Can we use our understanding of the Forgetting Curve to help users not only remember passwords but also make them stronger?
Incremental strengthening of passwords
Suppose a user creates an 8 character password and uses this until he knows it very well (for a single login, of course!). After one month, the user lengthens this password by a single character. This can be a voluntary act, or enforced by a password policy, Active Directory, IDM... By repeating this process over several months, the password becomes incrementally stronger over time with a lower risk of forgetting.
How much of an improvement can this yield? An 8 character password composed of upper and lower case alphanumerics, numbers, and symbols can be recovered in fewer than 57 days (the benchmark date in this post), but recovery speed is dramatically affected by each character you add. For example, and again using upper and lower case alphanumerics, numbers, and symbols, here are 2010 estimates of how long it would take to recover a:
- 9 character password - 12 years
- 10 character password - 528 years
- 11 character password - 71,000 years
- 12 character password - 5 million years
- 13 character password - 423 million years
- 14+ character passwords - 5 billion years and beyond
The Catch
This is a feasible strategy for a single or perhaps a few passwords at best. It's also feasible if users complement this strategy by using a password manager (and begin by strengthening the password for the manager). However, left without reinforcement, users may not implement this strategy. This is where the reinforcement techniques that Lance suggests in his article about security awareness may be effective for an organization (or even an ISP).
To re-purpose the suggestions for reinforcing key points that Lance shares in his post from security awareness to strengthening passwords, consider some method to:
- Present the concept of "incrementally strengthen your password" to your users.
- Reinforce within 48 hours using, as Lance suggests, a follow-up survey that asks users what they remember about the concept and what actions they have taken; for example, have they installed a password manager, strengthened a password, etc.
- Reinforce within two weeks. Advise your users that password policy is changed, and raise the minimum password length by one character. You may reinforce this by central desktop administration, IDM, or whatever is appropriate for the login you are trying to protect.
- Raise the bar by increasing minimum password length quarterly (or more gradually) until you reach a target strength.
- If your organization hasn't implemented single sign-on, repeat steps 1-4 for another login.
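As an added illustration (not code from the original post), the following Python models the two technical claims above: how the exhaustive-search cost grows with each added character, and how a minimum-length policy raised on a fixed schedule would look. It assumes a 95-character printable ASCII alphabet and a hypothetical constant guess rate; the 2010 figures in the post come from a different calculator and are not reproduced here.

```python
from datetime import date

# Assumption: upper + lower case letters, digits and 33 symbols = 95 characters.
PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def growth_factor(from_length, to_length, alphabet=PRINTABLE_ASCII):
    """Extra work an attacker faces per added character: alphabet ** delta."""
    return alphabet ** (to_length - from_length)


def exhaustive_search_years(length, guesses_per_second, alphabet=PRINTABLE_ASCII):
    """Worst case for the attacker: the whole keyspace tried at a constant rate.
    Real attackers use dictionaries and GPU clusters, so treat this as an
    upper bound on the defender's margin, not an expected time to compromise."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def required_min_length(rollout_start, today, base_length, step_months, target_length):
    """Minimum length the policy demands on `today`: one more character every
    `step_months` after `rollout_start`, capped at `target_length`."""
    months = (today.year - rollout_start.year) * 12 + (today.month - rollout_start.month)
    if months < 0:
        return base_length
    return min(base_length + months // step_months, target_length)


def meets_policy(old_password, new_password, min_length):
    """Change-time check (the only moment both plaintexts are available):
    the new password satisfies the current minimum and is longer than the old one."""
    return len(new_password) >= min_length and len(new_password) > len(old_password)


if __name__ == "__main__":
    rate = 1e9  # hypothetical: one billion guesses per second
    for n in range(8, 15):
        print(f"{n:2d} chars: keyspace {keyspace(n):.2e}, "
              f"{exhaustive_search_years(n, rate):.3g} years at {rate:.0e}/s")
    start = date(2012, 11, 1)  # constructed rollout start
    for offset in range(0, 25, 3):
        when = date(start.year + (start.month - 1 + offset) // 12,
                    (start.month - 1 + offset) % 12 + 1, 1)
        print(when, "minimum length", required_min_length(start, when, 8, 3, 14))
```

Each added character multiplies the attacker's worst-case work by the alphabet size, which is the whole basis of the incremental strategy; lowering the assumed rate or switching to dictionary attacks changes the absolute years but not that ratio.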
For residential users, adopting a password strengthening strategy will be more like dieting or training: you have to want to protect against password-based attacks badly enough to make the effort. But you get more immediate benefits than dieting or training even if you only increase your online bank password from your current 6, 7, 8 characters to 10.
This strategy is not a panacea for all the password-related issues we face. But passwords aren't going away, and experimentation of this kind may reduce some aspect of the password problem space for you or your organization.
Stephanie, hello!
You are absolutely right about optimistic estimations and that I didn't consider the highly motivated, highly proficient attacker scenario. My objective though, was to encourage adoption of longer passwords by easing folks into using them. Given this, I chose a convenient way to illustrate strength. As you point out, if you are one or among a set of chosen targets, it's quite possible that your attacker could use parallel methods; hopefully, other brute force detection or countermeasures will intercede.
Posted by: Dave Piscitello | Monday, 10 December 2012 at 04:59 AM
The time to crack for various lengths is an overly optimistic estimation of the time needed. Resistance to brute force should always be considered against the worst case, rather than the "ideal" conditions displayed here.
For example, http://technewspedia.com/cluster-with-25-gpus-sprayed-passwords-lm-ntlm-windows/ - under some operating systems (XP/2003), apparently, arbitrary 14 character passwords fall in *minutes* rather than the billions of years in the estimates you cited.
At this point, it's safe to assume that anyone seriously cracking passwords is going to be using parallel methods, and they may have access to GPUs, and in this case, better to assume the worst, because the worst might just happen.
Posted by: Stephanie Daugherty | Sunday, 09 December 2012 at 11:55 PM
Hi Scott,
I like pass phrases but I'd be cautious to use something too familiar in pop culture. Rather than impossible to remember strings of characters, I'd suggest you consider borrowing a page from a one time password generator and string together several words that you'd remember, or something more obscure from a book you'd recall but are pretty convinced no one else would associate with you, for example:
begoneyousilly1eyedmoose!
1lovesalmonandbacon@Noon
amoralalligatorS1:
Posted by: The Security Skeptic | Monday, 05 November 2012 at 01:11 PM
Cool idea, Dave! It's great to realize how much power users can get simply by adding ; or ~ to a password.
Do you agree with the advice of using quotations as pass phrases? For example, "The Force is strong with this 1." is a very long, easily remembered password that, according to your chart above, should stand against 5 billion years of cracking... but will dictionary attacks undermine its theoretical resistance to the point where 9 nonsense characters would make a stronger password?
Posted by: Scott Pinzon | Monday, 05 November 2012 at 12:40 PM