Monday, June 11, 2012

Password entropy, or how to choose a strong password

For a long time now, system administrators have been trying to teach their users how to pick strong passwords, and for the most part people appear to be listening. However, system administrators have been teaching users the old, and now wrong, way of picking a strong password. We asked people to choose passwords that were hard for humans to guess, but which ended up being easy for computers to figure out.

These days, very few systems keep their passwords unencrypted. So even when their databases get hacked, the passwords at least have a minimal form of protection and have to be brute-forced.

When attackers brute-force your password, they try all possible combinations of characters until they hit the right one.

A good example of this is the recent LinkedIn hack, where hackers were able to obtain all the MD5 hashes (the stored but encrypted passwords) in the LinkedIn database.

What does this mean exactly?

Well, say I join a website and choose a password like Bubblz!248. Because sites are so easily hacked these days, the person who builds the site will lightly encrypt your password with an MD5 hash, so that all the hacker can see is an encrypted form of the password, which looks like this:

MD5 hash: 57c366fbaee03d11b6a241de52037463

However, there is a weakness in this scheme. If the hacker knows that 57c366fbaee03d11b6a241de52037463 = Bubblz!248, then he can easily recover your password.

If he does not yet know the decrypted form of the password, he will try all possible combinations of letters, numbers and other characters until he finds the combination that matches your password.

This is where the old way of teaching people to choose passwords is no longer sufficient. In the past we asked people to choose passwords that were not easily guessable. Then we asked them to choose passwords with special characters, capitalization and other random characters inserted into them (and users would often forget them). Now we need to ask people to choose long passwords. Special characters are only partly relevant now; long passwords are currently the best way to stay safe.

I'll give you an example and explain why. Let's say your name is Bobby. You want to make a password that you will easily remember and that will be hard to crack.

Bobby, listening to the advice of his system administrator, decides to make a complex password that is not guessable, so he creates the password:


Now, in the old days that would have been a pretty impressive password. It uses special characters and numbers, and even has upper- and lower-case characters in it. That is not easily guessable by a long shot... but it is pretty easy to crack.

According to GRC's Haystack, it would take a super array of computers a week to crack that password (assuming one hundred trillion guesses per second). On top of that, Bobby now has to remember a very complex password that he can easily make mistakes with.

So what is a better way of choosing a password? As I said earlier, choose a long password, and the best way I have found to do this is to make a simple sentence that you can easily remember. Let's go back to our user Bobby and get him to choose a new password. This time he chooses a simple sentence like:


I can guarantee you that the sentence password listed above is going to be easier for Bobby to remember. He likes his dog and only has to remember the sentence "bobby likes to take his dog for a walk".

So how much better is the new password, and what is its entropy? According to GRC's Haystack, it would take a super array of computers 9.30 million trillion centuries (assuming one hundred trillion guesses per second) to crack that password!
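The Haystack-style arithmetic behind both of those figures, as an added example that is not part of the original post: it assumes Haystack's alphabet sizes (26 lower-case, 26 upper-case, 10 digits, 33 symbols including the space), counts every candidate up to the password's length, and assumes the sentence password is typed as one lower-case run with no spaces, which is the form that gives a figure in line with the 9.30 million trillion centuries quoted above.

```python
import math

# Alphabet sizes used by GRC's Haystack search-space calculator (assumed here);
# the 33 "symbols" include the space character.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
GUESSES_PER_SECOND = 10 ** 14          # "one hundred trillion guesses per second"
SECONDS_PER_DAY = 86400
SECONDS_PER_CENTURY = 100 * 365.25 * SECONDS_PER_DAY


def alphabet_size(password: str) -> int:
    """Character set an attacker must assume, from the classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):   # punctuation and space
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Haystack-style search space: every string over this alphabet up to this length."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the search space (an upper bound on attacker effort)."""
    return math.log2(search_space(password))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an attacker to try the entire search space."""
    return search_space(password) / rate


if __name__ == "__main__":
    # Constructed inputs: the post's complex password and its sentence password without spaces.
    for pw in ("Bubblz!248", "bobbylikestotakehisdogforawalk"):
        secs = seconds_to_exhaust(pw)
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, {entropy_bits(pw):.1f} bits, "
              f"{secs / SECONDS_PER_DAY:.3g} days = {secs / SECONDS_PER_CENTURY:.3g} centuries")
```

These numbers are an upper bound on the attacker's effort: they assume a pure character-by-character search, and an attacker who tries common words and word combinations first will find a passphrase built from dictionary words far sooner than the estimate suggests.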

So to conclude, I would like to leave you with a couple of DOs and DON'Ts.

DO: Choose a sentence for your password.
DON'T: Never, ever choose a single dictionary word (even if it's in another language) for your password.
DO: Use different passwords for different sites. Sites get hacked all the time, so you need to assume that at some point hackers will have an encrypted form of your password.
DON'T: Choose a password with fewer than 20 characters.

Think you have a good password? Be sure to check its entropy at GRC's Haystack:
