July 11, 2014

For better or worse passwords are how we authenticate ourselves with the plethora of appplications we use every day online.

Unfortunately the accepted wisdom about strong passwords is filled with half-truths, myths, and outdated recommendations. Keeping up with the latest information based on the latest cracking techniques is a big task even for full time security researchers.

My own personal journey into understanding password strength started innocently enough. A comic about battery horse staples made me question the convential wisdom. This triggered my own struggle with Drupal's recommendation engine which in turn opened my eyes to how complex the underlying issue really is.

The components of a strong password storage system


A password hash is the stored result of a hashing function. It typically takes the form of a hexadecimal string that represents the value in its hashed form. Hashing algorithms are written and designed by people a lot smarter than the average prgorammer, so the best advice here is to pick one that is recent, publicly respected, and well used. At the time of writing SHA256, SHA512 or SHA3 are all good options. One quick sanity check is to search for '$nameofalgorithm cracked' in Google to see if your first result is how the hash was broken. These algorithms are compromised regularly so make sure what you are using is still up to date. On a related not if you still run a Drupal 6 site it is in your user's best interest to install PHPass. Using history as our guide it is not a matter of if but when the hash you picked will be compromised so prepare your software to adapt to that situation when it occurs.


Based on what we've already seen it shouldn't come as a huge surprise that just hashing passwords isn't enough. We need to add a little flavor to our hash to make sure it can't be matched up against a table of known hashes. Adding salt to the string before it is hashed helps prevent the use of rainbow tables to identify hashes associated with known passwords. For the salt to be effective it needs to be random and unique for each hash.


Another tool to strengthen stored hashes is what is called stretching. When it comes to computing a hash speed is not really a good thing. Hashing a password many times means that additional computational overhead will be required to decrypt the hash. Moore's law assures hackers that over time the speed with which they can brute force a password will increase. Stretching may add a tiny bit of overhead to very busy authentication servers, but the upside is that this also makes it time consuming and expensive for attackers to run through password hashes to find the values.

The Components of a Strong Password

Now that we have a system that is storing password values that are properly salted and hashed and stretched if someone nefarious gets their hands on our password table our user's accounts won't immediately be compromised.

Unfortunately we only solved half of the problem. For a truly secure system we also need to rely on users to select passwords that are not easily guessed.


We are all used to being asked to add numbers capitals and special characters to our passwords. These recommendations individually only increase the entropy of our password by a small amount. These rules also provide signposts to attackers letting them know exactly what style of passwords to expect and to modify their dictionaries accordingly. The quickest way to significantly increase the entropy of a password is by increasing the length. That being said it never hurts to add more complexity as well. Lack of entropy allows hackers to quickly crack passwords less than 8 characters. This safe baseline number continues to increase as computers become more powerful so make your password as long as you can get away with. If a site warns you that your password is too long you should seriously reconsider creating an account unless you are providing an absurdly long password.


The simple recommendation to greatly increase length isn't enough any more. There have been several large plain text password leaks that have been made available online. These dumps combined with large lists of common words and their use frequency and the full text of famous documents online make the compilation of dictionaries far easier. Hackers have been able to greatly increase the size and complexity of their dictionaries. Attacks that used to be limited to single words and the incredibly easy to guess patterns of substituting numbers for letters (h@ck3r anyone?) have grown up to include common phrases and their easily generated variants. A good rule of thumb to follow is that if I can find your pass phrase in a Google search there is a good chance some attacker somewhere already has it in a dictionary. "Battery Horse Stapel" gets us part of the way there but doesn't approach the strength of "64n8oHiHgphHLFcl14h&Z!^$c"

What to Do?

Multifactor Authentication

Multifactor authentication is an enhancement to password based authentication. Instead of trying to solve the problem of ever longer ever more complicated passwords multifactor takes a different approach. The password is something a user knows (factor 1). This is combined with something the user has (factor 2). In most implementations this takes the form of a one time token generated by a piece of software on a persons phone. This can also take the form of a token sent via text message to a registered number. Because the token must be generated from a specific device the site can assume that a person knew the password and had a particular device in their possession. Suddenly schemes to hijack an individuals account start to look a lot like a James Bond movie and less like a kid in his parent's basement typing away at a terminal.

Password Management Software

Another tool to help solve the password problem is password management software. The main goal here is to empower users to generate long, random, and secure passwords for every site they visit. These unique passwords replace their short, easily-remembered, often-re-used passwords. The software becomes responsible for generating, storing, and securing your passwords and the user is only responsible for remembering a single password that unlocks the password store.

A few options I have personally used and can recommend:

With passwords properly stored, and as long, unique and full of entropy as possible we can now sleep a little easier. Until our devices start taking DNA samples from the touchscreen no solution will be completely secure.