January 12, 2005
Issue No. 67

Computer Passwords Are Passé

by Jay Stamps

Did you know that, under certain circumstances, an 8-character perfectly random Microsoft Windows password consisting only of numbers and letters of the alphabet can be "cracked" in a few minutes using commercially available software?

Did you know (based on various informal studies) that the seven most common passwords are: 1) no password at all, 2) sex, 3) love, 4) god, 5) secret, 6) money, and 7) password? People also commonly use their own account names as passwords, or the names of family members and pets.

Computer hackers certainly know these facts. Using a variety of advanced tools and techniques, hackers can guess or crack, with little difficulty, passwords based solely on combinations, inversions or other permutations of dictionary words (not just English words) and numbers, or on common personal or place names; they can even crack random strings of characters, provided the passwords are fairly short.

Passwords Versus Pass Phrases

Instead of traditional passwords, you can actually use longer phrases (which are easier to remember and often easier to type) for Windows 2000 and Windows XP PCs, Macintoshes running Mac OS X 10.3 or higher (but not 10.2 and below), as well as for your SUNet ID.

As passwords (or pass phrases) become longer, they become exponentially harder to crack. If you were to use a 15-character password for example, even if vast computing power were applied to the problem of cracking it, on average, with existing methods and equipment, a hacker would need many years to discover it at last.

What about password complexity, which is another way of saying randomness?

The more random a password or pass phrase, the harder it is for anyone - including a password-cracking computer program - to guess. The randomness of your password depends on three related and quantifiable properties: the number of characters it contains (that is, its length), the size of the character set you employ (for example, upper- and lower-case letters of the English alphabet, numbers, punctuation marks, symbols), and the improbability of the order in which you combine those characters. An example of a very random 8-character password is 4(`S&zAp, while an example of a very non-random 8-character password is password.

As passwords become longer, however, the size of the character set that you choose from and the improbability of your ordering of individual characters begin to matter less. You can include dictionary words and still have a sufficiently complex password (or pass phrase) to ward off hackers and satisfy SUNet ID password complexity requirements, as long as you observe a few simple rules. A well-chosen, easily remembered 15-character pass phrase, in fact, is far more secure than a perfectly random, very unmemorable 8-character password.
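To put numbers on the three properties just described (length, character-set size, and the improbability of the ordering), here is an added example that is not part of the original article. It computes the search space and entropy of the article's two cases, a random 8-character password and a 15-character pass phrase, and adds a word-level estimate for a phrase built from dictionary words. The guess rate of one billion guesses per second and the 10,000-word dictionary are assumptions chosen for illustration.

```python
import math

# Assumed character-set sizes for the comparison below.
ALPHANUMERIC = 62        # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95     # every printable ASCII character
LOWERCASE_SPACE = 27     # a-z plus the space between words

def search_space(length: int, charset_size: int) -> int:
    """Candidates a brute-force attacker must consider for a random string."""
    return charset_size ** length

def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(charset size)."""
    return length * math.log2(charset_size)

def word_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a phrase of dictionary words, as seen by an attacker who
    guesses whole words instead of individual characters."""
    return word_count * math.log2(dictionary_size)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find a secret of the given entropy: half the space."""
    return (2.0 ** bits) / 2 / guesses_per_second

def compare_policies(guesses_per_second: float = 1e9) -> dict:
    """Map each case to (entropy bits, expected years to crack) at an
    assumed guess rate; the 10,000-word dictionary is also an assumption."""
    cases = {
        "random_8_alphanumeric": entropy_bits(8, ALPHANUMERIC),
        "random_8_printable": entropy_bits(8, PRINTABLE_ASCII),
        "phrase_15_lowercase_space": entropy_bits(15, LOWERCASE_SPACE),
        "phrase_3_words_10k_dict": word_entropy_bits(3, 10_000),
    }
    seconds_per_year = 365.25 * 24 * 3600
    return {
        name: (bits, expected_crack_seconds(bits, guesses_per_second) / seconds_per_year)
        for name, bits in cases.items()
    }

if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years at 1e9 guesses/s")
```

The word-level row is the caveat: a phrase of three common words has far less entropy than its character count suggests, which is why the "simple rules" for pass phrases matter.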

Should You Use Pass Phrases Instead of Passwords?

For your Windows 2000 or XP user accounts, for your Mac OS X 10.3 and higher user accounts, and for your SUNet ID, consider changing your password to a pass phrase. The advice below is specific to Stanford and to the above-mentioned types of computer accounts. Not all operating systems and software applications support the use of longer pass phrases (for example, Windows 98 and Mac OS X 10.2 and below do not), or even the use of punctuation and special characters in conventional passwords.

When choosing a pass phrase, consider these suggestions:

If you're a reasonably fast typist, entering a 15- to 25-character pass phrase is no great burden. And if you're running Windows 2000, XP, or Mac OS X 10.3 or above, single sign-on (entering your pass phrase only once) permits you to use your pass phrase to log in to your PC or Macintosh, to log in to PC-/MacLeland, and so to log in to various restricted resources on the Stanford web, all at the same time. For more information about single sign-on, please refer to the PC-Leland and MacLeland documentation on the Stanford web.

Note that for single sign-on to work, your Windows or Mac OS X user name and pass phrase must match your SUNet ID and pass phrase exactly.

To change your SUNet ID password to a pass phrase, visit the StanfordYou web page.

For More Information

For information about password and pass phrase policies and guidelines at Stanford, see http://securecomputing.stanford.edu/passwords.