[ale] creating very powerful relatively short memorable passwords
Ron Frazier
atllinuxenthinfo at c3energy.com
Sat Sep 10 02:54:55 EDT 2011
Hi all,
If you've been watching the list, you know I've been in discussion with
several others related to the topic of creating strong passwords. Based
on prior discussions and recommendations, I had concluded that pass
phrases are highly desirable. However, if using a 2048 word lexicon,
they must be 6 words long to achieve a few days of crack resistance from
a botnet array. You have to go up to 8 words to reach a crack time of
centuries if the attacker is doing 100 trillion guesses / second. Pass
phrases this long are impossible to enter into many websites. And, even
if they can be entered, it is very tedious to type this many words in a
password field.
Here, I will describe a good compromise if you either wish to or are
forced to use a shorter password.
I was slamming my bank in prior discussions due to only allowing 8
character passwords. Well, I guess other people have been slamming
them. I checked the password policy today and it has been updated to
the following:
"Must be 6-20 characters with at least one letter and one number. There
should be no spaces and no special characters."
As you can see, I cannot use a 6-8 word pass phrase here. However, I
can still make it plenty strong. The key to making a short password
work is not only making it as long as you can, but including as many as
possible of the following in the alphabet of characters you use: lower
case letters, upper case letters, digits, symbols. Adding just 1 of
these character types, as long as the attacker doesn't know your
pattern, dramatically expands the number of guesses he has to make.
Here is a simple example of what adding each different possibility
does. Imagine a 4 character password. This one won't be strong, it's
just for an example.
* lower case, ex: "junk" (excluding quotes), 26 possibilities in each
character, permutations = 26^4 = 456,976
* lower, upper, ex: "Junk", 52 possibilities in each character,
permutations = 52^4 = 7,311,616 (Note that this is 16 times more secure.)
* lower, upper, digits, ex: "Jun8", 62 possibilities in each character,
permutations = 62^4 = 14,776,336 (Note that this is 32 times more secure.)
* lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in each
character, permutations = 95^4 = 81,450,625 (Note that this is 178
times more secure.)
These short passwords would be cracked instantly by a cracking array.
However, a bit of clever adding of characters will allow me to have a
very secure and pretty memorable password, even at MY bank.
Following is the minimum character length of a password of each type to
require at least a century of crack time by an array operating at 100
trillion guesses / second.
  lower case                      17 characters    3.60 centuries crack time
  lower, upper                    14 characters    3.35 centuries crack time
  lower, upper, digits            14 characters   39.33 centuries crack time
  lower, upper, digits, symbols   12 characters    1.71 centuries crack time
  (Note that my bank will not accept the last one.)
Going any SHORTER will reduce the crack time to less than a century,
and it does so VERY rapidly. In the lower, upper, digits case,
removing 1 character reduces crack time to 63.43 years. Removing a 2nd
character reduces it to 1.02 years, and removing a 3rd character
reduces it to 6.02 days.
The best compromise of length, memorability, usability at websites, and
security is the lower, upper, digits scenario with 14 characters. An
easy way to do this is to pick 2 words from a standard English
dictionary which combine to at least 12 characters then throw some caps
and 2 digits in, or 13 characters and 1 digit. This has some of the
benefits of a pass phrase and is pretty memorable, and will be accepted
by most websites. You could use more digits, but there is no big
benefit. Once you've added even 1 digit, you've increased the
possibilities at each character spot from 52 to 62. Note that all this
assumes the attacker is brute force guessing and doesn't know YOUR word
pattern.
4AntimonyBlast - 14 characters - 39.33 centuries crack time
CastoffWander2 - 14 characters - 39.33 centuries crack time
Debark3Debates - 14 characters - 39.33 centuries crack time
Here's how the math works.
permutations = 62^14 = 12.402 x 10^24
time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second = 124.02 x
10^09 seconds
divide by 3600 to get hours, then 24 to get days, then 365 to get years,
then 100 to get centuries
To do the whole thing at once, take the number of permutations and
divide by 315.36 x 10^21.
time to crack = 39.33 centuries
-----> BOTTOM LINE <------
So, the BOTTOM LINE is: create a password at least 14 characters long
containing lower case, upper case, and digits; and you will be
uncrackable by a botnet of 1000 PCs doing a total of 100 trillion
guesses / second for almost 40 centuries. Some of the crypto guys can
chip in and say whether, statistically, the cracker might hit your
password in 1/2 the time. In that case, you're good for 20 centuries.
I hope you find this useful. I certainly found the analysis revealing,
and I'll be upgrading some of my website and applications passwords.
There's a lot of math here, all hand done. I'm pretty sure it's all
right, but if there are typos (at 2 AM), they'll have to be corrected later.
Sincerely,
Ron
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
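The keyspace and crack-time arithmetic from the post, as an added Python example (this is not code from Ron's message). The guess rate (100 trillion per second), the alphabet sizes (26, 52, 62, 95) and the century conversion are the post's own figures; `min_length_for_centuries` reproduces the 17/14/14/12 table and `report` reproduces the 39.33-century figure for the three example passwords. The `two_words_one_digit_keyspace` function is an assumed attacker model introduced here, not something the post describes, to put a number on the post's own caveat that all of this assumes the attacker does not know your word pattern: with an assumed 100,000-word dictionary, "two dictionary words, optional capitals, one digit in one of three slots" is about 1.2 x 10^12 guesses, roughly 12 milliseconds at the post's rate.

```python
"""Keyspace and brute-force crack-time arithmetic for the password classes
discussed in the post.  Added example; not part of Ron's message.  The
guess rate and alphabet sizes are the post's figures; the dictionary
attacker model at the bottom is an assumption introduced here."""

SECONDS_PER_YEAR = 3600 * 24 * 365
SECONDS_PER_CENTURY = 100 * SECONDS_PER_YEAR
GUESSES_PER_SECOND = 100 * 10**12          # 100 trillion guesses / second

# Alphabet sizes used in the post (95 = all printable ASCII incl. space).
ALPHABETS = {
    "lower": 26,
    "lower, upper": 52,
    "lower, upper, digits": 62,
    "lower, upper, digits, symbols": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` over an alphabet of that size."""
    return alphabet_size ** length


def full_search_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every string in the keyspace at `rate` guesses/second."""
    return space / rate


def centuries(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case (exhaustive) search time in centuries; this is the post's
    'divide the permutations by 315.36 x 10^21'."""
    return full_search_seconds(space, rate) / SECONDS_PER_CENTURY


def expected_centuries(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Average case: a uniformly chosen password is hit half way through."""
    return centuries(space, rate) / 2


def min_length_for_centuries(alphabet_size: int, target: float = 1.0,
                             rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose exhaustive search takes at least `target` centuries."""
    length = 1
    while centuries(keyspace(alphabet_size, length), rate) < target:
        length += 1
    return length


def classify_alphabet(password: str) -> int:
    """Alphabet size a brute-forcer needs if all it knows is which character
    classes appear in the password (the post's 'doesn't know your pattern')."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33        # printable ASCII punctuation plus space
    return size


def two_words_one_digit_keyspace(dictionary_size: int, digit_slots: int = 3) -> int:
    """ASSUMED attacker model, not from the post: the attacker knows the
    password is two dictionary words, each independently capitalised or not,
    with one decimal digit placed in one of `digit_slots` positions
    (before, between, after).  Guesses = D^2 * 2^2 * 10 * slots."""
    return dictionary_size ** 2 * 2 ** 2 * 10 * digit_slots


def report(password: str) -> dict:
    """Brute-force figures for one password, the way the post tabulates them."""
    alphabet = classify_alphabet(password)
    space = keyspace(alphabet, len(password))
    return {
        "length": len(password),
        "alphabet": alphabet,
        "keyspace": space,
        "centuries": centuries(space),
        "expected_centuries": expected_centuries(space),
    }


if __name__ == "__main__":
    print("minimum length for >= 1 century of brute force at 1e14 guesses/s:")
    for name, size in ALPHABETS.items():
        n = min_length_for_centuries(size)
        print(f"  {name:<30} {n:2d} chars  {centuries(keyspace(size, n)):8.2f} centuries")

    print("\nthe post's example passwords, brute-force view:")
    for pw in ("4AntimonyBlast", "CastoffWander2", "Debark3Debates"):
        r = report(pw)
        print(f"  {pw}  {r['length']} chars  alphabet {r['alphabet']}  "
              f"{r['centuries']:.2f} centuries")

    # Same construction if the attacker knows the two-words-plus-digit
    # pattern and has a 100,000-word dictionary (assumed size).
    known = two_words_one_digit_keyspace(100_000)
    print(f"\nknown pattern, 100k-word dictionary: {known:.2e} guesses, "
          f"{full_search_seconds(known):.3f} seconds")
```

Run it as a script and it prints the post's length table, the 39.33-century figure for the three example passwords, and the pattern-aware figure beside them. The gap between the last two numbers is the whole point of the post's "doesn't know YOUR word pattern" proviso: the 62^14 keyspace is only real if the attacker has to treat every position as any of 62 characters.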