Official Site of Author SJ Parkinson
Effectiveness of “Strong” Passwords

9/25/2014


Last week, I signed up on a new web forum. On registration, the following text popped up:

To enhance our site security, your password must be a minimum of eight characters long, contain one upper case letter, a number and a special character.

I signed up for the site, but wondered later just how much more effective this style of password really was. I’ve seen that same text on multiple sites, and where I work we have the same password policy in place. I wanted to see how much the enforced policy actually buys us, and to confirm that we were taking proper steps to protect our users.

I put together the Excel chart below over a lunch break and the results shocked me. While a “perfect” password had over six quadrillion combinations, a policy-enforced password of the type described above was actually less than half as good as a purely lower case one of the kind we’d been warned against using.

As a simple example, the entirely lower case password robocat is more than twice as effective as $5Montyz.

I ran a series of combinations and found overall that passwords where content was not dictated by policy were more effective than those that were.

I had a hard time seeing the overall impact, so I added a money column, since everyone can relate to cash. If a perfect password was worth $100,000, then a policy-enforced password was valued at only $1.62, while an entirely lower case password was worth $3.43.

Random generation of a password is the typical way to get around this. However, a password such as R#<,.mL6 will only end up written on a sticky note stuck to the user’s monitor.

To get a password that is reasonably effective and still user friendly, an upper and lower case password should be used in place of a policy-dictated one. A longer password or passphrase is much better still than a short one.

Using the same logic as above, the passphrase MyCatIsQuiteCute, a sixteen character upper and lower case password, would be worth $46,884,649,035,711,300.

NOTE: This is by no means an exhaustive analysis. It is an oversimplified demonstration based purely on the mathematical number of possible combinations. Many other factors would come into play in real life.
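The arithmetic behind the chart can be reproduced in a few lines. The script below is an added example, not the post’s own spreadsheet: it assumes the post’s model, in which the “perfect” password draws from the 94 printable ASCII characters (space excluded) and the policy password is one upper case letter, one digit, one special character and five lower case letters, each in its own fixed position. Those assumptions give exactly the post’s figures ($1.62, $3.43 and the sixteen character passphrase value). The final row goes one step beyond the post, in the direction the NOTE above points: it counts every eight character string that merely satisfies the rule, with the required characters anywhere and the other positions free to use the whole alphabet, so the reader can see how much the fixed-position assumption matters.

```python
from itertools import combinations

# Character-class sizes for printable ASCII with the space excluded (94 symbols).
# This is the assumption that reproduces the post's dollar figures.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32
PRINTABLE = LOWER + UPPER + DIGIT + SPECIAL   # 94

PERFECT = PRINTABLE ** 8          # the post's "perfect" eight-character password, 94^8
PERFECT_VALUE_USD = 100_000       # the post's money column anchors 94^8 at $100,000


def structured_keyspace(*slots):
    """Keyspace of a password built from fixed per-position character classes.

    This is the post's model: the policy password is one upper, one digit,
    one special and five lower case characters, each in its own slot."""
    total = 1
    for size in slots:
        total *= size
    return total


def dollar_value(keyspace):
    """Scale a keyspace onto the post's money column (94^8 == $100,000)."""
    return keyspace * PERFECT_VALUE_USD / PERFECT


def policy_keyspace_exact(length=8, required=(UPPER, DIGIT, SPECIAL), alphabet=PRINTABLE):
    """Count every string of `length` over `alphabet` that contains at least one
    character from each of the disjoint `required` classes (inclusion-exclusion).

    Unlike structured_keyspace, the required characters may sit anywhere and the
    remaining positions may use the whole alphabet."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def chart_rows():
    """Rebuild the post's chart as (label, keyspace, dollar value) rows."""
    rows = {
        "perfect 8 (94 chars)": PERFECT,
        "policy 8 (post's fixed-slot model)": structured_keyspace(UPPER, DIGIT, SPECIAL, *[LOWER] * 5),
        "lower case 8": structured_keyspace(*[LOWER] * 8),
        "mixed case 16 (passphrase)": structured_keyspace(*[LOWER + UPPER] * 16),
        "policy 8 (any arrangement)": policy_keyspace_exact(),
    }
    return [(label, ks, round(dollar_value(ks), 2)) for label, ks in rows.items()]


if __name__ == "__main__":
    for label, keyspace, usd in chart_rows():
        print(f"{label:36} {keyspace:>32,} ${usd:,.2f}")
```

Run it with `python3 keyspace.py` (any file name works). The first four rows are the post’s numbers; the last row is the same eight character policy counted without the fixed-slot assumption, and it comes out far larger because most of the 94^8 strings happen to contain at least one character of each class.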

(Image: Excel chart comparing the number of combinations and the dollar value for each password type; larger version was available by clicking the image.)