The math is really simple. The odds of guessing a given password are 1 in x, where x is the character set of the password, to the power of the password’s length.
So what’s the number for the character set? If the password is just lowercase letters, it’s 26. If it’s mixed case, that’s 52. Add in numbers, and you bring it to 62. Add all those weird punctuation symbols on the keyboard, and you bring it to 94, not counting the space character.
Back when I enrolled in college and they gave me my first account on their ancient mainframe, they required my password to be 6-8 characters, with no special restrictions. Realistically, we all probably just typed something in lowercase. So, there were 26^6 possible passwords we could use if we just did the minimum–308,915,776 possible passwords. That’s nothing today, but in 1993, even that was an intimidating number. Creating a dictionary to store that many passwords to just try would consume 2.3 gigabytes of disk space, and in 1993, that was $4,700 worth of disk space. The SCSI adapter you’d have to plug it into ran another $300 or so. In 1993, that was an acceptable level of security.
Today, you can buy a 4 GB flash drive at any drugstore for 10 bucks and it can store that dictionary with room to spare. Then it’s just a matter of generating the dictionary with John the Ripper and writing a script to try each possible password, then wait for it to run. That’s why 6-character passwords are inadequate in 2011.
If you want the ultimate in security, you should use a password that’s 16 characters of pure gobbledygook, which mathematically works out to 94^16. Expressed another way, the chances of guessing that kind of password is a crippling 1 in 3.71574E+31. That number makes the national debt look like pocket change.
The problem is that you can’t make a unique password like [-r~1g4QI,’]-*6^\ for every web site you visit without writing them all down. They’re horrible to type, too, so if you’re using passwords like that, you probably have them stored on your computer somewhere so you can copy and paste them, which is even worse than having them written down. Or, more likely, you’re using short, memorable passwords instead. It sure would be nice to find some kind of compromise between security and ease of use.
Steve Gibson recently brought up the concept of “password haystacking” in his Security Now! podcast. His idea is that you take the manageable 8-character password that you’re probably using and pad it with gobbledygook. Let’s say your password for your Hotmail account is “aardvark.” If it is, I guarantee some guy is using your Hotmail account to send Viagra spam to everyone in the world, but we’ll run with it. A password of ====aardvark==== isn’t all that much better. If your password is aardvark, and you’re looking to upgrade, you have to go to something like 2!aQaardvark2!aQ.
Let’s do the math on how good a padded password really is, if you work from the (likely) assumption that a reasonable number of people decided to upgrade from an 8-character password via padding.
If you’re starting out with an 8-character password, the odds of guessing an 8-character alphanumeric password are 1 in 2.1834E+14 (62^8). That’s one in 218 trillion-plus.
Now let’s just say I know you have an 8-character alphanumeric password that you’ve padded with 8 characters of gobbledygook. My chances of guessing the gobbledygook are 1 in 6.09569E+15 (94^8).
It gets better. My chances of guessing both the password and the padding aren’t 2.1834E+14 plus 6.09569E+15, but rather 2.1834E+14 *times* 6.09569E+15.
So padding your 8-character password with 8 characters of gobbledygook realistically creates a set of 1.33093E+30 possible passwords. You probably have to quadruple that, since I don’t know whether you’ve tacked 8 characters of gobbledygook to the beginning, the end, or stuck your 8-character password in the middle of it. 5.32373E+30 is merely 1/111 the size of a pure 16-character password of gobbledygook (a set size of 3.71574E+31), but it’s still far, far bigger than anyone can store. It is a bigger number than 94^15 (3.95292E+29), making it stronger than a 15-character password of pure gobbledygook.
But let’s get realistic. You’re going to pad a pattern of symbolic characters on either side of that 8-character password, aren’t you? Because you’re one of those kinds of people, like they say in Office Space, who only does the minimum. 218-trillion times 32 to the power of four times 2 is 4.57892E+20–somewhere between 94^10 (5.38615E+19) and 94^11 (5.06298E+21) in strength, for comparison’s sake. More along the lines of a strong password 10-11 characters long.
One can argue the specifics, but there’s no question a padded password, even a predictably padded password, is better than something shorter. Realistically, you want to be better than the current 8-character industry standard, so that a password cracker passes you by in favor of an easier target. And if you want more orders of magnitude, pad the password and insert a symbol or two somewhere in the middle.
That’s looking at it from a pure brute force perspective. I ran this scenario past White, and he said that’s fine, but brute forcing isn’t the only thing you have to worry about. Even a strong 8-character password is impractical to attack solely by brute force in 2011.
If someone compromises an unencrypted password list, like what happened earlier this year with Sony, someone looking at a plaintext password list can easily recognize a pattern. And that immediately raises the question of whether that person is using the same pattern someplace else. And let’s face it. Some segment of the population is now taking a master password of 8 or so characters in length and using it everywhere, just padding it to each site’s maximum. And while the math says someone who does that is reasonably secure against brute-force attacks, they’re not much more secure against spillage than they were before. Because anyone who knows someone’s password seed and padding pattern is going to try variants of it other places to see if it works.
The money question: So what does White do? He uses Lastpass to generate and store long, nonsensical passwords for everything.