What Makes A Good Password?
As more and more of our lives move online, we end up accumulating more and more accounts each of which has its own password. It feels like almost every site has its own policy, ranging from lax to inane. But, is 4$%nT;6**a really safer than Butterfly5Cat5WaffleIron? What really makes a good password?
A good password is a product of its entropy, which is affected by the complexity and length of the password. Password reuse reduces or even eliminates security. How do these things work together and what does 2FA do to the equation? Let’s also see how to make some easy to remember passwords.
A password’s strength is governed by its bits of entropy. Each bit of entropy is equivalent to an exponential growth in possibilities for the password. What this boils down to is that the longer a password is, the more limited the set of characters used can be (within reason) without necessarily harming the security. The complexity and length each play a part and serve as dimension for security. We’ll hit the math in a bit.
Entropy is powerful because it gives you a way to tell how much more difficult a password is in a more digestable format, but it has its limitations. It is not a panacea to security. Password1! is not as real world secure as Meyapar or similar gibberish. A hacker can make certain assumptions in order to reduce the bits of entropy they test, and potentially succeed. Passwords security means nothing if the database is breached. You buy time with hashes.
Some companies still employ systems which employ plain-text passwords. This renders your password compromised the second the company is breached. A legacy version of Ruby on Rails, or any number of platforms mean that your password may be ripe for the taking. There’s far more than entropy to contend with in the real world.
Password Complexity and Length
The traditional view of password security was that the more complex the better, though this is just one small part of the picture. The length plays in as much as the complexity. An extremely complex password which is short is as bad as an extremely simple password which is longer. When you look at complexity, you also need to take into account several variables to determine how many practical bits of entropy you have.
A mixed case only password will have 52 possible characters, an alphanumeric password will have 62. You can begin to add more characters to get every ASCII character or go even further with Unicode. Some sites have a minimum length, and others have a maximum. The way to approach the balance is to look at the possibilities mathematically.
If we look at raw possibilities, we get that potential charactersnumber of characters will define our number of password possibilities. This is only the number of possibilities though, and not really a true measure of security yet. Possibilities can be reduced with either the right knowledge or the right gamble.
While a password composed of 2 words from a 40,000 word dictionary could be dozens of characters long easily (with 40,0002 = 4e+08), it is about on par with a 6 character alphanumeric password in the grander scheme of things (526 = 9e+08). All it takes is the attacker knowing, or guessing that your password is composed a certain way to more easily compromise it. Or, they can compromise the admin account for your service and have a take at the hashes.
We all have a million accounts and it gets frustrating accounting for every password. While there are solutions which help with remembering passwords, they can be annoying. Sometimes you need to setup a password and don’t get the chance (or forget) to put it in your device. Other times, you just want to use the service.
Many people reuse passwords. It’s unfortunate, but it’s true. Reuse of a password compromises it in a way which bits of entropy can’t account for. How does the service store your password, and how many other services do you use which have the same username (or close enough), and the same password?
It’s fine to reuse passwords for burner services which have no bearing on your life, but once you reuse with a bank or similar, you run the risk of being fully compromised. Many people also forget to reset passwords after a breach, or they don’t even know it happened. There have been countless breaches in the past decade, how many have impacted you and how many do you know about?
Multi-factor authentication (MFA) is a technique to add an algorithmically generated password to logins. The logic goes that by adding a secondary password which is impossible to forget (though it can be lost), you can clamp down after fewer attempts. This means that a password with okay entropy might lead to a low entropy password which locks after 10 failed attempts and alerts the user.
This is the compromise security has made which ends up being substantially more secure. Since the code is random and cycles constantly, it is going to be near impossible to crack barring chance or a broken algorithm. Though there is the risk that some 2FA algorithms might be predictable, they are predicated on a secret key which shouldn’t be exposed. If you crack this far up the chain, you’ve cracked more than encryption can do anything about.
You have to have some degree of trust somewhere in the chain, and you have to assume that a physical and knowledge requirement should be enough for all but the most dedicated hackers. Where do you trade off practicality for security, and how do you stop your user from just writing the password down on their list on their computer? That 100 character requirement is now useless to stop anyone who walks in front of that computer.
What Holes Exist with MFA?
MFA at least ensures that the hacker needs the password and the phone or similar device. Users can still install an authenticator on their computer and write down the password, but you have taken as much care as you can. You can’t stop them, but now their security is entirely on them.
Your car may not drive with you buckled up, but you can always cut the belt and plug it in. If the belt has smart technology and similar, it’s still possible, but it’s probably just angering customers. Where does your responsibility end? You already implied your “do not drink” warning on the security bleach, why would you try and design a drink-proof bottle which will just enrage the other 99.99% of your customers who aren’t actively working against themselves?
MFA also doesn’t stop certain combined attacks. If someone is out to get you by stealing access to your phone and compromise multiple passwords (account password and phone keycode), they’re operating above the pay grade of your password solution. The attacker will just target the service instead, or use rubber hose cryptography at worst. You’re usually dealing with a movie scenario rather than reality at this point.
How This All Works Together
The complexity and length both make a password have higher bits of potential entropy, but predictable factors reduce those bits of entropy. If you’re using a long alphanumeric password, and it’s 2 words from a 40,000 word dictionary, you haven’t accomplished as much as you think you have from the math. This reduction does depend on the attacker knowing or at least gambling on the possibility.
This possibility of compromise gets higher as they target the system itself which means you should avoid reusing passwords, especially with similar usernames. You’re looking at 1 bit of entropy if the credentials are identical. MFA and 2FA can reduce this substantially, to the point you only really have to worry about this with spy film plot level events. They do happen, but most hackers just hit a different route.
The more unpredictability you can add into each password, the more likely you are to approach the higher end of the number of possibilities a computer has to go through. 00000000aA! is going to be cracked quicker on a system which iterates through each possibility with numbers at the start, the alphabet next, then symbols. While the password crackers I used back in the day used this method, newer ones use its evolution (if you want to take the gamble).
Crafting a Password
What are the known bits of entropy if they know what you did and what are the bits of entropy if they don’t? You want a balance without going too crazy. I like to use non-dictionary words with numbers and symbols to make easy to remember passwords.
A jumble of numbers, letters, and symbols is a pain, but something like $Tokyo7sutra%REVERE!!! is going to be much, much easier. While this password is easy to remember on its own, how do you keep track of it? I like to use something like a password algorithm to generate more complex passwords where possible. This doesn’t work for every account, but it helps cut down on a lot of them. You can always use a password app to circumvent this, but it’s good to have on hand.
To generate a secure password, you need to increase the complexity and length to raise the bits of entropy. You also need to take into account how many bits of entropy exist if someone gambles on guessing parts of your password. Your strategy can be as simple as a prefix and a suffix or a mix of affixes and interspersed characters. Mix in rules for casing and similar which are predictable, to you, and you can further increase the complexity.
If you use the password Password, you’re looking at virtually no bits of entropy from a modern dictionary based brute-force program. If you use this as a prefix and intersperse symbols, you greatly raise the complexity without making it harder for yourself. Password@google is substantially more secure but it also isn’t that easy if you don’t know the process. You can throw in a number at the beginning, the middle somewhere, or the end and make it even more difficult to guess. The bits of entropy won’t go up that much for knowing the algorithm though. How likely is your algorithm to be common enough to have rules for it?
The more arbitrary rules you use, the harder it will be for more dedicated hackers to see the pattern. At a certain point though, if you’re a target, you’ll need far more than a password to stay secure. Though quantum computing puts forward the promise to break modern cryptography, we still have a good while before it works out the details enough to actually do it. You’re far more likely to be compromised by social engineering, malware, a breach to the service itself, phishing, a break in the cryptography algorithm, etc. than a smash and grab password hack if you use a non-trivial, secure password.
Use an algorithm which is diverse enough that even knowing the basic rules isn’t enough to trivially compromise it. Have rules to make it easy to adjust and remember the password despite required changes. Split up services and use easier passwords for less important services and harder passwords for more important ones if nothing else. Make your financial sites each unique and don’t worry about some forum you got for a download and some site you signed up for coupons at. What the site contains affects how much security really needs to matter.