Today's Password Problems And Solutions

Love it or hate it, technology has become a big part of our everyday lives. From the office to our homes, and everything in between, we are surrounded by gadgets, gizmos, and doodads that are all designed to help us and make our lives easier. While we could go on and on about whether or not all this technology actually does this, the point of this article is something decidedly more annoying, and more specific: passwords. Yes, those terribly annoying little (or long) things that we use to secure all of our personal stuff from nefariously-minded co-workers, bosses, spouses, friends, children, etc. The number of passwords that we have to keep track of day-to-day can be staggering! From the ones that we use on a regular basis and that are, as such, easy to remember, to the wait-that-has-a-password?-I-can't-remember-what-I-set-it-to-the-last-time-I-logged-in-ten-years-ago beasts that put a major speed bump in our lives at just the wrong time.
We've all come up with our little devices for remembering all of these little devils. From setting them to something that's easy and obvious to remember (and guess), to making them all the same, to adding trickery by swapping out the e's for 3's and ending them all with a 1 or an !, they all have their good points and bad points. Above all this, there's one thing we all understand, namely, that the passwords that protect our most valuable stuff have to be complicated and confusing in order to be secure. Right? Wrong. Although unintentionally misguided, this idea that passwords have to be complex in order to be secure has its roots in something called password entropy.
First, a little dip into the theoretical side of the pool. Password entropy is the way in which technical geek-types measure just how secure a password is. In a nutshell, entropy states that there are a finite number of guesses you can make for each character in a password before you get that particular character right. To increase a password's entropy (or security), you simply increase the number of potential characters that each individual character can be. This means that the bad guys have more guesses to make per character, and that your password is more secure. Confused? Let's break this down into something a bit more tangible. Let's analyze a PIN from an entropy standpoint. A typical PIN has four digits, each a number from 0 to 9. In entropy-speak, this means that in ten guesses or less, a password cracker will absolutely get the correct value for each individual digit in the PIN. Without going into the math, each symbol in a 10-symbol password has an entropy of 3.3219 bits. That's not very good. So how do you make this PIN more secure? One option, which is the most-utilized option, is to increase the number of possible symbols each character can be. In our PIN, by adding the letters A through Z (without case-sensitivity) into the mix, an additional 26 possible guesses have to be made on top of our original 10. In entropy terms, our newly-upgraded PIN has an entropy of 5.1699 bits per symbol. Almost two full bits better than our original. If we then add case-sensitivity, spaces, and all the special characters we have on our keyboards (like !, @, etc.) we can push entropy up to 6.5699 bits per symbol.
What does all of this mean? If we crunch the math, it means that given the right password cracking tools, a bad guy can get our original 4-digit PIN (with its lowly entropy of 3.3219 bits per digit) in 10,000 guesses or less. That may seem like a large number, but given the speed at which a computer can work, it really doesn't take much time to crunch through all of those guesses. For our purposes, let's just say that the bad guys have a horribly slow password cracker that can only make 100 guesses per second. Our feeble little PIN will be owned by these bad guys in 1 minute 40 seconds or less! What about the newer versions of our PIN that have the larger symbol sets? The first one, with an entropy of 5.1699 bits per symbol, would take 1,679,616 guesses, and would be cracked in 4 hours 39 minutes 56.16 seconds or less. Our super-tough 4-digit password with an entropy of 6.5699 bits per symbol stays secure through 9 days 10 hours 15 minutes 6.25 seconds of cracking before it's known!
This illustrates why we have passwords with all of those horribly-difficult-to-remember symbols. BUT, that's only one side of the story! Unfortunately, it's usually the only side of the story we pay any attention to, which is sad, because our brains are not wired to remember sequences of characters and symbols in this manner. Just think about it: when you think of the word Tiger, do you think to yourself T followed by I followed by G and so on, or do you just think of the word as a whole? Clearly language and length are things our minds can more easily manage. So how do we make easy-to-remember-but-still-secure passwords? One word: LENGTH! If our bank allows us to have a password of up to 20 characters, why don't we use them? Instead of BW^#97zp (which is 8 characters and takes 6.63x10^15 guesses to crack) that is awkward to type and difficult to remember (so it's probably written down somewhere, and probably in a place near your computer where a would-be thief could easily guess), why not use MyKidsAreGreat123!@#, which is easy to type, easy to remember (the last !@# are just 123 with the shift key pressed), is twenty characters long, and would take a staggering 3.62x10^39 guesses to crack! Why are we so hard on ourselves?
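To make the arithmetic in the three paragraphs above concrete, here is a small Python calculator added as an example; it is not code from the article. It reproduces the bits-per-symbol, guess-count and crack-time figures for the three 4-digit PIN variants at the article's deliberately slow 100 guesses per second, applies the same method to the 8- and 20-character passwords, and adds one estimate the article only hints at with "somewhat random": a passphrase built from dictionary words, where an attacker who knows the method guesses whole words rather than characters. Two assumptions are mine: the 95-symbol alphabet is taken to be printable ASCII (digits, both letter cases, punctuation and the space), and the word-based example assumes a 2048-word list, which works out to 11 bits per word.

```python
"""Password keyspace and brute-force time calculator (added example, not from
the article). Reproduces the article's PIN arithmetic and extends it to the
8- and 20-character passwords, plus a word-based estimate for passphrases."""
import math
import string

# The three symbol sets the article walks through. The 95-symbol set is assumed
# to be printable ASCII: 10 digits, 52 letters, 32 punctuation marks, 1 space.
ALPHABETS = (
    string.digits,                                                    # 10 symbols
    string.digits + string.ascii_lowercase,                           # 36 symbols
    string.digits + string.ascii_letters + string.punctuation + " ",  # 95 symbols
)


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol drawn uniformly from an alphabet of N symbols: log2(N)."""
    return math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of the given length: the attacker's worst case, N ** L."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a fixed guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render seconds as days/hours/minutes/seconds, the way the article does."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{int(days)}d {int(hours)}h {int(minutes)}m {secs:.2f}s"


def alphabet_size_for(password: str) -> int:
    """Smallest of the article's alphabets that covers every character.

    This is the alphabet a brute-force attacker has to assume when they know
    nothing about how the password was chosen."""
    for alphabet in ALPHABETS:
        if set(password) <= set(alphabet):
            return len(alphabet)
    raise ValueError("password uses characters outside printable ASCII")


def summarize(password: str, guesses_per_second: float = 100) -> dict:
    """Per-password report: alphabet, total bits, keyspace and worst-case crack time."""
    n = alphabet_size_for(password)
    length = len(password)
    return {
        "length": length,
        "alphabet": n,
        "bits": round(bits_per_symbol(n) * length, 1),
        "keyspace": keyspace(n, length),
        "worst_case": format_duration(worst_case_seconds(n, length, guesses_per_second)),
    }


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase built from words picked uniformly at random.

    An attacker who knows the method guesses whole words, not characters, so
    the figure is word_count * log2(dictionary_size), not log2(95) * length."""
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    # The article's three example passwords at its 100 guesses per second.
    for pw in ("1234", "BW^#97zp", "MyKidsAreGreat123!@#"):
        print(pw, summarize(pw))
    # Same 4-digit length, growing alphabet: the three PIN variants.
    for n in (10, 36, 95):
        print(f"{n:>3} symbols: {bits_per_symbol(n):.4f} bits/symbol, "
              f"{keyspace(n, 4):,} guesses, {format_duration(worst_case_seconds(n, 4, 100))}")
    # Four words from an assumed 2048-word list: 11 bits per word.
    print(f"4 words from 2048: {passphrase_bits(4, 2048):.0f} bits")
```

Running it reproduces the article's 1 minute 40 seconds, 4 hours 39 minutes 56.16 seconds and 9 days 10 hours 15 minutes 6.25 seconds for the three PINs. Note what `alphabet_size_for` does and does not measure: it gives the keyspace an attacker faces if they treat the password as uniformly random over the alphabet, so the 95^20 figure for the 20-character example is an upper bound. When a password is assembled from common words, the `passphrase_bits` estimate is the more honest one to plan around, and it still comes out far ahead of the 8-character jumble once there are enough words.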
In summary, let's not forget that password length is a vital part of password complexity, and that we can make our lives easier (and possibly more secure) by lengthening our passwords with somewhat random, common-language words that we can actually remember (so they don't have to be written down)!
A famous tech-centric online comic strip, xkcd, beautifully summarized all of this in one of their comics, which can be found here.