Sunday, October 20, 2013

Length trumps complexity

The idea of password length trumping password complexity has been around since before "correcthorsebatterystaple", but lately it's been on my mind because I'm in a class that covers permutation and combination.

The idea can be misleading. While working out some examples on a scratch pad, the first thing I chose was a five character password made up of only lower case letters. The math comes to

26^5 = 11.8 million unique passwords

Increasing the length by one creates 26x more unique passwords.

26^6 = 308.9 million unique passwords

But doubling the complexity creates 31x more unique passwords.

52^5 = 380.2 million unique passwords

What was my problem? The math is simple enough; the problem is that I was only considering a simple case. The real world is a bit more complicated than lower case and upper case characters. (Also, the interesting thing about exponents is that they are exponential.)

A better, more real-world example: consider the complexity of an eight character password that could be made with lower case, upper case, digits, and 14 special characters. This gives 76 characters to pick from.

(26 + 26 + 10 + 14)^8 = 1.1 quadrillion unique passwords (short scale)

That's a lot of passwords. But to me that begs the question, "Well, how long would it have to be to make 1.1 quadrillion passwords if it was made up of only lower case letters?" The answer is surprisingly short.

26^11 = 3.6 quadrillion unique passwords

We had to go to 11 characters because 26 to the power of 10 is only in the trillions. For three more characters I can make more passwords using only lower case letters. It's a neat little Sunday afternoon experiment, but is this important in any way?

My takeaway from this is that long, simple passwords are going to be easier to remember and more secure. I'm a second year computer science major and have worked in IT for almost a decade, and I know it is easier for me to remember "icanhazpassword" than "P@sSw04d".

icanhazpassword = 26^15 = 1.7 sextillion possible passwords, assuming the attacker knows it is a lower case only password.

P@sSw04d = 95^8 = 6.6 quadrillion possible passwords, using all ASCII printable characters.
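The keyspace arithmetic above, worked through as an added Python example (this is not code from the original post). It reproduces the post's figures, finds the shortest lower-case-only length whose keyspace beats the 76-symbol, eight-character space, and expresses a keyspace as bits of entropy and as the time needed to try every candidate at a guess rate that is an assumed, constructed figure, not a measurement.

```python
"""Password keyspace arithmetic for the length-versus-complexity argument.

Added example, not from the original post. Alphabet sizes follow the post:
26 lower, 26 upper, 10 digits, 14 specials (76 total) and 95 printable ASCII.
"""
import math

LOWER = 26
UPPER = 26
DIGITS = 10
SPECIALS = 14                 # the post's 14 special characters
MIXED = LOWER + UPPER + DIGITS + SPECIALS   # 76
PRINTABLE_ASCII = 95

# Assumed, constructed guess rate used only to put keyspaces on a time axis.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits: log2 of the number of candidates."""
    return math.log2(space)


def min_length_to_match(alphabet_size: int, target_space: int) -> int:
    """Smallest length at which `alphabet_size` symbols give a keyspace >= target_space."""
    length = 1
    while alphabet_size ** length < target_space:
        length += 1
    return length


def seconds_to_exhaust(space: int, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given (assumed) rate."""
    return space / guesses_per_second


def describe(label: str, alphabet_size: int, length: int) -> str:
    """One comparable line per password shape: keyspace, bits, exhaust time in days."""
    space = keyspace(alphabet_size, length)
    days = seconds_to_exhaust(space) / 86400
    return f"{label:<26} {alphabet_size:>3}^{length:<2} = {space:.3g}  ({entropy_bits(space):.1f} bits, {days:.3g} days)"


if __name__ == "__main__":
    # The post's scratch-pad cases.
    print(describe("5 lower", LOWER, 5))
    print(describe("6 lower (+1 length)", LOWER, 6))
    print(describe("5 lower+upper (x2 set)", LOWER + UPPER, 5))
    # The real-world comparison.
    print(describe("8 mixed (76 symbols)", MIXED, 8))
    needed = min_length_to_match(LOWER, keyspace(MIXED, 8))
    print(f"lower-case-only length needed to beat 76^8: {needed}")
    print(describe(f"{needed} lower", LOWER, needed))
    # The two example passwords from the post.
    print(describe("icanhazpassword", LOWER, len("icanhazpassword")))
    print(describe("P@sSw04d (95 printable)", PRINTABLE_ASCII, len("P@sSw04d")))
```

The exhaust time only says how long exhaustive search of that shape would take at the assumed rate; it says nothing about whether a password would fall to a dictionary or pattern-based attack first, which is the other half of the post's argument.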
Which brings me to my point: do attackers even bother to check for lower case only? I don't remember the details (and the information is now buried in the Internet), but a while back, when the bitcoin exchange mtgox.com was hacked, a list of usernames and passwords made its rounds on the bitcoin forums (all dead links these days). My password was 10 characters long and was exposed in plain text right next to my email. That's an eye opener for anyone. Granted, my password was lower/upper and digits (no special characters), but there were plenty of other passwords on there that were more complex.

Now I can't go back and say for sure because I don't have the data, but it would make sense if the cut off was length, not complexity. Odds are they ran a dictionary attack to get all the easy passwords (mine would not have been picked up in a dictionary attack), then a brute force attack for anything else. Based on my password, the brute force attack looked for at least lower, upper and digit characters. Which makes me think that even if my password were all lower case but really long, an attacker isn't going to know to check only lower case. Just to be sure, I like to have something more than just lower case, but knowing what I know now I don't go nuts with the complexity.

Side note: you look way cooler entering a 32 character password you know well than hunting and pecking for 8 characters and toggling the shift key.