Minimum Password Length

Introduction

Lately, passwords — in regards to security — have been the topic of many conversations. More specifically, cyber security has taken main stage for many companies due to the prevalence of hackers and/or data breaches. However, passwords are one of the oldest forms of security. Having been used as physical security at some point, they have come a long way from guarding entry ways to now guarding livelihoods and even entire companies. There has been countless debates as to how long a password should be, though generally speaking, the longer it is, the better. But at what point is a password considered “secure”? A paper published by the International Journal of Cyber Security and Digital Forensics ( IJCSDF ) takes a deep dive into the question and provides a mathematical approach to the answer.

Why Should we care about Information Security?

Information security has become a pressing issue in recent years and has forced companies world wide to reevaluate their policies and/or systems. For instance, in September 2018, a story broke about Amazon employees taking bribes in exchange for modifying or leaking company data. In this instance, the company wasn’t hacked in the traditional sense, but was compromised by its own unethical employees. Amazon launched an investigation and assured the public that the employees responsible would face legal and criminal penalties. A spokesperson from Amazon took the opportunity to reiterate that they have a zero-tolerance policy when it comes to abusing their systems and those responsible for bribing would face swift action as well. In November 2018, days before Black Friday, Amazon addressed yet another breach, this one due to a “technical error.” This involved users’ emails being exposed, however, Amazon stated in an email to those affected that there was no need to change their passwords or take any other action. And in an attempt to make right by the situation, the company offered those affected gift cards ranging from $5-$100. If that doesn’t raise your concern for security, take the Equifax hack of 2017. Hackers used An Apache Struts vulnerability to gain access to login credentials, from there, they had access to another 48 servers that had personal information stored on them. They carefully extracted data, and after 76 days, they were detected. This was one of the most impactful hacks ever because millions of Americans’ data was exposed. And a year later, not much has been done about it. Equifax hasn’t faced any consequences and continues to make profit off their failure.

History of passwords

Shifting back over to passwords. Passwords are known to be one of the oldest forms of security dating backing to the 11th century B.C. As recorded in the book of Judges ( 12:6 ), it is said that a group of Ephraimites sought to escape a group of Gileadites by crossing the Jordan back into Palestine. In the process, they were stopped and questioned. They attempted to pose as natives from Gilead, but when they were asked to pronounce the word “shibboleth,” their accent gave them away. Fast forward to modern times, passwords have come a long way. The first recorded instance of a digital password was in 1961 at the Massachusetts Institute of Technology ( MIT ) for use with the Compatible Time-Sharing System ( CTSS ), a computer designed to accommodate multiple users. Inevitably, the machine’s security was defeated in 1962 and suddenly password security became an issue. Of course methods of hashing were developed and implemented so that even if a system was defeated, the passwords on the machine weren’t immediately compromised.

“A Mathematical Model for Resolving Minimum Password Length Controversy”

Again, backing up a bit to passwords. Besides hashing it, what exactly makes a password secure? In order to understand password strength and security, we have to understand what a password is exactly, or at least the definition for the scope of this study. According to “A Mathematical Model for Resolving Minimum Password Length Controversy,” password is defined as a character or sequence of characters used to determine that a device user requesting access to a system is really that user. With that out of the way, how do we make sure it meets minimum standards? Here’s where the real questions start. The study begins with surveying 23 popular websites and analyzing their password requirements. Adobe requires a password to be between 6–100 characters long, Amazon requires it to be 6–128 characters long, Apple requires it to be 8–32 characters long, Ebay requires it to be 6–64 characters long, and Facebook requires it to be 6–2001+ characters long. From these entries it’s easy to see that there’s no real standard for a minimum or or even maximum length. However, since the study focuses on minimum password length, another study of 74 websites found that the minimum length for passwords was between 1–12 characters. A third study of 150 websites found that 123 of them ( 82% ) imposed a minimum password length while the other 27 ( 18% ) didn’t. From these initial findings, the authors of this paper determined that there was no consensus for a minimum password length.

Bit Strength & Entropy

The authors determined that entropy and bit strength were the appropriate mediums in determining password strength. But if you’re like me, you’re wondering what entropy and bit strength actually means, so we’ll explore it. Entropy, at least in the scope of this paper, means the degree of randomness. The equation given for password entropy is the following:

Total Bits of Entropy = Length of Password * Log2( Number of Possible Characters ).

If we break it down even further, we can find the entropy for every character set with the given formula: Total Bits of Entropy of Character = Log2( Number of Possible Characters ). Total bits of entropy basically means: how many bits are necessary to represent all possible outcomes. For instance, to have 8 combinations, at least 3 bits are necessary to represent all possible outcomes, or Log2( 8 ) which equals 3 ( 000, 001, 010, 100, 011, 101, 110, 111 ). Conversely, we can see that 23 equals 8. Let’s say we want an 8 character password that uses only numbers. If we plug that into our formula, we get: TBE = 8 * Log2( 10 ), which equals 26.57 bits. This means that there’s roughly 100 million possible combinations for the password, or 226.57. So, the more characters and different character sets you use makes your password stronger. However, the more random it is, the harder it is to remember. It’s also important to note that higher bits of entropy only helps against brute force and dictionary attacks.

Bit strength can be seen clearly. It’s used to determine minimum entropy required to withstand brute force attacks. However, to put it in a different light, we can look at encryption. A ton of great work has been done in the area of encryption, but in order to understand where we’re at, we have to look at where we came from. 56 bit encryption was defeated in less than 3 days using specialized hardware. 64 bit encryption was defeated in 1,757 days or 4 years 9 months and 23 days. Work on the 72 bit encryption was started in 2002 and as of July 29, 2017, it was only at 4.677%. The National Institute of Standards and Technology ( NIST ) recommends 80 bit to ensure security, as such, the authors adjusted for this recommendation.

Human vs Machine

So the longer the and more random the password is, the better? Take the word: “supercalifragilisticexpialidocious”. This word would be as easy to crack as the word “cow” because they’re both in a dictionary. However, if you replaced some characters with numbers and/or symbols, it would increase the bits of entropy, but it would make it extremely difficult to remember. This is where the human vs machine argument comes in. In theory, what I just mentioned makes sense: a long password with multiple character sets makes for a strong password. But how feasible is that really? A human is more likely to pick a word or variation of a word as their password whereas a machine can come up with a totally random one. Does this mean that everything we’ve looked at so far doesn’t matter? Not quite because we can adjust for that as well. In our previous model for entropy, it suggested the ideal situation. But since humans are not the most ideal creatures, our passwords obviously lose some degree of randomness. According to the study, when a human generates a password either using all lower case or all upper case, the randomness of the password is estimated between 2 to 3 bits per character, compared to the ideal 4.7 bits. This means it loses anywhere from 36% to 57% of its randomness, or 1.7 bits to 2.7 bits. To adjust the password entropy formula, a penalty of 1.1 bits, or 67% of 1.7 bits, was introduced.

Total Bits of Entropy = Length of Password * ( Log( Number of possible characters ) ) / ( 1.1 * Log( 2 ) ).

Taking the TBE, we can get the length for a computer generated password with the formula:

Computed Password Length = ( TBE * Log( 2 ) ) / ( Log( Number of Possible Characters ) ).

And the length for human generated password with the formula:

Human Password Length = ( TBE * 1.1 * Log( 2 ) ) / ( Log( Number of Possible Characters ) ).

Results

But having multiple answers doesn’t help anyone, especially when you want a straight answer. This introduced the idea of merging the two length models and implementing the 80 bit recommended by NIST. The following formula, takes into consideration both humans, computers, and 80 bit security:

Length = ½ ( ( Log( 2 ) / Log( Number of Possible Characters ))*( 168 ) ).

The results are the proposed minimum lengths for each password, given each character set:

Numeric only : 25

Lowercase only : 18

Uppercase only : 18

Special Characters only : 17

Numeric + Lowercase : 16

Numeric + Uppercase : 16

Numeric + Special Characters : 15

Lowercase + Uppercase : 15

Numeric + Lowercase + Uppercase : 14

Numeric + Lowercase + Special Character : 14

Numeric + Lowercase + Uppercase + Special Character : 13

I’m sure it was no surprise that a password using every character set requires the least amount of characters. This means that the password is as random as humanly possible and can withstand substantial attack. Again, to reiterate, this is the safest minimum length that a password should be, not the max. Personally, my shortest password is less than the recommended, however it uses all character sets and is pretty close, so I feel a bit confident about it. With this knowledge, I can apply what I learned in order to be certain that my passwords will stand up to brute force attacks and make my information that much harder to steal.

References

  1. Agholor, S., Sodiya, A.S., Aborisade, D.O. ( 2018 ). A Mathematical Model for Resolving Minimum Password Length. December 7, 2018.
  2. Speiser, E. (1942). The Shibboleth Incident (Judges 12:6). Bulletin of the American Schools of Oriental Research, (85), 10–13. doi:10.2307/1355052. December 7, 2018.
  3. Hiscott, Rebecca. ( 2013, December 13 ). The Evolution of the Password — And Why It’s Still Far From Safe. https://mashable.com/2013/12/30/history-of-the-password/?europe=true#cdwZXIpO7ZqA. December 7, 2018.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store