How Strong a Password?
© 2002 Lawrence I. Charters
Washington Apple Pi Journal, reprint
With the vast expansion of the Internet in recent years,
along with home and office LANs (Local Area Networks), not
to mention E-mail accounts, shopping via the Web, ATM
accounts and other facts of life, there has come a
corresponding demand for passwords. It seems that almost
everything wants a password so -- what is a good
Passwords come in two different flavors: PINs (Personal
Identification Numbers, which need not be numbers) and user
name/password authentication pairs. A PIN is a single string
of characters, most often digits but sometimes including other
characters, which confirms your identity. A PIN is usually used
in combination with some other means of identification (a
credit card, a Web cookie) that, combined, verify you are who
you claim to be. A user name/password authentication pair is,
as the name suggests, two entries you need to make: your
account or user name, and the password for that name.
The constant demand for passwords can make life complex.
Let's start with a specific case: you have a brand-new
flat-panel iMac running Mac OS X, and you have a Brand X
E-mail account. You share your iMac with your significant
other, and they have a separate log-in identity on the iMac.
To read E-mail you must do the following:
- Enter your Mac OS X user name. This can be your full
name (Julius Caesar) or the "short name"
(Caesar); either is valid;
- Enter your Mac OS X password (vici);
- Launch Mail and tell it to get mail. You've
previously saved your Brand X E-mail account name
(jcaesar) and password (vici) so you won't
have to remember them.
You also like to shop on Amazon.com (account
jcaesar, password vici) and eBay
(jcaesar, password vici), and tend to use the
same account name and password for all the other various Web
sites that want you to register for something or enter a
contest. Plus, your mac.com mail address is jcaesar
with a password of vici, your dog's name is
Vici, and you have a personalized license plate that
reads VICI. Your PIN for all your credit cards, plus
the pass code to your voice mail at work, is
8424, which happens to be VICI spelled out on a
telephone keypad (V=8, I=4, C=2, I=4).
To make matters interesting, you sold your old Mac, a
beige G3, in order to get your new, flat-panel iMac. You
don't remember if you erased the hard drive after copying
everything over, but no loss. True, you've used the same
E-mail address and password for years, but you've never had
Now, before you laugh this off as an extreme case, I've
had the sad pleasure of helping two Pi members in the past
two months cope with "identity theft" that really wasn't
identity theft so much as "poor password security." Both
these individuals -- both of them -- used their passwords on
their car vanity plates. (Or, possibly, used the vanity
plates as an inspiration for their passwords.) Both rang up
significant credit card charges, not to mention a flood of
junk mail, after someone (or several someones) managed to
make a good guess at their user name and password and, as an
added bonus, their credit card PIN. While individual
details vary somewhat, the "Julius Caesar" example shown
above illustrates almost exactly the clever way these
individuals managed to remember "all those passwords."
In addition to vici, these would also be poor
passwords for Julius Caesar: julius, caesar, veni, vidi,
gaius, 44bc, orange, dictator, marcus, antonius, marc,
antony, cleopatra, cassius, pompey, senate, senator, cicero,
gaul, rome, octavius, imperator, brutus, tribune, ides,
march, toga, dagger, casca, etc. Generally speaking, no
matter how easy it might be to remember, passwords should
not be words or phrases that can be easily associated with
you, your family, your pets, or your life history. (So why
is "orange" a bad password?)
In addition to avoiding the obvious, password length is
important, as is composition. Using just the 26 letters of
the alphabet, what kinds of passwords can you produce?:
- 2 characters = 676 combinations
- 3 characters = 17,576 combinations
- 4 characters = 456,976 combinations
- 5 characters = 11.9 million combinations
- 6 characters = 308.9 million combinations
While it seems that a six-character password is quite
safe, a Power Mac G4/400, running a password-cracking
program, could try them all in about 30 seconds, roughly
ten million guesses a second. The figures below assume
that rate; a faster machine shrinks every one of them.
If you use both upper and lower case letters (52
characters), a six-character password offers 19.8 billion
possible combinations; this will keep a Power Mac G4 busy
for about half an hour.
If you use upper and lower case letters, and throw in
numbers, you have 62 characters to work with. A six-
character password offers 56.8 billion possible combinations,
which will keep a G4 busy for about an hour and a half.
If you throw in upper and lower case letters, numbers,
and these symbols --
(plus the space character) -- you have 96 characters to work
with. There are 782 billion possible six-character
passwords, which will keep a G4 busy for most of a day. Make
it a seven-character password, and you have 75 trillion
possible combinations, which will tie up the G4 for almost
three months. Add another character (7.2 quadrillion
combinations), and the G4 will be busy for more than two
decades.
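The following script is a worked example added to this reprint; it is not Charters's code and not part of the original article. It reproduces the keyspace and time-to-crack figures above and applies the two tests the article implies: whether a password can be guessed from someone's life (the Julius Caesar word list), and how long exhaustive search takes. Assumptions: the guess rate is taken as ten million per second (the article's "308.9 million in under 30 seconds"); the symbol class is the 95 printable ASCII characters, since the article's own list of symbols did not survive on this page and it counts 96; the word list and sample passwords are constructed for illustration.

```python
import math
import string

# Rate implied by the article: all 308.9 million six-letter lowercase
# passwords in about 30 seconds, i.e. roughly 1e7 guesses/s. Assumption;
# modern GPU rigs are many orders of magnitude faster.
G4_GUESSES_PER_SECOND = 1e7

# Character classes a brute-force attacker has to cover; the class
# sizes give the article's alphabet sizes (26, 52, 62, ...). The symbol
# class is 32 ASCII punctuation marks plus space (assumption: the
# article counts 96 in total, one more than printable ASCII).
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 33),
]

# Telephone keypad letters, for the VICI -> 8424 trick in the article.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl", "6": "mno",
          "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = G4_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this shape at `rate`."""
    return keyspace(alphabet_size, length) / rate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity on a log scale: each extra bit doubles the work."""
    return length * math.log2(alphabet_size)


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, given which character classes
    the password actually draws on (all lowercase letters -> 26)."""
    chars = set(password)
    return sum(size for members, size in CLASSES if chars & members)


def keypad_digits(word: str) -> str:
    """Spell a word on a phone keypad: 'vici' -> '8424'."""
    return "".join(LETTER_TO_DIGIT.get(c, c) for c in word.lower())


def is_associated(password: str, associated_words) -> bool:
    """True if the password is a word from the person's life, that word
    with digits or punctuation bolted on, or its keypad spelling."""
    p = password.lower()
    core = "".join(c for c in p if c.isalpha())  # strip '2002', '!' etc.
    for word in associated_words:
        w = word.lower()
        if p == w or core == w or (len(w) >= 4 and w in p):
            return True
        if p == keypad_digits(w):  # the 8424 PIN is 'vici' in disguise
            return True
    return False


def assess(password: str, associated_words=(),
           rate: float = G4_GUESSES_PER_SECOND) -> dict:
    """Summarise how a password fares against the two attacks the article
    describes: a guess from personal information, and exhaustive search."""
    n, length = alphabet_size(password), len(password)
    return {
        "length": length,
        "alphabet": n,
        "keyspace": keyspace(n, length),
        "bits": round(entropy_bits(n, length), 1),
        "brute_force_seconds": seconds_to_exhaust(n, length, rate),
        "guessable": is_associated(password, associated_words),
    }


def article_table(rate: float = G4_GUESSES_PER_SECOND):
    """The article's (alphabet size, length) rows with keyspace and time."""
    rows = [(26, 6), (52, 6), (62, 6), (96, 6), (96, 7), (96, 8)]
    return [(a, n, keyspace(a, n), seconds_to_exhaust(a, n, rate))
            for a, n in rows]


if __name__ == "__main__":
    # Constructed sample: Julius Caesar's life, as the article lays it out.
    julius = ["julius", "caesar", "vici", "veni", "vidi", "gaul", "rome"]
    for pw in ["vici", "Vici2002", "8424", "veni-vidi-vici", "wT7$kq2Pz"]:
        print(f"{pw:>16}: {assess(pw, julius)}")
    for a, n, ks, secs in article_table():
        print(f"{a:>3} chars, length {n}: {ks:>20,d} -> {secs / 86400:9.1f} days")
```

The interesting output is the contrast: "Vici2002" draws on 62 characters and eight positions, so brute force would take the G4 years, yet `is_associated` flags it instantly, because an attacker who knows the dog's name never has to brute-force anything. The table is the cheap check; the word list is the one that catches the two Pi members' mistake.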
What would be a good password for Julius?
And Julius should invent different passwords for various
services, rather than use the same one for everything.