Things about Passwords you never knew. Number 3 will SHOCK you!
Posted by Rubin Bennett on 06 April 2017 11:32 AM
Passwords: You hate them. We hate them. We make you choose strong ones, and then we make you change them. You get frustrated. We get frustrated. We all agree that passwords, and managing them, suck.
There's an XKCD that we often quote:
It talks about the importance of entropy in passwords, and how what we think of as 'best practice' for passwords isn't.
In the past year or so, we've done some experimenting around passwords, and as a result of our experimentation, we've adapted the approach in the XKCD comic slightly.
We love passphrases, but the problem with passphrases made only of dictionary words is that rainbow tables and other modern password-cracking tools keep getting better. It's a constant cat-and-mouse game.
Here's our current best practice for passwords that are strong and easy to remember: use a phrase you'll remember, and apply some simple letter substitutions. Sprinkle in some special characters (see the footnote about those!). Length trumps complexity; complexity is just a tool to stop crackers from compiling lists of common phrases, like "The quick brown fox jumps over the lazy dog". Here's an example:
"this is my super secret email account"
According to Keepass, that has 96 bits of entropy. Pretty good! But let's make it more secure.
"This is my super secret email account."
OK, we're up to 105 bits now, and we didn't make it appreciably harder to remember at all.
Now, if you use *consistent* substitutions, it makes it slightly harder to remember, but significantly more secure.
"!Th1s 1s my sup3r s3cr3t 3mail 4cc0unt."
We're now up to 138 bits of entropy according to Keepass, which by the XKCD formula would take... well, 2^138 guesses at one guess per second, divided by the 31,536,000 seconds in a year, is 1.104924986450535852950582185471e+34 years, which equates to, roughly, a very long time. Effectively uncrackable by today's standards.
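As an added example (not code from the original post), here is the post's recipe and its crack-time arithmetic in Python. The substitution table is inferred from the post's example (note that the post's own string leaves "mail" unchanged, whereas a fully consistent rule turns it into "m41l"), the entropy figures are the Keepass estimates quoted above, and the 10^9 guesses-per-second offline rate is an assumed comparison figure, not one the post gives.

```python
import math

# Seconds in a non-leap year, the figure the post divides by.
SECONDS_PER_YEAR = 31_536_000

# Letter substitutions inferred from the post's example (assumption).
SUBSTITUTIONS = str.maketrans({"i": "1", "e": "3", "a": "4", "o": "0"})

# Keepass entropy estimates quoted in the post for each step of the recipe.
POST_ESTIMATES = {
    "this is my super secret email account": 96,
    "This is my super secret email account.": 105,
    "!Th1s 1s my sup3r s3cr3t 3mail 4cc0unt.": 138,
}


def substitute(phrase: str) -> str:
    """Apply the post's recipe consistently: capitalise the first letter,
    substitute i/e/a/o everywhere, prepend '!' and append '.'."""
    body = phrase[:1].upper() + phrase[1:]
    return "!" + body.translate(SUBSTITUTIONS) + "."


def years_to_exhaust(bits: float, guesses_per_second: float = 1.0) -> float:
    """Years needed to try all 2**bits candidates at the given guess rate.
    With the default of one guess per second this reproduces the post's figure;
    the average time to a hit is half of this."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(estimates: dict, fast_rate: float = 1e9) -> list:
    """For each (password, bits) pair return (bits, years at 1/s, years at fast_rate).
    fast_rate is an assumed offline-hashing rate for comparison."""
    rows = []
    for password, bits in estimates.items():
        rows.append((password, bits,
                     years_to_exhaust(bits),
                     years_to_exhaust(bits, fast_rate)))
    return rows


if __name__ == "__main__":
    print(substitute("this is my super secret email account"))
    for password, bits, slow, fast in crack_time_table(POST_ESTIMATES):
        print(f"{password!r}: {bits} bits -> {slow:.3e} years at 1/s, "
              f"{fast:.3e} years at 1e9/s")
```

The bits come from Keepass, not from this code; the functions only turn an entropy estimate into exhaustive-search time, so the output is only as good as the estimator feeding it.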
1. NEVER use the same password in multiple places.