The Realm of the Verbal Processor

Jarvis's Ramblings

Password Complexity

This morning I got an email from someone about secure passwords. The email was a link to this article. Before even opening the link I had a good idea of what it was going to say…make your passwords use all four character sets and make them random, but base it on a phrase that you can easily remember. My guess (and I was correct) was that it was going to ignore/gloss over the issue of password length.

In years past I was a strong proponent of passwords that used all four character sets (UPPERCASE, lowercase, 12345, !@#$%^%). I’m really not anymore, because password length has a much greater effect on whether a password can be cracked than complexity does. One of the best articles I have seen on this issue was an InfoWorld article back in 2006. The author did a great job of showing mathematically how the two factors in password strength (length and number of possible characters) work together.

In the password audits I have done for the ministry I work for, this has proven true every time. I have seen some very complex passwords that were shorter in length get cracked. I have never cracked a long password. That is the primary reason that my non-admin password is currently 20+ characters long. The password for my admin account? Somewhere north of 30 characters. Good luck cracking it while I am still alive.

A few paragraphs from the InfoWorld article above that I most enjoyed…:

For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.

Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.

~~~~

And because most users also use dictionary words as the root to their “complex” password, and follow other common conventions (capitalized letters are at the beginning, numbers are at the end), a simple hybrid attack will break most of them in less than a day. Trust me, I know — I do it for a living.

~~~~

So, when trying to increase the strength of your passwords, my advice is to consider length at least as much as you consider complexity. For my money, length is all the protection I need. Make your admin and root passwords 15 or more characters long and forget about complexity — at 15 characters-plus, they are all but uncrackable.
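As an added worked example (not code from the original post), the keyspace formula X^L quoted above applied to the password shapes discussed here: 8 characters over all four sets, and 15 and 21 characters of mixed-case letters. The guess rate of one billion per second, the 33-symbol count, and the 10,000-word dictionary are assumptions for illustration.

```python
# Added example, not code from the original post: works the quoted X^L keyspace
# formula through the password shapes the post discusses (guess rate and
# dictionary size below are illustrative assumptions).
from math import log2

LOWER = 26                    # a-z
MIXED = 2 * LOWER             # a-z and A-Z
ALL_FOUR = 26 + 26 + 10 + 33  # plus digits and 33 printable ASCII symbols (95)

def keyspace(x: int, length: int) -> int:
    """Candidates an exhaustive attacker must consider: X raised to L."""
    return x ** length

def entropy_bits(x: int, length: int) -> float:
    """Same keyspace in bits: L * log2(X)."""
    return length * log2(x)

def gain_from_extra_symbol(x: int, length: int) -> float:
    """Growth factor when the alphabet gains one symbol: (X+1)^L / X^L.
    Compare with the factor X gained from one extra character of length."""
    return keyspace(x + 1, length) / keyspace(x, length)

def min_length_to_match(x_small: int, x_big: int, length_big: int) -> int:
    """Shortest password over the smaller alphabet whose keyspace is at
    least that of a length_big password over the bigger alphabet."""
    target, length = keyspace(x_big, length_big), 1
    while keyspace(x_small, length) < target:
        length += 1
    return length

def years_to_exhaust(x: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace(x, length) / guesses_per_second / (365.25 * 86400)

def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Caveat from the hybrid-attack paragraph: if the attacker knows the
    password is W dictionary words run together, the space is D^W, not X^L."""
    return dictionary_size ** words

if __name__ == "__main__":
    rate = 1e9  # assumption: one billion guesses per second
    for name, x, length in [("8 chars, all four sets", ALL_FOUR, 8),
                            ("15 chars, mixed case", MIXED, 15),
                            ("21 chars, mixed case", MIXED, 21)]:
        print(f"{name}: {entropy_bits(x, length):.1f} bits, "
              f"{years_to_exhaust(x, length, rate):.3g} years to exhaust")
    print("lowercase length matching 8 chars over all four sets:",
          min_length_to_match(LOWER, ALL_FOUR, 8))
    print(f"one more symbol at 8 chars: x{gain_from_extra_symbol(LOWER, 8):.2f}; one more letter: x{LOWER}")
    print("4 words from a 10,000-word list:", f"{log2(passphrase_keyspace(4, 10_000)):.1f} bits")
```

The last line shows the flip side of the quoted hybrid-attack warning: a passphrase built from common words is only as strong as the word list it was drawn from, so its length in characters overstates its strength.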

June 3, 2008 - Posted in computers

8 Comments

  1. Good point you have there. I always knew that length was important, but I didn’t realize it was that important. It does make sense though.

    Comment by crashsystems | June 3, 2008

  2. This is a VERY illuminating article. I’m a network/systems administrator and I’ve always assumed that any combination of upper, lower, number, and special character is bullet proof. Now I can use long passwords that are easier to remember! Excellent tip, thanks.

    Comment by El Cabong | June 4, 2008

  3. Yep…I used to think the same thing. And ten years ago, that wasn’t bad thinking. Back then, a shorter PW with four character sets was very secure. But especially with the advent of rainbow tables, that is very different now. Length is your ONLY protection from a rainbow crack.

    Comment by Jarvis | June 4, 2008

  4. […] A very good friend of mine recently posted a great password complexity vs pass phrase article here. That agrees with something I have said for a very long time. I read it first in a series of […]

    Pingback by Great Password Complexity vs. Pass Phrase Post « Tim’s Whiteboard | June 4, 2008

  5. If the people who know about making passwords secure know that using three or four separate words in a line, rather than just stringing together nonsense in upper- and lower-case alphanumerics, is more secure, why won’t most password-generating software let you do that? My experience is that password generators usually want a single string of characters.

    Comment by Petur Williams | June 9, 2008

  6. First a password generator does exactly that…spits out a string of characters…that you will never be able to consistently remember correctly. The point to the article (and my post) is that a string of words is easy to remember and gives you the added security because of the overall length of the password. And as far as a password generator spitting out a series of words…you will be much more likely to remember your own series of words.

    One type of password that I have used on some of my accounts is to use a portion of a Bible verse. So, I could take John 3:16 (probably the best known Bible verse) which reads “For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.” I will always be able to refer to the verse if I forget the password. I then take just a part of the verse and make the password something like “ForGodsolovedtheworld”. Bingo…I have a 21 character password that I can easily remember.

    Comment by Jarvis | June 9, 2008

  7. I found a very good article breaking down the math for passphrase strength, and while reading it thought of this blog post. I’ve posted the link below.

    http://www.iusmentis.com/security/passphrasefaq/

    Comment by crashsystems | August 18, 2008

