How Password Constraints Give You A False Sense Of Security


The next time you're forced to make a password, especially if a site requires a combination of uppercase and lowercase letters, or a number, or a symbol, don't assume that these complexity rules automatically make your password strong. They shrink the space of allowed passwords, and a brute-force tool knows that.

Randy Abrams, a senior security analyst at Webroot, ran some simple tests. He counted all the possible eight-character passwords built from numbers, uppercase and lowercase letters, and symbols: 95 printable characters in each of eight positions gives 95^8, or 6,634,204,312,890,625 (about 6.6 quadrillion) passwords.

Let's assume that someone is trying to figure out your password with a typical brute-force attack, and that they can test about 31 billion guesses per second. (That rate is only realistic for an offline attack, where the attacker already holds a copy of your hashed password and the hash is a fast one; guessing against a live login form is far slower and usually rate-limited.) Exhausting the full eight-character pool would take at most roughly 213,000 seconds, about 59 hours, or two and a half days.

Now, let's talk about constraints for a minute. Assume the service requires at least eight characters. Abrams notes that this removes about 70.6 trillion candidates, since every password from one to seven characters long is now invalid. That saves the cracking tool all of 2,277 seconds, or nearly 38 minutes, out of two and a half days. A minimum-length rule, in other words, costs you almost nothing.

What if, in the name of security, you keep the eight-character password (it's easier to memorise) and the service forces you to include uppercase and lowercase letters as well as symbols? That's more secure, right? It's a more complex password, so it should be harder to guess? Not quite. As Abrams notes, you've just cut the pool of candidates by 18.5 per cent: the all-lowercase passwords, the ones with no symbol, and so on are gone, and the attacker never has to try them. The ceiling in our scenario drops to about two days.

If a service also requires a number, and you do exactly what it asks while keeping your "complicated" password at a mere eight characters, the digit rule on its own discards the roughly 41 per cent of eight-character passwords that contain no digit at all (85^8 of them), bringing the maximum down to about 35 hours, just under a day and a half. Stack it on top of the uppercase, lowercase and symbol rules and the combined requirements remove about 54 per cent of the pool: roughly 27 hours, worst case.


Instead of worrying about the best way to make your shorter password harder to guess or brute-force, Abrams advises that it's a lot better to pick a longer password, because even if a service has password constraints, they'll have much less of an impact:

You might have noticed that there is little effect on the longer passwords. Frequently there is also very little value in imposing constraints on long passwords. This is because each additional character in a password grows the pool of passwords exponentially.

There are 6.5 million times as many combinations of 16 character passwords using only lowercase letters than there are of eight character passwords using all four character sets. That means that 'toodlesmypoodles' is going to be a whole lot harder to crack than '[email protected]'.
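The arithmetic behind the constraint figures above, and behind Abrams' 16-character comparison, is a small inclusion-exclusion calculation. The script below is an added example, not code from the article or from Webroot; it assumes the 95 printable ASCII characters split into 26 lowercase, 26 uppercase, 10 digits and 33 symbols, and the article's rate of 31 billion guesses per second. It also goes one step further than the article by cross-checking the formula against a brute-force enumeration over a toy alphabet, and by computing the combined effect of all four rules rather than the digit rule alone.

```python
import itertools

# Printable ASCII is 95 characters; this split into the four classes the
# article's constraints talk about is an assumption made for this example.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
GUESSES_PER_SECOND = 31e9  # the article's offline brute-force rate


def keyspace(length, required=(), classes=CLASSES):
    """Count passwords of exactly `length` characters, drawn from every class in
    `classes`, that contain at least one character from each class in `required`.

    Inclusion-exclusion over the sets of required classes that are *absent*:
    subtract passwords missing one class, add back those missing two, and so on.
    """
    alphabet = sum(classes.values())
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in itertools.combinations(required, k):
            reduced = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total


def shorter_than(length, classes=CLASSES):
    """Passwords of 1 .. length-1 characters: what a minimum-length rule discards."""
    alphabet = sum(classes.values())
    return sum(alphabet ** n for n in range(1, length))


def percent_removed(length, required):
    """Share of the unconstrained pool that a set of required classes throws away."""
    return 100.0 * (1 - keyspace(length, required) / keyspace(length))


def hours_to_exhaust(count, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return count / rate / 3600


def brute_force_agrees(length=4):
    """Cross-check the formula by enumerating a constructed six-character alphabet."""
    toy = {"lower": "ab", "upper": "C", "digit": "12", "symbol": "!"}
    sizes = {name: len(chars) for name, chars in toy.items()}
    alphabet = "".join(toy.values())
    for required in [(), ("digit",), ("lower", "upper", "symbol"), tuple(toy)]:
        enumerated = sum(
            1
            for pw in itertools.product(alphabet, repeat=length)
            if all(any(ch in toy[c] for ch in pw) for c in required)
        )
        if enumerated != keyspace(length, required, sizes):
            return False
    return True


def article_scenarios(length=8):
    """The eight-character cases from the article, as (candidates, hours) pairs."""
    three = ("upper", "lower", "symbol")
    four = three + ("digit",)
    cases = {
        "any characters": keyspace(length),
        "upper, lower and symbol required": keyspace(length, three),
        "digit required": keyspace(length, ("digit",)),
        "all four classes required": keyspace(length, four),
    }
    return {name: (n, hours_to_exhaust(n)) for name, n in cases.items()}


if __name__ == "__main__":
    print(f"inclusion-exclusion matches enumeration: {brute_force_agrees()}")
    print(f"minimum length 8 discards {shorter_than(8):,} shorter passwords "
          f"({hours_to_exhaust(shorter_than(8)) * 60:.0f} minutes of guessing)")
    for name, (n, hours) in article_scenarios().items():
        print(f"{name:36s} {n:26,d}  {hours:6.1f} h")
    print(f"16 lowercase letters vs. any 8 printable: "
          f"{keyspace(16, classes={'lower': 26}) / keyspace(8):,.0f}x more")
```

Run it and the "digit required" row lands near 35 hours while "all four classes required" lands near 27, which is why stacking rules on a short password helps the attacker more than each rule looks like it should; swap in a slow password hash (bcrypt, scrypt, Argon2) for the 31 billion figure and the same pool takes years instead of days, which is the lever defenders actually control.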

If you go the passphrase route, don't stop at three words. Use several, since every extra word multiplies the pool the same way every extra character does.

Better still, use a long passphrase (that isn't just a famous quote or fairly common phrase) for your password management app, add a second layer of security with two-factor authentication (a token you generate from an app or other hardware device, not a login code you receive via text message), and then use your password manager to generate 16+ character passwords full of uppercase and lowercase letters, numbers, and symbols for all your other services. Go wild.

And if you attempt to sign up for something that only lets you have a short password with constraints — especially if you're only required to use a number — get nervous. If you're lucky, maybe you'll be able to set up 2FA there as well, for a little security boost.


Comments

    This is extremely misleading because it is based on a flawed assumption.
    "Assume they can test about 31 billion passwords per second."

    Whilst this is true for an attack on a login password if you have the hashed password, that requires an attacker to have already breached the security of a system. Once that is done it's a moot point if it's 2.5 days or 2.5 days minus 38 minutes.

    If you don't have the hashed password you will have to try all these combinations on the host system which will not allow you to try 31 billion logins per second, and after a rather trivial number will lock you out.

    How many articles do we get from the likes of Lifehacker describing surveys of passwords showing that trivial passwords are also common ones? If the password is for a login it makes a big difference. If they make it complicated enough it will end up on a Post-it note.
