May 10, 2013

Secure Passwords: What You’ve Been Taught Is Wrong

A guide for LAN Administrators who want to secure their systems without a user revolt.

keyboard - password - abracadabra - open sesame - photo by Jonathan_W

length + the uniqueness of your brain

More on that in a moment.

But first, if only we could trust our fellow human beings, there would be no need to secure our sensitive data. No need to invent complex methods to thwart criminal mischief. Alas that utopia does not exist. And even though passwords are a nuisance, and are quite susceptible to compromise, they are still the most widely used defense against data theft. Because of that, it’s a safe bet we could all use a lesson when it comes to constructing a secure password.

Which password do you think is more secure?

Password #1: P4ssword!!!!
Password #2: if&eQ23Vsw6

Of course you probably already suspect this is a trick question. Clearly the first password uses a common trick: replace the “a” with a “4”. Surely that will throw off any potential hackery! Most people know better. Well, most conscientious IT administrators know better at least. We know that a dictionary attack will include dictionary words along with their common substitutions. But even so, the first password is more secure than the second, and it has nothing to do with the “4” replacing the “a”. I’m afraid the proportional font used to display the two examples hides the difference. Have a look at those two passwords again in a fixed-width font.

Password #1: P4ssword!!!!
Password #2: if&eQ23Vsw6

It should be obvious now that the first password is one character longer than the second password. What is not obvious is why that matters. Your brain is telling you the first password is less secure. Because you can clearly decipher a dictionary word along with a series of repeating characters, your brain says this password is not as secure as the second password, which appears completely random. But even though the first password appears less random, appears less secure, and is certainly easier to remember, it is more secure because (a) it is one character longer, and (b) it includes padding. If Password #1 were just a 12-character dictionary word, it would NOT be as secure. But since Password #1 contains those 4 exclamation points, the only way it can be cracked is via brute force, just the same as Password #2. And since Password #1 is one character longer, it will take longer to crack via brute force.

So what is padding? It’s simple: you take a word and you add something after it, before it, or somewhere in the middle. Because a potential hacker has no idea what your password is or how long it is, and gets no feedback on a partial match (it’s all or nothing), a password with a simpler appearance can actually require more time and effort to crack.

But don’t take my word for it. Let’s see what GRC’s Interactive Brute Force ‘Search Space’ Password Calculator has to say:

Password #1: P4ssword!!!!

Brute Force Search Space Analysis
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 12 characters
Exact Search Space Size (Count): 546,108,599,233,516,079,517,120
Search Space Size (as a power of 10): 5.46 x 10^23

Time Required to Exhaustively Search this Password’s Space
Online Attack Scenario (Assuming one thousand guesses per second): 1.74 hundred billion centuries
Offline Fast Attack Scenario (Assuming one hundred billion guesses per second): 1.74 thousand centuries
Massive Cracking Array Scenario (Assuming one hundred trillion guesses per second): 1.74 centuries


Password #2: if&eQ23Vsw6

Brute Force Search Space Analysis
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 11 characters
Exact Search Space Size (Count): 5,748,511,570,879,116,626,495
Search Space Size (as a power of 10): 5.75 x 10^21

Time Required to Exhaustively Search this Password’s Space
Online Attack Scenario (Assuming one thousand guesses per second): 1.83 billion centuries
Offline Fast Attack Scenario (Assuming one hundred billion guesses per second): 18.28 centuries
Massive Cracking Array Scenario (Assuming one hundred trillion guesses per second): 1.83 years


So both passwords are pretty secure. Even the more complex-looking (but less secure) Password #2 could take nearly 2 billion centuries to crack in a plausible brute force attack scenario. But as you can see, in the “Massive Cracking Array Scenario” the second password could be cracked in less than 2 years. Alright, I think I would still feel pretty safe with Password #2, considering 2 years is a long time and that scenario is highly unlikely. But take a look at Password #1. Even in the over-the-top attack scenario, it would take a few lifetimes to crack.

Warning: This does not mean you should use Password #1 or a similar variant. You should come up with your own unique password length and padding technique. If you were to follow an example published in an online blog, certainly it’s something a potential hacker could try as well.



You can use complexity and length and create a highly secure password. You can force this on your users and surely they will create secure passwords. But after you do this, take a stroll through the office and you may start finding Post-It notes stuck to monitors with random characters written on them. Suddenly your secure password policy is junk.

This is why I say what you’ve been taught is all wrong. You need to come up with a password policy that does two things well, instead of one thing really well:

1. Cannot be cracked by dictionary file and is not easily cracked by brute force.

2. Easy to remember.

That’s why complexity rules should be thrown out the window. With complexity, you achieve #1 at the cost of #2.

Instead, you should require length, not complexity. While you can construct a reasonably secure password (with complexity) with only 7 or 8 characters, if you do not require complexity you must increase the length. Your users may scoff at a 12 or 14 character password requirement, but if you can explain an easy method for creating memorable and secure passwords, that initial negativity is likely to subside.

The longer the password, the longer it takes to crack. Forget about password complexity rules. You don’t need uppercase, lowercase, numbers and symbols. What you need is length combined with some form of padding that is easy to remember but is unique to your brain, and your brain only. In fact, this will probably blow your mind: you can just combine several random dictionary words for a highly secure password. No, really! I’m serious! Check this out:

Password using simple dictionary words: grasscarpetguitar

So that’s “grass carpet guitar” combined without the spaces for 17 characters. What does the super-duper password calculator say?

Brute Force Search Space Analysis
Search Space Depth (Alphabet): 26
Search Space Length (Characters): 17 characters
Exact Search Space Size (Count): 1,179,180,408,000,556,754,576,342
Search Space Size (as a power of 10): 1.18 x 10^24

Time Required to Exhaustively Search this Password’s Space
Online Attack Scenario (Assuming one thousand guesses per second): 3.75 hundred billion centuries
Offline Fast Attack Scenario (Assuming one hundred billion guesses per second): 3.75 thousand centuries
Massive Cracking Array Scenario (Assuming one hundred trillion guesses per second): 3.75 centuries


So a password comprised of three simple dictionary words (totaling 17 characters) could take up to 3.75 hundred billion centuries to crack in the simplest of the attack scenarios. As far as passwords go, that’s pretty secure. While a common phrase (or song title, etc.) might produce the same results in the GRC calculator, a common phrase would also be something a potential hacker could build into a dictionary file attack. Therefore, the key to password strength when using this method is you must use words that have no connection to each other. The only connection is that your brain put the words together.
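As an added example (not code from the original article or from GRC), here is a small Python reproduction of the calculator arithmetic used for the padded password and for the three-word password above: the calculator counts every candidate up to the password’s length, which is why 95^12 alone does not match its figure, and a second function shows how much smaller the space becomes if the words are in an attacker’s word list, the risk the paragraph above flags for common phrases. The 10,000-word list size and the 365-day century are assumptions.

```python
from string import ascii_lowercase, ascii_uppercase, digits

# Character-class sizes the GRC calculator uses (26 + 26 + 10 + 33 = 95); ASCII only.
SYMBOLS = 33
SECONDS_PER_CENTURY = 100 * 365 * 24 * 60 * 60  # assumed 365-day years
# The article's three guess rates, in guesses per second.
SCENARIOS = {"online": 10**3, "offline fast": 10**11, "massive array": 10**14}

def alphabet_size(password: str) -> int:
    """Smallest GRC-style alphabet that covers every character class the password uses."""
    size = 0
    if any(c in ascii_lowercase for c in password):
        size += 26
    if any(c in ascii_uppercase for c in password):
        size += 26
    if any(c in digits for c in password):
        size += 10
    if any(not c.isalnum() for c in password):  # anything else counts as a symbol
        size += SYMBOLS
    return size

def search_space(alphabet: int, length: int) -> int:
    """Every candidate of length 1..length: an attacker who does not know the length
    must try the shorter ones too, so the calculator's count is a sum, not a power."""
    return sum(alphabet ** k for k in range(1, length + 1))

def centuries_to_exhaust(space: int, guesses_per_second: int) -> float:
    return space / guesses_per_second / SECONDS_PER_CENTURY

def analyse(password: str) -> dict:
    """Reproduce the calculator's report for one password (times are approximate)."""
    alphabet = alphabet_size(password)
    space = search_space(alphabet, len(password))
    return {
        "alphabet": alphabet,
        "length": len(password),
        "space": space,
        "centuries": {name: centuries_to_exhaust(space, rate) for name, rate in SCENARIOS.items()},
    }

def word_combo_space(words_in_list: int, words_used: int) -> int:
    """Candidates left once an attacker guesses the construction: n whole words drawn
    from a list of a given size. Far smaller than brute force over the same length."""
    return words_in_list ** words_used

if __name__ == "__main__":
    for pw in ("P4ssword!!!!", "if&eQ23Vsw6", "grasscarpetguitar"):
        print(pw, analyse(pw))
    print("3 words from an assumed 10,000-word list:", word_combo_space(10_000, 3))
```

The exact counts match the three calculator reports above; the time figures differ only in the last digit because the calculator’s rounding and year length are not published.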



In this article, I’ve outlined two possible methods to create secure and memorable passwords.

1. A simple word plus some form of padding.

2. Combining multiple, random words.

Either of these methods is capable of producing secure passwords that rival complex passwords. The important thing to remember is: NEVER combine words or patterns that someone else (or a computer) could figure out. You need to come up with your own unique combination of words and/or symbol/number padding. Do not use common number or symbol replacements for letters in a word; hackers have already figured that out. Adding “number” or “symbol” padding to your password should be done in a way which is memorable to you, but has no actual meaning beyond your brain, and your brain only.

And while any change will likely cause some consternation among your users, offering them methods to create memorable secure passwords is surely a better option than flipping the switch and requiring impossible-to-remember complex passwords.



An article that challenges convention and offers its own dissent should also welcome dissent in response! So it is with that thought in mind that I point you to the following Ars Technica article (“Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’”).

Ars Technica — In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

OK, you got my attention. That sounds really alarming. Tell me more.

While Anderson’s 47-percent success rate is impressive, it’s minuscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn’t disappoint. Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.

Well crap. Here, why don’t I just tell you my password and save you an “hour” of wasted time on your part.

The list of “plains,” as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. “123456,” “1234567,” and “password” are there, as is “letmein,” “Destiny21,” and “pizzapizza.” Passwords of this ilk are hopelessly weak. Despite the additional tweaking, “p@$$word,” “123456789j,” “letmein1!,” and “LETMEin3” are equally awful. But sprinkled among the overused and easily cracked passcodes in the leaked list are some that many readers might assume are relatively secure. “:LOL1313le” is in there, as are “Coneyisland9/,” “momof3g8kids,” “1368555av,” “n3xtb1gth1ng,” “qeadzcwrsfxv1331,” “m27bufford,” “J21.redskin,” “Garrett1993*,” and “Oscar+emmy2.”

Well crap again. Now I feel like I wasted my time writing this article. I mean really, WTF? How the hell could they crack “qeadzcwrsfxv1331”?

Let me tell you how. In fact, I’ll ask you to demonstrate. Type “qeadzcwrsfxv1331” on your keyboard without the quotes. Notice a pattern? Well guess what, computers are really good with patterns. And while I’ll admit to using the “keyboard pattern” method for passwords in the past, it violates the golden rule. You need to create passwords that are unique to your brain, and your brain only.

A pattern on the keyboard violates the golden rule. Replacing the “A” in a word with a “4” violates the golden rule. If there’s a reasonable chance other human beings have come up with the same method of creating a password as you, it violates the golden rule.

So you want an even more secure method to create a “memorable” password? Back in 2011 I wrote “You Aren’t Doing Enough To Secure Your Accounts”. In that article I explain how you can avoid using complete dictionary words, but still create a lengthy password that you can remember. I don’t necessarily recommend you copy the exact method I described. I think you should invent your own unique method. I’ve provided the relevant excerpt of that article below, which explains a “truncate” method of forming a unique password:

Never use words, phone numbers or anything else that could be identified or is otherwise meaningful. Try to think up a pattern that only you know. It could be the first 3 letters (or fewer if any words are shorter) of each word of a song title or song lyric. So for example the following lyric “I was a Superman but looks are deceiving” turns into “iwasasupbutlooaredec”. While it doesn’t use numbers or symbols, it’s still a very secure password because it means absolutely nothing and is 20 characters long. The longer a password, the more time it would take to crack via brute force. In this example only you know which lyric or song title you chose and only you know how many characters of each word you used. Even though this password example is 20 characters long, it’s very easy to recall as you type.

You can change it up by adding numbers in between each of the truncated words. It could be as simple as counting from 1 to x, where x is the number of words. With this revised scheme the above password turns into: “i1was2a3sup4but5loo6are7dec8”. This new password is 28 characters long and is very secure. This one takes a little bit more time to process in your brain as you type, but it’s still easy to recall.

You don’t need to use a song title or lyric as long as this one to make a secure password, but I recommend that your password is at least 10 characters long. You also can use other phrases or quotes, or you can come up with your own easy-to-remember scheme.

So if using complete (but unrelated) dictionary words in your passwords feels risky, then a method like the above could be a better alternative. The result is a password that contains very few if any complete dictionary words combined with more than sufficient character length, while still retaining the ability to be recalled from your brain, and your brain only. Remember the golden rule!

OK, so now you are thinking that because this method uses a phrase, song title or lyric people “know,” that means someone could decipher the method. I can’t rule out the possibility, although the more obscure the phrase, the less likely it becomes. But if you believe even this method is risky, then use a hybrid “truncate” and “random word” method. I mentioned earlier that simply combining three random words (of reasonable length) is a way to create a secure password. Not good enough for you? Alright, then combine three or more random words using a variation of the “truncate” method and you still have a password that is easy to recall, yet highly secure.

In this article I’ve given you a lot to chew on when it comes to constructing a secure but memorable password. Think I’m off base? Think I’m off my rocker? Tell me what you think in the comments section below.
