New Password Recommendations

It has been reported in the press (e.g. The Verge, SC Magazine) that Bill Burr regrets the advice he gave in 2003 regarding the creation of secure passwords. His rules were:

1. At least 8 characters
2. Usage of lower and upper characters
3. Usage of numbers and special characters
4. Change password regularly
5. Each service has its own password

These rules are theoretically correct but not useful in daily practice. People do not create absolutely random passwords like "Xr4>a(k.%T" because they cannot remember them but often use a common word with some substitutions and extensions. So, for example the password "P@ssw0rd_1" that originates from "password" and is changed regularly to "P@ssw0rd_2", "P@ssw0rd_3" etc. satisfies the criteria (1) - (4) but is easily guessed (see also xkcd).

According to the new recommendations (unfortunately not clerly formulated in NIST), users should use 3 - 4 concanated words like "CorrectHorseBatteryStapple".

In my opinion this new advice is again dangerous in practice. People will probably tend to use simple combinations like "DogAlwaysBarks" which are not difficult to guess. Suppose an English user choose 3 words from his limited vocabulary of say 10'000 words. There are (10⁴)³ = 10¹² such combined phrases (suppose the first letter is written in upper case). When we assume about 10⁷ guesses per hour then the password is cracked in 1 day. The problem is that even if the individual words are long the complexity is not increased because the words are taken from a dictionary. The problem with remembering all the different phrases for different services also remains.

The randomly selected characters have much higher complexity. There are about 100 printable ASCII characters (exactly 94, not counting the space " "). There are (10²)⁸ = 10¹⁶ passwords with 8 random characters so the cracking would take about 10'000 days. The same complexity would be achieved with a 4-words phrase like "DogAlwaysBarksLoudly" but then 20 characters need to be typed in.

So what to do? A possibility would be to use a password manager (e.g. Last Pass, Dashlane, RoboForm, KeePass, StickyPassword). Then only one complex password phrase needs to be remembered, all other passwords are stored on the server. The password manager Last Pass recommends strong master passwords like "soexcitedtoStartCollege!thisfall". But how do I remember this? Which words started with a capital letter and which not? Where did I put the "!"? Was it "excited" or "soExcited"? And can I trust the password manager at all? What happens when it is cracked?

There is just no end ...

Comments