Password Insecurity
I’m going to be honest, I have a new pet peeve when it comes to passwords: anyone who insists on ensuring your password has at least one of each of the following:
- uppercase letter
- lowercase letter
- number
- symbol
You’re probably asking yourself why I can’t stand this advice anymore when it’s so ubiquitous and even the experts agree it makes sense. Allow me to explain.
The reason is really quite simple: People are predictable. Allow me to prove my point with the following question:
What’s the first thing you think of when asked for something to replace “e” with in a password? How about “a”, “i”, “o”, and “g”?
Answers: 3, @, !, 0, and &.
Admittedly, you may or may not agree with all of those, but I think you’ll agree they make a certain amount of intuitive sense which is exactly why you shouldn’t use them even though they conform to the usual advice stated above and are easy to remember.
The underlying reason is exactly as stated: people are predictable. As such, if I am an attacker, I will exploit this predictability by using such simple substitutions to expand my password dictionaries prior to any attack. Supposing a given password admits at most n basic transformations such as the ones outlined above, there are a total of 2^n ways to alter a standard word. That seems large until you realize that, in this paragraph for instance, very few words admit more than three or four such substitutions, and those that do are pretty long in the first place.
The point behind the advice I so loathe is to get you to choose passwords with a low probability of being in a password dictionary small enough that your password can be quickly guessed. The first step is to avoid anything in Webster’s or the Oxford English Dictionary. After that, the next step is to get it out of what I call “words under the usual transformations”: manglings of words using common rules such as the ones cited above, which are examples of “l33t sp3@k”. There are some exceptions, but given the propensity of people to choose (relatively short) everyday words as the basis for their passwords, to mangle them in predictable ways, and to reuse passwords, I would argue the advice I cite above is more about the illusion of security than actual security.
My advice? Change the advice to the following:
- use at least two numbers
- use at least two uppercase letters
- use at least two lowercase letters
- use at least two symbols
- use at least 10 total characters
Also, in an ideal world you would screen the password against a dictionary to ensure it is sufficiently obscure prior to accepting it, and refuse to accept any password which is in said dictionary.
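As an added example (not part of the original post), here is a Python acceptance check that applies the stricter policy above and then screens the candidate against a dictionary by undoing the substitutions the post lists, so a mangled everyday word is refused even when it satisfies every character-class rule. The wordlist and the substitution table are constructed stand-ins; a real screen would load a full dictionary.

```python
import itertools

# Constructed stand-in for "Webster's or the OED" from the post.
WORDLIST = {"password", "welcome", "monkey", "dragon", "garden", "epsilon"}

# The substitutions the post names, inverted: symbol -> letter it stands for.
UNMANGLE = {"3": "e", "@": "a", "!": "i", "0": "o", "&": "g"}

# The post's stricter policy: at least two of each class, ten characters total.
CLASSES = {
    "digits": str.isdigit,
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "symbols": lambda c: not c.isalnum(),
}

def policy_failures(pw, min_len=10, min_each=2):
    """Names of the post's rules that `pw` violates ([] if it passes them all)."""
    failures = ["length"] if len(pw) < min_len else []
    for name, pred in CLASSES.items():
        if sum(map(pred, pw)) < min_each:
            failures.append(name)
    return failures

def candidate_words(pw):
    """Every everyday word `pw` could have been built from under the usual
    transformations. Each mangled character is read either as the letter it
    replaces or as padding, so n substitutable positions give 2^n candidates,
    the same count the post works out for the attacker's dictionary."""
    choices = []
    for c in pw.lower():
        if c in UNMANGLE:
            choices.append((UNMANGLE[c], ""))   # the letter, or mere padding
        elif c.isalpha():
            choices.append((c,))
        else:
            choices.append(("",))               # other digits/symbols: padding
    return {"".join(p) for p in itertools.product(*choices)}

def dictionary_failure(pw, wordlist=WORDLIST):
    """The dictionary word `pw` is a mangling of, or None if it is obscure."""
    hits = candidate_words(pw) & wordlist
    return min(hits) if hits else None

def screen(pw):
    """Combined acceptance check: returns (accepted, list of reasons)."""
    reasons = policy_failures(pw)
    word = dictionary_failure(pw)
    if word:
        reasons.append(f"mangling of '{word}'")
    return (not reasons, reasons)
```

Note that "PAssw0rd!!3" satisfies all five rules yet is refused, because it collapses back to "password" once the substitutions are undone.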
Me, I just stick to KeePassX’s random password generator.
About this entry
You’re currently reading “Password Insecurity,” an entry on Midnight in the Garden of Epsilon and Delta
- Published: 7 April 2008 / 1:51 am
- Category: Encryption and Security, computing
- Tags: dictionary, encryption, hacking, internet, passwords, security, software