Just How Secure is Your Password, Anyway?

It seems like every few days, there is an announcement about a problem with a “security database” at some web service or another. The problem with having so much information in the cloud is that it means your very identity is in the hands of someone else. It is quite possible that someone will take good care of it. But it is also possible that someone will take the information and do something with the information that they shouldn’t.

And let’s face it, the more sites out there, the less and less likely that we are going to be able to keep track of all the credentials needed to log into them. Something has to be done at some point, but in the meantime, we have to figure out first just how secure (or perhaps how insecure) those sites are in the first place.

Many sites these days will provide you with an indicator that tells you how strong your password is as you type it. The problem is that these indicators aren’t particularly good. In at least one case, I’ve seen that logging into two different areas of the same company will result in completely different results when using the exact same password. Why is that? I have no idea, as I don’t have any particular insight into the process. I just know what I see happening.

So that means that all we can do is try our best to make sure the password is secure. The problem here is that many sites will then restrict you to what you can do with the password. After a review of each of my passwords in the last 24 hours, each of these rules is one that I’ve seen at least once:

  • The password has to be more than 6 characters (or 8). Usually not more than that.
  • The password cannot be longer than 32 characters. I have seen maximums as short as 10.
  • The password has to contain one lowercase, one uppercase and one numeric character. But it cannot contain a special character, such as !@#$%^&*(). In some cases, these characters are not allowed – only alphabetic and numeric characters are not allowed. In rare instances, only a small subset of special characters are allowed.
  • The password cannot contain your username, multiple instances of the same character repeating some number of times in a row (usually 2 or 3) and you cannot use the same password that you have used before. Sometimes you can never use the same password again, sometimes you can use it again, but only after you have used some other number of passwords first (usually 5 or 6).

There is nothing wrong with most of these ideas, but the problem is implementing them in the way they are done. Most people end up trying to hard to get around the rules and come up with a password that meets the requirements that they create a password that is just complex enough to meet the rules. For instance, ABC01xyz is a password that has lowercase, uppercase and numeric characters and is eight digits long. As a bonus, it has a number in there that can easily be changed, so if it must be changed once a month, the next password can be ABC02xyz and so on. Problem solved. But is it secure?

To be sure, most experts seem to agree that a password such as this one will be more secure than an eight character word found in the dictionary, such as “aardvark” (which also has no uppercase characters and no numeric either). Thus, a dictionary attack would be much more difficult. In fact, even the word-like areas of the password (ABC and xyz) wouldn’t be found in the dictionary, so it’s not bad. Simple, but not bad.

In fact, using an available utility, we see that an online attack scenario with current computing resources would mean that this password may survive for more than 70 centuries. Of course, it could be that this particular password is chosen before the whole block is exhausted, and that isn’t likely to happen – but it could take a while to exhaust all combinations! Meanwhile, a password like “aardvark” takes just under 7 years, still reasonable. Where it doesn’t hold up is in an offline attack.

When that happens, the dictionary-type word would last only 2 seconds, and the more complex word, while a good percentage longer, could still be exhausted in under 40 minutes! So the big question becomes: Are you worried about an online attack, or an offline one? Many (reputable) online systems are generally going to shut down access to your account after just a few incorrect guesses, so online attacks are not typically an issue, but if the attacker gains offline access to attack your account, all bets are off.

In that case, even complex passwords may not help, because changing one of the letters in our more complex password to a character such as an exclamation point will see an increase in the time to crack the password from about 35 minutes to slightly less than 19 hours – but that is still next to nothing. Less than a day to access your account? Yes, please, sign me up! Instead, the best thing you can do is simply add characters, whether they are special or not.

Moving from an eight character password, such as ABC01xyz, to an 11 character one like ABC01xyzDEF changes the offline time from approximately 35 minutes to nearly 17 years. And if you go to 12 characters, something like ABC01xyzDEF3, the time to crack is now measured in centuries. Even the Massive Cracking Array scenario, something most people don’t have access to right now, would take more than a year. And keep in mind – we still don’t have any special characters. Change one of those numbers to a special character and even that massive attack is now measured in centuries as well.

Put another way – the best passwords are measured in length. I guess size does matter. Specifically, 12 digits and longer. Throw in a lowercase letter, an uppercase letter, a number and a special character if you really want to throw them for a loop. It’s similar to a car alarm. Is it possible that it can be broken? Sure – but in the meantime, everyone else’s will probably be broken first.