Since reading Randall Munroe’s excellent commentary on password strength in modern web applications, I’ve noticed countless online services that limit the potential strength of a user’s password by limiting the length, while simultaneously increasing the difficulty of remembering that password by requiring that it include symbols, numbers, and mixed cases. Even a number of well-known financial institutions have fallen prey to this misconception. If your organization or company is thinking about how to structure password requirements, the comic provides a perfect illustration of how to reorient your approach to increasing security for your clients.
How to Pick a Secure Password
As the comic rightly points out, mixing character types into a password built on an uncommon root word doesn’t increase security as much as a passphrase of several common words does. Thus, a passphrase like bananasandwichspringhula is stronger than a password like f1@tw0rm{5. That passphrase of 4 common English words is not only easier to remember, but is actually more secure. Even more secure (by a factor of about 1.66) is a truly random string of 8 characters – symbols, numbers, and letters – but that’s also much harder to remember.
The Business Case
Ensuring password strength is a common business problem. As a result, there are plenty of simple JavaScript fragments that will happily compute a password’s strength or let your application force users to pick a “secure” password. The problem? They’re doing it wrong. Each of these free algorithms perpetuates the misconceptions about what makes for a secure password. They mistake “hard for humans to remember” for “hard for computers to figure out.” The ideal solution would be a script that quickly calculates the entropy of a given password, enabling the user to select an easily remembered password that is also secure.
The Challenge
Quickly determining the difference between Oo9kX9^# and f1@tw0rm{5 might be easy for the human creating the password, but the fact that one is based on a root word is not as immediately clear to a computer. The computer must try common substitutions, subtle variations, and match the word against a dictionary list. Effectively, to determine the strength of the password, the computer must attempt to crack it in a more sophisticated way than simple brute force. Calculating a simple brute-force time-to-crack would yield the same result for each of these passwords. However, in an actual attack, the latter would fall much more quickly than the former. While a purely random password is easy for a computer to assess, the lack of randomness introduced by the user in trying to make the password memorable is what creates the weakness that savvy attackers exploit.
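The following is an added example, not code from the original post, of the kind of entropy calculator the previous two sections call for: it scores a password under the cheapest of three attack models (plain brute force, a dictionary passphrase, and a leet-substituted root word with a short suffix), so that the three passwords discussed above rank the way the post describes. The tiny word list, the 2048-word "common words" vocabulary borrowed from the comic, the substitution table and the per-model bit costs are all assumptions of this example.

```python
import itertools
import math

# Constructed mini dictionary standing in for a real word list (assumption: a
# deployed meter loads tens of thousands); 2048 is the comic's ~11 bits per word.
WORDS = {"banana", "sandwich", "spring", "hula", "flatworm", "horse", "staple"}
COMMON_WORD_COUNT = 2048
# Substitutions a cracker's rule set undoes; '1' may stand for 'l' or 'i'.
LEET = {"1": "li", "0": "o", "@": "a", "$": "s", "3": "e", "4": "a", "5": "s", "7": "t"}

def charset_size(pw):
    """Alphabet size a brute-force guesser would have to enumerate."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    return sum(n for test, n in classes if any(test(c) for c in pw))

def split_words(pw):
    """Split pw into dictionary words, backtracking as needed; None if impossible."""
    if pw == "":
        return []
    for i in range(1, len(pw) + 1):
        if pw[:i] in WORDS:
            rest = split_words(pw[i:])
            if rest is not None:
                return [pw[:i]] + rest
    return None

def root_word_match(pw):
    """Find a word hidden by leet substitutions plus a suffix of at most 3 chars."""
    core = pw.lower()
    for cut in range(len(core), max(len(core) - 4, 0), -1):
        stem, suffix = core[:cut], core[cut:]
        for combo in itertools.product(*[LEET.get(c, c) for c in stem]):
            if "".join(combo) in WORDS:
                return "".join(combo), sum(c in LEET for c in stem), suffix
    return None

def estimate_bits(pw):
    """Entropy in bits under the cheapest attack model, plus that model's name."""
    models = {"brute force": len(pw) * math.log2(charset_size(pw) or 1)}
    words = split_words(pw.lower())
    if words:
        models["passphrase"] = len(words) * math.log2(COMMON_WORD_COUNT)
    hit = root_word_match(pw)
    if hit:
        # one word choice + one bit per substituted position + 95 printables per suffix char
        models["root word"] = (math.log2(COMMON_WORD_COUNT) + hit[1]
                               + len(hit[2]) * math.log2(95))
    name = min(models, key=models.get)
    return round(models[name], 1), name
```

Under these assumptions f1@tw0rm{5 scores about 27 bits as a disguised root word, the four-word passphrase 44 bits, and the random 8-character string about 53 bits, which is the ordering the post argues for (the exact ratios depend on the assumed dictionary sizes).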
The Solution
To achieve a balanced compromise, service providers should educate users about how to keep their information safe by creating a strong password that is also memorable. Don’t assume that simply requiring certain character types will make your users more secure. Many users will follow the letter of the law, not the spirit, in their attempt to create an easily memorable password. And please, please don’t limit the length of users’ passwords! Munroe’s compromise of a simple string of common words isn’t a perfect solution for security or memorability, but it is a realistic improvement that will help your users do what they want: protect their data online.