Source: Doug Austin, Cloud Nine from Michael Potters, CEO, Managing Partner, Glenmont Group

• If you have a password that is numbers only, a password that is as much as eight numbers (that’s nearly 100 million number combinations) can still be cracked almost instantly
• Even if that number only password is 14 numbers (that’s nearly 100 trillion number combinations), it only takes four days to crack
• Want to use all upper and lower case letters instead? That will help somewhat, but a five-letter password can still be cracked almost instantly
• And a nine-letter password will still only take 4 days to crack
• Want to mix numbers and upper and lower case letters? You’d better use more than seven characters or it will take no more than 3 hours to crack your password; Even with eight characters, it could still take as few as ten days
• If you add in symbols, then a seven character password could still take less than a day
• But, if you add an eighth character, that pushes the time up to 57 days. Add a ninth character? That pushes the time up to 12 years

Size does matter when it comes to passwords.

An 18 number password takes 126 years to crack; an 18 letter password takes a trillion years

an 18 number and letter password takes 374 trillion years

an 18 number, letter and symbol password takes 1 quintillion years!

Considering the number of password protected accounts you have, just how many 9 character passwords do you think you can remember?

The early NIST recommendations

In 2003, a manager at NIST, Bill Burr wrote “NIST Special Publication 800–63. Appendix A” which became the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. For litigation purposes it is the standard for “best practices” in cybersecurity.

After years of research Burr now says his advice that demanded a letter, number, uppercase letter and special character—such as an exclamation point or question mark was wrong.

The new NIST recommendations

In June, 2019 Special Publication 800–63 got a thorough rewrite, led by Paul Grassi, an NIST standards-and-technology adviser, which resulted in dropping the advice to change passwords every 90 days and the requirement for special characters which Grassi said did little for security and “actually had a negative impact on usability.”

“[Burr] wrote a security document that held up for 10 to 15 years,” Grassi said. “I only hope to be able to have a document hold up that long.”

“pass-phrases” instead of “passwords”

The newly updated NIST guide encourages a long, easy-to-remember string of concatenated (strung together without spaces) unrelated words with a total of more than 18 letters. They don’t even need numbers or special characters. However, since almost all sites require a mix of characters, capitalize one of the letters and substitute the numeral zero (0) for the letter “o” and the at sign, @, for the letter “a”.

Kevin Mitnick, reputedly the world’s most famous hacker, recommends a minimum of 25 characters with a mix of numbers, upper & lower case letters, and symbols. He prefers to refer to these as “pass-phrases” instead of “passwords”. His simple suggestion is to just type in a phrase that you will remember, such as: “F0rTheFirstTimeInF0rever@Fr0zenTheM0vie”.

Password strength testing

One of the best ways to assure the strength of your user passwords/passphrases is to use one of the publicly available password strength test programs such as, “Comparitech” at https://www.comparitech.com/privacy-security-tools/password-strength-test/#password-test-tool; “my1login” at https://www.my1login.com/resources/password-strength-test/; “thycotic” at https://www.my1login.com/resources/password-strength-test/;

Email account testing

Don’t forget to check your email accounts using a program such as “Have I Been Pwned?” at https://haveibeenpwned.com/. “Pwned”, originally a misspelling of “owned” in the computer game Warcraft, now means “to own” or to be dominated by an opponent or situation, especially by some computer-like force.

For the mathematically inclined, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word whereas the password Tr0ub4dor&3 (a typical example of a password using Burr’s old rules) could be cracked in three days. His calculations have been verified by computer-security specialists.