NERC CIP-007-5 (Systems Security Management) Requirement 5 (System Access Control) requires, for High and Medium Impact BES Cyber Assets, a password length of at least eight characters and a minimum password complexity of three different types of characters. (The Requirement includes provisions for Cyber Assets that do not support these minimums.)
There is a good reason for this requirement. A common and simple password attack involves testing every possible password until the one that works is found. This is known as a brute-force attack, or, less violently, as an exhaustive key search. Longer passwords and passwords drawn from a larger set of character options (that is, more distinct characters that may appear in the password) provide better protection against such attacks. Let's take a look at the numbers.
The number of possible passwords is equal to the number of character options (the number of possible values for each character used to form the password) raised to the power of the number of characters in the password (its length). For example, a standard ATM PIN made up of four numeric characters, each of which can be one of ten possible values (0, 1, 2, …, 9), has 10^4 or 10,000 possible combinations.
Now let's add alphabetic characters into the password mix. The Latin alphabet used for most western languages has 26 characters, so now our four-character password has 36 options for each character, leading to 36^4 or 1,679,616 possible combinations.
But wait! We have upper and lower case characters in our alphabet. Using both in our passwords gives us 62 character options and 62^4 or 14,776,336 possible combinations. And if we go to the NERC CIP password length requirement of eight characters, that is 62^8 or 218,340,105,584,896 possible combinations.
Now let's throw in some punctuation characters. If we allow !, @, #, $, %, ^, &, *, (, ), -, +, =, ~, ', ", ., ,, <, > and ?, that is 21 more characters for a total of 83. The possible combinations are now 83^8 or 2,252,292,232,139,041. That's more than a quadrillion! (I thought bazillion came after trillion. I looked it up; turns out I was wrong.)
You may have noticed that increasing the length of the password has a greater effect than increasing the number of character options. A four-character password made up of four character options has 4^4 or 256 possible values. Doubling the number of character options to eight increases the possible values to 8^4 or 4,096. Leaving the number of character options at four but doubling the length to eight increases the possible values to 4^8 or 65,536. Increasing the number of character options has a polynomial effect (the count grows as the options raised to a fixed power), while increasing the length has an exponential effect (each extra character multiplies the count by the number of options). So here is a tip: with the 95 printable ASCII characters as options, every four extra characters multiply the search space by 95^4, about 81 million, so if you want to make your password roughly 80 million times harder to crack, use 12 characters instead of eight.
While length is the dominant effect, having as many character options as possible is also important. A bazillion, or even a quadrillion, is a lot more than a trillion, so it is important to require punctuation characters as well as uppercase, lowercase and numeric characters. There is no technical reason why an authentication system should not support all 95 printable ASCII characters (the 52 letters, 10 digits, 32 punctuation characters and the space). (ASCII, American Standard Code for Information Interchange, is the character-encoding scheme used by most computer systems.) I find systems that support some but not all punctuation characters annoying. (You mean I can use $, @, #, % and & but not !? $@#%&!!!!)
Why are length and complexity important? Because long and complex passwords are less prone to brute force attacks. Brute force attacks or exhaustive key searches work by generating and testing every possible password until the one that works is found. This is a game of time and computing power. Computing power determines the rate at which possible passwords can be generated, and then time determines how many possible passwords are actually generated.
There is a password generating tool that I could download right now if I wanted to that claims to generate eight million passwords per second. Using such a tool, the correct password might be generated on the first try, or on the last try, or any try in between. The average time it takes to find the correct password will be the time it takes to generate half the total possible passwords. The table below shows the number of passwords possible using the 95 character options available in the full ASCII printable character set and various password lengths, and the average time it would take to find the correct password testing eight million passwords per second.
| Length | Possible Passwords (95^Length) | Average Time to Crack at 8 million guesses/second |
|---|---|---|
| 4 | 81,450,625 | 5 seconds |
| 6 | 735,091,890,625 | 13 hours |
| 8 | 6,634,204,312,890,625 | 13 years |
| 10 | 59,873,693,923,837,890,625 | 119,000 years |
| 12 | 540,360,087,662,636,962,890,625 | 1 billion years |
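The following is an added example, written for this post rather than taken from it, that does the arithmetic above from first principles: it computes the size of the search space for a given alphabet and length, the expected time for an exhaustive search at the 8 million guesses per second quoted above, the length-versus-options comparison, and a checker for the eight-character, three-character-type rule. The character classes, the guess rate and the policy thresholds are taken from the text; the function names and the choice of `string.punctuation` plus the space as the "punctuation" class (which is what brings the total to 95 printable ASCII characters) are my assumptions. Years are counted as 365.25 days, so the ten-character row comes out at about 118,600 years where the table rounds to 119,000.

```python
"""Password search-space and brute-force time estimates (added example).

Assumptions (not from the original post): character classes are built from
Python's string module, guess rate defaults to the 8,000,000/s quoted in the
text, and the policy thresholds default to NERC CIP's 8 characters / 3 types.
"""
import string

# Character classes as a CIP-style complexity rule would count them.
# 26 + 26 + 10 + 33 = 95 printable ASCII characters in total.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation) | {" "},  # 32 symbols plus the space
}
PRINTABLE_ASCII = sum(len(chars) for chars in CLASSES.values())  # 95


def keyspace(options: int, length: int) -> int:
    """Number of possible passwords: options ** length, in exact integer math."""
    return options ** length


def average_crack_seconds(options: int, length: int,
                          guesses_per_second: int = 8_000_000) -> float:
    """Expected time for an exhaustive search.

    The correct guess is equally likely to be anywhere in the keyspace, so on
    average the attacker tests half of it before hitting it.
    """
    return keyspace(options, length) / (2 * guesses_per_second)


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years use 365.25 days)."""
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:,.0f} seconds"


def crack_table(lengths=(4, 6, 8, 10, 12), options: int = PRINTABLE_ASCII,
                guesses_per_second: int = 8_000_000):
    """Reproduce the post's table: (length, keyspace, average time) rows."""
    return [(n, keyspace(options, n),
             human_time(average_crack_seconds(options, n, guesses_per_second)))
            for n in lengths]


def length_vs_options(options: int = 4, length: int = 4) -> dict:
    """Compare doubling the alphabet against doubling the length."""
    return {
        "base": keyspace(options, length),
        "double_options": keyspace(2 * options, length),
        "double_length": keyspace(options, 2 * length),
    }


def character_classes(password: str) -> set:
    """Names of the classes actually present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_cip_policy(password: str, min_length: int = 8,
                     min_classes: int = 3) -> bool:
    """Length and complexity check in the shape CIP-007-5 R5 describes."""
    return (len(password) >= min_length
            and len(character_classes(password)) >= min_classes)


def effective_options(password: str) -> int:
    """Alphabet an attacker must search if they know which classes were used.

    This is why class count matters: a lowercase-only password of length 8
    lives in a 26**8 space, not a 95**8 one, whatever the policy allows.
    """
    return sum(len(CLASSES[name]) for name in character_classes(password))


if __name__ == "__main__":
    for length, space, when in crack_table():
        print(f"{length:>2} chars: {space:>33,} passwords, ~{when}")
    print(length_vs_options())
    for pw in ("password", "Pa55w0r", "Tr0ub4dor&3"):  # constructed samples
        print(pw, meets_cip_policy(pw), character_classes(pw),
              effective_options(pw))
```

Run it as a script to print the table and the sample policy checks; the policy checker deliberately does not inspect dictionary words or reuse, so it measures only the search space the post is talking about, not whether the password is a good one.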
A long and complex password is a safer password.
The post Passwords by the Numbers appeared first on Encari LLC.