Passwords: the balancing act of exclusivity versus complexity

This post was written by Jack, one of our Cyber Security Consultants.

Is password exclusivity more important than complexity?

Now bear in mind that complexity only protects you from password cracking attempts – let me explain…

First, my assumptions and some basics:

Your passwords should be random strings of characters. If you are considering using the ‘three memorable words’ method, don’t (you can read more on that here).

The cracking activities described below work on the assumption that a site you use has been breached and its hashed passwords have been leaked publicly. This is because the likelihood of your password being cracked by online guessing against a live service, such as credential stuffing (the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts), is incredibly slim unless you are personally targeted, and even then it is rather unlikely.

Why? Because most credential stuffing attempts are more likely to DoS (denial of service) a site than to make enough guesses to find even a single account's password.

It is standard practice for online services not to store your password in cleartext (as it is typed); to do so would be a major breach of privacy, as they would be privy to your secret data. Instead, passwords are stored as hashed strings: the password you enter is converted, by a one-way operation, into a fixed-length string of characters that looks random.

Doing this allows the service to store a secret value that you can easily recreate (by supplying the original password), but that they, or anyone else, cannot easily reverse: because the algorithm only works one way, they cannot work backwards from the hashed string to your original password.

Okay, basics out of the way, let’s get started.

Imagine this is your password: h5£yHHnTr

While it is only 9 characters long, it is pseudo-random.

Let’s imagine a computer is attempting to guess this random string. How many guesses must it make? Well, let’s consider the number of unique combinations there are for a password of this length drawn from the ISO character set…

Unique lowercase: 26

Unique uppercase: 26

Unique digits: 10

Unique specials: ~20

82 possibilities for each character; let’s generously round up to 90. If a character is chosen randomly, guessing it correctly is a 1/90 chance. (In reality there are 94 ISO characters, but let’s keep it simple for now.)

Now, for a two-character password you must guess correctly twice, but the system does not tell you if you get one character correct. The odds of guessing the first character correctly are 1/90 and the odds of guessing the second character correctly are also 1/90, so the odds of guessing both characters correctly simultaneously are 1/(90 × 90) = 1/8,100. Hard for a human, yes, but a computer can make this many guesses in a second.

From this, we can generalise that, for a password of length ‘n’, there are 90^n possible combinations, so the odds of guessing correctly in one attempt are 1/(90^n).

From this, we can deduce that a password with 9 characters can have 4.3046721 × 10^15 combinations, which is around 4.3 quadrillion. This is difficult even for a PC to guess, but it may be done within a day on a modern computer.

This password strength, while not uncrackable, would take the devoted effort of a high-spec PC one day to crack. It would have to be protecting something pretty valuable for this to be worth it for an attacker.

10 characters may take closer to a week.

As you can see, the number of combinations grows exponentially as length increases.

Now, 12 characters gives 2.8242954 × 10^23 combinations, which is 0.2 septillion or 200 sextillion. This is nearly uncrackable for the majority of PCs and would take several tens of thousands of millennia.
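The search-space arithmetic above, carried through for lengths 8 to 12, as an added example that is not code from the original post. The guess rate is a parameter and the 10^10 guesses per second used in the demo is an illustrative assumption, not a measured figure; the 94-character printable alphabet is offered alongside the post's rounded 90.

```python
# Added example, not code from the original post: search-space and cracking-time
# arithmetic for the character counts used above. Guess rates are illustrative
# assumptions, not measured figures.
from math import log2

# Character classes as counted in the post (26 + 26 + 10 + ~20 = 82).
ALPHABET_COUNTED = 26 + 26 + 10 + 20   # 82
ALPHABET_ROUNDED = 90                   # the post's "generously round up"
ALPHABET_PRINTABLE = 94                 # printable ASCII without the space

SECONDS_PER_YEAR = 365 * 86_400


def combinations(length: int, alphabet: int = ALPHABET_ROUNDED) -> int:
    """Distinct passwords of `length` characters drawn uniformly from `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = ALPHABET_ROUNDED) -> float:
    """The same search space expressed in bits: log2(alphabet ** length)."""
    return length * log2(alphabet)


def expected_crack_seconds(length: int, guesses_per_second: float,
                           alphabet: int = ALPHABET_ROUNDED) -> float:
    """Exhaustive search hits a uniformly random password after half the keyspace on average."""
    return combinations(length, alphabet) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Coarse, human-readable scale for a duration given in seconds."""
    units = [("millennia", 1000 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("days", 86_400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def strength_table(lengths, guesses_per_second: float, alphabet: int = ALPHABET_ROUNDED):
    """One row per length: (length, combinations, bits, expected crack time as text)."""
    return [(n, combinations(n, alphabet), round(entropy_bits(n, alphabet), 1),
             human_duration(expected_crack_seconds(n, guesses_per_second, alphabet)))
            for n in lengths]


if __name__ == "__main__":
    # Assumed rate for a fast, unsalted hash on a GPU rig; deliberately slow
    # password-hashing functions cut this by several orders of magnitude.
    for row in strength_table(range(8, 13), guesses_per_second=1e10):
        print("{:2d} chars: {:.3e} combinations, {:5.1f} bits, ~{}".format(*row))
```

Running it shows that 90^8 is the 4.3 × 10^15 figure quoted above and 90^12 the 2.8 × 10^23 figure, while 90^9 comes to roughly 3.9 × 10^17.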

Great, now I have an extra-strong password that no one could possibly guess. I’m safe now, right?

Here’s the issue with complexity

It counts for squat once the password is compromised and, crucially, it’s harder to remember.

‘Well, complexity doesn’t make me more likely to have my password stolen’, you may think, but here’s why this can be a problem:

Imagine you are presented with a new site that requires a new username and password combo.

You think ‘hmm… well I have this very strong, uncrackable password already and it’s hard enough to remember, I couldn’t possibly remember two of them. I’ll just reuse that.’

It now turns out that the site was a phishing site, and your username/password combo has been compromised. Consider also that this might not be the first time you have reused the password, and now you see the problem: you have used this password on many sites before, and it is no longer secure on any of them. Can you remember every site where you reused it? Unlikely.

This once ‘uncrackable’ password is now unusable to you. Now you must create another and remember it instead, and every time you are forced to do so it feels harder and harder to remember. The cycle continues: a downward spiral.

The lesson to be learnt here is that there is no single right answer. Complexity vs exclusivity is a balancing act and you must make a trade-off somewhere; only you can decide where to compromise.

For instance, you may choose to use more memorable 8-character or word-based passwords for sites that hold little to no personally identifiable information, so that you need only remember the really complex passwords where it really matters. Or you may choose to use substantial 10-12 character passwords everywhere and simply reuse them on the less important sites. The third compromise is to use a password management service: here you can use many complex, unique passwords, with the caveat that the confidentiality of all of them is lost if the one password you use to secure them is compromised.

Of course, these are all less-than-optimal solutions. Hypothetically we should all be using unique, random-string passwords of at least 12 characters on every site for maximum security; this is, however, unrealistic, as few people are capable of remembering this much random data.

So, in summary, you must be aware of your own limit in this regard: decide your risk appetite for the sites you use and where you can afford to make compromises. It is my humble opinion, however, that if compromises are to be made, complexity should be the first area to give, as reuse is more dangerous than short passwords.

It should also be noted that there are extra steps one can take to protect their accounts, such as MFA (including on the password manager account itself), though those lie outside the scope of this conversation.

One thing is for certain: technology will continue to improve according to Moore’s law. This means that password cracking times will fall, and as this happens our passwords must get longer. These will become increasingly hard to remember, and as such we will probably start reusing them.

In which case, now may be the smart time to start using a password manager, which can create long, complex passwords for you while you need only remember one. If you do not use that one password anywhere else and do not reveal it to anyone, you should be safe online.