Security, how to create a good password

I have known for a long time, that ridiculously complex passwords, containing all sorts of special characters, doesn’t necessarily increase entropy – Or reduce the likely hood of that your account will be hacked.

Purely logically, and mathematically, it often makes for much stronger security to use a sentence as a password. Preferably a sentence that is highly localised, and not something such as “I love myself”. And also a fairly long sentence. Simply put, because due to the math behind password breakers, it makes the job of cracking your password much harder. A password such as “I freakin’ adore Lofoten, especially during summer”, creates an entropy of 248.2 bits, and is actually much harder to crack than a password such as “$€%fF25x”, which only creates 42.2 bits entropy.

Hence, the first password, is actually much harder to crack, and therefor safer. In addition, it is much easier to remember, and will therefor reduce the likely hood of the user having to reset his or her password. When WikiLeaks released Vault7, they chose “I will scatter the CIA to the winds of the world” as their AES password for its content.

Today, there’s an interview with the guy who “invented” these weird passwords, requiring special characters, small and capital letters, with at least 1 number in them, between 8 and 16 characters long – And he is confessing that he actually regrets it, since it is purely statistically less safe, than a password where the user is freely allowed to write anything he wants to write.

In fact, in P5 and Sephia Five, I have long since implemented the ability to create any passwords you wish. There are no special constraints on adding special characters, no demands to max or min length, no constraints forcing the user to use small or capitalised letters, and no constraints on adding at least one number to your passwords, etc. And according to the math, this purely statistically, makes it easy for you, to create more difficult to break passwords, than services that requires of its users to use all sorts of special characters.

Of course, you could also utilise the best from both worlds, and create a password such as “1 am a mean a$$ security machine from Narvik”. The 1 and the $$ are basically substitutes for the letter “I” and the letters “s”, and hence becomes easily remembered. Now of course, typing that password on a phone, is difficult – However, you can easily choose for your client to remember your password, without significantly reducing your security, due to the way password vaults are normally implemented.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s