Safe and Secure Password (Part II – Strong Passwords)

January 13, 2012

By Shaun Whitlow

As we covered in the last post, two of the most common methods used to compromise a password are guessing and brute force attacks. A password’s ability to resists these two attack methods determines its strength. In this post, we will look at what makes a strong password.

Password strength is determined by its length, complexity, and obscurity. Short passwords are more easily broken than longer passwords. Passwords based off of common words are likewise more easily cracked than passwords containing obscure words, numbers, and symbols. 

A password’s strength is typically measured in terms of its entropy value. A password is assigned a number of entropy bits based upon the characters contained within the password. The entropy bits make up the base-2 logarithmic number that represents the number of attempts a brute force attack would require to exhaust all password possibilities. For example, 128 bits is a common benchmark for secure data storage and communication. 128 bits represent 2128 permutations, which would theoretically require a supercomputer over 149 trillion years to crack in a brute force attack.

Next, we will examine two forms of strong passwords: Traditional complex passwords and common word based passwords.

Traditional Complex Passwords

For a traditional complex password, the following guidelines are recommended:

* Use a minimum of 8 characters

* Use both Upper- and Lower-case letters

* Use at least 1 number

* Use at least one non-alphanumeric character (~`!@#$%^&*()_-+=:;’,.?)

* Use random passwords whenever possible

Some examples of traditional complex passwords (with their entropy value) are listed below:

Pe$p*qewED (46.1 bits)

7u-uCre2a& (50.3 bits)

pr$Sw+wR7d28 (60.3 bits)

These passwords, while secure, are generally not easy to remember. Another option is to use a common word based password.

Common Word Based Password

Common word based passwords are fairly non-traditional, but can often be even more secure than the traditional complex password. These passwords employ four or more common, unrelated words put together in a nonsensical phrase. The key to the password’s security is its length and the unrelated nature of the words. Here are some examples, with their entropy values:

Between Third Jumps Steady (120.5 bits)

Umbrellas Dim Lively Integers (127.6 bits)

Saving Influence Drowns Wrongly (146.1 bits)

As you can see, these nonsense phrases are much more secure against brute-force attacks and guessing, and are likely to be much easier to remember.

Your password is the one thing that can provide an intruder with unlimited access to your account and any personal information contained therein. To keep your personal information private, be sure to protect your password and use a strong password whenever possible.