Passwords – Where Size Really Does Matter

Sep 30, 2021 | Uncategorized

You may have heard that you need to have a “strong” or “complex” password in order to protect information and/or accounts. We’ve covered the idea before here. We’re going to really deep dive into password strength and complexity and show you the exact reasons why you need to use strong passwords. Forewarning: here there be math! Never fear, we will walk you through it so that you will come out the other side with the ability to wow the people you meet at your next cocktail party with your vast knowledge of password complexity.

What is a strong password?

There is no hard and fast industry standard for what constitutes a strong password. That said, a strong password is generally considered something along the lines of:

  • At least 8 characters long
  • A mixture of upper case, lower case, numbers and symbols (such as !, @, #, etc.)
  • Nothing easy to guess by knowing you: not your birthday, the name of a pet or child, or anything similar

Ideally, your password should not be a word found in the dictionary, or even a combination of dictionary words. That said, if you use a 50-character phrase, you're probably ok, for now.

How the bad guys guess passwords

To really understand why complex passwords are important we’re going to start by looking at how the bad guys can actually guess your password.

Password Acquisition

The common way the bad guys acquire user names and passwords is to breach a company and walk off with its user list: usernames (email addresses), which are stored in the clear, alongside passwords, which are stored hashed. A hash is a one-way fingerprint of the password. Unlike encryption it cannot be decrypted, so anyone who wants the original password has to guess it and check whether the guess produces the same hash.

Password Cracking

Once the list of hashed passwords is acquired, the bad guys set about recovering the original passwords. Because a hash cannot be reversed, "cracking" means guessing a candidate, hashing it the same way the site did, and checking whether the result matches. The most common approach is a dictionary attack. Using freely available software on specially built computers, they first run through a generated list of the most common passwords and their variants, then the entire dictionary (ALL of it). They also apply "mangling rules": appending numbers before, between, or after words, and replacing letters with look-alike digits and symbols (the letter "l" becomes the number "1", "s" becomes "$", and so on). These guesses are cheap and are the first thing checked, so passwords made of random characters that are NOT found in any dictionary are the way to go.

Eventually the evildoers run out of words to try. At that point (if they are so inclined) they fall back to pure brute force: trying every combination of letters, numbers and symbols up to some length. A related shortcut is the "rainbow table" attack, which uses precomputed tables of hashes for every combination so that the hashing work is done once and reused against many breaches. It only works against hashes stored without a per-user random "salt", which is why well-built sites salt every password.

Freely available tools do most of the heavy lifting, so the bad guys don't need mad hacking skills. They may also use hardware built for the purpose, typically racks of graphics cards. Back in 2012 a system was built that could check 350 billion (350,000,000,000 or 3.5 × 10^11) passwords per second hashed in the standard Windows format (NTLM). It could try every possible 8-character password in only 5.5 hours!
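To make the dictionary-plus-rules idea concrete, here is a toy cracker, added as an example and not code from the original post or from any real cracking tool. Everything in it is constructed for illustration: the five-word wordlist, the users, the passwords they "chose" and the hashing scheme (unsalted SHA-256 standing in for whatever the breached site used). Real tools such as hashcat and John the Ripper do exactly this with far larger wordlists and rule sets, at GPU speed.

```python
"""Added example (not from the original post): a toy dictionary attack with
mangling rules, run against a constructed "breach dump" of hashed passwords.
"""
import hashlib

# A five-word stand-in for "the dictionary" plus common-password lists.
WORDLIST = ["password", "welcome", "sunshine", "dragon", "letmein"]

# Look-alike substitutions the post describes ("l" -> "1" and friends).
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}


def h(password: str) -> str:
    """Hash a guess the way the (constructed) breached site did: unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(word: str):
    """Yield a word and the cheap variants an attacker tries first."""
    leet = "".join(LEET.get(c, c) for c in word)
    for base in (word, word.capitalize(), leet):
        yield base
        for n in range(100):              # append 0..99
            yield f"{base}{n}"
        for year in range(1990, 2025):    # append a plausible year
            yield f"{base}{year}"
        for sym in "!@#$":                # append one symbol
            yield f"{base}{sym}"


def dictionary_attack(hashes, wordlist):
    """Return ({hash: recovered password}, number of guesses tried).

    No hash is ever reversed: every candidate is hashed and compared
    against the set of target hashes.
    """
    targets = set(hashes)
    found, tried = {}, 0
    for word in wordlist:
        for guess in candidates(word):
            tried += 1
            digest = h(guess)
            if digest in targets:
                found[digest] = guess
    return found, tried


# Constructed breach dump: plaintext e-mail addresses, hashed passwords.
BREACH = {
    "alice@example.com": h("Dragon1"),       # dictionary word + digit
    "bob@example.com":   h("$un$h1n3"),      # "sunshine" with leet substitutions
    "carol@example.com": h("Welcome2019"),   # capitalised word + year
    "dave@example.com":  h("Xq7!pL2mVz"),    # random: in no dictionary
}


def crack(breach=BREACH, wordlist=WORDLIST):
    """Map each user to the recovered password, or None if the rules missed it."""
    found, _ = dictionary_attack(breach.values(), wordlist)
    return {user: found.get(digest) for user, digest in breach.items()}


if __name__ == "__main__":
    for user, pw in crack().items():
        print(f"{user:20} {pw or '<not recovered by dictionary + rules>'}")
```

Three of the four passwords fall to about two thousand guesses, which a GPU rig would finish in a few microseconds. Dave's random string is the only survivor; the rules never produce it, so the attacker is left with the brute-force arithmetic the next section walks through.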

Warning! There is MATH below!

How password length really changes things

For the purposes of this conversation, we are going to assume that we have a piece of hardware that can only guess 1 billion (1,000,000,000 or 1 × 10^9) passwords per second. Bear with me for a moment here…

If you are only using lower-case letters in your password, there are 26 possible letters for each spot. If your password is only 1 character long, there are only 26 possibilities. If it is 2 characters long, there are 26 possibilities for each spot, or 26 × 26 = 26^2, which is 676. In general, the number of possible lower-case passwords is 26 raised to the power of the password's length (the number of letters). So a 5-character password has 26^5 = 11,881,376 possibilities, and our piece of hardware can try ALL of them (including yours) in about 0.01 seconds!

Going from 5 to 6 characters gives 26^6 = 308,915,776 combinations, which our computer works through in 0.3 seconds. Increasing to 7 characters raises the time to 8 seconds! Still not very long, but we are definitely getting more secure. The 8-character length we mentioned earlier takes 208 seconds, or about 3.5 minutes, to try exhaustively.

But wait! Did I not just say you should have a password at least 8 characters long? If that only gets us to 3.5 minutes, shouldn't we have a longer one? The answer is yes, you really should, BUT we are missing something here: the extra complexity afforded by adding upper-case letters, numbers and special characters.

The case for all those weird things in your passwords

So, if you add upper-case letters alongside lower-case, the number of possibilities for each spot rises from 26 to 52. That 5-character password now has 52^5 = 380,204,032 combinations, more than the 6-character lower-case-only password had. With upper and lower case, an 8-character password takes 52^8 / 10^9 = 53,459 seconds, almost 15 hours, to try exhaustively. Adding numbers and special characters gives about 95 possible characters for each spot (the printable ASCII set). An 8-character password then takes our hardware 95^8 / 10^9 = 6,634,204 seconds (almost 77 days) to exhaust. Simply going to 9 characters pushes that to 95^9 / 10^9 ≈ 6.3 × 10^8 seconds, just about 20 years.

Things to bear in mind

A computer that can guess 1 billion passwords a second is actually pretty slow. Hard numbers on cracking speed are difficult to pin down, but technology keeps advancing, and it would not be unreasonable to assume that freely available hardware now performs at 10 times the rate of the special computer we mentioned earlier (the one that checked 350 billion passwords a second). So for some hash formats you could now expect well over 1 trillion guesses per second. At that rate, trying all possible combinations for that 9-character password takes about 7 days rather than 20 years.

Not every hashing algorithm is created equal, and some take a LOT longer to compute than others. Purpose-built password hashes such as bcrypt, scrypt, Argon2 and PBKDF2 are deliberately designed to be slow and expensive, so each guess costs the attacker far more work. The math behind them is really, really complicated (no, seriously; MIT's introductory cryptography course is a good place to start if you like that kind of stuff). The effect is that instead of 1 trillion guesses per second, the same hardware might manage only 100 million. That 9-character password then takes just about 200 years to exhaust.
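The arithmetic of the last three sections, written out as an added example (not code from the original post) so you can plug in your own character-set size, length and guess rate. The 26/52/95 set sizes and the 10^9, 10^12 and 10^8 guesses-per-second rates are the post's own figures; the 10^8 rate for a slow password hash is the post's assumption, not a benchmark.

```python
"""Added example (not from the original post): keyspace and time-to-exhaust
calculations for the character-set sizes and guess rates used in the post.
"""
from math import log2

LOWER, MIXED, FULL = 26, 52, 95   # lower-case; upper+lower; printable ASCII
YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Possible passwords: charset_size ** length (e.g. 26^5 = 11,881,376)."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity on a log scale: bits of entropy of a random password."""
    return length * log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Time to try every password. On average the attacker succeeds at half this."""
    return keyspace(charset_size, length) / guesses_per_sec


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def cost_table(guesses_per_sec: float = 1e9, lengths=range(5, 13)):
    """Rows of (length, lower-only, mixed-case, full-ASCII) exhaustion times."""
    return [
        (n, *(human(seconds_to_exhaust(c, n, guesses_per_sec)) for c in (LOWER, MIXED, FULL)))
        for n in lengths
    ]


def rate_comparison(length: int = 9, charset_size: int = FULL):
    """The 'things to bear in mind' comparison: one password, three guess rates.

    1e9/s is the post's slow baseline, 1e12/s a fast unsalted hash on a modern
    GPU rig, 1e8/s the post's assumed rate for a deliberately slow password hash.
    """
    return {rate: human(seconds_to_exhaust(charset_size, length, rate))
            for rate in (1e9, 1e12, 1e8)}


if __name__ == "__main__":
    print(f"{'len':>3} {'lower':>16} {'mixed':>16} {'full':>16}")
    for n, lower, mixed, full in cost_table():
        print(f"{n:>3} {lower:>16} {mixed:>16} {full:>16}")
    for rate, t in rate_comparison().items():
        print(f"9 full-ASCII chars at {rate:.0e} guesses/s: {t}")
```

Run it and the 8-character row reproduces the post's 3.5 minutes, 15 hours and 77 days, and the 9-character comparison reproduces 20 years, 7 days and 200 years. The entropy function is the compact way to say the same thing: every extra character adds about 6.6 bits at 95 symbols, and every 10 bits is roughly a thousandfold more work for the attacker.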

Whew! Math is over!

Wow, that was a lot of math and I think I may have drooled on myself some. So what does Sawyer Solutions do?

We use LastPass to store passwords, which lets us use a unique, strong password for everything. Personally, my default is a 12-character random string (95^12 ≈ 5.4 × 10^23 possible passwords), but for really sensitive things I've been known to use 35 random characters (a space of 95^35 ≈ 1.6 × 10^69 possible passwords). Even a computer that could guess a trillion trillion passwords per second (a septillion, 1 followed by 24 zeros, or 1 × 10^24) would need 1.6 × 10^45 seconds, roughly 5 × 10^37 years (a 5 followed by 37 zeros), to try every combination. So I feel pretty confident that password is un-crackable.

Need some help with your password posture? We'd love to talk to you. Our initial consultation is always free of charge. Click here to schedule yours!
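A generator for random strings like the 12- and 35-character ones described above, added here as an example; it is not LastPass's code or code from the original post. The one thing that matters is the random source: `secrets` draws from the operating system's cryptographic generator, whereas Python's `random` module is predictable and must never be used for passwords. The 94-character alphabet is an assumption (the post's 95 counts the space, which most managers leave out), as is the rule that every character class must appear.

```python
"""Added example (not from the original post, not LastPass's code): generating
random passwords from a cryptographically secure source, with their entropy.
"""
import secrets
import string
from math import log2

# 94 printable ASCII characters, space excluded (assumption: matches most managers).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def required_classes(alphabet: str):
    """Only classes the alphabet can actually produce are required."""
    return [cls for cls in CLASSES if any(c in alphabet for c in cls)]


def has_all_classes(password: str, alphabet: str = ALPHABET) -> bool:
    return all(any(c in cls for c in password) for cls in required_classes(alphabet))


def generate(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Uniformly random string from `alphabet` via os.urandom-backed secrets.choice.

    Rejection-samples until every character class appears, the rule most sites
    impose; this excludes a negligible slice of the keyspace at 12+ characters.
    """
    if length < len(required_classes(alphabet)):
        raise ValueError("length too short to contain every character class")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(password, alphabet):
            return password


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """log2 of the number of possible strings: length * log2(alphabet size)."""
    return length * log2(len(alphabet))


if __name__ == "__main__":
    for n in (12, 35):
        print(f"{n:2} chars, {entropy_bits(n):6.1f} bits: {generate(n)}")
```

Twelve characters from this alphabet is about 79 bits of entropy and 35 characters about 229 bits; anything past roughly 128 bits is beyond any brute force that physics allows, so the 35-character habit is belt-and-braces rather than necessity.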