Thursday, August 9, 2012

Practically unbreakable (but memorable) passwords

Originally posted 07/01/2011 on

A month ago, in the June 1st edition (episode 303) of his Security Now! podcast, Steve Gibson announced that he had had an epiphany about what makes a password secure. The traditional requirements for a secure password have been missing an important point: a secure password does not have to be what is usually called a 'strong' password.

Basically, you want to make the search for your password as hard as possible. The way we are usually told to do that is to make passwords as unlike normal words as possible. Unfortunately, that results in impossible-to-memorize 'passwords' like rP$23)JL#j01p3a!9h9. Steve's revelation was that it isn't the complexity of the password that makes it hard to search for, it's the length and the size of the 'alphabet' it draws from. Alphabet size is easy to understand. If you only use lowercase letters, your alphabet size is 26. Add uppercase and it's 52. Add digits and you've added another 10, for 62. Symbols add even more (there are 33 printable symbols on a US keyboard, counting the space, which brings the full alphabet to 95). On top of that, as Steve points out, guessing a password is all or nothing. Hollywood makes a nice show of computers figuring out one character of a password at a time, but it doesn't work that way. You try a password and it either works or it doesn't. If it fails there is no indication of whether it was too long, too short, or should have had that 'a' capitalized, so an attacker who knows nothing about the password has to try every combination of every length until one succeeds. So for the most secure password you don't have to make something impossible to memorize, you just have to make it long and draw it from a large alphabet. So pick a length (I'll use 20 characters) and this is what you do:

  1. Make a base passcode that has at least one lowercase letter, one uppercase letter, one digit, and one symbol. For example, aB3$. For that I just used 1,2,3,4: a (1st letter), B (uppercase 2nd letter), 3 (the digit 3) and $ (shift-4). Large alphabet, but easy to remember.
  2. Next add padding. It really doesn't matter what, as long as you can remember it. I'll use 8 '!' and 8 '&'.
  3. Combine your padding with your base. I'll put the base in between the padding.

My new password is !!!!!!!!aB3$&&&&&&&& and it's extremely secure (except that you now know it), easy to memorize and hard to crack. By traditional standards it's extremely weak: there is too much repetition and not enough randomness. But if I hadn't just shown it to you it would be very hard to crack by exhaustive search, because an attacker won't know how long my password is, won't know how large the alphabet is, and will have to try every possible combination from 1 character (well, I'd probably start with 4) all the way up to 20 characters before reaching my password. Not a simple task. One caveat is worth stating: that argument assumes the attacker is searching exhaustively. Real cracking tools try dictionary words, rule-based variations and masks first, so padding that follows an obvious shape (one symbol repeated, then a short base, then another symbol repeated) can be reached far sooner than the raw search space suggests. Pick padding an attacker would not think to try, and treat the length and alphabet as the floor, not the whole story.
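The arithmetic behind the argument, as an added example that is not code from the original post or from Steve Gibson's Password Haystacks page. It computes the alphabet size a password forces on an exhaustive attacker, the total number of candidates for all lengths up to a maximum (the post's "from 1 character up to 20"), and, as the caveat above, an upper bound on how many candidates remain if the attacker guesses the "repeated symbol + base + repeated symbol" shape instead of searching blindly. The class sizes (26, 26, 10, 33 symbols including the space), the 100 trillion guesses per second rate and the structured-attacker model are assumptions of this example.

```python
"""Search-space arithmetic for the haystack argument (added example)."""
import string

LOWER = string.ascii_lowercase   # 26
UPPER = string.ascii_uppercase   # 26
DIGITS = string.digits           # 10
# 33 printable ASCII characters that are neither letters nor digits (assumed
# symbol set: all punctuation plus the space).
SYMBOLS = string.punctuation + " "
FULL_ALPHABET = len(LOWER) + len(UPPER) + len(DIGITS) + len(SYMBOLS)  # 95


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive attacker must assume: the sum of
    the character classes that actually appear in the password."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in password):
            size += len(cls)
    return size


def exhaustive_space(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Candidates an attacker who knows only the alphabet must try when
    working up from min_len to max_len characters: sum of alphabet**n."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def structured_padding_space(base_len: int, pad_total: int,
                             pad_alphabet: int = len(SYMBOLS),
                             base_alphabet: int = FULL_ALPHABET) -> int:
    """Upper bound on candidates for an attacker who guesses the shape
    'symbol X repeated a times, base of base_len characters, symbol Y
    repeated b times' with a + b == pad_total (assumed attacker model).
    Each of the pad_total + 1 splits costs pad_alphabet**2 * base_alphabet**base_len."""
    return (pad_total + 1) * pad_alphabet ** 2 * base_alphabet ** base_len


def seconds_to_exhaust(candidates: int, guesses_per_second: float = 1e14) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return candidates / guesses_per_second


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    padded = "!!!!!!!!aB3$&&&&&&&&"   # the post's example password
    random_pw = "rP$23)JL#j01p3a!9h9"  # the post's 'strong' 19-character password
    for pw in (padded, random_pw):
        space = exhaustive_space(alphabet_size(pw), len(pw))
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"exhaustive candidates {space:.3e}, "
              f"{years(seconds_to_exhaust(space)):.3e} years at 1e14/s")
    shaped = structured_padding_space(base_len=4, pad_total=16)
    print(f"if the attacker guesses the padding shape: {shaped:.3e} candidates, "
          f"{seconds_to_exhaust(shaped):.3f} s at 1e14/s")
```

Run as a script it prints the comparison; the important number is the last line, which shows that the shape of the padding, not just the length, decides how long the 20-character password survives a guessing attack that is smarter than brute force.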

Steve has created the Password Haystack page to show how effective these types of passwords are. Note that the page does not rate the password itself; it only computes the size of the search space (the haystack) that an exhaustive attacker would have to cover, which says nothing about how quickly a dictionary or pattern-based attack would find it.

If you need more evidence that 'strong' passwords aren't, here's an interesting article on 'strong' passwords in the era of cheap GPUs (graphics processing units). It's one of many linked from Steve's Password Haystack page, but this one points up the importance of long, large-alphabet passwords: Cheap GPU's are rendering strong passwords useless

So rethink your password strategy and put in some genuinely secure passwords that are also easy to memorize.