> Sford wiki > Sford password strength

I've seen some chatter lately about password strength. Some claims about greatly increasing password strength leave me unconvinced of their value.

I'm not alone

Looks like xkcd and zxcvbn agree with me. See http://blog.geeky-boy.com/2014/04/password-strength.html

Alphabet size

According to the alphabet size argument, you should use capitals and lower case letters, digits, and special characters.

I used https://www.grc.com/haystack.htm site for a bit of analysis, and I think I can say with good confidence that using upper/lower, digits, and special symbols is far less helpful than many have claimed.

Let's start with the password:

  bigdogseat

(i.e. "big dogs" eat). It has a search space size of 1.47 * 10**14. Not very impressive. So, let's make it better by changing it to include capital letters, digits, and special characters:

  bigdogsE@7

This has a search space size of 6.05 * 10**19. Much better. But instead of that, let's try:

  bigdogseatmice

This has a search space size of 6.71 * 10**19. Even better! The addition of a single 4-letter word did more to increase the search space size than using the larger alphabet. I would claim that the addition of a word is easier to remember than the substitution of capitals, digits, and special characters. So you have an easier-to-remember password which is more secure than the shorter one with caps/digits/specials.

Note that the above assumes a brute-force attack. If we assume a dictionary attack, I'm pretty sure you get the same result, even more strongly, but I admit I haven't done a quantitative analysis.

A cracker will always try a dictionary attack before brute-force. It might first try a single dictionary word, then two, then three, and BINGO, they got my first "bigdogseat" password. Now look at the caps/digit/special character version. Since it uses a predictable substitution algorithm, a dictionary cracker will have little trouble with it. Yes, it will lengthen the search, but not by very much ... because it is algorithmic. Predictable substitution algorithms do NOT force a brute-force attack. Dictionary crackers know the common rules.

So, the same analysis will apply, except that the alphabet size becomes the number of possible words, and the password length becomes the number of words in the password. Using a fixed number of words, but using a predictable caps/digit/special substitution algorithm simply increases the number of words in the dictionary. Increasing the number of words in the password has a greater effect on increasing the search space size. It's the difference between increasing the base v.s. the exponent of A**B - increasing the exponent (password length) has a greater effect than increasing the base (alphabet size).

Padding

In that same haystack site, the author claims that padding a password is a very good way to greatly increase password strength. He managed to convince Eric Gerlach in his blog post: http://eric.gerlach.ca/blog/2011/6/18/why-steve-gibsons-password-padding-works-for-humans.html . Here is my response:

I really like the fact that you identified the core issue as forcing a cracker to resort to brute-force. But I'm still leery about padding algorithms.

My hesitation with using a padding algorithm is simple: if I've thought of it, chances are that somebody else has too. If you simply take a given padding algorithm and call it a "word", and construct a dictionary of common padding algorithms, then all you've really done is used your old algorithm of two random words - the actual word you chose, and the algorithm "word" for padding. Given the limits of human creativity, I suspect that the dictionary of common padding algorithms would be comparable in size to the dictionary of common words. Yes your password ends up with 15 or 20 characters, but since that length is only a simple application of your algorithm, it doesn't significantly increase the domain of possible passwords.

In other words, I'm not sure that a padding algorithm DOES force a cracker into brute-force searching. It just forces them to create a second dictionary and apply it a bit differently.

The fact that Gibson's page exists (and is popular) almost certainly means that simple "dot padding" would be the first padding algorithm "word" that a cracker would try, resulting in a password that is barely more secure than a single dictionary word. (And I'll bet there are a lot of people out there who have skimmed Gibson's page and are using dot padding today, thinking that their password will take billions of years to guess.) The algorithms that you've hinted might similarly be among the first added to this algorithm dictionary. I'll only be able to force a cracker into brute-force if I come up with an algorithm so complicated that few people on the planet would think of it, which probably makes the algorithm itself hard to remember, and we're back where we started from.

Like you, I've solved the problem by using a password vault program so that my passwords are NOT combinations of dictionary words, which truly forces brute-force searching. This also solves the problem inherent in reusing passwords - every account I have uses a different password. THAT is the secret of true security.

Importance of search space size

If a cracker is trying to guess their way into my bank account, I can be safe by choosing a random 4-digit number as my password, EVEN IF I TELL THE CRACKER THAT I DID. After three tries, my account will lock out further attempts until I call them and tell them my SSN and mother's maiden name. So a cracker can only do 3 guesses per day, leading to a worst-case search time of 9 years.

Not all web sites are as draconian. Some simply lock you out for a short time after 3 tries. Even if it is only a 15-minute lockout, you get a worst-case search time of over a month. For a 4-digit number.

So really, there is very little need to worry about password quality to this level of scrutiny.

The exception to this is if the passwords are stored on the server using a standard hash, and a cracker gets ahold of the hash database. In that case, he can do BILLIONS of password checks per second, and dictionary attacks can be very effective. The commonly-recommended methods of improving password security - caps/digits/specials/padding - are still vulnerable to modified dictionary attacks, and won't protect you nearly as much as simply having a longer password.

As it turns out, there are lots of sites which store user passwords in plaintext. I know of more than one. In that case, your password strength is meaningless.

So at the end of the day, chances are pretty good that some cracker is going to get ahold of one of your passwords some day. Your defense is NOT to have highly-secure passwords, but rather to have DIFFERENT passwords for different sites. If somebody breaks into your FaceBook account, don't let them use that password for your gmail and paypal accounts.