Password Security Theater 2
I’m still being annoyed by web sites which insist on you having a password which includes upper and lower case characters, numbers and symbols, yet allow stupidly short passwords.
As I demonstrated in my original post, longer passwords trump complex passwords every time.
Here’s an actual example of this nonsense. A few weeks ago I was driven crazy again by a web site (which I will not name) which demands a nonsensical approach to password complexity.
Your password has to be at least 6 characters (note this!!).
So I put in a much longer password (15 characters or more), only to have it rejected because it was all lower case!
OK, so I added an uppercase character. Now it was rejected because it didn’t include a digit!!
OK, so I added four numbers. Now it was rejected because it didn’t include any punctuation!!!
Bear in mind that we’re now nearly up to 20 characters altogether, and this stupid web site would have been content with only 6, so long as they included upper and lower case, digits, and punctuation.
Listen to me, folks! A 6-character password is not in the least secure, no matter how many silly kinds of characters you put into it.
A password of 15 characters or longer, even if all in lower or all in upper case, is far, far, far more secure. And what’s more, you can remember it!
Thinking about this some more, I came to realize that actually, insisting that a password include upper and lower case characters and at least one digit, in fact decreases (not increases) password security. And what’s more I can prove it.
How so? Because it gives additional information to the hacker, that’s how.
If you have a system which allows but does not mandate upper and lower case letters and digits in passwords, then the number of possible combinations which the hacker has to work through is much, much larger than if that requirement is mandated.
Let’s take a worked example. We start with the pathetic 6-character long password the above site wanted, to keep the numbers manageable. We’ll also ignore the use of punctuation symbols for the time being.
If upper and lower case and digits are allowed, then there are 26 x 2 (upper + lower case letters) + 10 (numerals) = 62 possible tokens. For a password length of 6, that means that in each of the six character positions there can be any of the 62 tokens, so the total number of combinations is 62 raised to the power of 6 (62 x 62 x 62 x 62 x 62 x 62). Wolfram Alpha tells me that is nearly 57 billion possible combinations.
Now consider sites which mandate (insist upon) the use of at least one uppercase letter, at least one lowercase letter and at least one digit. Hackers now know for certain that any password the site accepts must be structured like this. This clearly reduces the number of possible combinations. By how much? Well, if there must be at least one uppercase letter, then one of the character positions only has 26 possible variants, not 62. Same for the required lowercase letter. Worst of all is the digit – that means the hacker knows that one of the character positions only has 10 possible variants, not 62. So the number of combinations must be only (26 x 26 x 10 x 62 x 62 x 62). This is a mere 1.6 billion. Compared with 57 billion for a site which didn’t mandate.
1.6 billion combinations would be a doddle for automated hacking tools to crack by testing each combination in turn.
Hence, the insistence on fancy combinations of characters has made the hacker’s job some 35 times easier (or put another way, means that the hacker can crack the password in less than 3% of the time) than if the web site had not mandated how the password was structured. How’s that for a perverse result?
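To check the arithmetic of the worked example, here is an added script (not from the original post) that counts the 6-character space both ways: the post’s product reserves one fixed position for each required class, while an inclusion-exclusion count allows the required characters in any positions. Punctuation is ignored, as in the post, and the tiny two-character alphabets at the end are constructed only to brute-force-check the formula.

```python
from itertools import combinations, product

# Character classes the post discusses (punctuation ignored, as in the post).
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def unrestricted(length, classes=CLASSES):
    """Passwords of `length` drawn freely from all classes: 62**6 in the post."""
    return sum(classes.values()) ** length


def mandated(length, classes=CLASSES):
    """Passwords containing at least one character from every class.

    Inclusion-exclusion: start from the unrestricted count, subtract the
    passwords missing at least one class, add back those missing two, and so on.
    """
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(range(len(sizes)), k):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in missing)
            total += (-1) ** k * alphabet ** length
    return total


def fixed_positions(length, classes=CLASSES):
    """The post's product (26 x 26 x 10 x 62 x 62 x 62): one reserved position
    per class, remaining positions unrestricted. This undercounts, because the
    required characters may sit in any positions and in any order."""
    sizes = list(classes.values())
    reserved = 1
    for s in sizes:
        reserved *= s
    return reserved * sum(sizes) ** (length - len(sizes))


def brute_force_mandated(length, alphabets):
    """Enumerate every password over the given class alphabets and keep those
    that use each class at least once; only feasible for tiny inputs."""
    chars = "".join(alphabets)
    return sum(1 for p in product(chars, repeat=length)
               if all(any(c in a for c in p) for a in alphabets))


if __name__ == "__main__":
    print(f"unrestricted 62^6       : {unrestricted(6):,}")
    print(f"mandated (exact count)  : {mandated(6):,}")
    print(f"post's fixed-position   : {fixed_positions(6):,}")
    print(f"all-lowercase, 15 chars : {unrestricted(15, {'lower': 26}):,}")
    # Constructed tiny alphabets: cross-check the formula against brute force.
    assert mandated(4, {"l": 2, "u": 2, "d": 2}) == brute_force_mandated(4, ("ab", "CD", "12"))
```

The exact mandated count is about 33.3 billion, so the mandate does shrink the search space, but by roughly 40% rather than 35 times; the 26^15 figure for an all-lowercase 15-character password still dwarfs both 6-character counts by many orders of magnitude.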
All of this is true with longer passwords, but it’s the acceptance of short passwords that is the real killer. In my view, the minimum length should be at least 12 characters.
Please, web site managers, come to your senses and insist on long passwords or pass-phrases, and allow them to be all upper or all lowercase or whatever, so that they can be easy for people to remember. A pass-phrase like ‘allmyfriendsaregettingmarried’ is way, way, way more secure than ‘3k5&1w’.
