Why size matters with passwords

Posted on December 18, 2019


The recently published list of this year’s most common passwords shows that in these times of increased cyber awareness, there are still millions of people using extremely basic passwords that can be cracked in an instant. However, it’s easier to criticise than to suggest a solution, so what attributes should a strong password have?

Special characters?

Many websites that require a password will no longer allow you to choose one as simple as ‘password’ or ‘12345’. For a start, they may ask for a minimum length, but they may also require you to have a mixture of upper and lower case letters, and at least one number or special character, such as a question mark or ampersand (&).

This makes a lot of sense, because if you limit yourself to lower case letters, you have only 26 characters at your disposal. The inclusion of upper case immediately doubles this to 52, the digits 0-9 add a further 10, and there are hundreds of other characters that could be used, including some not on the keyboard. The greater the pool of characters used, the less crackable your password will be.

The problem is that the insistence upon including numbers and upper case letters has led people who would otherwise use ‘password’ to use something only marginally more secure, such as ‘Passw0rd’. It’s because of this that even Bill Burr, who is credited with popularising the advice to use a mix of characters, now admits that he regrets saying it.

Longer is stronger

Many password gurus now advise that it’s better to favour length over complexity, and that using two or three everyday words makes for a safer password than a short, nonsensical alphanumerical combination. Thus, a password like ‘chicken wardrobe igloo’ may actually be more secure than a much more cryptic-looking one like ‘z$T28’.

To illustrate this, sport lovers who enjoy betting will likely have had experience of accumulators. These rely on a number of outcomes being correctly predicted in order for the punter to win the bet, and the more bets they add to it, the greater their pay-out will be. The problem is that with each bet added, the probability of success becomes smaller, and it only takes one outcome to be predicted wrongly for the entire bet to be lost.

A football fan looking at last weekend’s fixtures might have correctly thought that Premier League leaders Liverpool were sure to beat bottom-of-the-table Watford, and that Manchester City would probably be too strong for an out-of-sorts Arsenal with no permanent manager in place. However, they may also have assumed that in-form Leicester City would overpower struggling Norwich City at home, but this game ended in a 1-1 draw, and Chelsea’s 1-0 home defeat to Bournemouth also went against the form books. This shows that even though four individual events may each be likely, it’s unlikely that all four will produce no surprises between them.

To apply this to a choice of passwords, let’s keep it simple by assuming that you’re sticking to the 26 lower case letters. If you had a one-letter password, there would be a 1 in 26 chance of guessing it. This might seem small, but bear in mind that an intruder can have a few attempts, and there are programmes that can help with password cracking. By increasing it to two letters, there is a one in 26 chance of guessing each letter, and because both must be right, you multiply 26 by itself and get a one in 676 chance of guessing the password correctly – much more unlikely, but still not strong enough.

If you have a 20-character password, there are 19,928,148,895,209,409,152,340,197,376 different possible combinations, which can be written as nearly 20 octillion. For some kind of perspective, there are estimated to be around one septillion stars in the universe, so we have 19,928 times more password possibilities here than stars. That’s without including anything but lower case letters!

You might argue that ‘chicken’, ‘wardrobe’ and ‘igloo’ are English words and are therefore more guessable than random characters. Even so, the Oxford English Dictionary contains 171,476 words, so by choosing just three of them in a certain order, you have created a password that is one of more than five trillion possibilities (171,476 cubed) using that method.
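The arithmetic in the two paragraphs above (pool size raised to the number of positions, whether the positions are letters or whole words) can be put into a small script. This is an added example, not code from the original post; the pool of 95 printable ASCII characters used for the ‘z$T28’ style is an assumption, since the post only says "hundreds" of other characters exist, and treating ‘Passw0rd’ as a single dictionary word reflects the post’s view that the digit swap adds little.

```python
import math

# Pool sizes from the post: 26 lower case, 52 with upper case, 62 with digits.
# The 95 figure (printable ASCII) is an assumption used for the 'z$T28' example.
LOWER_ONLY = 26
LOWER_UPPER = 52
LOWER_UPPER_DIGITS = 62
PRINTABLE_ASCII = 95
OED_WORDS = 171_476  # dictionary size quoted in the post


def search_space(pool_size: int, length: int) -> int:
    """Distinct passwords when each of `length` positions is an independent
    choice from `pool_size` symbols (letters or whole words).  This is the
    accumulator argument: every extra position multiplies the outcomes an
    attacker has to cover, so 26 letters twice gives 26 * 26 = 676."""
    return pool_size ** length


def entropy_bits(space: int) -> float:
    """Strength expressed as bits: log2 of the search space, which makes
    wildly different scheme sizes comparable on one scale."""
    return math.log2(space)


def scheme_strength(schemes: dict) -> list:
    """Rank schemes by search space, weakest first.
    Each scheme is a (pool_size, length) pair; returns (name, space, bits)."""
    ranked = [(name, search_space(p, n), entropy_bits(search_space(p, n)))
              for name, (p, n) in schemes.items()]
    return sorted(ranked, key=lambda row: row[1])


# Constructed schemes mirroring the post's examples.
PAGE_SCHEMES = {
    "1 lower case letter": (LOWER_ONLY, 1),
    "2 lower case letters": (LOWER_ONLY, 2),
    # 'Passw0rd' is still one dictionary word with a predictable tweak, so the
    # assumption here is that the substitution adds no new pool worth counting.
    "'Passw0rd' (1 dictionary word)": (OED_WORDS, 1),
    "'z$T28' (5 printable ASCII)": (PRINTABLE_ASCII, 5),
    "3 dictionary words": (OED_WORDS, 3),
    "20 lower case letters": (LOWER_ONLY, 20),
}

if __name__ == "__main__":
    for name, space, bits in scheme_strength(PAGE_SCHEMES):
        print(f"{name:34s} {space:>32,d}  {bits:6.1f} bits")
```

Run as-is it prints the schemes from weakest to strongest, with the three-word passphrase landing well above the five-character ‘z$T28’ and the 20-letter string at the top.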

Tomorrow, we will look at an example of how combinations of three simple words are being used in technology, with potentially life-saving results.

John Murray

Content Team Leader at Engage Web
John works for Engage Web as a Content Team Leader and regularly contributes to the website and programmes of his beloved Chester F.C.