Passw0rd5 are h4rd


The history of passwords is pretty astonishing. While we think of them in terms of the internet and computers generally, the idea of the military passphrase goes back to the Roman Empire and beyond. “Halt, who goes there?” was the basis of early “Identity Management”. If you didn’t have the password, get ready for a fight! It’s a pretty basic “friend or foe” mechanic really.

It’s a shame then that some two thousand years later we still use much the same mechanic to protect our digital identities. However, until someone comes up with a better way of doing it, passwords remain an important part of modern life.

It’s also a shame, then, that we’re so tragically poor at choosing a good password. A lot of that woeful inability stems from a lack of education on how hackers now operate. Many people think that a hacker will only get 5 or maybe 10 attempts to guess a password, so the password doesn’t have to be that complex, right? But in reality, hackers will often steal the password hash, then use brute-force “password cracking” software to attack the hash with literally hundreds of millions of passwords every second until they get a successful hit.

What makes a good password?

Password strength is defined by a term called entropy. A highly entropic password is one that’s unpredictable. That unpredictability relies on a number of factors, such as each character being chosen from a large subset, complexity, and length. Crucially, a highly entropic password must also be completely random.

That subset really matters too. For example, in a 4-digit PIN each digit can only be 0-9, so every combination can be guessed with at most 10000 (10^4) attempts. Meanwhile, a 12 character password takes each character from the 128 ASCII symbols, so when you do the math (128^12) it has billions of potential results. Even better if you throw in some Unicode, which means that each character now draws from a pool of over 65000.

Realistically though, how many of you have Unicode characters like é, ó, or ç in your passwords? Hackers know that this is unlikely and have programmed their software to prioritise accordingly. So while their software could feasibly start at aaaaaaaaa, then try aaaaaaaab, and so on, that’s incredibly inefficient. Instead, they often start with what’s known as a “dictionary attack”, trying common words first, then they iterate from there, adding numbers at the end, or punctuation where we as humans tend to put punctuation. They know we’re not good at choosing highly entropic passwords and they capitalise on that.

Then there’s Randall Munroe’s famous XKCD comic, “Password Strength”:

XKCD: Password Strength

Now, since the comic’s premise is to use common dictionary words, you won’t be surprised to learn that hackers programmed this approach into their password cracking software shortly after this comic became famous (nearly 8 years ago!). And four words is probably overkill in the grand scheme of things – “correct horse battery staple” is a 28 character password! So, maybe a more realistic approach is to take two words, then add a digit, a special character, and a non-dictionary word for the best possible password result.

Interesting aside: the maths involved in calculating entropy suggest that those special characters, digits, case changes and numbers are not actually necessary, but since many password entry boxes require complexity, it’s probably a moot point.

Interesting aside 2: Since Randall’s comic is so famous, the password “correct horse battery staple” now has an entropy of almost precisely zero.

Interesting aside 3: Since this method of creating a password is so famous, the simple act of only choosing four random dictionary words for your password significantly reduces the entropy of any such password.

Even just putting entropy to the side for the moment, one of the most important things you can do to strengthen your password is exceed the minimum length.

If we calculate the number of permutations in a simple, ASCII-based 12 character password, and then compare that unfeasibly gigantic number to those in an 8 character password… the former is around 250 MILLION times stronger. To put this into perspective, if a password cracker took one hour to crack that 8 character password, all other things being equal, it would take the same cracker 30 thousand YEARS to crack a 12 character password (250M/24/365 = 30K). Add one more character and that goes up to 4 million years.
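The keyspace and entropy arithmetic behind the PIN, 12-character and 8-versus-12 comparisons above, as an added example that is not part of the original post. It also carries the passphrase point from the XKCD discussion one step further: once the attacker knows the generation method, the effective pool is the word list, not the character set (the 2048-word list size is an assumption for illustration).

```python
import math


def keyspace(pool_size, length):
    """Number of distinct strings of `length` symbols drawn from `pool_size` choices."""
    return pool_size ** length


def entropy_bits(pool_size, length):
    """Entropy in bits of a password whose every symbol is chosen uniformly at random.
    A 'symbol' may be a character (pool = alphabet) or a whole word (pool = word list)."""
    return length * math.log2(pool_size)


def strength_ratio(pool_size, long_len, short_len):
    """How many times larger the keyspace of the longer password is (12 vs 8 ASCII chars ~ 250 million)."""
    return keyspace(pool_size, long_len) // keyspace(pool_size, short_len)


def scaled_crack_time_years(pool_size, baseline_len, baseline_hours, target_len):
    """Scale a measured brute-force time to a longer password, all else being equal
    (the post's '1 hour for 8 characters -> about 30,000 years for 12')."""
    hours = baseline_hours * strength_ratio(pool_size, target_len, baseline_len)
    return hours / 24 / 365


def passphrase_entropy_bits(word_list_size, word_count, total_chars, char_pool=27):
    """Compare the naive per-character estimate of a passphrase (lower case + space, 27 symbols)
    with the honest estimate once the attacker knows it is `word_count` words from a known list."""
    naive = entropy_bits(char_pool, total_chars)
    honest = entropy_bits(word_list_size, word_count)
    return naive, honest


if __name__ == "__main__":
    print(keyspace(10, 4))                                   # 4-digit PIN: 10000
    print(f"{entropy_bits(128, 12):.0f} bits")               # 12 ASCII chars: 84 bits
    print(strength_ratio(128, 12, 8))                        # 268435456, i.e. ~250 million
    print(f"{scaled_crack_time_years(128, 8, 1, 12):,.0f} years")   # ~30,600
    print(f"{scaled_crack_time_years(128, 8, 1, 13):,.0f} years")   # ~3.9 million
    # "correct horse battery staple": 28 chars, 4 words from an assumed 2048-word list
    naive, honest = passphrase_entropy_bits(2048, 4, 28)
    print(f"naive {naive:.0f} bits vs honest {honest:.0f} bits")   # 133 vs 44
```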

Now sadly, password cracking does use shortcuts and there are plenty of examples of long passwords being cracked in days or weeks – entropy REALLY matters, but the point stands – longer passwords are generally harder to crack.

Putting it all into practice

So, in short, following these three points will result in a far stronger than normal password:

  1. Use more than one word as the core of your password.
  2. One of those words, ideally, should not be in the dictionary. This could be a nickname, a deliberate misspelling or a fictional place/name from a book.
  3. Intersperse your words with random but hopefully still memorable characters.

Sticking to the above, a sample password would be something like:

     4Metal! cormac

So, we meet lots of basic requirements: it’s 14 characters long (!), it has a number in it, upper and lower-case letters, and it even has special characters. Ian Cormac happens to be the lead character in the sci-fi book I’m reading right now, in case you were wondering…

Best of all, this is a ridiculously memorable password and it’s incredibly easy to type.
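The three-point recipe above, as an added example that is not part of the original post: a generator that builds a password of the same shape as the sample, a checker for the three rules, and the entropy of the generator's own choice space. The word lists are constructed stand-ins; the personal word's real value lies in it being absent from the attacker's wordlist, which the entropy figure deliberately does not credit.

```python
import math
import random
import string

# Constructed word lists for illustration only (not from the original post).
DICTIONARY_WORDS = ["metal", "river", "candle", "orbit", "velvet", "harbor", "saddle", "pepper"]
PERSONAL_WORDS = ["cormac", "zenvara", "quillby"]   # stand-ins for a nickname or fictional name
SPECIALS = "!@#$%&*?"


def recipe_password(dictionary_words, personal_words, rng=None):
    """Rule 1: two words. Rule 2: one of them from outside the dictionary.
    Rule 3: intersperse a digit, a special character and a space, in a random order."""
    rng = rng or random.SystemRandom()          # OS CSPRNG by default
    common = rng.choice(dictionary_words).capitalize()
    personal = rng.choice(personal_words)
    digit = rng.choice(string.digits)
    special = rng.choice(SPECIALS)
    first, second = (common, personal) if rng.choice([True, False]) else (personal, common)
    return f"{digit}{first}{special} {second}"   # same shape as "4Metal! cormac"


def recipe_entropy_bits(dictionary_words, personal_words):
    """Entropy of the generator's choice space: the product of every random decision above.
    Each word contributes log2(list size), not log2(alphabet) per character."""
    choices = len(dictionary_words) * len(personal_words) * len(string.digits) * len(SPECIALS) * 2
    return math.log2(choices)


def meets_recipe(password, dictionary_words):
    """Check a candidate against the three rules: two words, one not in the dictionary,
    plus at least one digit and one special character."""
    words = [w.strip(string.digits + SPECIALS) for w in password.split(" ")]
    has_two_words = len(words) == 2 and all(words)
    has_non_dict = any(w.lower() not in dictionary_words for w in words)
    has_digit = any(c in string.digits for c in password)
    has_special = any(c in SPECIALS for c in password)
    return has_two_words and has_non_dict and has_digit and has_special


if __name__ == "__main__":
    pw = recipe_password(DICTIONARY_WORDS, PERSONAL_WORDS)
    print(pw, meets_recipe(pw, DICTIONARY_WORDS))
    print(meets_recipe("4Metal! cormac", DICTIONARY_WORDS))          # True
    print(f"{recipe_entropy_bits(DICTIONARY_WORDS, PERSONAL_WORDS):.1f} bits")   # 11.9 with these tiny lists
```

With lists this small the generator's entropy is only about 12 bits; the figure grows with the word lists, which is why the sample's "cormac" matters only if it is unguessable rather than merely rare.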

Password Managers

Like a broken record, this is my chance to shout from the rooftops about password managers! In other posts, I’ve sung the praises of LastPass. But honestly, no-one cares if you prefer Dashlane, Keeper, Keepass or any of the many, many other options. They’re ALL better than trying to do this stuff yourself, PROVIDED you enable multi-factor authentication (MFA). For more on MFA or 2FA (two-factor authentication), read my earlier post on Password Managers, and scroll directly to the “What are the Risks?” paragraph.

If you use a password manager, realistically, you’ll end up only having to remember a tiny number of passwords, often just two or three. And if you’re only having to remember two or three, you can afford to make them good ones!
