Longer passwords not solution to better security

Efforts to strengthen passwords by increasing number of characters may backfire and trip users, observers note, urging businesses to move instead to two-factor authentication.
Written by Vivian Yeo, Contributor on

Rather than focus on increasing password length to boost security, organizations should look for cost-effective alternatives such as employing one-time passwords as a second-authentication factor, industry observers urge.

Researchers from the Georgia Tech Research Institute warned recently that advances in supercomputing, particularly parallel processing systems in graphics processing units (GPUs), make cracking of passwords by brute force a piece of cake, according to a BBC report. Password cracking by brute force refers to the trial-and-error approach of attempting every possible combination until the right one is derived.

Passwords with seven or fewer characters will soon be "hopelessly inadequate", said the academics, who recommended that passwords should now be at least 12 characters-long as a safer security measure.

Ronnie Ng, Symantec's systems engineering manager for Singapore, told ZDNet Asia that the username-and-password application is the "first and only layer of defense" for many information systems in organizations today. Hence, while brute force attacks are the least sophisticated of attacks, they remain very effective, he explained in an e-mail.

Ng added: "Probability dictates that the longer a password is, the more difficult it will be to crack." Symantec recommends a minimum password length of eight characters for typical users, and at least 15 for administrators.

However, more than just length, users need to consider the "depth and width" of the password. He said a secret code with depth refers to one that is not conventional or easily guessable, while width refers to the use of numbers and symbols alongside letters.

Concurring, Victor Keong, executive director of IT advisory services at KPMG in Singapore, pointed out that long passwords do not necessarily equate to strong passwords. Instead, good passwords rely on "complexity or the 'strength'" of those passcodes, Keong said in an e-mail.

Adopt two-factor authentication
And while users can be educated to implement stronger and longer passwords, organizations should look beyond such measures as the only means of authentication.

Passwords are often compromised because of poor user habits, said Rob McMillan, research director for security, risk and privacy at Gartner, pointing to how some users jot down passwords on paper or make use of default and simplistic options. Malware also plays a part in stealing passwords from unsuspecting users.

"Simply recommending that password lengths must be extended fails to take into account that passwords are one of the weaker authentication methods, and that this conversation emerges every few years as processing power increases," McMillan said in an e-mail.

Jeffery Kok, strategic solutions consultant at EMC's security arm RSA, added that organizations should address authentication policies holistically rather than depend only on deploying longer passwords as the solution. To that end, technologies such as one-time passwords (OTPs), certificates and multi-factor authentication should be considered, he said.

According to Kok, there are "affordable" offerings available in the market. In particular, multi-factor authentication is cost-effective, easy to implement and a ubiquitous practice in commerce such as two-factor authentication for Internet banking.

"Information is the lifeblood of most organizations today and a small investment in security can prevent information loss that could potentially have a major impact on the business," he said.

KPMG's Keong added that organizations can also tap biometrics such as retina, fingerprint, facial recognition and voice recognition to provide sound authentication mechanisms.

Making static passwords safer
Kok explained, however, that the extent to which the enterprises should employ additional layers of security within their systems depends on the risk factors and business requirements.

"[Businesses] need to look at the risk-cost analysis across the different functions of [their] organization and adopt a holistic and information-centric approach toward security before [determining] how to best secure [their] organization, both from the technology and financial perspectives," he explained.

Companies that opt to rely on long passwords may find it helpful to encourage users to adopt "passphrases", he said, adding that these read like a proper sentence and can be peppered with symbols and numbers to resemble alphabets.

Symantec's Ng also urged password composers to be "creative" by using "personally significant" words or phrases in atypical fashion. "For example, you may want to derive your password from an acronym that's meaningful only to you," he suggested.

"Choose a line from a favorite song or saying, and use the first letter of each word as the basis for your password," he said. "Alternatively, take two short words with nothing in common but that have special significance to you, and combine them with punctuation or numerals, always remembering to use both uppercase and lowercase letters."

Editorial standards