Why use random characters in passwords?

Question

I've seen some similar questions but maybe not exactly what I'm asking. Also I can't say that I've followed all the technical jargon in previous posts and am really after more of an intuitive understanding.

So let's say I'm allowed ten characters. The usual requirement is to use numbers, symbols, etc. But why is #^Afx375Zq more secure than aaaaaaaaaa? The hacker doesn't know that I've repeated a character ten times, so doesn't he still have to go through the testing of all possibilities or are things like repeated characters tested first?

Similarly, suppose I use a 21-character passphrase such as

I like Beatles' songs.

Now someone might say that that's a common type of statement but again the hacker doesn't know that I'm using a passphrase instead of

DD63@*()ZZZ125++dkeic

so why is it (I assume) less secure? Are passphrases tested first?

Answer 1

The strength of a password is determined by its scheme. A code like aaaaaaaaaa must be assumed to have a scheme of "ten letters" and is therefore trivially cracked compared to the scheme we must assume from #^Afx375Zq.

Attackers prioritize the simplest arrangement that meets the password scheme: start with a capital letter, end with a number and then punctuation, fill the middle with the minimum lowercase letters, starting with words as sorted by frequency. I have such a dictionary, so I could start with Anything0! through Zzzombie9~, then progress to the non-word combinations of Aaaaaaaa0! through Zzzzzzzz9~ before different variations.

Ensuring your password is more complex than the minimally permissible code gives you a slight advantage; #aaaaaaaaa should take a few minutes longer to crack as aaaaaaaaaa. #^Afx375Zq will take a good amount longer because it mixes four classes of characters and only uses three lowercase letters.

Always assume attackers know your scheme. You may get lucky and be able to hide behind some obscurity, which is certainly worthwhile, but it must not factor into your math. Don't try to be "clever"—Kaspersky's attempt at this ended in failure; they made assumptions about the attack order that ended up creating much weaker passwords.

Forcing users to add complexity to the characters in their passwords forces attackers to increase the complexity of their brute-force attacks, though it actually weakens the overall entropy. It prevents lazy and easily-guessed passwords like aaaaaaaaaa by removing them from the possible password list. There are 94⁸ possible eight-character passwords (60 quintillion, entropy = 52), yet requiring a lower, upper, number, and special reduce that to 26×26×10×32×94⁴ (16 trillion, entropy = 43).

I like Beatles' songs. is neither random nor unique. Unsurprisingly, Google has hits for it.

If a Google query for your password (quoted & de-0bfuscated) might get hits, it is weak.

Passwords must actually be random (not arbitrary! not obscure! a pseudorandom number generator is okay), by characters (for passcodes) or by words (for passphrases). I like Beatles' pants. is more unique, but it's arbitrary, not random. You cannot "make up" a random phrase without assistance (ideally using a generator), only one that seems random. It's okay to generate several phrases and pick one that you can make a creative story around.

I calculated a word is worth 2.5 characters, so for equivalent entropy to a passcode with 10 random characters, log₂(94¹⁰) = 65, you'd need a passphrase with 4 random words, log₂(100000⁴) = 66. That's on the weaker side, and again: a passphrase that is a sentence is not secure.

Length isn't everything. Don't be fooled by the impressive length of a passphrase. Sure, your musical preference is 21 characters, but even if we assume it's random and not known to Google, it's four words with some punctuation thrown in: log₂(100000⁴×32²) = 76. Compare that to random lowercase letters: log₂(26²¹) = 98. Compare those to random characters: log₂(94²¹) = 137.

A summary of my password advice: The world has gotten sophisticated enough that it's impossible to remember your fully-random and unique-per-account passwords (be they codes or phrases).

• Use authenticator apps for 2FA or passwordless access when available
• Use a password manager to generate and save passwords
• Lock your password manager with a strong password with 90+ bits of entropy,
  say with a generated 4char code randomly placed within a generated 4word phrase,
  entropy = log₂(100000⁴×94⁴×5) = 94, like junkie unknotted 7!cT opposite litter.
  Make a story to remember the words and keep the 4char code in your wallet if needed.

Answer 2

If you were to generate a totally random password that is 10 letters long and can contain lower and upper case letters, numbers and common symbols, then you are equally likely to come up with #^Afx375Zq as you are aaaaaaaaaa. So from that point of view you're right that the passwords are equally secure.

However, most passwords are not generated randomly. They are chosen by humans, and humans don't pick a completely random series of characters. They choose something that they will be able to remember, and clearly the second password is much easier to remember than the first.

Therefore, if you take a large enough database of user accounts, you are likely to find that far more of them have chosen your second password than your first. As an attacker I can use that knowledge, so I'll test easy to remember passwords first.

Answer 3

Attackers try the most common passwords first, because they're the most likely ones that will work. So they might start with things like password or Password1 or common patterns such as 123456, 1qaz2wsx or aaaaaaaaaa

For example, there's a common technique called "password spraying", when rather than trying lots of passwords against one account, you try a few common passwords (such as Password1) against lots of different accounts. This is useful when you want to compromise any account, rather than having a specific target.

If they don't have success with common passwords, then they'll try increasingly uncommon things like longer words, using rules to mutate the words (such as adding numbers on the end or capitalising them), combining multiple words together, or even exhaustive brute-force attacks of shorter lengths.

One method of creating lists of potential passwords is to crawl websites for words and phrases (especially as more people have started using phrases). So a passphrase such as I like Beatles' song. might appear in one of these lists, because it's a phrase that might appear on the Internet somewhere. But a long random string will never appear in a wordlist (unless you post it on Stack Exchange), and 21 characters is far too long for an attacker to brute-force).

If you want to create secure passwords, the best options are either a long, random string like the one you posted (which is what most password managers do), or a series of multiple unrelated words. So rather than a sentence (like the example you gave), just pick four random words (such as the famous XKCD example of CorrectHorseBatteryStaple).

Answer 4

Most people, including lots of them who write password policies, don't actually understand passwords. Exhibit A: The original author of the "complexity" rules is now sorry for his mistake.

We now know that length is more important than complexity. We also know that you do not want your password to be:

a) something common, like 12345678 (yes, that's a very common password) which any of the available tools will try within the first five seconds.

b) something easily guessable like your dog's name that anyone somewhat familiar with you (or following you on Facebook) would try in a targeted low-effort attack.

Beyond that, fuck all the rules, they're silly. Most attacks on passwords don't brute-force. Most compromised passwords are leaked in one way or the other, in which case it really doesn't matter if your password is 123 or +)r%rARAT:Am))17z(rZk!,%ODbsz0

So why do you want to use some randomness in your passwords? Because of b) - humans are terrible at making something random or difficult to guess. Include at least a random part. Something like "I was born in (random three-digit number)" is a ton better as a password than whatever the complexity meters tell you.

Your phrase is pretty good - unless it is true. If it is true it falls under b) and trying out fifty statements each in a hundred different phrases and spellings is easily scripted.

Unless you're a high-profile target, stop worrying beyond that. You are much more likely to be compromised by software vulnerabilities than by someone spending the resources to brute-force even a mildly good password.

Answer 5

Before the advent of password managers, because people needed to be able to remember passwords, they had a tendency to pick simple passwords.

Simple passwords are extremely common. You know, "password", "123456", "qwerty", and so on. Don't laugh, those are actually 3 of the most common passwords in use! But there are looooong lists of common passwords, and hackers usually start with those (dictionary attacks). And yes, aaaaaaaaaa is in the top 10 000 most common passwords (along with various other lengths).

So, in order to force people to come up with something a bit different, rules like those were introduced. Are they good rules? Apparently they do help, as none of the most common passwords contain the often required combination of lower, upper, symbol and digit.

The next issue after that is that once people have found a password which fits those rules AND they can remember, they re-use it everywhere, and from there you have the issue that a leak on one site will affect your accounts on all other sites where you sued the same password. This is why the current best practice is to use password managers (but that is not something sites can enforce, this is a user-side policy), which will generate and securely store random passwords for you.

If passwords are actually generated randomly rather than chosen by humans, then the goal is to have a level of entropy matching whatever requirements you set (in bits, or number of combinations, which is the same). There are two approaches to increase this: increase the number of possible symbols, or increase their number (or both, of course). A random 10-character lower-case password has roughly the same entropy as a random 8-character lower/upper/digit/symbol password. But if it's really random, it's nearly impossible to remember anyway, so it will end up being written down.

Phrases are an alternative. Here you replace characters by words. If you pick 4 random words from a 5000-word dictionary, you have again roughly the same entropy as above, and it's probably a lot easier to remember.

However, if you are not picking random words out of a long list, but an even easier-to-remember sentence which actually makes sense, then you fall in the same traps as with the usual passwords: are you sure the sentence you chose is not so common that it will end up in dictionaries?

Answer 6

Any reasonable system will prevent a cracker from repeated attempts to brute-force a password by, for example, imposing a 'lock-out' period after a few failed attempts, or imposing a longer and longer pause after each failed attempt.

It follows that beyond a certain relatively low point, the complexity of your password is immaterial. For example, a password that is known to be of 4 digits (ie, a PIN) can be brute-forced inside three attempts in only 0.03% of attacks. Repeated attempts at such attacks should be detected by the system or its administrator, and blocked. Brute-force cracking is only feasible under that constraint if the system has already been compromised and the password encrypts are available to the cracker.

If the system administrator insists on a long and complex password, then that is an implicit admission that she/he has little faith in the security of the system and her/his ability to keep the password encrypts out of crackers' hands.

However, if you re-use on a high-value target the credentials (username, password) that you have used on a system that may be cracked, then you can expect trouble.

Answer 7

I'm a fan of randomly generated passwords.

I use a password safe and randomly generated passwords. I also use my own password generator. No. I won't post it here, but you can get some good ideas from Bruce Schneier's Applied Cryptography. My passwords have any of 51 different characters, and each password has 16 characters. 51^16 = 2.1 x 10^27 possible passwords. A brute force attack would be exceptionally difficult for a classical computer. Perhaps a big quantum computer could get it. The down side of it, of course, is that my passwords are pure gibberish. Here's an example: 57x]Vb1R+}m2nh. Ugly, huh? I put them into a password safe and copy/paste them from there. So. You'd need to hack into my computer, run the password safe, guess that password, and you're in. Is this perfect? Probably not:

Smart people think they can come up with an unbreakable code, and the smarter they are, the more certain they are that they can do it. -- Charles Babbage.

Finally, most security breaches are because of social engineering by clever attackers, and laxity by the defenders. Brute force attacks on a well defended system rarely succeed.

Answer 8

I am not a security expert, but I feel like I need to add two points.

1. Tools that brute-force passwords will simply start at 000000 then 0000001 and aaaaaaaa is really, really easy to get in the first few seconds of that "set" of N digits. I don't know of any exact tools, but this is what I learned from ye olde tutorials on astalavista, before it became ads, and was a hacker search.

2. The top answer, which states "aaaaa" is just as likely strikes me as mathematically inaccurate. Even-distribution algorithms have a bias to not give the same thing they just did. They're not unbiased, it's just split among all numbers instead of a specific number or set of numbers.