Matthew J. Harmon: Minneapolis, Minnesota, États-Unis, Earth

Action and Adventure on the High Seas of Information Security

ARCHIVE: True story of password complexity

May 28, 2014

Archived from my G+ Feed.

True story of Password Complexity

Coming from the days of 6 character, 8 character and 14 character max passwords, over the years I've come up with some fun ways of generating strong passwords with high entropy (~70 bits with full char set), memorizable, and muscle memory re-using.

Long ago, in a network far far away, I reached my password change time (every 3mo) and decided to update it while remote. Anyone who has used common Windows VPN software knows the chance that if something goes wrong during the cache update, SSO or Kerberos token swap, you're going to have a bad time.

So I change my existing password:
Fr4nz!W#*SK3nK (69.5 bits of entropy, 72 character set size)
to...
$vF5maQ@EIDeHK(71.5 bits of entropy, same char set) and all appears well until the password change prompt shows up again.

Thinking maybe one of my characters in the new password may have caused an issue, I take the original password and add a "9" at the end (74.4 bits of entropy). Nope, doesn't like that, uniqueness is set.

So I try the new one again... Nope. Meticulously review my entry to make sure I'm not messing anything up. Nope.
Change some special characters around to the original... Nope.

Fine... Let's try this... Farfegnugen!123 (67 bits, same char size), success.

REALLY!? Lock and unlock a couple times... Authenticate everywhere... Oh, alright.

By contrast, the passwords I don't need to memorize look something more like this:

5u%^yj8vk@MX8P44Bnnh39raxHK88&BC

resulting in 162.1 bits of entropy.

Entropy measured using NIST SP 800-63, thanks to Tyler Atkins for his implementation at: http://rumkin.com/tools/password/passchk.php


Harmon, Matthew J. "True Story of Password Complexity." True Story of Password Complexity. Google+, 13 Jan. 2014. Web. 04 May 2014. https://plus.google.com/%2BMatthewJHarmon/posts/XbsNQWH99tb

Matthew J. Harmon
Matthew J. Harmon - http://www.linkedin.com/in/matthewjharmon/

Passionate security researcher, entrepreneur, consultant. Owner, founder, maker, mentor, teacher.

Loading Google+ Comments ...