You, Your Passwords, and You.

This week, the Guild Wars 2 Twitter account (@GuildWars2) was reminding users to create strong passwords, and the topic of the XKCD password approach came up.  The main point of the XKCD comic is that we have made passwords hard for people and easy for computers, and that is surely true.  But the XKCD approach is flawed because it assumes attackers will keep using a character-by-character brute-force approach against these longer passwords, when dictionary attacks are far more common.

To illustrate, think on this question: Is the password “onetwothreefour” much better than “1234”?

The Guild Wars folks advocate what I call a “sentence mashing” technique. From their article:

  • Don’t use common words or phrases – instead, make up an abbreviated version of a personally meaningful sentence that wouldn’t make sense to anyone but you. Examples:
    • WIw7,mstmsritt. = When I was seven, my sister threw my stuffed rabbit in the toilet.
    • Itmcwloc&s = I take my coffee with lots of cream and sugar
    • I<3rbthtff! = I love rangers because they have the fuzziest friends!

They also advise using longer passwords, special characters, mixed case, a password manager, and never reusing passwords. Do all those things too.

Here is a very rough comparison of four password generation approaches and their search spaces.

1. First, a lame approach no one should use

As a horrible example, consider using only the digits 0 through 9. This means only 10 possible “digits”. A password of length 10 gives 10^10, or 1×10^10, possible passwords.

2. The Conventional approach

Upper- and lower-case letters, the ten digits, and about ten common special characters give roughly 72 possible “digits”. A password of length 10 gives 72^10, or about 3.7×10^18, possible passwords.  That is a nice large space; the drawback is that these are very hard to remember, especially if you actually make them even somewhat random.

3. The XKCD approach

This approach strings together four random common words, which seems like it will generate very long, unbreakable passwords.  But length is not the factor; information content is.  Once this became a known method of password generation, new dictionary attacks could be brought to bear: attacks that treat each whole word, rather than each letter, as the unit to guess, and so exploit the very feature that makes the method attractive.

The folks that make the Oxford English Dictionary say roughly 1000-7000 words are “common”. 1000 words make up 75% of Americans’ vocabulary, and 7000 words cover 95%. So, that means 1000-7000 “digits”. Assuming four words strung together, as XKCD advises:

  • Low estimate: 1000^4 or 1×10^12 (only 100 times better than the lame approach)
  • High estimate: 7000^4 or 2.4×10^15 (still about 1,500 times worse than a conventional 10-character password)
  • For reference, the comic itself assumes a 2048-word list, which gives 2048^4 = 2^44, or about 1.8×10^13, between the two estimates.

4. The Sentence Mashing approach

This password space is harder to calculate. My back-of-the-envelope method is the same as for the conventional approach, but these passwords can be made longer, because the sentence behind them makes them easy to remember. Let’s say we make 13-character passwords and (arbitrarily) assume a 100-fold “loss of randomness” because they originate from an English sentence. That discount is a guess, not a measurement; the real loss depends on how predictable the sentence and the abbreviation rule are.

This effectively results in 72^13 / 100, or about 1.4×10^22 possible passwords, roughly 72^12.   This is about 3,700 times better than the conventional 10-character approach, and it has the bonus that you can remember it. Add a couple more characters, spice it up with some special-character substitutions, and you have a rock-solid password.

To Sum Up…

Trying to illustrate the differences between these approaches is hard to do graphically, because they don’t even fit on the same graph. But here they are, in order:

  • Lame (1×10^10) is 100 times worse than XKCD low (1×10^12),
  • which is 2,401 times worse than XKCD high (2.4×10^15),
  • which is about 1,560 times worse than Conventional (3.7×10^18),
  • which is about 3,700 times worse than Sentence mashing at length 13 (1.4×10^22),
  • which is 5,184 times worse than Sentence mashing at length 15 (7.2×10^25).
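The arithmetic behind the four comparisons, plus the “onetwothreefour versus 1234” question from the top of the post, as an added example that is not code from the original post or from the Guild Wars 2 team. The 72-character alphabet, the 1000/7000-word dictionaries, four words per phrase and the 100-fold “loss of randomness” are the post’s own rough assumptions; the guess rate, the ten-entry number-word list and the greedy tokenizer are constructed here to show how an attacker who knows the scheme scores a password by the space to search rather than by its length.

```python
"""Search-space arithmetic for the password schemes compared in the post,
plus a toy model of an attacker who guesses whole dictionary words.

Added example; not from the original post or from ArenaNet.  The alphabet
size, dictionary sizes and 100-fold discount follow the post's rough
assumptions; the guess rate and NUMBER_WORDS are constructed for illustration.
"""
import math

ALPHABET = 72                 # upper + lower + digits + ~10 specials, as in the post
GUESSES_PER_SECOND = 1e10     # assumed offline cracking rate against a fast hash (illustrative)


def search_space(alphabet_size: int, length: int) -> int:
    """Brute-force space for `length` uniformly random characters."""
    return alphabet_size ** length


def word_list_space(dictionary_size: int, words: int) -> int:
    """Space for `words` words drawn uniformly from a dictionary (XKCD style)."""
    return dictionary_size ** words


def sentence_mash_space(length: int, loss_factor: int = 100) -> int:
    """The post's estimate: a random-looking string of `length` characters,
    discounted by an arbitrary factor because it derives from a sentence."""
    return ALPHABET ** length // loss_factor


def bits(space: int) -> float:
    """Entropy in bits if every password in the space is equally likely."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole space at the assumed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """The schemes from the post, in the order of the summary list."""
    return {
        "lame (10 digits)": search_space(10, 10),
        "xkcd low (1000^4)": word_list_space(1000, 4),
        "xkcd comic (2048^4)": word_list_space(2048, 4),
        "xkcd high (7000^4)": word_list_space(7000, 4),
        "conventional (72^10)": search_space(ALPHABET, 10),
        "sentence mash 13": sentence_mash_space(13),
        "sentence mash 15": sentence_mash_space(15),
    }


# Constructed dictionary: an attacker who "knows" that people spell out numbers.
NUMBER_WORDS = ("one", "two", "three", "four", "five",
                "six", "seven", "eight", "nine", "ten")


def effective_space(password: str, dictionary=NUMBER_WORDS) -> int:
    """Greedy longest-match tokenizer.  Each dictionary word costs len(dictionary)
    guesses, each lone digit 10, any other character ALPHABET.  The product is
    the space an attacker who models the scheme actually has to search."""
    by_length = sorted(dictionary, key=len, reverse=True)
    space, i = 1, 0
    while i < len(password):
        match = next((w for w in by_length if password.startswith(w, i)), None)
        if match:
            space *= len(dictionary)
            i += len(match)
        elif password[i].isdigit():
            space *= 10
            i += 1
        else:
            space *= ALPHABET
            i += 1
    return space


if __name__ == "__main__":
    for name, space in compare().items():
        print(f"{name:24s} {space:10.2e}  {bits(space):5.1f} bits  "
              f"{years_to_exhaust(space):10.3g} years to exhaust")
    for pw in ("1234", "onetwothreefour", "WIw7,mstmsritt."):
        s = effective_space(pw)
        print(f"{pw!r:20s} effective space {s:.2e} ({bits(s):.1f} bits)")
```

Under this attacker model “onetwothreefour” and “1234” both score 10^4: four tokens from a ten-entry list versus four digits. The mashed sentence scores as 15 mostly unconstrained characters because nothing in it matches the word list, which is the post’s argument in numeric form; a smarter attacker with a list of common sentences would shrink that figure, which is what the 100-fold discount is trying to allow for.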

One password to rule them all…

So, you can see I prefer sentence mashing–the approach spelled out by the Guild Wars 2 team. But in today’s world, there is still the issue of remembering many passwords—and which password goes with what. That is where a password manager comes in (e.g., LastPass, 1Password, SplashID). You can set these to generate completely random 20-character long passwords: a different one for each of your logins.

Then use the sentence mashing technique to make an impenetrable password for your password manager—since it is now the critical gatekeeper of all your passwords.

Also, I like to use multi-factor authentication for additional security, but that is another topic.

– Cheers, Ralff