Richard Bucker

Quickie: password security

Posted at — Sep 9, 2011

I cannot take credit for the recommendation that we start using words for passwords. The argument I recall reading suggested that a 40-character password made from 4 or 5 dictionary words was a) easy to remember and b) harder to crack. At first my intuition had me thinking that this guy was nuts. But then I did some rudimentary math.

First I assumed that in a strong password in the traditional sense there were a few valid chars: a-z A-Z 0-9 and !@#$%^&*() ,./<>?;':"[]{}|= <space>. The problem with this is that even the strongest websites limit the user to alphanumeric plus a few simple special characters. So let's say we have 72 valid chars. That means that the math for a 7 to 10 character password looks like:

72^7 = 1.00E13
72^8 = 7.22E14
72^9 = 5.19E16
72^10 = 3.74E18

I'm hoping I have the math right, but there is some huge wiggle room. For instance there is a list of invalid words and sequences, dictionary attacks, and then l33t speak. So this will reduce the number of combinations by some amount. If not, I'm hoping that it's in proportion to the "word" scenario.

In the proper word scenario we talk about 4 or 5 proper words. Considering the average number of words is between 60,000 and 75,000 [ref], this might actually be reasonable:

60K^4 = 1.29E19
60K^5 = 7.77E23
60K^6 = 4.66E28

WOW! I had no idea that this was the case. Now the real discovery is whether or not I really know 60K words and can I string them together in a way that I can easily memorize and recite. I suppose it might be better to permit a combination of the strict and worded. This way you get the combined complexity and brute force is even harder to execute.

I don't know where my passwords fall in terms of strength. I know they are random and that they overlap both. But I know that I've had to deal with systems that have rules that limit the valid passwords. This, of course, totally corrupts whatever ruleset I have devised for myself to remember my passwords.

I'm not going to share what I do next. It could be nothing. But if you're going to hack my accounts I want to keep you guessing as long as I can.
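The keyspace arithmetic above, carried a step further as an added example (my code, not the post's): it reproduces the 72-character and 60K-word figures, converts them to bits of entropy so the two schemes can be compared directly, and sizes the mixed "words plus random characters" scheme the post suggests. The 72-character alphabet and 60,000-word vocabulary are the post's assumptions; everything is counted as if the attacker already knows which scheme is in use, which is the conservative way to rate a password policy.

```python
import math

# Assumptions taken from the post: 72 usable characters, a 60,000-word vocabulary.
CHAR_ALPHABET = 72
VOCAB_SIZE = 60_000


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn uniformly from `symbols` choices."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of that shape (log2 of the keyspace)."""
    return length * math.log2(symbols)


def words_needed(target_bits: float, vocab: int = VOCAB_SIZE) -> int:
    """Fewest dictionary words whose passphrase entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(vocab))


def combined_keyspace(words: int, chars: int,
                      vocab: int = VOCAB_SIZE, alphabet: int = CHAR_ALPHABET) -> int:
    """Keyspace of the mixed scheme: `words` dictionary words plus `chars` random characters.
    Counts only the choices themselves, i.e. assumes the attacker knows the structure."""
    return vocab ** words * alphabet ** chars


def compare(char_lengths=(7, 8, 9, 10), word_counts=(4, 5, 6)):
    """Rows of (scheme, length, keyspace, bits) for both schemes.
    These figures assume every choice is uniformly random; a user-chosen password or
    phrase is weaker, which is why the post's 'dictionary attacks and l33t speak' caveat matters."""
    rows = [("chars", n, keyspace(CHAR_ALPHABET, n), entropy_bits(CHAR_ALPHABET, n))
            for n in char_lengths]
    rows += [("words", k, keyspace(VOCAB_SIZE, k), entropy_bits(VOCAB_SIZE, k))
             for k in word_counts]
    return rows


if __name__ == "__main__":
    for scheme, n, space, bits in compare():
        print(f"{scheme:5} x{n:2}: {space:.2E} combinations, {bits:5.1f} bits")
    print("words needed to match a 10-char random password:",
          words_needed(entropy_bits(CHAR_ALPHABET, 10)))
    print(f"4 words + 4 random chars: {combined_keyspace(4, 4):.2E} combinations")
```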