By Ben Kast   /   Jan 10th, 2024

Finding the Optimal Minimum Password Length: A Data-Driven Approach to Password Security

Even as the industry moves towards passwordless authentication (read our new passwordless authentication blog or watch our on-demand webinar for a deep dive into the evolution of this technology), it will be a while before passwords disappear. In the meantime, there is more data than ever showing why organizations should require long passwords, and several related developments make the length requirement in your organization’s password policy more important than ever. Let’s look at the data behind choosing an optimal minimum password length so you can raise your organization’s password security until more secure passwordless options are available everywhere.

The Data Behind Requiring a Minimum Password Length

Consider the following points and statistics related to minimum password length and password cracking. They are good reasons to increase the minimum password length in your domain password policy and to implement strong multifactor authentication (MFA). The statistics are based on LMG’s own infrastructure and on testing we performed in 2020 using cracking rigs built on GTX 1080 GPUs; cracking times in the wild vary with tooling, infrastructure, and investment.

  • Although current NIST 800-63B guidance states that “memorized secrets shall be at least 8 characters if chosen by the subscriber,” LMG’s penetration testers consider 8 characters deficient given the speed of modern hardware. Good MFA coverage does not remove the need to require long passwords, either: MFA is not foolproof, particularly where non-interactive, protocol-level logins that never prompt for a second factor are available, and MFA bypass techniques continue to grow.
  • As a frame of reference, in our 2020 research test LMG’s penetration testers could crack any 8-character Microsoft NT LAN Manager (NTLM) password hash in under 8 hours (assuming the full 95-character printable ASCII space: uppercase, lowercase, digits, and symbols).
    • In contrast, exhausting the full 10-character space would take LMG just over 8 years; 12 characters, 77,000 years; 14 characters, 710.5 million years; and 16 characters, 6.5 trillion years.
  • For NetNTLMv1 challenge/response hashes, which are slower to crack than NTLM hashes and cannot be replayed in a “pass the hash” attack, LMG can crack any 8-character password hash in approximately 15 hours or less. (One caveat: a NetNTLMv1 response is built from DES operations keyed by the NT hash, so an attacker who controls the server challenge can recover the NT hash itself by exhausting the DES key space, regardless of password length. NetNTLMv1 should be disabled wherever possible.)
    • In contrast, exhausting the full 10-character space would take LMG just over 16.53 years; 12 characters, 152,383 years; 14 characters, 1.4 billion years; and 16 characters, 12.9 trillion years.
  • For NetNTLMv2 challenge/response hashes, which are slower still to crack than NetNTLMv1 hashes and also cannot be replayed in a “pass the hash” attack, LMG can crack any 8-character password hash in approximately 7 days.
    • In contrast, exhausting the full 10-character space would take LMG just over 188 years; 12 characters, 1.735 million years; 14 characters, 5.835 billion years; and 16 characters, more than 147 trillion years.
  • Humans are predisposed to choose passwords that are easy to remember, and therefore easy to guess or crack: incrementing a number in an existing password, or swapping the special character appended to a previously used one. Malicious actors know this and tailor their attacks to take advantage of that behavior.
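The figures above are just keyspace arithmetic, and it is worth being able to reproduce them for your own policy discussions. The following is an added example, not LMG’s tooling: it takes the article’s three calibration points (the full 8-character space exhausted in 8 hours for NTLM, 15 hours for NetNTLMv1 and 7 days for NetNTLMv2 on the 2020 rig), backs out an effective hash rate, and projects the worst-case exhaust time for longer lengths. It assumes the 95 printable ASCII characters as the alphabet. The results land in the same range as the article’s figures; the exact values depend on the precise rate, which the article gives only as rounded times.

```python
"""Time-to-exhaust calculator calibrated from the article's 8-character benchmarks.

Added example, not LMG's tooling.  Assumes hashcat's ?a alphabet (95 printable ASCII chars).
"""

PRINTABLE_ASCII = 95                      # upper + lower + digits + symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Article calibration points: seconds the 2020 GTX 1080 rig needs for the full 8-char space.
BENCHMARKS_8CHAR = {
    "NTLM": 8 * 3600,
    "NetNTLMv1": 15 * 3600,
    "NetNTLMv2": 7 * 24 * 3600,
}


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of candidates an exhaustive search must try for a given length."""
    return alphabet ** length


def rate_from_benchmark(seconds, length=8, alphabet=PRINTABLE_ASCII):
    """Back out the rig's effective rate (candidates/s) from 'any N-char hash in T seconds'."""
    return keyspace(length, alphabet) / seconds


def years_to_exhaust(length, rate, speedup=1.0, alphabet=PRINTABLE_ASCII):
    """Worst-case years to try every candidate; speedup models a faster rig or more GPUs."""
    return keyspace(length, alphabet) / (rate * speedup) / SECONDS_PER_YEAR


def cracking_table(lengths=(8, 10, 12, 14, 16), speedup=1.0):
    """Years to exhaust each length for each hash type, calibrated from BENCHMARKS_8CHAR."""
    table = {}
    for name, seconds in BENCHMARKS_8CHAR.items():
        rate = rate_from_benchmark(seconds)
        table[name] = {n: years_to_exhaust(n, rate, speedup) for n in lengths}
    return table


def length_needed(min_years, rate, speedup=1.0, alphabet=PRINTABLE_ASCII):
    """Smallest length whose worst-case exhaust time still meets the target at the given speedup."""
    n = 1
    while years_to_exhaust(n, rate, speedup, alphabet) < min_years:
        n += 1
    return n


if __name__ == "__main__":
    for name, row in cracking_table().items():
        print(name)
        for n, years in row.items():
            print(f"  {n:2d} chars: {years:.3g} years")
    ntlm_rate = rate_from_benchmark(BENCHMARKS_8CHAR["NTLM"])
    # Length that still survives a century even against an attacker 1000x faster than the rig
    print("NTLM length for >100 years at 1000x speedup:", length_needed(100, ntlm_rate, 1000))
```

The `speedup` parameter is the knob to turn when arguing about newer GPUs or cloud rigs: even a thousandfold faster attacker only shaves about three characters off the length that keeps a random password out of reach for a century.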

The cracking times are good evidence that a longer password is harder to crack. While we wait for widespread availability of passwordless solutions, you can clearly increase your organization’s password security by enforcing minimum password length policies. Don’t forget to also offer password managers (check out our password tip sheet for more details). The last point, the human predisposition toward memorable passwords that are easier to guess or crack, deserves a closer look because it matches LMG’s experience.

Password Cracking Success Rates and Speed Increase

There have been major improvements in graphics processing unit (GPU) technology, with the latest GPUs benefiting from substantial architectural and computational advances. LMG’s cracking rigs are still going strong with NVIDIA GTX 1080 GPUs released in 2016; updated tools and strategies have allowed LMG to increase its password cracking rate substantially on that existing hardware. A recent high-end GPU such as the NVIDIA RTX 3090 Ti has 24 GB of GDDR6X memory compared with the GTX 1080’s 8 GB of GDDR5X, but for fast, unsalted hashes like NTLM the hash rate is driven mainly by the number of shader cores and their clock speed rather than by memory: the RTX 3090 Ti has 10,752 CUDA cores to the GTX 1080’s 2,560, which is why it hashes several times faster. The continued evolution of GPU capabilities means newer GPUs compute cryptographic hashes faster, shortening every cracking time quoted above.

My colleague Emily Gosney, an experienced penetration tester at LMG, described recent improvements to LMG’s password cracking strategy and tools. These changes help illustrate techniques malicious actors are using, which further drive home the need for long passwords.

  • The addition of passwords captured in real-world breaches to the password wordlists used when running dictionary attacks against captured password hashes. This has improved cracking results considerably.
  • The team has also made improvements with password cracking rules, employing hybrid attacks (dictionary and brute force attack hybrid), and mask attacks (specification of a pattern or “mask” to guide the password guessing process), as well as the implementation of private tools that have greatly increased cracking success in corporate environments, while utilizing the same infrastructure.

These improvements are not about hash rate (i.e., how many candidate passwords per second the rig can hash and compare against the captured hashes), which matters most for brute-force attacks, and brute force is mainly useful against randomly generated passwords. They are based on probabilistic methods that target the way humans actually create passwords and, when configured appropriately, crack those passwords in a fraction of the time brute force would take.

This resulted in LMG’s password cracking success rate increasing from around 20% to 85%, a gain of 65 percentage points using the same hardware and hash rate, simply by focusing on the unique problem of human password creation. According to Emily, “The approach we are taking is essentially the same approach used by real-world adversaries, who aren’t limited by hash rate as much as they are time and budget. This is especially true as malicious actors increasingly turn to the cloud for cracking resources due to GPU shortages and inflated GPU prices. Their goal isn’t to exhaustively crack every password, it’s to crack the most passwords in the least amount of time with the least amount of overhead. So they focus on probabilistic attacks that have a high yield and hit rate to achieve their goals. And as our success rate is now approaching 90%, we’ve done a really good job of emulating that.”
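To make the probabilistic approach concrete, here is an added example (not LMG’s private tooling) that runs a small dictionary, rule and hybrid-mask attack against NT hashes. NTLM is MD4 over the UTF-16LE password with no salt, implemented here in pure Python because many OpenSSL builds no longer expose MD4 through `hashlib`. The target hashes are constructed inside the block from made-up passwords so it runs offline; the wordlist, mangling rules and suffix masks are illustrative choices, not the ones LMG uses.

```python
import struct

_MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python; hashlib's md4 is often disabled in OpenSSL 3)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, message-word order, shift amounts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for f, order, shifts, k in rounds:
            for i, w in enumerate(order):
                j = (-i) % 4  # the register being updated cycles a, d, c, b
                a, b, c, d = s[j], s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                s[j] = _rotl((a + f(b, c, d) + words[w] + k) & _MASK32, shifts[i % 4])
        state = [(u + v) & _MASK32 for u, v in zip(state, s)]
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password.  Unsalted, so one guess is checked against every account."""
    return md4(password.encode("utf-16le")).hex()


def leet(word: str) -> str:
    return word.translate(str.maketrans("aeios", "@310$"))


def candidates(words, years=range(2018, 2025)):
    """Hybrid attack: mangle dictionary words with rules, then append small masks (?d, a year, '!')."""
    suffixes = [""] + [str(d) for d in range(10)] + [str(y) for y in years]
    suffixes += [s + "!" for s in suffixes]
    for word in words:
        for base in (word, word.capitalize(), word.upper(), leet(word).capitalize()):
            for suffix in suffixes:
                yield base + suffix


def crack(target_hashes, words):
    """Return {hash: plaintext} for every target recovered, plus the number of guesses spent."""
    found, guesses = {}, 0
    for guess in candidates(words):
        guesses += 1
        h = ntlm(guess)
        if h in target_hashes and h not in found:
            found[h] = guess
            if len(found) == len(target_hashes):
                break
    return found, guesses


# Constructed sample: NT hashes as they would appear in a domain dump, built here from made-up
# passwords so the example is self-contained.  The last one is random; no rule will reach it.
SAMPLE_PASSWORDS = ["Summer2020!", "Welcome1", "password", "fH7#pQ2z"]
SAMPLE_HASHES = {ntlm(p) for p in SAMPLE_PASSWORDS}
WORDLIST = ["summer", "welcome", "password"]  # the kind of base words breach corpora are full of

if __name__ == "__main__":
    found, guesses = crack(SAMPLE_HASHES, WORDLIST)
    print(f"{len(found)}/{len(SAMPLE_HASHES)} cracked in {guesses} guesses "
          f"(brute force of the 8-char space: {95 ** 8:,})")
    for h, p in found.items():
        print(h, p)
```

Three of the four sample hashes fall in a few hundred guesses; the randomly generated one survives the whole run untouched, which is the entire argument for long, generated passwords backed by a manager.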

Bottom line, human password creation continues to be the weak link in the password security landscape. Moving toward long, randomly generated passwords is a positive step, but it is only realistic in certain contexts and requires a password manager to be tenable long term. Users generally do not find randomly generated passwords easy to use, even though they are the most secure, and left to themselves they usually will not adopt them.

The Balance Between Password Security & Usability

Organizations should set safe password length requirements, but if those requirements are too cumbersome, users will avoid or try to bypass them. Humans can only remember so much, so if your organization is not yet using a password manager, adopting one is your best bet for delivering user-friendly password security. Here are some tips for developing your password policies:

  • Require that all privileged accounts (administrators and service accounts) have a minimum password length of 25 characters or greater. Consider implementing a Privileged Account Management (PAM) solution to further reduce the risk of privileged account compromise.
  • Require all regular users to use a minimum password length of at least 16 characters to increase your password security.
  • Users should be encouraged to use passphrases over using a single word with numbers and symbols to satisfy password policies.
  • As a part of this change, start by implementing an approved password manager and train all users on its use to ensure adoption across the user community. Include a password manager usage requirement in the organization’s official password policy and stipulate that under no circumstances should passwords be stored insecurely (e.g., unencrypted).
  • Account lockout policies should enforce a sufficiently long lockout duration and an acceptably strict lockout threshold, measured over a bounded observation window so that lockouts cannot easily be turned into a denial of service against legitimate users.
  • Password policies should be enforced using technical controls, and user passwords should be audited periodically (for example, by cracking a copy of the domain’s hashes the way a tester would) to ensure users are not using default or weak passwords.
  • Passwords do not need to be changed on 90- or 180-day intervals, as this tends to promote poor password practices. Instead, LMG recommends training users on the difference between strong and weak passwords and that passwords be changed annually or anytime a password is suspected of being compromised.
  • It is crucial to communicate your policies and user security expectations clearly and regularly to everyone in your organization. Read our tips for creating acceptable use policies.

Organizations should require a non-SMS MFA solution for any externally facing authentication interface to business systems, in addition to the 16-character minimum for users and the 25-character minimum for administrators. MFA should be viewed as the last layer of password security and authentication defense, not a substitute for the others.

Wherever possible, you should also implement authentication throttling, wherein authentication requests that reach a certain configurable capacity within a time window should either be blocked or throttled, reducing the risk of brute-force attacks on exposed interfaces.
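The lockout policy from the tips above and the throttling described here protect against different things, and it helps to see both in one place. The following is an added example, not any product’s implementation: a small guard that applies a per-account lockout (threshold, duration, observation window) and a per-source sliding-window throttle, then drives it with constructed attack traffic. Timestamps are plain seconds so it runs offline; the addresses and account names are made up.

```python
from collections import defaultdict, deque


class AuthGuard:
    """Per-account lockout plus per-source throttling, checked before the password is verified.

    Added example; a real deployment would use the system clock and shared state across nodes.
    """

    def __init__(self, lockout_threshold=10, lockout_duration=900, observation_window=900,
                 source_limit=20, source_window=60):
        self.lockout_threshold = lockout_threshold
        self.lockout_duration = lockout_duration
        self.observation_window = observation_window
        self.source_limit = source_limit
        self.source_window = source_window
        self._failures = defaultdict(deque)         # account -> timestamps of recent failures
        self._locked_until = {}                     # account -> time the lockout expires
        self._source_attempts = defaultdict(deque)  # source address -> timestamps of attempts

    @staticmethod
    def _expire(queue, cutoff):
        while queue and queue[0] <= cutoff:
            queue.popleft()

    def check(self, account, source, now):
        """Return 'LOCKED', 'THROTTLED' or 'OK'; only 'OK' attempts reach password verification."""
        if self._locked_until.get(account, 0) > now:
            return "LOCKED"
        attempts = self._source_attempts[source]
        self._expire(attempts, now - self.source_window)
        if len(attempts) >= self.source_limit:
            return "THROTTLED"
        attempts.append(now)
        return "OK"

    def record_failure(self, account, now):
        failures = self._failures[account]
        self._expire(failures, now - self.observation_window)
        failures.append(now)
        if len(failures) >= self.lockout_threshold:
            self._locked_until[account] = now + self.lockout_duration
            failures.clear()

    def record_success(self, account):
        self._failures.pop(account, None)


def simulate():
    """Constructed traffic: a brute force on one account, then a password spray across many."""
    guard = AuthGuard()
    brute = []  # 30 wrong guesses at 'alice' from one host, one per second
    for t in range(30):
        result = guard.check("alice", "203.0.113.5", t)
        brute.append(result)
        if result == "OK":
            guard.record_failure("alice", t)
    spray = []  # one wrong guess each against 100 accounts from another host, one per second
    for i in range(100):
        account, t = f"user{i:03d}", 1000 + i
        result = guard.check(account, "198.51.100.7", t)
        spray.append(result)
        if result == "OK":
            guard.record_failure(account, t)
    return brute, spray


if __name__ == "__main__":
    brute, spray = simulate()
    print("brute force:", {r: brute.count(r) for r in sorted(set(brute))})
    print("spray:      ", {r: spray.count(r) for r in sorted(set(spray))})
```

The two runs show why both controls are needed: the brute force trips the account lockout after ten failures, but the spray never fails the same account twice, so lockout alone would let every guess through; the per-source throttle is what cuts it to a trickle. The observation window also bounds how long a flood of deliberate failures can keep a victim locked out.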

Knowing that strong authentication controls are established and users are required to adhere to them across the board dramatically reduces account compromise risk, which could otherwise lead to system and data breaches. There are plenty of examples of organizations that have either taken short cuts in this area or overlooked certain systems in their environment thereby creating weak spots in their overall authentication controls that lead to damaging and costly cybersecurity incidents.

If you need help implementing MFA, updating your organization’s secure authentication policies, or support with your cybersecurity testing, solutions and training, contact us. Our experienced team is ready to help!


About the Author

Ben Kast

Ben Kast is a Principal Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).