The Anatomy of a Good Password

The recipe for a good password is not an easy one. It needs to be at the same time easy for the user to remember and hard for the computer to guess. Unfortunately past (and too often current) rules for the password complexity have been exactly the opposite.

First rule of password: Length

Complex strings with special characters does not create memory association to concrete words, items or memories which makes them really hard to remember. Humans can remember short random strings but soon as strings length increases it becomes harder to remember.

Second rule of password: Entropy

Entropy tells us how many character combinations could exits for any given password. Entropy is usually expressed as bits giving us binary logarithmic expression of password quality. Exact formula is log2( (sum of possible characters)length).

If your password requirement is one digit and one digit only, your password could be anything from 0 to 9. Single digit from 0 to 9 can be expressed in bits of 00000000 (0) to 00001111 (15) giving us entropy of four (bits), ie. log2(101)=3.3219 ≈4.

If your password requirement is exactly eight alphanumeric characters then your passwords entropy would be binary logarithm (log2) of exponent of length (8) of possible combinations (26 lowercase, 26 uppercase and 10 digits), ie. log2((26 + 26 + 10)8) ≈ 48 bits.

Third rule of password: It’s easy to remember

Human brains are exceptional bad at remembering random characters or strings. Brain’s memory works by creating links to things you need to remember. If you need to remember something where there is nothing link it against, it becomes much harder to remember. By choosing common words as password (your brain has already created links for those words), the password is much easier to remember.

xkcd: Password strength (Image courtesy of xkcd)

In order to help you to use proper passwords in the future, Wrecked Security has made the Pretty Good Password Generator. PGPG runs client side (javascript) with little help from the server on wordlist (as it would be really inconvenient to download several megabyte wordlist for simple password). Source code is completely open sourced so you can evaluate it your self.


One thought on “The Anatomy of a Good Password

  1. The above comic is currently redundant owing to a hypothetical I saw last year (2017):
    Suppose a dictionary attack using Wikipedia and some popular sites as dictionaries was performed by a botnet with enough total guessing power, the strength of your password becomes the same as “8145” (not my bank card PIN).
    Even with variations, the attack software could be setup to generation them, eg “c0rrect”.
    It may seem lengthy, but ultimately a randomised password with fair length is best.
    With logins, a server can limit the attempts to, say 3 per minute, which is good practice as it mitigates dictionary and brute force, however, if you’ve encrypted a file, patition, or drive and it is in, say “unwanted hands”, there’ no telling the resources those hands have access to. A local attack on an encrypted header to procure the key would take a lot longer if the “words” were not in a known language, say “Epithex Dandunf, Loredal, Phropolus 1234” (obligatory numerics), or simply a random mess of decent length.
    Sure, it is a nuisance, but it is the only truly “safe” password.
    Furthermore, you’ll need one for each site, file, partition, etc.
    This is where a “keyring” comes in. Not a software one, a notebook. Paper, invented before toilets. Get a pocket-sized notebook with an index so passwords are easy to look up.
    Yes, that IS over the top, but it comes down to two things: 1) What you’re trying to hide and 2) From whom you’re trying to hide it. If you’re not an international cy criminal or a government agent, you’re likely safe with batteries and horses.
    Other than that, nice articles, good site, very retro, but I like that.

    All the best and don’t bother following me,
    (just another internet user)

Leave a Reply

Your email address will not be published. Required fields are marked *