usability

As organizations implement guidelines to determine how long their passwords should be, it’s important to understand the data to determine safe password length and complexity requirements. To start, it is important to recognize that data breaches frequently involve account compromises due to weak passwords. Data breaches are also frequently very costly. Fundamentally, the balancing act comes down to the old InfoSec saying: “Pay now or pay later.”

When it comes to security, it’s always less expensive to pay now vs. pay later

At LMG we operate from the standpoint that with security it is always less expensive to pay now than to pay later. As you consider how long your password should be, here are some good reasons to increase your minimum password length requirements in your domain password policy and implement strong MFA:

  • Although current NIST 800-63B guidance states that “memorized secrets shall be at least 8 characters if chosen by the subscriber,” LMG’s penetration testers have generally found this to be deficient – unless universally also controlled by strong MFA – given the speed of modern computing devices.
  • As a frame of reference, LMG’s penetration testers can crack any 8-character Microsoft NT LAN Manager (NTLM) password hash in under 8 hours (assuming the character space includes all uppercase, lowercase, numbers, and symbols).
    • In contrast, the time required for LMG to compute the full 10-character space is just over 8 years, 12 characters is 77,000 years, 14 characters is 710.5 million years, and 16 characters is 6.5 trillion years. (Note that these speeds are based on LMG’s 2020 testing data and cracking system infrastructure, we and well-funded malicious actors could achieve much faster speeds today.)
  • For NetNTLMv1 challenge/response hashes, which are more difficult to crack than NTLM hashes and cannot be passed using “pass the hash,” LMG can crack any 8-character password hash in approximately 15 hours or less.
    • In contrast, the time required for LMG to compute the full 10-character space is just over 16.53 years, 12 characters is 152,383 years, 14 characters is 1.4 billion years, and 16 characters is 12.9 trillion years. (Note that these speeds are based on LMG’s current cracking system infrastructure, well-funded malicious actors could achieve much faster speeds.)
  • For NetNTLMv2 challenge/response hashes, which are more difficult to crack than NetNTLMv1 hashes and also cannot be passed using “pass the hash,” LMG can crack any 8-character password hash in approximately 7 days.
    • In contrast, the time required for LMG to compute the full 10-character space is just over 188 years, 12 characters is 1 million 735 thousand years, 14 characters is 5 billion 835 million years, and 16 characters more than 147 trillion years. (Note that these speeds are based on LMG’s current cracking system infrastructure, well-funded malicious actors could achieve much faster speeds.)
  • Humans are predisposed to use passwords that are less difficult to remember, and thus easier to guess or crack – often incrementing a number in an existing password or changing a special character appended to a previously used password. Malicious actors know this and will appropriately format attacks in order to take advantage of this behavior.

How to strike the right balance between security and usability?

It’s about more than, “how long should your password be?” Organizations should have safe password length guidelines. Here are some tips to develop your password policies:

  • When possible, implement minimum password length requirements (e.g, 16-characters for normal users).
  • As a part of this change, start by implementing an approved password manager and train all users on its use to ensure adoption across the user community. Include a password manager usage requirement in the organization’s official password policy and stipulate that under no circumstances should passwords be stored insecurely (e.g., unencrypted).
  • Require that all privileged accounts (administrators and service accounts) use passwords with 25 characters or greater. Consider implementing a Privileged Account Management (PAM) solution to further reduce the risk of privileged account compromise.
  • Require all regular users to use a minimum password length of at least 16 characters. This change to a safe password length may need to be implemented over time, moving from 8 characters to 10 characters, then to 12 characters, and so on – with a stated goal of a minimum password length of 16-characters by a particular point in time.
  • Users should be encouraged to use passphrases over using a single word with numbers and symbols to satisfy password policies.
  • Account lockout policies should enforce a sufficiently long lockout duration and an acceptably strict lockout threshold.
  • Password policies should be enforced using technical controls and user passwords should be periodically audited to ensure users are not using default or weak passwords.
  • Passwords do not need to be changed on 90- or 180-day intervals, as this tends to promote poor password practices. Instead, LMG recommends training users on the difference between strong and weak passwords and that passwords be changed annually or anytime a password is suspected of being compromised.
  • It is crucial to clearly and regularly communicate your policies and user security expectations to everyone in your organization. Read our tips for creating acceptable use policies.

If your organization cannot or will not require a minimum password length of 16-characters, a non-SMS based MFA solution should be universally implemented to reduce the risk of account compromise due to weak passwords. You can also implement authentication throttling, wherein authentication requests that reach a certain configurable capacity within a time window should either be blocked or throttled, reducing the risk of brute-force attacks on exposed interfaces.

In conclusion, unless MFA is universally implemented in your IT environment, it is wise to use at least 16-character passwords. When factoring in the cost of such changes, remember that with respect to information security it is cheaper to pay now than to pay later, and the investments made now to implement a safe password policy and ensure your user accounts are secure, will reduce the risk of account compromise and the risk of a data breach.

About the Author

Ben Kast

Ben Kast is a Principal Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).

CONTACT US