There are technologies being developed right now that are going to improve the process of authenticating users to computer systems, from wearable devices (rings, bracelets, watches, Digital DNA, etc.) to face and voice recognition technologies built into every mobile device and personal computer. For right now, however, we must be content with a technology that is almost 50 years old and not very secure. I'm talking about password-based authentication. We use passwords because they are ubiquitous across systems and applications, and they are simple to implement, change, or delete. Because of these benefits, password-based authentication is going to be around for a while. Yet, with a proper policy in place, we can increase its overall security.
Wikipedia defines a password as a "word or string of characters used for user authentication to prove identity or access approval to gain access to a computer resource, which is to be kept secret from those not allowed access." By letting users select a word or string of characters, we find ourselves in a classic dilemma. Security administrators try to secure access to their systems by implementing strong password policies (random words with lengths greater than X number of characters, drawn from at least three character sets, that must be changed frequently and cannot be reused repeatedly). These policies force users to create complicated passwords that are very difficult to remember, and they have the negative effect of pushing users into a variety of bad behaviors that compromise the security of passwords (sticky notes under the keyboard), making it easier for unauthorized personnel to gain access to the systems.
The strength of any given password depends on its length, complexity, and randomness. Of these, length is the easiest to implement and the one with the greatest impact.
Entropy is used in information science to measure the strength of a password and is measured in bits; the higher the bit count, the stronger the password. Let’s use the following process to create a strong password:
• Random word from Webster’s New World College Dictionary (there are over 160,000 entries).
• Add one digit (10 digits).
• Add one special character (33 special characters).
This process will generate a total of 52,800,000 (160,000 × 10 × 33) possible combinations. Now let's calculate the entropy bits: log2(160,000 × 10 × 33) equals 25 entropy bits. This is our baseline. Now let's select two, three, four and five random characters from the 95 ASCII printable characters set (10 digits, 26 lower and 26 upper case letters, and 33 special characters):
• log2(95 × 95) equals 13 bits with 9,025 combinations.
• log2(95 × 95 × 95) equals 19 bits with 857,375 combinations.
• log2(95 × 95 × 95 × 95) equals 26 bits with 81.4 million combinations.
• log2(95 × 95 × 95 × 95 × 95) equals 32 bits with 7.7 billion combinations.
We can see that at four characters, we already surpass our baseline. In this specific example, we see that increasing length is more effective than complexity.
Now, let's compare how length affects a strong password versus a passphrase. For this, we are going to use an online tool at https://howsecureismypassword.net which estimates the amount of time a computer needs to execute a brute-force attack to be successful in cracking the selected password.
As we can see, the strong password in our example (having 14 characters in length, digits, upper and lower case letters, and special characters) is very secure, but not so easy to remember. Passphrases, on the other hand, are as secure — if not more — just by the fact of having more characters. They are almost impossible for hackers to crack using brute-force and rainbow table attacks, and are very difficult to guess. Passphrases satisfy security best practices and are easier to remember.
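To make the arithmetic from the entropy section and the password-versus-passphrase comparison above reproducible, here is an added Python example (it is not code from the article or from howsecureismypassword.net). It reuses the article's counts (160,000 dictionary entries, 10 digits, 33 special characters, 95 printable ASCII characters) and goes one step beyond the text by computing the entropy of random multi-word passphrases from the same dictionary and an expected brute-force time. The guessing rate of 10^10 guesses per second is an assumed placeholder, not a figure from the article, and every entropy value assumes the word or character at each position is chosen uniformly at random; a phrase the user composes from memory has far less entropy than the formula gives.

```python
import math

# Constructed from the article's figures; these are the counts it uses,
# not independently measured values.
DICTIONARY_WORDS = 160_000   # Webster's New World College Dictionary entries
DIGITS = 10
SPECIALS = 33
PRINTABLE_ASCII = 95         # 10 digits + 26 lower + 26 upper + 33 specials

# ASSUMPTION: attacker speed used for the time estimates. 1e10 guesses/second
# is a placeholder for an offline attack against a fast unsalted hash; it is
# not a figure from the article or from howsecureismypassword.net.
GUESSES_PER_SECOND = 1e10


def keyspace(*alphabet_sizes: int) -> int:
    """Number of distinct secrets when each position is drawn independently
    from its own alphabet (one alphabet size per position)."""
    total = 1
    for size in alphabet_sizes:
        total *= size
    return total


def entropy_bits(combinations: int) -> float:
    """Entropy of a uniformly random choice among `combinations` values."""
    return math.log2(combinations)


def baseline_entropy() -> float:
    """The article's baseline: one random dictionary word + one digit + one special."""
    return entropy_bits(keyspace(DICTIONARY_WORDS, DIGITS, SPECIALS))


def random_string_entropy(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet of `alphabet` symbols."""
    return entropy_bits(keyspace(*([alphabet] * length)))


def passphrase_entropy(words: int, dictionary: int = DICTIONARY_WORDS) -> float:
    """Entropy of `words` words chosen uniformly and independently from the
    dictionary. Only valid for randomly chosen words, not for a composed sentence."""
    return entropy_bits(keyspace(*([dictionary] * words)))


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def comparison_table() -> dict:
    """Entropy (bits) of each scheme discussed in the article, plus random passphrases."""
    rows = {"word+digit+special (baseline)": baseline_entropy()}
    for n in (2, 3, 4, 5, 14):
        rows[f"{n} random printable chars"] = random_string_entropy(n)
    for n in (4, 5, 6):
        rows[f"{n} random dictionary words"] = passphrase_entropy(n)
    return rows


if __name__ == "__main__":
    for scheme, bits in comparison_table().items():
        seconds = expected_crack_seconds(bits)
        print(f"{scheme:32s} {bits:6.1f} bits  ~{human_duration(seconds)} at 1e10 guesses/s")
```

Running it reproduces the article's rounded values (25, 13, 19, 26 and 32 bits) and shows that four random characters just clear the baseline, that the 14-character random password sits near 92 bits, and that six words chosen at random from a 160,000-word dictionary exceed it at roughly 104 bits, which is the quantitative form of the claim that a passphrase is as secure as, if not more secure than, the strong password.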
If we want to help our users with the daily task of authenticating while also improving the security of passwords, we should look at implementing passphrases instead.