So there are a lot of myths around password complexity and using multiple upper and lower case characters — AbCdE — or combining lots of symbols and numbers such as #2$&abCe#& — to improve strength and encryption. The problem is that you’re constantly stuck remembering what the combination was, or what symbol came first, or whether the password had an upper or lower case C. It’s puzzling and confusing, and even security firms try to meddle in this process by recommending ‘easier’ methods for people to remember passwords.
Take this video by Sophos embedded below. While what Mr. Graham Cluley is doing is admirable in trying to assist internet citizens in increasing their password strength by muddling up words, symbols and letters — the outcome is increasingly confusing.
I mean Graham starts out with — Fred and Wilma sat down for a dinner of eggs and ham — and ends up with — f+wsd4adoe&h. Frankly, the former is a hell of a lot easier to remember than the latter in my mind. So inspired by the comic by XKCD — I wanted to highlight a fundamentally simpler way to create a strong password based on the concept of entropy.
You’re thinking — “WTF is entropy?”
Well, Wikipedia describes it as a measure of the uncertainty associated with a random variable, and in the world of the Internet — this implies that it’s all related to bits — a basic unit of information that’s typically described as a 0 or 1.
In the most ‘basic and non-complex’ form — when hackers are trying to crack your password — the less entropy there is in the password, the easier it is to guess. This is done by simply iterating through the combinations of words, numbers or symbols and trying all the combinations possible. For example, check out the picture below — which illustrates time:
You can see the total number of hack attempts that are available to any hacker [based on simple brute force combination hacking] here per year on a relatively slow computer. Now let’s throw a password into the mix:
So you can see that with a relatively basic password with a combination of letters and numbers — it’s not that difficult to process the total number of combinations available based on the password’s entropy and figure it out. However, now let’s simply use a standard combination of four relatively common words, in the random order that they first popped into my head, and see what happens:
The difference is frankly astounding and the principle is so simple — using longer phrases, which are easier to remember, allows you to substantially increase the time it takes to brute hack a password. Of course, adding in upper and lower case letters, numbers or symbols only serves to further increase the protection of this password — however, the point is that you don’t always need to do this. Simply selecting a combination of words, relatively unique and unknown in their order, with an entropy of more than 50 bits is more than adequate: it will take well over 1000 years to get close to hacking it at 1000 passwords/sec. In fact, choosing obscure words makes other hacking methods like dictionary attacks even harder — these still fundamentally struggle with high entropy passwords because of the sheer volume of combinations.
Faster computers may be able to attack faster, but the times involved will still be many years — so don’t always listen to the populace, and select your passwords based on entropy, remembering that:
Time is a hacker’s worst friend. As the time spent on you increases — the faster the hacker moves on to someone else.
To calculate entropy for your password — use this handy calculator.
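The estimates discussed above can be reproduced in a few lines of Python. This is an added example, not the calculator the post links to; the character-pool sizes, the sample word list and the function names are assumptions made here. It goes beyond the post by also computing entropy under a word-list (dictionary) model, which is the lower bound that matters for a passphrase.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600
GUESSES_PER_SEC = 1000  # rate used in the post

def charset_size(password):
    """Smallest pool of character classes that covers the password (assumed sizes)."""
    pool = 0
    pool += 26 if any(c.islower() for c in password) else 0
    pool += 26 if any(c.isupper() for c in password) else 0
    pool += 10 if any(c.isdigit() for c in password) else 0
    pool += 33 if any(not c.isalnum() for c in password) else 0  # ASCII symbols + space
    return pool

def brute_force_bits(password):
    """Bits if the attacker tries every string of this length over the pool."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0

def wordlist_bits(num_words, wordlist_size):
    """Bits if the attacker knows the list and each word was picked uniformly at random."""
    return num_words * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_sec=GUESSES_PER_SEC):
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_sec / SECONDS_PER_YEAR

def random_passphrase(wordlist, num_words=4):
    """Choose words with a CSPRNG so that wordlist_bits() really applies."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))

if __name__ == "__main__":
    # Constructed stand-in list; a real list (e.g. 7776 Diceware words) is far larger.
    sample_words = ["anchor", "biscuit", "copper", "dune", "ember", "fjord", "gravel", "harbor"]
    phrase = random_passphrase(sample_words)
    print(phrase, "(8-word demo list: only %.0f bits)" % wordlist_bits(4, len(sample_words)))
    for label, bits in [
        ("f+wsd4adoe&h, brute force", brute_force_bits("f+wsd4adoe&h")),
        ("4 words from 2048-word list", wordlist_bits(4, 2048)),
        ("4 words from 7776-word list", wordlist_bits(4, 7776)),
    ]:
        print("%-30s %5.1f bits  %.3g years" % (label, bits, years_to_exhaust(bits)))
```

The word-list figure only holds when the words are drawn at random; words chosen by a person are more predictable than this estimate assumes.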