Passwords and Complexity - II

Chris Cassell, Technical Team



ARGH! Why do computers hate me?!

You’ve said to hell with it and written down your password or made one that's easy... because you’ve got a job to do and “security” is getting in the way!

For years the security people have been going about things totally backwards because they thought it was the way forward. They were wrong. But forgive me as I zoom off on a tangent and dip our toe into the murky world of maths and ultimately what passwords are all about.

So, you have a new password. It's one character long, it's X. That's it. Just X. Kind of hard to forget that. So why can’t you have that as your password? Well because our primate friends could crack that given a little time.

Basically in the Latin Alphabet there are 26 letters, each can have an upper and lower case. So 52 options there, plus ten numbers, so 62. Add some common special characters you can see on your keyboard, another 34 or so on a standard keyboard layout. 96 options (or bits of entropy as it's known) realistically. So you’d only need to try 96 possible options to get that one character password. Anyone could do that in pretty short order; I can guess your password in maybe five minutes?

Okay so you decide to foil me by making a two character password! So that's two blocks of 96 options I have to try against each other, 96*96, that's 9,216 options. Okay I really don’t personally fancy trying to type 9,216 passwords out to try to get access to your latest half finished novel about vampires and werewolves doing interesting things.

So I tell my computer to do it for me. Let's pick a midrange computer, a standard Intel i5 processor. That’ll do 83,000 million operations per second. There's a few needed for each attempt but I won’t bore you with that. Suffice to say about 42 nanoseconds later I have your password. That's 0.000000042 of a second. I think I’ll let my computer take that strain.

Let's just skip ahead a few characters! An 8 character password. 7,213,895,789,838,336 options. Wow that's pretty secure right? Yeah loving that. That looks good. Until I put it up against a decent computer and let that have a go. 2 days. That's all it would take for a computer to work out your password by trying them all. Statistically actually 1 day, as it's likely to get it right about half way through.

How about something longer - MonkeyMagic! Twelve characters, and after reading me yammer on about monkeys you’ll likely remember that for ages. Well, same calculations. About 6,000 years. Now, call me careless, but I’m not particularly bothered if someone reads my e-mails in 6,000 years time. They’re not that exciting to read today really.

I know it's disappointing but, size actually does matter

Note that in none of the above do I talk about how many special characters you need, how many upper case and lower case you need, because realistically that's pretty irrelevant to the process: the bad guy will still have to assume they are in play and will have to try all 96 combinations against every character in your password, else they’ll miss anyone that throws in even a simple '!' as I did above.

It's really less about how complicated your password is, and far more about how long it is, as long as it's not easy to guess.

So P74Y*d>” (2 days) is actually weaker than ThisIsMyExceptionallyLongPasswordThatIsEasyToRemember (962 Vigintillion years, and no I didn’t know what a Vigintillion was either. It's really big). Obviously don’t now use that password as bad people might guess it from having seen it. But the point is a long phrase of at least four words added together with maybe some capitals and a ? or ! in it is near infinitely stronger and easier to remember than the random short ones people believe are good.
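The arithmetic behind the last few paragraphs, as an added example that is not part of the original post: it uses the post's own 96-symbol alphabet and 83,000 million operations per second, assumes one operation per guess (which favours the attacker), and also shows why an attacker who drops the specials from their search misses MonkeyMagic! entirely.

```python
# Added example, not from the original post. Reproduces the post's arithmetic:
# a 96-symbol alphabet and a machine trying 83,000 million guesses per second.
# Treating one operation as one guess is an assumption that favours the attacker.
import math
import string

CHARSET_SIZE = 26 + 26 + 10 + 34     # upper, lower, digits, ~34 keyboard specials = 96
GUESSES_PER_SECOND = 83_000_000_000  # the post's "83,000 million operations per second"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Candidates an exhaustive search must cover: charset_size ** length."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int = CHARSET_SIZE) -> float:
    """Entropy of a uniformly random password: each symbol adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def worst_case_seconds(length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate; the hit lands about half-way through on average."""
    return keyspace(length) / rate


def expected_seconds(length: int, rate: int = GUESSES_PER_SECOND) -> float:
    return worst_case_seconds(length, rate) / 2


def search_can_find(password: str, attacker_alphabet: str) -> bool:
    """An exhaustive search over a reduced alphabet only finds the password if every
    character is in that alphabet, so the attacker must assume all 96 anyway."""
    return all(c in attacker_alphabet for c in password)


def describe(length: int) -> str:
    secs = worst_case_seconds(length)
    if secs < 1:
        span = f"{secs * 1e9:,.0f} ns"
    elif secs < SECONDS_PER_YEAR:
        span = f"{secs / 86400:,.1f} days"
    else:
        span = f"{secs / SECONDS_PER_YEAR:,.3g} years"
    return (f"{length:2d} chars: {keyspace(length):.3e} candidates, "
            f"{entropy_bits(length):5.1f} bits, worst case {span}")


if __name__ == "__main__":
    for n in (1, 2, 8, 12, len("ThisIsMyExceptionallyLongPasswordThatIsEasyToRemember")):
        print(describe(n))
    # letters and digits only: the '!' in MonkeyMagic! is never tried
    print(search_can_find("MonkeyMagic!", string.ascii_letters + string.digits))
```

Swap in your own hash rate for GUESSES_PER_SECOND to see how much the longer passphrase still has in hand against faster hardware.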

Now those more in the know might be muttering things like “Hash Table”, “Weak algorithm”, “Large bowl of custard”. I agree that's a valid attack, but do the maths and you’ll find that both the above passwords are vulnerable to that sort of attack and again, the longer one is still stronger, even in that scenario.

All that old school random hard to remember stuff isn’t looking so clever now is it?

Don’t ever change (to try to please me)

If your password has never let you down before, then don’t change it. Look at the maths again: you would have to change your 8 character meaningless string of gibberish every two days. Even then it would still be vulnerable if the attacker got lucky. To be safe from the random nature of guessing I might want to change My Exceptionally Long Password in approximately 400 Vigintillion years, if I’m being paranoid.

So why do we have to change passwords all the time then? Well that's to minimise the damage in case someone has managed to break your password. Some sites have very bad security practices and store passwords in plain text. So if someone hacks in they can get your password and use it to try other sites. That's why you’re told not to use the same password in other places. It's also why we change them, as it means that if someone else is using your password they’ll get shut out again within 30, 60, 90 days, whichever is set.

So they’ll only have several weeks of access to your stuff without you knowing about it. Then you change your password and lock them out. I’m sure after a few weeks they probably still have things to do, right? Well no. Frankly they’ll have done their damage immediately and either moved on, or changed your password for you and locked you out so they can do what they like till you get it fixed. In fact an exposed password is statistically likely to be used within 24 hours of the breach. So that whole changing your password regularly thing? Pointless.

Wouldn’t it be much better to have a system where you log in and you’re immediately given details about the last log in and attempted logins? Then you see that you logged in at some time that wasn’t you? You know there is a problem and you can fix it right there and then. Report it to the authorities and change your password and get the damage dealt with. Sounds better than waiting 30 days to lock someone out and not having known it was a problem anyway?
