The Usability of Passwords
Written by Thomas Baekdal | Saturday, August 11, 2007
Must be online to view included graphics
Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.
So let's dive into the world of passwords, and look at what makes a password secure in practical terms.
the FAQ (updated January 2011):
Update - April 21, 2011:
This article was "featured" on Security Now, here is my reply!
How to hack a password
The work involved in hacking passwords is very simple. There are 5 proven ways to do so:
When is a password secure?
You cannot protect against "asking" and "guessing", but you can protect yourself from the other forms of attacks. A hacker will usually create an automated script or a program that does the work for him. He isn't going to sit around manually trying 500,000 different words to see if one of them is your password.
The measure of security must then be "how many password requests can the automated program make - e.g. per second". The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.
This means it takes the following time to hack a simple password like "sun":
Note: "sun" has 17,576 possible character combinations. 3 letters using the lowercase alphabet = 263
This is of course a highly insecure password, but how much time is enough for a password to be secure?
But let's take a full swing at this. Let's look at "100 year - secure for life". It has good ring to it and it makes us feel safe. There is still the chance that the hacker gets lucky. That he accidently finds the right password after only 15 years instead of 100. It happens.
Let's step that up too and go for the full high-end security level. I want a password that takes 1,000 years to crack- let's call this "secure forever". That ought to be good enough, right?
Making usable and secure passwords
Now that we have covered the basics, let's look at some real examples, and see just how usable we can make a password, while still being "secure forever".
Note: The examples below are based on 100 password request per second. The result is the approach that is the most effective way to hack that specific password - either being by the use of brute-force, common words or dictionary attacks.
First let's look at the common 6 character password - using different methods:
In this example complexity clearly wins. Using a password with mixed case characters, numbers and symbols is far more secure than anything else. Using a simple word as your password is clearly useless.
Does that mean that the IT-departments and security companies is right? Nope, it just means that a 6 character password isn't going to work. None can remember a password like "J4fS<2", which evidently mean that it will be written on a post-it note.
To make usable passwords we need to look at them differently. First of all what you need is to use words you can remember, something simple and something you can type fast.
Using more than one simple word as your password increases you security substantially (from 3 minutes to 2 months). But, by simply using 3 words instead of two, you suddenly got an extremely secure password.
It is 10 times more secure to use "this is fun" as your password, than "J4fS<2".
If you want to be insanely secure; simply choose uncommon words as your password - like:
A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words.
It is not just about passwords
One thing is to choose a secure and usable password. Another thing is to prevent the hacker from hacking password in the first place. This is a very simple thing to do.
All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:
A hacker can hack the password "alpine fun" in only 2 months if he is able to attack your server 100 times per second. But, with the penalty period and the 5 second delay, the same password can suddenly sustain an attack for 1,889 years.
Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.