Why do passwords need to be so complicated?

To understand why so many systems have complexity requirements for passwords, you need to understand a little bit about how passwords are stored and used by the system. Systems should never store your password in plain text - instead, the passwords are encrypted using a one-way encryption algorithm.

When you attempt to log in, the password you type in and submit is then also encrypted, and the resulting cryptographic hash is compared to the one stored on the system. If they match, the system can be sure that the password you typed is the correct password, even though it doesn’t have the original password in storage, only the hash. This is a simplistic explanation, and many systems use additional steps and processes, but we don’t need that level of detail.

If the password storage of the system is compromised, the attacker now has all of the cryptographic hashes of users’ passwords. What the attacker now needs to do is crack the hashes in order to obtain the original password. As we mentioned earlier, the passwords are encrypted using a one-way algorithm, meaning they can’t just simply decrypt the password. Instead, they have to crack it by putting many guesses at your password through the same hashing algorithm, and comparing the hashes of the guesses to the hash of your password.

In some cases, depending on the system where the passwords originated, the attacker might be able to use rainbow tables, which are big tables of pre-calculated hashes, to look up your password hash and avoid the cracking process.

In either case, whether the attacker attempts cracking or whether they attempt to use rainbow tables, the weaker your original password, the greater chance the attacker has of success.

If your password is too short, there is a greater likelihood that it will be in the pre-calculated rainbow table, which means the attacker can learn your original password practically instantly. Also if your password is too short, they’ll be able to crack the password much more easily.

But making passwords longer and more complex is such a pain - and I can never remember them!

The current solution to this problem is using a password manager. With a password manager, you can generate very long and complex passwords, and the password manager stores it so that you don’t have to remember it. You will need to create a very strong master password for the password manager itself - and remember it, but that’s certainly better than having to remember a strong password for every service you use.

Can’t I just use the same really strong password for everything?

No way! Unfortunately, not all systems have good security. Some systems out there may still store passwords in plain text. If their database containing users’ passwords is compromised, then your password is immediately revealed, no matter how strong you made it. If you use the same password for multiple services, then one service being compromised can lead to your account being compromised for every other service where you used the same password.

Attackers are really good at finding out where all a person has used the same password. They’re also good at automating things - so they can do it at lightning speed.

For these reasons, it’s very important to use different passwords for every system or service. You simply cannot trust that a service won’t be compromised, and you can’t know for sure that they’re using good security practices like hashing users’ passwords. Even big sites like Facebook have recently made major security errors that have led to passwords being stored in plain text.

Using unique passwords for every service just makes life that much more difficult - now you not only have to come up with long and complex passwords, but you have to have a different one for every service! The solution is again the use of a password manager.

I’m now using a password manager and making unique and secure passwords for every service, so I’m good?

Unfortunately, the sad reality is that even using secure and unique passwords is not enough protection in this day and time. In addition to using unique and secure passwords, you should also enable 2 factor authentication for every service that has the option. Avoid using text messaging as the 2nd factor authentication option if there are other choices, as using text messaging carries its own risks.

There may come a day…

There may come a day when we no longer need to jump through so many hoops to keep our online accounts secure. Until that time, at least many of the tools that help us with passwords are becoming more prevalent and easy-to-use. There are many options available for password managers, with plenty of features that make them easier to use. More and more services are getting set up to allow 2 factor authentication, and 2 factor authentication tools are also becoming easier to use.