11

This might sound like a stupid question, but hear me out. If I'm encrypting my financial information and sensitive data via a program like TrueCrypt, the strength of the password is going to matter a great deal.

The common advice is not to use dictionary words. I understand that. But what happens if I use common words on top of an already strong password/passphrase? My theory is that it adds complexity to the password by adding to its length. But I also remember a windows program that used to crack windows passwords by finding dictionary words within the larger password. So I'm not sure if I'm helping or doing harm by adding common words to a password.

Password A: ,74{x4K79*ER2R[=}@PR

Password B: ,74{x4K79*ER2R[=}@PRCorrectHorseBatteryStaple

Which of the two is stronger theoretically and in the real world?

If it matters, suppose I plan to encrypt my data with cascade AES-Twofish-Serpent encryption with Whirpool hashing.

Thank you in advance.

7 Answers7

8

There's no problem with dictionary words to make passphrases; its a very good method of making a high-entropy password that you can actually remember. I recommend using four random words as a bear minimum; I typically use 6-10 diceware for to encrypt my ssh keys and encrypted password lists (about 80-128 bits of entropy if out of a ~7000 word dictionary or 100-166 bits with a ~100000 word dictionary).

If your password above was actually randomly generated from a set of 80 symbols and was 21 chars long it would have had an entropy ~132 bits.*

Yes, its well-known that you shouldn't use just a dictionary word (or two or three) with only minor modifications (capitalizing a letter or two; adding a number or random character at the end), as that will create low entropy passwords.

Your biggest worries with passwords are (a) password reuse (never share the same passwords with different entities), (b) passwords being logged or forced out of you (don't use passwords on systems where you may be keylogged), and (c) using very low entropy passwords (e.g., using a dictionary word with a couple numbers at the end). I recommend using a password-management system like keepassx shared among your trusted computers in encrypted form, with a unique randomly generated password for each specific application you use; and encrypt that password list with a high entropy passphrase.

*As a digression, this specific password doesn't appear to have been randomly generated. My guess was typed on a keyboard to generate it as two very unlikely patterns happened in the data: 18 of the 21 chars (everything but , K and x) came from the top two lines of the keyboard (keys from the bottom rows should have occurred about half the time), and there was only one lowercase letter (should have occurred about 1/3 of the time). For a truly random password these types of rare events (or worse; e.g., zero lowercase letters; or less than three chars from the bottom rows) should have happened only 0.07% of the time and 0.3% of the time respectively. Granted you have to slightly discount that there are many tests to be applied (e.g., only left side of keyboard; etc). Generating a non-random password potentially reduces the entropy significantly if the attacker can exploit it.

dr jimbob
  • 38,936
  • 8
  • 92
  • 162
5

The second one is stronger, theoretically and in the real world. A long password is more secure than a short one, unless it is all dictionary words.

fh438&^&*g8 is weaker than fh438&^&*g8AllSortsOfStuffAdded because their are more possibilities in a longer password, it will therefore take longer to guess.

If there are just dictionary words, or if you substitute dictionary words for the numbers and symbols, it will then be easier to guess.

BenjiWiebe
  • 152
  • 8
  • 1
    Assuming that the real world site isn't silently truncating your password, in which case both passwords would be identical. E.g., [DES passwords in old-school unix crypt truncated everything after the first 8 chars](http://security.stackexchange.com/questions/29368/is-this-acceptable-login-security/29371#29371), [Microsoft's LMHASH truncated after 14 chars](http://en.wikipedia.org/wiki/LM_hash), and [MS truncates (previously silently) MSDN at 16 chars](http://security.stackexchange.com/questions/19028/how-can-microsoft-validate-a-shorter-password-on-microsoft-accounts-msdn). – dr jimbob Jan 31 '13 at 18:38
  • Also see [this question](http://security.stackexchange.com/q/9691/836) for more information on passwords made solely of dictionary words including entropy calculation as well as the [most upvoted](http://security.stackexchange.com/q/6095/836) question we've ever had. In appropriate cases, they can work. – Jeff Ferland Jan 31 '13 at 19:16
  • To elaborate on the point that a long password is more secure unless it's all dictionary words, a single randomly-generated character chosen from a corpus of lowercase letters, uppercase letters, common keyboard symbols, and all the digits has roughly `log_2(26 + 26 + 10 + 32) = 6.5` bits of entropy. An 8 character random password thus has around `6.5 * 8 = 52.5` bits of entropy. A randomly-chosen common English word has around 11 bits of entropy, so a passphrase consisting of four of these words thus has around `11 * 4 = 44` bits of entropy. – Stephen Touset Jan 31 '13 at 19:25
  • @StephenTouset - When most people create 8-char passwords they aren't random -- look at any disclosed password list; you'll rarely see randomly selected patterns, but easily find slightly disguised meaning in most (substitutions; symbols added at start/end; sequential keys). A four word diceware passphrase (7776 words for five dice rolls) is equivalent in entropy to 8 *random* characters from an 88 char keyboard. For secure passwords I have to memorize, I find passphrases lead to better mnemonics: `B'n?(6N[frLj!Q` or `fork scorn loss cope endow yin` (same entropy)? See http://xkcd.com/936 – dr jimbob Feb 01 '13 at 17:23
  • They aren't, but that's why I stipulated that they were random in my response. I took the 11 bits of entropy value straight from that comic (I assume Randall did the calculation properly). – Stephen Touset Feb 01 '13 at 19:35
3

Adding anything to a password cannot make it weaker (except if the system is sufficiently stupid to truncate passwords -- old Unix and Windows systems did just that).

A password is as strong as it is "unguessable" which is measured in the number of tries an attacker must do before hitting the "right one". This is called entropy and entropy adds up (because it is a logarithmic scale): if you have a password of entropy 20 bits (meaning: on average, attackers will find it after half a million tries) and another password of entropy 25 bits (32 times stronger than the other one), then the concatenation of both passwords results in a big password with 45 bits of entropy.

Of course, replacing parts of a password with another may weaken the whole thing. But simply appending, no, it will not.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
1

Adding the dictionary words does make the password stronger because it increases the entropy(randomness), but if you are going to create a random password of that length anyways you may as well use random characters for the whole password because that is even stronger.

1

Anything that makes the password longer is good. Of course, if you're using a password that's going to be mumbo jumbo, making it into longer mumbo jumbo is always better (instead of tacking on dictionary words).

But there is very little advantage to adding x characters of random symbols over x characters of dictionary words, if the password has at least a few symbols in it. Why? Simply because password crackers generally don't consider this possibility. They are well equipped for short, mumbo jumbo passwords, as well as medium-sized dictionary passwords with a few symbols. A long password with both dictionary words and symbols, however, will never be cracked both by both a brute force cracker as well as a dictionary cracker that allows for some random strings in any reasonable amount of time. The password you've given is very long, and contains a bunch of symbols. The only danger you have is if you tell someone the format of your password (symbols then dictionary words) -- this makes it possible to tailor a password cracker to that format. Still will take pretty long, and will probably be unfeasible.

If you want a password that is extremely secure and easy to remember, use a random string of words (I'll use "Correct Horse Battery Staple" here), and some sequence of symbols that you can remember. For example, I'll use this small string of fish like objects: <><~ . Now, insert one symbol every x characters. So, you get Corre<cthor>sebat<terys~taple (x=5 here). Do this with a more special characters (and make x smaller), and you have something that is pretty much impossible to crack via any brute force/dictionary attack. Even better, device your own algorithm for mixing symbols and words.

Manishearth
  • 8,257
  • 5
  • 35
  • 56
1

Entropy is the measure or randomness in the password. A secure password has high entropy which makes it hard to guess because there are more things that would need to be guessed. Adding any additional information to a password will not decrease the entropy of the password. It might not increase it by much, but it is always slightly harder to guess even if you simply add "thisismystackexchangepassword" at the end. The amount of additional security might not be worth the extra time it takes to type in the case of something that simple, but the key concept is that you can't reduce entropy by adding more information.

AJ Henderson
  • 41,896
  • 5
  • 63
  • 110
1

Since others have explained the password entropy issue in detail, I'll address your other concern:

But I also remember a windows program that used to crack windows passwords by finding dictionary words within the larger password.

It's true that - assuming an attacker have access to a computer you've used - some programs can scan the persistent storage searching for good password candidates. This is possible not only in case of written down passwords, but there's also a chance that a password once present in the computer's memory (just after being typed, for instance) ends up in the virtual memory, swap files, core dumps, etc.

The only program of this type I know of, AccessData's Forensic Toolkit, scans the hard drive for "every printable character string", as described in this Bruce Schneier post. In principle, it does not make passwords containing dictionary words weaker (since all passwords will consist of "printable characters"), however the way the program sorts this string set before feeding it to a password guesser might have an impact on how likely it will be found. Quoting the post:

When attacking programs with deliberately slow ramp-ups, it's important to make every guess count. A simple six-character lowercase exhaustive character attack, "aaaaaa" through "zzzzzz," has more than 308 million combinations. And it's generally unproductive, because the program spends most of its time testing improbable passwords like "pqzrwj."

In other words, having a huge set of strings won't necessarily help you even if one of them is the password you're looking for, since you have no way to recognize it as a password before testing it (against a hash or an online service). But if you sort this set according to some heuristics dictating "how likely this string is a password", then including dictionary words to it might move it closer to the top of the priority list, increasing the likelyhood it will be found in a timely manner.

That's why I advocate using the first letters of each word in a phrase, instead of using the words themselves. Sure, you'd need a longer phrase to achieve a similar level of entropy, but you'll end up producing a password that "looks like" garbage, instead of one that looks promising. But YMMV.

mgibsonbr
  • 2,925
  • 2
  • 21
  • 35