The Sophisticate’s Guide to Passwords

Reverse engineering a password hack

Photo: Wesson Wang

There are times in which a password is the only thing standing between you and a malicious attacker. Even worse, the adversary could be a relentless bot programmed for one thing: cracking passwords with the utmost efficiency. This article is aimed at how to craft your password for maximum security in an insecure world, and understanding why this is necessary.

First, it should be noted that if Two-Factor Authentication (2FA) is available, its use will be vastly more secure than using a password alone. 2FA should be used wherever available.

Second, passwords must not be reused in any circumstances. If a reused password is compromised due to weak security on one website, that password is now potentially compromised anywhere else that password is being used. To this point, password managers are preferable and there are a plethora of them available.

If you’re not much of a reader, or prefer to skip the explanations that follow here is a succinct takeaway from this document:

Password length is 99% of password security. Password complexity is a distant second when it comes to modern password security.

You might wonder why the password security paradigm has seemingly flipped in the past several years. After all, most banks require at least one uppercase character, one lowercase character, a number, and even a “special character”. Special characters generally refer to anything that isn’t a number or letter, such as “-“, “/”, or even a period “.”. Many websites don’t generally require a length greater than 8 characters. If length is so important, why do most websites emphasize complexity?

Let’s take a look at how modern attackers actually crack a password. First, they must obtain access to the password file or database containing the passwords. Second, the passwords stored in these files or databases are nearly always encrypted, meaning that the username is visible in plaintext, but the corresponding password is either represented by ciphertext, or by a cryptographic hash. A hashed password refers to a password that has been ran through a cryptographic hash algorithm. There are many types of cryptographic hashes, including MD5, SHA-1, SHA-2 and the upcoming standard, SHA-3.

Cracking a password secured with a cryptographic hash doesn’t involve decryption, that is incredibly complex and in some cases, nearly impossible. Cracking a password involves picking a string of characters and running it through the same cryptographic hashing algorithm that was used to initially encrypt the password. If the two resulting hashes match, the user’s password has been discovered.

For instance, if your password is “MyPassword” and it has been hashed with the MD5 algorithm, anyone that runs the same string through the MD5 algorithm will calculate the exact same resultant hash. Attackers use programs that try all words in a password dictionary, which is typically just a file of commonly used words in a given written language. These programs will even use combinations of these words, and permutations based on common replacements of letters with numbers or symbols. More importantly, these programs can run through thousands, and even hundreds of thousands of possibilities per second.

Ok, but why does complexity matter again? Password complexity was used as a form of security in the past, frankly because computers were slow, disk space was limited and operating systems were not designed with security in mind.

Let’s start with operating systems. In the 1970’s and 1980’s many UNIX operating systems could not contain a password longer than 8 characters. This was due to a limitation of one of the first encryption algorithms used for passwords, DES. DES passwords (also called keys) were limited to eight characters. Even still, most people don’t realize that only seven of the eight characters were actually used for the key. One byte was used for parity. Even if more characters were accepted by the password program, it wasn’t relevant as only the first 8 characters were used by the DES algorithm to produce ciphertext. In this scenario, length was limited, so complexity mattered.

If an attacker wants to crack every single possibility of a password between 1 and 8 characters in length, they simply start with running the cryptographic hash on the letter “a”, moving on to “b”, and so forth. Once they’ve gone through all possible single-character passwords, they move on to two letter words, “aa”, “ab”, and so forth. As we’ve mentioned, although computers were previously slow, they are at present quite fast. Modern computers can run through every single possible one-to-eight character password in minutes.

Now we come to the disk space limitations previously mentioned. With terabyte-sized disk drives as the new standard, there is virtually no limit on how much data can be used to crack passwords. This brings us to “Rainbow Tables”. Rainbow Tables are efficiently stored hashes of every password possibility for a particular hashing algorithm. This means if you generated rainbow tables for MD5 up to eight characters in length, complexity is irrelevant. Why? Because every combination of characters has already been automatically generated, and can be instantly looked up, in the Rainbow Table database. There are websites online that have Rainbow Tables available for query. Simply paste your hashed password into the website, and voila, the plaintext password comes back nearly instantaneously.

Finally we are back where we started, password length. While complexity does have an effect on the security of a password, it is nowhere near as important as length. Let’s use some simple math to find out why.

Compare the password “B5s9z-Qx” with the password “SophisticatedpwsRock!!”. The first is very difficult to remember, but it would suffice for the majority of all banking systems in the world. The second is quite easy to remember; breaking it down it says Sophisticated pws rock !!. There is some complexity in the second password, but nothing too difficult to remember.

On to the math, quite simply the formula is as follows for how difficult a password will be to crack, where the number of possible characters for use is C and the length of password is L, the equation would be C to the power of L (can’t figure out how to write a character exponent on Medium). This simple exponential equation is all it takes to determine total possible passwords.

For instance if there are 72 possibilities of characters, let’s say all lowercase(26), all uppercase(26), numbers(10) and SHIFT+Number(10) and a length of 1, the equation would be 72¹ or 72.

If the length was 2, it’s 72², or 5184 possibilities. A length of 3, 723 yields 373,248 password possibilities. That’s right, there are 373,248 unique possibilities in a password that’s 3 characters long. In this way, we can see that the length exponentially increases a password’s strength because each additional charac ter exponentially raises the possibilities and therefore makes it harder to crack.

Now let’s use our formula on the previously described passwords. The first would be 72⁸, or 722,204,136,308,736 possible passwords. This would take a desktop PC roughly 3 days to crack. Compare that with our second password, which would be 72²² or 72,663,267,215,268,556,211,671,874,973,277,863,542,784, that’s a lot of possibilities. This length would require tremendous amounts of storage for rainbow tables and would take a desktop PC roughly 100 sextillion years to crack.

So how do you choose a good password? Choose one that’s memorable, has some complexity and is long. Even though people will tell you “28su7SD_[!” is a great password, it’s hard to remember. Good passwords aren’t hard to remember. Passwords are for protecting you against hackers while allowing you to do your normal tasks. Passwords shouldn’t be a burden. Something like “GottaGetThat$$$Now” is a great start, or even “ILikeToEatLotsof^s”.

Finally, some trivia for the curious (and paranoid). Generally speaking, it’s not advisable to use a space in your passwords. The reason is that on most keyboards the spacebar makes a distinctly different sound than other keys and can be easily distinguished when typing. And on that note, Unir Sha naq Pubbfr Jvfryl! (13 is the magic number, can you decrypt it?)

David McKay is the Chief Technology Officer @PolicyGenius in New York City. A Cambridge University graduate and startup veteran, David was an early employee with both Google and AdMob (acquired by Google). Follow David on Twitter @DavidMcKayV