Musings on Password Lengths

I’ve been thinking about password lengths, complexity, and how much strength is really required.

Random Passwords

I use LastPass for all of my passwords an never really calculated how long I need to make my passwords secure assuming they’re fully random. Since AES with a 128-bit key is considered sufficiently secure, I want my passwords to have at least 128-bits of strength. Doing some quick math based on a standard US ASCII Keyboard, the bits in strength in each character classes are as follows:

  • lowercase – 26 ≈ 4.7
  • uppesrcase – 26 ≈ 4.7
  • numbers – 10 ≈ 3.3
  • symbols – 30 ≈ 4.9

I assume that every website will accept alphanumeric passwords, so that gives 62 possibilities. Each character has just short of 6 bits of strength. 128 / 6 ≈ 21.3, so a random 22 character alphanumeric password has more than 128 bits of strength.

If the website accepts all special characters, that 92 possibilities. Each character then has just over 6.5 bits of strength. 128 / 6.5 ≈ 19.7, so a random 20 character password has more than 128 bits of strength.

"Human" Passwords

Human passwords are much more difficult to estimate the strength of. I like to use a variant of the xkcd: Password Strength method of using a combination of words, numbers and symbols. This changes/adds the number of possibilities based on the number of words. The Oxford English Dictionary indicates that there are about 600,000 words in the English language. Assuming that half of these are between 3 and 6 characters, each word between 3 and 6 characters has about 18.2 bits of strength.

If an attacker knew the composition of a password that followed the pattern word, symbol, word, number, word, symbol, word; this password would have 18.2 + 4.9 + 18.2 + 3.3 + 18.2 + 4.9 + 18.2 = 87.7. While a password like this doesn’t quite reach 128 bits of strength; it is reasonably strong, should be easy to remember, and fairly easy to type. Also, an attacker probably wouldn’t know the password composition method, making the actual strength a bit higher. If science and technical terms are included, that will increase the strength per word. Just make sure you pick your words randomly.

Conclusions

The 24+ character random passwords for websites are unnecessary, especially when the password reset functions generally have limited security.

I should add a little more length for my master passwords that are susceptible to an offline attack (e.g. LastPass). Fortunately most passwords like this use PBKDF2 to increase the computing power necessary to perform a brute force attack.