It’s all about strong passwords, but what is a strong password?

11 October 2014

In his report ‘Apple security depends on users, hack shows’, Warwick Ashford talks about the latest Apple security issues:

‘However, the effectiveness of the controls Apple has put in place to keep passwords secure ultimately depends on the password users choose, said James Lyne, global head of research at Sophos.’

To put it concisely: It’s all about strong passwords.

But what is a strong password?

There is lots of advice on how to build a strong password like ‘#Q7fr%78’. Unfortunately, those passwords are really hard to remember and to type. Some days ago I watched a webinar about WordPress security where a different approach was presented.

It’s all about password length because the number of combinations an attacker has to try in a brute force attack depends essentially on the length of the password:

Number of combinations = [Number of characters] to the power of [length of your password]

That’s just boring math. Thus let me show what this means by an example:

If you choose a password from lowercase letters ‘a..z’ only, the number of characters is 26. For a four character password like ‘abcd’ the number of combinations an attacker has to try is

26 to the power of 4 = 26 x 26 x 26 x 26 = 456976.

Cracking that takes about 0.2 milliseconds on a desktop computer with an Intel i7 processor. Four characters are definitely too short!

For a 12 character password like ‘abcdefghijkl’ the number of combinations an attacker has to try is

26 to the power of 12 = 95428956661682200, and the time to crack is about 1.5 years.

The following table shows the cracking time in relation to the password length:

[Table: Password cracking time vs. length]

The cells marked in yellow show the one-year-time-to-crack for each character set. The one-year-time-to-crack is the password length at which an attacker with an Intel i7 processor based computer needs one year to find the combination with a brute force attack. For our plain character set the one-year-time-to-crack is 12.

With the character set ‘a..z A..Z0..9’ the one-year-time-to-crack is 10. With the complex character set ‘a..z A..Z0..9 _-%$§&/()#=?’ the one-year-time-to-crack is 9.

Even with the complex character set you should use at least 9 characters.
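The one-year lengths above can be recomputed from the formula. This is an added example, not part of the original post: it assumes a rate of 2 billion guesses per second (chosen to match the post's 0.2 ms and 1.5 year figures) and a 365-day year, and the function names and character-set labels are its own.

```python
import string

# Assumption (not from the post): ~2 billion guesses per second, chosen so that
# 26^4 takes about 0.2 ms and 26^12 about 1.5 years, as the post states.
GUESSES_PER_SECOND = 2_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

CHARSETS = {
    "a..z": string.ascii_lowercase,
    "a..z A..Z 0..9": string.ascii_letters + string.digits,
    "complex": string.ascii_letters + string.digits + "_-%$§&/()#=?",
}

def combinations(charset_size, length):
    """Number of candidates in an exhaustive search: size ** length."""
    return charset_size ** length

def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time: the attacker tries every combination, as in the post."""
    return combinations(charset_size, length) / rate

def one_year_length(charset_size, rate=GUESSES_PER_SECOND):
    """Shortest length whose full search takes at least one year."""
    length = 1
    while seconds_to_exhaust(charset_size, length, rate) < SECONDS_PER_YEAR:
        length += 1
    return length

def humanize(seconds):
    units = (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds * 1000:.3f} ms"

def crack_table(lengths=(4, 8, 9, 10, 12, 14)):
    """One row per character set: (label, size, one-year length, times)."""
    rows = []
    for label, chars in CHARSETS.items():
        size = len(set(chars))
        times = [humanize(seconds_to_exhaust(size, n)) for n in lengths]
        rows.append((label, size, one_year_length(size), times))
    return rows

if __name__ == "__main__":
    for label, size, threshold, times in crack_table():
        print(f"{label:15} size={size:2} one-year length={threshold:2} {times}")
```

Raising `GUESSES_PER_SECOND` models faster hardware; each thousandfold speed-up adds about two characters to the one-year length for the lowercase set.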

As a result we get: It’s all about the password length! The influence of the character set is negligible. Even with the plain character set one can create hard-to-crack passwords.

I would recommend using at least 14 characters even with the complex character set. Just to be ready for faster CPUs and to anger the NSA!

How to build strong passwords?

My passwords are easy to build and remember. Start with 4 randomly selected words, in total more than 14 characters, like

‘Never use the word.’

This password is rated ‘Strong’ by the Microsoft password checker. Never use the first words of your favourite song or something you published on Facebook or elsewhere, because an attacker will do some social engineering and use these results first.

Strong is not enough, thus write the first character of each word in capital letters and add a special character or two at both ends:

‘#Never Use The Word._’

This version is rated ‘Best’.

If you are a masochist, hurt yourself and change the first vowel in each word to a number:

‘#N1ver 2se Th3 W4rd._’

Isn’t this an easy to remember password? 😉

Enjoy!