How Strong a Password?

© 2002 Lawrence I. Charters

Washington Apple Pi Journal, Vol. 24, no. 4, July-August 2002, pp. 37-39.

With the vast expansion of the Internet in recent years, along with home and office LANs (Local Area Networks), not to mention E-mail accounts, shopping via the Web, ATM accounts and other facts of life, there has come a corresponding demand for passwords. It seems that almost everything wants a password so — what is a good password?

Passwords come in two different flavors: PINs (Personal Identification Numbers, which need not be numbers), and user name/password authentication pairs. A PIN is usually a single string of characters, most often numbers but sometimes including other characters, which confirms your identity. A PIN is usually used in combination with some other means of identification (a credit card, a Web cookie) that, combined, verify you are who you claim to be. A user name/password authentication pair is, as the name suggests, a pair of two entries you need to make: your account or user name, and the password for that name.

The constant demand for passwords can make life complex. Let’s start with a specific case: you have a brand-new flat-panel iMac running Mac OS X, and you have a Brand X E-mail account. You share your iMac with your significant other, and they have a separate log-in identity on the iMac. To read E-mail you must do the following:

  • Enter your Mac OS X user name. This can be your full name (Julius Caesar) or the “short name” (Caesar); either is valid;
  • Enter your Mac OS X password (vici)
  • Launch Mail and tell it to get mail. You’ve previously saved your Brand X E-mail account name (jcaesar) and password (vici) so you won’t have to remember them.

You also like to shop on Amazon.com (account jcaesar, password vici) and eBay (jcaesar, password vici), and tend to use the same account name and password for all the other various Web sites that want you to register for something or enter a contest. Plus, your mac.com mail address is jcaesar with a password of vici, your dog’s name is Vici, and you have a personalized license plate that reads VICI. Your PIN number for all your credit cards, plus the pass code to your voice mail at work, is 8424, which happens to match the telephone keypad numbers for VICI.

To make matters interesting, you sold your old Mac, a beige G3, in order to get your new, flat-panel iMac. You don’t remember if you erased the hard drive after copying everything over, but no loss. True, you’ve used the same E-mail address and password for years, but you’ve never had any trouble.

Now, before you laugh this off as an extreme case, I’ve had the sad pleasure of helping two Pi members in the past two months cope with “identity theft” that really wasn’t identity theft so much as “poor password security.” Both these individuals — both of them — used their passwords on their car vanity plates. (Or, possibly, used the vanity plates as an inspiration for their passwords.) Both rang up significant credit card charges, not to mention a flood of junk mail, after someone (or several someones) managed to make a good guess at their user name and password and, as an added bonus, their credit card PIN number. While individual details vary somewhat, the “Julius Caesar” example shown above illustrates almost exactly the clever way these individuals managed to remember “all those passwords.”

In addition to vici, these would also be poor passwords for Julius Caesar: julius, caesar, veni, vidi, gaius, 44bc, orange, dictator, marcus, antonius, marc, antony, cleopatra, cassius, pompey, senate, senator, cicero, gaul, rome, octavius, imperator, brutus, tribune, ides, march, toga, dagger, casca, etc. Generally speaking, no matter how easy it might be to remember, passwords should not be words or phrases that can be easily associated with you, your family, your pets, or your life history. (So why is “orange” a bad password?)

In addition to avoiding the obvious, password length is important, as is composition. Using just the 26 letters of the alphabet, how many different passwords can you produce?

2 characters = 676 combinations
3 characters = 17,576 combinations
4 characters = 456,976 combinations
5 characters = 11.8 million combinations
6 characters = 308.9 million combinations

While it seems that a six character password is quite safe, a Power Mac G4/400, running a password cracking program, could try them all in less than 30 seconds.

If you use both upper and lower case letters (52 characters), a six character password offers 19 billion possible combinations; this will keep a Power Mac G4 busy for about half an hour.

If you use upper and lower case letters and throw in numbers, you have 62 characters to work with. A six-character password offers 57 billion possible combinations, which will keep a G4 busy for around 11 hours.

If you throw in upper and lower case letters, numbers, and these symbols — !"#$£%&'()*+,-./:;<=>?@[]^_`{|}~ (plus the space character) — you have 96 characters to work with. There are 782 billion possible six-character passwords, which will keep a G4 busy most of a day. Make it a seven-character password, and you have 75 trillion possible combinations, which will tie up the G4 for almost three months. Add another character, and the G4 will be busy for two decades.
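As an added illustration (not part of the original article), the following Python reproduces the arithmetic behind these paragraphs: the number of possible passwords for a given alphabet size and length, and the worst-case time to try every one of them at a guess rate calibrated from the article's own figure of 308.9 million six-letter passwords in under 30 seconds. The ten-million-guesses-per-second rate and the 34-character "symbols" set are assumptions made for the example.

```python
import string

# Constructed calibration: the article's G4/400 tries all 308.9 million
# six-letter lowercase passwords in under 30 seconds, i.e. roughly
# 10 million guesses per second. Today's hardware is many orders faster.
G4_GUESSES_PER_SECOND = 26 ** 6 / 30

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = G4_GUESSES_PER_SECOND) -> float:
    """Worst-case time for an attacker who tries every password at `rate`/s."""
    return keyspace(alphabet_size, length) / rate

def alphabet_size_of(password: str) -> int:
    """Size of the article's character set (26/52/62/96) that an exhaustive
    search must cover for this password. Assumption: the 34 'symbols' are
    ASCII punctuation plus space; the article's own list is a little shorter."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 34
    return size

def worst_case_seconds(password: str,
                       rate: float = G4_GUESSES_PER_SECOND) -> float:
    """Time to exhaust every password of this length over this alphabet."""
    return seconds_to_exhaust(alphabet_size_of(password), len(password), rate)

def humanize(seconds: float) -> str:
    """Render a duration in the article's units (seconds ... years)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for pw in ("vici", "vote4mE!"):
        print(f"{pw!r}: alphabet {alphabet_size_of(pw)}, "
              f"exhaustive search {humanize(worst_case_seconds(pw))}")
```

Note that only length and alphabet size enter the calculation; a password built from a name or a license plate is found far sooner than the worst case, because attackers try such guesses first.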

What would be a good password for Julius?

vote4mE!

And Julius should invent different passwords for various services, rather than use the same one for everything.