Subscriber Discussion

Do You Use Long Passwords, Or "Complex" Passwords?

Brian Karas
Dec 13, 2016
IPVM

This is an interesting illustration, showing that strong passwords are more about length than having "special" characters, numbers, mixed case letters, and so forth:

Should companies that try to enforce strong passwords have a longer minimum length limit?

(7)
Ryan Hulse
Dec 13, 2016

NIST seems to agree. Their updated guidelines recommend not forcing special characters and allowing at least a max of 64 characters.

https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

(2)
Ethan Ace
Dec 13, 2016

My typical password is a base of 12 characters, usually with 2-5 more added. I don't have wacky special characters all throughout it, though I do often throw in an uppercase or a number just to make it that much more complex (which isn't much). I like to call it "simply complex".

I think manufacturers need to get onboard with making lengths longer. And pet peeve: not allowing most of the special characters on the keyboard is downright silly (though I understand this varies by region). There are multiple cameras that won't accept tilde ~ and it drives us nuts.

(2)
Jon Dillabaugh
Dec 14, 2016
Pro Focus LLC

This is the crux of my life too! What else can one do when a simple dash just isn't hipster enough!

-

(1)
Undisclosed #1
Dec 14, 2016
IPVMU Certified

Slightly misleading to say length beats complexity. Modifying one character to a symbol, etc., when there wasn't one before yields greater strength than adding another lower-case letter:

One-character-at-a-time modification, complexity vs. length, using their tool:

(2)
Brian Karas
Dec 14, 2016
IPVM

I think your example just shows that their tool is making some assumptions about decoding, based on the input given.

In a true real-world case, you would not know how complex the user's password is, so you have to assume it can contain any of the ~90 printable characters (a-z, A-Z, 0-9, ~-/) in any combination. This would make "complexitya" and "C0mpl3xityA" statistically identical, but time to crack would depend on how you approached it (do all 1-character combinations, then all 2-character combinations, etc., or fully random, or increment through dictionary words, common letter/number substitutions, and so forth).

If we know things about the system, like it will allow an alphabet-only password of all lower case characters you could make assumptions that let you greatly speed up cracking the password.

It would also depend on if we were trying to find a specific password (ex: the root password from the Sony backdoor) vs. crack a bunch of hashes to create a rainbow table. For the Sony password case, we do not know anything about the password length or complexity, so we would have to try every option. If we had a dump of hashed user passwords, we could probably decode the majority of them relatively quickly, but long/complex outliers would take significantly longer.

If we knew the site that a dump was procured from enforced rules like "must have at least 1 upper case character and 1 special character" we could crack that FASTER, because you can eliminate trying all combinations that did not meet those requirements.

In general, pure dictionary words are bad, but I personally think that "Complexityhij" (a slightly modified dictionary word) would take more time for the average attacker to crack than "$Fj*b1" (a highly complex password) if all they had to go on was a set of hashed password data.

Undisclosed #1
Dec 14, 2016
IPVMU Certified

In a true real-world case, you would not know how complex the user's password is, so you have to assume it can contain any of the ~90 printable characters (a-z, A-Z, 0-9, ~-/) in any combination.

That's true, but with your typical DES hash, even if you don't know anything about the complexity you still try all the combinations of lowercase letters first.

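An added illustration (editor's example, not part of any post in this thread) of the three search-cost models the replies above argue over: the keyspace a password "earns" when the attacker knows exactly which character classes it uses, the cost of an exhaustive search over all ~94 printable characters by increasing length, and a "cheap sets first" search that exhausts lowercase-only candidates before widening the alphabet. The sample passwords are the ones quoted in the thread; the tier order and the per-tier maximum length are assumptions of the model, not anything the posters specified. Counts are candidate guesses, not times.

```python
"""Password search-cost models for the length-vs-complexity debate (added example)."""
import string

LOWER = string.ascii_lowercase                 # 26 characters
UPPER = string.ascii_uppercase                 # 26
DIGITS = string.digits                         # 10
SYMBOLS = string.punctuation                   # 32
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS    # 94 printable ASCII (space excluded)

CLASSES = [("lower", LOWER), ("upper", UPPER), ("digit", DIGITS), ("symbol", SYMBOLS)]

# Assumed order in which a "cheap sets first" attacker widens its alphabet.
TIERS = [
    ("lower", LOWER),
    ("lower+digit", LOWER + DIGITS),
    ("mixed+digit", LOWER + UPPER + DIGITS),
    ("printable", PRINTABLE),
]


def _covers(charset, pw):
    return all(c in charset for c in pw)


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return [name for name, cs in CLASSES if any(c in cs for c in pw)]


def minimal_keyspace(pw):
    """Best case for the attacker: exact length and exact classes known.

    Returns |union of used classes| ** len(pw). Swapping one lower-case letter
    for a symbol multiplies the base (26 -> 58); appending a lower-case letter
    multiplies by 26 once, which is why the symbol swap wins at equal length.
    """
    if not pw or not _covers(PRINTABLE, pw):
        raise ValueError("expected a non-empty printable ASCII password")
    used = classes_used(pw)
    alphabet = sum(len(cs) for name, cs in CLASSES if name in used)
    return alphabet ** len(pw)


def guesses_full(pw, alphabet_size=len(PRINTABLE)):
    """Attacker assumes nothing: every position may be any printable character,
    lengths are tried 1..len(pw). Depends only on length, so "complexitya" and
    "C0mpl3xityA" cost exactly the same here."""
    return sum(alphabet_size ** k for k in range(1, len(pw) + 1))


def tier_index(pw):
    """Index of the first TIERS alphabet that can express pw."""
    for i, (_, cs) in enumerate(TIERS):
        if _covers(cs, pw):
            return i
    raise ValueError("password contains characters outside printable ASCII")


def guesses_tiered(pw, max_len):
    """Cheap-sets-first attacker: exhaust every tier up to max_len before
    widening. Worst-case guesses until the tier containing pw is exhausted.
    Simplification: later tiers re-enumerate strings earlier tiers already
    covered; mask attacks in real tools avoid most of that duplication."""
    if len(pw) > max_len:
        raise ValueError("max_len must be >= len(pw)")
    target = tier_index(pw)
    total = 0
    for i, (_, cs) in enumerate(TIERS):
        total += sum(len(cs) ** k for k in range(1, max_len + 1))
        if i == target:
            return total


def report(pw, max_len):
    """All three figures for one password, for side-by-side comparison."""
    return {
        "password": pw,
        "classes": classes_used(pw),
        "minimal_keyspace": minimal_keyspace(pw),
        "guesses_full": guesses_full(pw),
        "guesses_tiered": guesses_tiered(pw, max_len),
    }


if __name__ == "__main__":
    # Passwords quoted in the thread; max_len 13 covers the longest of them.
    for pw in ("complexity", "complexitya", "complexit!", "C0mpl3xityA",
               "Complexityhij", "$Fj*b1"):
        r = report(pw, 13)
        print(f'{pw:14} {"+".join(r["classes"]):24} '
              f'min={r["minimal_keyspace"]:.3g}  full={r["guesses_full"]:.3g}  '
              f'tiered={r["guesses_tiered"]:.3g}')
```

Running the script shows the two claims coexisting: under `guesses_full` the two eleven-character passwords are identical, as Brian says, while under `guesses_tiered` the all-lowercase one falls three tiers earlier, as Undisclosed #1 says; `minimal_keyspace` shows the symbol swap (58^10) beating the appended letter (26^11) from the "one character at a time" comparison.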
Josh Hendricks
Dec 14, 2016
Milestone Systems

I use LastPass to manage my passwords. Every service gets a unique password, and sometimes username. I don't have a hard and fast rule for password length or complexity, but in general they are at least 8-12 characters and much longer for critical accounts, and always very random. It is rare that I have to type them by hand, so it's unimportant how complex they are.

I use dual-factor authentication wherever possible. This doesn't really apply to IP cameras yet, but I use it to protect my LastPass, Google, and bank accounts where possible.

Long passwords are good

Complex passwords are good

Long & Complex passwords are basically uncrackable. Attackers are more likely to find a vulnerability in the service before they crack the password.

(2)
Jeffrey Nunberg
Dec 15, 2016

LastPass is an excellent tool and it is even better when paired with LastPass' two-factor authentication.

(1)
Brent Cowing
Dec 15, 2016

+1 for LastPass. I actually don't know any of my passwords for anything because they've all been generated by LastPass. Of course, access to LastPass is protected by two-factor authentication, and I've enabled 2FA on all other services that support it (which is sadly not as many as it should be).

Something to consider with two-factor: services that send text messages to verify something I own (my phone) in addition to something I know (my password) aren't a good option anymore. Impersonating people in order to gain access to mobile device accounts isn't too uncommon (link), so for the determined hacker, getting access to the second factor isn't impossible. It would be good to see more services implement 2FA with authentication apps (like Google Authenticator) rather than text messages.

Brian Karas
Dec 15, 2016
IPVM

I use 1Password, but I think the functionality is basically the same.

Gert Molkens
Dec 14, 2016
IPVMU Certified

I'm with Joshua, I use LastPass as well, and also two-factor authentication to get into LastPass (YubiKey). Although this last one only works on a PC, so on (not so) smart devices it's only one factor.

(1)