I've seen some chatter lately about password strength. Some claims about greatly increasing password strength leave me unconvinced of their value.
Looks like xkcd and zxcvbn agree with me. See http://blog.geeky-boy.com/2014/04/password-strength.html
According to the alphabet size argument, you should use capitals and lower case letters, digits, and special characters.
I used the https://www.grc.com/haystack.htm site for a bit of analysis, and I think I can say with good confidence that using upper/lower, digits, and special symbols is far less helpful than many have claimed.
Let's start with the password:
bigdogseat
(i.e. "big dogs" eat). It has a search space size of 1.47 * 10**14. Not very impressive. So, let's make it better by changing it to include capital letters, digits, and special characters:
bigdogsE@7
This has a search space size of 6.05 * 10**19. Much better. But instead of that, let's try:
bigdogseatmice
This has a search space size of 6.71 * 10**19. Even better! The addition of a single 4-letter word did more to increase the search space size than using the larger alphabet. I would claim that the addition of a word is easier to remember than the substitution of capitals, digits, and special characters. So you have an easier-to-remember password which is more secure than the shorter one with caps/digits/specials.
Note that the above assumes a brute-force attack. If we assume a dictionary attack, I'm pretty sure you get the same result, even more strongly, but I admit I haven't done a quantitative analysis.
A cracker will always try a dictionary attack before brute-force. It might first try a single dictionary word, then two, then three, and BINGO, they got my first "bigdogseat" password. Now look at the caps/digit/special character version. Since it uses a predictable substitution algorithm, a dictionary cracker will have little trouble with it. Yes, it will lengthen the search, but not by very much ... because it is algorithmic. Predictable substitution algorithms do NOT force a brute-force attack. Dictionary crackers know the common rules.
So, the same analysis will apply, except that the alphabet size becomes the number of possible words, and the password length becomes the number of words in the password. Using a fixed number of words, but using a predictable caps/digit/special substitution algorithm, simply increases the number of words in the dictionary. Increasing the number of words in the password has a greater effect on increasing the search space size. It's the difference between increasing the base vs. the exponent of A**B - increasing the exponent (password length) has a greater effect than increasing the base (alphabet size).
On that same haystack site, the author claims that padding a password is a very good way to greatly increase password strength. He managed to convince Eric Gerlach in his blog post: http://eric.gerlach.ca/blog/2011/6/18/why-steve-gibsons-password-padding-works-for-humans.html. Here is my response:
If a cracker is trying to guess their way into my bank account, I can be safe by choosing a random 4-digit number as my password, EVEN IF I TELL THE CRACKER THAT I DID. After three tries, my account will lock out further attempts until I call them and tell them my SSN and mother's maiden name. So a cracker can only do 3 guesses per day, leading to a worst-case search time of 9 years.
Not all web sites are as draconian. Some simply lock you out for a short time after 3 tries. Even if it is only a 15-minute lockout, you get a worst-case search time of over a month. For a 4-digit number.
So really, there is very little need to worry about password quality to this level of scrutiny.
The exception to this is if the passwords are stored on the server using a standard hash, and a cracker gets ahold of the hash database. In that case, he can do BILLIONS of password checks per second, and dictionary attacks can be very effective. The commonly-recommended methods of improving password security - caps/digits/specials/padding - are still vulnerable to modified dictionary attacks, and won't protect you nearly as much as simply having a longer password.
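The three search-space figures above, the word-based dictionary model, and the lockout arithmetic can all be reproduced with a few lines of Python. This is an added example, not code from the haystack site; it assumes the haystack convention of counting every string up to the password's length over an alphabet of 26 lower, 26 upper, 10 digits and 33 symbols (including space).

```python
import math
import string

# Character classes and their sizes (assumption: the haystack convention,
# 26 lower, 26 upper, 10 digits, 33 printable symbols including space).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume: the union of the classes that appear."""
    return sum(size for chars, size in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Brute-force search space: all strings of length 1..len(password)
    over the assumed alphabet (sum of n**k, the haystack-style count)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def dictionary_space(vocab: int, words: int, variants_per_word: int = 1) -> int:
    """Dictionary-attack model: the base is the vocabulary, the exponent is the
    number of words. A predictable caps/digit/symbol substitution rule only
    multiplies the vocabulary (base); adding a word raises the exponent."""
    return (vocab * variants_per_word) ** words


def worst_case_days(space: int, guesses_per_window: int, window_minutes: float) -> float:
    """Online guessing against a lockout: only guesses_per_window attempts are
    allowed per window, so the attacker needs ceil(space / guesses) windows."""
    windows = math.ceil(space / guesses_per_window)
    return windows * window_minutes / (60 * 24)


if __name__ == "__main__":
    for pw in ("bigdogseat", "bigdogsE@7", "bigdogseatmice"):
        print(f"{pw:16} alphabet={alphabet_size(pw):3} space={search_space(pw):.2e}")
    # Three guesses per day vs. a 15-minute lockout, both against a 4-digit PIN
    print(f"3/day:  {worst_case_days(10_000, 3, 24 * 60) / 365:.1f} years")
    print(f"15 min: {worst_case_days(10_000, 3, 15):.1f} days")
```

The PIN figures come out at about 9.1 years and about 35 days, matching the "9 years" and "over a month" estimates above.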
As it turns out, there are lots of sites which store user passwords in plaintext. I know of more than one. In that case, your password strength is meaningless.
So at the end of the day, chances are pretty good that some cracker is going to get ahold of one of your passwords some day. Your defense is NOT to have highly-secure passwords, but rather to have DIFFERENT passwords for different sites. If somebody breaks into your Facebook account, don't let them use that password for your Gmail and PayPal accounts.