Why Passwords Don’t Work

By | November 22, 2004

Unlike earlier “feature length” articles, today’s article is designed as a bit of a security primer. This is really a heads up on some newer thoughts circulating in the security field, and how those thoughts apply to you as an individual.

The topic at hand is that of passwords. What is a password? A password is a token that allows someone to positively identify themselves. Combined with a username, you get Authentication: Alice is who she says she is, because she has something only Alice has. A password is only good as long as it’s something only Alice knows. If Bob knows Alice’s password, it really doesn’t authenticate Alice anymore. Our goal in choosing a password is to make sure that only Alice will know it.

Security professionals measure the strength of a password by how random it is, or how much “entropy” it has. Length is great, but a password that is nothing but “1” typed 100 times isn’t very random, and password cracking programs break it easily.

In the old days, the goal of a password was to make it difficult for someone else to guess when you were typing, as well as difficult for someone to guess when you weren’t around.

While that goal still holds true today, the single largest job of a password in today’s age – the age of interconnected, high-powered, remotely accessible systems – is to prevent people with malicious intent and sophisticated software from gaining access to your account, i.e. from making a system think they are you when obviously they aren’t.

The Entropy of the Matter

As I mentioned earlier, entropy is the key to determining how secure a password is. In simple terms, it is usually expressed as 2 raised to a certain power, i.e., how many “bits” the password has. For instance, a random number between 0 and 15 would have 4 bits of entropy, a strength of 2^4. A single Roman letter, a-z (no case differences), has 4.7 bits of entropy if chosen randomly (log2(26)). These numbers are theoretical, though, since in reality few sequences of anything are truly random.

Conventional wisdom holds that a 9 character password like monkeyboy is made more random by swapping out certain characters: 0 for o, 3 for e and so forth. However, there is nothing truly random about this: you applied a simple rule to create the password, and all someone trying to break it needs to do is apply the same simple rule.

Therefore, you really have two options: make really random short passwords, or make “less random” longer passwords. In an ideal world, we could give users 5-7 character passwords which were both completely random and totally easy to remember. In addition, we could give users new passwords every 2-4 weeks. However, this isn’t a perfect world.

The second option is to go for length: 50+ characters of words are inherently more secure than 10 characters of words. Since most users, or most anyone for that matter, can’t actually remember 50 characters of “text”, more and more security consultants and system administrators are turning to what are commonly known as “Passphrases”.

A Phrase is a Phrase

Much like a “password” – which is a secret made up of a word – a Passphrase is a secret made up of several words, the more the merrier. A passphrase could be as simple as “to be or not to be, that is the question”. This 40 character passphrase should be easy for most anyone to remember.

The advantage to this is that the current generation of cracking programs is effectively useless at cracking anything longer than 10 characters. This means that for the next 2-3 years, your data is basically safe – from a passphrase perspective.

The downside to passphrases is that while they are longer, their length doesn’t guarantee security. For example, while there are roughly 250,000 words in the English language, most people’s vocabulary is only about 50,000. When asked to think up a simple phrase, that dictionary drops to a mere 10,000 words. In a purely random sense, a pool of 10,000 is fantastic. However, some words occur much more often than others, and there are certain language constructs which make guessing a sentence easier than guessing a single string of 50 characters.

So while security professionals are currently evangelizing passphrases, it is with the knowledge that as soon as there are programs which can incorporate the English dictionary, learn to parse sentences and pick apart words instead of characters, we may be back to the proverbial drawing board.

However, even in the long term there are some simple steps that can be taken to make your passphrase more secure. By doing to passphrases what many people do to passwords – swapping out characters – the inherent security of the passphrase becomes much greater, largely because it makes the cracker’s dictionary practically useless.

Another commonly held suggestion is to simply spell one or two words in your passphrase wrong, which will also render the passphrase impossible to guess. After all, you only need to fool a cracker on one word to keep your passphrase secure.

From the Experts

Obviously no security article would be complete without input from true experts. The biggest splash made by any article on passphrases belongs to Jesper M. Johansson, Ph.D., ISSAP, CISSP.

Jesper recently finished one of the defining pieces on the subject of passphrases.

Another industry expert is Robert Hensing. His blog is full of useful information on the subject, and he encourages readers to email him with questions.

What does this all boil down to? To quote Jesper’s conclusion to his fantastic 3-part series:

While no one can conclusively answer the question of whether pass phrases are stronger than passwords, math and the logic appear to show that a 5- or 6-word pass phrase is roughly as strong as a completely random 9-character password. Since most people are better able to remember a 6-word pass phrase than a totally random 9-character password, pass phrases seem to be better than passwords. In addition, by adding some substitutions and misspellings to a pass phrase, users can significantly strengthen it, which is not possible with a totally random 9-character password. Contrary to what your grade school teacher taught you, there actually is value in misspelling things!
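To put numbers on the claims above (the bits per symbol from the entropy section, the “0 for o” substitution trick, the 10,000-word vocabulary, and Jesper’s comparison of a 5- or 6-word pass phrase with a random 9-character password), here is an added Python example; it is not part of the original article or of Jesper’s series. The substitution table, the 95-character printable alphabet, the 27-character letters-plus-space alphabet and the 100,000-entry quote list are assumptions chosen for illustration.

```python
import math

# Constructed substitution table: the "0 for o, 3 for e" trick the article describes.
LEET = {"o": "0", "e": "3", "a": "4", "i": "1", "s": "5"}


def bits_random(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def bits_passphrase(dictionary_size: int, words: int) -> float:
    """Bits of entropy in `words` words drawn uniformly from a pool of `dictionary_size`."""
    return words * math.log2(dictionary_size)


def substitution_variants(word: str, subs: dict) -> int:
    """Spellings a cracker must try when each swappable letter may or may not be swapped."""
    swappable = sum(1 for ch in word.lower() if ch in subs)
    return 2 ** swappable


def extra_bits_from_substitution(word: str, subs: dict) -> float:
    """Entropy that character substitution adds once the cracker knows the table."""
    return math.log2(substitution_variants(word, subs))


def phrase_bits_by_attack(phrase: str, alphabet_size: int = 27,
                          dictionary_size: int = 10_000, quote_list_size: int = 100_000) -> dict:
    """Apparent strength of one phrase under three cracker models (assumed pool sizes)."""
    return {
        # Cracker tries every string of that length over letters plus space (punctuation ignored).
        "per_character": round(bits_random(alphabet_size, len(phrase)), 1),
        # Cracker knows it is words and tries every sequence from a common-word list.
        "per_word": round(bits_passphrase(dictionary_size, len(phrase.split())), 1),
        # Cracker tries a list of famous quotes: length no longer matters at all.
        "known_quote": round(math.log2(quote_list_size), 1),
    }


if __name__ == "__main__":
    print(f"random 0-15: {bits_random(16, 1):.1f} bits; one letter a-z: {bits_random(26, 1):.1f} bits")
    print(f"9 random printable-ASCII characters: {bits_random(95, 9):.1f} bits")
    for n in (5, 6):
        print(f"{n} random words from a 10,000-word pool: {bits_passphrase(10_000, n):.1f} bits")
    print(f"monkeyboy: {substitution_variants('monkeyboy', LEET)} leet variants, "
          f"+{extra_bits_from_substitution('monkeyboy', LEET):.1f} bits")
    print(phrase_bits_by_attack("to be or not to be, that is the question"))
```

The last line shows why a famous quote is weak however long it is: 190 bits if guessed character by character, 133 bits if guessed word by word, but under 17 bits once the cracker carries a quote list.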
