Better Passwords with a Reasonable Effort

This note presents and discusses the principles of good password creation. It ends with a process for creating passwords that follow those principles and require only a reasonable mental effort.

Many “easy” tricks are offered on the web. The reader is invited to evaluate those approaches against the principles given here.


Principles

Characteristics of a good password:

  • a password should be used only once for a given purpose
  • the compromise of one password should not compromise other passwords
  • a password should contain a large amount of entropy

Password used only once:
A password should never be reused. This matters when one of your passwords is compromised. For example, suppose you have accounts with two services (Google and Facebook). If the same password is used for both, an attacker who learns the password for one service can also log in to the other. Attackers do this at scale: credentials leaked from one site are replayed automatically against many others.

Password compromise:
Passwords should not be related in such a way that knowing the password for one service reveals the passwords for other services. For example, “123google”, “123facebook” and “123amazon” are different passwords, but an attacker who discovers one will easily guess the others.

Entropy:

Entropy measures how unpredictable a value is. For passwords, it is tied to the number of guesses an attacker would have to make in order to try every possible password.

For example, if a bike lock had 4 wheels, each numbered from 1 to 8, the total number of possible combinations would be 8 * 8 * 8 * 8 = 4096. An attacker without knowledge of the combination would therefore have to try at most 4096 combinations to open the lock, and about half of them on average.

Entropy is expressed in bits: the number of bits needed to count all the combinations, that is, the base-2 logarithm of their number. In the bike lock example, 4096 combinations correspond to 12 bits, since 2 to the power of 12 is 4096. Each rotating wheel contributes 3 bits of entropy, since it can take 8 different positions (2 ^ 3 = 8). If the same lock had only three wheels, it would provide a total of only 9 bits of entropy.

In the bike example, if each wheel could occupy 10 positions, instead of 8, then each wheel would provide 3.32 bits of entropy (2 ^ 3.32 = 10) and a bike lock made of four of those wheels would provide a total of 13.3 bits. Indeed, the lock provides 10 000 different combinations, which is 2 ^ 13.3.

What needs to be remembered from this exercise are the following concepts:

  • each position in a lock contributes an amount of entropy
  • the more values a position can take, the more entropy it contributes
  • the total entropy of a lock is the sum of the entropy of each position, provided the positions are independent of one another

Passwords are similar to Bike Locks

A password is similar to a bike lock where each character in the password represents a mechanical wheel that can take a number of different values.

If a password is made only of lowercase letters (26 values), then each character is worth 4.7 bits of entropy (log2 26).
If a password is made of lower and upper case letters (52 values), then each character is worth 5.7 bits of entropy.
If a password is made of lower and upper case letters, along with digits and a set of ten special characters (72 values), then each character is worth 6.2 bits of entropy. (Allowing every printable ASCII character gives 95 values and about 6.6 bits.)
These figures assume that each character is picked uniformly at random and independently of the others.

To be safe, a password should have at least 64 bits of entropy. A great password should have 128 bits of entropy.

A question easily comes to mind: should each password be at least 11 characters? The answer is yes. At 6.2 bits per character, 11 characters drawn from letters, digits and special characters give about 68 bits; a lowercase-only password would need 14 characters to reach 64 bits. Continue reading: a trick is given below on how to create long passwords and easily remember them.

Entropy Revisited

Astute readers might offer a password made out of words such as:

OrangeApple

There are 11 characters in this password. Since it mixes lower and upper case letters, each character would offer 5.7 bits of entropy, for 62.7 bits in total, right? No. When a password is made of words, its characters are related rather than independently random, so an attacker who guesses whole words instead of characters can find the password in far fewer tries.

There are 171,476 English words in current use, which is between 17 and 18 bits of entropy per word (log2 171,476 ≈ 17.4), so OrangeApple is worth only about 35 bits of entropy, not 62.7. In practice it is worse still: attackers try common words first, and against a list of the 10,000 most common words two words are worth only about 27 bits.
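The following is an added worked example, not part of the original note: a small Python entropy calculator that implements the bike-lock reasoning above (bits per position, summed over independent positions) for both the character-based and the word-based attack, and converts the result into an expected guessing time. The 72-symbol alphabet reproduces the note's figure by counting ten special characters; the 171,476-word dictionary size is the one quoted above. The guess rate passed to the crack-time function is whatever the caller assumes about the attacker.

```python
import math
import string
from typing import Optional

# Figure quoted in the note for English words in current use.
ENGLISH_WORDS_IN_USE = 171_476

# Ten specials reproduce the note's 72-value alphabet (26 + 26 + 10 + 10).
# Printable ASCII has 32 punctuation characters, i.e. 94 values without
# space (95 with it), which is about 6.6 bits per character.
PAGE_SPECIALS = 10


def entropy_bits(alphabet_size: int, positions: int) -> float:
    """Entropy of `positions` independent symbols, each drawn uniformly
    from `alphabet_size` values: log2(alphabet_size ** positions)."""
    if alphabet_size < 1 or positions < 0:
        raise ValueError("need alphabet_size >= 1 and positions >= 0")
    return positions * math.log2(alphabet_size)


def alphabet_size_of(password: str, specials: int = PAGE_SPECIALS) -> int:
    """Size of the character set an attacker must search, given which
    character classes actually appear in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += specials
    return size


def char_attack_bits(password: str, specials: int = PAGE_SPECIALS) -> float:
    """Entropy against an attacker who guesses character by character,
    assuming every character is an independent random pick."""
    if not password:
        return 0.0
    return entropy_bits(alphabet_size_of(password, specials), len(password))


def word_attack_bits(num_words: int,
                     dictionary_size: int = ENGLISH_WORDS_IN_USE) -> float:
    """Entropy against an attacker who guesses whole words from a dictionary."""
    return entropy_bits(dictionary_size, num_words)


def effective_bits(password: str, num_words: Optional[int] = None,
                   dictionary_size: int = ENGLISH_WORDS_IN_USE) -> float:
    """The attacker picks the cheapest strategy available, so the effective
    entropy is the minimum over the attacks we can model. `num_words` is the
    number of dictionary words the password is built from, if any."""
    bits = char_attack_bits(password)
    if num_words:
        bits = min(bits, word_attack_bits(num_words, dictionary_size))
    return bits


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    # Constructed sample inputs: the lock and passwords discussed in the note.
    print("4-wheel, 8-position lock:", entropy_bits(8, 4), "bits")
    for pw, words in (("OrangeApple", 2), ("RoYoTiEv8Ki!", None)):
        bits = effective_bits(pw, num_words=words)
        # Assumed attacker rate: 1e10 guesses/s against a fast hash, offline.
        print(f"{pw}: {bits:.1f} bits, "
              f"~{expected_crack_seconds(bits, 1e10):,.0f} s at 1e10 guesses/s")
```

Run as a script it shows why OrangeApple is cracked in seconds while the same 11 characters chosen independently would take decades: the word attack, not the character attack, sets the effective entropy.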

Password Principles Restated

Characteristics of a good password:

  • a password should be used only once for a given purpose
  • the compromise of one password should not compromise other passwords
  • a password should contain a large amount of entropy (minimum 64 bits, better if 128 bits and above):
    • many characters in the password
    • varied characters (lower and upper cases, numbers, special characters)
    • unrelated characters (avoid whole words)

Mental Approach to Creating Better Passwords

Create passwords by combining the following tricks:

  • high entropy constant reused between all passwords to provide a minimum amount of entropy
  • add a variable component based on the context the password is used
  • use a mental transformation known only to you

Constant Component
Create a long string of seemingly random characters from a saying you want to repeat to yourself. Use a phrase that means something to you. Make it a message that will improve your life, since you will type it all the time. For example:

RoYoTiEv8Ki!

The above string is easy to remember through the phrase “Rotate Your Tires Every 8000 Kilometers!”: the first two letters of each word, the number, and the punctuation. Treated as 12 independent characters from the 72-value alphabet, this component is worth roughly 72 bits of entropy (12 × 6.2 ≈ 74). That estimate holds only if the phrase is personal and unpublished; a constant built from a well-known quotation, lyric or proverb is worth far less, because attackers try phrase-derived patterns too.

Variable component
This is the easiest part. The variable component should be based on the context in which the password is used. If this is a password for Google, then the variable part could be “google”. If the password is used to unlock your laptop, then the variable part could be “laptop”. The variable component should be easy for the password owner to recall from the context in which the password is used.

Mental Transformation
The aim of the mental transformation is to hide the variable part from a potential attacker. Continuing the examples above:

Password for Facebook: AfRoYoTiEv8Ki!cebook

Password for Google: OgRoYoTiEv8Ki!ogle

In these examples, the mental transformation consists of:

  • taking the first two letters of the variable component, reversing them, capitalizing the first, and putting them in front of the constant component; and,
  • taking the remainder of the variable component and appending it after the constant component.
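As an added example (not code from the note's author), the transformation just described in Python, so that the two worked passwords can be checked mechanically and a reader can plug in a transformation of their own. The constant is the note's “RoYoTiEv8Ki!”; `my_transform` is a hypothetical alternative included only to show that the transformation is a swappable step. The last function implements the check a practitioner would run against any such scheme: given two derived passwords in plaintext, how much of the constant falls out.

```python
from difflib import SequenceMatcher
from typing import Callable

# The note's constant, built from "Rotate Your Tires Every 8000 Kilometers!"
CONSTANT = "RoYoTiEv8Ki!"


def page_transform(constant: str, context: str) -> str:
    """The mental transformation described above: the first two letters of
    the context, reversed and capitalised, go in front of the constant;
    the rest of the context is appended after it."""
    if len(context) < 3:
        raise ValueError("context must have at least three characters")
    head, tail = context[:2], context[2:]
    return head[::-1].capitalize() + constant + tail


def my_transform(constant: str, context: str) -> str:
    """Hypothetical alternative transformation (illustration only): split the
    constant in two, insert the last three context letters in upper case,
    and end with the context length."""
    mid = len(constant) // 2
    return constant[:mid] + context[-3:].upper() + constant[mid:] + str(len(context))


def derive_password(context: str, constant: str = CONSTANT,
                    transform: Callable[[str, str], str] = page_transform) -> str:
    """Derive the password for a context (site or device name)."""
    return transform(constant, context.lower())


def shared_component(p1: str, p2: str) -> str:
    """Longest common substring of two passwords. If two passwords from this
    scheme ever leak in plaintext, this is all an attacker needs to recover
    the constant, so the scheme relies on services hashing passwords and on
    the transformation not being obvious from a single example."""
    m = SequenceMatcher(None, p1, p2, autojunk=False)
    match = m.find_longest_match(0, len(p1), 0, len(p2))
    return p1[match.a:match.a + match.size]


if __name__ == "__main__":
    for ctx in ("facebook", "google", "laptop"):
        print(f"{ctx:9} -> {derive_password(ctx)}")
    leaked = derive_password("facebook"), derive_password("google")
    print("recoverable from two plaintext leaks:", shared_component(*leaked))
```

`derive_password("facebook")` and `derive_password("google")` reproduce the two passwords given in the note; `shared_component` on the pair returns the full constant, which is the reason the note's principle that one compromise must not compromise the others depends on the constant never appearing in a plaintext leak.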

In these examples, the password always carries at least the roughly 72 bits of the constant component; the variable part adds length but little entropy, since it is derived from the context. The approach follows the presented password principles and, with a bit of practice, requires little mental effort. One caveat: if a service stores or leaks your password in plaintext, the constant is exposed along with it, so the scheme depends on the transformation not being obvious from a single example and on choosing a different constant if one is ever leaked.

Each reader should devise a mental transformation of their own that is personal and original.
