Sufficiently Secure

I use the term Sufficiently Secure when describing passwords, pass phrases, and sometimes encryption and security practices in general.  This is an explanation of what I mean by that term.

First, there is no such thing as perfect security.  Somewhere, somehow, there is or will be a flaw that an attacker can exploit and until that happens, all we know is that things seem secure for the moment and we’ve taken as many precautions as we deem reasonable at the time.  To help come to a conclusion, we can make assumptions based on current methods, attacks, and tools that are identified in the wild.  Some of those assumptions may be proven to be faulty in time, but that is a risk I choose to take based on the given situation.  From time to time I review my assumptions when it comes to security as new attacks are discovered and I encourage everyone to do the same.

Most commonly, I use sufficiently secure to describe a password or pass phrase.  In that context, I currently mean that a credential should be at least 16 characters in length and be structured like a nonsense sentence complete with spaces and punctuation if possible.

The reason I use 16 characters is that, based on the latest password-cracking hardware (as of 2015) and assuming an all-lowercase, letters-only password, it would take 3 thousand years to brute force every possibility.  Statistically, a brute-force attack doesn’t have to go through all possibilities, because the answer is found somewhere along the way.  It’s common to assume success by the halfway point.  So that puts us at 1,500 years.  Knowing that technology improves every year and that attackers can pool their resources, we’ll cut that in half again to 750 years.  I consider it very unlikely, but not completely impossible, that an attacker could improve on that speed substantially in the near future.

So if it will take an attacker 750 years to brute force a 16-character, lowercase, letters-only password, I consider that secure enough to sleep at night.  Add in a number or two, punctuation and spaces to form a sentence like “Pop d0g cumulus!” and that takes us to 1 trillion years.  So I don’t have any fear of that being brute-forced in anyone’s lifetime, even with substantial gains in technology and methodology.
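The arithmetic behind those figures, as an added example that is not part of the original article: the keyspace is alphabet size to the power of length, the guess rate is back-calculated from the article’s own “3 thousand years for 16 lowercase letters” figure (an assumption for calibration, not a measured number), and the article’s two halvings are applied on top.

```python
"""Brute-force time estimates using the heuristics described in the article.

Constructed assumptions: the guess rate is derived from the article's
"~3,000 years to exhaust 26^16" figure, and a year is 365.25 days.
"""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 space/punctuation = 95
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation) + 1,  # punctuation plus the space character
}

def alphabet_size(password: str) -> int:
    """Size of the standard character set an attacker must cover for this password."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return sum(CLASS_SIZES[c] for c in present)

def keyspace(alphabet: int, length: int) -> int:
    return alphabet ** length

def implied_guess_rate(years: float = 3000.0, alphabet: int = 26, length: int = 16) -> float:
    """Guesses per second implied by the article's '3,000 years for 26^16' figure."""
    return keyspace(alphabet, length) / (years * SECONDS_PER_YEAR)

def years_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Years to try every candidate in the keyspace at the given guess rate."""
    return keyspace(alphabet, length) / rate / SECONDS_PER_YEAR

def sufficiently_secure_years(password: str, rate: float) -> float:
    """Article heuristic: halve for expected halfway success, halve again for hardware gains."""
    full = years_to_exhaust(alphabet_size(password), len(password), rate)
    return full / 2 / 2

if __name__ == "__main__":
    rate = implied_guess_rate()
    for pw in ["sixteenlowercase", "Pop d0g cumulus!"]:  # constructed sample inputs
        print(f"{pw!r}: about {sufficiently_secure_years(pw, rate):.3g} years")
```

The lowercase sample reproduces the article’s 750-year figure exactly, and the mixed sentence lands in the same trillion-year range the article cites.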

Even if it were possible to build a device to crack that password faster, once you weigh that option against other, more straightforward options, it’s just not very likely to happen.  Faced with hundreds or thousands of dollars in equipment costs, dozens of people having to work together, and no promise of success at the end, an attacker would sooner pick up a gun and kidnap me than try to brute force a password like that.

What attackers actually do (as proven time and again by real-world interviews and forensic analysis) is take the path of least resistance.  For example, an attacker may try to brute force a password for a few hours or days, but if that isn’t successful quickly, they move on to other methods.  There might be some determined attacker who has been brute forcing a single password for the last decade, but changing that password with any frequency at all throws away all of that work.  It’s an extremely risky investment with very little chance of success, so why waste that much time?

Next year, or next decade, sufficiently secure might mean more characters, or it might mean certificate-based authentication only.  Only time will tell.  But for now, 16 characters in a nonsense sentence is what I call sufficiently secure.  Nonsense sentences are often easy to make longer, however, so 20-30 characters will be even better and more future proof.

[2022 update]

I still stand by this overall philosophy.  I still consider 16 characters ‘sufficiently secure’ for passwords/passphrases.  Cracking technology has evolved as expected, but no method is anywhere close to cracking a 16-character password in less than 100 years without either an exact match in a password breach list or a major technical flaw in the password storage mechanism.  16 characters is still where I’m at for length, but there are many other factors to consider when it comes to passwords and authentication as a whole.

This original article was intended only to explain the term ‘sufficiently secure’, but since it alludes to the broader issue of authentication, if I were writing it today it would be prudent to expand on several important related points:

  1. The importance of multi-factor authentication (MFA) cannot be stressed enough.  MFA is not a silver bullet and has its own nuances to discuss, but at the very least, it must be enabled on all sensitive public-facing systems, especially email accounts.
  2. The most common attacks now are email-based (phishing attacks) and are highly successful at convincing users to click on links and reveal credentials.  Strong passwords and MFA together can be defeated easily if the authorized employee is tricked into doing the bad actor’s work for them.  Phishing protection technologies and training are very important.
  3. Password breaches are very common, so password re-use is a very real threat.  If you have a 32-character password but use it for multiple systems, then once one of those systems has a breach, all of the other systems are vulnerable.  Bad actors know this and actively exploit it.  The Disney+ streaming service saw a huge number of account takeovers on day one because when users signed up for the brand new service, they re-used passwords that had been breached elsewhere.
  4. Any discussion about authentication inevitably includes the idea that passwords are ‘dead’ as an authentication method.  I myself am in favor of a certificate-based system that uses certificate automation of the ACME variety along with password managers and browser integration.  I believe we already have 75% or more of what we need for this transition in place, and all that is left is cooperation and integration from a few key players.  We’ll see what the industry lands on, but simple username & password combinations do need to go away.