“Through 20 years of effort, we’ve successfully rained everyone to use passwords that are hard for humans to remember, but are easy for computers to guess.” Randall Monroe, XKCD
For users, passwords and passphrases are a way of life. How else can an individual not only identify themselves to access necessary services but also prove that they are who they say they are without biometrics? However, the way in which many businesses choose to think about passwords and passphrases is not only wrong, but harmful. Many financial institutions, as well as work places, require that passwords max out at a short, fixed number of characters (anything between six and twelve), include an uppercase and lowercase letter, as well as at least one digit. This is, unfortunately, not an ideal solution. In essence, any organization requiring that users make passwords under such conditions is setting their users up for failure on a multitude of levels. Not only are these passwords easier to crack than other options but they typically cannot be memorized, requiring the user(s) in question to write them down or store them elsewhere.
Data released in a recent study by Carnegie Mellon University’s CyLab indicates that traditional methods for password and passphrase creation are woefully inadequate and that a great many users have a mistaken idea of the methods in which adversaries employ in the attempt to crack them.
This study reveals that, “Participants, on average, also believed any password with numbers and symbols was a strong password, which is not always true. For example, p@ssw0rd was thought to be more secure than pAsswOrd, but the researchers’ attacker model predicted that it would take 4,000 times more guesses to crack pAsswOrd than p@ssw0rd. In modern day password-cracking tools, replacing letters with numbers or symbols is predictable.”
The question then becomes, what can the user do to avoid this situation? The engineers at MetaFlows have a very unique way of creating passwords/passphrases that are much more secure. There is a basic equation for password strength, failing that the password appears in a known dictionary, is:
Complexity being the number of possible characters the password contains
So a password using only lower case letters has a complexity of 26
A password using lower, upper, and numbers has a complexity of 62
A complex password with a length of eight:
62^8 = 218,340,105,584,896 possibilities
A simple password with a length of twelve:
26^12 = 95,428,956,661,682,176
The longer, but simpler, password in this example has a total search space 437 times greater than a standard “complex” password. This is not to say that complexity is bad, complexity helps, but length is the dominant factor in determining strength against brute force. It should be able to be memorized, so going ahead and adding a number or a weird character is fine. However, if adding that element makes it too hard to remember then consider tacking on another word instead that is easier to remember to increase the strength exponentially.
What is the difference between a password and a passphrase?
The example password meets all standard complexity requirements: lower case, upper case, number, and special character. One of our engineers decided to see how long it would take for them to crack this password. The end result is as follows:
Search Space 6.70×10^15
Single Machine traditional estimated crack time: 18.62 hours
Cracked during several hours while playing WoW and a good night’s sleep.
The experiment was repeated with a passphrase, which is a group of words strung together that act as a password. The passphrase below meets none of the standard complexity requirements as it is all lower case and contains no digits. Unlike Pa$sw0rd, it is easy to remember.
Search Space 4.33×10^39
Single Machine traditional estimated crack time: 13.76 million trillion centuries
Still not cracked long after the death of our solar system.
In most cases, adding a few words that are related to the site or process in question is helpful to remembering them but we also know that people are surprisingly good at remembering almost any silly combinations of words as a passphrase. The more unrelated the words chosen are, the less likely they will ever end up in a dictionary. Picking one nonsensical word increases the potential strength against dictionaries to a level that is realistically beyond guessable. For example, “mypasswordisnotpassword” may be obvious enough to get added to a dictionary, but “mylongitudinalpasswordisnotamonkey” is arcane.
Another method, advocated by Micha Lee at The Intercept_ is Diceware. The method for creating a Diceware password is simple and straightforward but the end results may lead to a far more secure passphrase. The Diceware method is effective because it will provide randomness that the human brain cannot. The value of using a method that involves randomization is ideal when one considers entropy. “The amount of uncertainty in a passphrase (or in an encryption key, or in any other type of information) is measured in bits of entropy. You can measure how secure your random passphrase is by how many bits of entropy it contains. Each word from the Diceware list is worth about 12.92 bits of entropy (because 212.92 is about 7,776). So if you choose seven words you’ll end up with a passphrase with about 90.5 bits of entropy (because 12.92 times seven is about 90.5).”
Once a user creates a password, one must have a clear idea of where to store it. While there are numerous password saving applications available on the web and scraps of paper abound, nothing is more secure than pure memorization. When considering password creation, always stick to something easy to memorize as well as difficult to crack. To put it plainly, storing passwords anywhere other than the human mind creates an exploitable vulnerability. This of course, includes writing them down on a sheet of paper and attempting to hide it. The popularity of password storage books and password applications is no indication as to the level of security they provide, which is limited at best.
No matter how random and entropic a password may be, it is vital that if using the same password for more than one service, that passwords used for social media accounts should in no way resemble those used for online banking and other vital activities. It cannot be stressed enough that reusing passwords, sharing passwords, recording passwords, and repeatedly recycling through a set of passwords is far from advisable.