A Good Strategy For Life And Passwords

by Izaak

Note: I am not a security professional. Don’t take advice from me that seriously.

I.

Let’s say you want a secure password. Generate a random string of letters (assume case doesn’t matter for this post) and numbers; that’s pretty secure. But its length is much more relevant than the fact that it includes letters and numbers, actually. A ten character length password of letters and numbers has 3.66 x 10^15 possible options. Let’s say you want to reduce it to just letters, though. A ten character string of letters and numbers is obviously more secure than a ten character string of just letters. But how long does a string of letters have to be to match the security of letters and numbers? 11 characters long, actually. 11 characters of letters has 3.67 x 10^15 options. And a string of just numbers? This is an easy calculation; 16 characters of just numbers gives us 10^16 possible options.

So what’s my point? My point is that increasing complexity is rarely as useful as increasing length. You want a secure password? Length is the key. Changing your complexity from 10 different possible symbols (numbers) to 36 possible symbols (letters and number) is the exact same as increasing your length by 6. Changing your complexity from 26 possible symbols (letters) to 36 possible symbols (letters and numbers) is the exact same as increasing your length by 1.

One of the most famous xkcd comics is this one, which makes the same point that complexity isn’t necessarily the best path, mostly for reasons of how hard it is to remember passwords with high complexity. If you want, you can even get a password generated in the xkcd style here.

But then I read an interesting objection to this stye of password. Someone brought up the point that, in this scenario, someone could simply search through dictionary words instead of searching through every combination of letters. Let’s do the math; there are about 1 million words in the english language, but linguists estimate that most people only have 20,000-35,000 words in their vocabulary. Let’s use the 35,000 number; this means that a four word phrase has 1.5  x 10^18 different possibilities.

That’s quite a lot, but it’s still true that it means that a four word phrase isn’t as secure as you would think if you only searched through combinations of letters. If the average word has 6 letters in it, and you choose 4 words, that’s 24 characters. thats 9.1 x 10^33 possibilities, a much higher number than it actually is. To give a visual analogy, the difference between these two numbers is the same as the difference between an average human, and a red blood cell in that human.

So once again, length is more important than complexity; by choosing a scheme that uses only words, we’ve accidentally reduced our length from 24 to 4!

II.

There’s a really weird hidden assumption in the arguments above, though. The assumption is that the person trying to hack your password knows what search to use. If you have a password that’s just all numbers, and the guy is trying a dictionary search, they will never find your password. If they guy is using a number and letter search, and you have 4 words in the dictionary, then he has 2.2 x 10^37 options to search through.

In order to combat this, the algorithms used to search passwords have to compromise and use a bunch of different schemes to try and find passwords the quickest. First they’ll search through the most common passwords, like “password” and “1234567890”. Then they likely look through all of the really short passwords, and then they go through one word passwords and one word passwords with a number or two in there somewhere.

So what’s your best bet? What’s the safest password that isn’t something like “&@4#R!10O8>wL9g”? What’s an easy password to remember that isn’t going to be guessed immediately?

The goal here isn’t to think of something that’s arbitrarily strong. The goal is to think of something that’s outside of the scope of the algorithm. Sure, maybe the algorithm looks through common English words and phrases fairly quickly. What about in french? Or even if all the common languages are in the algorithm, there’s thousands of languages out there. Take the latin-alphabet transliteration of a word in Thai, or Burmese, or Xhosa, or Maori, or Basque, or Gadal, or Saami, or Gagauz. Maybe a three word phrase in one of these languages only has 10^8 or so possibilities… but that assumes that someone knows what language you’re using. If you use a three or four word phrase from a random language somewhere in the world, not only is this actually pretty easy to remember (I should know, most of my passwords are like this), but there are 10^33 different possible passwords.

But most likely, the algorithm searching through passwords won’t be searching through each and every language. They’ll have to be searching through each and every character combination to find your passphrase.

III.

This is pretty good advice when it comes to a lot of things. Don’t defeat the theoretical perfect; defeat what the other guy actually has. Sure, if you defeat the theoretical perfect you’ll also defeat the other guy. But if it’s a lot more time and effort to defeat the perfect, than you’ll just end up wasting time.

I was prompted to write this post when I saw this article about real-world security. The article talks about how they’ve developed a key that can curve, and a lock that has a curved passageway. It links to a video from a famous YouTubing lock picker, who says in his video “This is not going to be a lock-picking video, simply because I cannot pick this lock.”

This man has hundreds of videos on his channel where he picks widely used and supposedly secure locks. But they all use the same sort of mechanism, and once someone changes things up, uses a flexible key? It’s impossible.

Similar ideas can be applied in different areas—maybe it’s not the same exact argument, but the spirit is the same.

In stock market investing, you don’t want to invest in a company that’s going to do well. You want a company that’s going to do better than people think it will.

When applying for a job that’s competitive, you want to spend time looking awesome in the ways that other people often neglect.

When the goal is to beat other people, try to beat them in ways they’ll never see coming, not the ways that everyone expects you to do.

IV.

Back to passwords for this last section—almost any of what I suggested is a ridiculously good password. If you have a password that’s a couple words, or 10 random letters long, you’re safe from that sort of brute force attack. The only time you should really worry about that is if you’re using a very short password or a very common password, or if you’re protecting something that people would spend years devoting computing power to hacking.

The real dangers are usually password reuse (another xkcd) and social engineering.

So remember this every time a website forces you to use a number and a capital letter in your password. It doesn’t do a whole lot to increase entropy, or even security (password1 fits most criteria and is still incredibly weak). It’s just annoying.

 

 

Advertisements