
Password Security Theater 2

April 4th, 2012

I’m still being annoyed by web sites which insist on you having a password which includes upper and lower case characters, numbers and symbols, yet allow stupidly short passwords.

As I demonstrated in my original post, longer passwords trump complex passwords every time.

Here’s an actual example of this nonsense.  A few weeks ago I was driven crazy again by a web site (which I will not name) which demands a nonsensical approach to password complexity.

Your password has to be at least 6 characters (note this!!).

So I put in a much longer password (15 characters or more), only to have it rejected because it was all lower case!

OK, so I added an uppercase character. Now it was rejected because it didn’t include a digit!!

OK, so I added four numbers. Now it was rejected because it didn’t include any punctuation!!!

Bear in mind that we’re now nearly up to 20 characters all together, and this stupid web site would have been content with only 6, so long as they included upper and lower case, digits, and punctuation.

Listen to me, folks! A 6-character password is not in the least secure, no matter how many silly kinds of characters you put into it.

A password of 15 characters or longer, even if all in lowercase or all in uppercase, is far, far, far more secure. And what’s more, you can remember it!


Thinking about this some more, I came to realize that insisting that a password include upper and lower case characters and at least one digit in fact decreases (not increases) password security. And what’s more, I can prove it.

How so? Because it gives additional information to the hacker, that’s how.

If you have a system which allows but does not mandate upper and lower case letters and digits in passwords, then the number of possible combinations which the hacker has to work through is much, much larger than if that requirement is mandated.

Let’s take a worked example. We start with the pathetic 6-character password the above site wanted, to keep the numbers manageable. We’ll also ignore punctuation symbols for the time being.

If upper and lower case and digits are allowed, then there are 26 x 2 (upper + lower case letters) + 10 (numerals) = 62 possible tokens. For a password length of 6, that means that in each of the six character positions there can be any of the 62 tokens, so the total number of combinations is 62 raised to the power of 6 (62 x 62 x 62 x 62 x 62 x 62). Wolfram Alpha tells me that is nearly 57 billion possible combinations.

Now consider sites which mandate (insist upon) the use of at least one uppercase letter, at least one lowercase letter and at least one digit. Hackers now know for certain that any password the site accepts must be structured like this. This clearly reduces the number of possible combinations. By how much? Well, if there must be at least one uppercase letter, then one of the character positions only has 26 possible variants, not 62. Same for the required lowercase letter. Worst of all is the digit – that means the hacker knows that one of the character positions only has 10 possible variants, not 62. So the number of combinations must be only (26 x 26 x 10 x 62 x 62 x 62). This is a mere 1.6 billion, compared with 57 billion for a site which didn’t mandate.

1.6 billion combinations would be a doddle for automated hacking tools to crack by testing each combination in turn.

Hence, the insistence on fancy combinations of characters has made the hacker’s job some 35 times easier than if the web site had not mandated how the password was structured (or, put another way, the hacker can crack the password in less than 3% of the time). How’s that for a perverse result?
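The counts above, as an added Python example that is not part of the original post: it reproduces 62^6 and the product 26 x 26 x 10 x 62 x 62 x 62, and goes a step beyond the post by also computing the exact size of the mandated-class space by inclusion-exclusion (the product pins each mandated class to one fixed position, whereas the exact count lets the required characters fall in any position), for any length and any set of character classes, alongside the 15-character all-lowercase case. The 62-token alphabet and the exhaustive-guessing cost model are the post's own; punctuation is ignored as the post does.

```python
from itertools import combinations

# Alphabet from the post: 26 upper, 26 lower, 10 digits; punctuation ignored as the post does.
UPPER, LOWER, DIGITS = 26, 26, 10
CLASSES = (UPPER, LOWER, DIGITS)
ALPHABET = sum(CLASSES)  # 62 tokens

def unconstrained(length, alphabet=ALPHABET):
    """No class rule: every position may hold any token, alphabet ** length (the post's 62^6)."""
    return alphabet ** length

def fixed_position_product(length, classes=CLASSES, alphabet=ALPHABET):
    """The post's estimate 26 x 26 x 10 x 62^(n-3): one fixed position per mandated class."""
    if length < len(classes):
        return 0
    product = 1
    for size in classes:
        product *= size
    return product * alphabet ** (length - len(classes))

def mandated_exact(length, classes=CLASSES):
    """Exact count of passwords containing at least one token from EVERY class.

    Inclusion-exclusion over the classes that are absent: for each subset of
    classes ruled out, the passwords drawn only from the remaining classes
    number sum(remaining) ** length; add for even subset sizes, subtract for odd.
    """
    total = 0
    for k in range(len(classes) + 1):
        for absent in combinations(classes, k):
            remaining = sum(classes) - sum(absent)
            total += (-1) ** k * remaining ** length
    return total

def compare(length=6, long_lowercase_length=15):
    """Post's figures beside the exact count and the long all-lowercase password."""
    free = unconstrained(length)
    return {
        "free_62_tokens": free,
        "post_estimate_mandated": fixed_position_product(length),
        "exact_mandated": mandated_exact(length),
        "ratio_free_over_post_estimate": free / fixed_position_product(length),
        "ratio_free_over_exact": free / mandated_exact(length),
        "all_lowercase_long": unconstrained(long_lowercase_length, LOWER),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>30}: {value:,.2f}" if isinstance(value, float) else f"{key:>30}: {value:,}")
```

Run as a script it prints the six figures; the 15-character all-lowercase space (26^15, about 1.7 x 10^21) dwarfs every 6-character figure regardless of which count of the mandated space is used.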

All of this is true with longer passwords, but it’s the acceptance of short passwords that is the real killer. In my view, the minimum length should be at least 12 characters.

Please, web site managers, come to your senses and insist on long passwords or pass-phrases, and allow them to be all upper or all lowercase or whatever, so that they can be easy for people to remember. A pass-phrase like ‘allmyfriendsaregettingmarried’ is way, way, way more secure than ‘3k5&1w’.

 

The Narratorium

March 15th, 2012

I’ve just started a new venture, a new web site dedicated to publishing short original fiction for free.

It’s called The Narratorium, and here’s some more information about it:

 

What is The Narratorium all about?

The Narratorium is primarily aimed at readers.  We want to provide you with an enjoyable place to come and read selected stories, free of charge. We aim to publish at least two or three original items each and every week.  The stories we post here will be curated, selected by ourselves for readability and storytelling value.  You can think of it as a free online fiction magazine with a small group of editors, who are also authors.

The stories you’ll see here will certainly reflect our own specific taste and writing styles, and if you don’t like our taste or style, you’ll have to go elsewhere.  If you do like what we write, however, we hope that you’ll keep coming back.  Follow us on your favorite social network and we’ll keep you informed of every new piece we post.

Please come and visit!


Fiction: Heart of Oak

February 20th, 2012

Please note!

This story has now been moved to my new venture The Narratorium. Please come and visit us there; we’ll be publishing at least two or three new pieces of fiction or other narrative every week.

 


Free e-story now available

January 22nd, 2012

Just a quick note to say that I have just released one of my stories as a free e-book. It is formatted to be suitable for reading in iBooks or any other e-reader which can access the ePub format.  PDF and mobi (Kindle) versions are also available.

Titled Paradise Lost, the story deals with Ellie, who in fleeing the collapse of civilization has found herself facing a terrible choice.

Click here to select your format and download the story.
