Passwords should be safe – we all know that. But how can we achieve it? My opinion is: Today, there is no way to find a satisfying solution. I will explain why and try to find solutions from user perspective.
How people handle passwords
Which passwords do you use in the internet? Would you consider them to be safe? While talking with people, I get the impression there is mainly three categories, how people deal with that problem:
- People, who do not care at all. main goal is to remind the passwords. Often used are passwords like “qwerty”, “123456”, “password” or the name of the pet (or wife/husband). The password is the same on each login page on the internet.
- People, who make a science out of it. They use different passwords for each login and choose passwords with maximum security (mixture of letters, capitals, numbers, special characters). Those can only be stored in Password safes, because nobody can remember them anymore. (A password safe is an encrypted piece of software keeping lots of passwords with information of username, URL, etc. Usually you just need to remember one single password to unlock it.)
- People using mainly one password, which is hard to guess (like sentences with some replaced characters (e.g. “n0b0Dyc4Nr3aDTh!s”).
Unfortunately, each of these solutions comes with some problems:
- It’s obvious, that the first group is at high risk. Passwords can be easily guessed and attackers have then access to all accounts of the victim
- This is VERY secure – isn’t it? Yes and no – weak point here is the password safe that can usually be opened with one single password providing access to all of the complicated ones afterwards. In addition it’s very clunky – and while being on the go, you can’t login anywhere. So this is kind of annoying as well.
- Looks like a good solution, BUT here comes the problem: each website has its own set of rules, how a password MUST look like. Some require letters or at least one special character while others do not allow those characters at all. Some require a specific minimum (and maximum) length. So you end up with a few instead of just one password and need to guess again for each login that isn’t used regularly.
It looks like a dilemma nobody can fix. And we won’t as well. I hope there’s a simple solution in the future like a standardized iris scanner, an automatically generated and submitted key from mobile phone to identify yourself or something like that.
Until that time, my suggestion and desire is: would it be possible, that all login-pages agree on a “minimum Standard”, like a default length and set of characters, that every login page allows? Then, option 3 would become much more attractive and realistic to handle.
Let’s do some calculation..
Let’s say we take the ASCII Standard encoding with 95 printable letters as allowed set of characters. By standardizing, that each login page must allow passwords with a length of 10 characters, it would allow:
possible passwords, which is a bit stronger than a 64 bit key strength. Sure, it’s not that strong, that brute force wouldn’t be able to crack it, but in combination with Re-Captchas or a limited number of tries per hour, it would at least allow to use the same (or slightly adjusted passwords) for different pages.
If we’d increase the allowed length to 32 Characters for instance, we need max. 32 Byte disk space per password and it would allow: possible passwords, which is comparable to a 210 bit key strength – that’s kind of strong already and most likely much stronger than your current password.
Why special characters do not help
A common misunderstanding is, that adding additional possible characters (like special characters) is the best way to increase security on a password. Generally please do not use real words as passwords – they are usually tried first from password crackers. But mathematically spoken, the strengths of a password means, how many guesses a brute-force attack would need to simply guess the password.
Maximum needed guesses for a usual toss of dice is for instance “6” – while we do only need 3,5 guesses in average.
Our latin alphabet has 26 Characters (we can double the number with Capitals) and by allowing numbers we can add another 10 possibilities. In total we have 62 options now. Adding each special character will add 1 more option for each digit of the password.
While the allowed charset defines the # of options, key factor in terms of security is the length of a password: Each additional digit increases the power by 1:
- simple alphabet (26 chars) and a length of 6: 308.915.776 possibilities (in words: 308 million 915 thousand 776)
- dice (6 chars) and a length of 26: 1.71 * 10^20 (which is 5.5 * 10^11 times more)
Another comparison: given is a character set of 26 characters (alphabet) and a length of 10. The following chart shows the evolution of complexity by adding chars vs. the evolution of complexity by adding 2 characters VS increasing length by 2:
Spoken easily: Adding lengths increases complexity of passwords much faster than adding additional characters.
How should you approach the issue now? Still being not the perfect solution, I think for now a combination of some methods is the best approach. We just learned, that a simple (long) sentence is stronger than a mix of characters that you can’t remember. A password safe like KeePass or LastPass can support you to remember all passwords for the different accounts. Let’s hope that one day, a brilliant solution will be invented, so that we can smile looking back telling “can you still remember the times, where we needed to remember passwords…”