To relaunch Open Intel, I decided to refresh the Security for a New Year series. This will be the first part of a several post series on good security practices. Today’s topic: strong passwords.

In today’s society we are connected in almost every way. From social networking to online banking and email to online stock exchange, we have several accounts across several different websites. With each of these accounts ranging in varying degrees of importance, and with the only layer of security we have being passwords, the strength of each password becomes paramount.

The whole subject of passwords introduces several initial problems. While an entire book could be written on the matter itself, lets simply cover the basics of the problems that come with passwords, and some viable solutions.

The first problem that passwords introduce is the strength issue. A **strong** password is defined as one that is both hard for a person to guess, and at the same time hard for a computer to crack. There are two primary aspects of a password that contribute to its strength. The first aspect is **entropy** or randomness of the characters used. The types of characters used are typically broken down into character sets. There are generally at least three character sets that apply to all passwords. They are upper-case letters, lower-case letters, and numbers. Generally this system is simply referred to as case-sensitive alphanumeric, but I feel that it simply does not go into enough detail as to explain how much of a difference this makes regarding the strength of the password.

The reason multiple character sets are used is because they greatly increase the number of possible outcomes. This is primarily directed at slowing down the process in which a computer can crack the password. One primary method for password cracking, and the one this article focuses on explaining is **brute-force** password cracking, or trying every possible combination of characters until the outcome produced matches the password. The best way to explain how entropy makes a difference is by running some scenarios. Lets say that you have a password that is 8 characters long. If you only used numeric characters that gives you ten (0-9) possible characters for each position in the password. That means there are a maximum of 100,000,000 possible combinations. While that may seem like a lot, if we take varying aspects out of the equation such as the hashing algorithm used for the password, and other security measures such as lockouts; a decent system built for cracking can usually attempt about 500 million password guesses per second. That means in roughly .2 seconds that system would have went through every possible combination of numbers and is guaranteed to have guessed the password.

Now if we add lower-case letters to the password that adds another twenty-six (a-z) possible characters for each position in the password. Using our current 8 character password and including the numeric character set this makes 36 possible characters for each position. This brings us to a grand total of 2,821,109,907,456 possible combinations. You can see how this greatly increases the strength of the password. However, using our password eating system at 500 million guesses per second, this would take approximately 94 minutes to cycle through every possible combination, and inevitably guess the password.

Now if we add upper-case letters, that adds another twenty-six possible characters to each position of our password. This brings a total of 62 possible characters for each position. Using permutations this provides a maximum total of 218,340,105,584,896 possible combinations. While the number of possible combinations is very high, it would still only take our password eating system at 500 million password guesses per second around 121 hours to cycle through every possible combination and guess the password. In other words, in less than a week (roughly 5 days) the system could break the password.

Considering how easily a system can break passwords using the three primary character sets it poses the question of how to overcome this. Some passwords allow symbols, and while that character set adds another 32 (33 if you include a space) possible characters to each position it still doesn’t make it unreasonable to try cracking the password. For the mathematics lovers, that is a total of 6,634,204,312,890,625 possible combinations and would take roughly 154 days for the system to guess every possible combination. Along with symbols comes another issue. Not all passwords can use symbols, and even if they did we still cannot make it infeasible to try cracking the password. Even more so, some systems that allow symbols in passwords do not allow all possible symbols, thus making it even faster for the password to be cracked.

So how do we resolve this issue? This is where the other aspect of password strength comes into play. I refer to this aspect as **character space** some other places may refer to it in other manners, but the basis is still the same, it refers to the length of the password. With the strength through entropy methodology, it only adds an additional number of character possibilities for each position in the password. Character space exponentially strengthens the password as it adds another position – with all character sets used for possibilities in that space. To explain this in more layman’s terms we will go back to our examples. Using case-sensitive alphanumeric (upper-case letters, lower-case letters, and numbers) on a password with a character space of 8 we had a total number of possible outcomes of 218,340,105,584,896 which as we determined could be cracked in under a week. If we use the same three character sets, and set the character space to 10 we end up with a total number of 839,299,365,868,340,224 possible outcomes. Which using our password eating system at 500 million password guesses per second sets it at roughly 53 years to go through every possible combination and guess the password. So by simply adding two more characters to our password length we added years of time to cycle through every possible combination instead of simply days. With keeping the same number of characters and adding a whole other character set we only gained 149 days.

So what is a recommended password length? I typically use passwords that are significantly longer than required, but a good number to stick with is 16. Most passwords support at least 16 characters and some support a much higher number. To show how much of a difference this makes, using the three primary character sets and a character space of 16 we end up with a whopping 47,672,401,706,823,533,450,263,330,816 possible combinations. Using our password eating system at 500 million password guesses per second that means it would take roughly 30,233,638,830 centuries to cycle through every possible combination and guess the password.

Now I have used a lot of math in these examples and I would like to explain how these equations can be easily understood. I use permutations (character space^number of characters in character set)to determine the number of possible combinations. Next I divide by 60 seconds, 60 minutes, 24 hours, 365 days, and 100 years as necessary. Now the chances of your password being the last guess is highly unlikely. So usually it is a good idea to divide the final number by two to determine the time taken to actually crack the password. For example in our initial case sensitive alphanumeric password with a character space of 8 it is more likely to be cracked in 2-3 days instead of taking the full 5 days. There are also other factors that come into play and may limit the system to 1,000 password guesses per second instead of 500 million. Still, there are other systems that can exceed 500 billion password guesses per second. Either way, a 16 character password stands a much greater chance than an 8 character password.

One more time for the mathematics nerds, a 16 character password using upper-case and lower-case letters plus numbers gives us 62 possible characters per position. That is 16^62 for the equation. This gives us 47,672,401,706,823,533,450,263,330,816 possible combinations for the password. Now we throw this at a monstrous 500 BILLION passwords per second machine. The results:

- 95,344,803,413,647,100 Seconds
- 1,589,080,056,894,120 Minutes
- 26,484,667,614,902 Hours
- 1,103,527,817,288 Days
- 3,023,363,883 Years
- 30,233,639 Centuries

Needless to say, regardless of what sort of machine or cluster of machines your password goes up against (unless of course it is a quantum PC… but that won’t be reliable and readily available for hopefully a long time), 16 characters will ensure your password can withstand the sands of time against a brute force attack.

While this may seem like a perfect solution to resolve all your password concerns, we must go back to the entropy aspect. For starters, brute-forcing is not the only method for cracking passwords, in fact it is typically the last resort. While many of the methods rely on the security measures put in place on the side of the program or site you use the passwords on, there are still **dictionary attacks** or when a system uses a dictionary file of words to attempt to crack the password. Even a 16 character password may not stand a chance against a dictionary attack if it does not have enough entropy. In part 2 of strong passwords I will go into detail about how you can create high entropy passwords that also maintain a high character space.

The second problem that comes with passwords is trying to remember them. In part 3 of strong passwords I will go into further detail about how to maintain several high entropy and high character space passwords.

__Closing__

In closing I hope this helps all of you gain a higher understanding of how the strength of a password can be measured and I look forward to any comments regarding this.

~Michael

*This topic was originally posted on 1-1-2013, but has been refreshed to still be accurate in 2015.*