Password Strength

Here's a fun and simple experiment I recently did...

Some time ago I started using phases to remember passwords. This can work a couple different ways:
1) use the first letter from every word in a sentence.
Example: The quick brown fox jumped over the lazy dog = Tqbfjotld

2) use a whole sentence as a password. 
Example: The quick brown fox jumped over the lazy dog

When I attended SDSU, they required the most obtuse password rules. It was something along the lines of "must have uppercase, lowercase, numbers, and symbols. Cannot use more than 2 of each consecutively. Must be more than 8 characters." Oy...


It came time for me to change passwords on various websites, and I thought back to a recent XKCD comic on this subject. I decided to test the "password strength" of a sentence on 4 various major services. I didn't use spaces, no caps, no numbers, no symbols, and the sentence only came out to 29 characters. The results are amusing. Here are screenshots:

Google
Twitter
OS X 10.8.2
Facebook
I find it fascinating that Facebook hates my test password, when Google, Twitter, and my laptop all tell me it's AOK. Given Facebook's history of privacy and security issues (e.g. 1, 2) I'm not losing any sleep over it. I'm not an expert in cryptography by any means, but a 29 character password seems like it should be reasonably strong!

Do you use sentences/phrases for passwords? Are you still forced/choosing to use l33t speak every day? Let me know in the comments!

5 comments:

  1. As a computer security specialist, a sentence/phrase is much better than a small password.

    The key space (number of possible combinations) of a password is calculated as:
    C^N
    C =number of possible characters in the password
    N =indicates the password length

    So in your example
    "The quick brown fox jumped over the lazy dog"
    C=52(Lower and upper case)you have T Capitalized
    N=29

    52^29 = 5.8089409991159212052332855232012e+49 possible word combinations.

    while
    "Tqbfjotld"
    C=52
    N=9
    52^9 = 2779905883635712
    This number is statistically 1389952941817856 because chances are close to 50% that a computer will have guessed your password by the time it reaches half the possible choices.

    A computer can brute force "Tqbfjotld" within a few hours. The "The quick brown fox jumped over the lazy dog" password would take years to crack. However I would not use the quick brown fox because it is a well known phrase and would be guessed easily because of social engineering.


    Marshall S Smith

    ReplyDelete
  2. I like to go with a sentence/phrase and then throw in symbols between words here and there. This is a far cry from my old passwords a la "123456".

    ReplyDelete
  3. My brother gave me a copy of 1password for my birthday a few years ago, and I'm a total convert. All of my passwords are now random sequences of numbers, letters, and symbols, and each website gets a unique one.

    I can't remember them all, but I don't need to, because the 1password plugin allows me to access my database file with my 'true' password, and then autofills the fields on 95% of the websites I visit, so I don't even need to type my login either.

    The one weak link is that my database is stored (in an encrypted fashion) on Dropbox so it can be accessed on all my computers and iOS devices. So if Dropbox dies or gets cracked, I could be hosed, but the chances of that single-point failure seem much much smaller than someone hacking into some random website that I log into and then being able to re-use my password on all the other services that share the same password...

    ReplyDelete
  4. The HR system that my office uses to manage things like benefits, pay history, and reviews has these rules for creating passwords:

    Password length: 8-11
    Letters: 2
    Uppercase: 1
    Lowercase: 1
    Numbers: 1
    Special characters: 1 (Examples: !@#$%^&*()_-+={[}]|\:;\"'<,>.?/~`

    I used to have a 12 character password that I was forced to shorten to even use the site.

    ReplyDelete
  5. I use lastpass and generate random passwords. Never looked back since.

    I still find it funny that some of my banks have absurd requirements like maximum length of 12 characters, no special characters, etc. while generic forums allow me to have 32-character passwords with no restrictions for character type.

    ReplyDelete

Inappropriate comments, advertisements, or spam will be removed.
Posts older than 2 weeks have moderated comments.
(Anonymous commenting disabled due to increasing spam)

Related Posts Plugin for WordPress, Blogger...