Why passwords generally don’t…

Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.
Clifford Stoll

Passwords are always a thorny topic in IT departments, and everyone (including their Aunty) has an opinion. I’ve seen loads of different policies, rules of thumb and fudges trying to get users to keep your estate safe. Here are a couple of lesser-known ones:

  • CVC, Consonant-Vowel-Consonant, is a way of grouping random letters into arrangements that are phonemes and are almost always ‘sayable’. For example, your policy might dictate 4 groups of CVCs, such as POWHATBOTZEB. This is easier for us because our brains are designed for language processing (a benefit of being a higher functioning species*). Now I can repeat over and over that my password is phonetically pa?w hæ?t bot zeb. On the plus side this is really easy to remember. On the down side it is trivial to crack: if we explore the technical elements of this 12-character password it has a very limited degree of entropy, approximately $latex 21^{8}+5^{4}\approx 37\,\text{Billion}$**
  • Numeric, hardly even worth commenting on this! Only entertain this in a Two Factor Authentication (2FA) chain. Your bank card PIN only has 10,000 possible combinations***.
(Image: XKCD comic.) All credit to XKCD, www.xkcd.com, for this pic.

You may now be thinking “37 Billion seems like a pretty big number!”, and you’d be right. It is, however, smaller than 12 Trillion, but that’s not relevant. What is relevant is that someone realised that a GPU basically just does maths, but it does it at incredible speed and with incredible efficiency to figure out exactly what pixel needs to be where and in what colour. This means that with a little bit of tweaking, instead of calculating vectors (the effective unit of calculation within a GPU), you could use it to calculate passwords. Companies such as Elcomsoft claim that their product can crack passwords at a rate of 2.8 Billion per second. So looking at my CVC example… carry the one… divide by the second order prime… you would probably have the password by the time you had opened up solitaire.

Normal Password Life

OK, so few places will use CVC. It’s a lot more likely that you have a normal alphanumeric password policy, and I’m going to prove the POWER OF MATHS by showing you two examples of complex passwords, one at 8 characters and the other at 12.

Lots of organisations run with an eight-character complex password, which is one that can use any of the numbers, symbols, and upper and lower case letters you have on a standard UK English keyboard. This gives you about 96 different options per character. $latex 96^{8}\approx7.21\times10^{15}$, or 7.21 Quadrillion (short scale). At 2.8 Billion guesses per second that would take 2.6 Million seconds, or about 7 hours.

Now if you consider a complex password of 12 characters, and crunch the numbers once again, we get $latex 96^{12}\approx6.13\times10^{23}$, which is 613 Sextillion, a number with twenty-one zeroes after it (or in engineering terms, a big number).
Using the same software again, $latex 6.13\times10^{23}\div2.8\times10^{9}\approx2.19\times10^{14}\,\text{secs}$. I won’t bore you with the rest of the maths, but that comes out at 6.9 million years.
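As an added example (not part of the original post), here is the keyspace-and-crack-time calculation above carried through for every policy the post mentions: the 4-digit PIN, the 4 × CVC password, and the 8- and 12-character complex passwords. It counts the keyspace as the product of the alphabet size at each position (21 consonants, 5 vowels, 10 digits, 96 keyboard characters) and divides by the 2.8 billion guesses per second quoted from Elcomsoft; the class letters and the policy names are my own labels.

```python
"""Worst-case brute-force time for password policies at a fixed guess rate."""
import math

# Alphabet sizes used on the page: 21 consonants, 5 vowels, 10 digits,
# and ~96 printable characters on a standard UK keyboard.
CLASS_SIZES = {"C": 21, "V": 5, "D": 10, "X": 96}
GUESSES_PER_SECOND = 2.8e9  # GPU cracking rate quoted in the post


def keyspace(pattern: str) -> int:
    """Number of distinct passwords for a per-position class pattern.

    Each character of `pattern` names the class allowed at that position
    (C, V, D or X above); the keyspace is the product of those sizes.
    """
    total = 1
    for cls in pattern:
        total *= CLASS_SIZES[cls]
    return total


def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(space)


def worst_case_seconds(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return space / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = (("years", 365.25 * 86400), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0), ("seconds", 1.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


# Policy names are constructed labels for the cases discussed on the page.
POLICIES = {
    "4-digit PIN": "DDDD",
    "4 x CVC (12 letters)": "CVC" * 4,
    "8-char complex": "X" * 8,
    "12-char complex": "X" * 12,
}


def report() -> list[tuple[str, int, float, str]]:
    """(policy, keyspace, entropy bits, worst-case crack time) per policy."""
    return [(name, keyspace(p), entropy_bits(keyspace(p)),
             human_time(worst_case_seconds(keyspace(p))))
            for name, p in POLICIES.items()]


if __name__ == "__main__":
    for name, space, bits, duration in report():
        print(f"{name:22} {space:>28,}  {bits:5.1f} bits  {duration}")
```

The 12-character case lands at about 6.9 million years as the post says; note that the 2.6 million seconds for the 8-character case works out to roughly 30 days.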

Great! You’ve stopped me getting hacked…

You could just take the view that, “Oh well, users will just need to remember longer passwords…”, and indeed you could. This might not, however, be the best long-term option. After a lot of Binging and researching I found a paper from the University of Cambridge, The memorability and security of passwords: some empirical results.

Users assigned to the random password group reported that they found their passwords more difficult to remember (significant at t = 8.25, p < .001), and that they carried a written copy of their passwords for far longer (significant at t = 6.41, p < .001).

If a password is harder to remember then people will, statistically, be more likely to forget it. If they forget it then they will have to call the helpdesk to get it reset. It stands to reason that a longer password will be harder to remember, and BANG, there’s a call to the helpdesk to get it reset.

So instead of losing money through an attack, you lose money in helpdesk calls.

Argh!!!

Yes, argh indeed, but it needn’t be. Technologies like Identity Management and Two Factor Authentication can let you fix both the problem of not really wanting to get hacked and the problem of not really wanting to take so many helpdesk calls; and these will be my blog subjects over the next couple of weeks.

FIN

*Probably
**This sum is the number of consonants and vowels, taken to the power of how often they are used in the password.
***That’s a 9999 PIN plus 1 :)

PS: My maths could do with checking on this one, if you notice a problem let me know!
PPS: An interesting article on this can be found at Ars Technica

Story by John Bradshaw.