
Did you know that, on average, Americans have 19 passwords for online services? Studies suggest that approximately 25% of people use easy-to-remember passwords, and most use the same password for everything.
This is bad. This is really, really bad.
Length and entropy (randomness) play a large role in the strength of a password. Let’s get into the science behind a strong password to demonstrate why.
Password Length
In the land of mathematics, as well as many other scientific fields, we have what is known as exponential growth. Loosely translated, this means that each item you add to a growing set multiplies the number of possibilities rather than simply adding to it, so the set grows faster and faster. Think of the common Internet question that was passed around where you are offered a million dollars or a penny a day, doubled for 30 days. Everyone knows that the 30-day wait is well worth it, and the same applies to password length.
Let’s say that you have a password that can only consist of numbers, and it happens to be only 2 characters in length. That’s 10 possibilities for each character, but to get the total number of possibilities you need to raise 10 to the power of 2 (10^2). This means that there are 100 possible 2-character passwords. Add in a third character, change the math to 10^3, and the number increases to 1,000. The inclusion of the third character didn’t increase the number of possible combinations by 50%, it increased it by a factor of ten.
In real life, the numbers get really big really quickly. If you have 95 possible characters to choose from (lower case, upper case, numbers, and special characters) you’ll get numbers like this:
- 2 characters: 9,025 possibilities
- 4 characters: 81,450,625 possibilities
- 16 characters: 44,012,666,865,176,569,775,543,212,890,625 possibilities
These numbers represent what is called the “search space”. Every character you add multiplies the search space, and with it the time it takes an attacker to iterate across every possible password, so lengthening your password is the most direct way to drastically improve its security. As computational power increases, allowing faster iterations while trying to brute-force a password, this becomes critical.
The total search space an attacker would need to traverse is the sum of the possibilities at every length. For example, the total search space of a 4-character password includes the sum of all 4, 3, 2, and 1-character possibilities, assuming the attacker doesn’t know the actual length of your password.
Password Entropy
Math is powerful, but this doesn’t mean that all passwords with 20 characters are equally defensible against attacks – and this is where entropy comes in. A password consisting solely of absolutely random characters is statistically the most secure. A password consisting of words, better known as a passphrase, may seem mathematically sound due to its length, but attackers have honed their tools in accordance with common password practices.
Rather than going through all possible character combinations, they’ll first start by trying common words found in the dictionary. Now the math gets a bit more complicated, especially when you begin substituting symbols for letters, etc., but the point still stands: brute-forcing a password consisting of completely random characters is statistically harder than brute-forcing a password made up of known words when the passwords are the same length.
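The search-space and entropy arithmetic from the two sections above, worked through in Python. This is an added example and not code from the original article; the 10- and 95-symbol alphabets come from the text, while the 7,776-entry word list, the five-letter average word length and the 10^10 guesses-per-second rate are assumptions chosen for illustration. It also generalises the text slightly by computing the cumulative search space for any alphabet and by expressing the same search space in bits, which is all “entropy” means here.

```python
import math

# Alphabet sizes from the text; the word-list size is an assumption
# (7,776 entries, the size of a Diceware-style list).
DIGITS_ONLY = 10
FULL_PRINTABLE = 95
WORD_LIST = 7776


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from `alphabet_size` options."""
    return alphabet_size ** length


def cumulative_search_space(alphabet_size: int, max_length: int) -> int:
    """Every length from 1 up to `max_length`: what an attacker must cover
    when the real length is unknown."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """Entropy is the search space expressed in bits (log base 2)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: time to try every password in `space`."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare_random_vs_passphrase(num_words: int, avg_word_len: int = 5) -> dict:
    """Same character count, two attacker models: a random string, where every
    95-symbol combination must be tried, versus a passphrase whose words come
    from a list the attacker also has, where only word combinations are tried."""
    length = num_words * avg_word_len
    return {
        "length": length,
        "random_bits": entropy_bits(search_space(FULL_PRINTABLE, length)),
        "passphrase_bits": entropy_bits(search_space(WORD_LIST, num_words)),
    }


if __name__ == "__main__":
    for n in (2, 4, 16):
        print(f"{n:2d} characters: {search_space(FULL_PRINTABLE, n):,} possibilities")
    print("4 characters, length unknown:", f"{cumulative_search_space(FULL_PRINTABLE, 4):,}")
    RATE = 1e10  # assumption: a hypothetical offline guessing rate, guesses per second
    print("years to exhaust 16 random characters:",
          f"{years_to_exhaust(search_space(FULL_PRINTABLE, 16), RATE):.3g}")
    print(compare_random_vs_passphrase(4))
```

Running it reproduces the three figures listed in the text and shows the entropy gap the second section describes: twenty random characters carry roughly 131 bits, while a four-word passphrase of the same length carries roughly 52 bits once the attacker knows it is built from a word list.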
Password Guidelines
Now that we’ve jumped into the science behind secure passwords, here are some recommendations to help keep your passwords and personal information secure:
Use two-factor authentication whenever possible, requiring services to use a token in addition to a standard password. Try to avoid using text messages to transmit tokens and opt for an authenticator app whenever the service supports one. Authy and Google Authenticator are excellent choices.
Tip: When using a one-time password app, be sure to print your QR codes and store them in a safe place. If your mobile device is damaged or lost, you won’t have to jump through a ton of hoops to be reunited with your account(s). On new devices with a new one-time password app, simply snap a pic of each printed QR code into your app.
Use a password manager. If you don’t have to remember your passwords in your head, you can make them as long and complex as you see fit without having to resort to memorizing them or worse – writing them down on sticky notes.
If you have passwords that absolutely cannot be placed inside of a password manager, make sure to apply these basic principles to each:
- Make your password a long, memorable, passphrase
- Go back and make your password longer than that
- Go back and make your password longer than that
- Go back and make your password longer than that
- Repeat
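The “make it longer, repeat” loop above, turned into a small passphrase generator. This is an added example, not code from the article: it keeps appending uniformly chosen words until the phrase carries a chosen number of bits of entropy, using Python’s `secrets` module rather than `random`, because the latter is not a cryptographic generator. The sixteen-word list is a constructed stand-in; a real deployment would substitute a published list with thousands of entries, which is an assumption left to the reader.

```python
import math
import secrets

# Constructed stand-in for a real word list (published lists such as the EFF
# or Diceware lists have thousands of entries and give far more bits per word).
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def bits_per_word(words) -> float:
    """Each uniformly chosen word contributes log2(list size) bits."""
    return math.log2(len(words))


def words_needed(words, target_bits: float) -> int:
    """How many words it takes to reach `target_bits` with this list."""
    return math.ceil(target_bits / bits_per_word(words))


def generate_passphrase(words, target_bits: float, separator: str = "-") -> tuple:
    """Keep adding words until the passphrase carries at least `target_bits`
    of entropy; returns (passphrase, bits). Duplicates in the list are rejected
    because they would silently lower the entropy of every pick."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    chosen = []
    bits = 0.0
    while bits < target_bits:
        chosen.append(secrets.choice(words))  # CSPRNG-backed, never random.choice
        bits += bits_per_word(words)
    return separator.join(chosen), bits


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS, target_bits=40)
    print(f"{phrase}  ({bits:.1f} bits, {len(phrase.split('-'))} words)")
```

With only sixteen words the list yields 4 bits per word, so ten words are needed for 40 bits; a 7,776-word list gives about 12.9 bits per word and reaches the same target in four. The length of the phrase is what buys security, not the cleverness of the words.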
If you use a service offering password reset questions like your “Mother’s maiden name” or similar, enter a ridiculous password or phrase for each, and store them in a password manager. We live in a world where information, including what you may use as answers to similar questions, is just a Google search away.
Finally, do not enter a password hint if offered the chance to do so. Doing so simply helps an attacker, much like how the winner of Wheel of Fortune immediately gets R, S, T, L, N, and E while attempting to solve the final round. And remember, this is your password. The winner gets your information – which can be much more valuable than a new car.