Building a better password

Conventional wisdom about what constitutes a good password is wrong

I am getting increasingly annoyed by trying to register on Web sites that ask you to set a password and then tell you that the password you just entered is not up to their standards. 

You might have entered what is actually a good password (that's "good" by any rational security standard) but the site tells you, no, you must have at least one upper case letter.

OK, so you try another version with some caps only to be told that at least one numeral is required. Then your next attempt is rejected because you haven't included any symbols and a long list is given. Now, completely frustrated and without looking too closely at the list you throw in an ampersand only to be told that that symbol isn't allowed.

This is obviously appallingly bad user experience design but I've seen similar issues with all kinds of online services ... I've even seen it with banks and financial services which you would think would know better.

What's so crazy about the password requirements of these organizations is that they want passwords such as "fzz$%C6k". While this looks good (albeit totally unmemorable)  according to How Big is Your Haystack? published by Gibson Research Corporation (GRC) the the time required to guess this password's space assuming one thousand guesses per second would be at most 2.13 thousand centuries (although if the NSA were on your case and using a Massive Cracking Array that could deliver one hundred trillion guesses per second it would only take up to a maximum 1.12 minutes). Of course no bank front end is going to allow one hundred trillion attempts per second but that's beside the point.

What about allowing simpler but longer passwords? Let's say your registration system allows a password such as "sofa-horse-apples-rain". This is not only totally memorable but now the one thousand guesses per second attack will take up to 2.94 hundred trillion trillion centuries while while the theoretical NSA Massive Cracking Array Scenario running at one hundred trillion guesses per second would take, at most, 2.94 thousand trillion centuries.

GRC includes some useful observations about what constitutes a strong password and one of the most interesting comments on the page concerns the concept of information "entropy": The site points out that the password "D0g....................." has a lower "entropy" than "PrXyc.N(n4k77#L!eVdAfp9" and most people would consider the latter the better choice but GRC notes that "when the only available attack is guessing, that long-standing common wisdom  . . . is  . . . not  . . . correct!"

Another useful piece of advice from GRC is: 

The example with "D0g....................." [being a strong password] should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "<->" or "[*]" or "^-^"  . . . but do invent your own! / If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!

Of course how you determine the strength of a password is dependent on how you evaluate it and another resource for figuring out the strength of your passwords that gives far more conservative results than GRC's can be found at How Secure is My Password?. This site is sponsored by RoboForm, an excellent password management tool I've used for years. As the site (somewhat obviously) notes: "This site could be stealing your password... it's not, but it easily could be. / Be careful where you type your password."

HSIMP knows the top 10,000 passwords and figures that "fzz$%C6k" is not that secure estimating that "It would take a desktop PC about 3 days to crack your password" at 4 billion calculations per second. On the other hand HSIMP estimates "sofa-horse-apples-rain" would take "a desktop PC about 2 quintillion years" so the choice of password is obvious.

Of course, if you're building a registration system and you really want the users to be sensible about password selection you have to give them advice up front about your requirements and expectations rather than annoying them throughout the process. Ideally you should also give them instant feedback on the quality of their password choice. A great example of how to show users their password "quality" as they register and do so on the client side (so passwords aren't sent across the Intertubes) can be found on Silent Circle's subscription page. Note that the JavaScript-based quality testing includes a built-in list of the most common passwords.

So, which web sites have the worst password registration system? And do you have a scheme for your passwords to make them memorable?

Sign in below or to gearhead@gibbs.com then follow me on TwitterApp.net, and Facebook.

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Related:
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.