Password Requirements Do Not Make Your Password Stronger
Password strength is something that lots of websites push on us and remind us about; we must have strong passwords on the internet to protect our important information, bank accounts, Facebook, etc. Strong passwords are, apparently, a random string of numbers and letters and special characters that no one will actually ever remember, thus forcing us to write them down or create a document somewhere on our computer with all of our passwords saved in it.
Websites have started putting more and more requirements on our passwords, and it’s become a huge internet joke.
We’re told that these requirements are put in place to help us create stronger passwords that are harder to hack, but that’s the exact opposite of the truth. First, stop thinking of these things as ‘requirements,’ and start thinking of them as what they really are: parameters. Allow me to explain:
We start off with infinite possibilities when it comes to your password. It can be whatever you want, using any characters, and be any length. No password requirements means you can pick something you’ll actually have a shot at remembering, and a hacker has no given parameters to program into any software to generate possible passwords for your account. What I mean is, they don’t know if there are any special characters, capital letters, or numbers. It’s pretty safe and secure, so long as you don’t pick something blatantly obvious, give your password out, or input it into a false login screen.
Add in a character limit: Your password must be at least 8 characters long, but no longer than 24 characters. We’ve now established a parameter, and the number of possible passwords has been reduced. The number of possible passwords is still large, but it is still possible to get lucky and generate the password for the account(s) you’re attempting to hack.
Add in a mandatory capital letter: We have our second parameter; we now know the password will have a capital letter and will be between 8 and 24 characters long. We’ve further reduced the number of possible passwords a hacker’s software will have to generate in order to hack someone or multiple people’s accounts.
Add in a mandatory number: We now have three parameters that further reduce the number of possible combinations that the passwords on this particular site can be.
Add in a mandatory special character: We now have four parameters for the software to work with; that’s even fewer possibilities and a greater chance of your password – though, really, I should be saying an entire website’s password database – being figured out by a piece of software constructed by a hacker.
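To put numbers on the narrowing described above, here is an added example (not part of the original post) that counts, by inclusion-exclusion, how many strings of a given length still satisfy the capital-letter, number and special-character rules, and what fraction of the 8-to-24-character space they make up. It assumes the 95-character printable ASCII alphabet split into 26 lowercase, 26 uppercase, 10 digits and 33 special characters; the function names are my own.

```python
# Added example: size of the password space under the post's four parameters.
# Assumed alphabet: 95 printable ASCII characters, split into the classes below.
from itertools import product

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
REQUIRED = ("upper", "digit", "special")  # the three mandatory classes


def compliant_count(n, classes=CLASSES, required=REQUIRED):
    """Number of length-n strings that contain at least one character from
    every required class, computed by inclusion-exclusion over the classes
    that are missing."""
    total = sum(classes.values())
    count = 0
    for mask in range(1 << len(required)):  # every subset of classes to exclude
        excluded = [required[i] for i in range(len(required)) if mask >> i & 1]
        remaining = total - sum(classes[c] for c in excluded)
        count += (-1) ** len(excluded) * remaining ** n
    return count


def compliant_fraction(min_len, max_len, classes=CLASSES, required=REQUIRED):
    """Share of all strings with min_len <= length <= max_len that pass the rules."""
    total = sum(classes.values())
    lengths = range(min_len, max_len + 1)
    everything = sum(total ** n for n in lengths)
    compliant = sum(compliant_count(n, classes, required) for n in lengths)
    return compliant / everything


def brute_force_count(n, alphabet, required=REQUIRED):
    """Cross-check for tiny alphabets: `alphabet` maps each character to its
    class name; enumerate every string and keep those meeting every rule."""
    hits = 0
    for chars in product(alphabet, repeat=n):
        seen = {alphabet[c] for c in chars}
        if all(r in seen for r in required):
            hits += 1
    return hits


if __name__ == "__main__":
    for n in (8, 12, 24):
        print(n, compliant_count(n), compliant_count(n) / 95 ** n)
    print("8-24 chars, fraction passing all three rules:", compliant_fraction(8, 24))
```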
Think of it like a search string; if we, for example, search for Tyler Hoechlin in Google for a project, you get this:
But we need a picture of Tyler Hoechlin, so we narrow our search results to images only:
But our project is for our film class, and we’re supposed to highlight a role of an actor, well then we just add Teen Wolf to the search string and we get…
But, alas, our favorite picture is from the Teen Wolf Season 3B promotions, so let’s add that to the search string:
With four parameters set to a search we were able to narrow it down to the exact picture I was looking for; and that’s basically how password cracking software works. It starts off with infinite possibilities, and then each parameter (limitations and restrictions, really) the website adds to their password requirements eliminates possibilities, narrowing down the results.
It’s not that companies (or even the government, because they do the same thing with passwords on their websites) aren’t aware of the way this works, either. I’m not the only person that has pointed this out, and I won’t be the last.
Why, then, do websites continue to utilize password requirements? Well, some websites already sell off any information you put on them (Facebook sells off all personal information you put on it, including the things you click like on), so it would behoove a hacker to attack that database rather than individual accounts.
Are random password generators any safer? Not really. Websites that offer password generators have their parameters already set in the software, so it’s still using the same requirements that the hacker already has access to. The algorithm the generator uses could also be potentially used to make the hacker’s job easier.
When you bitch about password requirements on a website, you’re in the right to bitch. Whether or not you’re bitching about them for the right reasons, however, is another question entirely.