The Myth of Password Complexity

The newspapers have finally reported what thinking people have already figured out for themselves. What we have been told for decades about setting password policies is based on illogical thinking.

The Fallacy of the Complicated Password
If you have set up Active Directory, LDAP, or any application with its own user store then you probably have seen that you can write password rules. Typically those rules require that passwords have a certain number of uppercase letters, numbers, and non-alphabet letters .  They also require a certain length.  Some even require that the password contain no words from the dictionary.

The result is instead of having passwords like “password123” or “name_of_pet.” They have something like “$%Lxxhh3.”

But that is only difficult for a human being to remember. Punctuation symbols and odd characters are not complicated for a computer.

So people are forced to use passwords that they cannot remember. The result is that people do what you would think they do and write these passwords down. Writing them down in a Word document is bad policy as that can be stolen.

The difficulty of typing and remembering a password has nothing to do with its security. There is one and only one factor that determines how difficult it is for hackers to attack a password: length.

The Limits of the Brute Force Attack
First, know that the brute force attack of trying every combination of letters and characters does not work on many systems for practical considerations. For example, the iPhone is designed to run slower each time someone enters an incorrect password. So the time it takes to run through all possibilities grows exponentially slower.

Also a corporate LAN that users Active Directory will most likely lock the password after a certain number of tries. So brute force does not work there.

the myth of password complexity

The items that are subject to password brute force attacks are offline data and things that have no password locking. The first item includes data sessions that have been recorded and are protected by some kind of key. The second includes items like firewalls, database credentials, Linux logins, and stolen encrypted disk drives.

Even when there is a locking mechanism it is sometimes possible to bypass that. For example, a hacker can take a phone apart and use a soldering iron and other devices used to repair cell phones and brute force attack the device by bypassing the mechanism that would otherwise lock the phone or erase the data there.

Password Complexity
If a password was only numbers, like the passcode on an Android screen, and if there are 4 numbers there there are only 10,000 possible combinations (10 raised to the 4th power). If the password characters are letters of the alphabet, and only lowercase letters then there would 26 raised to the 4th power possibilities.

To understand that, suppose the first letter in a password is an “a.” Then there are 26 possible numbers to pick from for the second letter, because there are 26 letters in the alphabet. So pick “b” for the first letter. There are 26 possibilities for the second letter again. And since there are 26 letters in the alphabet, there are 26 x 26 = 676 possibilities for a two-letter password.

So in general the number of possible passcodes a hacker would have to guess in order to attack a stolen Oracle database or any other data is:  (number of character allowed) raised to the (password length) power.

The Ideal Password
So, the ideal password is a sentence and not one word. A sentence is long and a word is short.  And a sentence is easy to remember. So there is no risk that a hacker will learn the password by copying it from a stolen Word document since there is no need to write it down.

So the user’s password could be:

“the.rain.in.Spain.falls.mainly.on.the.plain.”

That’s 84 letters. If any letter in the 256 character ASCII character set is allowed that is 256 raised to the 84th power possible passwords. That’s 1.9 followed by 202 zeroes.

Now, have you ever noticed that when you login to Ubuntu it takes the computer almost a full second to check your password? That is because it has to run its cryptographic routine to check that against what is stored in its password database. The same is true when you try to login to Oracle, a firewall, or any software or devices. That is because cryptographic calculations are expensive computationally, meaning that math is complex and takes some CPU cycles.

So you might look at 1.9 followed by 202 zeroes and think a computer could run through that entire fairly quickly.  Perhaps. But they could not do that and also try to login into Ubuntu or Oracle in any amount of time that is reasonable.  Just take that enormous number and think of it as seconds. That’s still 3.7 with 195 zeroes number of days.

So change your password policies to get rid of complicated letters and just make passwords very long. This is especially true for routers, Linux system, database logins, and other devices that do not support two-factor authentication. For everyone else use two-factor authentication.