
Password Not Acceptable

ModSquad

Password not acceptable.  Must contain symbols and numbers.

Pretty much everyone who does anything online has been frustrated by a message like that when setting a password for an account.  “Does it even matter!” we want to shout.  Why must we be inconvenienced with arcane-sounding requirements for passwords?  Isn’t a simple PIN or six ordinary letters good enough?  Why must our favorite Web sites or our company’s IT department heap yet another layer of complexity onto our already overburdened lives?  What difference do numbers and symbols make, anyway?

As it turns out, quite a lot.

I decided to game out the math involved in password complexity using WolframAlpha, the Internet’s go-to site for anything involving calculations and mathematical geekery.  A bellwether of the effectiveness of a password is how many possible combinations of letters, numbers and everything else there are.  The question to ask is: How long would it take someone (or, more accurately these days, their hacking program) to attempt every possible combination to try and happen upon the one that you have chosen as your password?

The math for this is pretty simple as math goes.  To find the number of possible combinations in a password, take the number of possible characters for each position (the "base") and raise it to the power of the number of positions (the password's length).  Here are some examples:

  • One-digit numerical password: any number 0 through 9, so ten possible combinations.  10^1=10.
  • Two-digit numerical password: two positions, each any number 0 through 9.  It could go from 00 to 99, a hundred possible combinations.  10^2=100.
  • Imagine if we had an eight-digit password… but the only character available for use was “1”.  The only possible password would be “11111111”.  (Don’t laugh: for 20 years, the launch code at U.S. Minuteman missile silos was 00000000.)  So only one possibility.  1^8 is still just 1.  If we went binary, and allowed 0’s and 1’s, we would have 2^8, or 256.  If that number seems familiar, you’ve probably been in IT for a while.

To move to more real-world examples, a numerical password is base 10, so the number of combinations is 10^x, where x is the number of digits.  For alphabetical passwords (lowercase only), there are 26 letters in the alphabet, so it’s 26^x.  If you allow uppercase letters too, you’re at base 52, so it would be 52^x.  Allowing numbers and letters extends this to base 62.  Throw in the symbols (the characters above the numbers, the brackets, punctuation, and the tilde key to the left of the 1), and you’re at base 88.

When they ask you to include symbols and numbers and uppercase letters, the IT folks are trying to increase the base factor discussed above.  As it turns out, boosting the base has a ginormous impact on the number of possible combinations.  If we take just a four-digit code and increase the base from 10 to 26, we expand the number of possible combinations by a factor of over 45!  Adding digits counts, too, but it’s expanding that base that seems to pack the most punch in terms of increasing the security of your password.  For maximum effect, you want to do both: make the password longer, and make each digit have more possible characters.  Of course, this is exactly the stuff that annoys users.   Simply going from a 6-digit passcode without capital letters to an 8-digit code with caps may be inconvenient, but it boosts password complexity by an astounding 100,340 times.  It’s the power of the base.
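To make the arithmetic above concrete, here is a small added example (not part of the original post) that computes the keyspace, the equivalent number of bits, the gain from changing base or length, and the worst-case time to try every combination at an assumed guess rate.  The guess rate is an illustrative assumption, not a figure from the post.

```python
import math

# Character-set sizes ("bases") used in the post.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "alphanumeric": 62,
    "alphanumeric_symbols": 88,
}


def keyspace(base: int, length: int) -> int:
    """Number of possible passwords: base raised to the length (e.g. 10^4 = 10,000)."""
    if base < 1 or length < 1:
        raise ValueError("base and length must be positive")
    return base ** length


def entropy_bits(base: int, length: int) -> float:
    """The same quantity expressed in bits: length * log2(base)."""
    return length * math.log2(base)


def complexity_gain(base_from: int, len_from: int, base_to: int, len_to: int) -> float:
    """How many times larger the keyspace becomes when moving from one policy to another."""
    return keyspace(base_to, len_to) / keyspace(base_from, len_from)


def seconds_to_exhaust(base: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at a given guess rate."""
    return keyspace(base, length) / guesses_per_second


if __name__ == "__main__":
    print(f"4-digit PIN:             {keyspace(10, 4):,} combinations")
    print(f"4 lowercase letters:     {keyspace(26, 4):,} combinations")
    print(f"gain from base 10 to 26: {complexity_gain(10, 4, 26, 4):.1f}x")
    rate = 1e9  # assumed guess rate, for illustration only
    for name, base in CHARSETS.items():
        days = seconds_to_exhaust(base, 8, rate) / 86400
        print(f"{name:21s} 8 chars: {entropy_bits(base, 8):5.1f} bits, "
              f"{days:,.2f} days to exhaust at {rate:.0e} guesses/s")
```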


A couple of caveats:  Mere complexity is just one factor in how secure a password is.  If your password is “password01” or “pa$$word”, hackers will break it sooner rather than later.  Most hackers go down a list of commonly used words and phrases to try first before just feeding in random sequences.  A rule of thumb: if it’s in the dictionary, or the name of a person, it shouldn’t be in your password.  It’s also not much use choosing an uber-complex password if you sticky it to your monitor, or even the inside of a desk drawer, thereby permitting a passer-by or amateur thief to view it.  Companies can also do dumb things like storing your password unencrypted on their servers (you hardly ever hear of a plain-text password hack these days, but it will probably happen again somewhere).  IT departments should be mindful that overbearing complexity requirements will probably result in monitor-stickied passwords, defeating the purpose of increasing complexity by pushing users into opening other security holes.  There are also other methods of hacking passwords besides brute force.  But in the end, it’s the campers and hungry bear principle: you don’t have to be Superman to survive a hacker bear attack.  You just have to not be one of the slowest campers who uses “pa$$word” or “(TheirName)123.”

Sometimes, adding a little complexity to your life can be good. Like now.

Benjamin Stockton
Project Manager