“Password must be at least 12 characters.” “Password must contain at least one number.” “Password must have at least one capital letter.”

We have all encountered these frustrating red errors at one time or another. Often, we respond simply by appending an extra exclamation point or a single digit to the end of our go-to password. So how do these requirements hinder hackers, and are they working?

The intent behind password guidelines is to expand the realm, or “space,” of possible passwords. Take, for instance, a 6-character password of only lowercase letters. For each character, there are 26 possibilities, giving a total of 26^6 = 308,915,776 possible passwords. If, however, a password is 12 characters instead, and can also contain uppercase letters, numbers, and any of ten symbols, there are exponentially more options. Now, we have 26 + 26 + 10 + 10 = 72 choices for each character. That produces a password space of 72^12, which is about 19 × 10^21 and includes 62 trillion times more choices than the 6-character example.

Mathematicians often analyze password spaces by calculating the binary digits, or bits, in the number of possibilities. These bits are also described as the “entropy” of a password space, or how unpredictable its passwords can be. A space of N possible passwords gives an entropy of 1 + ⌊log₂ N⌋ binary digits, where ⌊log₂ N⌋ is log₂ N rounded down to the nearest integer.

Why does password entropy matter? The larger the possibility space, the more difficult it is to crack a particular password in that space. Returning to the above examples, the 12-character password has an entropy of 75 bits. The 6-character password has an entropy of only 29 bits. This means that if it only took one second for a computer to run through all of the viable 6-character passwords, it would take the same computer two million years to explore the 12-character password space.

The French National Cybersecurity Agency, or ANSSI, explains that password entropies of 64 bits or less are “very weak”. Spaces between 64 and 80 bits are considered “weak”, and those between 80 and 100 bits are “moderately strong”. ANSSI claims that any passwords or keys being used for encryption must be at least 100 bits in order to ensure security.
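The arithmetic in the preceding paragraphs, carried through in code. This is an added example, not code from the article or its sources; the alphabet sizes are the article's (26 lowercase letters; 72 characters once uppercase, digits and ten symbols are allowed), the entropy formula is the article's 1 + ⌊log₂ N⌋, and the `anssi_rating` boundaries are one reading of the ANSSI ranges quoted above (64 bits or less is "very weak", and a value of exactly 80 or 100 is placed in the higher category).

```python
import math

# Alphabet sizes from the article's two examples.
LOWERCASE_ONLY = 26                  # a-z
FULL_ALPHABET = 26 + 26 + 10 + 10    # lowercase, uppercase, digits, ten symbols = 72


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn from `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(space: int) -> int:
    """Entropy as the article defines it: 1 + floor(log2 N) binary digits.

    For a positive integer N, floor(log2 N) == N.bit_length() - 1, so the result
    is exactly N.bit_length(). Using integer bit length rather than a floating
    point log2 keeps the answer exact for very large spaces, where rounding
    could push the value across a power of two.
    """
    if space < 1:
        raise ValueError("a password space must contain at least one password")
    return space.bit_length()


def search_ratio(bigger_space: int, smaller_space: int) -> int:
    """How many times longer an exhaustive search of the bigger space takes."""
    return bigger_space // smaller_space


def years_at_rate(space: int, guesses_per_second: float) -> float:
    """Years needed to try every password in `space` at a fixed guessing rate."""
    seconds_per_year = 365.25 * 24 * 60 * 60
    return space / guesses_per_second / seconds_per_year


def anssi_rating(bits: int) -> str:
    """Map an entropy value onto the ANSSI categories the article quotes.

    Boundary placement (exactly 80 or 100 bits goes up a category) is an
    assumption; the article only gives the ranges.
    """
    if bits <= 64:
        return "very weak"
    if bits < 80:
        return "weak"
    if bits < 100:
        return "moderately strong"
    return "strong"


if __name__ == "__main__":
    small = password_space(LOWERCASE_ONLY, 6)
    large = password_space(FULL_ALPHABET, 12)
    for label, space in (("6 lowercase chars", small), ("12 chars, 72-symbol alphabet", large)):
        bits = entropy_bits(space)
        print(f"{label}: N = {space:,} -> {bits} bits ({anssi_rating(bits)})")
    print(f"ratio of the two spaces: {search_ratio(large, small):,}")
    # The article's thought experiment: a machine that exhausts the small space
    # in one second runs at `small` guesses per second, so the large space takes:
    print(f"about {years_at_rate(large, guesses_per_second=small):,.0f} years")
```

Running the script reproduces the article's figures: 29 bits versus 75 bits, a ratio of roughly 62 trillion, and about two million years. Note that `entropy_bits` measures the space a password is drawn from, not the password itself; a 12-character password chosen from a dictionary word plus a digit lives in a far smaller effective space than the 75-bit figure suggests, which is the point the dictionary-attack discussion below makes.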

Even so, a password that is safe today may no longer be safe in ten, twenty, or fifty years, as computers become even faster in accordance with Moore’s law. Only password spaces with at least 128 bits will, without question, remain secure for many years. Such passwords, however, would need to be at least 16 characters long, with 200 choices for each character – in other words, they are nearly impossible to remember. For this reason, while passwords generated and stored by machines might belong to a space of this size, those remembered by users are typically of only low or medium strength.

To compensate for weaker passwords, systems often have other checks in place to impede hackers. Many will temporarily lock an account after three failed attempts. More recently, some system designers have suggested doubling the waiting time after every unsuccessful try and unlocking the account after a maximum of 24 hours. These measures, however, cannot safeguard against hackers who remain undetected by the system.
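The lockout policy just described, as an added example that is not part of the article: three free failures, then a lockout whose length doubles with every further failure and is capped at 24 hours, cleared by a successful login. The article gives the three-attempt threshold and the 24-hour cap; the one-minute length of the first lockout (`base_delay`) is an assumed value. The clock is injectable so the policy can be exercised without waiting, and `attempt_login` is a hypothetical wrapper showing how a login handler would consult it.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

DAY_SECONDS = 24 * 60 * 60


@dataclass
class LoginThrottle:
    """Per-account lockout: a few free failures, then a doubling delay capped at 24 hours."""

    free_attempts: int = 3                    # article: lock after three failed attempts
    base_delay: float = 60.0                  # assumed: the first lockout lasts one minute
    max_delay: float = DAY_SECONDS            # article: unlock after a maximum of 24 hours
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def delay_for(self, failures: int) -> float:
        """Lockout length after `failures` consecutive failed attempts."""
        excess = failures - self.free_attempts
        if excess < 0:
            return 0.0
        # 60 s, 120 s, 240 s, ... until the cap; doubling reaches 24 h after 11 steps.
        return min(self.base_delay * 2 ** excess, self.max_delay)

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str) -> float:
        """Count a failed login and return the lockout now in force (0.0 if none)."""
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        delay = self.delay_for(n)
        if delay > 0:
            self._locked_until[user] = self.clock() + delay
        return delay

    def record_success(self, user: str) -> None:
        """A correct password clears the failure history."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(throttle: LoginThrottle, user: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Hypothetical login handler: returns 'locked', 'ok' or 'denied'.

    While an account is locked the password is not checked and the attempt is
    not counted, so guesses made during the lockout cannot extend it further.
    """
    if throttle.is_locked(user):
        return "locked"
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"


if __name__ == "__main__":
    # Constructed verifier standing in for a real password-hash comparison.
    users = {"alice": "correct horse battery staple"}
    throttle = LoginThrottle()
    check = lambda u, p: users.get(u) == p
    for guess in ("123456", "password", "qwerty", "letmein"):
        print(guess, "->", attempt_login(throttle, "alice", guess, check))
    print("after a 4th failure the lockout is", throttle.delay_for(4), "seconds")
```

Two caveats follow from the article's own wording. The throttle only slows guesses that pass through this login path; an attacker who has already obtained a copy of the password database and is testing guesses offline, or who spreads attempts across many accounts so that no single account trips the threshold, is not slowed by it. And because a lockout is visible to the legitimate user, a long cap such as 24 hours doubles as a way to lock people out of their own accounts, which is why the article's "undetected" remark matters.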

Perhaps more importantly, hackers almost always utilize strategies other than brute force to crack passwords. Dictionary attacks, for example, exploit the fact that user passwords are far from random – only a fraction of the complete password space is used in practice. In this type of attack, hackers methodically scan through password dictionaries, or lists of passwords in order of decreasing frequency. At the top are the most common user passwords – simple words, short phrases, sequences of numbers, names. In one such dictionary from 2017, the first entry is “123456”, with “password”, “qwerty”, “123456789”, “letmein”, “football”, “iloveyou”, and “trustno1” all in the top 25. While strict password requirements discourage these targeted searches, dictionary attacks remain remarkably effective.

So the next time your favorite password fails to pass a length, number, or symbol requirement, switch to a completely different one. Consider using some random password-generating software. Perhaps even consult a secure Web tool to confirm that the password you are committing to hasn’t already been hacked. Just remember, those provisions are there for your protection.
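An acceptance check that combines the composition rules quoted at the top of the article with a lookup against a common-password list, illustrating the dictionary-attack paragraph and the closing advice. This is an added example, not code from the article; `COMMON_PASSWORDS` is a constructed sample containing only the entries the article names from the 2017 list, and the prefix-peeling rule in `common_password_match` is this example's own way of catching the habit the article opens with, appending a digit or an exclamation point to a favourite password.

```python
import re
from typing import FrozenSet, List, Optional

# Constructed sample of a frequency-ordered password dictionary: the entries
# the article names from a 2017 list. A real deployment would load a full corpus.
COMMON_PASSWORDS: FrozenSet[str] = frozenset({
    "123456", "password", "qwerty", "123456789", "letmein",
    "football", "iloveyou", "trustno1",
})

# The three rules quoted at the start of the article.
RULES = (
    (lambda pw: len(pw) >= 12, "Password must be at least 12 characters."),
    (lambda pw: re.search(r"\d", pw) is not None, "Password must contain at least one number."),
    (lambda pw: re.search(r"[A-Z]", pw) is not None, "Password must have at least one capital letter."),
)


def common_password_match(pw: str, common: FrozenSet[str] = COMMON_PASSWORDS) -> Optional[str]:
    """Return the dictionary entry this password is built on, or None.

    Users commonly satisfy composition rules by appending digits or symbols to a
    dictionary word, so besides the lowercased password itself every prefix
    obtained by peeling trailing digits/symbols off the end is looked up. Peeling
    stops at the first letter so unrelated words are not matched by accident.
    """
    low = pw.lower()
    for k in range(len(low), 0, -1):
        if low[:k] in common:
            return low[:k]
        if low[k - 1].isalpha():
            break
    return None


def check_password(pw: str, common: FrozenSet[str] = COMMON_PASSWORDS) -> List[str]:
    """Every reason the password is rejected; an empty list means it is accepted."""
    problems = [message for ok, message in RULES if not ok(pw)]
    hit = common_password_match(pw, common)
    if hit is not None:
        problems.append(f"Password is a variant of the common password {hit!r}.")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "Trustno1!!!!", "correct-horse-battery-9", "Correct-Horse-Battery-9"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

"Trustno1!!!!" is the instructive case: it satisfies all three composition rules yet is a trivial variant of a top-25 dictionary entry, which is exactly why the article says strict requirements only discourage, rather than defeat, dictionary attacks. The breach-lookup service the closing paragraph suggests fits the same slot as `common_password_match`; whichever source is used, rejecting known-common passwords at registration time does more than any single composition rule.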

Sources
https://www.scientificamerican.com/article/the-mathematics-of-hacking-passwords/
https://www.carbonblack.com/2016/09/07/dont-be-cracked-the-math-behind-good-online-passwords/
https://security.blogoverflow.com/2013/09/about-secure-password-hashing/