The best way to do passwords

February 14th 2008 01:59 pm

Passwords are a pain.

I’ve spoken at length about this in my book Authentication and in my web site on Password Sanity. It’s best summed up in an old Dilbert cartoon that I licensed for the book and web site. The terrifying thing is that Mordac’s crazy ideas are typical for password policy these days.

People sometimes ask me about good ways of creating strong, memorable passwords. My favorite approach, described in my book Authentication, is to pick two large-ish words and punctuate them with a digit or special character. An arguably better way is to pick three shorter words and separate each with a digit or punctuation.

A friend recently described a password selection tool he uses at work: the tool presents three (hopefully) random lists of words. You choose your password by picking one from each column. The password consists of the three words separated by periods. If you don’t like the words in the lists, you push a button and the selector generates three more lists.

I like this approach for several reasons:

  1. Since it’s built out of a very small number of words, people are more likely to remember the password without having to write it down.
  2. People are unlikely to remember their password yet mistype it, since it didn’t require them to randomly replace l3tt3rs with d1g1ts or miScapitalize things.
  3. A properly designed system can easily yield over a billion possible passwords.

A strong password must be chosen from a very, very large collection of possibilities. If you use a common English word as a password, then it probably falls into a list of the 1,000 most common words in the language. This is a bad strategy. An attacker only has to try those 1,000 possibilities to recover your password. While that may seem impractical when facing a login screen on your laptop, there are ways to automate such trial-and-error attacks. A thousand trials pose no challenge to a good attacker.

This is why Microsoft implemented “complexity” requirements for passwords. Those are the rules that force us to insert both upper- and lower-case letters into our passwords, and/or digits and punctuation. Ideally, this is supposed to make us construct passwords out of random sequences of letters and punctuation. In practice, lots of people pick a simple word and then embellish it until it contains the right mix of characters. For example, “computer” becomes a compliant password by adding capitalization and punctuation: “Computer.”

This doesn’t really make cracking that much harder. The cracking software starts with a list of 7- or 8-character words, since passwords must be at least 8 characters long. Then it tries all possibilities of all words capitalized, and for each one, suffixes the word with a digit or punctuation mark.

This makes a desktop computer work a little harder, since there are perhaps 10,000 longer words people might use. This perhaps yields a million alternatives. That takes a thousand times longer than the ten seconds or so we might need to check a thousand alternatives. So it takes about half a day to crack Microsoft-approved passwords in this form.

I tried to better this in Authentication by building passwords from two long-ish words separated by a digit and/or punctuation. That yields 10,000 x 10,000 possible passwords, not including the punctuation (which is really included only to satisfy Microsoft’s complexity rules), or 100 million possibilities. That’s starting to call for serious computation involving days, weeks, and/or more and bigger machines.

The three short word approach is even better. Let’s work with a list of the 1,000 most common English words. Just about any user will recognize and remember any word on that list. When we build a password from three words, we end up with a range of a billion possible passwords. These are an order of magnitude stronger and, since they use simpler words, may be easier to remember.
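The arithmetic in the last few paragraphs, worked through in Python as an added example (not code from the post, the book, or the tool the friend described): the keyspace and entropy of each scheme, the worst-case search time at the rate the post implies (a thousand trials in about ten seconds), and a generator that picks three words from a list with a cryptographic random source. The 16-word list is a constructed stand-in for the 1,000-word list; the entropy the generator reports is for whatever list it is actually given.

```python
import math
import secrets

# Constructed 16-word stand-in for the post's list of the 1,000 most common
# English words; a real tool would load the full list from a file.
SAMPLE_WORDS = ["able", "book", "cold", "door", "east", "farm", "gold", "hand",
                "iron", "jump", "kind", "lamp", "moon", "nose", "open", "park"]

# Keyspace sizes for the schemes the post compares (the second entry uses the
# post's own "perhaps a million" estimate for a word plus capitalization and suffix).
SCHEMES = {
    "one common word": 1_000,
    "long word, capitalized, with suffix": 1_000_000,
    "two long words": 10_000 * 10_000,
    "three common words": 1_000 ** 3,
}

# Guess rate implied by the post: a thousand trials in about ten seconds.
GUESSES_PER_SECOND = 100

def entropy_bits(keyspace):
    """Bits of entropy of a password drawn uniformly from `keyspace` choices."""
    return math.log2(keyspace)

def exhaustive_search_seconds(keyspace, rate=GUESSES_PER_SECOND):
    """Seconds an attacker needs to try every password in the keyspace."""
    return keyspace / rate

def compare_schemes(rate=GUESSES_PER_SECOND):
    """Map each scheme to (keyspace, entropy bits, exhaustive-search days)."""
    return {
        name: (size, entropy_bits(size), exhaustive_search_seconds(size, rate) / 86_400)
        for name, size in SCHEMES.items()
    }

def make_passphrase(words, count=3, sep="."):
    """Pick `count` words with a CSPRNG; entropy reflects the list actually used."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")  # duplicates shrink the keyspace
    chosen = [secrets.choice(words) for _ in range(count)]
    return sep.join(chosen), entropy_bits(len(words) ** count)

if __name__ == "__main__":
    for name, (size, bits, days) in compare_schemes().items():
        print(f"{name:38s} {size:>13,d} {bits:5.1f} bits {days:9.2f} days")
    print(make_passphrase(SAMPLE_WORDS))
```

Three words from the 16-word stand-in give only 12 bits, against about 30 bits from the full 1,000-word list, which is why the size and randomness of the word lists matter as much as the number of words.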

Posted under Information Security