The Eternal Password Riddle
Despite constant technological innovation going on all around us, password management still feels like a riddle, and a good excuse to dive into information entropy.
Passwords are part of our lives: simple strings of characters which unlock the most vulnerable parts of our digital lives and our personal information. By now we all have many accounts (social networks, banks, blogs and so many others), so remembering passwords is hugely challenging: we know our passwords need to be unique to each account, yet we still use the same one everywhere. Despite constant technological innovation going on all around us, password management still feels like a riddle.
According to HaveIBeenPwned, over 1,000 million user passwords have been leaked in data breaches at different organizations. Those leaks reveal all kinds of personal information, but the most dangerous thing which can be revealed is a password that is used for many accounts: a sacred string which unlocks all doors.
Before digging into the subject of this article, let's analyze why. The "sacred" string needs to satisfy two big requirements:
- Complexity - The password should not be guessed easily.
- Simplicity - The password should be remembered.
For this reason, choosing a good password which fulfills both preconditions is not an easy task. People prefer a common password to having to remember a complex one, and they have a habit of reusing passwords again and again.
Websites suggest that you generate a password composed of 8 characters, of which 1 must be a special character, but this does not seem to be the best method, and in this article I'm going to explain why. Throughout this article we assume a computer can try more than 1,000,000 passwords per second.
Password attacks
Brute-force
One of the most famous password attacks is the brute-force attack, where an unknown party tries to log in with every string generated in a specific way. The goal of this attack is to guess your password while spending the least amount of resources and computation. A brute-force attack will always work eventually, but the more characters a password has, the longer it takes to guess, sometimes years.
Dictionary
Instead of trying every possible string, the attacker uses a prepared dictionary based on details of the target. It relies on the principle that a person creates a password from their name, email, birthday, or even common passwords (such as 'password', 'admin', '1234', 'qwerty').
Information Entropy
Before going deeper, we should introduce the concept of entropy. In information theory, entropy is defined as the degree of disorder or uncertainty of a given piece of data; it is also described as how predictable a string is. For example, bbbbbb contains less entropy than banana. Given a password of k elements, the possible dispositions (arrangements with repetition) can be summarized as:
D'(n,k) = n^k
Where:
- k is the number of characters in the string
- n is the size of the character set you are using
The explanation of that formula is simple. How many characters could you use for the first position? N. What about the second? N. And the third? N ... and the k-th? N. It's N ⋅ N ⋅ N ... k times, that is N^k.
A character set is the group of characters a password can be composed of, and n is the number of elements in it. For ASCII characters, the variable n would be 93 (some elements are not so easy to use in a password, like the NULL character or the line break).
Note that the following formulas hold only when a password is chosen randomly and uniformly from a given set. Let's imagine we are simple users, so we usually use 26 characters (the Latin alphabet):
D'(26,k) = 26^k
For a password with 8 characters, the dispositions will be 208.827.064.576. In order to calculate the entropy, we need:
entropy = log2(total_dispositions);
Assuming k = 8 and total_dispositions = 208.827.064.576, the entropy will be 37 bits.
Trying the whole space at 1.000.000 passwords per second takes 208.827.064.576 / 1.000.000 seconds, about 58 hours. On average, an attacker will have to try half the possible passwords before finding the correct one: 29 hours for this example.
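As an added example (not code from the original post), the calculation above in Python: the number of dispositions D'(n,k), the entropy in bits and the search time at the article's assumed 1,000,000 guesses per second. The function names are mine.

```python
import math

GUESSES_PER_SECOND = 1_000_000  # attacker speed assumed by the article


def dispositions(n: int, k: int) -> int:
    """D'(n, k) = n**k: arrangements with repetition of k symbols from a set of n."""
    return n ** k


def entropy_bits(n: int, k: int) -> float:
    """Entropy of a password drawn uniformly at random: log2(n**k) = k * log2(n)."""
    return k * math.log2(n)


def worst_case_seconds(n: int, k: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second."""
    return dispositions(n, k) / rate


def average_seconds(n: int, k: int, rate: int = GUESSES_PER_SECOND) -> float:
    """On average the attacker finds the password after half the space."""
    return worst_case_seconds(n, k, rate) / 2


def hours(seconds: float) -> float:
    """Convert seconds to hours for readable output."""
    return seconds / 3600


if __name__ == "__main__":
    n, k = 26, 8  # lowercase Latin alphabet, 8 characters: the article's example
    print(f"D'({n},{k}) = {dispositions(n, k):,}")
    print(f"entropy = {entropy_bits(n, k):.1f} bits")
    print(f"exhaustive search: {hours(worst_case_seconds(n, k)):.0f} h, "
          f"average: {hours(average_seconds(n, k)):.0f} h")
    # "qwerty" (6 lowercase letters) for comparison
    print(f"6 lowercase letters: {entropy_bits(26, 6):.1f} bits")
```

Running it reproduces the figures in the text: 208,827,064,576 dispositions, 37.6 bits, about 58 hours for the full space and 29 hours on average. Note that `entropy_bits` measures only the size of the space the password was drawn from; it says nothing about whether a given string is in an attacker's dictionary.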
Unfortunately, entropy alone does not ensure the strength of a password. Consider the passwords "qwerty" and "password": the former has an entropy of 28 bits and the latter 37 bits, yet both are among the first guesses of any dictionary attack. Another example is drowssap versus pawrossd: 8 characters each, same entropy.
Adding a character to the string vs adding a character to the set
Now it is time to ask ourselves whether the suggestions given by popular websites work. One of the rules I would like to break is "use special characters" to add entropy to the string. Is it more secure to add a character to the string, or to add a character to the set we're using for generating a password? It is important to highlight that there is no perfect rule; it is a balance between the two. Let's give an example.
Adding a character to the string
n = 26 (all the lowercase ASCII letters);
k = 12
Then, total dispositions will be
D'(26,12) = 26^12 = 95.428.956.661.682.176
Entropy: 56.40527661769311 bits
Characteristics:
- easy to remember (no special characters);
- it takes some time to type it;
Adding a character to the set
n = 41 (all the lowercase ASCII letters plus special characters)
k = 8
D'(41,8) = 41^8 = 7.984.925.229.121
Entropy: 42.86041603694467 bits
Characteristics:
- impossible to remember;
- copy & paste solution (higher probability of an involuntary leak);
- a different keyboard layout could stress the user who has to log in;
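The comparison above, as an added example that is not part of the original post, written so that it also answers the general question the section poses: how many symbols must be added to the set to be worth one extra character of length? From D'(n,k) = n^k, a set of size n' matches one extra character when n'^k = n^(k+1), i.e. n' = n^(1 + 1/k). Function names and the `extra` parameter are mine.

```python
import math


def entropy_bits(n: int, k: int) -> float:
    """Entropy in bits of k symbols drawn uniformly from a set of size n."""
    return k * math.log2(n)


def bits_from_longer_string(n: int, k: int) -> float:
    """Entropy gained by adding one more character to the string (set unchanged)."""
    return entropy_bits(n, k + 1) - entropy_bits(n, k)


def bits_from_bigger_set(n: int, k: int, extra: int) -> float:
    """Entropy gained by adding `extra` symbols to the set (length unchanged)."""
    return entropy_bits(n + extra, k) - entropy_bits(n, k)


def set_size_matching_extra_char(n: int, k: int) -> float:
    """Set size n' such that n' ** k == n ** (k + 1), i.e. n' = n ** (1 + 1/k)."""
    return n ** (1 + 1 / k)


def compare(n_long: int, k_long: int, n_big: int, k_short: int) -> dict:
    """The article's two candidates side by side: (dispositions, entropy bits)."""
    return {
        "longer": (n_long ** k_long, entropy_bits(n_long, k_long)),
        "bigger_set": (n_big ** k_short, entropy_bits(n_big, k_short)),
    }


if __name__ == "__main__":
    result = compare(26, 12, 41, 8)
    for name, (space, bits) in result.items():
        print(f"{name:>10}: {space:,} dispositions, {bits:.2f} bits")
    # Starting from 8 lowercase letters: one extra letter versus 15 extra symbols
    print(f"+1 char: {bits_from_longer_string(26, 8):.2f} bits")
    print(f"+15 symbols: {bits_from_bigger_set(26, 8, 15):.2f} bits")
    print(f"set size worth one extra char at k=8: "
          f"{set_size_matching_extra_char(26, 8):.1f}")
```

For the article's numbers, 12 lowercase letters (56.4 bits) beat 8 characters from a 41-symbol set (42.9 bits). Starting from 8 lowercase letters, growing the set from 26 to 41 symbols is worth a little more than one extra letter (about 5.3 bits versus 4.7), because at k = 8 one extra character is equivalent to a set of roughly 39 symbols; beyond that, each additional character keeps adding log2(n) bits while the set can only grow so far.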
Creating a strong password
Humans have flaws, and one of these weaknesses is the way our minds work. Indirectly, we think about a concept through mental schemes, and these schemes are reused every time we have to think about that concept. This means that each time we have to generate a password, we indirectly use the same scheme.
This is one of the reasons I had to specify that the formulas above work only if the password has been chosen randomly and uniformly. A study [1] highlights that users use some letters more frequently than others: the letter 'e' was used over 1.5 million times, while the letter 'f' was used only 250,000 times.
Using a password generator (especially an offline one) is one of the best solutions for creating a strong password. Another problem is storing these passwords, so I'd like to suggest self-hosted tools like LessPass, which can keep your randomly generated passwords on your own machine.
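As an added example (not the post's or LessPass's code), the following Python shows why the uniform formula overestimates human-chosen passwords and what an offline generator does instead. It computes the Shannon entropy per letter for a skewed letter distribution and compares it with the log2(n) that D'(n,k) = n^k assumes, then draws a password uniformly from the OS CSPRNG via the standard `secrets` module. The letter weights are constructed for illustration, not the figures from the study [1]; treating each position as an independent draw is a simplifying assumption.

```python
import math
import secrets
import string


def shannon_bits_per_symbol(weights: dict) -> float:
    """Shannon entropy H = -sum(p * log2 p) of a distribution given as raw weights."""
    total = sum(weights.values())
    return -sum((w / total) * math.log2(w / total) for w in weights.values() if w > 0)


def uniform_bits_per_symbol(n: int) -> float:
    """log2(n): the per-character entropy the formula D'(n,k) = n**k assumes."""
    return math.log2(n)


# Constructed example weights (not measured data): a few letters chosen far more often
# than the rest, standing in for the non-uniform letter choice the study describes.
SKEWED_LETTER_WEIGHTS = {c: 1 for c in string.ascii_lowercase}
SKEWED_LETTER_WEIGHTS.update(
    {"e": 12, "a": 8, "o": 8, "i": 7, "n": 7, "s": 6, "t": 6, "r": 6}
)


def effective_password_bits(k: int, weights: dict) -> float:
    """k * H: assumes each position is an independent draw from the same distribution."""
    return k * shannon_bits_per_symbol(weights)


def generate_password(k: int, alphabet: str = string.ascii_lowercase) -> str:
    """Offline, uniformly random password from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(alphabet) for _ in range(k))


if __name__ == "__main__":
    k = 8
    uniform = uniform_bits_per_symbol(26)
    skewed = shannon_bits_per_symbol(SKEWED_LETTER_WEIGHTS)
    print(f"uniform letters: {uniform:.2f} bits/char -> {k * uniform:.1f} bits")
    print(f"skewed letters:  {skewed:.2f} bits/char -> "
          f"{effective_password_bits(k, SKEWED_LETTER_WEIGHTS):.1f} bits")
    print("generated:", generate_password(12))
```

The skewed distribution always yields fewer bits per letter than log2(26), so an 8-letter human-chosen password carries less than the 37 bits computed earlier even before dictionary effects are considered; a `secrets`-based generator removes the skew because every symbol is equally likely at every position.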
Conclusions
We have seen that adding entropy is just one way of strengthening a password. Adding more characters to a password can be more efficient than using complex and special characters, which are not always friendly to the user.
Does "the eternal password" exist? I'm sorry, but no, it cannot exist, for a simple reason: each year computing power increases. A password generated 10 years ago cannot be considered secure: there has been too much time to crack it, and the lifetime of a password is always a security issue, the longer it exists the less secure it is. I suggest changing the passwords of your most important accounts frequently.
All of this begs the question we should really be asking: why do we need a password, and are there any better alternatives to remembering sacred strings of text?
While passwords are still a riddle, I think not.
You can find the author of this post on Twitter @SerHack_ , in his blog or email.
[1] Burnett, Mark (2006). Kleiman, Dave (ed.). Perfect Passwords. Rockland, Massachusetts: Syngress Publishing, p. 181.