## Password Security

### June 8th, 2016

**Password Strength and Your Password Security Policy**

Much has been written about the strength of passwords and what your organization’s password security policy should be. Instead of a one-size-fits-all solution, I think each individual situation needs to be looked at in context AND looked at from the perspective of the user who, in the end, may be the weakest link in the security chain.

To get started, we need to understand password strength. Wikipedia defines Password strength as a measure of the effectiveness of a password to withstand guessing or brute-force-attacks. It estimates the number of guesses required, on average, to identify the password of a user. Password strength then is a function of length, complexity and unpredictability.

Password strength is usually measured in bits of entropy. Entropy is the base-2 logarithm number of guesses needed to find, with certainty, a password. As an example, a password with 10 bits of entropy would require 2^{10} attempts to exhaust all possibilities using a brute force attack. Adding one bit of entropy doubles the number of guesses required. However, on average, it only takes half of the possible guesses to obtain the password.

A mathematical formula can be used to calculate the bits of entropy, per symbol, based on the symbol set used.

For example, here is a chart from: http://study.ncmco.us/password-entropy-chart, licensed under https://creativecommons.org/licenses/by/3.0/ and shows the bits of entropy, per symbol, of varying symbol sets.

Using this chart, we can see that a 10 symbol length password using Case insensitive Latin alphabet will have 47 bits of entropy (4.7 x 10).

**Size Matters** – When I look at this, the point I take away is that the length of a password is more important than the character set. In fact, the draft specification for Special Publication 800-63-3: Digital Authentication Guidelines recommends a minimum of 8 characters and should allow a maximum of 64. A common approach is to use passphrases, allowing all common punctuation and any language to improve usability and increase complexity. Georgia Tech researchers, in a 2010 report, recommended use of a 12-character password, which in using Case insensitive Latin alphabet would give 56 bits of entropy.

**Rate of Guessing Matters More** – However, the rate at which an attacker can submit guessed passwords to the system is probably the most important factor in determining system security. In an offline environment, computer clusters such as a specialized five-server system using virtualization software and 25 AMD Radeon graphics cards can achieve 350 billion guesses per second. . Yet, that is not the model you will normally see in a web environment. In a web or server environment you could see 1, 10, 100 or maybe 1000 guesses a second. At 1000 guesses per second, the guaranteed time of password crack for 38 bits of entropy would be 8.7 years or an average time of crack of 4.4 years as can be seen in this chart.

This corresponds to an 8 character lowercase password. Increasing the minimum length to 10 characters would increase the guaranteed time to crack to 8.7 millennia (of course, on the other hand, a lucky guess could result in the correct password on the first try).

There are different techniques used in off-line password cracking of encrypted passwords. I haven’t covered those here, but I will cover some additional security measures system administrators should take to improve security to prevent access to the set of encrypted passwords in a later post.

When attempting to secure systems from brute-force attacks, the take-aways are that longer passwords and rate limited systems are the methods that significantly decrease password cracking vulnerability. Even more secure are the systems that impose some sort of time-out after a given number of failed attempts. If you can implement these, you’ve taken great first steps to secure against brute-force attacks.