Saturday, November 5, 2011

Simplifying Your Passwords

A few months ago, I came across three great items regarding passwords.

The first is an excellent comic on  It helps to debunk a common misinterpretation about passwords:  that passwords must be "complex" in order to be effective.  Or perhaps more accurately, it reframes the concept of "complexity" with regard to passwords.

It makes the great distinction that "hard to remember" (for humans) and "hard to guess" (for computers) are two very different things, and demonstrates that it is possible to have a password that is easy for you to remember, yet very secure against brute force attacks performed by a computer.

It's an excellent explanation in comic form, and great lesson about how to think differently about passwords.

The second resource is an informative article and tool by Steve Gibson at

Steve's "password haystack" concept is insightful, and is very similar to the XKCD lesson.  Steve's calculations with "search space" are different than XKCD's calculation with entropy, but Steve explains that in terms of brute force password guessing (versus attacking the underlying encryption algorithm or keys), it's the search space that matters, not entropy. 

And the key lesson is that increasing the search space is MUCH easier than increasing the entropy. 

He provides a nice demonstration comparing two sample passwords:



Which one do you think is more "secure"?

Which one is easy to remember and type?

The first password, "D0g", followed by a bunch of periods, theoretically wins on both counts.  As he points out, the first one may have much less entropy, but when it comes to brute force password crackers, the only aspect of entropy that matters is making sure that you are using at least one character from each "type": uppercase letters, lowercase letters, numbers, and symbols.  Once you have at least one of each of those (preferrably more than just 4 characters), you can then start using padding to dramatically increase your search space.

The third item is a comment that a friend made when I discussed this topic with him.  He works alot with IT security, and he pointed out that "password" is semantically flawed.  We should refer to them as "pass-phrases".   If we can transition away from the idea of using a single "word", to phrases that can contain multiple words, it should increase the search space, and also increase the ease of memorization.

Together, I think these provide a great basis for how we should start thinking about passwords, and how they should educate users about passwords.

Users hate passwords like "dqkGx^D,c=41S5a", but something like "Fargo Is #1!!!" can be memorized very quickly, and can be recalled very easily.

So, having learned all of this, how do I use it?

I have been using RoboForm for securely managing all of my passwords, so in theory, I only have to remember one "master password" for RoboForm.  I can then let RoboForm use high entropy, difficult to remember passwords, like "dqkGx^D,c=41S5a" for my various web site logins.  But in the rare occasions when I have to manually login to a site without RoboForm, those cryptic passwords are a hassle, so I may just convert most of my passwords to "haystack" style passwords.

Unfortunately, there are probably some applications or web sites that will make it difficult to use these passwords, such as ones that may limit password length, and others that require combinations of passwords and PINs.  And there are quite a few "random password" generators that are widely used (including the one in RoboForm) that don't support this methodology, so you will need to come up with your own technique for generating the pass-phrases and using padding.

Steve Endow is a Dynamics GP Certified Trainer and Dynamics GP Certified IT Professional in Los Angeles.  He is also the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

No comments: