Password Strength

Password Strength

When people are tasked to come up with a good password, often people will take some phrase or their mom’s name, switch a few characters around, and add a special symbol to the end. However, contrary to popular belief, this is actually a really bad password! The purpose of this post is to educate people on what a good password actually looks like. But first, let’s look at what sort of methods crackers use to break into people’s accounts.

Brute force

The brute force method is the one where a cracker will go through every possible combination of characters and check each one against your account. So first they’ll try “a”, and if that doesn’t work, they’ll try “b”, and if that doesn’t work, they’ll try “c”, and so on. And once they run out of letters, they try numbers. And then they try multiple letters: “aa”. I think you get the idea. For short passwords, this method is often effective. However, each additional character increases the amount of time to break the password exponentially.

Dictionary

In this method, an attacker will utilize known passwords (often obtained from a data breach) to try to break into one’s account. As these passwords are known to have been used before, it’s much more likely that another person used it as well. Have I Been Pwned offers a great tool that checks if a password has appeared in a data breach before.

GivingTools automatically checks your password against Have I Been Pwned.

So what is a good password?

A good password is one that is computer-generated. This doesn’t mean the password needs to be hard to remember, rather the password must have a sufficient amount of entropy to be considered secure.

One common method for secure password generation is Diceware. Diceware involves rolling a number of dice (5 or so), and from the results, looking up a word in a public word list. Do this 5 or so times, and you have a 5 word password. Now you may be thinking, if the word list is public, isn’t this susceptible to dictionary attacks? The key thing here is that you picked the words at random, this leaves approximately 1019 different passwords. Checking each one of these would actually turn into a brute force attack and due to the scale, is computationally infeasible.

The key thing to remember is that when you look at a password, you can’t really be sure how secure it is (those password strength meters are lying to you). We assume the attacker knows how the password was generated, be that Diceware or a password manager. What’s important is that there was a sufficient amount of entropy put into the generation algorithm. Usually around 20 bits is considered the bare minimum for password security, but more bits is always better!

So if you think you have a good password, try typing it into HIBP and you might be surprised! (Normally I wouldn’t recommend typing your passwords into another site, but this is the one site you can trust :).)