Passwords should be safe. That’s a no-brainer. But it can be quite a challenge finding a safe and at the same time manageable password. My opinion: There really is no satisfying solution to the password dilemma today. Let me explain why.
How people handle passwords
How do you handle your internet security? Which passwords do you use? And do you think they’re really safe? Generally, how people handle their password security can be divided into three categories:
1. People who do not care at all. Their main goal is to be able to remember the passwords. Often they use true gems like “qwerty”, “123456”, “password” or the name of their pet (or wife/husband). The password is the same on each login page, for all accounts. I don’t have to point out that this is extremely unsafe.
2. People who make a science out of it. They use a different password for each login and choose passwords with maximum security (a mixture of letters, capitals, numbers and special characters). Those can only be kept in a password safe, because nobody can remember them anymore. (A password safe is an encrypted piece of software that stores lots of passwords together with information like username, URL, etc. Usually you only need to remember one single password to unlock it.)
3. People who mainly use one password, but it’s a tough one. Like sentences with some characters replaced or jumbled up (e.g. “n0b0Dyc4Nr3aDTh!s”).
Unfortunately, each of these solutions comes with its own problems:
1. It’s obvious that the first group is at high risk of being hacked. Their easy-to-remember passwords can also be guessed easily, and attackers then have access to all of the victim’s accounts.
2. This is VERY secure - isn’t it? You would think so, but the answer is yes and no. The weak point here is the password safe, which can usually be opened with one single password, again providing access to all of the complicated passwords within. In addition it’s very clunky - and while you’re on the go, you can’t log in anywhere. So that’s kind of annoying as well.
3. This looks like a good solution, BUT here comes the problem: each website has its own set of rules for what a password MUST look like. Some require letters or at least one special character, while others do not allow those characters at all. Some require a specific minimum (and maximum) length. So you end up with a few passwords instead of just one, and for each login that isn’t used regularly you have to guess again which variant you used.
It looks like a dilemma nobody can ultimately fix. And we can’t provide the ultimate solution here either. I do hope there will be a simple solution in the future, like a secure iris scanner (the technology exists already, but is not yet advanced enough - see for instance this video on how easily current iris scanners can be hacked), an automatically generated key submitted from your mobile phone to identify yourself, or something like that.
Until then, my suggestion is: we should all agree on a standard minimum password requirement for all login pages, such as default minimum length and set of characters. If that were the case, password option three would become much more attractive and realistic to handle.
Let’s say we took the ASCII standard (this character set is one of the most common standards on electronic devices) with its 95 printable characters as the allowed set of characters. By also standardizing the number of characters, for example a length of 10, it would allow
possible passwords, which is a bit stronger than a 64 bit key strength. Sure, it’s not so strong that brute force could never crack it, but in combination with reCAPTCHAs or a limited number of tries per hour, it would at least allow using the same (or a slightly adjusted) password for different pages.
If we increased the allowed length to 32 characters, for instance, we would need at most 32 bytes of disk space per password and it would allow
possible passwords, which is comparable to a 210 bit key strength - that’s pretty strong already and most likely much stronger than your current password.
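As an added example (not code from the original article), here is a small Python check that enforces the standard proposed above: any of the 95 printable ASCII characters is allowed, the length is at least 10 characters and at most 32 bytes, and the trivial passwords named at the start of the article are rejected. The function name and the tiny denylist are my own constructions; a real deployment would compare against a large breached-password list. Note that the 32-byte cap concerns the password as entered; the stored value should be a salted hash, whose size does not depend on the password length at all.

```python
# Added example: a validator for the article's proposed standard password rule.
# The function name and the small denylist are constructed for illustration.

MIN_LEN = 10   # proposed standard minimum length (characters)
MAX_LEN = 32   # proposed cap: at most 32 bytes per password

# The 95 printable ASCII characters, 0x20 (space) through 0x7E ('~').
ALLOWED = frozenset(chr(c) for c in range(0x20, 0x7F))

# Constructed stand-in for a breached-password list; a real deployment
# would load a much larger list (compared case-insensitively).
COMMON_PASSWORDS = frozenset({"qwerty", "123456", "password"})


def check_password(pw: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    # Length is measured in bytes so that non-ASCII input cannot exceed the 32-byte cap.
    if len(pw.encode("utf-8")) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} bytes")
    outside = sorted({ch for ch in pw if ch not in ALLOWED})
    if outside:
        problems.append("characters outside printable ASCII: " + repr("".join(outside)))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one from the article, one with umlauts, one too long.
    for candidate in ["qwerty", "n0b0Dyc4Nr3aDTh!s", "pässwörter123", "x" * 33]:
        verdict = check_password(candidate)
        print(f"{candidate!r:24} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Spaces are deliberately allowed, so a long sentence of the kind recommended at the end of the article passes the check unchanged.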
Why special characters do not help
A common misunderstanding is that adding additional possible characters (like special characters) is the best way to increase the security of a password. Mathematically speaking, the strength of a password is defined by how many guesses a brute-force attack would need to simply guess the password. (We treat every combination as equally likely here. In reality, please also avoid real words that appear in books of written language; password crackers usually test those combinations first.)
For a single roll of a die, for instance, the maximum number of guesses needed is 6, while on average only 3.5 guesses are needed.
Our Latin alphabet has 26 characters (we can double the number with capitals), and by allowing numbers we can add another 10 possibilities. In total we now have 62 options.
While the allowed charset defines the number of options, the key factor for security is the length of the password: each additional character increases the exponent by 1:
- simple alphabet (26 chars) and a length of 6: 308,915,776 possibilities
- dice (6 chars) and a length of 26:
Another comparison: take a character set of 26 characters (the alphabet) and a length of 10. The following chart shows how the complexity evolves when 2 characters are added to the set versus when the length is increased by 2:
In simple terms: adding length increases the complexity of passwords much faster than adding additional characters.
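To make the numbers in this section and in the earlier keyspace passage concrete, here is an added Python example (not code from the original article). It computes the keyspace and equivalent bit strength for the article's cases (95 printable characters at length 10 and 32, the alphabet at length 6, dice at length 26), reproduces the comparison behind the chart (adding 2 characters to the set versus adding 2 to the length), and estimates how long an online guesser would need under a per-hour try limit. The function names and the 100-tries-per-hour figure are my own assumptions.

```python
# Added example: keyspace and bit-strength arithmetic behind the article's numbers.
# Every combination is treated as equally likely (no dictionary shortcuts), as the text does.
import math

PRINTABLE_ASCII = 95   # printable ASCII, 0x20..0x7E
ALPHABET = 26          # lowercase Latin alphabet
DIE = 6                # faces of a die


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length


def bit_strength(charset_size: int, length: int) -> float:
    """Equivalent symmetric key length: log2 of the keyspace, i.e. length * log2(charset_size)."""
    return length * math.log2(charset_size)


def growth_factors(charset_size: int, length: int, delta: int = 2) -> tuple[float, float]:
    """How much the keyspace grows when `delta` symbols are added to the set,
    versus when the length grows by `delta` (the comparison behind the article's chart)."""
    base = keyspace(charset_size, length)
    wider = keyspace(charset_size + delta, length) / base
    longer = keyspace(charset_size, length + delta) / base
    return wider, longer


def expected_years_online(charset_size: int, length: int, tries_per_hour: float) -> float:
    """Expected time for an online guesser limited to `tries_per_hour` attempts.
    On average half the keyspace must be tried before the right password is hit."""
    expected_guesses = keyspace(charset_size, length) / 2
    return expected_guesses / tries_per_hour / (24 * 365)


if __name__ == "__main__":
    for name, n, k in [("95 printable, length 10", PRINTABLE_ASCII, 10),
                       ("95 printable, length 32", PRINTABLE_ASCII, 32),
                       ("alphabet, length 6", ALPHABET, 6),
                       ("dice, length 26", DIE, 26)]:
        print(f"{name:26} {keyspace(n, k):.3e} possibilities  ~{bit_strength(n, k):.1f} bits")
    wider, longer = growth_factors(ALPHABET, 10)
    print(f"alphabet at length 10: +2 characters x{wider:.2f}, +2 length x{longer:.0f}")
    # Assumed limit of 100 tries per hour per account (constructed figure).
    print(f"95^10 at 100 tries/hour: ~{expected_years_online(PRINTABLE_ASCII, 10, 100):.1e} years")
```

At length 10 on the 26-letter alphabet, two extra characters in the set multiply the keyspace by roughly 2.1, whereas two extra positions multiply it by 676, which is the point of the chart. The online estimate is only meaningful where the try limit is actually enforced; an attacker with a stolen password-hash database is not bound by it, which is why the bit strength still matters.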
How should you approach the dreaded password dilemma now? While it’s still not the perfect solution, I would suggest a combination of some of the methods mentioned above as the best approach. A simple (long) sentence is stronger than a mix of characters that you can’t remember. A password safe like KeePass or LastPass can help you “remember” all the passwords for your different accounts. Let’s hope that one day a brilliant solution will be invented, so that we can smile and reminisce: “can you still remember the time when we needed to remember passwords…” ;)