The University System of New Hampshire (USNH) recently implemented a password policy requiring various USNH account holders, including students, faculty and staff, to change their passwords. According to the new password policy, passwords now must be between 14 and 64 characters in length, be sufficiently different from previous passwords, and contain a minimum of five unique characters.
In an email sent to all affected users, UNH Information Technology Communications said that USNH changed the policy in order to “improve information security and protect your privacy.” This short explanation has left many across USNH frustrated over the new change. The previous password policy required only eight characters, and now users have to remember an additional six characters and log back into all services linked to USNH.
USNH is not the only organization to up its password security. USNH Information Technology has yet to respond to a request for comment, but here are some of the reasons why universities, towns and companies across the world have been requiring stronger and longer passwords.
Longer passwords = Increased security
If a password is longer, there is a larger number of possible variations, which in turn makes it more secure. The previous password requirement of eight characters has 52^8 combinations, or 5.34 × 100,000,000,000,000, assuming that lowercase letters, uppercase letters, numbers, and select special characters can be used. The new password requirement of 14 characters has 52^14 different combinations, or 1.06 × 10,000,000,000,000,000,000,000,000. Adding six characters provides nearly a 2 trillion percent increase in the number of combinations. This makes it a lot harder for hackers to get into an account and compromise the security of the whole university.
The website Random Ize has a “How Long to Hack my Password” calculator that users can use to test this out for themselves. Although this calculator is simplified, it does show how a longer password is more secure than a shorter one. For example, the password STUDENT would take two seconds to hack, whereas the password IAMAUNHSTUDENT would take 730 years and six months to hack.
Reduce cyberattack risks
Institutions with poor password security are vulnerable to break-ins and are at an increased risk of cyber terrorism. If USNH experienced a cyber-threat, it could have an impact on the entire function of the university system. Many local governments and companies have recently been affected by ransomware attacks, where a hacker completely blocks hardware and software systems until they receive money from the organization. There has been a piece circulating in the news about an attack in Palm Beach County, Florida, the third most populous county in the state. Strong password security across an entire organization strongly reduces the risk of these cyberattacks and ransomware.
The ‘experts’ recommend it
The National Institute of Standards and Technology releases digital identity guidelines used by organizations like the CIA and FBI, and it recommends that users choose long passphrases that are easy to remember rather than long complex passwords. Users typically have to write down long, randomized, complex passwords, and those written copies can easily be found by hackers. A long passphrase or sentence-like password that a user can easily remember does not pose this risk because it does not have to be written down. This national recommendation is probably why USNH account holders no longer have any special character or casing requirements on their passwords.
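The policy described in this article (14 to 64 characters, at least five unique characters, sufficiently different from previous passwords, no special character or casing rules) can be written as a short checker. This is an added example, not USNH's code: the edit-distance measure and its threshold of 5 are assumptions, since the article does not say how USNH measures "sufficiently different," and the previous passwords are passed in as plaintext only for illustration.

```python
"""Added example: check a candidate password against the policy in the article."""
from __future__ import annotations

MIN_LEN, MAX_LEN = 14, 64   # from the article
MIN_UNIQUE = 5              # from the article
MIN_EDIT_DISTANCE = 5       # assumption: the article gives no threshold


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password(candidate: str, previous: list[str]) -> list[str]:
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if len(set(candidate)) < MIN_UNIQUE:
        problems.append("unique_chars")
    # Compare case-insensitively so a change of casing alone is not "different".
    low = candidate.lower()
    if any(edit_distance(low, old.lower()) < MIN_EDIT_DISTANCE for old in previous):
        problems.append("too_similar")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the first two strings are the article's examples.
    history = ["correct horse battery 1"]
    for pw in ["STUDENT", "IAMAUNHSTUDENT", "aaaaaaaaaaaaaab",
               "correct horse battery 2"]:
        print(f"{pw!r}: {check_password(pw, history) or 'accepted'}")
```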