Tr0ub4dor&3 is not a good password

The Trouble with Troubadour

One of the things that really annoys me when I sign up for things on the Internet is some of the really silly password rules that web sites make you use. I must have hundreds of passwords. In fact I currently have 347 passwords in my password bank and this month in particular, I have created more than a dozen new passwords due to setting up this new blog and related activities.

Have you ever wondered about password strength?

What makes one password stronger than another?

Why do some experts believe that using symbols & numbers is a security risk?

[Comic: Password entropy, from xkcd.com]

The above comic by the amazing people at https://xkcd.com/936/ explains it really well in my opinion. But since entropy is a complex subject well beyond the scope of those who aren’t technologically minded, some of you may still need help understanding this comic. Let me put it all into ordinary English for you, leaving out the stuff that the average computer user doesn’t need to know.

First, who am I? I am a blogger/creative writer who part owns an Internet Security business with my ex-husband, Pete McCormick. He is the brains behind the business and one of his greatest strengths is his ability to translate technical jargon into understandable information for his customers. So I’ve relied on him heavily to edit my explanation.
Scientists please look away now.

Despite the fact that Peter works solely with large-scale businesses, using very expensive pieces of hardware, ultra-complex networks and the latest technology, he has always maintained that one of the biggest security risks is the simple misuse of passwords. He says the most common misuse can be found in most offices around the world: writing the password on a post-it note attached to a screen, desk, memo board, etc.

This practice will never be stamped out if, every six weeks, well-meaning IT departments require their staff to change their password to a 12-character non-word, with digits, capitalisation and …. arghhh! symbols. Who can remember all that?

The trouble with Tr0ub4dor& (in the comic-strip example above) is that, for starters, it is difficult to remember. When asked to recall your password, your train of thought might go something along the lines of, “Was it a play on the word Trombone or the word Troubador? I remember it was tr-something. No wait, was it Tr-something? Did I use zeros, capital O’s or little o’s? I know it had a symbol in there somewhere, but was it before the last character or at the end?”

Chances are, just when you have learned the password, and mastered how to type it quickly, you are requested to change to a new password.

The other major problem with a password like Tr0ub4dor& is that, despite what we are led to believe, it is actually relatively easy for a hacker to crack. In the above example, the experts at XKCD have worked out that it contains approximately 28 bits of entropy (statistical uncertainty). At a plausible rate of 1000 guesses per second, they claim it would take 3 days for a computer program to crack that password. And not knowing the mathematics myself, who am I to doubt that? Calculating entropy is not an exact science. Even things like how many keys are on the keyboard could influence the entropy. As just one example, if you were working out the entropy of a particular symbol, it would depend on how many symbols were available on the keyboard, and some that don’t need the shift key may be favoured more.

Let’s take a look at their suggested alternative: correcthorsebatterystaple, all one word without spaces. Using a quantum formula for estimating entropy, XKCD have worked out that there are 44 bits of entropy in this phrase, so it would take the same computer program used for the other password a massive 550 years to crack it. After half a millennium, one would expect an important password to have been updated, rendering the hack useless.

These four random words seemingly have nothing to connect them, but the average human mind can make nonsense connections fairly easily. We may not be able to explain out loud how we connect those words, but in a password situation we don’t need to. Phrases (without spaces) are nearly as good, so long as they are not commonly known. For example, it wouldn’t be wise to use thelongandwindingroad. Notice also how, in the XKCD example, they use four words with a minimum of 5 characters in each, i.e. correcthorsebatterystaple. Using short words such as the/and/long/road reduces the phrase’s entropy.
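To make the comic’s arithmetic concrete, here is an added worked example (my own code, not from XKCD) that reproduces the 28-bit and 44-bit estimates above and the crack times at the 1000-guesses-per-second rate the post quotes. The per-component bit values for the Tr0ub4dor&3 style are taken from the comic’s annotations, and the 2048-word list size is the assumption behind 11 bits per word.

```python
import math

# Bits of guesswork per component of a "Tr0ub4dor&3"-style password,
# as annotated in the xkcd comic (constructed from those annotations).
TROUBADOR_COMPONENTS = {
    "uncommon base word (not in a short dictionary)": 16,
    "capitalisation of first letter": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "added numeral": 3,
    "added punctuation": 4,
    "order of numeral and punctuation": 1,
}

def troubadour_bits(components=TROUBADOR_COMPONENTS):
    """Total entropy: each extra bit doubles the number of candidates."""
    return sum(components.values())

def passphrase_bits(num_words, wordlist_size):
    """Words chosen uniformly from a list of N words contribute log2(N) bits each."""
    return num_words * math.log2(wordlist_size)

def crack_seconds(bits, guesses_per_second):
    """Worst case: the attacker must try all 2**bits candidates."""
    return 2 ** bits / guesses_per_second

def crack_days(bits, guesses_per_second=1000):
    return crack_seconds(bits, guesses_per_second) / 86400

def crack_years(bits, guesses_per_second=1000):
    return crack_days(bits, guesses_per_second) / 365

if __name__ == "__main__":
    t_bits = troubadour_bits()                 # 28
    p_bits = passphrase_bits(4, 2048)          # 44.0
    print(f"Tr0ub4dor&3 style: {t_bits} bits, "
          f"{crack_days(t_bits):.1f} days at 1000 guesses/s")
    print(f"four random words: {p_bits:.0f} bits, "
          f"{crack_years(p_bits):.0f} years at 1000 guesses/s")
    # Short, very common words come from a much smaller pool, so the same
    # four-word shape gives far fewer bits (assumed pool of 256 common words).
    print(f"four common short words: {passphrase_bits(4, 256):.0f} bits")
```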

Entropy explained (sort of)
Entropy is a measure of randomness which relates to just about everything.

Physicists have a favourite saying: “The only thing that is certain is uncertainty.”

Entropy is a concept that you can’t simply explain in one paragraph. So, putting aside the multi-disciplinarian aspects of entropy, I’ll just try to explain it where it pertains to password hacking, using analogy.

Suppose you have a brand new pack of 52 cards and ask someone to choose a particular card. Each card in the deck has an equal probability of occurring, so if the cards were shuffled properly it would be unlikely that you would guess correctly. The entropy is very high and only sheer luck or cheating would enable you to choose the card. But if you knew the deck was arranged by suit and number, then your chances of picking correctly are greatly increased. The entropy in this latter case is lowered through “educated guess”.

Odds and entropy are slightly differing beasts. I used to be a roulette dealer at a casino. A favourite bet of many punters was a 1:1 bet on red or black, which gave them an 18/37 chance (probability of 48.6%) of winning. It’s not a 50/50 bet because of the single green number, but at nearly even odds it’s about as close to a 50/50 bet as you can get in a casino, where the odds always favour the house. In theory each spin of the wheel is completely random and so (the croupier’s idiosyncrasies aside) the entropy should equal the odds. However, on some tables there was a digital readout showing the past ten or so winning numbers. In all the time I worked there I never saw more than 5 or 6 same-coloured numbers come up in a row. Therefore, with that knowledge gained, a punter could be looking for tables where, say, 4 or 5 blacks had been rolled in a row. They could rush over and drop a cash bet on red next time. At the very least they’d expect to win in 2 bets, increasing the second bet to cover the loss of the first. (Now don’t blame me if this doesn’t work for you. As I said, the odds always favour the house in the end and an experienced croupier can influence the spin slightly.) The entropy in this example is lower than the odds because of knowledge gained (the knowledge that the house never had more than, say, 6 same-coloured numbers come up in a row).

Calculating entropy is an inexact science

Coming back to password hacking, this educated guess or information gain is the key to a successful brute force attack. A password cracker can try every possible combination, and just like a thief picking a pin-lock with a hairpin, can check each combination for a match before it goes onto the next.

Most password cracking software uses a technique called “brute force attack”, whereby it simply goes systematically through known combinations until it gains entrance. The gambler, the lock-picker and the password hacker may all potentially strike it lucky in their early attempts, so it is in your best interests to make your passwords as random as possible to increase the level of entropy.

Basic brute force attacks typically use lists of common passwords and dictionary word lists, or known limited number pools (e.g. PINs of 0-9, lottery numbers 1-40, birthdates 1-31). More sophisticated software goes further by including every known altered word, e.g. substituting zeros/o’s and ones/l’s/i’s, or changing out vowels for digits; common phrases, proper nouns, etc. A personalised attack may try combinations of your vital statistics and known personal information. Stringing random words together without spaces fools cracking software because, unlike picking a pin-lock with a hairpin, the software isn’t programmed to think “Aha, I’ve found one word, now time to move on to the next.”

There are many more issues with passwords besides entropy and ease of recall. I might cover these in further blogs. Keep watching this space.


I love to hear your views. Please leave a comment.