Passwords, Your Personal Code to the Web

One day I caught my wife resetting her password to access a website. Turns out that she could never remember the password and always reset it to access this website. Come to find out, she also used this strategy to manage the passwords she needed for other websites.

Needless to say this started quite the discussion about passwords and how to deal with them. We talked about a few ideas to both help her situation and improve her overall online security. Here’s the short list:

  • What makes a good password? Why are strong passwords important?
  • What is Two Factor Authentication? And why would I want to deal with the hassle?
  • Password Managers – A way to keep everything organized.
  • Biometrics – How secure are fingerprint scanners (Touch ID) and facial biometrics (Face ID)?

What makes a good password?

Passwords have been a staple of internet security for decades now. It seems that every website that you use today has a password. You may have hundreds of passwords, each for a different website, some of which you use every day and others that you may not access for months at a time.

This is complicated by the fact that every site has a different set of password requirements. Most sites have a minimum length. Some sites require that you include numbers, special characters, or uppercase characters in your password.

But why are you, the user, required to jump through all of these various, complicated hoops? Why is one password better than another password?

As it turns out, website organizers are trying to get their users to create strong passwords. Restrictions on passwords are simply a way to coax users to select passwords that are stronger than they normally would choose on their own.

Why Strong Passwords are Important

User information is valuable. It can be sold for monetary gain or used to steal someone’s identity. A password is a primary safeguard against this kind of behavior. Having a stronger password can help to protect this information. As more and more companies digitize their records and systems, there is more information that needs to be protected. But how do we quantify the strength of a password?

The strength of a password is sometimes measured by a term called password entropy (usually measured in “bits”). The higher the entropy of a password the longer it will likely take to guess the password. What this means is that we are trying to increase the number of guesses a hacker might have to make to guess or “crack” your password.

Let’s play a guessing game! I am thinking of a number between 1 and 10 (including both 1 and 10 as possibilities). Now you take a guess…

How many guesses did it take for you to get the right answer? Hopefully it took you less than ten guesses, considering that there were ten total possibilities. But most likely it didn’t take all ten guesses to get the right answer. Ten is only the maximum number of guesses that it could have taken. There was also a 10% chance of getting the correct number on our first guess.

Now, what if we take our guessing game and make it a bit harder by adding the 26 English letters to the mix? A number between 1 and 10, in addition to 26 letters, is 36 possibilities in our guessing game. We could also make a distinction between uppercase and lowercase letters and treat each as a separate possibility. Now we have 62 possible answers. Adding in a list of special characters like !@$%^&*_-=+ increases that number to 74 possibilities. Now your chance of guessing it on the first try is 1 in 74.


Let’s apply this to passwords. We can calculate the entropy of a password using this formula:

E = log2(R^L)

Calculating Password Entropy

Where E = password entropy, R = pool of unique characters and L = the number of characters in the password.

For example, a password of “password123” has an entropy of 57 bits. Taking the characters in the password and assuming that the requirements were 26 English characters and 10 digits, that’s 36 for our unique pool of characters (R). Next, the password is 11 characters long (L). Thus our equation becomes: E = log2(36^11).

Let’s try a more complicated password. Say we are using the password “P@s$w0rdL2E”. This password has an entropy of 68 bits. This is derived from our equation as E = log2(74^11). As you can see, adding the extra complexity did improve the entropy, but not by an extreme amount. We increased the pool of characters (R) to 74 in this example, but the length stayed at 11. Also, this is a much more difficult password to type. Seriously, try typing that out 20 times as fast as you can.

Instead, let’s tweak the length of the password. Say our new password is “josephisamadman”. Now we are only using lowercase English letters, which means that our pool size (R) is 26. The length of the password is 15 characters. E = log2(26^15). This makes our password entropy 71 bits. And this password is MUCH easier to type.

A simple solution to increase the strength of your passwords is to use a few common words strung together or use a simple phrase. This works twofold. It makes your password longer (thus increasing its entropy), but it also makes it easier for you to type and harder for a hacker to guess. The web comic XKCD has a great panel about this password security method here.
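To make the arithmetic above concrete, here is a small Python script (added for this post, not code from the original) that applies the E = log2(R^L) formula to the three example passwords, then goes a step further: it works out how long a password has to be, for a given pool size, to reach a target number of bits, and how long an attacker would need to try every possibility at an assumed guessing rate. The pool sizes 36, 74 and 26 are the ones used in the text; the guessing rate of ten billion guesses per second is an assumption chosen for illustration.

```python
import math


def entropy_bits(pool_size: int, length: int) -> float:
    """Password entropy E = log2(R^L) = L * log2(R), in bits.

    pool_size is R (number of distinct characters the password is drawn from),
    length is L (number of characters in the password).
    """
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def length_for_bits(pool_size: int, target_bits: float) -> int:
    """Smallest length L such that log2(R^L) reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: time to try every password in a space of 2^bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


# The three passwords from the text, paired with the pool size (R) the text assumes for each.
EXAMPLES = [
    ("password123", 36),      # lowercase letters + digits
    ("P@s$w0rdL2E", 74),      # letters, digits and specials, as counted in the text
    ("josephisamadman", 26),  # lowercase letters only
]

# Assumed attacker guessing rate (constructed for illustration, not from the text).
ASSUMED_GUESSES_PER_SECOND = 1e10


def summarize(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> list:
    """Return one row per example with its entropy and worst-case search time in days."""
    rows = []
    for password, pool in EXAMPLES:
        bits = entropy_bits(pool, len(password))
        rows.append({
            "password": password,
            "pool": pool,
            "length": len(password),
            "bits": round(bits),
            "days_to_exhaust": seconds_to_exhaust(bits, guesses_per_second) / 86400,
        })
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['password']:<16} R={row['pool']:<3} L={row['length']:<3} "
              f"E={row['bits']} bits  worst case: {row['days_to_exhaust']:,.0f} days")
    # How many lowercase-only characters match the 68-bit "complex" password?
    print("lowercase length needed for 68 bits:", length_for_bits(26, 68))
    # And how long would the 74-character pool need to be to match the 71-bit phrase?
    print("74-pool length needed for 71 bits:", length_for_bits(74, 71))
```

Running it reproduces the 57, 68 and 71 bit figures from the text and shows that 15 lowercase characters already beat the 11-character symbol-laden password. One caveat the formula hides: it assumes every character was picked at random from the pool. A phrase built from dictionary words is drawn from a much smaller space than 26^15, so the real figure is lower; that is exactly why the XKCD approach leans on several unrelated words rather than one memorable sentence.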

Conclusion

Passwords have long been the guardians of our internet security. They protect the information that we exchange on the internet. However, the venerable password is now not the only method that we can use to authenticate to a website. Many services are turning to Two-Factor Authentication, Device Authentication, and even Biometrics for security. Let’s investigate some new methods for security and talk a bit more about authentication in the next post.

NEXT: The Three Factors of Authentication