Packetizer Logo

Getting a Handle on Passwords

January 16, 2012

Passwords are really getting out of hand. Every web site you visit requires a password. Every password should be different. You should change your passwords from time-to-time. Every password should be very hard to remember, uhm, I mean use letters, numbers, and special characters so they are hard for hackers to crack or guess. Oh, and never write down passwords in a place where somebody might steal them.

While one solution might be to store your passwords securely in a bank vault, that is not a practical solution to managing passwords.

Risk of Using the Same Password

Of all of the rules that people are advised to follow, the one that says you should not use the same password on multiple sites is definitely one rule you do not want to break. While perhaps no web site intends to divulge your password, the fact is that web sites get hacked often and passwords are stolen. When a web site gets hacked that has your password on file and you use that same password for your bank account, watch out! You really should not use the same passwords twice.

Complexity of Passwords

Passwords should also be complex. However, passwords do not need to be as complex as some people might lead you to believe. Web sites that argue that you need a special character (e.g., #, $,%) in your password simply have not done the math to see that such a requirement is utterly useless.

What is important is that passwords are sufficiently long and cryptic. One should not use a password like “12345.” One should also not use a password like “wildcat”. Those are simply too easy to guess. If one can look in the dictionary and find your password, you need a better password. If you merely take a word or a name and a few numbers, that’s also not sufficient. While it might take you a while to guess a password like “sally123”, it would take a computer a very short amount of time to discover that password.

What is a good password length? And what characters should be used? The answer requires a little math, so please don’t fall asleep now. Oh, and the answer requires a little understanding of how a computer organizes information. That might put you to sleep, but keep reading and, if nothing else, just see the result.

Let’s assume you take all upper- and lower-case letters and the digits 0-9 and use those in your passwords. That gives you a total of 62 characters. Let’s assume you have a one-character password. That would mean a hacker would have to look at 62 different values to guess your password. Using password cracking software on a computer, cracking your one-character password would take a split second.

What about a two-character password? Using the same characters, the possible permutations would be 62*62 = 3844. Still, that is nothing for a computer. A hacker could still have your password cracked in the blink of an eye.

Clearly, you need something stronger. How do you measure the “strength” of a password? If you understand that, then it starts to become clearer.

Each character used provides a certain amount of “strength” to your password. Specifically, it provides log2(62) bits of strength, or roughly 5.954 bits of strength. Having a two character password would provide you with about 11.91 bits of strength. So, what is 11.91 in a form a human can understand? This essentially means 2^11.91 possible values, or 3844 possible values. That’s because, 2^(log2(62) * 2) is the same as 62 * 62. I’m not trying to make this challenging for the heck of it. You’ll see why it is useful to use logarithms. It’s important that you think of password strength in terms of bits, not the number 62.

What about a 5 character password? That would provide a bit strength of log2(62)*5 = 29.77. That’s improving, but a purpose-built password cracking machine would have that one cracked in 0.32 seconds. (Per Wikipedia, commercial products can crack 2,800,000,000 passwords per second on a standard desktop computer.)

So, we need more bits of strength. Still, how many bits? Perhaps the answer is another question: how many years would you like a hacker to consume trying to crack your password?

We know that the strength in bits of a password comprised of letters and numbers is log2(62)*n, where n is the number of characters in the password. Further, this means that 2^(log2(62)*n) tells us how many passwords the hacker will have to consider while cracking the password. We also know that a commercial product can crack 2.8x10^9 passwords per second and there are 31556926 seconds in a year. So, the number of years it would take to crack a password of length n using this computer would be 2^(log2(62) * n) / (2.8x10^9 * 31556926).

Let’s use this formula once with a password length of 12 characters. That would be 2^(log2(62) * 12) / (2.8x10^9 * 31556926) = 36513 years. I feel fairly comfortable that my bank account would be secure with such a password, don’t you?

Working the other way, we can compute how long the password should be to force the hacker to work a specified number of years. The formula is log2(years * password_cracks_per_second * 31556926) / log2(62) or log62(years * password_cracks_per_second * 31556926) (but who uses log62?), where “years” you want to make the hacker work. Let’s say you want it to take 100,000 years. Then, you would need a password that is at least log2(100000 * 2.8x10^9 * 31556926) / log2(62) = 12.24 characters long. Since you cannot use part of a character, you would just use 13 characters for good measure.

Let’s also remember that hackers have access to more than one computer. Perhaps they might employ 1000 computers to crack your password. Using the equation 2^(log2(62) * 12) / (2.8x10^9 * 31556926 * 1000), we can see it would still take a hacker up to 36 years. I still feel fairly confident. I do not know a hacker who would want to devote 36 years of computing resources of 1,000 machines to get any information I have.

Even so, let’s say I’m overly paranoid and I want to ensure it would take 100,000 years with 1000 machines. How long should my password be? We use the formula log2(100000 * 2.8x10^9 * 31556926 * 1000) / log2(62) to learn that the password needs to be 13.92 characters long. So, a 14 character password really packs a powerful punch!

Now, recall that I talked about how some web sites insist that you use “special” characters on the keyboard to make passwords “stronger”? On most keyboards, there are only a handful of additional characters available. Let’s assume you use a total of 93 characters, using letters, numbers, and various special characters. How strong would that password be? Well, the bit strength would be log2(93) or 6.54. That’s only a little better than 62 characters. So, a 12-character password with 62 different values has a strength of log2(62)*12 = 71.45 versus log2(93)*12 = 78.47. You can see that there is little difference. If the extra strength is important, just make your password one character longer. There’s no reason to require use of special characters on the keyboard, as it adds an insignificant amount of bit strength. Let’s consider that example again where we want to protect our password from attack for 100,000 years using a single computer. Recall that for 62 characters, we need 12.24 characters. With 93 characters, we need 11.15 characters. So, it’s 12 versus 13 characters. Big deal. It’s not worth the complexity forced on a human to type in the special characters.

So the bottom line is that anything more than 70 bits of strength (12 or more characters) is a strong password today, though I personally prefer using over 90 bits (16 or more characters).

Generating Strong Passwords

Now we know you need a password that is 12 characters or longer to be good. But they cannot be simple words. They need to be as random as possible. It would be advisable to use a program that will generate random passwords for you. Passwords should not be easily guessed and should truly be as random as possible.

Password Management

So, how in the world do you keep track of your passwords? You could write them all down on paper and keep it secure. That’s a valid option, but not portable. Will you take that piece of paper with you on trips? You could write them down in a computer file and take that with you. But what if the file or paper is stolen or lost?

One solution is to keep all of your passwords stored inside of some kind of password management program. Typically, these programs store all of your passwords, securing them with a single secret password that you do not write down. This is a reasonable solution to the problem, especially if the data is accessible while at home, work, or traveling.

Another solution is to use Single Pass. What Single Pass does is generate a unique, secure password that is 16 characters long using a single “master” password that only you know. It’s similar in concept to the password management software, but it actually does not store passwords. Rather, it generates them on demand. To ensure that each password is unique, you provide a “service name” when generating the password. Given your Single Pass password and Service Name, the same password is always generated.

The Service Name could just be the name of the web site or business (which is reasonable for lower-security applications), or it could also be a cryptographically strong string of random characters (useful for your bank account). In fact, I generate random strings for Service Names. I maintain a file that lists the “Service Names” I give to web sites, using this password generator. I then have a master password that I do not write down that only I know. In order to crack my passwords, you would either have to crack it using brute-force (and they are 16 characters long, meaning it would take 1000 high-end machines 539 million years to crack).

The good thing about this dual-password approach is that my Single Pass password is useless without the accompanying file that holds the Service Names. Likewise, the Service Names are useless without the Single Pass password. Should somebody steal either piece of information, I would still have plenty of time to go change my passwords. But I can remember my one password and I don't have to worry so much if somebody steals my list of Service Names.

Doing Away with So Many Passwords

In an ideal world, we would have a better login solution on the Internet than having to use passwords on all web sites. There is one solution on the Internet that has promise: OpenID. OpenID allows you to login to a web site using a single password stored at an OpenID Provider. There are many providers, such as Yahoo!, Google, and VeriSign. If you can place your trust with one of these companies, you can avoid the need to have a different password for every web site on the Internet.

Questions still abound as to whether OpenID will succeed. There has been pretty good adoption and I’m personally a supporter of OpenID. Unfortunately, support is not as widespread as I would like, and most web sites still do not support it. So, alternative solutions like Single Pass that work with the world's crazy password craze are a necessity.

Click here to view the main blog page.