Originally posted on October 3, 2018 by Damien

Having worked in IT for many years, I thought I had a good handle on how to create a secure password. My passwords didn’t use dictionary words, I used mixed case, numbers and symbols. Of course, they were damn difficult to remember, so I ended up using words and substituting numbers and symbols into them.

Well, it turns out that doing that probably made my passwords easier to crack. How could that be? Well password cracking tools are pretty sophisticated these days, and they automatically try common letter/number substitutions (like replacing an “o” with a zero). A while back I found an xkcd comic that explained exactly how easy such passwords are for computers to crack.

To cut a long story short, it’s better to have a long password made up of just lower-case letters than a short password made up of any of the printable characters. The maths isn’t that hard: it’s simply the number of characters you have to choose from, raised to the power of the password’s length. As an example, let’s compare an 8 character password made from any of the 95 ASCII printable characters (essentially, any character you can type using your keyboard):
95^8 = 6.6 x 10^15 potential passwords (that’s a 6 with 15 zeros after it…)

That seems like a lot, but let’s look at doubling the password length to 16, but only using the 26 lower-case letters:
26^16 = 4.3 x 10^22 potential passwords

That’s a lot more passwords, and you can easily make a 16 character password from three or four words. So, how does that affect someone trying to crack your password? Simply put, the more guesses an attacker has to make, the longer it takes them to crack the password.

How long are we talking? Well, it depends on how the password is dealt with, and that can get quite complicated. In the interests of simplicity, then, I will just use some figures I pulled out of thin air (but based on real world situations) to demonstrate. Let’s assume an attacker wants to crack your password, and you’ve been smart enough not to use a dictionary word. The attacker will only be able to guess a certain number of passwords a second, and assuming they’ve got access to some decent hardware, this could be as many as 1 trillion guesses per second. That means it will only take, in a worst case scenario, 6634 seconds (a bit under two hours) to crack an 8 character password.

So, with a password using 16 lower-case characters, a brute force attack will take 1382 years. That’s a much safer password, right? Well, not really. It turns out that if you use dictionary words, then it takes much less time to crack than expected.

When looking for resources to test how much quicker it is to crack a pass-phrase made up of dictionary words, I found the Diceware password generator page. This is a method of generating a password using 5 dictionary words selected by rolling dice (using something like dice removes security issues related to random number generation on a computer). The handy thing is that they have not one, but two dictionaries you can use. This is great, because it gives us some numbers to work with.

Firstly, it gives us a good size for our potential pool of words (7776, in this case), and secondly, allows us to find an average word length (about 4 characters). This means that our 16 character pass-phrase using dictionary words is about 4 words long. We can use the same formula as before to determine how many tries it will take to crack our password, except it will be the number of words in our dictionary to the power of the number of words we choose:
7776^4 = 3.6 x 10^15

That’s actually less than the number of tries we need for an 8 character password.  It also means that the time to crack that password will be just over 1 hour. So, how do we fix that problem?
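The three calculations above, worked through in code. This is an added example, not part of the original post: it takes the post’s figures (95 printable characters, 26 lower-case letters, a 7776-word Diceware list, 1 trillion guesses per second) and reproduces the keyspace, worst-case crack time and, as a bonus the post does not show, the equivalent number of bits of entropy. The conversion to years assumes a 365.25-day year.

```python
import math

# Figures from the post: an attacker trying 1e12 guesses per second.
# The 365.25-day year is my assumption for converting seconds to years.
GUESSES_PER_SECOND = 10**12
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(symbols: int, length: int) -> int:
    """Number of possible passwords: alphabet size raised to the length.
    For a passphrase, `symbols` is the dictionary size and `length` the word count."""
    return symbols ** length


def entropy_bits(space: int) -> float:
    """The same quantity on a log scale: how many bits of guessing an attacker faces."""
    return math.log2(space)


def worst_case_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the given guess rate
    (on average the password is found about halfway through)."""
    return space / rate


def describe(label: str, symbols: int, length: int) -> dict:
    """Summarise one password scheme: keyspace, bits, hours and years to exhaust."""
    space = keyspace(symbols, length)
    secs = worst_case_seconds(space)
    return {
        "label": label,
        "keyspace": space,
        "bits": round(entropy_bits(space), 1),
        "hours": secs / 3600,
        "years": secs / SECONDS_PER_YEAR,
    }


# The three cases worked through in the post.
CASES = [
    ("8 chars, 95 printable ASCII", 95, 8),
    ("16 chars, 26 lower-case letters", 26, 16),
    ("4 Diceware words from a 7776-word list", 7776, 4),
]


def compare(cases=CASES) -> list:
    """Return one summary row per scheme, in the order given."""
    return [describe(*case) for case in cases]


if __name__ == "__main__":
    for row in compare():
        print(f"{row['label']:<42} {row['keyspace']:.2e}  "
              f"{row['bits']:5.1f} bits  {row['hours']:12.1f} h  {row['years']:10.2f} y")
```

Running it prints the 6634 seconds, 1382 years and "just over 1 hour" from the post side by side, and the bits column makes the point more directly: 8 printable characters and 4 random dictionary words are both around 52 bits, while 16 random lower-case letters are about 75 bits.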

Well, one solution suggested on the Diceware page is to randomly select 1 letter in one word to be replaced by a randomly selected symbol. Because this is random, a cracking tool won’t be able to use common substitutions to defeat it. You could also insert a random number or symbol between one or more words, or even just capitalise a random letter in the pass-phrase. Any of these tricks will achieve the same result.
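To show what the random-symbol trick buys, here is an added example (not the Diceware project’s own code or the post’s): a small Diceware-style generator plus the keyspace arithmetic for the augmented pass-phrase. It assumes Python’s `secrets` module (the OS random source) as the software stand-in for the dice rolls the post describes, a constructed 36-word list so it runs offline, the post’s 7776-word list size for the maths, and the 32 ASCII punctuation characters as the symbol set.

```python
import math
import secrets
import string

# Constructed 36-word list so the example runs offline. A real Diceware list
# has 7776 words (five dice rolls, 6**5); that size is used for the maths below.
WORDLIST = """
apple brick cloud dance eagle flame grape house ivory joker knife lemon
mango noble ocean piano queen river stone tiger umbra vivid whale xenon
yacht zebra amber blaze crisp dusk ember frost glide haze inlet jade
""".split()
DICEWARE_SIZE = 7776
SYMBOLS = string.punctuation          # 32 printable ASCII symbols
GUESSES_PER_SECOND = 10**12           # the post's attacker


def diceware_passphrase(words: int = 4, wordlist=WORDLIST, augment: bool = False) -> str:
    """Pick `words` entries uniformly with the OS CSPRNG (stand-in for dice).
    With augment=True, one uniformly chosen letter is replaced by a uniformly
    chosen symbol, the trick suggested on the Diceware page."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    phrase = list(" ".join(chosen))
    if augment:
        # Choose the position across all letters, not per word, so every
        # letter is equally likely to be the one replaced.
        letter_positions = [i for i, ch in enumerate(phrase) if ch != " "]
        phrase[secrets.choice(letter_positions)] = secrets.choice(SYMBOLS)
    return "".join(phrase)


def augmented_keyspace(words: int = 4, letters: int = 16,
                       dictionary: int = DICEWARE_SIZE, symbols: int = len(SYMBOLS)) -> int:
    """Keyspace once a random letter is replaced by a random symbol: the attacker
    must also guess which of `letters` positions and which of `symbols` was used."""
    return dictionary ** words * letters * symbols


def extra_bits(letters: int = 16, symbols: int = len(SYMBOLS)) -> float:
    """Entropy the substitution adds on top of the bare word choice."""
    return math.log2(letters * symbols)


def augmented_worst_case_days(**kwargs) -> float:
    """Days to exhaust the augmented keyspace at the post's guess rate."""
    return augmented_keyspace(**kwargs) / GUESSES_PER_SECOND / 86400


if __name__ == "__main__":
    print(diceware_passphrase())
    print(diceware_passphrase(augment=True))
    print(f"extra bits: {extra_bits():.1f}, worst case: {augmented_worst_case_days():.1f} days")
```

With 16 letters and 32 symbols the substitution multiplies the keyspace by 512, exactly 9 extra bits, which turns the "just over 1 hour" figure into about three weeks at the same guess rate. That is a real improvement but still far short of the 16 random lower-case letters; adding a fifth or sixth word (another 12.9 bits each) does more than any single substitution.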

Whatever solution you use, the result is a pass-phrase that is hopefully easy to remember, and is not likely to be easily cracked.