Your password(s) - how strong are they AND WHY...
The reason many people use poor passwords is that they have no way of telling
what is good or bad AND WHY! The latter is a critical factor in educating
people about strong passwords, hence the method below. Feedback is very
welcome, because I have never seen this attempted anywhere, not even on the Web.
You will not be asked to enter your password, as that is obviously the last
thing you or I would want. Instead you will be asked a series of questions
about it, from which you can calculate a number that approximates its strength.
Please note that:
- This method is not intended to be scientifically or mathematically
'correct': it is based on my judgement of what a hacker is going to try
before they give up and switch to stealing the password rather than cracking it.
Also, most advice that goes into the maths of passwords ignores the fact that,
to make them memorable, people have to link them to something in the real
world, and therefore dictionaries of all sorts are in abundant use by hackers
as their path of least resistance.
- The method has had no formal rigour applied to it apart from review by
peers, so you make any judgements and take any and all risks based
on your own knowledge, skill and common sense, not mine.
How to assess the strength of a password:
- Firstly, what is the variety of the characters used?
Score the following, starting with a count of 0 for variety:
- Add 2 if there is a lower case character - i.e. a-z
- Add 1 if there is a numeric character - i.e. 0-9
BUT NOT if the only one is a single digit at the start or end
- Add 2 if there is an UPPER case character - i.e. A-Z
BUT NOT if the only one is the first character of a word
- Add 3 if there is a punctuation character - for examples look at the
keyboard(s) that you will use (there may be more than one!), normally
the top row when shifted, for instance.
Note that I have referred to these as punctuation but I am
including what are often called 'special' characters.
You now have a rough measure of the variety of your password (the spread of
character classes used, which is what 'entropy' estimates are normally
built on): high is very good, but anything less than 4 is poor, and 5 is OK
as long as your password is sufficiently complex.
The maximum score is 8.
- Now for the complexity of the characters in the password.
Start with a count of 0 (for complexity). Work down the list below from
the top; when a part of the password matches a description, add the points,
remove that part of the password, and start again FROM THE TOP with what
is left, without resetting the score to zero.
When there are no more characters left (you remove them as they match!)
the count you have is your score for complexity.
This list is trying to tell you what is good (high is GOOD) and bad
about the different parts of your password and, of course, how many of them
there are - i.e. how many times you come back to the top - MANY is GOOD,
even if there are few high numbers.
- Add 4 for any set of characters that could be at all related to the
resource that the password secures, what it does, or what most users
will be thinking about at the prompt - not just their user name but what
they could be doing instead of keying in that password - yes,
drinking beer, getting a tan, party-related phrases etc. are all included!
- Add 5 for any name OR PHRASE - place, person, animal, quotation, lyric
- especially if famous, popular, very common, trendy etc.
- Add 7 for any word that is in the dictionary and in common use
- Add 5 for any character repetition or similar
sequence of characters that can be derived from the
alphabet, keyboard (any direction) or other simple rule.
- Add 8 for any of the first 4 items above if the word / character string has only
trivial transpositions - Ss to 5s, bs to 6s or Bs to 8s as one example,
or taking the first letters of each word of a phrase, lyric etc. as another.
- Add 9 for any of the first 4 items above if there is a moderate but single
transposition - removing the vowels or the first vowel for instance,
reversal of characters etc.
- Add 12 for any of the first 4 items above if there are complex or multiple
transpositions - i.e. 2 transpositions on 1 word or 2 different
transpositions on different words.
Don't forget with the above (and below) - REMOVE WHAT MATCHED (Word, name,
character etc.) and go back to the top of this list
- Add 6 for any numeric character left
- Add 8 for any lower case character left
- Add 9 for any UPPER case character left
- Add 11 for any character left - by now you should be able to simply
count them and multiply by 11 if you have got this far.
Now add the length of the password to the score, divide by 5 and round the
result to the nearest whole number.
You now have a rough measure of the complexity of your password:
very high is very good, but 6 and below is poor.
There is no maximum score, but a password such as '9ebgreNcT,A'
would score 12 on this measure - counting 4 for eBay plus
9 each for Green and Cat plus 6 for '9', 9 for 'A' and 11 for ','
makes 48, plus 11 for length gives 59, divided by 5 is 11.8, rounded to 12.
FYI 'Z4bvrlBA' would score 7 when rounded up,
counting 4 for BA, 7 for bovril, 6 for '4' and 9 for 'Z'
plus a length of 8 making a total of 34 before dividing by 5 (6.8).
Also FYI - 'beckham99' gives a score of 5, 'password1' gives 3.
You can now make a judgement about how strong a password is by raising the
complexity score to the power of the variety score: put the last number into
a calculator and multiply it by itself as many times as the score you have
for variety.
So what I described as poor above was 6 for complexity, multiplied by
itself 4 times, 4 being the 'poor' score for variety: 6 * 6 * 6 * 6 is
1296.
You can use the calculator on this page to do the arithmetic,
but the important thing is that you saw where the figures came from!
You can see the effect of using different characters, and that long
words, names etc. don't really add to strength.
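The whole procedure above, variety, complexity and the final power, as an added Python example (not the page's own calculator). The variety rules are applied automatically. The complexity step needs the password split into parts (name, dictionary word, transposition, leftover character), which the page leaves to the reader's judgement, so the caller supplies that split as a list of (substring, kind) pairs. The names PART_POINTS, variety_score, complexity_score, leftover_parts and strength are mine, and treating "first character of a word" as position 0 or a position after a non-letter is my interpretation of the upper case rule.

```python
"""Calculator for the heuristic password score described on this page.

Added example, not the page's own calculator.  The variety score is computed
from the four rules above.  The complexity score needs the password split
into parts, a judgement the page leaves to the reader, so the caller passes
that split in as (substring, kind) pairs.
"""
import math

# Points per kind of matched part, exactly as listed on the page.
PART_POINTS = {
    "related": 4,                 # related to the resource or what the user is thinking about
    "name_phrase": 5,             # name, place, person, animal, quotation, lyric ...
    "dictionary": 7,              # common dictionary word
    "sequence": 5,                # repetition, alphabet run, keyboard walk ...
    "trivial_transposition": 8,   # e.g. S->5, B->8, first letters of a phrase
    "moderate_transposition": 9,  # e.g. vowels removed, characters reversed
    "complex_transposition": 12,  # two or more transpositions
    "digit": 6,                   # leftover characters, counted one at a time
    "lower": 8,
    "upper": 9,
    "other": 11,                  # punctuation / special characters
}


def round_half_up(x):
    """Round to the nearest whole number, .5 going up (the page says 'up or down')."""
    return math.floor(x + 0.5)


def variety_score(password):
    """Variety: 0..8 following the four rules on the page."""
    score = 0
    if any(c.islower() for c in password):
        score += 2
    digits = [i for i, c in enumerate(password) if c.isdigit()]
    # A lone digit at the start or end does not count.
    if digits and not (len(digits) == 1 and digits[0] in (0, len(password) - 1)):
        score += 1
    uppers = [i for i, c in enumerate(password) if c.isupper()]
    # A lone capital that starts a word does not count.  Interpretation used
    # here (mine, not the page's): "starts a word" means position 0 or a
    # position preceded by a non-letter.
    if uppers and not (
        len(uppers) == 1 and (uppers[0] == 0 or not password[uppers[0] - 1].isalpha())
    ):
        score += 2
    if any(not c.isalnum() for c in password):
        score += 3
    return score


def leftover_parts(chars):
    """Classify characters that matched nothing in the list, one part per character."""
    parts = []
    for c in chars:
        if c.isdigit():
            kind = "digit"
        elif c.islower():
            kind = "lower"
        elif c.isupper():
            kind = "upper"
        else:
            kind = "other"
        parts.append((c, kind))
    return parts


def complexity_score(password, parts):
    """Complexity: sum the points of every part, add the length, divide by 5, round."""
    consumed = "".join(text for text, _ in parts)
    # Every character must be accounted for exactly once (order does not matter).
    if sorted(consumed) != sorted(password):
        raise ValueError("parts do not cover the password exactly: %r vs %r" % (consumed, password))
    raw = sum(PART_POINTS[kind] for _, kind in parts)
    return round_half_up((raw + len(password)) / 5)


def strength(password, parts):
    """Return (complexity, variety, complexity ** variety)."""
    c = complexity_score(password, parts)
    v = variety_score(password)
    return c, v, c ** v


if __name__ == "__main__":
    # The page's own worked examples, split the way the page counts them.
    examples = {
        # 'BA' is related to the site, 'bvrl' is bovril (the page scores it as a plain word)
        "Z4bvrlBA": [("BA", "related"), ("bvrl", "dictionary")] + leftover_parts("4Z"),
        # 'eb' for eBay, 'greN' and 'cT' as transposed green/cat, then 9, A and , left over
        "9ebgreNcT,A": [("eb", "related"), ("greN", "moderate_transposition"),
                        ("cT", "moderate_transposition")] + leftover_parts("9A,"),
        "beckham99": [("beckham", "name_phrase")] + leftover_parts("99"),
    }
    for pw, parts in examples.items():
        c, v, s = strength(pw, parts)
        print("%-12s complexity %2d  variety %d  strength %d" % (pw, c, v, s))
```

Run as a script it prints the page's three worked examples. 'Z4bvrlBA' comes out at complexity 7, variety 5, strength 16,807, and 'beckham99' at 5, 3, 125, matching the figures quoted below. For '9ebgreNcT,A' the variety rule as written (a lone digit at the start does not count) gives 7, so the script reports 12**7, about 36 million; the 'over 400m' quoted below corresponds to counting the 9 and scoring variety 8, so decide which reading you want before comparing against the bands. The function also shows the point made above about variety: 'Beckham1' scores only 2, because its one capital starts the word and its one digit sits at the end.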
In terms of bad and good strength scores:
- 1,000 or less is very bad -
'beckham99' gives a score of 125 (5**3), 'password1' gives 27!!! (3**3).
- Between 1,000 and 10,000 ranges from very bad to OK - 2,000 might be
acceptable for no-risk sites and 5,000 for sites where someone could
'have fun' with your account but there should be no risk taken - remember
that even on a bulletin board you can be sued for libel, for instance!
- 10,000 or above is OK for resources where you have little or nothing
to lose and presumably hackers have little to gain.
(The level 2 example of 'Z4bvrlBA' gives 16,807 - 7**5 -
but if 'BA' was replaced by my '2 bottles of champagne' example
then 'Z4bvrl2boc' would be a serious 370,000 - 13**5 - i.e. no increase
in variety, but the '2boc' adds so much complexity because to the hacker
it has no relationship to the site.)
- 100,000 would be reasonable where being compromised would
cause little inconvenience and half an hour to remedy.
- 1 million (1,000,000) would be reasonable where being compromised would
cause inconvenience and a few hours of effort to remedy.
It may be difficult to get higher than this on some sites, typically
because they don't allow punctuation characters.
You may need to use 3 'unrelated' words rather than 2 to get this high,
or maybe add another unconnected upper or lower case character.
- 10 million would be acceptable for small financial risks and
significant inconvenience and time to remedy.
- Over 100 million (8 zeros) would probably be adequate for serious
financial risk as long as you were not targeted, but in that situation
the password would be stolen by other means.
('9ebgreNcT,A' is over 400m)
It has to be stressed that mathematicians will not approve of the above
method at all, but the problem with presenting the topic in a 'pure' manner
is that:
- Any 'simple' mathematical approach is totally flawed because the
probability of people using letters, words, names etc. dwarfs any algorithm that
simply looks at the character set (which roughly equates to variety)
and the number of characters used - on that basis 'Beckham1' would be
as good a password as 'Z4bvrlMu'.
- When a classical rigorous approach is taken it loses any clarity
whatsoever, because authors with that understanding of the mathematics
will expect their readers to have a deep understanding of the subject,
otherwise they would not be reading it.
What I hope is that readers will at least understand the consequences
of using words, names and phrases in common use etc., and the dramatic
impact of variety.
Just try the calculator with variety increased by 1 or 2 - a BIG difference!
A simple addition of a 'disconnected' capital letter and number can do it...
This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions
Links and other information last validated on 7th August 2007.
Please use the Contact us page to suggest any additions or revisions.