What’s in a password?

Cracking the code of security

Setting passwords is a chore. You know to avoid choosing your dog’s name, or your grandma’s birthday. But then you’re faced with website constraints. It labels you ‘weak’ and demands a number. You insert a ‘1’ at the end of your simple word. A ‘123’ if you’re feeling particularly adventurous. Insistently, the website now requires a ‘special character.’ Unsure of any others, you add an exclamation mark. Your password is as secure as Alcatraz. Right?

Actually, your security could be hacked in a couple of seconds. Websites insist on a host of requirements for passwords in an attempt to increase strength and reduce hackability. Considering hackers are well aware of these, it can be counterintuitive. Behavioural security studies conducted by software researchers Florenico and Herley in 2007 also suggest that if there are too many constraints, users feel overwhelmed and subsequently create the simplest possible password to meet the demands.

It is unlikely you can think of a website that does not mandate password constraints,  including Sydney Student. AppleID constraints are notoriously prescriptive, requiring the inclusion of a number, capital letter, and symbol; additionally, the password must be at least 8 characters and not contain 3 consecutive identical characters. The latter constraint actually decreases the amount of possible passwords that could be chosen. Users should be wary of any means that decrease possible password options, as this increases the likelihood of hackers making accurate guesses.

Websites utilise the mathematical property of entropy, which favours passwords with a higher range of possible characters. If a password includes only lowercase letters, there are 26 possible characters per space, which is known as the alphabet size. A password with lowercase and uppercase letters, numbers and special symbols increases this to 84, clearly amplifying strength. Florencio and Herley developed a formula that measures the bit-strength of any password, as follows: log2(alphabet size^n), where n is the character length of the password. You can use this formula to evaluate the bit strength of your own password! For comparison, the average password has a bit strength of 40.54, with a password over 60 bits attaining the goal of ‘strong’.

Constraints such as those set by Sydney Uni can be potentially satisfied with simple and common passwords — for example, ‘Password1’ would meet the requirements, yet it was named in the Global Security Report in 2012 as the most frequently employed password. Despite the majority of websites stipulating certain criteria, password security expert Mark Burnett found that 91% of passwords can be found in the list of the top 1,000 frequently used passwords. Without extensive password-setting guidance, our passwords are often rendered less secure due to constraints as they encourage us to choose less unique passwords. If your password is P@ssw0rd, I suggest you change it immediately.

American whistleblower Edward Snowden heavily criticises the modern culture surrounding password-setting, and proposes a new method of the ‘pass-phrase.’ This collates four random words to form said password. This ‘pass-phrase’ would not meet the requirements for most websites, but mathematically it is very strong, as character permutations are replaced with possible words. The inclusion of four words ensures the password string would be very long, which typically signals a ‘strong’ password. Additionally, considering the almost unfathomable range of the English dictionary, the entropy of any pass-phrase is very high. 

Obviously, if the pass-phrase becomes standard practice and a known constraint, hackers could develop software to target commonly used phrases. Instead, it would be better for people to begin adopting similar password construction methods on their own. In terms of security, it appears that we should send websites the message, ‘less is more.’