Why do security experts claim that password complexity is not so important?



Opinions such as 'longer passwords are better, so mix in alphanumeric characters' and 'it is important to create a password that others cannot guess' are widely accepted, but Alex Weinert of Microsoft's identity protection team says that 'the discourse on passwords is often exaggerated, and in fact the length and complexity of passwords is not so important.'

Your Pa$$word doesn't matter - Microsoft Tech Community - 731984

Weinert, who works on security at Microsoft, says that about once a week he ends up discussing why so much hyperbole about passwords is circulating. While claims such as 'use a password nobody has ever used' and 'use as long a password as possible' are widely accepted, these claims seem to contradict the reality seen by the security protection team of Weinert and his colleagues.

'It all distracts from what really matters for security, such as multi-factor authentication and improved accuracy in detecting security threats,' said Weinert. To understand why password length and complexity are not so important, it helps to understand how a malicious attacker actually breaks through a password.



The main methods known at the time of writing by which an individual's password is compromised, and how much the password itself matters to each attack, are as follows.

◆ 1: Credential stuffing attack → Password is not important
Credential stuffing is an attack in which leaked account information is used to automatically attempt unauthorized access to a variety of services. According to Weinert, credential stuffing is a very common attack method. In this case the attacker has already obtained the leaked 'correct password', so it makes no difference to security how complex the password is.

◆ 2: Phishing → Password is not important
Phishing sends e-mails spoofed to look like they come from companies and the like, leading recipients to fake web pages in order to obtain account information. Weinert points out that 0.5% of all incoming e-mail is phishing and that it is a familiar threat to people, but again the password itself has nothing to do with it. What is effective against phishing is improving Internet literacy so that people are not fooled.

◆ 3: Key logging by malware → Password is not important
Key logging refers to software or hardware that records what you type on the keyboard. Some malware performs key logging and sends the recorded keystrokes to a third party. In this case the malware records the keystrokes correctly no matter how complex a string the password is. Still, according to Weinert, it is not a very common attack method.



◆ 4: Finding the password from various clues → Password is not important
For example, a criminal can actually find the password from a note left behind by someone who could not remember it, or by searching shared files for text containing the password; this method is not used much and its likelihood is low. Even so, if the attack succeeds the criminal obtains the correct password, so it does not matter how complex the password is.

◆ 5: Password acquisition by intimidation → Password is not important
Threats such as 'hand over the password or I'll expose an important secret' appear occasionally in films and other fiction, but it is rare for a malicious person to actually make such a threat. Again, the password itself is not important.

◆ 6: Password spray attack → Password is a little important
A password spray attack attempts to log in to a large number of accounts using the 'same common password'. Password spray attacks have increased in recent years, and according to Weinert the passwords of more than 100,000 people are broken in a single day. In this case the attacker does not actually possess the account's password, but attacks gradually using 'several commonly used passwords'. So unless you use a simple password like 'qwerty', '123456' or 'pass1234', the complexity of the password does not matter much.

◆ 7: Brute force attack → Password is a little important
A brute force attack, which tries to break a password by entering every theoretically possible pattern, is almost unheard of unless the target is very important. Because of how brute force works, a longer password does improve security in this case.
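As an added example, not from the article or from Weinert's post, here is a defender-side check that tells the spray pattern described above (one source, many accounts, few attempts each) apart from brute force (one account, many attempts) in authentication logs; the log format, thresholds and sample lines are constructed assumptions.

```python
"""Password-spray detection over constructed auth log lines (added example).
A spray tries one common password across many accounts, so the signal is one
source failing against many DISTINCT usernames with few attempts each; brute
force looks the opposite. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source_ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2019-08-21T10:00:01 203.0.113.5 alice FAIL
2019-08-21T10:00:02 203.0.113.5 bob FAIL
2019-08-21T10:00:03 203.0.113.5 carol FAIL
2019-08-21T10:00:04 203.0.113.5 dave FAIL
2019-08-21T10:00:05 203.0.113.5 erin FAIL
2019-08-21T10:00:06 203.0.113.5 frank OK
2019-08-21T10:00:07 198.51.100.9 alice FAIL
2019-08-21T10:00:08 198.51.100.9 alice FAIL
2019-08-21T10:00:09 198.51.100.9 alice FAIL
2019-08-21T10:00:10 198.51.100.9 alice FAIL
2019-08-21T10:00:11 198.51.100.9 alice FAIL
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: [usernames]} for sources whose failures, inside any
    `window`, cover >= min_users distinct accounts at <= max_per_user each."""
    failures = defaultdict(list)  # source_ip -> [(ts, user)], failed logins only
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            failures[ip].append((ts, user))
    suspects = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over this source
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                suspects[ip] = sorted(per_user)
                break
    return suspects
```

The second source in the sample (five failures against one account) is deliberately not flagged, since that shape is brute force or a user mistyping, not a spray.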


From the attack patterns above, it can be seen that the complexity of the password itself is not so important in many of the attacks that actually occur. The password matters to some degree in two of them, password spray and brute force attacks, but for password spray Weinert pointed out that the set of passwords attackers try is very small. Below are the top 10 passwords attackers use in password spray attacks.

1: '123456'
2: 'password'
3: '000000'
4: '1qaz2wsx'
5: 'a123456'
6: 'abc123'
7: 'abcd1234'
8: '1234qwer'
9: 'qwe123'
10: '123qwe'

Since an attacker sprays only a very small number of passwords, a password spray attack can easily be prevented by incorporating a word known only to you. If it is not something that would appear in a ranking of dangerous passwords, it is almost certainly fine, says Weinert.

Worst passwords of 2018: the top spot is still '123456' - GIGAZINE

Also, quite apart from the fact that an attacker is unlikely to attempt a brute force attack in the first place, creating a password longer than 9 characters greatly reduces the chance of being breached by brute force.
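The following added example (not code from the article or from Microsoft) turns the two points above into a screening check: reject anything on the spray list, then enforce the length guidance. The case-folding, leet substitution and trailing-digit stripping are assumed heuristics so that trivial variants such as "P@ssw0rd1" are also caught.

```python
"""Screen a candidate password against the spray list quoted in the article
(added example). Case-folding, leet substitutions and trailing-digit stripping
are assumed heuristics so trivial variants such as "P@ssw0rd1" also fail; the
minimum length follows the article's "longer than 9 characters" guidance."""
import re

# Top 10 spray passwords from the article, plus the examples it names in text
BANNED = {"123456", "password", "000000", "1qaz2wsx", "a123456",
          "abc123", "abcd1234", "1234qwer", "qwe123", "123qwe",
          "qwerty", "pass1234"}
MIN_LENGTH = 10  # "longer than 9 characters"
# Common substitutions attackers and users both know (assumed mapping)
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o",
                      "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def normalize_variants(pw):
    """Return the set of normalized forms of pw that are compared to BANNED."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low) or low  # drop trailing digits/symbols
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}

def check_password(pw):
    """Return (accepted, reason). Banned-list match is checked before length,
    since a banned string is rejected regardless of how long it is."""
    for form in sorted(normalize_variants(pw)):
        if form in BANNED:
            return False, f"banned: matches '{form}'"
    if len(pw) < MIN_LENGTH:
        return False, f"too short: {len(pw)} < {MIN_LENGTH}"
    return True, "ok"
```

In a real deployment the banned set would be a much larger list kept up to date from observed spray attempts, but the matching logic stays the same.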

Weinert pointed out that the complexity of the password itself has no major impact on security unless the password is extremely weak. Rather than worrying about passwords, he concludes, enhancing device security and net literacy and using multi-factor authentication that combines the password with other factors is far more important than password complexity.


in Security, Posted by log1h_ik