Strong password myth

2 minute read

I find the traditional password advice given to customers on various registration forms outdated and false, and it gives a false sense of security. We cannot really talk about brute force attacks on the web, because the time required to post a request is around 200 ms on an average hosted server, and even slower in the cloud. This is because login forms have to render website menus and display different CMS blocks, and that takes server resources. A brute force password attack is more likely to take down the server before it has any success. So a password of 8 characters is strong enough to prevent the success of this kind of attack (strength will be elaborated below).

There is also a misconception about the character set used. Paid security experts often say that special characters and numbers are required for a strong password. This is also false. Above a minimum requirement, increasing password strength does little to address any threat. What really is a solution is using a strong user ID: do not use the e-mail address as the user name, do not use your real name as the username, do not use the same password on different websites, and do not share the same password across employee accounts.

Regarding password strength, a simple formula gives the maximum number of guesses required to find your password. NIST, the National Institute of Standards and Technology, has a few words to say on the topic: password strength boils down to the number of bits of entropy a password has. Take the numbers from:

Decimal digits: 10 (0-9)

Lower case alpha: 26 (a-z)

Upper case alpha: 26 (A-Z)

Special characters: 3 (+ , /)

Additional keyboard special characters: 12 (!@#$%^&*(){})

If your password contains all of the above, the sum is 77. If it contains lower case and upper case characters only, it is 52. This is still not entropy: by definition, entropy measures the chaos (unpredictability) in a password rather than the number of combinations.

If your password's length is 7 characters, then the maximum number of guesses required to guess it is 7 ^ 77 (1.1818138658059589e+65) using all the characters above, and 7 ^ 62 (2.4893071176241543e+52) using small and capital letters and numbers only. However, if we increase the number of characters, using 12 positions with 62 different characters is more secure than using 7 positions with 77 characters. Similarly,

AjfXeop is more secure than gr33tings.
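To put numbers on the comparisons above, the following is an added example (not code from the original post) that computes the search space of a random password as alphabet size raised to the password length, converts it to NIST-style bits, estimates online brute-force time at the 200 ms per request quoted above, and shows why a leet-disguised dictionary word such as gr33tings is weaker than its character count suggests. The three "special characters" are read as "+", "," and "/", and the wordlist and leet mapping are constructed stand-ins.

```python
import math
import string

# Character classes as listed in the post; the three "special characters" are
# read here as "+", "," and "/" (an assumption about the post's list).
CHARSETS = {
    "digits": string.digits,            # 10
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "special": "+,/",                   # 3
    "keyboard": "!@#$%^&*(){}",         # 12
}

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"greetings", "password", "welcome"}
# Constructed leet-speak mapping: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET = str.maketrans("013457@$", "oieastas")


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    return sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))


def search_space(alphabet: int, length: int) -> int:
    """Maximum guesses for a uniformly random password: alphabet ** length."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """NIST-style entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def years_to_exhaust(space: int, seconds_per_guess: float = 0.2) -> float:
    """Years to try every guess online at the post's ~200 ms per request."""
    return space * seconds_per_guess / (365 * 24 * 3600)


def effective_bits(password: str) -> float:
    """Naive bits for a random string; but a (leet-disguised) dictionary word
    is really chosen from the wordlist, so its search space is the list size."""
    normalised = password.translate(LEET).lower()
    if normalised in WORDLIST:
        return math.log2(len(WORDLIST))
    return entropy_bits(alphabet_size(password), len(password))
```

Against a real dictionary with mangling rules the effective bits of gr33tings are higher than log2(3) but still far below the roughly 40 bits that a random 7-character mixed-case string like AjfXeop gets, which is the post's point about chaos versus combinations.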

During my research, I came across this xkcd: