We’ve talked a lot about passwords. We wrote a work of fiction about how your bank account password might be compromised, we wrote about how to have fewer passwords, we mentioned how you can break into a secure WiFi network without breaking the password, and we’ve even reviewed password software. But what goes into a password? Other than its commonality, why is “123456” so much less secure than “123abc456?”
If you’re a doctor, you need to know your coccyx from your larynx, and why humans have 23 chromosome pairs and what that means. In other words, you need to know your anatomy. If you’re a password-ologist, you need to know your password anatomy, too — and on the “information superhighway” we’re all password-ologists.
The first and most obvious component of a password is its length. Simply put, a longer password is harder to guess, because each additional character increases the number of possible passwords of the same length. So, obviously, it’s better to have a 10 character password than a 5 character one.
How much better? Well, that depends on its complexity, or in technical terms, the size of its keyspace. The keyspace of a password is determined by the number of symbols it could contain (without knowing how many it actually did contain — remember, the attacker here only knows the length and the class of characters). Let’s pretend our hypothetical password is a single character to illustrate for now:
- If the password was numeric only, it would have a keyspace of 10 (0, 1, 2, …, 9)
- If it was only lowercase letters, it would have a keyspace of 26
- If it was upper- and lowercase letters, it would be 52 (2 × 26)
- If it was upper- and lowercase letters, as well as digits, it would be 62 (2 × 26 + 10)
- If it was the entire printable ASCII character set, it would be 95
- If it was the entire (current) Unicode character set, it would be over 110,000
Combining the ideas of length and keyspace, if all common English printable characters (letters, numbers, and “special characters”) were allowed, our 5 character password would have 95 × 95 × 95 × 95 × 95 = 95⁵ ≈ 7.7 billion different combinations; that 10 character password, by comparison, would be over 7.7 billion times more secure than that, with nearly 6 × 10¹⁹ combinations (just over 59 quintillion, but who’s counting?).
Security margin (simple)
How much security would that ginormous password really provide, though? Well, that all depends. Automated password crackers have gotten pretty fast. My favorite (linked), for instance, can easily reach around 20,000 attempts per second on a normal home computer — and that’s not even touching distributed computing or other more complex (and powerful) attacks. That means that if your attacker knows your super secure password (123456) is six digits and numeric only, expect it to be broken in 50 seconds or less. (That’s quite a bit faster than the roughly 95 million years john would take on that hyper-secure 10 character password, cracked naïvely.)
It’s not that simple
The thing is, I lied. Not all ten character ASCII passwords are equal. For example, T$f0_ke\E` is quite a bit more secure than gesundheit. Why? Entropy. In simple applied terms, entropy measures the randomness, or unpredictability, of a password. Higher entropy (less predictability) is better. While it’s difficult for the layperson to measure, the following mistakes are all things that will affect your password’s entropy:
- Whether or not your password appears on a wordlist. If you’ve got a word or common phrase, consider your password broken out of the gate. Rainbow tables and wordlists of common words and phrases will devastate any security you think you have.
- If you’ve used common substitutions. Did you swap a “!” or a “1” in for your “i”s and “l”s? We know. Did you use a “5” or a “$” for an “s,” or write “><” instead of “x?” So did everyone else. Cracking software is built to try these and many other common word alterations, so security gained by these tricks is not as great as you think it is.
- If your password follows normal symbol distributions. For example, in English, q is frequently followed by u, so if it is in your password as well, it’s less secure.
- Whether your password relies on anything that can be known about you. Expect all of your biographical information and interests, as well as anything you talk about, to be used as guesses against your password. If you’ve used any family member names or birth dates, pet names, components of favorite songs, words relating to your favorite sports teams, etc., then someone can guess your password more easily just by learning about you. Social media makes this even easier, as people voluntarily vomit up the very information that is often all that is needed to compromise their accounts.
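As an added illustration (not code from the original article), the sketch below reproduces the naive keyspace and cracking-time figures from earlier, then reverses the substitutions listed above to show when a password reduces to a wordlist entry. The three-word wordlist is constructed, the function names are hypothetical, and the input is assumed to be a non-empty printable-ASCII password.

```python
import math
import string

GUESSES_PER_SECOND = 20_000  # rate the article quotes for a home computer
# Constructed sample wordlist; real cracking wordlists hold millions of entries.
WORDLIST = {"gesundheit", "password", "sixes"}
# Substitutions named in the article, mapped back to the letters they replace.
SUBSTITUTIONS = {"><": ["x"], "$": ["s"], "5": ["s"], "!": ["i", "l"], "1": ["i", "l"]}
# Digits (10) + lower (26) + upper (26) + punctuation and space (33) = 95.
CLASSES = [string.digits, string.ascii_lowercase, string.ascii_uppercase,
           string.punctuation + " "]


def keyspace(password):
    """Symbols per position, judged by the character classes actually used."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_seconds(password):
    """Worst-case time to try every password of this length and keyspace."""
    return keyspace(password) ** len(password) / GUESSES_PER_SECOND


def undo_substitutions(password):
    """Return every reading of the password with substitutions reversed or kept."""
    text, readings, i = password.lower(), [""], 0
    while i < len(text):
        for token, letters in SUBSTITUTIONS.items():
            if text.startswith(token, i):
                readings = [r + c for r in readings for c in letters + [token]]
                i += len(token)
                break
        else:  # ordinary character: append it unchanged to every reading
            readings = [r + text[i] for r in readings]
            i += 1
    return readings


def assess(password):
    """Return (naive entropy in bits, brute-force seconds, wordlist hit or None)."""
    bits = len(password) * math.log2(keyspace(password))
    hit = next((r for r in undo_substitutions(password) if r in WORDLIST), None)
    return bits, brute_force_seconds(password), hit


if __name__ == "__main__":
    for pw in ["123456", "gesundheit", "ge5undhe!t", "T$f0_ke\\E`"]:
        bits, seconds, hit = assess(pw)
        print(f"{pw!r}: {bits:.1f} bits, {seconds:.3g} s brute force, wordlist hit: {hit}")
```

The substituted spelling scores more naive bits than the plain word because it draws on more character classes, yet both reduce to the same wordlist entry, so the brute-force figure overstates the protection in each case.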
So what’s a girl to do? Actually, the situation isn’t so bad:
- Pick one really good, secure password that will secure all your others. Bang on the keyboard a lot, then go into the middle and bang some more. Highlight some letters at random, and delete half of them. Bang some more in their place. Shuffle some things around. Bang. Delete. Bang bang bang. Tired yet? Good.
- Write it down on a piece of paper. Put the paper in your wallet or purse. You’re already really used to protecting the contents of that, so it’s pretty safe now.
- Download a password manager, or use one built into your system.
- Use the password manager to generate secure random passwords for any services you use. They can be long and crazy, because you won’t have to remember them. They can also be different, which is important because one account being compromised won’t compromise your others. (This is especially important for email accounts, which are often used to reset passwords for other services.)
- Whenever you need a password, take out your piece of paper, read off the password and use it to unlock your manager, and then copy-and-paste your random secure password into the login form as you need to.
- On a regular basis, go ahead and rotate your account passwords; and on a somewhat less regular basis, your “master password.”