Password strength

January 2022

PassHub considers a password weak if it is shorter than 8 characters or appears in the list of the most frequently used passwords.

PassHub follows the latest NIST Special Publication 800-63B guidance on password security. The National Institute of Standards and Technology (NIST) is probably the most authoritative and reputable source of cybersecurity recommendations.

NIST password requirements are as follows:

  • minimum length is 8 characters; in some special cases even 6-digit sequences may be enough

  • user passwords should be checked against a blacklist of the most frequently used passwords, such as “12345678”, “administrator”, “iloveyou”, “passw0rd” and the like

  • spaces are allowed in passwords; consecutive spaces are counted as a single character

Basically, that is all. No requirements for upper/lowercase, digits, or special symbols. No need to periodically change passwords.
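The three NIST rules above are easy to turn into a verifier-side check. The following is an added example, not PassHub's code: it collapses runs of spaces before measuring length (so padding with spaces does not help), applies NFKC Unicode normalization (which NIST 800-63B also recommends for memorized secrets, though the rules above do not mention it), and compares against a blocklist. The blocklist here is a small constructed sample; a real verifier loads a large list of the most frequently used passwords. Matching the blocklist case-insensitively is an assumption of this example, not a NIST rule.

```python
import re
import unicodedata

# Constructed sample blocklist for this example; a real verifier loads a large
# list of the most frequently used / breached passwords and matches against it.
COMMON_PASSWORDS = {
    "12345678", "123456", "administrator", "iloveyou", "passw0rd",
    "password", "qwerty123", "letmein",
}

MIN_LENGTH = 8  # NIST 800-63B minimum for user-chosen memorized secrets


def normalize(password: str) -> str:
    """Canonicalize a candidate before the length and blocklist checks.

    NFKC normalization makes visually identical Unicode input compare equal
    (NIST 800-63B recommends NFKC or NFC); runs of spaces collapse to one
    character, as the rules above state, so space padding adds no length.
    """
    canonical = unicodedata.normalize("NFKC", password)
    return re.sub(" {2,}", " ", canonical)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means acceptable."""
    reasons = []
    canonical = normalize(password)
    if len(canonical) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters after normalization")
    # Case-insensitive blocklist match (assumption of this example, not a NIST
    # rule): "PassW0rd" is no harder to guess than "passw0rd".
    if canonical.lower() in COMMON_PASSWORDS:
        reasons.append("found in the list of most frequently used passwords")
    return reasons


def is_weak(password: str) -> bool:
    """Convenience wrapper: True if any check failed."""
    return bool(check_password(password))


if __name__ == "__main__":
    for candidate in ["PassW0rd", "abc    d", "correct horse battery"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Note that "abc    d" is 8 characters as typed but only 5 after the space rule, which is exactly the case the third bullet exists for. There is deliberately no check for character classes or age, in line with the rules above.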

Why are the NIST requirements so relaxed compared to what we often see, namely:

your password should include lower- and upper-case letters, numbers, and special symbols, be at least 10 characters long, and be changed periodically?

Initially, the only threat model taken into account was password guessing, that is, a brute force attack. In real life, more effective ways exist to find a user's password.

Alex Weinert, Director of Identity Security at Microsoft, shares his team's experience in the blog post “Your Pa$$word doesn't matter”.

They identified the main types of attack as:

  • Password reuse: same password used on many sites
  • Password spraying: having a list of usernames, try the same password from the top ten most used (even the top two work) against each account
  • Phishing

Low-frequency attacks

  • Keystroke logging
  • Local discovery
  • Brute force: in the online world brute force is hardly possible at all. Every attempt takes a considerable amount of time. A properly configured network detects successive failed attempts and blacklists that IP. Provided the password is not “123456” or “passw0rd” from the top ten most used, the password will not be cracked that way.

Hence, in the end, the complexity of the password does not matter (excluding the top ten most frequently used).
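The verifier-side detection the brute-force bullet relies on can be illustrated on a few login records. The block below is an added example, not PassHub's or Microsoft's code; the log lines and their format are constructed for it (real systems such as an IdP audit log carry the same three fields: time, outcome, account, source IP, in their own layout). It flags two patterns from the list above: repeated failures against one account from one IP (the case to rate-limit or blacklist), and password spraying, where one IP fails against many different accounts only once or twice each and so never trips a per-account lockout. The thresholds and the 5-minute window are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical verifier format (RFC 5737 test IPs).
SAMPLE_LOG = """\
2022-01-15T10:00:01Z FAIL user=alice ip=203.0.113.7
2022-01-15T10:00:03Z FAIL user=alice ip=203.0.113.7
2022-01-15T10:00:04Z FAIL user=alice ip=203.0.113.7
2022-01-15T10:00:06Z FAIL user=alice ip=203.0.113.7
2022-01-15T10:00:08Z FAIL user=alice ip=203.0.113.7
2022-01-15T10:00:09Z FAIL user=alice ip=203.0.113.7
2022-01-15T10:01:00Z OK   user=bob   ip=198.51.100.2
2022-01-15T10:02:00Z FAIL user=carol ip=198.51.100.9
2022-01-15T10:02:01Z FAIL user=dave  ip=198.51.100.9
2022-01-15T10:02:02Z FAIL user=erin  ip=198.51.100.9
2022-01-15T10:02:03Z FAIL user=frank ip=198.51.100.9
2022-01-15T10:02:04Z FAIL user=grace ip=198.51.100.9
2022-01-15T10:02:05Z OK   user=heidi ip=198.51.100.9
2022-01-15T10:30:00Z FAIL user=bob   ip=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")

WINDOW = timedelta(minutes=5)     # assumed detection window
BRUTE_FORCE_THRESHOLD = 5         # failures from one IP on one account inside WINDOW
SPRAY_MIN_ACCOUNTS = 5            # distinct accounts failed from one IP inside WINDOW


def parse(log_text):
    """Turn log text into (timestamp, outcome, user, ip) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line must not crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(log_text):
    """Return {ip: {"brute_force": [accounts], "spraying": n_accounts}} for suspicious IPs."""
    failures = defaultdict(list)  # ip -> [(ts, user)] for FAIL events only
    for ts, outcome, user, ip in parse(log_text):
        if outcome == "FAIL":
            failures[ip].append((ts, user))

    findings = {}
    for ip, events in failures.items():
        events.sort()  # sliding window below relies on time order
        hammered = set()
        spray_accounts = 0
        for start, (t0, _) in enumerate(events):
            per_user = defaultdict(int)
            for t, u in events[start:]:
                if t - t0 > WINDOW:
                    break
                per_user[u] += 1
            # brute force: one account hit repeatedly from this IP
            hammered.update(u for u, n in per_user.items() if n >= BRUTE_FORCE_THRESHOLD)
            # spraying: many accounts, each touched only once or twice
            if len(per_user) >= SPRAY_MIN_ACCOUNTS and max(per_user.values()) <= 2:
                spray_accounts = max(spray_accounts, len(per_user))
        report = {}
        if hammered:
            report["brute_force"] = sorted(hammered)
        if spray_accounts:
            report["spraying"] = spray_accounts
        if report:
            findings[ip] = report
    return findings


if __name__ == "__main__":
    for ip, report in detect(SAMPLE_LOG).items():
        print(ip, report)
```

On the sample data the first IP is reported for brute force against alice and the second for spraying five accounts, while the lone failure for bob half an hour later is ignored. Keying everything on the source IP is the page's model; spraying spread across many IPs additionally needs aggregation per account and per password hash of the failed attempt, which this example does not do.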

Today the average user has more than 100 accounts. The requirement to have a unique password for each site makes it impossible to know all the passwords by heart. Passwords are no longer “Memorized Secrets”. Users write them on paper, store them in a file, or, best of all, keep them in a password manager.

With password managers, it is natural to use the built-in random password generator to get new passwords. By default, the PassHub generator produces 12-character passwords with upper- and lower-case letters, digits, and special symbols, to satisfy even the most exotic requirements of some service providers.
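For readers who want to see what such a generator involves, here is an added example (not PassHub's generator, whose alphabet and method are not described here). It draws every character uniformly from a CSPRNG over the combined alphabet and uses rejection sampling to guarantee all four classes are present, which keeps the output uniform over all qualifying strings; the common "pick one of each class, then shuffle" approach biases the distribution. The special-character set is a constructed choice, since some services reject particular symbols.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_~"   # constructed subset; adjust to what a service accepts
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 12) -> str:
    """Uniformly random password over ALPHABET that contains every character class.

    Rejection sampling: draw a uniform string from the secrets module, discard it
    if any class is missing. Each accepted string is equally likely.
    """
    if length < len(CLASSES):
        raise ValueError("length too small to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing entropy of a uniform password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(), f"~{entropy_bits(12):.1f} bits")
```

With this 76-character alphabet a 12-character password carries close to 75 bits of guessing entropy, far beyond anything an online guessing attack can cover; the class requirement costs only a fraction of a bit.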

Still, there are some special cases when randomly generated long passwords are hardly usable. The first is the password for your computer: there is no way to autofill or even copy/paste it before the computer starts. That is when you need to memorize the password.

Another example is the password for your password manager, if it is based on login/password authentication. It may be less critical for local applications like KeePass, but online password managers need special attention.
Password manager security should now be a major concern, and multifactor authentication is not a premium option but the point where the whole thing starts.

PassHub does not use login/password authentication at all. Instead, it is based on WWPass multifactor authentication (MFA). Not only does WWPass MFA provide a higher level of security, it also generates a client-side encryption key for the user data. The key is not known to WWPass itself and becomes available to the browser only as a result of authentication. The key has full 256-bit entropy; it is not derived from a password with PBKDF2 or Argon2d functions.

SUMMARY

Password security lies not so much in the length or complexity of the password. What really matters is

  • A properly built attack detection system on the verifier side
  • Use of password managers
  • Multi-factor authentication