The United Kingdom’s National Cyber Security Centre (UK NCSC) recently released guidance for password security, stating that three random words strung together is a stronger way to build a password than enforcing arbitrary and random passwords.
This sort of debate comes up quite a bit in our line of work, especially when we are doing penetration testing engagements. During these engagements, we are constantly cracking passwords and abusing poor password choices.
From a hacker’s perspective, the essence of password security boils down to two things:
- If we are trying to guess our way into a system, how easily guessable is the password?
- If we uncover an encrypted version of a password, how easily crackable is the password?
To answer this you need to get into the theory of password entropy, which is a fancy way to describe how predictable a password is, as a measurement of strength.
The bottom line with entropy is that length matters most.
Why is that?
The number of trials an adversary would need to guess a password is an excellent measure of the password strength, because that is what hackers try to do in the real world! Therefore, in principle, the greater the password entropy, the better a password, at least when it comes to resisting brute force attacks.
So when you lengthen a password, every added character multiplies the number of possible permutations by the size of the character set, which is why the search space grows exponentially with length.
So why are three words better than arbitrary random characters passwords?
The short answer is that stringing several words together makes the password longer, which in turn makes the hash of the password much harder to crack and the password itself much harder to brute force or guess.
A shorter password (say six characters) built from random letters, numbers and symbols would still be easily cracked or guessed. However, a 14-character password made of just three words strung together would be significantly harder, because the extra length increases the search space exponentially. It would take modern password cracking programs exponentially longer, and it would be much harder to guess successfully.
You can do an exercise to calculate password entropy here: https://www.omnicalculator.com/other/password-entropy
As an example:
- A 14-character password with just lowercase Latin letters has an entropy of 65.8 bits
- A six-character password with three lowercase Latin letters, one uppercase Latin letter, one digit, and one special character has an entropy of 39.33 bits (significantly less!)
What are some words people should use or avoid?
We recommend clearly avoiding anything that simply strings three common dictionary words together, because password cracking programs are built to combine common dictionary words in exactly that way.
We also suggest NOT using words that are clearly attributable to you, because if you have a Facebook page or any other social media, a determined hacker might input your personal data (like your pet’s name) into their cracking systems.
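To make the two entropy figures above reproducible, and to show why three common dictionary words score lower than their character count suggests, here is a small calculator. It is an added example, not code from the NCSC guidance or the original post; it assumes a 32-symbol special-character set (which reproduces the page's 39.33-bit figure) and a hypothetical 2,000-word list of common English words for the dictionary-attack view.

```python
import math

# Character classes as the page's calculator counts them.
# Assumption: 32 printable ASCII specials, which yields the page's 39.33 bits.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

# Assumption: a cracker's wordlist of the 2,000 most common English words.
COMMON_WORDLIST_SIZE = 2000


def char_entropy_bits(length: int, classes: set) -> float:
    """Brute-force entropy: length * log2(size of the character pool)."""
    pool = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(pool)


def word_entropy_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy when the attacker knows it is N words drawn from a wordlist.
    Each word then contributes only log2(dictionary_size) bits, not
    len(word) * log2(26): this is the page's 'three common words' caveat."""
    return num_words * math.log2(dictionary_size)


def classify(password: str) -> set:
    """Character classes actually present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def entropy_of(password: str) -> float:
    """Character-level entropy of a concrete password string."""
    return char_entropy_bits(len(password), classify(password))


def expected_cracking_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password at a given guess rate (half the space)."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    # Constructed inputs: the page's two examples and a three-common-word case.
    print(round(char_entropy_bits(14, {"lower"}), 1))                          # 65.8
    print(round(char_entropy_bits(6, {"lower", "upper", "digit", "special"}), 2))  # 39.33
    print(round(word_entropy_bits(3, COMMON_WORDLIST_SIZE), 1))               # 32.9
    print(round(entropy_of("wintertriptovirginislands"), 1), round(entropy_of("t5$j2$o2/"), 1))
```

Note that three words from a 2,000-word list (about 32.9 bits) come out below the six-character random password (39.33 bits) once the attacker models the password as words rather than characters, which is why the words themselves must not be obvious.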
So what's the best way to create a password?
Don’t create a password at all! Create a passphrase.
Think of a moment in your life that has a lot of meaning to you but maybe only you, or something that isn’t obvious to the external world. Then take three to five words and string together a phrase that reminds you of that time.
For example, “wintertriptovirginislands” is much easier to remember because you associate it with a wonderful time in your life. It is far more memorable than “t5$j2$o2/” and, to top it off, the entropy is much higher due to the length!