Best Practice for Minimum Password Length: Is a 14-character password really necessary?

Source: Internet
Author: User

Q: I have heard more and more security experts say that the password should exceed 14 characters to prevent brute force password hacking tools. However, for most enterprise user groups, this seems a little too demanding. What are your suggestions for the standard password length?

A: The password length that experts recommend has a specific reason behind it, and that reason is not brute-force tools. It is the rainbow table (a lookup table of plaintexts and the ciphertexts generated from them by various encryption algorithms). We will explain this later. First, for security, modern applications and operating systems do not store user passwords in plain text. Instead, when a user sets a password, the letters and numbers entered are run through an encryption algorithm, which produces a unique hash value; that value represents the password and is stored in a file on the system. When the user later accesses the system, the system generates a hash from the letters and numbers entered in the same sequence, compares it with the value in the original file, and thereby checks whether the password the user entered is correct.
In the past, hashing passwords was considered a safe method, because even if hackers could obtain the hash file of system passwords, matching a random password to a known hash value in the system file was an impossible task. However, because of the value of such information and the exponential growth in the computing power of today's computers, hackers have begun to map every combination of password character sequences to its hash value, starting from A, AA and AAA and working through the entire letter-and-digit sequence, and the results are stored in a publicly available table called a rainbow table. Of course it takes many hours, but this type of work is in progress. Since the first attempt to obtain password hash values, the range and size of these tables have been growing constantly. For passwords whose length is below 12-14 characters, the hash values are now likely to be stored somewhere in a rainbow table. This means that a malicious person who obtains a system's hash file can easily obtain a rainbow table (for that operating system or application) and search it for the hash value to obtain the user's stored password. Unfortunately, as the scale of rainbow tables continues to grow, passwords must become longer and more complex so that others cannot recover them from the user's hash value. The ongoing work of assembling rainbow table data may soon make it meaningless to discuss best practices for minimum password length, and this is also the main reason why many experts believe that passwords are a bad choice as authentication credentials for important, valuable data.
Although password hash files pose a risk, this problem can be solved easily by using stronger alternative credentials, such as software/hardware tokens, biometrics and knowledge-based authentication. However, in today's market, passwords are still the most common authentication credential. Therefore, enforcing a longer minimum password length on enterprise systems can help make passwords less vulnerable to brute-force attacks. So how can we make it easier for users to use long passwords? The answer is simple: use a "passphrase". Instead of creating a long string of meaningless characters and numbers, people can use a familiar sentence that creates an image in their mind; some people find it easier to recall and remember their password this way. For example, if a user has a child at school, they may think of the sentence "My child is a top five student," which can easily be translated into a password he or she remembers, such as Bobbies#1OnThe5thGradeHR. Or a person may love music and think, "My favorite band at my high school graduation was Savage Garden." This can be converted into the password N1998ILovedSavageGarden. The passwords in these two examples are complex and easily exceed the 14-character length. A combination of short passwords and unique passwords is also acceptable, but it requires some imagination and a different way of thinking when creating passwords.
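To make the answer's point concrete, here is an added Python example (not part of the original answer): it precomputes a small hash-to-plaintext table over lowercase letters and digits up to 3 characters, which stands in for a rainbow table, and shows that an unsalted hash of a short password is recovered by a single lookup while the answer's long passphrase, or the same short password stored with a random salt and a slow KDF, is not. The alphabet, table depth and PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import itertools
import os
import string

# Added demonstration code, not from the original answer. Sizes are assumptions.
ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols
MAX_LEN = 3                                         # table covers 1-3 char strings
KDF_ITERATIONS = 200_000                            # PBKDF2 work factor


def unsalted_hash(password: str) -> str:
    """Legacy scheme from the answer: store a bare hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(alphabet: str = ALPHABET, max_len: int = MAX_LEN) -> dict:
    """Precompute hash -> plaintext for every string up to max_len over alphabet.
    A rainbow table compresses the same mapping into chains; the effect on an
    unsalted hash is identical: one lookup recovers the password."""
    table = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            plaintext = "".join(chars)
            table[unsalted_hash(plaintext)] = plaintext
    return table

def recover(table: dict, stored_hash: str):
    """Return the plaintext if the stored hash appears in the precomputed table."""
    return table.get(stored_hash)

def salted_hash(password: str, salt: bytes = None) -> str:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes each user's hash unique, so no table built in advance contains
    it, and the iterations make building one per salt expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def demo() -> dict:
    """Run all three cases against one table and return what the lookup finds."""
    table = build_lookup_table()
    short_pw, passphrase = "ab1", "N1998ILovedSavageGarden"  # passphrase is from the answer
    salted_digest = salted_hash(short_pw).split("$")[1]
    return {
        "table_entries": len(table),                                       # 36 + 1296 + 46656
        "short_unsalted": recover(table, unsalted_hash(short_pw)),         # 'ab1'
        "passphrase_unsalted": recover(table, unsalted_hash(passphrase)),  # None
        "short_salted": recover(table, salted_digest),                     # None
    }
```

The table here has under 50,000 entries and builds in well under a second; the answer's point is that published tables cover far longer strings, which is exactly why per-user salts and length matter.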


From original Chinese content of TechTarget
