Tag Archives: password

Musings on Password Lengths

I’ve been thinking about password lengths, complexity, and how much strength is really required.

Random Passwords

I use LastPass for all of my passwords an never really calculated how long I need to make my passwords secure assuming they’re fully random. Since AES with a 128-bit key is considered sufficiently secure, I want my passwords to have at least 128-bits of strength. Doing some quick math based on a standard US ASCII Keyboard, the bits in strength in each character classes are as follows:

  • lowercase – 26 ≈ 4.7
  • uppesrcase – 26 ≈ 4.7
  • numbers – 10 ≈ 3.3
  • symbols – 30 ≈ 4.9

I assume that every website will accept alphanumeric passwords, so that gives 62 possibilities. Each character has just short of 6 bits of strength. 128 / 6 ≈ 21.3, so a random 22 character alphanumeric password has more than 128 bits of strength.

If the website accepts all special characters, that 92 possibilities. Each character then has just over 6.5 bits of strength. 128 / 6.5 ≈ 19.7, so a random 20 character password has more than 128 bits of strength.

"Human" Passwords

Human passwords are much more difficult to estimate the strength of. I like to use a variant of the xkcd: Password Strength method of using a combination of words, numbers and symbols. This changes/adds the number of possibilities based on the number of words. The Oxford English Dictionary indicates that there are about 600,000 words in the English language. Assuming that half of these are between 3 and 6 characters, each word between 3 and 6 characters has about 18.2 bits of strength.

If an attacker knew the composition of a password that followed the pattern word, symbol, word, number, word, symbol, word; this password would have 18.2 + 4.9 + 18.2 + 3.3 + 18.2 + 4.9 + 18.2 = 87.7. While a password like this doesn’t quite reach 128 bits of strength; it is reasonably strong, should be easy to remember, and fairly easy to type. Also, an attacker probably wouldn’t know the password composition method, making the actual strength a bit higher. If science and technical terms are included, that will increase the strength per word. Just make sure you pick your words randomly.


The 24+ character random passwords for websites are unnecessary, especially when the password reset functions generally have limited security.

I should add a little more length for my master passwords that are susceptible to an offline attack (e.g. LastPass). Fortunately most passwords like this use PBKDF2 to increase the computing power necessary to perform a brute force attack.

My Heartbleed Recommendations

There are plenty of good resources (and a lot of not so good resources) with information and recommendations regarding the Heartbleed Bug, CVE-2014-0160. My top resource:

If you use LastPass to store your passwords, you can use the LastPass Security Challenge to have LastPass check all of your stored passwords.

LastPass’ checker provides a nice Assessment that tells you whether to chance you password now or to wait.

Once you’ve determined which sites need to update your password, make sure you do the following:

  • Change your password
  • Because Session Cookies may have been compromised – Sign out all sessions. Some examples:
    • In Gmail, scroll to the bottom of you mail window, click ‘details’ in the bottom right, and click the ‘Sign out all other sessions’ button
    • In Facebook click the downward pointing triangle, click ‘Settings’, click ‘Security’ in the left sidebar, click ‘Where You’re Logged In’, and click ‘End All Activity’
  • Remember to change your app specific passwords. While these usually have restricted access to your accounts, these passwords would have been vulnerable to compromise too. Some examples:
    • For Google, go to Account Security Settings, click ‘App Password Settings’, revoke all of your existing App Specific passwords, create new application-specific passwords.
    • For Yahoo!, go to your account settings, click ‘Manage your app passwords’, click ‘Remove All’, and regenerate passwords.

Edit 4/16/14: Removed references to the CNET affected sites list, because it seems to contain false positives. Added a link to The Register’s technical explanation of the bug.