Password size does matter

Length is more important than complexity when it comes to secure passwords - and here's a $100 wager to prove it

This week’s scheduled column on security maturity has been rescheduled for next week.

It's because I can’t take the misinformation anymore.

I was recently contacted by the company that manages my stock to open up a new Web site log-on account. During new account creation, it asked me to input a secure password. So, I put in my normal password that is 21 characters long followed by 10 characters that are unique per Web site, but only uses lowercase letters. The length of the base password prevents basic password cracking and guessing, while the additional characters make the overall password (or pass phrase) unique so that no two resources ever have the same password.

At 31 characters long, my password is all but unhackable. Attackers will need to find another way to compromise my account rather than trying to guess it or crack it with brute force.

But of course, as usual, the finance company's Web site required that my password be complex, using three of four presented sets of characters, such as at least one uppercase character or one nonalphanumeric symbol. So although the password could be only six characters long, according to their policy, it also had to be complex.

The conventional thinking is that the additional complexity presents such an increased workload for the hacker that complexity is the holy grail of password hacking prevention. After all, conventional wisdom says that all the good Web sites require complexity. Heck, a Microsoft Windows log-on password requires complexity. Every new password policy I read requires complexity -- but gives scant consideration to the equal (or better) importance of longer password length.

They're all wrong! Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords.

For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.

Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.

But conventional wisdom will have you believe that increasing complexity forces the password attacker to use significantly more possible characters in their attack. In the X^L formula example, forcing the use of capitalized letters requires the value of X to go from 26 for all possible lower case letters to 52 for both upper case and lower case letters. And if you include nonalphanumeric characters, X goes up to 94 to support all the normal single characters you can type on a 101 keyboard. Windows will allow you to use any Unicode character, which includes upwards of 65,000 different symbols.

Of course, most people only use the 94 standard keyboard keys. And if people actually evenly used the 94 characters of potential complexity, short passwords would be uncrackable, because 94^8 = 6,095,689,385,410,816 possible passwords -- which is uncrackable using anything known today or in the near future.

The problem with this analysis is that complexity cannot be guaranteed, and for the most part will be circumvented by your end-users. Whether you give them 94 characters or 65,000 characters to choose from, most will choose to include the same 32 characters (several studies have discussed this, including this Microsoft debate).

This means that the effective password space for most environments is 32^L, plus a few more characters. In the study cited above, 10 percent of the cracked passwords only used the included 32 characters. It's important to note that this was a sample of passwords within a company that had a higher state of security than most organizations.

And because most users also use dictionary words as the root to their “complex” password, and follow other common conventions (capitalized letters are at the beginning, numbers are at the end), a simple hybrid attack will break most of them in less than a day. Trust me, I know -- I do it for a living.

There is no easy way to force true password complexity in most environments without a software addition, other than to generate truly random passwords and hand them out to users. They will probably hate you for doing so, but the greater concern is that writing down their passwords makes them even weaker than noncomplex passwords.

If you can’t guarantee true password complexity (and you probably can’t) length is your best bet. I’d guess that a typical good, knowledgeable password hacker can crack up to nine-character passwords within normal levels of ability and resources. At 10 characters, it becomes very hard to crack, regardless of complexity.

So, when trying to increase the strength of your passwords, my advice is to consider length as much or more than you consider complexity. For my money, length is all the protection I need. Make your admin and root passwords 15 or more characters long and forget about complexity -- at 15 characters-plus, they are all but uncrackable.

If you still don’t believe me, participate in my password cracking challenge. Win $100 and books. Odds are that you’ll crack the 10-character complex challenge long before the 15-character no-complexity password.

Copyright © 2006 IDG Communications, Inc.