Free Republic

To: anton

The counter argument is that a password is not considered “strong” until the time it takes to break the password (called cracking) via brute force exceeds the change window.

For example:
An 8-character NTLM (Windows) password has a maximum brute force test of 6.6 quadrillion combinations. Since I work in security and as a pen tester, I have built a cracking server that can go through that entire space in less than 15 hours.

That is assuming the worst case scenario. In reality, users are creatures of habit and often use easily guessed passwords. I have compiled a list of over 2 billion passwords by assembling hundreds of password lists from the dark web. Very often when I test a client’s Active Directory accounts, I find about 20% of the passwords are contained in this list. I recently tested a regional financial institution and was able to test their ~2,000 accounts against the 2 billion passwords in about 5 minutes of computer time.

In reality, most users only use upper case, lower case, numbers and keyboard special characters. Adding these up (24 + 24 + 10 + 30) means that the key space is not the full 95 possible but rather 88. So an 8-character password is 88^8 in total size. In reality, it is only about 3.5 quadrillion tests that need to be made.

In essence, it now requires a 10-character password to qualify as “strong”. That would take my cracking server about 6.7 years to go through the entire keyspace. That is well outside the 90 day window for changing the password.

That is why I am telling my customers to adopt a pass PHRASE, instead of a password.


14 posted on 04/25/2018 5:38:21 AM PDT by taxcontrol (Stupid should hurt)
[ Post Reply | Private Reply | To 6 | View Replies ]
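The keyspace-versus-change-window arithmetic in the post above, worked through as an added example (this is not code from any poster in the thread). It assumes the numbers the post gives: 95 printable characters, 88 characters actually used, a server that exhausts the 8-character 95-symbol space in 15 hours, and a 90-day change window. The 7776-word list size used for the passphrase comparison is an assumed, Diceware-sized value, not something the post states.

```python
"""Brute-force exhaustion time vs. password change window (added example)."""
from math import log2

HOUR = 3600
DAY = 24 * HOUR
YEAR = 365 * DAY

# Assumptions taken from the post: 95 printable ASCII symbols, 8 characters,
# and a cracking rig that exhausts that space in 15 hours.
PRINTABLE = 95
USED = 88            # the post's estimate of symbols users actually draw from
HOURS_TO_EXHAUST_95_8 = 15
CHANGE_WINDOW_DAYS = 90


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def guesses_per_second(charset_size, length, hours_to_exhaust):
    """Back out the guess rate implied by 'whole space in N hours'."""
    return keyspace(charset_size, length) / (hours_to_exhaust * HOUR)


def seconds_to_exhaust(charset_size, length, rate):
    """Worst-case time to try every password of this shape at `rate`."""
    return keyspace(charset_size, length) / rate


def strong_for_window(charset_size, length, rate, window_days):
    """The post's definition of 'strong': exhaustion outlasts the change window."""
    return seconds_to_exhaust(charset_size, length, rate) > window_days * DAY


def min_strong_length(charset_size, rate, window_days, max_len=64):
    """Shortest length that is 'strong' for this charset, rate and window."""
    for n in range(1, max_len + 1):
        if strong_for_window(charset_size, n, rate, window_days):
            return n
    return None


def password_bits(charset_size, length):
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * log2(charset_size)


def phrase_bits(word_count, wordlist_size):
    """Entropy of a passphrase built from `word_count` random wordlist picks."""
    return word_count * log2(wordlist_size)


def seconds_to_exhaust_bits(bits, rate):
    """Exhaustion time for any secret of a given entropy, at `rate` guesses/s."""
    return 2 ** bits / rate


if __name__ == "__main__":
    rate = guesses_per_second(PRINTABLE, 8, HOURS_TO_EXHAUST_95_8)
    print(f"implied rate: {rate:.3g} guesses/s")
    for n in (8, 9, 10):
        secs = seconds_to_exhaust(USED, n, rate)
        print(f"{n} chars over {USED} symbols: {secs / DAY:.1f} days, "
              f"strong={strong_for_window(USED, n, rate, CHANGE_WINDOW_DAYS)}")
    print("min strong length:", min_strong_length(USED, rate, CHANGE_WINDOW_DAYS))
    # Assumed 7776-word list: how many random words match a 10-char password?
    for words in (4, 5, 6):
        b = phrase_bits(words, 7776)
        print(f"{words} words: {b:.1f} bits, "
              f"{seconds_to_exhaust_bits(b, rate) / YEAR:.1f} years")
```

Run as-is, the script reproduces the post's conclusion: with 88 symbols, 9 characters fall inside the 90-day window and 10 characters do not, so 10 is the minimum "strong" length under these assumptions. The passphrase lines show why the post's advice works: five words drawn at random from a 7776-word list carry about the same entropy as a 10-character password over 88 symbols, and each extra word adds roughly 13 bits, whereas each extra character adds about 6.5. The comparison only holds for randomly chosen words; a quotation or a common phrase is a dictionary-style guess, not a uniform draw.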


To: taxcontrol

I’m getting more into phrases.

Good thing I’ve seen so many obscure movies and TV shows, plus all of the oddball old books I’ve read; I can mix and match all kinds of nonsense phrases.


15 posted on 04/25/2018 5:51:02 AM PDT by wally_bert (I didn't get where I am today by selling ice cream tasting of bookends, pumice stone & West Germany)
[ Post Reply | Private Reply | To 14 | View Replies ]

To: taxcontrol

All very interesting. Password management has become a bit oppressive, when one has numerous web sites that require a password as well as a username, not to mention the accessory questions designed to supposedly keep your data safe.

I live in fear of the 90 day password change or the six month password change. Why? Because I have 21 pages of hand-entry passwords and usernames that require exacting accuracy, and I rarely need access except annually. So is all this leading to a question? Would not having four or more cracking servers reduce the time to a point that no password would be safe?

Hence password phrasing and just how many of my password entities have the structure that allow phrasing? So, last question, a small explanation of what benefits phrasing brings to the table and is it usable for any site requiring a password?


16 posted on 04/25/2018 6:06:39 AM PDT by wita (Always and forever, under oath in defense of Life, Liberty and the pursuit of Happiness.)
[ Post Reply | Private Reply | To 14 | View Replies ]

To: taxcontrol

No one is gonna crack a password unless you are a target specifically. With millions of hacked passwords for sale for a few dollars each, why would anyone waste time cracking one unless you are a specific target. And, if you are, they are gonna get you some other way.


24 posted on 04/25/2018 12:58:53 PM PDT by anton
[ Post Reply | Private Reply | To 14 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson