Password strength + special characters

I have quite a lot of accounts - emails, facebook, skype, straight dope, kerbal space program forum, steam… and most of those places are pretty straightforward regarding passwords: 6-20 characters and that is it. There are some places, however, that ask you to use lower and upper-case characters, numbers, special characters, midget porn and ancient English words as a password. Does that actually help cracking a password? Even banking passwords are shorter and easier to remember…

Mostly these requirements stop you from using one of the ridiculously easy-to-guess passwords that people are wont to use, like “password” or “12345”. Certainly “password1#” is not that much more secure than “password” just because it has a special character and a number, but it’s something that’s easy for an automated system to check.

More characters means a bigger search space. Most password attacks use precomputed rainbow tables on the password hash (a one way process that reduces a password to a nearly unique numeric value). The longer the password and the larger the acceptable character set, the longer it takes to compute the rainbow table and the larger it ends up being. This significantly increases the difficulty. A simple Google search for rainbow tables demonstrates that they get very big when you throw in punctuation and numbers as well as upper/lower case characters - over 1Tb. Of course, many hackers just use complex dictionary-based attacks that do have a measure of success, too.

Relevant XKCD: xkcd: Password Strength

Hard to remember = likely to be written down or saved in a text/doc file = why crack passwords when you only need to find them?

In my humble opinion, complex passwords are the least secure.

I also think that requirements for special characters can be counter-productive. In addition to being harder to remember, they’re also harder to type. If you limit yourself to lower case letters, that’s about 4.7 bits per character, assuming totally random character selection (I actually prefer to use pronounceable nonsense syllables or random words, easier to remember).
If you include upper and lower case, numbers, and symbols, it goes up to about 6.5 bits per character. But if you measure it in bits per keypress (including Shift as one keypress), the supposed advantage disappears.

Example:
**ywdgvoiehfht** is about 56 bits in 12 characters (assuming randomly-chosen lower-case letters only), since it is 4.7 bits per character.
yWdGVo!3)FhT is about 78 bits in 12 characters, but 17 keypresses. That’s 4.58 bits per keypress.

Of course, the standard advice is that you should use a password manager rather than trying to remember passwords. But that’s not always practical.
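The bits-per-character versus bits-per-keypress comparison in the post above, as an added calculator that is not part of the original thread. It assumes a US keyboard layout (uppercase letters and shifted symbols cost one extra press each) and that every character was drawn uniformly from the classes the password visibly uses; under that counting rule the keypress figure for the mixed example differs slightly from the post's.

```python
import math
import string

# Characters that need the Shift key on a US layout (assumption).
SHIFTED = set(string.ascii_uppercase + '~!@#$%^&*()_+{}|:"<>?')


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Entropy if each character is uniform over charset_size()."""
    return len(password) * math.log2(charset_size(password))


def keypresses(password: str) -> int:
    """One press per character, plus one Shift press per shifted char."""
    return len(password) + sum(c in SHIFTED for c in password)


def bits_per_keypress(password: str) -> float:
    return entropy_bits(password) / keypresses(password)


def lowercase_length_for(bits: float) -> int:
    """How many random lowercase letters reach the same entropy."""
    return math.ceil(bits / math.log2(26))


if __name__ == "__main__":
    for pw in ("ywdgvoiehfht", "yWdGVo!3)FhT"):  # the post's two samples
        print(pw, round(entropy_bits(pw), 1), "bits,",
              keypresses(pw), "keypresses,",
              round(bits_per_keypress(pw), 2), "bits/keypress")
    print("lowercase letters for the same bits:",
          lowercase_length_for(entropy_bits("yWdGVo!3)FhT")))
```

The last line shows the post's point directly: 17 random lowercase letters give at least as many bits as the 12-character mixed password, for fewer keypresses.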

The processing time to crack a password using brute force goes up dramatically (exponentially?) with the number of characters in the character set. But you have to actually use some of those extra characters to get the benefit; a cracker that assumes you’re not using them will be able to crack your password faster.

For the same reason, it’s probably a good idea to use punctuation other than period and dash, which I would guess are the most common punctuation marks we use when we’re required to use them.

Of course, rarely would a brute-force approach be used. Instead, they tend to use dictionary attacks (using common words plus any personal info they can get) since they’re much more efficient. If you don’t use a word but use a mixture of words, that ups the ante: they have to use a more sophisticated (and time consuming) approach. But the effort still increases dramatically with the size of the character set simply because there are more options to try.

I’m not an expert in computer security but I did study it carefully when designing the solution for a project my company at the time bid on and won (but did not do because the company hiring us did not win their bid with a telecom service provider). We also did a security-related project for a major vendor’s government security group. One of the things I learned is that there is no perfect security. The more important it is to protect something, the more you need to do to protect it.

I apply this concept to my use of passwords. For things where security isn’t really very important, I use a small set of fairly simple passwords to make my life easy. For example, my password on this forum is the same as or similar to my passwords on a number of other similar forums. If someone gets it, it’ll be a minor hassle as I explain “I didn’t post that crap” and open new accounts. Much bigger risk on Facebook and personal email accounts, so I use a better one there. I use my strongest passwords for work and financial accounts, where it would really matter if I got hacked.

I use Password Corral to keep track of them. It’s free and works great. There’s another tool very similar that lots of people use whose name I don’t recall but that would be fine too. You protect your passwords on your computer with one password. If anyone gets access to your computer and gets that password, you’re really out of luck. I would take considerably more care for matters of national security, or if it could make a hacker a very rich person – matters where the hacker would be highly motivated and highly funded.

Fortunately (ha ha), I don’t have enough money to be a serious target. Nor do I keep any US defense secrets.

Good point. However, if you use just a few special characters or uppercase, but in unpredictable ways, you can dramatically increase the attack time required without increasing the number of keystrokes that much.

I hardly notice use of the shift key as a keypress, but I do notice that, and shifting to punctuation or digits, on my phone. That’s the case where your point is particularly valid: it’s probably better to use a much longer password, to maximize security per keystroke. Regardless, we have to follow the rules for a given site.

Unimportant passwords can be optimized for phone use, but I’d strongly advise against using such tricks for an important password, because no doubt the hackers know the tricks too.

Here’s what I have to put up with:
a) Must be at least 15 characters long
b) Must not contain the username
c) Must contain at least two lowercase characters: abcdefghij etc.
d) Must contain at least two uppercase characters: ABCDEFG etc.
e) Must contain at least two digits: 0123456789
f) Must contain at least three special characters: ~!$^()`*,-/:;<=>?_@#
g) Must not contain a “bad” special character: Space.|{][}+&%
h) Must start with an alphabetical character.
i) Max of 2 repeating characters: i.e. not “111”.
j) The first 8 characters must contain at least 1 digit.
k) The first 8 characters must contain a special character.

Instead of ‘words’ or phrases, we often use keyboard movements instead like:

1qaz@WSX#EDC4rfv

or

WW##33asdfghjkl

Try them; you might like them!

You can just add a number or letter to the end to make them ‘unique’ between different accounts.
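The eleven rules listed in the post above, as an added checker that is not part of the original thread; it reports which rule letters a candidate trips, so the effect of a policy like this can be tested instead of guessed at. Assumptions: the username check is case-insensitive, and "max of 2 repeating characters" means no run of three identical characters.

```python
import re

# Allowed and forbidden special characters, copied from rules f) and g).
SPECIALS = set("~!$^()`*,-/:;<=>?_@#")
BAD = set(" .|{][}+&%")


def check_policy(password: str, username: str = "") -> list:
    """Return the letters of every rule a) to k) the password violates."""
    failed = []
    first8 = password[:8]
    if len(password) < 15:                                   # a)
        failed.append("a")
    if username and username.lower() in password.lower():    # b) (assumed case-insensitive)
        failed.append("b")
    if sum(c.islower() for c in password) < 2:               # c)
        failed.append("c")
    if sum(c.isupper() for c in password) < 2:               # d)
        failed.append("d")
    if sum(c.isdigit() for c in password) < 2:               # e)
        failed.append("e")
    if sum(c in SPECIALS for c in password) < 3:             # f)
        failed.append("f")
    if any(c in BAD for c in password):                      # g)
        failed.append("g")
    if not password[:1].isalpha():                           # h)
        failed.append("h")
    if re.search(r"(.)\1{2}", password):                     # i) three in a row
        failed.append("i")
    if not any(c.isdigit() for c in first8):                 # j)
        failed.append("j")
    if not any(c in SPECIALS for c in first8):               # k)
        failed.append("k")
    return failed


if __name__ == "__main__":
    # The two keyboard-walk strings from the post, plus one constructed
    # candidate (Tq7!wz3@Rm9$kLpV) that satisfies every rule.
    for pw in ("1qaz@WSX#EDC4rfv", "WW##33asdfghjkl", "Tq7!wz3@Rm9$kLpV"):
        print(pw, "fails:", check_policy(pw) or "none")
```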

Your way of dealing with those [expletive deleted] rules is a great example of how too many rules can lead to very bad passwords. Security fail!

My employer requires us to change passwords every 6 months, and it can’t match any of the last 6 or 8 passwords. I bet you can guess what that leads to.

I’m guessing lots of sticky notes “cleverly” hidden underneath keyboards.

I ran into this yesterday in going through and updating some passwords. I was using Keepass to generate random passwords, and the one it gave me for Facebook included a . Not a ', mind you, but a .

Copying and pasting it into Facebook on my PC, I didn’t even notice the difference. But entering it on my Blackberry caused me to look much more closely. :slight_smile:

When I see weird rules like that I always wonder what kind of password mechanism they’re using. A hash function shouldn’t care whether your password contains spaces or the other excluded characters that you mention. It just treats your password as binary data.
I like having spaces in passwords, but yes, many sites don’t allow it. Sometimes I use periods instead, they’re generally OK with that, and the period symbol is easy to type even on phone keyboards.

It’s not a limitation of the security software, it’s a policy selected by the administrators to help ensure that stronger passwords are used.

A problem I have with security (such as at my workplace, and at many websites) is that the security team seems to be answerable to nobody. They can make your life miserable but you can’t complain. They’re encouraged to do everything possible to increase security, without much regard for the productivity hit it entails.

So, this means I need to frequently enter cumbersome passwords (many, many times a day). The ability to remember passwords in the browser is defeated (not quite successfully). When I’m watching a presentation or in a meeting, I have to remember to hit a key every 10 minutes or my screen will go blank and I’ll have to re-enter my password. I frequently get updates installed on my computer that breaks stuff that was working fine. The list goes on and on.

It’s a thankless job, and I hate the guys who do it, but on the other hand I’m glad that they do it. I just wish there was a way we could let them know what a pain in the ass they are!

Sorry, rant over!

Oh sure, some of the rules JerrySTL mentions may serve that purpose, but I don’t really see how prohibiting characters such as [space].|{][}+&% makes a password stronger, or the one about “must start with an alphabetical character”.

I think the XKCD comic linked upthread is one of the best, in terms of being both concise and informative, examples of why a lot of the complexity requirements on passwords are ridiculous and pointless. What ends up happening is where I might use “password” if I’m required to have capitals and numbers and special characters, it becomes “Password1!” which hardly adds anything to the computing time, just a constant factor and, in fact, anyone who knows the complexity requirements can fairly easily add a few extra steps.

The problem is, when they do the entropy computations they make a bad assumption that passwords are random character choices from the available sets based on the complexity requirements, but that just isn’t the case. We have to have a password that is easy to remember or it’s essentially useless. And if we go with random-looking complex passwords along the lines of 1qaz@WSX3edc$RFV, keyboard patterns are also worked into any decent modern password cracker as part of the dictionary.

That all said, I think the XKCD suggestion is generally good, but in some places, that isn’t possible because of complexity enforcement. So, instead, I’d recommend using pass phrases, that way you can include punctuation and capitalization naturally. The one constraint I would put on that is to avoid well known phrases as modern dictionary attacks are starting to include variations of famous quotes, movie lines, etc. Instead, I try to think of something that I can easily associate with a particular site or service and have a phrase related to that. So, as a lame example, I might use a passphrase for a bank account along the lines of “ScroogeMcDuckHas$80Billion.” It’s easy to remember and associate with a bank, it naturally has multiple capital letters, lower case letters, 2 numbers and 2 special characters, it’s fairly long, and it’s not going to be hit by a dictionary or common phrase attack.

So, beyond that, the other really big mistake people make is using the same password for multiple accounts. The problem there is, if you share those passwords, if any of those accounts get compromised, potentially any other account using the same password could also be compromised. I make sure to have distinct passwords for my primary email, bank, facebook, and a few other sensitive accounts, but I do share passwords for accounts that I don’t care if they get compromised, mostly the sorts of websites where they require an account for some reason and I probably even use a bogus email for it anyway.

Anyway, though, I think password complexity requirements are, in general, a sense of false security. I’d rather just see us educate people on good password practice or, better yet, work toward using other methods of authentication, like password managers or two-factor authentication.

Some of that is because Unix and Oracle don’t like some things with their passwords. One example is that Oracle doesn’t like a special character in the last position. You have to do work-arounds to get such a password to work.

One funny thing is that up to version 9, Oracle wasn’t case sensitive. Making someone type combinations of upper and lower case characters did nothing in older versions of Oracle. Oracle 10, 11, and 12 have fixed that - mostly…

Neither requiring it to start with an alpha character nor prohibiting certain characters will increase security in any way at all: Quite the contrary, both of those will shrink the password space. Both of those are signs that they’re using a really crappy method of storing the passwords, and if they’re doing something so clumsy with the passwords, the rest of the security setup is probably equally half-assed.

Or even worse, maximum-length requirements. OK, there realistically needs to be some maximum, but I’ve seen them as low as 12, and a 20-character maximum is fairly common (for comparison, that Scrooge one is 27). Worse yet, sometimes a site will have a maximum length but not tell you what it is, or enforce the length for entering a password but not for setting it, so if you try to use a long, secure password, it’ll cheerfully lock you out of your account.

The worst I ever saw was a campus data management system-- IT sent out memos urging everyone to change their passwords to something complex, with at least 8 characters and including letters, numbers, and symbols… Except that the actual system itself wouldn’t accept anything except four-digit numbers.

AND set it to all caps. I’m looking at you, Travelocity.

Sadly, the “good” part was, when you tell it you forgot your password, it emails it to you in the clear.

:rolleyes:
ETA: In fact, fuck them. I’m going now to see how to just delete my damn account.

ETA again: Dammit.