Rethinking Passwords

When we think about passwords, we usually pick uncommon words. Maybe a word coupled with a number that holds some special significance to us. Maybe just the name of an object in the room when we are asked to set a password. Sometimes we are required to add a number or a special character, so we stick one onto the end because we are supposed to.

When we think about “good” passwords, we usually think about how difficult they are for someone to “guess.” We want a password that a person would have a hard time “just figuring out,” so we think of something that WE would have a hard time “just figuring out.” We imagine an actual person sitting down and trying to cleverly deduce our password. In reality, most of the time the “guessing” is done by a computer running through thousands of guesses per second, trying to find the password by sheer brute force. As a result, the actual words we choose when putting a password together matter less and less when it comes to devising a good one. This is where information entropy comes in.

Rather than how uncommon a given word is in the dictionary, password strength should be thought of in terms of information entropy. Information entropy is a concept that “tells how much information there is in an event. In general, the more uncertain or random the event is, the more information it will contain.” Explaining exactly how this entropy is derived would require a journey into mathematics well beyond the scope of this article. Put simply, every character you use in your password carries a certain amount of entropy (typically around 6 bits, provided the character is chosen at random rather than following a predictable pattern), and we should be thinking in those terms instead of how difficult we think it would be for someone to guess. A password with 42 bits of entropy built from random common words is going to be nearly as difficult for a computer to break as a password with 42 bits of entropy built from complex words and symbols.

Randall Munroe, a webcomic author, does an excellent job of illustrating this concept in the following comic from xkcd.com:

[Image: xkcd comic comparing the passwords Tr0ub4dor&3 and correcthorsebatterystaple]

If you are like me, then when you look at Tr0ub4dor&3 you immediately assume it’s a great password. It has extraneous capital letters, numerical substitutions, and even an ampersand! I can barely remember how to type it; how could a hacker possibly figure it out? But remember, the threat is a computer, and to a computer it is just 28 bits of entropy and not terribly hard to guess. Now look at correcthorsebatterystaple. It is just a series of unrelated words, nothing fancy at all, but with its 44 bits of entropy it is exponentially more difficult for a computer to figure out: every additional bit doubles the number of guesses required, so those 16 extra bits mean roughly 65,000 times more work for the attacker.
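To make the bit counts concrete, here is a small Python script added for this article (it is not from the comic or the original post) that computes entropy the way the comic does, log2 of the number of equally likely choices, for a random-word passphrase versus random-character passwords, and turns the bits into an exhaustive guessing time. The 1000 guesses/second rate, the 2048-word list size and the tiny demo word list are assumptions used only for illustration.

```python
import math
import secrets

# Constructed demo word list for illustration only. A real passphrase list
# (the comic assumes about 2048 words, i.e. 11 bits per word) is far larger.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "cloud", "river", "lamp", "orbit"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret made from `length` independent, uniformly
    random picks out of `pool_size` symbols: log2(pool_size ** length)."""
    if pool_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one pick")
    return length * math.log2(pool_size)


def exhaustive_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds needed to try every one of the 2**bits possibilities."""
    return (2.0 ** bits) / guesses_per_second


def generate_passphrase(words, count: int, sep: str = "") -> str:
    """Pick `count` words uniformly at random with the CSPRNG in `secrets`,
    so the passphrase really carries count * log2(len(words)) bits."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Entropy and exhaustive crack time (in years) for several schemes.
    The guess rate is an assumption; 1000/s matches the comic's figure."""
    seconds_per_year = 365.25 * 24 * 3600
    schemes = {
        "4 words from 2048-word list": (2048, 4),
        "4 words from the 8-word demo list": (len(DEMO_WORDS), 4),
        "8 random printable ASCII chars": (95, 8),
        "8 random lowercase letters": (26, 8),
    }
    result = {}
    for name, (pool, length) in schemes.items():
        bits = entropy_bits(pool, length)
        years = exhaustive_crack_seconds(bits, guesses_per_second) / seconds_per_year
        result[name] = {"bits": round(bits, 1), "years": round(years, 1)}
    return result


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS, 4, "-"))
    for name, info in compare().items():
        print(f"{name:36s} {info['bits']:5.1f} bits  ~{info['years']} years")
```

Note how the same four-word scheme drops from 44 bits to 12 bits when the list shrinks to eight words: the entropy comes from the size of the pool and the randomness of the choice, not from the words themselves.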

Of course, no password is ‘uncrackable,’ and all the entropy in the world won’t stop a hacker who gets hold of your bank’s login database. However, we can still protect ourselves better by remembering that it is computers that will be trying to crack our passwords, and we should be focusing on their weaknesses, not ours.


John Puma, Team Lead Engineer

John Puma manages a team of engineers in Gravitas’ New York office, provides operational oversight for a large subset of Gravitas’ clients, and is looked to as a primary escalation point for high-priority issues that require senior-level attention. John joined Gravitas in August 2012 after five years at Eze Castle Integration, where he was a Senior Systems Engineer. Recently, he has been expanding his role to include Sales Engineering and Solutions Architecture.