This study finds that LONGER passwords are more protective than heavy use of special characters in shorter passwords. The study also shares several additional key findings.
An automated tool can crack a completely random eight-character password that uses all four character types, such as “N^a&$1nG”, much faster than a 28-character passphrase made up of only upper- and lower-case letters, like “GoodLuckGuessingThisPassword”. If for the purposes of this estimate we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU.
Weak or default passwords contributed to one third of the compromises investigated by Trustwave. Therefore, annihilate weak passwords: implement and enforce strong authentication policies. Educate users on the value of choosing longer passphrases instead of simple, predictable, easy-to-crack passwords. Deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, such as a unique code sent to the user’s mobile phone.
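The two recommendations above (prefer length over character-class complexity, and reject weak or default passwords) can be turned into a policy check that a defender can run at password-set time. The following is an added example, not code from Trustwave or from the report; it estimates the exhaustive search space an attacker faces when, as the report assumes, the length and the character classes used are known, and rejects passwords that are too short, too low in search-space bits, or on a blocklist. The blocklist, the 60-bit and 14-character thresholds, and the guess rate of 2e10 guesses per second per GPU are all constructed assumptions; because the report's own 3.75-day and 17.74-year figures come from its cracking tool rather than from a pure exhaustive-search model, the absolute times printed here differ from the report's and only the relative ordering should be compared.

```python
import math
import string

# Character classes an attacker would enumerate once they know which are present.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "symbol": set(string.punctuation),       # 32
}

# Constructed blocklist of weak/default credentials (illustrative only; a real
# deployment would load a large breach-derived list instead).
DEFAULT_PASSWORDS = {"password", "123456", "admin", "welcome1", "changeme"}

# Assumed single-GPU guess rate (a placeholder, not a figure from the report).
ASSUMED_GUESSES_PER_SECOND = 2e10


def alphabet_size(password: str) -> int:
    """Size of the alphabet the attacker must search, given the classes present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the exhaustive keyspace: length * log2(alphabet)."""
    size = alphabet_size(password)
    if size == 0:          # empty password or no recognised classes
        return 0.0
    return len(password) * math.log2(size)


def seconds_to_exhaust(password: str,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    size = alphabet_size(password)
    return (size ** len(password)) / rate if size else 0.0


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.2f} {unit}"
    return f"{seconds:.2f} seconds"


def evaluate_policy(password: str, min_length: int = 14,
                    min_bits: float = 60.0) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Length and search space matter more than
    whether every character class is present."""
    reasons = []
    if password.lower() in DEFAULT_PASSWORDS:
        reasons.append("matches a known default/weak password")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = search_space_bits(password)
    if bits < min_bits:
        reasons.append(f"search space {bits:.1f} bits is below {min_bits:.0f}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # The two passwords from the text plus one blocklisted default.
    for candidate in ("N^a&$1nG", "GoodLuckGuessingThisPassword", "Welcome1"):
        accepted, reasons = evaluate_policy(candidate)
        print(f"{candidate!r}: alphabet={alphabet_size(candidate)}, "
              f"bits={search_space_bits(candidate):.1f}, "
              f"exhaust={human_time(seconds_to_exhaust(candidate))}, "
              f"accepted={accepted} {reasons}")
```

Under this model the eight-character complex password has an alphabet of 94 and about 52 bits of search space, while the 28-character letters-only passphrase has an alphabet of 52 but roughly 160 bits; the policy rejects the first and accepts the second, which is the ordering the report describes.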