Oh for Pete’s sake (passwords again)!

This is getting silly. We’re all familiar with password complexity rules intended to help us create “strong” passwords that are harder to crack. Those of us who have been paying attention will know that the real outcome of this approach is to create passwords that are surprisingly easy for computers to crack but really hard for people to remember. I first wrote about this more than six years ago: https://blog.rappidly.com/2013/01/16/why-cant-people-get-the-message-about-passphrases/

So, why the dead thread resurrection? Because Barclays Data Security Manager – their PCI-DSS platform – has come up with this comedy gem of a policy:

Your password should be a minimum of 8 characters.
Your password should at least contain 1 upper-case letter.
Your password should at least contain 1 lower-case letter.
Your password should at least contain 1 special character (e.g.: #?!@$%^&*-)
Your password should at least contain 1 number.
Your password shouldn’t contain more than 2 repeating characters in the same case.
Example: “Bob” = 1 “B” & 1 “b” = is allowed.
“bob” = 2 “b’s” = is allowed.
“Bobby” = 1 “B” & 2 “b’s” = is allowed.
“bobby” = 3 “b’s” = is not allowed.

Seriously? It took me four attempts to come up with something I had any chance of remembering long enough just to type it into the confirmation box. It’s as if these people are in the pay of password manager vendors. It’s madness.

A reminder: passwords (or better, passphrases) need to have these characteristics (none of which appear in the list above):

  • Memorable to the user
  • Not easily guessed by someone who is well-informed about the user
  • Different for each system
  • Computationally infeasible to crack

That last one is the kicker. Passwords are stored as hashes – the outputs of a one-way mathematical function. What makes your password hard for a hacker to crack, assuming you’ve not used “password123” or a similar commonly chosen example, is the mathematical complexity of that output. The easiest way to drive up that complexity is to have a long passphrase. So 16-character password limits are idiotic. Yes, Microsoft, I’m looking at you. Mixing cases and adding special characters is only necessary if your length is restricted – otherwise, frankly, more is always more.

“B4rc14ysWTF?” is a strong(-ish) password. But it’s a much weaker password than “Barclays should read my blog.” Really:

B4rc14ysWTF?
Length: 12
Strength: Strong – This password is typically good enough to safely guard sensitive information like financial records.
Entropy: 61.8 bits
Charset Size: 84 characters

Barclays should read my blog.
Length: 29
Strength: Very Strong – More often than not, this level of security is overkill.
Entropy: 147.4 bits
Charset Size: 75 characters

Overkill? I like overkill. Especially when it’s delivered by something I can actually remember, and type correctly the first time.

My colleagues tell me I should try mindfulness to control my anger issues. I think I prefer blogging…

2 thoughts on “Oh for Pete’s sake (passwords again)!”

  1. I’m not convinced that a passphrase is as good as you claim. By using a string of words from the dictionary, separated each time by a single space, you effectively have a string of length 5, with a character-set size of (for argument’s sake) 500,000 with proper nouns/names. The string length is much more significant than the charset size.

    In fact, an AI algorithm can easily exploit your phrase further by knowing which words are more likely to appear, and which might occur together.

    What am I missing?

    You could of course enhance this by changing separators and scattering additional characters, but then you’re making it less memorable.

    Obviously, Barclays’ example is ridiculous, exceeded only by those that insist on a *maximum* of 8 characters.

    1. Maths is what you’re missing. I suspect the problem is harder for AI than you think, especially if your passphrases aren’t correlated sentences (for example, rather than “Barclays should read my blog.”, you could have “horse battery chocolate staple”, to borrow the xkcd example). But the basic point is maths. Take your 500,000 predicates. Let’s double it to account for capitalisation, which is entirely significant in deriving a hash value. Let’s ignore the additional complexity of spacing and punctuation, for simplicity, although they hugely increase the computational problem – “To be, or not to be.” (4a2ccb4075409f3786bae80b960d9e73) is a completely different MD5-hash to “To be or not to be.” (861343e8f0f35d1b1aef966905739cc7). So that’s 1e6 “characters” in a 5-character string, or 1e6^5 combinations – about 1e30. My password counter-example has an 85 character set, in a 12-character string. That’s 85e12, or 1.42e23 combinations. So my passphrase is 7 orders of magnitude harder to brute force than a 12-character mixed-case and symbol password. There are (admittedly very large) rainbow tables out there for all possible combinations of 8-character passwords using both cases, numbers and symbols, so reversing captured hashes is just a storage and lookup problem. There’s simply no possibility of creating a rainbow table for all 5-word parsable sentences in English, never mind all possible 5-word nonsense phrases. And, of course, I might use a different language for my passphrase.

      Much more importantly, though, not only can I remember a passphrase, I can inflect it to produce a different hash for every service I use. As long as the rest of the passphrase can’t be intuited from my social data, so “marmalade geranium toenail vomit”, I just add the name of the service to it and end up with a massively entropic and unique hash.
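The search-space arithmetic from the post and the reply above, written out as an added Python example (not code from the original post or its comments): candidates an attacker must try for a character password versus a word-based passphrase, the resulting bits of entropy, and the MD5 difference the reply mentions. The 1e6-word vocabulary and the 85-symbol charset are the reply’s own figures; the 16 lower-case letters versus 8 full-charset symbols comparison is an added assumption.

```python
import hashlib
import math


def char_search_space(charset_size: int, length: int) -> int:
    """Candidates for a password of `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length


def word_search_space(vocab: int, words: int) -> int:
    """Candidates for a passphrase of `words` words from a `vocab`-word list.

    The attacker is assumed to know the word list and the separator, so the
    separator contributes nothing; only the choice of words counts.
    """
    return vocab ** words


def entropy_bits(search_space: int) -> float:
    """Bits of entropy for a uniformly chosen secret from `search_space` candidates."""
    return math.log2(search_space)


def orders_of_magnitude(bigger: int, smaller: int) -> int:
    """Decimal orders of magnitude separating two search spaces."""
    return round(math.log10(bigger) - math.log10(smaller))


def md5_hex(text: str) -> str:
    """MD5 of the UTF-8 text; used only to show punctuation changes the whole hash."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # The reply's figures: 500,000 words, doubled for capitalisation, five words.
    phrase = word_search_space(1_000_000, 5)
    # The reply's counter-example: 85-symbol charset, 12 characters.
    pw = char_search_space(85, 12)
    print(f"5-word passphrase : {phrase:.2e} candidates, {entropy_bits(phrase):.1f} bits")
    print(f"12-char password  : {pw:.2e} candidates, {entropy_bits(pw):.1f} bits")
    print("orders of magnitude in favour of the passphrase:", orders_of_magnitude(phrase, pw))

    # Added assumption: length beats complexity rules even with a tiny charset.
    lower16 = char_search_space(26, 16)
    full8 = char_search_space(84, 8)
    print(f"16 lower-case letters: {entropy_bits(lower16):.1f} bits vs "
          f"8 full-charset symbols: {entropy_bits(full8):.1f} bits")

    # Spacing and punctuation are part of the input, so the hashes share nothing.
    print(md5_hex("To be, or not to be."))
    print(md5_hex("To be or not to be."))
```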
