04 March 2013 Ideas

How strong is your keychain?

Password strength is always relevant, with security vulnerabilities being exploited all the time. Nobody is immune to attacks: within the past 9 months, Twitter, ABC Australia, Yahoo, and LinkedIn have all had their passwords leaked.

Of course, there are many factors at play beyond the strength of your password. Using a slow algorithm like bcrypt to secure passwords is generally more important than having a strong password in the first place. But, as an average web user, you don’t have control over the security infrastructure of websites you visit. So what’s the best password strategy?

We’ve always been told to use uppercase and lowercase letters, numbers, and special characters in our passwords. These are good rough guidelines, but a complex password is not necessarily a secure password. As illustrated by this excellent XKCD comic, it’s more important to have a long, easy-to-remember password than a short, complicated one. The reason? The longer one has more bits of entropy. Measuring the entropy of a password is a better way to determine how difficult it would be to hack in the real world:

A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 2^42 attempts to exhaust all possibilities during a brute force search.


There are a number of calculators out there that figure out how many bits of entropy are in a given password. I like Dropbox’s calculator, since it breaks down the method that would be used to guess each part of the password.

Most of the discussion centres around the strength of an individual password. But if you use the same password on every site, it only takes one of them to fail for someone to have access to your Facebook account, email, banking information, and more.

The reality is, most people reuse their passwords. So how strong does a password need to be for you to safely use it everywhere?

Here’s a randomly-generated 6-character password with letters, numbers and symbols: vL5e$Q. It has 39 bits of entropy - that’s less than desirable, but not bad (correcthorsebatterystaple, the password used in the XKCD comic, has 45). If you log in to, say, 50 websites with different randomly-generated passwords of this kind, your entire keychain has 1,950 bits of entropy.

So how long does a single password need to be to achieve 1,950 bits of entropy? Well, you’d have to type out the first 15 or so verses of Genesis to get 1,950 bits with lowercase letters.
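The arithmetic behind the figures above, as an added worked example (not code from the original post): entropy of a uniformly random password is length × log2(alphabet size); a keychain of independent passwords adds their bits; and the length needed to reach a target over a given alphabet follows from dividing back. It assumes the 6-character example was drawn from the 94 printable ASCII characters, and that an XKCD-style passphrase draws 4 words from a 2048-word list (the post's figure of 45 bits for correcthorsebatterystaple comes from Dropbox's estimator, which models guessing strategies rather than a fixed alphabet).

```python
import math
import string

# Character classes a random password generator may draw from (assumed alphabet).
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from.

    This is the brute-force search space for a *randomly generated* password:
    a guesser who knows the generator's alphabet must try every combination.
    """
    size = sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses characters outside the known classes")
    return size


def random_password_bits(password: str) -> float:
    """Entropy in bits of a password drawn uniformly from its character classes:
    log2(alphabet ** length) == length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words chosen uniformly from a dictionary of
    dictionary_size words (the XKCD approach: the unit is the word, not the letter)."""
    return word_count * math.log2(dictionary_size)


def keychain_bits(bits_per_password: float, site_count: int) -> float:
    """Total entropy of independent random passwords, one per site.
    Reusing one password everywhere collapses this to bits_per_password."""
    return bits_per_password * site_count


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest password over an alphabet of alphabet_size characters whose
    entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def brute_force_guesses(bits: float) -> float:
    """Guesses needed to exhaust a search space of the given entropy."""
    return 2 ** bits


if __name__ == "__main__":
    pw = "vL5e$Q"  # the post's random 6-character example
    print(f"{pw}: {random_password_bits(pw):.1f} bits over a "
          f"{charset_size(pw)}-character alphabet")
    print(f"4 words from a 2048-word list: {passphrase_bits(4, 2048):.0f} bits")
    total = keychain_bits(39, 50)
    print(f"50 sites x 39 bits = {total:.0f} bits")
    print(f"lowercase-only password needed for {total:.0f} bits: "
          f"{length_for_bits(total, 26)} characters")
```

The alphabet model only holds for passwords that really are uniformly random. Fed a dictionary passphrase, random_password_bits treats every letter as an independent choice from 26 and reports roughly 117 bits for correcthorsebatterystaple, far above the word-level estimate; that overestimate is exactly why a calculator that breaks a password into the parts a guesser would attack separately gives more honest numbers.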

The moral of the story: even if you have a strong password, you’re doing yourself a disservice if you use it everywhere.

Sam Nabi
