Everyone always tells you the importance of having a strong password that is hard to guess. Use letters and numbers, they say.... Did you listen?
I've recently been doing some reading on passwords and crypto [1] and came across the best explanation for the need for strong passwords and I wanted to pass it on.
Consider for a moment if you have an application that uses DES as a cryptographic algorithm. DES requires a 56-bit key, which means that a good DES key has an equal probability of falling anywhere in the range of 0 to 2^56-1. A big number!
Ah, ha! Not so fast. Take as an example an English-language user. When asked for a password, we will typically pick something easy to remember, most likely containing ASCII values such as A-Z, a-z, 0-9 and possibly punctuation marks. Guess what, you just cut down (waaay down) on the number of possible values for a password that an attacker needs to try and guess. The attacker simply has to attempt to guess easy-to-remember groups of ASCII values. Yikes!
Now, let me show you the bit that REALLY brought this home to me about how bad passwords can be! Given that DES has a 56-bit key and is considered INSECURE for long-lived data, take a look at these very common scenarios showing the available character pool size and the password length required to create the equivalent of a 56-bit or a 128-bit key.
Available Characters and Password Lengths for Two Keys [2]

| Scenario | Available Characters | Required Password Length for 56-bit Key | Required Password Length for 128-bit Key |
| --- | --- | --- | --- |
| Numeric PIN | 10 (0-9) | 17 | 40 |
| Case-insensitive alpha | 26 (A-Z or a-z) | 12 | 28 |
| Case-sensitive alpha | 52 (A-Z and a-z) | 10 | 23 |
| Case-sensitive alpha and numeric | 62 (A-Z, a-z and 0-9) | 10 | 22 |
| Case-sensitive alpha, numeric and punctuation | 93 (A-Z, a-z, 0-9 and punctuation) | 9 | 20 |
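As an added example (not from the post or from the book), the Python below recomputes the table's lengths as ceil(key_bits / log2(pool_size)) and estimates the key-equivalent bits of a given password from the character classes it uses. The pool sizes are the table's; the 31-symbol punctuation count is an assumption derived from the table's 93 total minus the 62 alphanumerics, and the sample passwords are constructed.

```python
import math

# Character pool sizes from the table above (Table 8-1 in Writing Secure Code, 2nd Edition).
POOLS = {
    "Numeric PIN": 10,
    "Case-insensitive alpha": 26,
    "Case-sensitive alpha": 52,
    "Case-sensitive alpha and numeric": 62,
    "Case-sensitive alpha, numeric and punctuation": 93,
}
PUNCTUATION_POOL = 93 - 62  # assumption: the table's 93-symbol pool minus the 62 alphanumerics

def required_length(pool_size: int, key_bits: int) -> int:
    # Each uniformly chosen character contributes log2(pool_size) bits, so the
    # shortest password with a keyspace of at least 2**key_bits is the ceiling.
    return math.ceil(key_bits / math.log2(pool_size))

def length_table(key_sizes=(56, 128)) -> dict:
    # scenario -> (length for 56-bit key, length for 128-bit key), as in the table
    return {name: tuple(required_length(n, k) for k in key_sizes) for name, n in POOLS.items()}

def password_keyspace_bits(password: str) -> float:
    # Upper bound on strength in key-equivalent bits: assumes the attacker knows
    # which character classes were used and searches that pool uniformly. A
    # password built from dictionary words is weaker than this bound.
    pool = 0
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(not c.isalnum() for c in password):
        pool += PUNCTUATION_POOL
    return len(password) * math.log2(pool) if pool else 0.0

def equivalent_to_key(password: str, key_bits: int) -> bool:
    # True if the password's keyspace is at least that of a key_bits-bit key.
    return password_keyspace_bits(password) >= key_bits

if __name__ == "__main__":
    for scenario, (l56, l128) in length_table().items():
        print(f"{scenario}: {l56} chars for 56 bits, {l128} for 128 bits")
    for sample in ("1234", "password", "Xk9$pLm2wQ"):  # constructed samples
        print(f"{sample!r}: ~{password_keyspace_bits(sample):.1f} bits, "
              f"DES-equivalent: {equivalent_to_key(sample, 56)}")
```

Plain ceiling rounding gives 39 digits for the 128-bit PIN cell where the book's table lists 40; every other cell matches. The per-password figure is only an upper bound, which is exactly the point the post makes about easy-to-remember choices.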
SCARY! When was the last time you created an 8-10 character password that contained case-sensitive alpha, numeric and punctuation characters? Hmmm...?
[1] Michael Howard and David LeBlanc, "Writing Secure Code, 2nd Edition".
[2] Table 8-1 in Michael Howard and David LeBlanc, "Writing Secure Code, 2nd Edition".
BTW, I can't recommend the second edition of this book enough!
10:52:52 PM