[ale] creating very powerful relatively short memorable passwords

Ron Frazier atllinuxenthinfo at c3energy.com
Sat Sep 10 02:54:55 EDT 2011


Hi all,

If you've been watching the list, you know I've been in discussion with 
several others related to the topic of creating strong passwords.  Based 
on prior discussions and recommendations, I had concluded that pass 
phrases are highly desirable.  However, if using a 2048 word lexicon, 
they must be 6 words long to achieve a few days of crack resistance from 
a botnet array.  You have to go up to 8 words to reach a crack time of 
centuries if the attacker is doing 100 trillion guesses / second.  Pass 
phrases this long are impossible to enter into many websites.  And, even 
if they can be entered, it is very tedious to type this many words in a 
password field.

Here, I will describe a good compromise if you either wish to or are 
forced to use a shorter password.

I was slamming my bank in prior discussions due to only allowing 8 
character passwords.  Well, I guess other people have been slamming 
them.  I checked the password policy today and it has been updated to 
the following:

"Must be 6-20 characters with at least one letter and one number. There 
should be no spaces and no special characters."

As you can see, I cannot use a 6-8 word pass phrase here.  However, I 
can still make it plenty strong.  The key to making a short password 
work is not only making it as long as you can, but including as many as 
possible of the following in the alphabet of characters you use: lower 
case letters, upper case letters, digits, symbols.  Adding just 1 of 
these character types, as long as the attacker doesn't know your 
pattern, dramatically expands the number of guesses he has to make.

Here is a simple example of what adding each different possibility 
does.  Imagine a 4 character password.  This one won't be strong, it's 
just for an example.

* lower case, ex: "junk" (excluding quotes), 26 possibilities in each 
character, permutations = 26^4 = 456,976
* lower, upper, ex: "Junk", 52 possibilities in each character, 
permutations = 52^4 = 7,311,616   (Note that this is 16 times more secure.)
* lower, upper, digits, ex: "Jun8", 62 possibilities in each character, 
permutations = 62^4 = 14,776,336   (Note that this is 32 times more secure.)
* lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in each 
character, permutations = 95^4 = 81,450,625   (Note that this is 178 
times more secure.)

These short passwords would be cracked instantly by a cracking array.  
However, a bit of clever adding of characters will allow me to have a 
very secure and pretty memorable password, even at MY bank.

Following is the minimum character length of a password of each type to 
require at least a century of crack time by an array operating at 100 
trillion guesses / second.

lower case, 17 characters, 3.60 centuries crack time
lower, upper, 14 characters, 3.35 centuries crack time
lower, upper, digits, 14 characters, 39.33 centuries crack time
lower, upper, digits, symbols, 12 characters, 1.71 centuries crack 
time   (Note that my bank will not accept this one.)

Going any SHORTER will reduce the crack time to less than a century, 
and it does so VERY rapidly.  In the case of the lower, upper, digits, 
removing 1 character reduces crack time to 63.43 years.  Removing a 2nd 
character reduces it to 1.02 years.  And, removing a 3rd character 
reduces it to 6.02 days.

The best compromise of length, memorability, usability at websites, and 
security is the lower, upper, digits scenario with 14 characters.  An 
easy way to do this is to pick 2 words from a standard English 
dictionary which combine to at least 12 characters then throw some caps 
and 2 digits in, or 13 characters and 1 digit.  This has some of the 
benefits of a pass phrase and is pretty memorable, and will be accepted 
by most websites.  You could use more digits, but there is no big 
benefit.  Once you've added even 1 digit, you've increased the 
possibilities at each character spot from 52 to 62.  Note that all this 
assumes the attacker is brute force guessing and doesn't know YOUR word 
pattern.

4AntimonyBlast - 14 characters - 39.33 centuries crack time
CastoffWander2 - 14 characters - 39.33 centuries crack time
Debark3Debates - 14 characters - 39.33 centuries crack time

Here's how the math works.

permutations = 62^14 = 12.402 x 10^24
time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second = 124.02 x 
10^09 seconds
divide by 3600 to get hours, then 24 to get days, then 365 to get years, 
then 100 to get centuries

To do the whole thing at once, take the number of permutations and 
divide by 315.36 x 10^21.
time to crack = 39.33 centuries
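To make the arithmetic above reproducible, here is a small calculator in the same brute-force model (full alphabet, fixed guess rate, attacker ignorant of the word pattern). It is an added example, not code from the original message; the class sizes (26 + 26 + 10 + 33 = 95 printable ASCII characters, space included), the 365-day year, the hypothetical `meets_bank_policy` check written from the quoted policy text, and the 2048-word pass-phrase figures from the opening paragraph are the assumptions it builds on. As the post itself notes, a dictionary or rule-based attack on two English words is far faster than exhaustive search, so these numbers are an optimistic upper bound on resistance.

```python
"""Crack-time estimates in the brute-force model used in the post above.

Added example (not the original author's code).  Assumes exhaustive search over
the full alphabet at a fixed guess rate, as the post does; dictionary attacks
on word-based passwords are much faster, so treat the results as a ceiling.
"""
import string

GUESSES_PER_SECOND = 100 * 10**12            # 100 trillion guesses / second
SECONDS_PER_DAY = 3600 * 24
SECONDS_PER_YEAR = SECONDS_PER_DAY * 365     # the post converts with 365-day years
SECONDS_PER_CENTURY = SECONDS_PER_YEAR * 100

# Assumed class sizes: symbols = the 33 remaining printable ASCII characters
# (space included), so all four classes together give the post's 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}


def alphabet_size(classes):
    """Distinct characters the attacker must try in every position."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(alphabet, length):
    """Exact count of strings of this length over the alphabet, e.g. 62**14."""
    return alphabet ** length


def crack_time(alphabet, length, rate=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace, in the units the post reports."""
    seconds = keyspace(alphabet, length) / rate
    return {
        "seconds": seconds,
        "days": seconds / SECONDS_PER_DAY,
        "years": seconds / SECONDS_PER_YEAR,
        "centuries": seconds / SECONDS_PER_CENTURY,
    }


def min_length_for_century(alphabet, rate=GUESSES_PER_SECOND):
    """Shortest length whose exhaustive search takes at least one century."""
    length = 1
    while crack_time(alphabet, length, rate)["centuries"] < 1.0:
        length += 1
    return length


def passphrase_crack_time(words, lexicon=2048, rate=GUESSES_PER_SECOND):
    """Same model for a pass phrase drawn from a fixed-size word list."""
    return crack_time(lexicon, words, rate)


def classes_in(password):
    """Which of the four classes a concrete password actually uses."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digits")
        else:
            found.add("symbols")         # anything else is counted as a symbol
    return found


def crack_centuries(password, rate=GUESSES_PER_SECOND):
    """Centuries to brute-force a password, given only its length and classes."""
    alphabet = alphabet_size(classes_in(password))
    return crack_time(alphabet, len(password), rate)["centuries"]


def meets_bank_policy(password):
    """Hypothetical check for the quoted policy: 6-20 characters, at least one
    letter and one digit, no spaces and no special characters."""
    allowed = set(string.ascii_letters + string.digits)
    return (
        6 <= len(password) <= 20
        and all(c in allowed for c in password)
        and any(c in string.ascii_letters for c in password)
        and any(c in string.digits for c in password)
    )


if __name__ == "__main__":
    for name, classes in [("lower", ["lower"]), ("lower, upper", ["lower", "upper"]),
                          ("lower, upper, digits", ["lower", "upper", "digits"]),
                          ("all four", list(CLASS_SIZES))]:
        size = alphabet_size(classes)
        n = min_length_for_century(size)
        print(f"{name}: alphabet {size}, {n} chars -> "
              f"{crack_time(size, n)['centuries']:.2f} centuries")
    for pw in ["4AntimonyBlast", "CastoffWander2", "Debark3Debates", "Ju+8"]:
        print(f"{pw}: {crack_centuries(pw):.2f} centuries, "
              f"bank accepts: {meets_bank_policy(pw)}")
    print(f"6-word pass phrase: {passphrase_crack_time(6)['days']:.2f} days")
```

Running the script reproduces the table in the post (17, 14, 14 and 12 characters for the four alphabets) and the 39.33-century figure for each of the three sample passwords; `crack_time(62, 13)["years"]` gives the 63.43-year drop for losing a single character.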

-----> BOTTOM LINE <------

So, the BOTTOM LINE is: create a password at least 14 characters long 
containing lower case, upper case, and digits; and you will be 
uncrackable by a botnet of 1000 PCs doing a total of 100 trillion 
guesses / second for almost 40 centuries.  Some of the crypto guys can 
chip in and say whether, statistically, the cracker might hit your 
password in 1/2 the time.  In that case, you're good for 20 centuries.

I hope you find this useful.  I certainly found the analysis revealing, 
and I'll be upgrading some of my website and applications passwords.

There's a lot of math here, all hand done.  I'm pretty sure it's all 
right, but if there are typos (at 2 AM), they'll have to be corrected later.

Sincerely,

Ron

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
