Regarding Password Strength

Well, I noticed that I haven’t been blogging for some time. So here is a quick post about something that should be obvious, but still goes unnoticed by some people. I will talk about password strength in this post.

From a brute-force point of view, the key space a password draws from (its character set) matters more than its length. What is a brute-force attack? It is an attack on a user's password that tries every possible password in a particular key space.

To illustrate: the (information) entropy (i.e. randomness) achieved by just using case-insensitive characters of the English alphabet is 2^26 bits.

However, if you add numbers to this, the entropy becomes 2^36 bits. Make the character set case sensitive (26*2 = 52) and add numbers (10), and it becomes 2^62 bits.

Enlarge the set even more and use all printable ASCII characters (including the special characters and alt characters), and it goes up to 2^94 bits! Use language-specific characters (assuming the website/system allows them) and it goes up even more 🙂

We can say that the strength of a password is (key space)^(key length). So the strength of an 8-character case-insensitive password made of English letters is 26^8 = 208827064576. If instead we use all printable ASCII characters and only a 6-character password, we get 94^6 = 689869781056, which is actually 3.3 times higher.

So you see, a larger character set increases the search space more than extra length does with a smaller character set. That is why it is much more effective to draw characters from diverse sets than to rely on a longer all-lower-case or all-upper-case password as a defense.

An example that uses characters from different language alphabets could be “å9O^%’ğß”.
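To make the arithmetic above concrete, here is an added Python example (not code from the original post) that computes the search space for the character sets compared in this post, checks the 26^8 versus 94^6 comparison, reports entropy in the conventional unit (log2 of the search space, in bits), and estimates which character classes a sample password such as the one above draws from. The guess rate, the class-counting rules and the straight apostrophe in the sample are assumptions of the example.

```python
import math
import string

# Character-set sizes the post compares.
LOWER = 26            # a-z, case-insensitive
LOWER_DIGITS = 36     # a-z plus 0-9
MIXED_DIGITS = 62     # a-z, A-Z, 0-9
PRINTABLE_ASCII = 94  # printable ASCII without the space character

def search_space(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: (key space) ** (key length)."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password in the conventional unit, bits:
    log2(charset_size ** length) = length * log2(charset_size)."""
    return length * math.log2(charset_size)

def space_ratio(charset_a: int, length_a: int, charset_b: int, length_b: int) -> float:
    """How many times larger the second search space is than the first."""
    return search_space(charset_b, length_b) / search_space(charset_a, length_a)

def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate (real rates
    depend on the password hash and the attacker's hardware)."""
    return search_space(charset_size, length) / guesses_per_second

def nominal_charset_size(password: str) -> int:
    """Estimate the character set a brute-force search must cover for this password
    by adding each class it draws from. Non-ASCII characters count one per distinct
    character, a deliberately small (pessimistic) estimate."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII punctuation characters
    size += len({c for c in password if ord(c) > 127})
    return size

if __name__ == "__main__":
    print(search_space(LOWER, 8), search_space(PRINTABLE_ASCII, 6))  # 208827064576 689869781056
    print(round(space_ratio(LOWER, 8, PRINTABLE_ASCII, 6), 1))        # 3.3
    sample = "å9O^%'ğß"  # the post's sample password, straight apostrophe (constructed)
    print(nominal_charset_size(sample), round(entropy_bits(nominal_charset_size(sample), 8), 1))  # 71 49.2
```

Note that in bits the two cases in the post come out close (8 * log2(26) is about 37.6 bits, 6 * log2(94) about 39.3 bits), which is the same 3.3x difference expressed on a logarithmic scale.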

Of course, generally speaking, it is a good idea to have a long password. However, long passwords also have shortcomings. After some time you can’t remember it, and if you used a very long one you have to write it down somewhere, which actually widens the attack opportunities: now they just have to capture that piece of paper of yours and that is it. It doesn’t matter that it is 35 characters 🙂

A common piece of advice is to think in terms of phrases and take the first letter of each word in the phrase, along with the punctuation. For example:

‘EeIhm,Iha*’ = “Every enemy I have met, I have annihilated.” (It is a Monkey Island insult sword-fighting phrase, and yes, I still remember it :))

After all: “A good password is easy to remember, but hard to guess.” (Armstrong)

For more info, you can have a look at these articles:

http://en.wikipedia.org/wiki/Password_strength

http://en.wikipedia.org/wiki/Brute_force_attack

http://cng.seas.rochester.edu/CNG/docs/Security/node7.html#SECTION00031100000000000000
