Building Better Passwords: Complexity Versus Length

Red Argyle logo

Passwords are your first line of defense for all kinds of electronic devices and services, and Salesforce is no different. While Salesforce gives you a wide variety of ways to help secure your system, a solid password is absolutely critical to protect you from unwanted access. But what makes a good password in the first place? And how can you ensure that your users are helping you keep Salesforce secure? In my next couple of posts, we’ll look at some counterintuitive facts about good password policy, focus on building strong passwords, and explore effective password expiration policies.

 

We’ll start with one of the great debates, and, in my opinion, great misconceptions of password security. By now we’re all familiar with websites that require us to create a password with a variety of capital letters, punctuation marks, and numbers. You probably have similar requirements for your own Salesforce password right now. But why did this practice get started? And does it really help make your passwords harder to crack?

 

Let’s Write Some g1BBeri$h

A good password works for two very basic reasons: It’s not widely known, and it’s hard to guess. Most of the password advice you’ll ever get focuses on the first half of that statement, making passwords more complex. This is the reason why a lot of systems will require you to insert numbers or punctuation into your passwords; it helps to make sure they’re more difficult to guess easily.

 

In technical terms, the difficulty of guessing a password can be determined by its “entropy,” a measurement of how much randomness the password contains. This is an important defense against a fundamental weakness of any password-based security system: the brute-force attack. A brute-force attack is a way of trying to break a password by trying every possible value that the password could be. For example, let’s say you have a combination lock that requires 3 spins of a 40-digit wheel. A brute-force attack would try to open that lock by trying each of the 64,000 possible combinations.

 

Cracking passwords is a math problem, and computers are math experts. Let’s look at a worst-case scenario: Someone has access to your system and has a machine that can try a trillion passwords every second. (This isn’t an insanely large number, either–a high-end gaming computer can probably hit these speeds easily.) The only thing standing between the attacker and your data is your password. We’ll assume that your password is 8 characters long. Given the following types of password complexity, here’s roughly the longest amount of time it would take the password guessing machine to find your password and unlock your data.

 

8 lower-case letters (“meanbear”): 0.2 seconds

8 mixed-case letters (“MeaNbeaR”): 1 minute

8 alphanumeric characters (“M3aNbeaR”): 3 minutes

8 alphanumeric and symbol (“M3@Nb#$R”): 1.7 hours

 

Bigger is Better

So, as our example above demonstrates, making your passwords more complex definitely helps. But here’s something that a lot of people miss: When calculating the complexity of a password, increasing the number of available characters is important. But increasing the length of the password helps much more. Let me add one more figure to that chart above.

 

11 lower-case letters (“bigmeanbear”): 1 hour

 

So how does adding 3 letters do almost as much good as turning my password into something that looks like a digital hiccup? The secret is in the math. To find the total number of possible combinations for a password, you take the number of possible values per character and raise it to the power of the password length. So for the gibberish password, that’s 94 (the number of characters on a standard QWERTY keyboard, not counting Enter or Space) to the 8th power, or 94 * 94 * 94 * 94 * 94 * 94 * 94 * 94. But the simpler, longer password has a larger exponent, at 26 (the number of lowercase letters in common English) to the 11th power. So it makes up for its simplicity by having more characters to guess.

 

Just by adding another short word, I’ve managed to achieve about the same level of difficulty that I did by manipulating my password into looking like someone tapdanced on my keyboard. The point I’m trying to make here is that while making passwords more complex definitely helps, you get a LOT more mileage out of just making them longer.

 

But In All Honesty…

At this point, I need to point out a pretty grievous issue in my password above. With the math I outlined above, I just suggested that cracking “bigmeanbear” would require a computer to search through 3.7 million billion possible combinations. In reality, that number is probably closer to 1 billion, which means our password cracking system above would bust it in about a millisecond.

 

How is that possible? Well, if we assume that each character in a password is random, then each additional letter adds a lot of complexity. But the letters in my password aren’t random; they’re 3 of the thousand most common words in the English language. Human beings are bad at remembering truly random things, and the people who crack passwords know this. They focus on common words and common spelling and capitalization variations of those words. I’d be surprised if even something like “B1gM3@Nb#$R” would last more than a couple seconds.

 

Taking Action

So how do we get around the fact that we’re not good at remembering truly random things? Are we all doomed to have passwords like “ajt&(*79” that are more secure but impossible to remember? While it may be tricky to build a good password that’s easy to remember, it’s far from impossible.

 

One method I’ve found recently that looks very promising is called Diceware. It’s a resource that helps you develop passwords that are both complex and memorable, using nothing more than some regular 6-sided dice (or your favorite random-number generator). First you roll the dice to generate some 5-digit numbers. Then you use their word chart to turn those numbers into a word. Because they are fairly common words, they are easier to remember. But because it’s long, it’s very difficult to crack. As an example, let’s take a password I just rolled up and see how long it would take on the trillion-guess machine I described earlier.

 

Six pseudo-random words (“virgocolonysnoozemuzakcoke”): 7,000 years

 

Not bad for something you can probably memorize in a couple of minutes. Just make sure that you let the system pick the words for you; the goal is to minimize your own influence on the password as much as possible.
I’ll be writing more blog posts over the next few months on passwords, and I hope this first post has helped you get some ideas for improving your password security. Do you have questions about password security, tools for generating strong passwords, or ideas that you think we’ve missed? Feel free to get in touch via Twitter or in the comments below.

Red Argyle logo
Red Argyle logo

Related Blog Posts