Password strength
From Wikipedia, the free encyclopedia
Password strength is the likelihood that a password can be guessed by an unauthorized person or computer. Passwords easily guessed are known as weak or vulnerable; passwords very difficult or impossible to guess are considered strong.
The terms weak and strong are relative and have meaning only with regard to specific password systems. The necessary quality of the password depends on how well the password system limits attempts to guess a user's password, whether by a person who knows the user well, or a computer trying millions of possibilities. In a cryptographic context, the terms can have considerable precision. For example, passwords generally are not suitable for use as encryption keys. But note that even a 'strong' password may still be stolen, tricked, or extorted from a user, collected from a keyboard logger, intercepted in transit, or otherwise discovered.
Weak passwords
A weak password is short, common, a system default, or one that could be rapidly guessed by executing a brute force attack using a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name, or common variations on these themes. Passwords easily guessed by acquaintances of the user, such as a birth date or a pet's name, are also considered weak.
Examples of weak passwords include:
- admin -- too easily guessed
- 1234 -- too easily guessed
- susan -- common personal name
- password -- trivially guessed, used astonishingly often
- rover -- common name for a pet, a dictionary word in any case
- 12/3/75 -- date, possibly of personal importance
- nbusr123 -- probably a user name, if so very easily guessed
- asdf -- a sequence of adjacent letters on many keyboards
Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed.
Many users do not change the default password that comes with many computer security systems. Lists of default passwords are available on the Internet.[1]
A password might be guessable if a user chooses an easily-discovered piece of personal information as a password (such as a student ID number, a boy- or girlfriend's name, a birthday, a telephone number, or a license plate number). Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor.
A password is often vulnerable if it can be found in a list. Dictionaries in machine-readable form are available for many languages, and there exist lists of commonly-chosen passwords. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is available for many systems.
A too-short password, perhaps chosen for ease of typing, is vulnerable if an attacker can obtain the cryptographic hash of the password. Computers are now fast enough to try all alphabetic passwords shorter than 7 characters, for example.
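The weak-password criteria above (too short, a default, a dictionary word, derived from the user name, a keyboard sequence, a date, or personal information) are the kind of checks a registration form or password-change routine enforces. The following checker is an added example, not code from the article; its word lists are small constructed samples standing in for a real dictionary, common-password list and default-password list, and the `personal` parameter is a hypothetical hook for data the system already knows about the user.

```python
import re

# Constructed sample lists for this example. A real checker would load a full
# dictionary, a list of commonly chosen passwords, and vendor default lists.
COMMON_PASSWORDS = {"password", "123456", "1234", "admin", "letmein", "qwerty"}
DEFAULT_PASSWORDS = {"admin", "root", "guest", "default", "changeme"}
DICTIONARY_WORDS = {"apple", "rover", "susan", "house", "dog", "cat"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8

# d/m/yy-style dates with any separator, or all-digit 6- or 8-character dates
DATE_RE = re.compile(r"^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$|^\d{6}$|^\d{8}$")


def has_keyboard_run(text, run=4):
    """True if any `run` adjacent characters lie on one keyboard row, in either direction."""
    s = text.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - run + 1):
            chunk = s[i:i + run]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def weaknesses(password, username="", personal=()):
    """Return the reasons a candidate password counts as weak (empty list if none).

    `personal` (hypothetical parameter) is a tuple of strings the system knows
    about the user, such as a pet name or plate number, that must not appear.
    """
    p = password.lower()
    stem = p.rstrip("0123456789")  # "rover123" -> "rover"
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if p in COMMON_PASSWORDS:
        reasons.append("commonly chosen password")
    if p in DEFAULT_PASSWORDS:
        reasons.append("system default password")
    if stem in DICTIONARY_WORDS:
        reasons.append("dictionary word (possibly with trailing digits)")
    if username and (username.lower() in p or p in username.lower()):
        reasons.append("based on the user name")
    if has_keyboard_run(p):
        reasons.append("keyboard sequence")
    if DATE_RE.match(p):
        reasons.append("looks like a date")
    for item in personal:
        if item and item.lower() in p:
            reasons.append("contains personal information: " + item)
    return reasons


if __name__ == "__main__":
    for pw in ("admin", "1234", "susan", "password", "rover", "12/3/75", "asdf"):
        print(pw, weaknesses(pw))
    print("nbusr123", weaknesses("nbusr123", username="nbusr"))
    print("t3wahSetyeT4", weaknesses("t3wahSetyeT4"))
```

Every entry in the article's list of weak examples is rejected for at least one reason, while the stronger examples pass; in practice the real lists are large, so a set lookup (or a Bloom filter for very large breach lists) keeps the check cheap.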
Strong passwords
A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, that successfully guessing it will require too long a time. The length of time deemed to be too long will vary with the attacker, the attacker's resources, the ease with which a password can be tried, and the value of the password to the attacker. A student's password might not be worth more than a few seconds of computer time, whilst a password controlling access to a large bank's electronic money transfer system might be worth many weeks of computer time.
Examples of stronger passwords include:
- t3wahSetyeT4
- 4pRte!ai@3
- #3kLfN2x
- MoOoOfIn245679
These passwords are longer and use combinations of lower and upper case letters, digits, and symbols. They are unlikely to be in any password cracking word list and are sufficiently long to make direct brute force search impractical in some systems. Note that some systems do not allow symbols like #, @ and ! in passwords and they may be hard to find on different keyboard layouts. In such cases, adding another letter or number or two may offer equivalent security.
The above examples, having been published in this article as password examples, are no longer good choices; examples from publicly-accessible discussions about passwords are obviously good candidates for inclusion in a dictionary to be used for a dictionary attack. However, beware that even "strong" passwords (by this limited criterion), and especially human-chosen passwords, are not equivalent to a strong encryption key, and should not be used as such. Passphrases and password-authenticated key agreement methods have been used to address this limitation.
Such passwords can only be found by using a so-called brute force password generator: a small program that simply tries all possible combinations. A common 3 GHz processor these days can generate approximately 3 million passwords a second. For a password like the 4pRte!ai@3 listed above (10 characters drawn from the 95 printable keyboard characters), trying every combination would take approximately 95^10 / 3,000,000 / 3600 / 24 / 365 = 632,860 years.
The number of combinations is given by the formula maximumCombinations = nrAvailableChars^passwordLength. This shows that when only the 26 lowercase letters are used and the password length is 6 characters, the number of combinations is relatively small: 26^7 = 8.03 billion combinations. This sounds large, but when an average computer can generate 3 million passwords a second it will take only 18.59 days to find the password.
Passwords longer than 7 characters that are not dictionary words are therefore preferred and make good passwords. The fact, however, is that the majority of computer users do not live up to these rules, since such complex passwords are hard to remember.
A simple brute force program written in C allows a person to search for, and time the search for, a given password (it tries all passwords using any combination of the characters [A-Z][a-z][0-9],_!); it can easily be adapted to brute force all 95 keyboard characters.[2] Experimenting with this program quickly shows that a password such as apple is not a safe password, since it will be found within 30 seconds.
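The arithmetic above (search space = characters^length, divided by the guessing rate) is what a defender uses to size a password policy against an assumed attacker speed. The calculator below is an added example, not the article's C program; it assumes the attacker knows which character classes the password draws on (lowercase 26, uppercase 26, digits 10, other printable 33, totalling the 95 keyboard characters) and reports the worst case of exhausting the whole space. It goes beyond the single figures in the text by taking any password shape and any guess rate, and by computing both 26^6 and 26^7 so the lowercase-only case can be redone.

```python
import math
import string

SECONDS_PER_YEAR = 3600 * 24 * 365  # the article's 365-day year
PRINTABLE = 95                      # printable ASCII keyboard characters


def combinations(alphabet_size, length):
    """maximumCombinations = nrAvailableChars ** passwordLength."""
    return alphabet_size ** length


def alphabet_size_of(password):
    """Size of the union of character classes the password uses. Assumption:
    the attacker knows which classes were used and tries only those."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += PRINTABLE - 62   # the 33 remaining printable symbols
    return size


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Time to try every password of this shape (worst case for the guesser)."""
    return combinations(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def entropy_bits(alphabet_size, length):
    """log2 of the search space; each extra bit doubles the guesser's work."""
    return length * math.log2(alphabet_size)


def report(password, guesses_per_second=3_000_000):
    """Summary figures for a password of this shape at the given guess rate."""
    a, n = alphabet_size_of(password), len(password)
    return {
        "alphabet": a,
        "length": n,
        "combinations": combinations(a, n),
        "bits": round(entropy_bits(a, n), 1),
        "seconds": seconds_to_exhaust(a, n, guesses_per_second),
        "years": years_to_exhaust(a, n, guesses_per_second),
    }


if __name__ == "__main__":
    for pw in ("apple", "4pRte!ai@3"):
        print(pw, report(pw))
    for n in (6, 7):
        secs = seconds_to_exhaust(26, n, 3_000_000)
        print(f"26^{n} = {combinations(26, n):,} lowercase passwords, "
              f"{secs / 86400:.2f} days at 3 million guesses/s")
```

The guess rate is the parameter to question: 3 million per second is the article's figure for an online-era CPU trying each candidate in software, while an attacker holding a fast unsalted hash can try far more, so a policy should be sized against the offline rate whenever password hashes could leak.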
Random passwords
The most secure passwords are long, random strings of characters, but such passwords are generally the most difficult to remember. For the same number of characters, a password is stronger if it includes a mix of upper and lower case letters, numbers and other symbols (when allowed). The difficulty in remembering such a password increases the chance that the user will write down the password, which makes it more vulnerable. Whether this represents a net reduction in security depends on whether the primary threat to security is internal or external.
Forcing users to use system-created random passwords ensures the password will have no connection with that user and shouldn't be found in any dictionary. Several operating systems have included such a feature. While helpful from a security viewpoint, many users resent such measures, particularly in the absence of effective security awareness training. In addition, the imposition of strong random passwords may encourage users to write down their password, thus increasing the risk of its loss.
Mnemonic passwords
Some users develop mnemonic phrases that have the random letters as the initial of each word; this requires considerable effort for some random passwords. Another way to make "random" passwords more memorable is to use random words (see diceware) or syllables instead of randomly chosen letters.
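System-created random passwords (previous section) and random-word passphrases in the Diceware style (above) are both cases of drawing uniformly from a symbol set with a cryptographic random source, and the strength of each is the number of draws times log2 of the set size. The generator below is an added example, not code from the article or from the Diceware project; it uses Python's `secrets` module (the OS CSPRNG, never `random.random`), a constructed eight-word list standing in for the real 7776-word Diceware list, and a helper that works out how many extra letters or digits a symbol-free password needs to match one that uses symbols, which is the trade-off mentioned in the Strong passwords section.

```python
import math
import secrets
import string

# 94 printable ASCII characters excluding space: 52 letters, 10 digits, 32 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Letters and digits only (62), for systems that reject symbols.
ALNUM_ALPHABET = string.ascii_letters + string.digits

# Constructed toy word list for the demonstration. A real Diceware list has
# 6^5 = 7776 words, one per roll of five dice, about 12.9 bits per word.
WORDS = ["apple", "river", "stone", "cloud", "mango", "tiger", "piano", "lemon"]


def random_password(length=12, alphabet=FULL_ALPHABET):
    """System-generated password: each position drawn uniformly by the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=5, words=WORDS, sep=" "):
    """Diceware-style passphrase: words drawn uniformly from the list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, symbol_count):
    """Entropy of `choices` independent uniform draws from `symbol_count` symbols."""
    return choices * math.log2(symbol_count)


def length_for_bits(target_bits, symbol_count):
    """Smallest number of draws whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(symbol_count))


def equivalent_alnum_length(symbol_length, symbol_alphabet=FULL_ALPHABET,
                            plain_alphabet=ALNUM_ALPHABET):
    """Length a letters-and-digits password needs to match a symbol-bearing one
    of `symbol_length` characters."""
    needed = entropy_bits(symbol_length, len(symbol_alphabet))
    return length_for_bits(needed, len(plain_alphabet))


if __name__ == "__main__":
    print(random_password(12), round(entropy_bits(12, len(FULL_ALPHABET)), 1), "bits")
    print(random_passphrase(5), "(toy list)")
    print("words from a 7776-word list for 64 bits:", length_for_bits(64, 7776))
    print("10 symbol chars ~ alnum length:", equivalent_alnum_length(10))
```

With the real 7776-word list, five words give about 64.6 bits, comparable to a 10-character password drawn from the full 94-character set, which is the memorability argument for passphrases: the entropy comes from the number of words, so the words themselves can be ordinary.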
Personal mnemonics are sometimes recommended; that is, things that are memorable to you, but not to others. For example, the password Iw21wIfvP, a difficult to remember string, derives from "I was 21 when I first visited Paris", possibly easily remembered. However, if your first experience of Paris is important to you, it may be possible to guess this password from a little research about you, and, if so, this would not be a sensible password choice.
Another is NYianc@US which derives from the phrase "New York is a nice city at the US", though it may run afoul of restrictions on allowed characters on some systems. Most likely, the exclusion of punctuation and non-alphanumeric symbols is a practical issue as some keyboards will not have all such characters and some software will not accept some of these characters in a password. It is also a reduction in security, as the policy makes guessing passwords easier, an undesirable outcome. On the other hand, such a password is a considerable improvement on a child or pet's name, initials, birthday, mother's maiden name, or many of the choices made without such a requirement.
Patterned passwords
Any pattern in a password makes guessing (automated or not) easier. As of October 2005, employees of the UK Government are advised to use passwords of the following form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example pinray45). Apparently upper and lower case do not matter, and this form is called an Environ password. The pattern of alternated vowels and consonants has probably been suggested so that the result will be somewhat pronounceable; it is a considerable reduction in the "randomness" of the generated password and is a reduction in security as a result, as is the restriction to letters and numbers.
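The reduction can be quantified: a password that must fit a fixed class pattern has a search space equal to the product of the class sizes at each position, not alphabet^length. The following is an added example, not part of the article; it assumes 21 consonants (y counted as a consonant), 5 vowels and 10 digits, ignores case as the text says the scheme does, and compares the Environ pattern with an unrestricted 8-character password over the same 36 case-insensitive letters and digits.

```python
import math

# Character classes for the Environ pattern (assumption: y is a consonant).
CLASS = {
    "c": set("bcdfghjklmnpqrstvwxyz"),  # 21 consonants
    "v": set("aeiou"),                   # 5 vowels
    "n": set("0123456789"),              # 10 digits
}
ENVIRON = "cvccvcnn"  # consonant, vowel, consonant, consonant, vowel, consonant, digit, digit


def pattern_combinations(pattern):
    """Number of passwords that fit the pattern: product of the class sizes."""
    total = 1
    for cls in pattern:
        total *= len(CLASS[cls])
    return total


def unrestricted_combinations(length, alphabet_size=36):
    """Same length, any case-insensitive letter or digit at every position."""
    return alphabet_size ** length


def matches_pattern(password, pattern=ENVIRON):
    """True if the password (case-insensitive) has the pattern's class at every position."""
    p = password.lower()
    return len(p) == len(pattern) and all(ch in CLASS[cls] for ch, cls in zip(p, pattern))


def pattern_report(pattern=ENVIRON):
    """Search-space sizes in counts and bits, and how many times smaller the
    patterned space is than the unrestricted one of the same length."""
    patterned = pattern_combinations(pattern)
    free = unrestricted_combinations(len(pattern))
    return {
        "pattern": pattern,
        "patterned_space": patterned,
        "patterned_bits": round(math.log2(patterned), 1),
        "unrestricted_space": free,
        "unrestricted_bits": round(math.log2(free), 1),
        "reduction_factor": free / patterned,
    }


if __name__ == "__main__":
    print(matches_pattern("pinray45"), pattern_report())
```

A guesser who knows the policy only needs to enumerate the patterned space, so the policy itself leaks about 12 bits of the 41 that eight case-insensitive alphanumerics could have carried; the same product rule applies to any other mandated structure, such as "word followed by two digits".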
Guarding user passwords
Computer users are generally advised "never write a password down anywhere, no matter what" and "never use a password for more than one account." These maxims, while sound in theory, ignore the reality that an ordinary computer user may have dozens of password-protected accounts. The multitude of accounts often ends up with users having the same password everywhere. A user's attempt to comply will often result in many forgotten passwords, even for important accounts.
If passwords are written down, they should never be kept in obvious places such as address books, Rolodex files, under drawers or keyboards or behind pictures. Perhaps the worst, but all too common, method is a Post-it note near the computer. Better locations are a safe deposit box or a locked file approved for information of comparable sensitivity to that protected by the password. Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form. Another approach is to use a single password for low security accounts and select separate, strong passwords for a smaller number of high-value applications such as online banking.
At a 2005 security conference, an expert from Microsoft was quoted as saying: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them." [3]
Whether it is worse to use weak passwords that are memorized or strong passwords that are written down can provoke fierce debate among experts. Practical security in the real world generally requires balancing conflicting requirements and human factors.
Password discovery
Passwords can be discovered by shoulder surfing, burglary, extortion, blackmail, threats, or other methods. Dumpster diving is surprisingly fruitful for situations in which sensitive printed data is discarded with insufficient precaution; it is said to be part of the techniques which have produced the recent rise in identity theft. Approximate password length can be discovered even without shoulder surfing by simply counting keyboard clicks or noting finger motions. Research published by IBM in 2004 shows that each key on a keyboard has a distinctive acoustic signature, allowing keyed in data, including passwords, to be recovered by analyzing recordings from a covert listening device or "bug." See: Acoustic cryptanalysis.
Obtaining passwords by psychological manipulation of users is an example of social engineering. An attacker might telephone a user and say "Hi. Systems Control here. We're doing a security test. Can we have your password so we can proceed?" Systems administrators and other support staff will very rarely, if ever, need to know a user's password in order to perform their jobs. System administrators with "root" or superuser privileges can change the users' passwords without their permission, so they have no need whatsoever to ask for it. In addition, they will go out of their way not to ask for a password, precisely because they do not want to encourage the habit of giving passwords to anyone. Users do not generally appreciate that any of this is so, and are thus too often vulnerable to social engineering.