About password complexity: Are we fooling ourselves?

Many of the beliefs we have around what constitutes a “good” password are created by what default policies in software, such as Microsoft, teach us. We are led to believe that a minimum length of 8 characters, a good mixture of UPPER and lower-case, numbers characters automatically make a good password. So what constitutes a strong, but also an easy password to remember? Are they in conflict with each other? Not necessarily.
Let’s delve a little into the analysis behind today’s passwords.

What we need to keep in mind is that computing power has been increasing at an incredible rate and access to this computing power has become easier and easier. Lately, harnessing the power of multiple GPU’s has become the standard method to crack passwords. A recent password cracking cluster built with easily accessible hardware, managed to show that it could crack every standard Windows password in less than 6 hours (GPU Cluster cracks passwords).

Gone are the days of setting a password and never touching it again – at Windows complexity levels, that is. Even changing passwords regularly is no guarantee against a machine that only needs 6 hours to crack open ANY Windows password.

What shall we do?


First of all, we need to understand what makes a password difficult to crack. The key here is LENGTH. Sure, complexity plays a factor, but complexity becomes self defeating if a user cannot remember their own password. Force them to change this complex password every week or month and they WILL start writing it down. This then defeats the object of the exercise, as written down passwords can be snooped and are a very high risk.

Some examples:

A password of 8 characters (only a-z + A-Z) can be cracked by a Supercomputer in approx 5 millionths of a second (0.0005s) or in about 11 seconds by a PC + GPU. This password has an entropy (password strength) value of 45.6 bits.

A password of 8 characters containing a-z, A-Z, 0-9, special characters (`~!@#$%^&*()-_=;:’”,?) will take a Supercomputer 0.06 seconds to crack, and a PC + GPU defeats the password within: 20 minutes.

Just adding another 2 characters now makes our 10 character password crackable in 9 minutes by Supercomputer, but our PC + GPU will now take 125 days! Password entropy has now increased to 65.5 bits.

If we use the calculator at http://www.passwordstrengthcalculator.com then we get this table (if we make a standard password of a-z, A-Z, and 0-9):

– Supercomputer (relatively) –
8 char , 47.6 bits : 0.002 Seconds
11 char, 65.5 bits : 9 min
12 char, 71.5 bits : 9 hours
13 char, 77.4 bits : 22 days
14 char, 83.4 bits : 4 years
15 char, 89.3 bits : 244 years

– PC + GPU (relatively) –
8 char , 47.6 bits : 44 seconds
11 char, 65.5 bits : 120 days
12 char, 71.5 bits : 20 years
13 char, 77.4 bits : 1,269 years
14 char, 83.4 bits : 78,652 years
15 char, 89.3 bits : 4,876,393 years

(I wrote relatively because the time it really takes depends on what encryption/hashing is used on the system/password, type of hardware (how many it can take; 1500 tries vs 15.000 per second), method of cracking, complexity… there are many variables here.)

Should we become a bit creative and construct our password as an easy to remember object of some length such as “Mywifeisallmylove” (17 characters) with an entropy of 96.9 bits, our Supercomputer now needs 47,125 years and our PC + GPU needs about 942 million years to crack this! (Again, depending on method/hardware). On top of being very difficult to crack (by a computer), our password has the advantage of being easy to remember.

This does not mean that ALL restrictions must be removed from password complexity. A good requirement would be 13-16 characters, at least 2 Uppercase and no more than 2 consecutive repeated letters. Maybe throwing in a number or a special character. The 16 character limit allows the password to be used in a Windows environment. The above password would have to be changed to “MydogsNameisBint” (Entropy value of 91.2 bits). It’s kind of impalpable that Microsoft still has that limit. A Unix/Linux system has no such 16 character limit, though.

In general, an entropy of over 80 is considered to be a very strong password. To have 80 bits of security, a password should be 13 or more characters, while a passphrase only needs about 5-7 random words! The bottom line is that a user can not only have a strong password, but also something that is easy to remember.

1. https://en.wikipedia.org/wiki/Password_strength
2. https://en.wikipedia.org/wiki/Password_policy
3. https://redmondmag.com/articles/2013/08/14/password-complexity.aspx
4. http://arstechnica.com/security/2013/06/password-complexity-rules-more-annoying-less-effective-than-length-ones/
5. https://redmondmag.com/articles/2013/08/14/password-complexity.aspx
6. http://www.passwordstrengthcalculator.com/index.php
7. http://thenextweb.com/microsoft/2012/09/21/this-ridiculous-microsoft-longer-accepts-long-passwords-shortens/
8. http://arstechnica.com/security/2013/04/why-your-password-cant-have-symbols-or-be-longer-than-16-characters/
9. http://xkcd.com/936/