Lessons from Target on password complexity

US retailer Target was infamously hacked in 2013, causing the credit card records of tens of millions of customers to be stolen. Target had its systems assessed and came up with some findings which Brian Krebs has just made public. While there are many lessons in this, I want to focus on one item: the passwords.

The Verizon security team was able to crack a large number of Target’s passwords in a week. Observe that most of the listed top 10 passwords were at least 8 characters long, had small letters, capitals, numbers and a special character. Despite the credentials adhering to the password policy, the passwords were successfully cracked.

The lesson: password complexity rules may be outdated. It is quite possible to stick with the letter of the compliance requirement and be quite insecure. Consider using password managers with really long passwords and multi-factor authentication systems. Meanwhile we should look into technologies that move beyond passwords for authentication.

Also see my previous post: Passwords ain’t nothing but trouble