Password Security--Is there such a thing as "too" complex?
A few months back I was in a public library when I heard two young adults talking as they sat near one of the public computers. "What's your password again?" the first person asked. "starburst123," she replied. "It's what I use for everything."
While I had no intention of using this sensitive information I had just overheard, there are many unscrupulous users who would have a heyday with such information. In a digital world, one's entire life is online--your bank account, your personal history, your conversations and emails--all of it protected by that small string of characters that is your password.
Users are being told to make their passwords unique, long, and complex. The harder it is to guess, the safer you supposedly are. But a unique string of letters isn't enough--we're now being told to put as many symbols and special characters in our passwords as possible. Instead of a password like "ilikecomputers," your password might be "iL1kéC0mPu+eR$107." Such a password would take decades for a datacenter of computers to brute force, and would be considered by most in the computer world as an excellent password.
But are passwords becoming too complex? Sure, it is difficult to guess the password above. But then again, how easy is it for you to remember? Just try it--without looking at the paragraph above, see if you can type out the password from memory. Not too easy, is it? But this is exactly what we as network administrators are asking our users to do every 30 to 60 days when we mandate that they change their passwords. Our users log on, are told by Windows that they MUST change their password to log in, and we require such complexity that by the time they're done following our guidelines, they have virtually no way of remembering their password. Is it any wonder that so many users write their password down and hide it under their keyboard?
Yet statistics show that half or more of computer security breaches at companies come from inside the company. A casual sweep of a mid-sized office would probably find half a dozen user passwords written on sticky notes in drawers, under keyboards, or even stuck in plain sight to a computer monitor. Users are being told what their passwords should look like, but not why. And what's worse, we've forgotten the why as well.
Passwords are given numbers, symbols and special characters for complexity. By adding a number, we force the average brute-forcing program to guess not just 26 letters per password character, but 10 digits as well. Add capital letters in there and now we have a total of 62 possibilities per character. Include symbols and extended-ASCII characters (such as © or é), and the complexity goes through the roof.
But consider this for a moment: a password with a single character, even if that character could be any uppercase or lowercase letter or a number, would have 62 combinations. Yet a two-character password, using only lower case letters, has 676 possible combinations. Even if the one-letter password could be any randomly chosen letter, digit or symbol in the entire 8-bit range, you would never get more than 256 possibilities. Yet by doubling the size of your password, you increase the complexity exponentially.
Of course, I hope your password is not just one or two characters. A common password requirement for a corporation forces the user to use upper and lowercase letters, numbers, and at least one symbol. A password length of 8 characters is also required. But what if we instead completely removed all other requirements, and increased the length to 12? The comparison is surprising:
8 characters, including mixed case letters, numbers, and common symbols:
4 quadrillion combinations
12 characters, all lower case letters:
95 quadrillion combinations
That's right--a 12 character non-complex password is more than twenty times more difficult to brute force than a hyper-complex 8-character password.
But keep in mind that our users are likely to choose common words as their passwords: ilikecorvettes would be easier to guess than ywhtohyuwhrysq. If your password is a phrase, the chances of it being guessed go up. So what's the middle ground?
I personally recommend a password that is at least 12 characters, and includes at least lower case letters and numbers. The letters should not spell out any dictionary word, however. An easy-to-remember password could be developed by using a phrase you can easily recall, and only taking the first letter from it. For example:
"How many roads must a man walk down, before you call him a man" becomes hmrmamwdbycham. Add two digits to this to increase complexity further, and you get hmrmamwdbycham04 (my high school graduation year).
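To make the keyspace comparison above, the dictionary-word caveat, and the first-letter-of-each-word recipe concrete, here is an added Python example (not code from the original post). It assumes 28 "common symbols" for the 8-character policy, since the post does not say how many it counted, and uses a small constructed word list in place of a real dictionary.

```python
import math
import re

# Alphabet sizes behind the post's keyspace arithmetic.
LOWER, UPPER, DIGITS = 26, 26, 10
COMMON_SYMBOLS = 28   # assumption: with 26+26+10+28 = 90 characters, 90**8 is
                      # roughly the post's "4 quadrillion"; the post gives no count

def search_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: every extra character adds log2(alphabet) bits,
    while a bigger alphabet only adds a little per character."""
    return length * math.log2(alphabet_size)

def compare_policies() -> float:
    """How many times larger the 12-lowercase keyspace is than the 8-'complex' one."""
    complex8 = search_space(LOWER + UPPER + DIGITS + COMMON_SYMBOLS, 8)
    lower12 = search_space(LOWER, 12)
    return lower12 / complex8

def acronym_from_phrase(phrase: str, suffix: str = "") -> str:
    """The post's recipe: first letter of each word, lowercased, plus optional digits."""
    letters = [w[0].lower() for w in re.findall(r"[A-Za-z']+", phrase)]
    return "".join(letters) + suffix

def contains_dictionary_word(pw: str, words, min_len: int = 4) -> bool:
    """Flag a password that embeds a dictionary word of min_len+ letters,
    the weakness the post warns about for phrase-style passwords."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)

# Constructed mini word list standing in for a real dictionary.
SAMPLE_WORDS = {"like", "corvette", "computer", "horse", "battery", "staple", "correct"}

if __name__ == "__main__":
    print(f"8 complex: {entropy_bits(90, 8):.1f} bits; 12 lowercase: {entropy_bits(26, 12):.1f} bits")
    print(f"12 lowercase has {compare_policies():.1f}x the search space")
    pw = acronym_from_phrase("How many roads must a man walk down, before you call him a man", "04")
    print(pw, "dictionary word found:", contains_dictionary_word(pw, SAMPLE_WORDS))
    print("ilikecorvettes dictionary word found:", contains_dictionary_word("ilikecorvettes", SAMPLE_WORDS))
```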
Such a password is easy to remember--I would never have to write this one down--and ends in a number I can remember as well. In 60 days when my mandatory password change policy kicks in, I could pick another song lyric and another two-digit number that have meaning to me, and my password is once again secure.
The folks over at XKCD had another novel idea: use whole words, but make them unrelated. The example they use is correcthorsebatterystaple. The words "correct," "horse," "battery," and "staple" are in no way related. Yet these four words could easily be remembered, and create a staggering 25-character password. Every computer in the world could work on brute-forcing that for years and come up short.
Regardless of what you choose for your password, remember: don't use the same password in multiple places, and NEVER write it down! The most secure password in the world is useless if someone finds your password sheet. So keep it unique, lengthy and easy for you to remember--and the chance of staying secure is very high.