this made me smile
May. 4th, 2006 01:34 pm
Myth: Passwords Must Be Complex to Be Strong.

Of course, the fact that I find this funny might just show I'm not normal.
[...] Of course passwords need to be complex to be strong. No, they do not! They need to be looooonnnngggg. In fact, really, really, long passwords, by their very nature, are often much stronger than a short but complex password.
To see why, consider the prototypical terrible password: Seattle1. It is complex according to most definitions. It is eight characters long, has three of the four character sets in it, and fulfills the complexity requirements in the operating system. It is also hopelessly weak.
Let’s try to make it a bit more complex: Se@ttle1. Did it get any better? Not really. This password now contains all four character types, but it will take only marginally longer to guess. You may want to try this password or a slight variation, in a password complexity checker. The checker will probably claim this password is at least medium strength. Clearly, just because a password is complex does not make it strong. But then, that is not actually what the myth claimed either. It claimed that all strong passwords are complex.
Now consider this password: SeandialVickyandhorusbloomkendallWyoming. It is not complex by any measure. It contains only two character types and all of the components are words. They are, in fact, words picked from the Microsoft password strength checker’s dictionary, which includes 2,254 words. There are 40 characters in this password. The character set those characters are chosen from consists of uppercase and lowercase English characters, or 52 characters in total. That means there are a total of 4.45×10^68 1- to 40-character passwords possible from that character set. If you use a brute force attack and you can guess 600 passwords per second, it will take you 1.63×10^58 years to guess this password. But you may have captured a connection to a server and have the challenge-response sequence to crack it. In this case it will take you only 1.30×10^54 years, assuming you are a nation-state and have access to nearly unlimited computing power.
Oh, but you may argue that these are all words, so we just try combinations of words. Fair enough. Let’s say you even know that it is picked from the password checker dictionary and that you know there are eight words in the password. That improves your ability to crack it significantly. It will now only take 1,948,790,798,336 years to crack. If we remember correctly from physics class, the universe is about 5,000,000,000 years old, so that means it will take you 390 times longer than the existence of the universe to crack this password, assuming you don’t have to restart your computer to apply a service pack before then. Since our policy forces us to change passwords every 90 days, there is a pretty good chance we will have changed passwords by the time you are finished cracking it.
Source: Microsoft TechNet, emphasis added.
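The quoted article's point is that a password's strength depends on which search the attacker can afford to run, not on which character classes it contains. The calculator below is an added example (not code from the post or from TechNet) that scores the article's three passwords under both models: exhaustive character search, and the cheaper "it is N words from a known dictionary" search. It assumes the usual 26/26/10/33 character pools, a 365.25-day year, and the article's 600 guesses per second; the numbers it prints will not match the article's exactly because the article's rounding and pool choices are not given.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password: str) -> int:
    """Pool a character-level brute-forcer must cover: lower (26), upper (26),
    digits (10), and printable ASCII punctuation (33, an assumed pool size)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size

def char_keyspace(alphabet: int, max_len: int) -> int:
    """All candidates of length 1..max_len (the article's '1- to 40-character' count)."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def word_keyspace(dict_size: int, n_words: int) -> int:
    """Candidates when the attacker knows it is n_words words from a dictionary."""
    return dict_size ** n_words

def bits(keyspace: int) -> float:
    return math.log2(keyspace)

def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def strength_report(password: str, rate: float, dict_size=None, n_words=None) -> dict:
    """Bits and exhaustive-search time under the brute-force model and, when the
    password is a list of dictionary words, under the word model as well.  The
    smaller figure is the one a defender should plan around."""
    brute = char_keyspace(charset_size(password), len(password))
    report = {"brute_bits": bits(brute), "brute_years": years_to_exhaust(brute, rate)}
    if dict_size and n_words:
        words = word_keyspace(dict_size, n_words)
        report["word_bits"] = bits(words)
        report["word_years"] = years_to_exhaust(words, rate)
    return report

if __name__ == "__main__":
    RATE = 600  # guesses per second, as in the article
    cases = [("Seattle1", {}), ("Se@ttle1", {}),
             ("SeandialVickyandhorusbloomkendallWyoming", {"dict_size": 2254, "n_words": 8})]
    for pw, kw in cases:
        print(pw, {k: f"{v:.3g}" for k, v in strength_report(pw, RATE, **kw).items()})
```

Even under the word model the 40-character passphrase sits near 89 bits, well above the roughly 53 bits that Se@ttle1 gets from adding a symbol.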