Saturday, July 6, 2013

how strong is yours?

We've all seen those online password strength checkers; it doesn't seem like such a good idea to type any of your actual passwords into those sites, no matter how trustworthy they might seem to be. But check out this web page: https://www.grc.com/haystack.htm

The idea here, as explained further down at that web page:

"Virtually everyone has always believed or been told that passwords derived their strength from having 'high entropy'. But as we see now, when the only available attack is guessing, that long-standing common wisdom . . . is . . . not . . . correct!"

So, consider the two password examples given:

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

Note the number of characters in each of those examples -- the password length. The idea is that, contrary to what one might think, the first password is actually the stronger of the two. Here's what the authors of the web page wrote:

And here's the key insight of this page, and “Password Padding”:

Once an exhaustive password search begins, the most important factor is password length!

- The password doesn't need to have “complex length”, because “simple length” is just as unknown to the attacker and must be searched for, just the same.
- “Simple length”, which is easily created by padding an easily memorized password with equally easy to remember (and enter) padding creates unbreakable passwords that are also easy to use.
- And note that simple padding also defeats all dictionary lookups, since even the otherwise weak phrase “Password”, once it is padded with additional characters of any sort, will not match a standard password guess of just “Password.”

Fascinating stuff, and that info might make you change the way you create your passwords (and eliminate any need for a password strength checker!).
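To see the arithmetic behind the claim, here is an added example (my own code, not from the post or from GRC) that models the "haystack" search space for the two passwords above: the alphabet is inferred from the character classes present (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space), and an exhaustive guesser is assumed to try every string up to the target's length. The model, like the quoted text, assumes the only available attack is guessing; the guess rate used for the time estimate is an assumption.

```python
import math
import string

# Character classes and the alphabet size each one adds when present.
# 33 symbols = the 32 ASCII punctuation characters plus the space.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

def alphabet_size(password: str) -> int:
    """Alphabet a guesser must assume: the classes that actually appear."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))

def search_space(password: str) -> int:
    """Every string of length 1..len(password) over that alphabet (the haystack)."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** i for i in range(1, n + 1))

def bits(password: str) -> float:
    """Haystack size as a bit count, for comparison with 'entropy' figures."""
    return math.log2(search_space(password))

def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case for an attacker who knows nothing about how the password was built.
    An attacker who knows the padding pattern searches a far smaller space."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)

def padding_defeats_lookup(password: str, wordlist: set) -> bool:
    """A padded word no longer equals any dictionary entry, even if its core does."""
    return password not in wordlist

# The two examples from the post (constructed here from their description).
PADDED = "D0g" + "." * 21            # 24 characters
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"   # 23 characters

if __name__ == "__main__":
    for pw in (PADDED, RANDOM):
        print(f"{pw!r}: len={len(pw)} alphabet={alphabet_size(pw)} "
              f"bits={bits(pw):.1f} years@1e11/s={years_to_exhaust(pw, 1e11):.3g}")
    # Same alphabet, one extra character: the padded password is ~95x the haystack.
    print("ratio padded/random:", search_space(PADDED) / search_space(RANDOM))
    # Constructed two-entry wordlist: the padded form no longer matches.
    print("padded 'Password' found?", not padding_defeats_lookup("Password........", {"password", "Password"}))
```

Both passwords pull in all four character classes, so the alphabet is 95 either way and the only thing separating them is length; that one extra character is what makes the padded one the larger haystack.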
