Another take on passwords: entropy vs length

Shortly after writing about password strength, Linkedin managed to loose 6.5 million hashed passwords. The hashes have been made public by the crackers responsible for the attack. Posting so many password hashes in public is quite interesting. For starters, the hashes can be analyzed. Now we can read in the news what the most popular passwords for Linkedin are. After reading this list, it is pretty clear to me that there are many people who simply do not care about the security of their Linkedin accounts. Some companies were also extremely fast to provide extra tools such as  Linkedin password checker – I guess a case like this is good advertisement for LastPass.

As you can imagine, I was less-than-amused to find out my password was leaked, too. Granted, only the SHA-1 hash was leaked and my password was a random string. However, the geniuses at Linkedin forgot to salt the password hashes, making them easier to crack. I also do not quite understand why it took Linkedin longer to send me a warning email than Lastpass to write the password checker tool.

After changing my password and making sure I did not re-use this password on other sites, I started reading some more articles about password strength. One of the more interesting ideas was to pad random passwords with easy to remember strings. The article argues the password “D0g…………………” has the same length as the completely random “PrXyc.N(n4k77#L!eVdAfp9” but is much easier to remember. The latter has a much higher entropy which is usually considered as more secure. However, the author claims that padding passwords with easy to remember strings does not make them less safe unless the cracker knows the padding system. If the system used to pad the password is not known to the attacker, brute force is the only valid strategy to crack the password. The author concludes that password length beats entropy in most cases.

I agree with the basic conclusions of the GRC password strategy. However, looking at the most popular cracked passwords list cited above, I believe most people will just use very few padding strategies. Once these are known, password crackers can update the brute force algorithms to make guesses for the padding, effectively decreasing the security of these passwords.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s