bitwix

Tangential comments about Software Development

Friday, April 12, 2013

When easier passwords are better

Which is more secure: an eight-character password made up of upper- and lower-case letters, numbers and punctuation, or a twelve-character password made up of lower-case letters only?

Run the maths. On my laptop keyboard there are about 32 punctuation items you can use. So there are 26 + 26 + 10 + 32 = 94 different symbols available. There are 94 to the power 8 combinations, which Excel's POWER(94,8) gives as 6.09569E+15.

Twelve lowercase letters can be combined in POWER(26,12) = 9.5429E+16 ways. Divide that by the previous number and the twelve-letter password comes out 15 times more secure.

Now here's the funny thing. Try typing Pa55w*rD (capital P and D, 5 instead of s, * instead of o). Then type it on a tablet, then on a smartphone.

Now type thispassword. Repeat on a tablet and a smartphone.

Defenders of horrible passwords may complain that thispassword is easily crackable, skating over the fact that people have to write down complex passwords, and that conventions like 5 for s are so common they are useless. The answer is just to increase the minimum length. A twenty-letter password such as thispasswordisenough has an awesome number of combinations.
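The keyspace arithmetic the post does in Excel, as an added example (not code from the original post), generalised to answer the question the post ends on: how long a lowercase-only password has to be to beat a given complexity policy. The function names are my own, and the figures assume every character is chosen uniformly at random, which is what a keyspace count measures.

```python
import math

# Alphabet sizes used in the post: 26 lower-case letters, and the
# 26 + 26 + 10 + 32 = 94 symbols reachable on a laptop keyboard.
LOWER = 26
MIXED = 26 + 26 + 10 + 32

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols, each drawn
    uniformly from an alphabet of `alphabet_size` symbols (Excel's POWER)."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the usual 'bits of entropy' figure for a uniformly
    random password. A phrase built from dictionary words has fewer bits."""
    return length * math.log2(alphabet_size)

def strength_ratio(a_size: int, a_len: int, b_size: int, b_len: int) -> float:
    """How many times larger policy B's keyspace is than policy A's."""
    return keyspace(b_size, b_len) / keyspace(a_size, a_len)

def min_length_to_beat(alphabet_size: int, target: int) -> int:
    """Smallest length whose keyspace over `alphabet_size` symbols is at least
    `target`: the minimum-length rule that can replace a complexity rule."""
    length = 1
    while keyspace(alphabet_size, length) < target:
        length += 1
    return length

def compare_policies() -> dict:
    """The three passwords discussed in the post, side by side."""
    complex8 = keyspace(MIXED, 8)  # Pa55w*rD style: 94^8
    return {
        "94^8": complex8,
        "26^12": keyspace(LOWER, 12),  # thispassword
        "26^20": keyspace(LOWER, 20),  # thispasswordisenough
        "ratio_12_lower_vs_8_mixed": strength_ratio(MIXED, 8, LOWER, 12),
        "lower_length_to_beat_94^8": min_length_to_beat(LOWER, complex8),
        "bits_94^8": entropy_bits(MIXED, 8),
        "bits_26^12": entropy_bits(LOWER, 12),
        "bits_26^20": entropy_bits(LOWER, 20),
    }

if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value}")
```

Twelve is exactly the shortest lowercase-only length whose keyspace exceeds 94^8, which is why the post's two examples line up the way they do.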

I'm just off to see the security dudes at my customer. Save everyone time and increase security - what a no-brainer!