By Dana Scherff, VP, Information Systems

As you may know, we recently changed North Shore Bank’s password length requirements for employees. Your Windows password must now be at least 14 characters long. (Previously, it had to be only 8 characters.) We wanted to explain why we made this change.

As you can see by the chart below, it doesn’t take much time at all for a hacker to crack an 8-character password. By requiring password lengths of at least 14 characters, we make hackers’ jobs exponentially more difficult — what took approximately eight hours with an 8-character password takes more like 200 million years when you add six characters:

And this is not just theoretical. Information Systems hires vendors to test our controls, so that we can continually improve our cybersecurity posture. Because it’s important for us to understand what could happen in a real-world incident, we recently hired someone to try to crack our employees’ Windows passwords. The vendor performed this task while we still had only an 8-character minimum requirement.

The results were very concerning. In the first round, it took the vendor 11 minutes to crack 125 passwords. In the second round, it took the vendor 25 minutes to crack another 71 passwords. In another, it took them one day and 8 hours to crack another 147 passwords. After that, they dabbled a bit more. All told, in under two days, they were able to obtain Windows credentials for more than 400 of our employees.

Due to the incredible number of data breaches that take place now, there are “known password” files available to hackers on the dark web. The bad actors have these files and use them when running their password-cracking software against your passwords. Common passwords are now easier than ever to hack. For example, the password Summer2023! could be hacked in minutes; the name of the season with the year appended is a well-known password combination. All a hacker’s software has to do is add a symbol to that combination and run through each of the symbols until it finds a match.

Do note that even a 14-character or longer password is not invulnerable to hacking. It’s vital for you to practice using strong passwords on your work and personal accounts. Follow these tips:

• Never have a real word or a dictionary word in your password. The password ILoveSummer2023! meets the password length and complexity requirement, but it would be easily hacked. Why? It has dictionary words in it. 1l@v3S^mm#r2023! is much harder to hack. This is the same short sentence without any dictionary words.
• Do not use names of family members or pets.
• Use your favorite lyric, poem, quote, etc. to create a hard-to-crack password. For instance: *IpattFotUso@8 — this password was created using the first letter of each word from the opening of the Pledge of Allegiance. Plus, I added a symbol to the beginning and another symbol and number to the end.

We hope this clarifies exactly why we’ve made the change to our password length requirements, and that you see how important it is to create strong passwords. If you have any concerns or questions, please feel free to reach out to the Help Desk.