The Truth About Passwords

I don’t like to keep people in suspense, so I’ll start off with the surprise ending: your password is not secure. Now that I’ve gotten your attention, we can talk about why that is (and what you can do to improve upon it).

Let’s start with the basics: What makes a good password? You’ve probably heard variants on this from many different places over the years. “Your password should consist of numbers, letters and punctuation. It should be at least 8 characters long, not contain your name, birthday, pet’s name or social security number.”

I’m sorry to tell you this, but you have been lied to.

The simple truth is that passwords of that level of complexity are of extremely poor value in the real world. Brute-force attempts to try every possible combination, while inefficient, could potentially crack your password in a matter of a few days or weeks of dedicated work on modern computers. Beyond that, despite the recommendations above, people tend to use passwords that are easier for them to remember (such as a common word or name, followed by a few numbers). Passwords of this nature are even easier to figure out, because the base words that they originate from (as well as common manipulations, like substituting a zero for an “o”) are often gathered into “dictionaries” for attackers to try.

There are other problems inherent in these password requirements, beyond the basic mathematical limitations. While the degree of complexity is easy to measure with arithmetic, it’s very hard to put a number to “how hard is it to remember?”. The more complex the password requirements get, the harder the password is to remember. This is, of course, a qualitative judgement. Some people are perfectly capable of remembering fifteen-character jumbles of random letters and numbers. Those of us who are mere mortals tend to have difficulty with this.

As computers get faster, our only solution has been to increase the required length of our passwords, in order to keep ahead of the computing power available to break them. So while eight characters may have been sufficient ten years ago, now passwords need to be a dozen or more in length before they are “unbreakable”, until computers catch up again. In the meantime, we’ve rendered them so completely impossible to remember that nearly everyone is forced to store them written down somewhere.
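To put numbers on the two paragraphs above, here is an added Python example (written for this page, not the author's code). It computes the keyspace and entropy of a character-based password, the time a guessing machine would need to exhaust that keyspace, and how many characters must be added to a password to cancel out a given speedup in the attacker's hardware. The alphabet sizes and the assumed rate of ten billion guesses per second are illustrative assumptions; the post itself quotes no figures.

```python
import math

# Alphabet sizes used below are assumptions for illustration (printable
# ASCII has 95 symbols; the page itself quotes no figures).
ALPHABETS = {
    "lowercase letters": 26,
    "letters and digits": 62,
    "letters, digits and punctuation": 95,
}

# Assumed guess rate of an offline cracking rig: ten billion guesses/second.
GUESSES_PER_SECOND = 10_000_000_000


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(length: int, alphabet_size: int,
                    guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Days needed to try every password in the keyspace at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 86_400


def extra_chars_for_speedup(alphabet_size: int, speedup: int) -> int:
    """Smallest number of added characters whose keyspace growth is at least
    `speedup`-fold, i.e. enough to cancel a `speedup`-times faster attacker.
    Integer arithmetic avoids the rounding traps of log(speedup, alphabet)."""
    added, growth = 0, 1
    while growth < speedup:
        growth *= alphabet_size
        added += 1
    return added


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (8, 12, 16):
            print(f"{length:2d} x {name:32s}: {entropy_bits(length, size):5.1f} bits, "
                  f"{days_to_exhaust(length, size):.3g} days to exhaust")
    # Hardware that gets 1000x faster costs an all-printable-ASCII password
    # only about two characters of length.
    print("characters to add for a 1000x faster attacker:",
          extra_chars_for_speedup(95, 1000))
```

Run as a script, the table shows the scale the post describes: eight characters drawn from all 95 printable symbols is about 52.6 bits, which the assumed rig exhausts in roughly a week, while twelve characters from the same alphabet takes over a million years at the same rate. The last line illustrates the "stave off faster computers by adding length" point: each extra character multiplies the keyspace by the alphabet size, so a thousandfold speedup is absorbed by two more characters.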

Any security professional will tell you that once a password has been written down, its effectiveness is reduced immensely. All it takes is for one person to manage to get a quick snap of your Post-It note with their cellphone camera and all of the company’s carefully invested security policy is worthless.

So what do we do? How do we manage to control access to our computers without either using insecure passwords or forcing our users to write them down to remember them? Well, there are several ways. The first would be to use a second form of authentication (such as a smartcard or a time-based authentication token). This means that you can theoretically reduce the password-complexity requirements, because your access now relies on more than just knowing your password: you also need some physical device on your person. This makes an attack much less likely to succeed (since you’ll likely notice that your authentication token is missing).

There is a second approach that more and more companies are starting to become aware of. As I mentioned in passing above, the biggest gain with passwords (mathematically) is with length, not character complexity. So a fair number of companies have started reducing the number of required character classes and instead are simply relying on longer passwords. This can result in much easier-to-remember passwords. For example, instead of a random sequence of letters, numbers and special characters, a company could require only letters and spaces in a password, with no upper limit on length. Employees could then be encouraged to just pick several English words and remember the order, such as “vagrant pizza mouse garden pick”. This is a much simpler phrase to remember than “p1ZZapi3” would have been, and at the same time it is much more secure because of its significant length. This second approach has effectively zero cost to a corporate environment, while providing a significant gain in security.