Love it or hate it, technology has become a big part of our everyday lives. From the office to our homes, and everything in between, we are surrounded by gadgets, gizmos, and do-dads that are all designed to “help” us and make our lives “easier”. While we could go on and on about whether or not all this technology actually does this, the point of this article is about something decidedly more annoying, and more specific Passwords. Yes, those terribly annoying little (or long) things that we use to secure all of our personal “stuff” from nefariously-minded co-workers, bosses, spouses, friends, children, etc… The number of passwords that we have to keep track of day-to-day can be staggering! From the ones that we use on a regular basis that are, as such, easy to remember, to the “wait-that-has-a-password?-i-cant’-remember-what-i-set-it-to-the-last-time-i-logged-in-ten-years-ago” beasts that put a major speed bump in our lives at just the wrong time.
We’ve all come up with our little devices on how to remember all of these little devils. From setting them to something that’s easy and obvious to remember (and guess), to making them all the same, to adding trickery by ending swapping out the ‘e’s with ‘3’s and ending them all with a ‘1’, or an ‘!’, they all have their good points and bad points. Above all this, there’s one thing we all understand, namely, that the passwords that protect our most valuable stuff have to be complicated and confusing in order to be secure. Right? Wrong. Although unintentionally misguided, this idea of passwords having to be “complex” in order to be secure has its roots in something called password entropy.
First, a little dip into the theoretical side of the pool… Password entropy is the way in which technical geek-types measure just how secure a password is. In a nutshell, entropy states that there are a finite number of guesses you can make for each character in a password before you get that particular character right. To increase a passwords entropy (or security), you simply increase the number potential characters that each individual character can be. This means that the bad guys have more guesses to make per character, and that your password is more secure. Confused?
Let’s break this down into something a bit more tangible. Let’s analyze a PIN number from an entropy standpoint. A typical PIN number has four digits, each a numbered from 0 to 9. In entropy-speak, this means that in ten guesses or less, and password cracker will absolutely get the correct digit for each individual digit in the PIN number. Without going into the math, each symbol in a 10-symbol-based password, has an entropy of 3.3219. That’s not very good. So how do you make this PIN number more secure? One option -which is the most-utilized option, is to increase the number of possible symbols each character can be. In our PIN number, by adding the letters A through Z (without case-sensitivity) into the mix, an additional 26 possible guesses have to be made in addition to our original 10. In entropy, our newly-upgraded PIN has an entropy of 5.1699. Almost two full bits better than our original. If we then add case-sensitivity, spaces, and all the special characters we have on our keyboards (like ‘!’, ‘@’, etc..) we can push entropy up to 6.5699.
What does all of this mean? If we crunch the math, it means that given the right password cracking tools, a bad guy can get our original 4-digit PIN (with its lowly entropy of 3.3219) in 10,000 guesses or less. That may seem like a large number, but given the speed at which a computer can work, it really doesn’t take much time to crunch through all of those guesses. For our purposes, let’s just say that the bad guys have a horribly slow password cracker that can only make 100 guesses per second.
Our feeble little PIN will be owned by these bad guys in 1 minute 40 seconds or less! What about the newer versions of our PIN numbers that have the larger symbols-sets? The first one, with entropy of 5.1699 would take 1,679,616 guesses, and would be cracked in 4 hours 39 minutes 56.16 seconds or less. Our super-tough 4-digit password with entropy of 6.5699 stays secure through 9 days 10 hours 15 minutes 6.25 seconds of cracking before its known!
This illustrates why we have passwords that have all of those horribly difficult to remember symbols. BUT, that’s only one side of the story! Unfortunately, it’s usually the only side of the story we pay any attention to -which is sad, because our brains are not wired to remember sequences of characters and symbols in this manner. Just think about it, when you think of the word ‘Tiger’ do you think to yourself “T” followed by “I” followed by “G” and so on and so on, or do you just think of the word as a whole? Clearly language and length are things our minds can more easily manage. So how do make easy-to-remember-but-still-secure passwords? One word – LENGTH!
If our bank allows us to have a password of up to 20 characters, why don’t we use them? Instead of ‘BW^#97zp’ (which is 8 characters, and takes 6.63×10^15 guesses to crack) that is awkward to type and difficult to remember (so it’s probably written down somewhere, and probably in a place near your computer where a would-be thief could easily guess), why not use ‘MyKidsAreGreat123!@#’ -which is easy to type, easy to remember (the last ‘!@#’ are just ‘123’ with the ‘shift’ key pressed), is twenty characters long, and would take a staggering 3.62×10^39 guesses to crack! Why are we so hard on ourselves?
In summary, let’s not forget that password length is a vital part of password complexity, and that we can make our lives easier (and possibly more secure) by lengthening our passwords with somewhat random, common-language words that we can actually remember (so they don’t have to written down)!