# Passwords: So Important, Yet So Misused


The mathematics behind counting possible passwords is called permutations. It had been some time since I had studied permutations, but reading the "Windows Server 2008 Security Guide" reminded me of them. It explains the importance of password length: a longer password creates a larger pool of candidates an attacker has to guess from. Let's review the permutation theory behind passwords.

We want a password that's very difficult to guess yet reasonably easy to remember. Let's start with a simplistic password, three letters long (English) and uppercase letters only. Because any letter may appear in any position, repeats included, we can express the number of potential passwords as 26 (the number of letters in the English alphabet) raised to the third power (26^3). The result, 17,576 passwords, sounds like a lot of potential passwords, but today's very fast computers can blitz through those combinations in record time.

But what happens when we add a few letters to our password? Let's continue with uppercase letters only, but make it a six-character password. That gives us 26^6, or 308,915,776, potential passwords, if my Windows calculator gets it right. Doubling the password length increases the number of potential passwords by a factor of over 17,000! Long passwords clearly are better than short ones.

Of course, those 308,915,776 passwords can be cracked more quickly if you're someone whose password is slightly guessable. Live in Chicago and use "DaBears" (your favorite football team's popular nickname) as your password? You're asking for a quick compromise of your account.

Let's improve further, this time by enlarging the character pool rather than the length: allow both uppercase and lowercase letters. That gives us 52 total characters. Even our three-character password now has 52^3, or 140,608, potential passwords! That increases the potential passwords by a factor of eight, without struggling to remember more letters. Add some of the eight "$peci@l" characters that some password systems accept as valid, and now we can use 60 potential characters. With a three-character password, this provides us with 60^3, or 216,000, possible passwords. Review this math carefully: adding eight more potential characters gives us a little more than 150% as many passwords as before (216,000 versus 140,608), even with a three-character minimum password. And if we go to an eight-character minimum and 60 potential characters, we have a possible 60^8, or 167,961,600,000,000, passwords.

So what can we conclude? Choosing short, predictable, and simplistic-character passwords is bad. With just a little work, adding in some special characters and creating a longer password, we can make the hacker's job much more difficult. Avoiding predictable values (your town's favorite sports team, for example) can make the password even more difficult to crack.

In fact, you can e-x-p-a-n-d your passwords by creating and using passphrases. Let's face it, "E3lif&lsk" can be a bit difficult to remember. Now consider this passphrase, which is acceptable on many modern operating systems: "MoronsCrackPasswordsThatDoNotMatter!" Sure, that's a lot of typing, but it will survive a few brute-force attacks. Under most multiuser attacks, your account will stand long enough to convince the attacker to focus on the administrator's account—the one using "happiness" as its password. (This was the password the Twitter administrator used. This simple password and the lack of account lockout helped the hacker. A lot.)
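The figures in the permutation walkthrough above, and the passphrase example just given, all come from one rule: pool size raised to the password length. The calculator below is an added example, not code from the article; it reproduces the article's numbers, expresses them in bits, and classifies a password by the article's three character classes. It assumes that the "eight special characters" are `!@#$%^&*` (the article does not list them) and models no digits, since none of the article's figures include them.

```python
from math import log2
import string

# Assumed set of eight specials; the article says "eight" but does not list them.
SPECIALS = "!@#$%^&*"

def keyspace(charset_size: int, length: int) -> int:
    """Number of possible passwords: every position may hold any of the
    charset_size symbols, repeats allowed, so the count is charset_size ** length."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """The same keyspace on a log scale: bits needed to index one password.
    This assumes every password in the pool is equally likely; a guessable
    word such as a team nickname is found long before the pool is exhausted."""
    return length * log2(charset_size)

def charset_size_for(password: str) -> int:
    """Pool size an exhaustive search must cover for this password, using the
    article's classes only: 26 uppercase, 26 lowercase, 8 specials (no digits)."""
    size = 0
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    if size == 0:
        raise ValueError("password uses none of the modelled character classes")
    return size

def growth_factor(size_a: int, len_a: int, size_b: int, len_b: int) -> float:
    """How many times larger the second keyspace is than the first."""
    return keyspace(size_b, len_b) / keyspace(size_a, len_a)

if __name__ == "__main__":
    # The article's five cases, in the order it presents them.
    for size, length in [(26, 3), (26, 6), (52, 3), (60, 3), (60, 8)]:
        print(f"{size} symbols x {length} chars: {keyspace(size, length):>20,}"
              f"  ({entropy_bits(size, length):5.1f} bits)")
    print("3 -> 6 uppercase chars grows the pool by", growth_factor(26, 3, 26, 6))
    phrase = "MoronsCrackPasswordsThatDoNotMatter!"
    print(f"{phrase}: {entropy_bits(charset_size_for(phrase), len(phrase)):.0f} bits")
```

The bit figure is an upper bound: it counts the whole pool, whereas a dictionary-style guess order reaches "DaBears" or "happiness" almost immediately regardless of pool size.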

Now that we have a world full of websites that implement security inconsistently, we all need to review site security carefully. You don't want to become (or remain) a member of a site that has lousy security policies. If you use the same or similar passwords on all websites, the website with the weakest password rules will force you into a lowest-common-denominator password, significantly weakening your security across the Internet.

Even keeping different passwords can have its issues, though. If you have an email account on a system with weak password rules, that still weakens your security a great deal. How? Many websites send password-reset email to your email account. So if your email can be compromised, that email account could be used to receive password-reset notices—ironically, for those accounts that have stronger password policies. A weak password scheme trumps stronger schemes every time.