Security theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.
I’ve been getting annoyed lately by web sites and applications which insist that passwords must be entered in a specific format, or with specific characters, in theory to improve security. Specifically, so many sites and apps demand that passwords must include upper and lower case letters, numbers (and sometimes symbols).
For example, here’s what happens now when you try to create a new Apple ID in iTunes:
If you can’t read that grey text, it reads:
“Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter. Don’t use spaces, the same character 3 times in a row, your Apple ID, or a password you’ve used in the last year.”
This greatly annoys me, because it’s silly – it’s “security theater” rather than real security. Using a mix of upper and lower case characters and insisting on the inclusion of a number, only marginally increases the security of a password compared to lower case letters only. And on iOS devices like the iPhone, entering a mix of numbers and upper and lower case characters correctly in a password is simply a pain because of the limited keyboard. Note also that Apple only ask for 8 characters. It’s this short length which is the real flaw.
The fact is that you can greatly increase the security of a password, even if it is all in lower case letters, simply by making the password a few characters longer. I’ll show you the figures below. It annoys me because the assumption is that a password such as NyZq573j is magically (and that’s the correct word, because it’s magical thinking) stronger than a password such as myfavoritefoodischeese. In fact, the latter is both much easier to remember and is many, many orders of magnitude more difficult for a brute-force cracking program to discover.
If you treat myfavoritefoodischeeseas simply a string of random lower-case characters, then there are some 130,000,000,000,000,000,000,000,000,000 (=1.3 × 10^29) possible combinations of the 22 letters in such a password. No cracking program could try out that many combinations in the lifetime of the universe.
But, I hear you say, “if the cracker knows that you habitually use a string of English words in your passwords (I prefer Jeff Attwood’s term “passphrase”) then they can use a ‘dictionary attack’ and quickly crack them”.
Such an attack would work on passphrases of one or two words, perhaps. But with something like 40,000 reasonably common words in the English language, it only takes a phrase of four or five words to be beyond reach. In the case of the 5-word phrase above, there are some 10,000,000,000,000,000,000,000 (= 10^22) possible combinations of words, less than the random letter scenario but still a vast number, and way more than the mere 210,000,000,000,000 (=2.1 × 10^14) combinations of characters in an 8-character password like NyZq573j.
Here’s a comparison chart (the vertical scale is logarithmic). ”Tokens” means either individual characters or whole words:
Here’s the raw data:
Note how adding a few more characters to a lower-case-only password equals or exceeds the complexity of a password mixing upper and lower case characters plus numbers. Eg, a 12-character password of all lower case letters is MORE secure than a 9-character password of mixed case and digits.
The moral of this story, if there is one, is that longer passwords or phrases are much better than those which merely add a greater variety of characters or symbols. And web sites which ignore that (or worse, put a limit to the maximum length of passwords) are being ignorant. The majority of passwords have been stolen because people are forced to write them down because they are hard to remember. Easy to remember passphrases do not have to be written down and, if long enough, are much more secure.
PS: myfavoritefoodischeese is NOT the password to any web site or computer I use!!
Update: more thoughts on this here. I demonstrate that mandating a combination of character types actually decreases password security.