Hello, fellow Cybrarians! Today I would like to introduce you to the fine art of password creation. In the first part of this article we will discuss the anatomy of a password and the definition of entropy. In the second part we will look at some real-life examples of passwords that are easy to generate but hard to guess. So, without further ado, let's begin!
A password is a string of characters or words that a user presents to an authentication system to prove their identity. Some of the key attributes of a good password are:
- It must support the CIA (Confidentiality, Integrity, Availability) triad: known only to its owner, not alterable by anyone else, and usable whenever the owner needs it.
- It has to be easy for the user to remember for everyday use.
- It must not be easy to guess or to brute-force.
- It can be typed in less than ten seconds, to avoid frustration and mistyping.
- It contains upper- and lowercase letters as well as digits and non-alphanumeric symbols such as ; # & ! % ( ) etc.
A really simplified explanation of entropy: Shannon entropy is the expected value (average) of the information contained in each message (Wikipedia). Applied to passwords, it measures how unpredictable the process that produced the password is, not the string itself: a password drawn uniformly at random from N equally likely candidates carries log2(N) bits, so every extra bit doubles the number of guesses an attacker has to make in the worst case. Password strength meters report an estimate of this value. Of course, this is a really dumbed-down explanation; further information can be found in the links provided at the end of this article. Some common entropy values are:
- Less than 28 bits: Very Weak
- 28-35 bits: Weak
- 36-59 bits: Reasonable
- 60-127 bits: Strong
- 128+ bits: Very Strong
As the human mind has a tendency to remember the things we do often (habits), the things we own (items), the things we are (attributes, characteristics) and the things we are trained to remember (encyclopedic memory), we can make use of these traits. For example, you can remember what you did this morning, what you ate at your last meal and which items are in your immediate surroundings. Let's say you have a big monitor in front of you, three pens nearby and ate boiled eggs for breakfast. Using the principles above, we can generate three passwords:
- Ihave1BigMonitorinfrontofme (entropy estimate: 128.7 bits, password length: 27)
- Thereare3PensonmyDesk (entropy estimate: 97.1 bits, password length: 21)
- Iate2BoiledEggsforBreakfastthisMorning (entropy estimate: 186.4 bits, password length: 38)
The entropy figures are what a character-level strength meter such as the one linked at the end of the article reports. Such a meter scores the string one character at a time; it does not know that the characters form an English sentence, so treat its number as an upper bound rather than the strength an informed attacker faces.
These simply generated passwords can be used in a weekly/monthly rotation plan, are easy to remember and are hard to crack by brute force: assuming one hundred trillion guesses per second, the brute-force calculator linked below puts the shortest one at 1.04 hundred million trillion centuries. One caveat is in order, though. That figure describes an attacker who tries every combination of letters and digits. An attacker who knows that the passwords are English sentences written in CamelCase with a digit in them will run a dictionary or combinator attack instead, stringing common words together, and the effective strength is then the number of sentences you could plausibly have chosen, which is far smaller than the character-level estimate. The scheme is still a good one, but its real margin comes from the length and from personal, hard-to-predict details, not from the meter's number. :)
If someone has roughly five minutes and an Excel spreadsheet, they can create a buffer of 30-60 passwords of this kind. With some kind of password management system, that person has the luxury of almost a year's supply of secure, easy-to-remember passwords. Using the same principle, one can create a different set for work (workspace items), one for social media accounts (household items) and another for general use (finances, other needs).
Feedback is much appreciated, and thank you for your attention!
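To make the entropy definition and the caveat about the three example passwords concrete, here is a small added Python script (my own, not part of the original article or of the calculators it links). It computes two numbers for a password: the character-class estimate that a naive meter reports, and the entropy of the generating process when the attacker knows the sentence template. The slot sizes in the assumed template (9 counts, 20 adjectives, 500 objects, 10 location phrases) are made-up illustrative guesses, and the character-class estimate will not match the linked meters exactly because they use their own heuristics; the point is the gap between the two views, not the exact figures.

```python
import math

# Attack rate used in the post: one hundred trillion guesses per second.
GUESSES_PER_SECOND = 1e14
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Strength bands from the table in the post (upper limit, label).
BANDS = [(28, "Very Weak"), (36, "Weak"), (60, "Reasonable"), (128, "Strong")]


def rating(bits: float) -> str:
    """Map an entropy estimate in bits onto the post's five strength bands."""
    for limit, label in BANDS:
        if bits < limit:
            return label
    return "Very Strong"


def charset_size(password: str) -> int:
    """Alphabet a character-class brute force must cover, judged from the
    classes that actually appear in the password (lowercase, uppercase,
    digits, printable ASCII symbols)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password: str) -> float:
    """Entropy a simple character-level meter reports: log2(charset ** length).
    This is an upper bound: it assumes every position is an independent,
    uniformly random pick from the alphabet."""
    return len(password) * math.log2(charset_size(password))


def template_bits(slot_choices) -> float:
    """Entropy of the generating process: log2 of the number of distinct
    sentences the scheme can produce, i.e. the product of the number of
    choices available in each slot of the template."""
    return math.log2(math.prod(slot_choices))


def centuries_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: on average half the space is
    searched before the right guess comes up."""
    guesses = 2 ** bits / 2
    return guesses / rate / SECONDS_PER_CENTURY


if __name__ == "__main__":
    examples = [
        "Ihave1BigMonitorinfrontofme",
        "Thereare3PensonmyDesk",
        "Iate2BoiledEggsforBreakfastthisMorning",
    ]
    for pw in examples:
        b = brute_force_bits(pw)
        print(f"{pw:40} {len(pw):3} chars {b:7.1f} bits {rating(b):12} "
              f"{centuries_to_crack(b):.3g} centuries")

    # Assumed template for the first password: "I have <count> <adjective>
    # <object> <where>". The slot sizes are illustrative guesses (not from
    # the post) for an attacker who knows the scheme.
    scheme = [9, 20, 500, 10]
    b = template_bits(scheme)
    print(f"\nIf the attacker knows the sentence template: {b:.1f} bits "
          f"({rating(b)}), about {centuries_to_crack(b) * SECONDS_PER_CENTURY:.2g} s")
```

Run it as a script to see the three example passwords rated "Very Strong" by the character-level estimate while the same first password, viewed as one pick from the assumed template, lands in the "Very Weak" band. The truth for a real attacker sits between those two extremes, which is why the personal, unguessable details in the sentence matter more than its length in characters.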
Password strength meter and entropy calculator: http://rumkin.com/tools/password/passchk.php
Brute-force time calculator: https://www.grc.com/haystack.htm