DCI Urges Kenyans to Ditch Complicated Passwords for Long, Simple Passphrases.

In a significant shift from traditional cybersecurity advice, the Directorate of Criminal Investigations (DCI) is urging Kenyans to prioritize password length over complexity, recommending the use of passphrases as long as 64 characters to combat an unprecedented surge in cybercrime.

The directive comes amid a stark warning about the vulnerability of personal and organizational accounts, largely attributed to weak and predictable passwords. According to the DCI, cybercriminals are increasingly exploiting these weaknesses, with Kenya recording a staggering 2.54 billion cyber threat incidents in the first quarter of this year alone—a 201.7 per cent increase from the previous quarter.

New Password Guidelines: Length Over Complexity

The detectives have outlined a raft of new, counter-intuitive measures for the public:

  1. Embrace Long Passphrases: The DCI revealed that longer passwords, especially passphrases stretching up to 64 characters, are significantly more resistant to brute-force attacks, where hackers use automated tools to guess passwords. An example of a strong passphrase would be a memorable, random sentence like “my blue car eats strawberries on tuesday mornings in nairobi!”.
  2. Eliminate Arbitrary Complexity Rules: In a move that overturns years of standard advice, the DCI advises against forced rules that require a mix of uppercase letters, numbers, and symbols. The officers stated that such requirements often lead to predictable patterns (like substituting ‘o’ with ‘0’) and user frustration, ultimately weakening security.
  3. Screen Against Known Breaches: Kenyans are urged to use systems that automatically check and prevent the use of passwords that have previously been exposed in data breaches or are found on lists of commonly used passwords.
  4. Stop Forced Periodic Changes: The DCI has also warned against the common practice of forcing users to change their passwords periodically unless there is evidence of a compromise. The detectives noted that this practice often backfires, as users tend to make minimal, predictable changes to their existing passwords, thereby undermining security.
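
The four guidelines above can be expressed as a single acceptance check. The sketch below is an added example, not code from the DCI or from this article; the 15-character minimum, the treatment of 64 as the accepted maximum, the substitution table and the sample blocklist are all assumptions made for illustration.

```python
import unicodedata

MIN_LENGTH = 15  # assumption: the article states no minimum length
MAX_LENGTH = 64  # the article's 64-character figure, used here as the accepted maximum

# Constructed sample blocklist; a real system would load a breach corpus.
SAMPLE_EXPOSED = ["password", "123456", "qwerty", "iloveyou",
                  "correct horse battery staple"]

# Undo predictable swaps such as 'o' -> '0' before screening (assumed table).
DELEET = str.maketrans("013457@$!", "oleastasi")

def canonical(text):
    """Fold Unicode form, case and common character swaps before comparison."""
    return unicodedata.normalize("NFKC", text).casefold().translate(DELEET)

EXPOSED = {canonical(p) for p in SAMPLE_EXPOSED}

def check_passphrase(candidate):
    """Return rejection reasons; an empty list means the passphrase is accepted."""
    reasons = []
    length = len(unicodedata.normalize("NFKC", candidate))
    if length < MIN_LENGTH:
        reasons.append("too_short")
    if length > MAX_LENGTH:
        reasons.append("too_long")
    if canonical(candidate) in EXPOSED:
        reasons.append("exposed")
    return reasons  # deliberately no uppercase/digit/symbol requirement

def legacy_complexity_ok(candidate):
    """The old-style composition rule, kept only for comparison."""
    return (len(candidate) >= 8
            and any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate))

def rotation_required(days_since_change, compromise_detected):
    """Password age alone never forces a change; evidence of compromise does."""
    return bool(compromise_detected)

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Correct Horse Battery Staple",
               "my blue car eats strawberries on tuesday mornings in nairobi!"]:
        print(repr(pw), legacy_complexity_ok(pw), check_passphrase(pw))
```

The comparison shows the inversion the guidance describes: a short password that satisfies the legacy composition rule is rejected as short and exposed, while the article's all-lowercase passphrase fails the legacy rule yet passes every check here.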

A Global Problem with Local Urgency

The DCI’s statement highlights that the cybercrime wave is not just a Kenyan problem but a global one. The warning coincides with the global observance of World Cyber Security Month, aimed at raising awareness about digital safety.

In response to the escalating threats, President William Ruto’s administration has reportedly intensified efforts to curb cybercrime through enhanced national cyber policies and international collaborations.

For the average Kenyan, the new guidance simplifies the path to better security: focus on creating a long, unpredictable, and memorable passphrase, and ensure it hasn’t been compromised in a previous online breach. This new approach aims to build a more resilient digital frontline against the evolving tactics of cybercriminals.

Norbert Bwire

Norbert Bwire is a writer and founder of Untold.co.ke, a platform dedicated to impactful digital journalism. He specializes in transforming complex events into compelling digital news articles that resonate with a modern audience.
