I was working at a client that had recently changed their password policy from a minimum of eight characters to a minimum of fifteen characters. I was somewhat surprised at the reaction from a lot of the developers and business partners in the organization. I heard it mentioned derisively during several meetings, and was warned about it by co-workers who had recently had to reset their passwords. I applaud the security team for making this change, so I thought I'd try to give a high-level explanation of why password length is so important. This XKCD comic does a pretty good job of summing things up, but let's dive a little deeper.
When we talk about password "strength", we're talking about how difficult it would be to crack your password by trying all possible combinations of characters. The simplest calculation of password strength is XL, where X is the number of available characters and L is the length of the password. For example, if you can only use lowercase letters, x would be 26. If you can also use uppercase letters, x would be 52. The most common character set used in passwords today is 94 characters. This includes all alphanumeric and special characters on a standard keyboard. So, a 8 character password using this set would require 948, or 6,095,689,385,410,816, guesses to crack the password.
It's more common today to see password strength discussed in terms of "entropy". This value is based on information theory, and is measured in bits. The formula for finding bits of entropy is log2XL. If you're like me, and prefer not to dive to much deeper into the math, this article has a handy chart for calculating bits of entropy. Using that chart with the character set from the previous example, we see that each character in our password gives us 6.555 bits. So, at 8 characters we have about 52.44 bits of entropy.
Now, let's see what happens when we tweak the numbers a little. Say we decide to allow our passwords to use spaces (which you should). We now have a 95 character set, instead of 94. Using the same entropy chart, we now have 6.57 bits per character. With our previous 8 character password, that gives us 52.56 bits of entropy. So increasing the size of the character set by one increases entropy by 0.12 bits. Compare that with keeping the previous character set, and increasing the length by one. With 6.555 bits per character we now have 59 bits, an increase of 6.56 bits. As you can see, increasing the length has a significantly greater impact on entropy than increasing the size of the character set.
But wait a minute! According to that formula, the password in the cartoon would have an entropy of 72 but it says it's only 28 bits. What's the deal?
Well, that brings us to the real problem with calculating password strength. I won't go into the details of how the author came up with their number, but this StackExchange answer does a great job of breaking down the math, and it turns out, 28 bits is fairly accurate. The thing is, measuring bits of entropy using this formula only works when the password is completely random. And, it turns out that people are terrible at creating random passwords. So, how do you make a password more secure?
A passphrase consists of a set of words, rather than a set of characters. The one benefit of a passphrase is that it allows you to pull from a much larger "character" set. While a normal password allows you to choose from 94 characters for each slot, selecting a word from the dictionary provides a lot more options, as each word becomes a character. Now, not every word in the dictionary works well as part of a passphrase, so it is common to use a smaller list of fairly short words. A Diceware list for example, is a list of 7,776 unique words. With a set of this size, we can now get 12.925 bits of entropy for each character. This means a passphrase with just 4 words would have 51.7 bits of entropy.
The second benefit of using passphrases is that they tend to be easier to remember. This is the author's main point in the comic. When you make users choose a password, and then make weird manipulations to it, like capitalizing letters and adding symbols, it tends to be difficult to remember. On the other hand, 4 common words are generally easier to remember.
On the other hand, passphrases suffer from one of the same problems as passwords. In order to get the full entropy, the words need to be selected randomly. When it comes to passwords, randomness is the key to security, because it makes it impossible for attackers to use information about the victim to lower the number of guesses needed to crack the password.
So, are passphrases better than passwords? Unfortunately, this isn't a simple answer. This topic has long been debated in the security community, with supporters on both sides. A good rule to follow is: If you can use a password manager, use a password. If you need to remember it yourself, use a passphrase.
So yes, adding length to a password increases the strength exponentially, but as you can see, there's a lot more to password security than just length versus complexity. Randomness is the key to good security, but it makes passwords difficult to remember. This leads to users choosing insecure passwords. Here are some things you can do to make sure your passwords are as strong as possible:
If your a user:
- Use a password manager if you can.
- Try to use a password that is at least 12 characters in length.
- Use a randomly generated password (especially if the site limits your password length).
- Don't reuse the same password on multiple systems.
- If you have to remember your password, consider using a passphrase.
- If you have to write your password down, keep it in a secure place, like a locked file drawer. Don't leave it laying next to your keyboard or taped to your monitor.
- Enable 2-factor authentication if the site offers it.
If you're making security policy:
- Always use salted hashes to store user passwords.
- Make sure your policy requires at least 12 characters (more is better).
- Don't limit the number of characters allowed for a password
- Allow all typeable characters (including spaces).
- Don't require uppercase, lowercase or special characters.
- Only require a user to change their passwords if you believe your system has been compromised.
- Don't allow password hints.
- Provide users with a password manager that can generate random passwords.
- Use 2-factor authentication.