2026-02-18

Size matters


Exactly one year ago, my colleague Alexander asked a question. Some topics take a little longer to mature. His question was about passwords and whether it’s really necessary to make them overly complex. He sent along a well‑known chart that illustrates how quickly passwords can be cracked. Let me break it down for you, because it contains a lot of interesting information.

I’ll start with the title. The key term is ‘brute‑force attack’. Brute force against what? Any system you want to log into contains a file with all user accounts. After all, the system must be able to check whether you’re allowed in. Unless its designer has been living under a rock, the passwords in that file are not stored in plain text. Otherwise, anyone who manages to steal the file would have free access. Instead, the passwords are stored in encrypted form. When you log in, the password you enter is encrypted as well, so it can be compared to the stored version.

An attacker needs many attempts to crack your password. If they try logging into a website with your account, your account will usually be locked after a few failed attempts. That lockout is a security measure against brute forcing. So, that approach gets the attacker nowhere. What they really want is the full password file, so they can attack it offline without getting locked out. Of course, they first have to break into the target system to steal it.

Let’s assume they succeed. They then use a powerful computer to attack the accounts in that file. The chart shows how long that would take. Vertically, the password length increases from four to eighteen characters. Horizontally, the number of possible characters increases. The first colourful column represents ten characters: the digits zero through nine. The next columns give you 26, then 52, then 62 characters. The last column represents all possible characters – digits, uppercase and lowercase letters, and symbols (! @ # $ % ^ & * ( ) - _ = + etc.) – about 94 characters (‘printable ASCII’).

In the top-left corner, you see that a four‑digit password offers no resistance at all. There are only a thousand possible combinations, meaning the attacker needs about five hundred guesses on average. That’s just too easy. In the bottom‑right corner is the other extreme: eighteen characters chosen from 94 possible symbols. That gives you 3.28 × 10^35 possible passwords – roughly a three followed by 35 zeros. According to the table, a powerful cracking computer would need 463 trillion years to guess it. A trillion is a thousand billions; the universe is only 13.8 billion years old.

What I find far more interesting is that the table changes much more vertically than horizontally. In other words: length matters far more than complexity. If you make a numeric‑only password four times longer, the attacker suddenly needs two thousand years. Meanwhile, expanding the character set (at the same length) hardly affects the cracking time. And if you look at the row for fifteen characters, a password made up of only lowercase letters already takes nearly half a billion years to crack. That square could have been coloured green, as far as I’m concerned.
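To make the length-versus-complexity point measurable, here is an added Python model (not part of the original post or of the chart's own tooling) that computes keyspace size and crack time for any cell of such a table. The guess rate is an assumption, since the post does not state the chart's hardware; implied_guess_rate derives it from any cell you read off the chart, and the demo uses a constructed 100,000 guesses per second.

```python
"""Keyspace and crack-time model for a password-cracking chart."""

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Character-set sizes of the chart's columns.
CHARSETS = {"digits": 10, "lower": 26, "mixed case": 52,
            "alphanumeric": 62, "printable ASCII": 94}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return charset_size ** length


def crack_time_years(charset_size: int, length: int,
                     guesses_per_second: float, exhaustive: bool = True) -> float:
    """Years to try the whole keyspace (or half of it: the average case)."""
    guesses = keyspace(charset_size, length)
    if not exhaustive:
        guesses = guesses / 2
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def implied_guess_rate(charset_size: int, length: int, years: float) -> float:
    """Guesses per second that a chart cell implies (exhaustive search)."""
    return keyspace(charset_size, length) / (years * SECONDS_PER_YEAR)


def min_length_for(charset_size: int, guesses_per_second: float,
                   target_years: float) -> int:
    """Shortest length whose exhaustive crack time reaches target_years."""
    length = 1
    while crack_time_years(charset_size, length, guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1e5  # constructed assumption: a slow-hash cracking rig
    for name, n in CHARSETS.items():
        row = [crack_time_years(n, L, rate) for L in (4, 8, 12, 16)]
        print(f"{name:16s}", "  ".join(f"{y:10.3g} yr" for y in row))
    # Vertical move: digits only, four times longer (4 -> 16 characters).
    print("x", keyspace(10, 16) // keyspace(10, 4))   # 1000000000000
    # Horizontal move: same length, 10 -> 94 possible characters.
    print("x", keyspace(94, 4) // keyspace(10, 4))    # 7807
    print("lowercase length for 100 million years:",
          min_length_for(26, rate, 1e8))
```

The two ratios are the post's point in numbers: quadrupling a digits-only password grows the keyspace a trillionfold, while widening the character set at the same length grows it by under ten thousand.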

Conclusion: if a password is long enough, you don’t need to worry about complexity. Many systems insist you include at least one digit, one lowercase letter, one uppercase letter, and one symbol — but that’s unnecessary if your password is sufficiently long. Allow your password manager to generate and store those long passwords for you. For the few passwords you can’t store — such as the master password for your password manager — choose something you can remember but others can’t easily guess. For example, “You won’t hack my password” or “mhallfwwasmfwas” (Mary had a little lamb…).
