Today is World Password Day and this means that, once again, vendors, bloggers and pundits from around the world will put forth a large volume of conflicting advice. So, just exactly how is someone supposed to interpret these opposing opinions, especially if they are expected to speak authoritatively on the subject to others?
There are a few reasons there is so much disagreement regarding passwords on the internet. From a purely technological standpoint, passwords with higher entropy (meaning that they’re longer and use multiple types of characters) are best. Therefore, the most common password advice is to make the longest password possible, with an uppercase letter, a lowercase letter, a number and a symbol.
The more “complex” your password, the harder it is to “guess” using brute force attacks or password hash cracking approaches. The problem is that humans are much more clever than a straightforward technological approach to password management would allow. Not to mention, we’re also terrible at remembering long random strings of characters.
Cracking Passwords
Over the years, there have been hundreds of millions – if not billions – of individual passwords revealed in various data breaches. This massive data set allows smart people to perform statistical analysis on these passwords and, ultimately, learn how people with different personality types choose – and iterate – their passwords.
The classic movie trope involves the hacker guessing a person’s password by looking at a picture and using the target’s pet’s name or something similar. In reality, a lot of password breaches aren’t far off. Combing through the global breach databases might show, for example, that the various passwords for a given email address have followed the pattern [dog’s name][child’s name][four numbers][special character].
As soon as this pattern is spotted, the potential list of passwords is instantly reduced from some incompressible large number of combinations down to [four numbers][special character] because [dog’s name][child’s name] doesn’t change. Any junior programmer could write a script that can try that problem space in a few seconds.
Using statistical analysis techniques is a little more complicated – but not by much. It’s relatively easy to scrape social media and get a good idea of an individual’s personality type, which has a strong influence on how they choose passwords, the complexity they’re likely to be able to remember and how they iterate them. Global password databases, combined with social media scraping, have functionally turned analysis into a professional discipline within hacker circles.
All of this is to say that “long” and “complex” aren’t necessarily enough, when it comes to password security. For example, the phrase Correct Horse Battery Staple has, on its surface, 44 bits of entropy. But, in reality, it’s not that simple. First off, thanks to the XKCD comic, Correct Horse Battery Staple is in every single password database used by modern hackers and a standard dictionary attack will guess it.
Even if Correct Horse Battery Staple weren’t in a hacker’s dictionary to try as a single password, it is composed of four well-known words. An iterative dictionary attack (combining multiple words in the dictionary) realistically means that Correct Horse Battery Staple has four bits of entropy, not 44. The attacker only must put four words together in the right sequence.
Thanks to global databases, hackers now have dictionaries that include every password ever leaked. Clever hackers analyze the data to find patterns in the passwords, moving beyond simply trying known passwords into trying passwords that are similar to known ones and/or likely to be iterations of known passwords, based on the pattern of iterations seen in the database.
The really clever ones do the above, but factor in personality type, as well as anything else they can think of, all with the goal of narrowing the size of the possible password space and thus the number of attempts required to successfully guess the password.
None of this is to say that you can’t use words from the dictionary in your passwords. What it means is that individual words (or even previously used passwords, if they have leaked into one of the global password databases) should be considered a single “bit” of entropy, the same as a single character. The result is that the word “disestablishmentarianism” adds just as much entropy to your password as the letter j, at least from the standpoint of modern attack techniques.
The Human Factor
Each person can remember a different number of passwords, but most of us can only retain a handful of passwords with any significant complexity to them. For a time, it was popular to try to force people to memorize new ones on a regular basis, as a means of defeating attackers – but that approach has been repeatedly disproven. In fact, it is generally accepted as bad practice today.
So, where does that leave us? We need long, high-entropy passwords, which are things humans are terrible at remembering. In addition, both password reuse and password iteration – two techniques used by humans to make remembering complex passwords easier – are not wise strategies, for all the reasons detailed above.
This leaves us with password managers and multi-factor authentication (MFA). The basic idea behind a password manager is that it is an application you install on your device(s) that remembers all your passwords. You only have to remember a single complex password — the one to the password manager – and it will take care of the rest.
MFA takes a different track. Instead of the traditional approach where authentication is based off of something you are (a username, ID or biometric) and something you know (a password), an additional factor is required in the form of something you have (a coded token, or a PIN provided by either SMS or an authenticator app). To break into an account using MFA, attackers would need to obtain the additional authorization factor, which usually involves physically getting hold of something.
Password managers are highly convenient and they allow for a significant improvement in password entropy over human-memorized passwords; however, multi-factor authentication is far more challenging to defeat in practice. Combining the two methods is currently the best approach available.
