It's always been difficult for users and security experts to come to an agreement when it comes to password creation. Users want something simple and easy to remember so they can just log in without having to think about which password they need for that site, while security experts would like each person to have a complex password with a mixture of capital letters, numbers and symbols. On top of that, they say it's best practice to use a different password for each site: having the same password everywhere leaves you vulnerable, because once it leaks, it leaks for everything. But new research from the Max-Planck-Institute for Physics of Complex Systems has come up with a way to help stop brute force attacks when it comes to hackers trying to steal your password.
Brute force attacks are when hackers run a program that tries every character combination in order to get into your account. This means that the longer and more complex the password is, the longer it will take the hacker to try all the combinations.
The chart shows us that something as simple as using a 7 character password with a random capital letter can increase the time needed from a couple of hours to a few years. The time needed increases further if you add numbers and symbols to the list of requirements for the password, as most sites now enforce.
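To make the time scaling behind the chart concrete, here is an added example (not from the original post or the cited research) that computes the exhaustive-search space for the kinds of policies the chart compares and the minimum length a policy needs to outlast a given cracking budget. The guess rate of one million guesses per second is an assumption; real rates depend on the hash in use and on whether the attacker is guessing online against the site or offline against a stolen database.

```python
# Alphabet sizes for the policies compared above (constructed for this
# example; 94 is the printable ASCII characters excluding space).
POLICIES = {
    "7 lowercase letters": 26,
    "7 letters, mixed case": 52,
    "7 letters and digits": 62,
    "7 letters, digits and symbols": 94,
}

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time to try every candidate at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest unit that fits, for a policy table."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def required_length(alphabet_size, guesses_per_second, target_years):
    """Smallest length whose full search takes longer than target_years."""
    budget = int(target_years * SECONDS_PER_YEAR * guesses_per_second)
    length = 1
    while keyspace(alphabet_size, length) <= budget:
        length += 1
    return length


def policy_table(length=7, guesses_per_second=10**6):
    """Worst-case crack time per policy; the guess rate is an assumption."""
    return {name: worst_case_seconds(size, length, guesses_per_second)
            for name, size in POLICIES.items()}


if __name__ == "__main__":
    for name, secs in policy_table().items():
        print(f"{name:32} {humanize(secs)}")
    for years in (1, 10):
        print(f"{years:2} years at 1e9 guesses/s needs "
              f"{required_length(94, 10**9, years)} chars from a 94-char set")
```

Adding one capital letter to a 7 character lowercase password multiplies the search space by exactly 2^7 = 128, which is why the policy rows diverge so sharply; the required_length function turns the same arithmetic around to answer the question a defender actually asks, namely how long a password must be for a given character set and attacker budget.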
This new research in passwords is meant to stop brute force attacks completely by splitting the password in two. The first half is the user password, which the user is in charge of remembering; the second half is a CAPTCHA image, the distorted image of a word that you have to type in when signing up for accounts to prove that you are not a bot. By combining a user password with a CAPTCHA phrase you instantly stop brute force attacks, as the attacker now has to guess both your password and the randomly generated word in the image.
Having this adds another layer of security to your accounts, but it by no means fully protects them. As a reminder, using the same password for all your accounts leaves you vulnerable: if a less secure website, like a forum, were hacked and your password stolen, all the attacker needs to do is log into your email and they have access to all your accounts, including any financial accounts linked to that email address.
This is still in the research stage, but expect bigger companies to start using methods like this in the distant future, as the less time they have to spend recovering stolen accounts, the more time and resources they can spend on other things.