The Password Factor²

Last year we wrote about the complex security concerns facing users of on-line services, and specifically about the strength of traditional passwords. Some visitors seemed confused by the argument that length can match complexity, so we’ve decided to briefly revisit the topic today using two example passwords. As before, remember that now we’ve posted these they’re no longer safe to use as actual passwords.

Insecurity through obscurity

Which of these passwords do you think would be easiest to remember?

lunchdetails!Organiseth3
1o5v74v;A4v89t34nbt7h4g

Obviously it’s the first one, since the second has no natural pattern at all for the user to remember it by.

Now let’s say an attacker somehow knew the exact letters and characters used in your password – he or she just didn’t know what order they were in. How many possible combinations could each password be rearranged into?

The answer is the same for both:

295,095,290,555,142,625,648,321,021,999,764,315,625,454,517,120 possible combinations.

Even with computer hardware that is mostly still at the design stage, it would take 9.38 hundred billion trillion centuries to crack the above password in a “brute force” attack. The first password might seem to leave you vulnerable to an attack that assumes you’re using plain English – but that’s a pretty big assumption, and simply adding a dash between each word would make any “dictionary” attack even more complicated (and take 8.47 thousand trillion trillion centuries to complete).

We’re not saying you shouldn’t use passwords like the second one if you so wish – but realistically no end-user is likely to be able to remember that password, and if forced to use a nonsensical password they’re likely to make it much shorter than our example above – thus reducing complexity. This is to say nothing of the dangers of people writing down complex passwords!

What about the random passwords we use?

For the sake of argument, let’s strip the password down to a (supposedly) more memorable version:

1o5v74v

Looks secure, right? It might even be similar to one you use! How long would it take to crack now? Using the same technique as suggested in our earlier examples…

0.000806 seconds.

Plain English passwords, structured “out of order” and at least 24 characters long, are easy to remember and just as likely as a random one to stop an attacker from ever breaching your account. Because they’re easier to remember they also save money: fewer forgotten passwords mean less time spent resetting them. Finally, people are less likely to have to write such a password down to remember it.
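The arithmetic behind the comparison is simple to reproduce: work out which character classes a password draws from, raise that alphabet size to the password’s length to get the keyspace, and divide by an assumed guessing rate. The following is an added example written for this post, not code from the original article. It assumes one trillion guesses per second (a constructed figure; the article does not state the rate behind its own timings, so the results here differ from the ones quoted above) and treats the alphabet as the union of Python’s lowercase, uppercase, digit and punctuation sets (94 characters in total).

```python
import string

# Character classes an attacker must cover once they know, or guess, which
# kinds of characters appear in the password. string.punctuation holds 32
# symbols, so a password touching all four classes draws from 94 characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed attacker speed (constructed figure, not taken from the article):
# one trillion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e12


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    return sum(
        len(chars)
        for chars in CLASSES.values()
        if any(c in chars for c in password)
    )


def keyspace(password: str) -> int:
    """Number of strings with the same length over the same alphabet."""
    return alphabet_size(password) ** len(password)


def worst_case_seconds(
    password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND
) -> float:
    """Seconds to exhaust the whole keyspace; the average case is half this."""
    return keyspace(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    units = [
        ("centuries", 100 * 365.25 * 86400),
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Summarise the strength figures for one password."""
    secs = worst_case_seconds(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "keyspace": keyspace(password),
        "worst_case": human_duration(secs),
    }


if __name__ == "__main__":
    # The two passwords from the post, the shortened one, and a lowercase-only
    # 25-character phrase (constructed) to show that length alone can outweigh
    # a short password built from every character class.
    samples = (
        "lunchdetails!Organiseth3",
        "1o5v74v;A4v89t34nbt7h4g",
        "1o5v74v",
        "lunchdetailsorganisethree",
        "1o5v74v;A4v8",
    )
    for pw in samples:
        r = report(pw)
        print(f"{pw:26} len={r['length']:2} alphabet={r['alphabet']:2} "
              f"keyspace={r['keyspace']:.3e} worst case={r['worst_case']}")
```

The lowercase-only 25-character phrase has a larger keyspace than the 12-character mixed-class string, which is the point the post makes: at these lengths the exponent does far more work than the alphabet. The estimate is deliberately the naive one (every string in the keyspace equally likely); a dictionary or pattern-based attack narrows the search, so treat the figure as an upper bound, exactly as the N.B. below warns.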

N.B: In the real world most of these attacks would take far longer than calculated here, but the relative security of each choice remains the same.

That’s not the whole story of course, and most cyber security breaches start with the biggest weak point in any system: human beings. In our next entry on cyber security we’ll examine additional measures you can take to secure your data and avoid your own staff being used as unwitting accomplices.