Microsoft Says Password Strength Doesn't Matter: Here's Why It Does
Many common attacks foil even the strongest passwords
Your password strength doesn't matter, says a Microsoft security expert. Not the length, not the complexity, not how many special characters it uses. Hackers can get it anyway, and the only thing that truly makes a difference, he says, is whether you have two-factor authentication (2FA) turned on.
"Focusing on password rules, rather than things that can really help," writes Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft in a blog post from earlier this summer, "is just a distraction."
We don't completely agree with Weinert. Password complexity will still slow down attackers in many cases. But he's right that even the strongest password can't defend against a good phishing attack, that a password used more than once might as well be considered gone, and that 2FA -- which Microsoft calls multi-factor authentication, or MFA -- is an absolute necessity.
"Your account is more than 99.9% less likely to be compromised if you use MFA," Weinert writes.
MORE: How to Create Strong, Secure Passwords
Weinert's post, put up on Microsoft's Azure Active Directory Identity Blog in early July, contains an easy-to-understand chart listing several different attacks on passwords, how often they're tried, how successful they are, and whether password complexity helps stop them.
Credential stuffing
One of the most common attacks is credential stuffing, which Weinert says is tried on 20 million Microsoft-associated accounts every day.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Attackers take huge lists of compromised credentials -- passwords and their associated usernames or email addresses -- from past data breaches and try out each set of credentials on other websites.
So if you used "mary.smith@google.com" and "L10nK1Ng333" on LinkedIn (fully compromised in 2012), then an attacker will try those credentials to log into accounts on Facebook, Google, Dropbox, Spotify, Microsoft and several dozen other websites, including banks and online retailers. Odds are, those credentials were reused at least once.
"Passwords are hard to think up," Weinert says in his blog post, adding that "62% of users admit reuse."
The strength of the password doesn't matter with credential stuffing, he writes, because the attacker already has it. The defenses are to never reuse passwords -- and to use 2FA whenever possible to prevent the attacker from logging in even if he or she has the password.
Phishing
Also very common are phishing attacks, which trick the user into typing a password into a phony login page. One in 500 email messages is a phishing lure, Weinert says, and users fall for them because "people are curious or worried and ignore warning signs."
Again, the strength of the password doesn't matter. You've just given the password to the attacker. Two-factor authentication will help block the attack in most cases, but as a commenter on Weinert's post pointed out, good phishers can intercept texted 2FA codes or can trick users into typing 2FA codes into phishing sites.
The best defense against phishing is the most expensive form of 2FA -- a physical security key that communicates with your computer or smartphone via USB, Bluetooth or NFC. You can't duplicate these keys, or forward their communications from a phishing page to a real login page.
Security keys start at about $15 or $20 online, but they may be worth it, and each key creates a different set of encrypted credentials for each online account. Google now requires physical security keys for its employees and supposedly hasn't had a single compromised account since it instituted that rule.
Password spraying
Here's where password strength does matter, sort of. The attacker has a long list of known email addresses (easy to get) and tries to use each one with the 20 or 50 most commonly used passwords to log into many different websites.
This attack won't work in the majority of attempts. But it will work often enough, because millions of people still use "123456" or "qwerty456" or "000000" or even "password" as their passwords. Weinert guesses that hundreds of thousands of accounts are broken into every day through password spraying.
But, he says, only the truly terrible passwords are vulnerable to password spraying. Otherwise, mediocre passwords like "dijskb" (not enough characters, all lower case) are just as safe as strong ones like "V6[zjzau/#q9vK-rd,+:" (20 characters of different cases and types) because they're not among the worst passwords of all.
Brute forcing
This is where password strength truly makes a difference. Weinert says that a good password-cracking computer today could crack "dijskb" in a few seconds, but that a 10-character password using uppercase letters, lowercase letters, numbers and punctuation marks would take about 20 years to crack. We did the math and figured that "V6[zjzau/#q9vK-rd,+:" would take north of 10 septillion years.
That's great, and it really helps in cases where a database is breached AND the passwords are strongly "hashed," i.e. protected by one-way encryption so that they can't be reversed. (When you log into a website, the password you enter is quickly hashed, and the result is compared to the hash that the site stored when you set up the account.)
But here's where we disagree with Weinert. He says that in the event of a data breach, where an attacker is confronted with strongly hashed passwords, the strength of the your password still doesn't matter "unless it's longer than 12 characters and has never been used before -- which means it was generated by a password manager."
We do agree that a good password should be longer than 12 characters. Fifteen characters is where we'd be comfortable now.
But a good passphrase -- random words strung together, with a few character substitutions -- that's long enough will work fine. Don't use the proverbial "correcthorsebatterystaple," because that's well known, but something like "F1n3!$od4?Bu1Ld1ng#4ccur4cy" (based on "finesodabuildingaccuracy") should be fine, won't be cracked for years, and might be easy enough for you to remember while still being very hard to guess.
Password managers and checking new passwords
Weinert goes through a few more types of password attacks -- logging keystrokes, finding someone's passwords written down and flat-out extortion -- and points out that password strength doesn't matter much with them either. But their incidence is so low that you shouldn't worry too much about them.
To really make sure your passwords are as strong as they can be, use a password manager to make sure your passwords are strong, long and unique.
When you make a password up, or a password manager generates one, check the new password to make sure it's not among the hundreds of millions of known compromised passwords at https://haveibeenpwned.com/Passwords before you use it.
HaveIBeenPwned tells us that "correcthorsebatterystaple" has shown up 120 times in data breaches, but that, surprise, "dijskb" has not been seen. Neither has "F1n3!$od4?Bu1Ld1ng#4ccur4cy" or the phrase it was based on, "finesodabuildingaccuracy". But don't use either of those as your own password, because the fact that we've posted them online means they're already kind of compromised.
And, once again, set up two-factor authentication on every account that allows it. Settle for the texted-code factor if that's all that's available. If possible, use authenticator apps like Google Authenticator instead. And if you can afford $20 for a USB security key, use that on every account that supports it.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.