The Problem with Password Requirements

“People are stupid. We need to make sure they use stronger passwords.”

“Yeah, you’re right. The amount of people that use simple passwords like ‘password’ is way too high.”

*requires a number, a special character, an uppercase and lowercase letter, and at least 8 characters*

In terms of security, that sounds good, right? I mean, it gets people away from passwords like “12345678” or “password” and toward safer, more complex ones, so they must be harder to crack… Right?

Interim factoid here: to count the number of possible configurations for a “string,” or a collection of letters and numbers, you calculate (# of possible characters)^(length of the string). For a length of four using only lowercase letters, that is 26^4, or 456,976 possible combinations.

Actually, no, it isn’t. In fact, in some cases it makes things easier for computers. Think about it – if you’re brute forcing a password hash, you want to narrow the search down to as few characters as possible. If you assume that everyone uses only typical lowercase letters for their passwords, and only the minimum length, then you only have to compute 26^8 hashes to cover every single password. That’s almost 209 BILLION combinations of letters! That’s crazy! Nobody would be able to type that fast!

First of all, computers are a lot faster than that. Even if computing one hash takes a full 1,000 clock cycles, a modern computer (4 GHz dual core) can compute 8,000,000 hashes per second (8 Mhps), which means it would finish cranking out all the possible combinations of letters in 7 hours and 15 minutes. The thing is, a machine dedicated to hashing can go even faster than that, and if you’re just producing hashes until you find the one that matches the hash of the password you want, it takes even less time: on average, 3 hours and 7.5 minutes. That’s not much time at all, so we should create more possibilities to make it harder for computers, right?

Yes and no. If you figure into the equation all of the special characters that would be included, according to this document, you have 23 special characters, plus 10 digits, plus 26 lowercase letters, plus 26 uppercase letters. That means, with an eight-character minimum, you’d have 85^8 possibilities, or 2.7 QUADRILLION possibilities (2,724,905 billion compared to 209 billion, a factor of 13,038). At the same rate, hashing the full keyspace would take over 94,524 hours, or 10.8 years; the average would be half that, 5.4 years. Anybody would be crazy to keep computing for that long – by the time 5.4 years had passed, the person may have changed their password, or they might not even have an account there anymore, since technology is like a fast-flowing river – they may have moved to a different or better company, or the company may have changed its security protocols.

However, again, computers are faster than that, and humans are lazy. I mean, many people just put “password” as their password. Would the new protocols – special characters, et cetera – actually change anything? While I am not aware of any password hacks of facilities that use this specific protocol, I would bet that 90% of people who would make their password “password” would make their new password “P4ssword!” or “P4ssword.”. If you account for small variations on common passwords (using a database of common passwords, as crackers often do), then suddenly that 2.7 quadrillion computations shrinks to a much smaller number (small note: technically, “P4ssword.” is 9 characters, so the actual number of computations would be 231 quadrillion hashes – a minor difference). Instead of trying to brute force all possible combinations of characters and numbers, you just try to think like a human, and suddenly passwords are much easier to crack. Then the issue for password crackers is no longer how long it is going to take, but how good their algorithm and database are at figuring out any given password.
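The “think like a human” point above is also the argument for a defensive check that undoes the usual substitutions and compares the result against a banned-word list, instead of trusting a complexity rule. The block below is an added example of such a check; it is not code from the original post. `BANNED_BASE_WORDS` is a constructed sample (a real deployment would load a breach-derived list), `LEET_MAP` is my assumed substitution table, and `meets_complexity_rule` encodes the rule quoted at the top of the post.

```python
import string

# Constructed banned list for this example; a real deployment would load a list derived
# from breach corpora and check every candidate against it.
BANNED_BASE_WORDS = frozenset({"password", "letmein", "welcome", "qwerty", "iloveyou", "monkey"})

# Substitutions people commonly use to satisfy a "must contain a digit or symbol" rule.
# This mapping is an assumption for the example, not a table from the post.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity_rule(candidate: str) -> bool:
    """The rule quoted at the top of the post: a digit, a special character,
    an uppercase and a lowercase letter, and at least 8 characters."""
    return (
        len(candidate) >= 8
        and any(c.isdigit() for c in candidate)
        and any(c in string.punctuation for c in candidate)
        and any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
    )


def normalize(candidate: str) -> str:
    """Undo the usual mangling so 'P4ssword!' and 'Qwerty123!!' collapse back to their base word.

    Order matters: strip the leading/trailing run of digits and punctuation first, then
    reverse the in-word substitutions, so the interior '4' in 'P4ssword' survives long
    enough to be mapped back to 'a'.
    """
    lowered = candidate.lower()
    stripped = lowered.strip(string.digits + string.punctuation)
    return stripped.translate(LEET_MAP)


def is_common_variant(candidate: str) -> bool:
    """True when the candidate is just a dressed-up banned word."""
    return normalize(candidate) in BANNED_BASE_WORDS


def evaluate(candidate: str) -> dict:
    """Side by side: what the complexity rule says versus what the dictionary-aware check says."""
    return {
        "passes_complexity_rule": meets_complexity_rule(candidate),
        "is_common_variant": is_common_variant(candidate),
        "base_word": normalize(candidate),
    }


if __name__ == "__main__":
    # Constructed candidates: the post's "P4ssword!" passes the rule yet is a banned-word
    # variant, while a long letters-only passphrase fails the rule yet is not.
    for pw in ["password", "P4ssword!", "Qwerty123!!", "purple-kettle-drives-north"]:
        print(f"{pw!r:<30} {evaluate(pw)}")
```

Running the block shows the mismatch the post describes: the complexity rule accepts “P4ssword!” and rejects “purple-kettle-drives-north”, while the normalized check flags the former as a variant of “password” and lets the latter through.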

See, the problem isn’t with computers – it’s with humans. For the first example, special characters and numbers can still be used – if crackers are still applying their algorithms to common passwords, then yes, the issue still exists. However, if the majority of people practiced using longer passwords instead of the minimum, guess how long brute force hacking takes? Even if we assume only letters, and no numbers or special characters,

(52^8 = 54 trillion, 52^9 = 2.7 quadrillion, 52^12 = 3.9 x 10^20, 52^16 = 2.9 x 10^27)

If you account for special characters and numbers, that must be to the power of infinity, right? Actually… not really. Even with 16 characters, 85^16 = 7.42 x 10^30, which is only a few thousand times larger than 52^16, compared to the difference between the first and second examples we did, which was a factor of over thirteen thousand. While that can still mean a lot of time, it doesn’t really make much difference if we’re talking about brute forcing a “LongStringLikeThi” (16 characters).
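To make the arithmetic from the 26^8 versus 85^8 comparison and the 52^n table above reproducible, here is a small keyspace calculator. It is an added example, not code from the original post. It takes the post’s figures as inputs: character classes of 26, 26, 10 and 23 symbols, and 8,000,000 hashes per second from a 4 GHz dual-core machine spending 1,000 cycles per hash (the post’s working assumption, not a benchmark). The function names `keyspace`, `entropy_bits`, `exhaustive_hours`, `expected_hours` and `keyspace_ratio` are mine. It goes slightly beyond the post by also expressing each keyspace in bits, which makes the length-versus-alphabet comparison a single number.

```python
import math

# The post's working assumption: a 4 GHz dual-core machine spending 1,000 clock cycles per
# hash, i.e. 2 * 4e9 / 1e3 = 8,000,000 hashes per second. Not a measured benchmark.
HASHES_PER_SECOND = 8_000_000

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# Character-class sizes the post works with.
LOWER = 26
UPPER = 26
DIGITS = 10
SPECIALS = 23
FULL_SET = LOWER + UPPER + DIGITS + SPECIALS  # 85


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same keyspace on a log scale: log2(alphabet_size ** length) = length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def exhaustive_hours(alphabet_size: int, length: int, rate: float = HASHES_PER_SECOND) -> float:
    """Hours needed to hash every candidate of exactly this length at `rate` hashes per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_HOUR


def expected_hours(alphabet_size: int, length: int, rate: float = HASHES_PER_SECOND) -> float:
    """Expected hours when the target is uniformly random in the keyspace: half the exhaustive time."""
    return exhaustive_hours(alphabet_size, length, rate) / 2


def hours_to_years(hours: float) -> float:
    return hours * SECONDS_PER_HOUR / SECONDS_PER_YEAR


def keyspace_ratio(big: tuple, small: tuple) -> float:
    """How many times larger one keyspace is than another; arguments are (alphabet_size, length) pairs."""
    return keyspace(*big) / keyspace(*small)


if __name__ == "__main__":
    # The post's scenarios plus the letters-only lengths it tabulates.
    scenarios = [
        ("lowercase, 8", LOWER, 8),
        ("all 85 symbols, 8", FULL_SET, 8),
        ("letters only, 8", LOWER + UPPER, 8),
        ("letters only, 12", LOWER + UPPER, 12),
        ("letters only, 16", LOWER + UPPER, 16),
        ("all 85 symbols, 16", FULL_SET, 16),
    ]
    print(f"{'scenario':<22}{'keyspace':>12}{'bits':>8}{'exhaustive':>16}")
    for name, size, length in scenarios:
        hours = exhaustive_hours(size, length)
        span = f"{hours:.1f} h" if hours < 1000 else f"{hours_to_years(hours):.3g} yr"
        print(f"{name:<22}{keyspace(size, length):>12.3g}{entropy_bits(size, length):>8.1f}{span:>16}")
```

The bits column is the useful one for policy discussions: 16 letters-only characters (about 91 bits) sit well above 8 characters from all 85 symbols (about 51 bits), and adding the 33 extra symbols at length 16 adds only about 11 bits, which is the “factor of a few thousand” the post mentions.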

Not only does it not make much difference, but it is also harder for people to remember a random phrase like “L3#7pAs%”, which is quite short AND hard to remember. Mathematically speaking, there are more possible passwords under general requirements than under specific, complex ones, as in our second example, because there are no limitations on what you can create as a password. In fact, the more creative we are with our passwords, rather than more complex, the harder it is for computers to guess them, as crackers need to create better algorithms and larger dictionaries (or databases) to compensate for all the computations they would have to do.

In conclusion, we need to get companies to stop requiring complex passwords as a form of “higher security”, and instead teach people how to make creative passwords that are not as easy to crack, both for our own convenience and for the sake of our personal security.

Reference:

https://xkcd.com/936/
