Password Complexity: Easier for you, harder for bad guys with passphrases

Spread the love

What if I told you that my shortest important passwords are in the neighborhood of 20-25 characters?  Would you think to yourself, “You’re insane!”  Some of you would, because some have said it out loud to me when they see me typing in my passwords.  My secret for many of them is to use a pass phrase.  This is easy for me to remember and so complex that it’s almost impossible for a computer, or even a lot of computers, to get through it.

It seems that most people don’t realize that they can use more than just the symbols above the numbers in the top row.  A critical character missed by many is the space.  Throw that in, and you can make a sentence a password.  Think about the following line:

This is a valid password.

Does it look like a good password to you?  Well, let’s analyze it in the context of common recommendations.

  • It has an upper-case letter, many lower-case letters, and symbols (space and dot).  That’s three of the four classes, a common requirement.
  • It’s 25 characters long, far longer than can be brute-forced within a reasonable time frame (where “reasonable” means “before the sun swallows the Earth”).
  • It has no personal characteristics.

Based on these, it hits all the right marks.  But it doesn’t look like a password.  It’s not random and filled with gibberish.  It can’t be that easy, can it?  Let’s check the complexity.

If you recall from the last post, the number of possibilities within a password is determined by taking the number of characters and multiplying that times itself a number of times equal to the length of the password.  For example, a four-character password of just lower-case letters has 26 x 26 x 26 x 26 = 456,976 possible passwords.  That’s not really a lot when there are systems which are, in the scheme of things, relatively inexpensive and can crack 10.4 billion passwords per second.

The passphrase above, though, has five words in it.  The average adult vocabulary seems to be somewhere around 50,000 words, give or take.  If we substitute words for characters in the complexity explanation above, for a five words passphrase, we get 50,000 x 50,000 x 50,000 x 50,000 = 312.5 billion trillion combinations.  Again referring to the last post, we’re now approaching the complexity of a random 12-character password with mixed-case letters, numbers, and symbols in it.  That $1000 password cracking system from before is going to take about 950,000 years to go through that entire range of possibilities, and that’s if the attacker knows that it’s a passphrase.  If he doesn’t it will take until somewhere after the time that all protons and neutrons (including those making up the cracking system) have decayed into smaller particles.

Now, if you’re going to use true, structured sentences as above, some of the complexity drops away because the grammar rules limit the words that can be used in certain places.  I can’t tell you how much because we’re getting into some seriously deep information theory there. But there’s no requirement that you use a perfect sentence, or even that you spell correctly.  Yes, this is the one time that text-speak or AOL-speak is perfectly fine and even useful.  (In all other cases, the previous does not apply.)  In fact, introducing spelling errors enormously increases the complexity.  So does the use of foreign words, if you happen to know more than one language.

Make up your own passphrases.  Choose an interest or a hobby.  Were I to use my flight hobby, I might come up with something like “People think Cessna 172s are slow.”  That’s 34 characters, hits all of the character groups, is easily memorable to me, but the exact phrase is hard for an attacker to get right even though the attacker might guess correctly about the topic.  And frankly, it’s faster for me to type it than it is to type out some of the truly long and complex passwords that I do actually use.  Someone with a love of European history might choose “Emperor Franz Joseph married young Sisi.”  We’re getting more esoteric here.  You could even get away with facts that are not well known: “The cylinder head tolerance is .002″.”  The cylinder head tolerance of what?  Only the passphrase chooser knows.

Remember also that password uniqueness still counts.  It is unwise at best to reuse passwords, especially since there are still a handful of places that store the password in a reversible or cleartext form.  The more sensitive the information, the more important the unique password or passphrase.

A strong suggestion: Do not use anything that is well-known.  Don’t use the passphrase above (“This is a valid password.”) because it’s already out in public.  Don’t use famous quotes like “Four score and seven years ago” or “We choose to go to the moon” because should someone start building up a dictionary of phrases, scouring the Internet for the most used will be how it starts.

One last thing: some programs and web sites don’t allow passwords that use spaces, while others limit the length of passwords.  Fortunately in the latter case, most sites allow at least 32 characters, so it shouldn’t be too difficult to come up with a passphrase that comes under that.  Many programs allow only 16 characters, and this is a trickier problem.  You can use an abbreviated form of your password: “PtC172ss.“, for example, is nine characters, easily derived from the passphrase.

So there you have it: easily remembered, difficult to guess passwords that when typed will blow the minds of those around you with your awesome memory for these insanely long entries.

Also, obligatory XKCD:

One Reply to “Password Complexity: Easier for you, harder for bad guys with passphrases”

Leave a Reply

Your email address will not be published. Required fields are marked *