One of my favourite webcomics, XKCD, posted a comic about password strength, arguing that it's better to use a long but easy-to-remember password than a shorter but more complicated one. I find that Randall (the author of XKCD) generally does good research on the concepts he writes comics about, and I agree with most of them, though this one particularly caught my interest. Whilst I don't disagree that longer passwords are more secure against traditional brute force attacks, I want to look further into how much better a longer password actually is.
Issue 1: Entry of the password
Mobile devices are more popular than ever, and their use is only going to increase. People are constantly asked for their password and have to constantly type it in. Whilst the password “correcthorsebatterystaple” (the example used in the comic) may be easy to remember, it is also long to type. If you have a different password for every website you use (which is a good idea), people are going to find it hard to justify typing in a 25+ character password for every website they visit.
Issue 2: Brute force isn’t really the main way to get passwords
Yes, the method used in the comic would make a password very secure against a traditional brute force attack. That said, I suspect that brute force attacks are not successfully used much beyond dictionary attacks, or against passwords of 8 or more characters. There are other methods, such as key loggers, malware, system vulnerabilities and social engineering (I have seen first-hand someone emailing their username and password to their email account in response to a phishing email they received). These methods can generally yield more passwords for the same amount of effort (if the goal is simply to harvest passwords rather than to target a particular account). The length of a password doesn't matter in instances like this.
Issue 3: Most online systems won’t allow passwords that long
OK, so this is more a reason why it's not practicable than why it doesn't make a difference, but in short, quite a lot of websites have a limit on the number of characters in a password. This isn't a problem with the user, though; I think online systems should all allow passwords of at least 32 characters.
Issue 4: Other security measures will/should kick in
Any website with good security measures should have a system in place that bars login attempts for a particular account after a set number of unsuccessful attempts. If the reason for having a long password is that it's harder to brute force, a system like this makes that argument void. Any website that doesn't have a system like this in place probably isn't one I'd want to hold my personal details.
There is an exception where using passwords like the comic suggests would actually make a difference: encryption. If someone has a copy of an encrypted file, brute force is a lot easier because the only limitation is the speed of their computer: you can't be locked out after any number of unsuccessful attempts, you don't have to wait for the server to respond, and so on. In fact, TrueCrypt recommends a password of at least 20 characters.
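To put numbers on the contrast between Issue 4 and the encryption exception, here is an added Python example (not from the original post) that estimates how long a search of the password space takes when a site locks the account after a few failed attempts, versus an unthrottled offline attack on an encrypted file. The lockout policy (5 attempts, then 15 minutes locked), the offline rate (10^9 guesses per second) and the dictionary size are constructed assumptions; the 28-bit and 44-bit figures are the comic's own estimates for its two example passwords.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly from a dictionary of `dictionary_size`."""
    return words * math.log2(dictionary_size)


def lockout_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Sustained guesses per second against a site that locks the account for
    `lockout_seconds` after every `attempts_before_lockout` failures."""
    return attempts_before_lockout / lockout_seconds


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Years to search half the space (the average case) at a given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare(bits: float) -> dict:
    """Time to recover the same secret in the two scenarios the post contrasts."""
    online = lockout_rate(5, 15 * 60)   # assumed policy: 5 tries, then a 15-minute lockout
    offline = 1e9                       # assumed rate for an attacker holding the encrypted file
    return {
        "online_with_lockout_years": expected_years(bits, online),
        "offline_years": expected_years(bits, offline),
    }


if __name__ == "__main__":
    # Entropy figures used as assumptions: ~28 bits for the comic's short
    # "complicated" password, and four or six words from a 2048-word list.
    candidates = {
        "short complicated password (~28 bits assumed)": 28,
        "four dictionary words": passphrase_bits(2048, 4),
        "six dictionary words": passphrase_bits(2048, 6),
    }
    for name, bits in candidates.items():
        t = compare(bits)
        print(f"{name}: {bits:.0f} bits, "
              f"online with lockout {t['online_with_lockout_years']:.0f} years, "
              f"offline {t['offline_years']:.6f} years")
```

With the lockout in place even the 28-bit password takes centuries to exhaust online, while offline the 44-bit passphrase falls in hours and only the six-word version survives for more than a thousand years.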
I am all for having a good password for every website you visit, but having a long one may not make that much difference for many online sites.