Rethinking the password
Sometimes, it's better to keep it sweet and simple
Jonathan Chang • February 4, 2012
They're not just for game shows anymore. [Image credit: PBS]
We’re denizens of the internet. We’ve crafted dozens of accounts in all sorts of places, ranging from the social media outlets of Facebook and Twitter to our ever-expanding libraries on Netflix and Spotify. With each new account we register, we intricately concoct another password to meet that particular website’s requirements. Password management has turned into a first world problem: we’ve crafted so many different passwords that sometimes we forget how to log into one of our many accounts.
We’ve also been taught a couple of basic guidelines for creating strong passwords: make it eight characters or longer, and use numbers and symbols in addition to upper and lowercase letters. Because their systems hold sensitive information, several government and educational institutions (including our very own NYU) have made these conditions mandatory. However, do these policies truly make our passwords harder to guess? Not necessarily, it turns out.
If security were a password’s only concern, the ideal password would look as if we had banged our fists haphazardly on the keyboard: no underlying logic would govern the choice of any character. Such a password has high entropy, a measure of how unpredictable it is. The 52 letters (upper and lower case), 10 digits and 33 symbols of printable ASCII give 95 possible choices for each character, so an eight-character password has 95 to the eighth power possible values, a little over 6,000,000,000,000,000. That’s 15 zeroes, if you’re counting, or about 52.6 bits of entropy. At 100,000 guesses per second, a password cracking program would take over two millennia to exhaust every possible combination, and about half that, on average, to hit the right one. (That rate is generous to the defender: a cracker running offline against a stolen list of fast, unsalted hashes can make billions of guesses per second on a GPU. That shrinks every figure in this article by the same factor, so the comparison between password styles still holds.)
Unfortunately, there is that pesky human element to passwords. When we’re forced to incorporate symbols and numbers into a password, we make predictable substitutions, like a 3 for an E or an @ for an A, or tack a few digits and an exclamation mark onto the end for an extra security boost. In the eyes of the password cracker, these changes are trivial: its rule engine tries every common substitution and suffix against every dictionary word, so a mangled word costs it only a handful of extra guesses per word, not the millennia the arithmetic above promised. Meanwhile, piling on too many tricks only ends up confusing the user.
As a recent webcomic put it, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
What if we took a different approach towards passwords: a passphrase, perhaps? Instead of choosing a single word and modifying it, a passphrase is a sequence of random words strung together. Diceware is one method of generating them. Roll five dice and read the faces in order; that gives one of 7,776 (6 to the fifth power) equally likely combinations. Each combination has an entry on the Diceware list that corresponds to a short English word or character string, like aaa or 123. Three more rolls of five dice net you a passphrase four words long.
Even though the passphrase is built from easy-to-guess components, each word was chosen at random from 7,776 possibilities, so a four-word passphrase has 7,776 to the fourth power possible values, a little under 3,700,000,000,000,000 (about 51.7 bits), which is close to the eight-character figure above. At 100,000 guesses per second, the password cracker would need well over a thousand years to try every single four-word passphrase. You can see the difference by comparing a randomized eight-character password to a Diceware-generated passphrase:
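The Diceware procedure just described, as an added example in Python (not code from the article or from the Diceware project). It assumes the file format of the published Diceware lists, one entry per line as a five-digit key of digits 1 through 6, whitespace, then the word, with any PGP signature armor around the list removed first. SAMPLE_LIST is a constructed excerpt in that format whose keys are invented for the demonstration and do not match the real list; scripted_die exists only so the rolls can be replayed.

```python
"""Diceware passphrase generation: five dice rolls form a key, the key selects
a word from the list, and the process repeats once per word.

Added example, not code from the article or the Diceware project. Assumes the
published list format (one '<five-digit key> <word>' entry per line, with any
PGP signature armor stripped). SAMPLE_LIST is a constructed excerpt whose keys
are invented for this demo.
"""
import secrets
from typing import Callable, Dict, Iterable, List

DIE_FACES = 6
DICE_PER_WORD = 5
LIST_SIZE = DIE_FACES ** DICE_PER_WORD  # 7776 keys, 11111 through 66666

SAMPLE_LIST = """\
# constructed excerpt in Diceware list format (keys invented for this demo)
11111\ta
11115\taaa
12345\t123
42351\ttrue
53162\tsolar
24456\tit'll
31442\treach
"""


def parse_wordlist(text: str, require_complete: bool = True) -> Dict[str, str]:
    """Parse '<key><whitespace><word>' lines into a key -> word table.

    With require_complete=True (the setting for a real list) all 7776 keys
    must appear exactly once; only then does each rolled word carry the full
    log2(7776) = 12.9 bits the article's arithmetic assumes. Malformed or
    duplicate keys are rejected rather than skipped.
    """
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<key> <word>'")
        key, word = parts
        if len(key) != DICE_PER_WORD or any(ch not in "123456" for ch in key):
            raise ValueError(f"line {lineno}: bad dice key {key!r}")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        table[key] = word
    if require_complete and len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, found {len(table)}")
    return table


def secure_die() -> int:
    """One fair roll (1-6) from the OS CSPRNG. A seeded or guessable
    generator would collapse the 51.7-bit search space to its seed space."""
    return secrets.randbelow(DIE_FACES) + 1


def scripted_die(rolls: Iterable[int]) -> Callable[[], int]:
    """A die that replays the given rolls; used only to make runs reproducible."""
    it = iter(rolls)
    return lambda: next(it)


def roll_key(die: Callable[[], int] = secure_die) -> str:
    """Roll five dice and read the faces in order as a key, e.g. '42351'."""
    return "".join(str(die()) for _ in range(DICE_PER_WORD))


def passphrase(table: Dict[str, str], n_words: int = 4,
               die: Callable[[], int] = secure_die) -> List[str]:
    """Roll five dice per word. A key missing from the table is an error:
    silently rerolling would skew the distribution on an incomplete list."""
    words = []
    for _ in range(n_words):
        key = roll_key(die)
        if key not in table:
            raise KeyError(f"key {key} not in word list")
        words.append(table[key])
    return words


if __name__ == "__main__":
    # Real use: table = parse_wordlist(open("diceware.wordlist.asc").read())
    # followed by print(" ".join(passphrase(table))). The constructed excerpt
    # is too short for random rolls, so replay rolls that reproduce the
    # article's own four-word example.
    demo = parse_wordlist(SAMPLE_LIST, require_complete=False)
    rolls = scripted_die([4, 2, 3, 5, 1, 5, 3, 1, 6, 2, 2, 4, 4, 5, 6, 3, 1, 4, 4, 2])
    print(" ".join(passphrase(demo, die=rolls)))
```

The two checks worth keeping in any real implementation are the completeness check on the list (a list with missing or duplicated keys quietly lowers the entropy per word) and the use of the operating system's CSPRNG rather than a seeded pseudorandom generator for the dice.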
Password: @`8JTM3l
Passphrase: true solar it’ll reach
Which one looks easier to memorize? The eight-random-character password is marginally stronger (about 52.6 bits of entropy versus 51.7), but is that sliver of extra security really necessary? It’s much easier to remember four words that all use the same character set than a password that incorporates a bunch of nuances. Passwords don’t need to be an esoteric string of random characters. A sequence of words, even of the most common words, gives us the security we need with far less strain on memory, on one condition: the words must be picked at random by the dice, not by us. A phrase we choose ourselves, a song lyric or a favourite quotation, is exactly the kind of thing a cracker’s dictionary already contains. Roll the dice, and we can lighten the load on our memory while still keeping hackers at bay.
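As an added example (not the article’s own code), here is the arithmetic behind the figures above, generalized to compare three styles side by side: a random character password, a Diceware passphrase, and a dictionary word dressed up with the substitutions and suffixes the article warns about. The rate of 100,000 guesses per second is the article’s; the online and offline rates, the 100,000-word dictionary size and the substitution map are assumptions labelled in the code.

```python
"""Search space, entropy and time-to-exhaust for the password styles the
article compares. Added example, not from the article. The 100,000/s rate is
the article's; other rates, the dictionary size and the leet map are assumed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95        # 52 letters + 10 digits + 33 symbols
DICEWARE_WORDS = 6 ** 5     # 7776 entries on the Diceware list

# Guess rates (assumptions except the article's 100,000/s): slow online
# guessing against a web form, the article's figure, and an offline GPU
# attack on a fast unsalted hash.
RATES: Dict[str, float] = {
    "online, 100/s": 1e2,
    "article, 100,000/s": 1e5,
    "offline GPU, 10 billion/s (assumed)": 1e10,
}

# Assumed substitution map a cracker's rule set would try (leet speak).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


@dataclass(frozen=True)
class Candidate:
    name: str
    search_space: int  # number of equally likely values

    @property
    def bits(self) -> float:
        """Entropy in bits, assuming a uniform choice over search_space."""
        return math.log2(self.search_space)

    def seconds_to_exhaust(self, guesses_per_second: float) -> float:
        """Worst case: every value tried. Expected time is half of this."""
        return self.search_space / guesses_per_second


def random_password(length: int, alphabet: int = PRINTABLE_ASCII) -> Candidate:
    return Candidate(f"{length} random chars from {alphabet}", alphabet ** length)


def diceware(n_words: int, list_size: int = DICEWARE_WORDS) -> Candidate:
    return Candidate(f"{n_words} Diceware words", list_size ** n_words)


def leet_variants(word: str) -> int:
    """Each substitutable letter is either swapped or left alone, so the
    substitutions add only 2**k variants, i.e. k extra bits at most."""
    k = sum(1 for ch in word.lower() if ch in LEET)
    return 2 ** k


def mangled_dictionary_word(word: str, dictionary_size: int = 100_000,
                            suffix_digits: int = 2) -> Candidate:
    """A dictionary word plus leet swaps plus a numeric suffix, modelled as
    the cracker sees it: dictionary x substitutions x suffixes. The
    dictionary size is an assumption."""
    space = dictionary_size * leet_variants(word) * 10 ** suffix_digits
    return Candidate(f"dictionary word like {word!r} + leet + {suffix_digits} digits", space)


def years_to_exhaust(c: Candidate, rate: float) -> float:
    return c.seconds_to_exhaust(rate) / SECONDS_PER_YEAR


def report(candidates: Sequence[Candidate],
           rates: Sequence[float]) -> List[Tuple[str, float, Dict[float, float]]]:
    """(name, bits, {rate: years to exhaust}) for each candidate."""
    return [(c.name, round(c.bits, 1), {r: years_to_exhaust(c, r) for r in rates})
            for c in candidates]


if __name__ == "__main__":
    cands = [random_password(8), diceware(4), mangled_dictionary_word("password")]
    for name, bits, years in report(cands, list(RATES.values())):
        print(f"{name}: {bits} bits")
        for label, rate in RATES.items():
            print(f"    {label:38s} {years[rate]:14.6f} years")
```

The two random choices land within one bit of each other, which is the article’s point; the mangled dictionary word comes in around 27 bits under the assumed dictionary size, which at the article’s rate is a matter of minutes, not millennia.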
1 Comment
A password cracking program can make 100,000 guesses a second only if the hacker can give the program a cryptographic hash of the password (and a salt) to guess against. To do that the hacker must have broken into the database of password hashes that the Web site uses to authenticate users. Sure, hackers do break into databases (see the Password article of Wikipedia), but that’s rare. If the program makes guesses online, and the roundtrip is between 10 and 100 milliseconds, the program can only make between 10 and 100 guesses per second. The Web site can take countermeasures to further reduce the number of guesses (again, see the Password article of Wikipedia).