Hello passphrase, goodbye password

passwordChances are you know the rules for creating a secure password. Don’t use a dictionary word. Use upper and lowercase letters. Use at least one special character. Unfortunately, most people don’t follow even these basic rules. Recently, advances in computational power have made them as obsolete as your AOL account. Say goodbye to the old rules, and the concept of a password. Hello passphrase.

How does an attacker crack a password? Two common methods are dictionary attack, and “brute force” attack. A dictionary attack uses a database of common words and likely character sequences to guess the password. A “brute force” attack tries every possible combination of the 95 characters on a keyboard until they find the right one. Obviously, a one character password would be easy to brute force attack, as it would require a maximum of 95 attempts. Adding a character makes it exponentially more difficult (by 95 times). For example, a two character password has 95 x 95, or 9,025 possible combinations. A 3 character password 9,025 x 95 (95^3), or  857,375 combinations.

Password length is the single most important factor in preventing brute force attacks. An 8-character password has traditionally been recommended as the minimum length to prevent brute force attack. It has 6,634,420,431,000,000 or 6.6 quadrillion combinations. A quadrillion is a number which is almost impossible to visualize. If you stacked 7 quadrillion pennies into a cube, it would be almost a mile wide on each side. 7 quadrillion seconds is 217 million years. Thanks to advances in computing power, even that large number is not enough.

Dictionary attacks have been relatively fast for some time, and are the reason your password shouldn’t be a word that can be found in the dictionary. The Oxford English Dictionary only contains full entries for 171,476 words in current use. That’s little challenge for today’s computers. Brute force attacks have traditionally been much slower, due to the larger numbers involved. However, serious number crunching has recently been democratized. While multi-core CPUs have become commonplace, the GPU or graphics processing unit is the real game changer. The highly parallel structure that results in excellent floating point performance and complex 3-D computer graphics, also makes them ideal computational workhorses for brute force attacks. Software designed to break passwords using GPUs is freely available on the internet today.

10 years ago — in the year 2000, the worlds fastest super computer cost $110 million and performed 7 trillion floating point calculations per second, or 7 teraflop. Today you can buy an nVidia GTX 480 or AMD HD 5870 graphics card for a few hundred dollars and get 2.5 – 2.7 teraflop performance. AMD even makes a graphics card with two GPUs, the HD 5970 offers 5 teraflops, and approaches that $110 million dollar supercomputer’s FP performance, for about $600.

What does all this performance mean in the real world? Recently, the Georgia Tech Research Institute used clusters of these off-the-shelf graphic cards to crack an 8 character password in less than 2 hours! They calculated that using the same processing power it would take 180 years to crack an 11-character password. 12-characters seem to be the sweet spot, requiring 17,134 years to crack using the same computing power.

Any passwords shorter than 12 characters could soon be vulnerable. Given the difficulty in remembering a 12-character password that isn’t a dictionary word, and future advances in computing power, many security experts are now recommending a passphrase, or entire sentence, instead of a password. Preferably, a sentence that includes numbers and symbols. Sentences have the advantage of being long and complex, but also easy to remember. Here are some example sentences, or passphrases from Carnegie Mellon’s School of Computer Science:

I have two kids: Jack and Jill.

I like to eat Dave & Andy’s ice cream.

No, the capital of Wisconsin isn’t Cheeseopolis!

Obviously, don’t use any of the examples above. Most importantly make it easy to remember. Even the most secure passphrase doesn’t do much good if you have to write it down on a sticky note attached to your monitor.

  • Jim

    I use a complex, 16-character password that I print out and tape to my monitor, carry in my wallet, and have several copies floating around on the web for reference if I'm somewhere online and forgot my printed copy. I use a 6x6 grid, and each grid has a randomly generated set of characters: 1 upper case, 1 lower case, 1 special character, and 1 number. Each of the 6x6 grid cells are labeled with the numbers 0-9 and the letters A-Z. So, for example, cell 1 might be: D$5t, cell 3 is H#e2, cell G is J*8i, and Cell Q is R$5w. My 4-digit "pin number" is 13GQ, and therefore my password is D$5tH#e2J*8iR$5w. A nice, complex, 16-character password that meets all requirements, and one that I don't have to memorize. I used MS Excel to generate the "randomly" generated characters in each cell. I have 3 sheets - 1 for my email accounts, 1 for my SNS accounts, and 1 for my banking accounts. While yes, it's possible that if someone "got" my password for 1 bank, they'd have my password for all of my banks... it's about as secure as it can be.