Posted by on April 28, 2014

For what I hope are obvious reasons, over the last few years I’ve become more security conscious, in particular with regard to password selection. I only actually remember two passwords, both of which are fairly strong but easy for me to remember, and each of which is used in exactly one place: the account on my Mac and the key that unlocks my 1Password database. Given my use of 1Password, knowing only these two passwords gives me access to every other one. All of my other private information is also stored in 1Password, including recovery codes for two-step authentication and my FileVault 2 recovery key.

My other passwords, randomly generated by 1Password, therefore tend to be very strong. My default recipe in 1Password uses 20-character passwords that include upper and lower case letters, digits and punctuation.

And yet, for various reasons, some web sites won’t allow such passwords. Sometimes there’s a limit on the password length, usually around 15 or 16 characters. Sometimes the site won’t allow punctuation, or particular symbols. And honestly, I’ve never understood why. Is it so much more difficult to store a hash (and I do hope they’re storing hashes rather than plaintext) of “n3X8P6T9s>^j*/Gvws(3” than of “8uTZTau9PBiP663”?

There have been investigations and discussions of the issue, but I find the practice shortsighted for at least two reasons. First, all of us who aren’t criminal hackers benefit from strong passwords. I read an article just now which mentioned that it would take 218 trillion tries to guarantee cracking an 8-character password made of letters and numbers, and went on to say that forensic software capable of 2.8 billion guesses per second would get through that many possibilities in about 22 hours.

The second reason is purely a user-interface problem. I assume that whatever password I enter will be accepted as long as it’s long enough (most web sites set a minimum of 6 or 8 characters). When for some reason it isn’t, I have to work out why. Was it too long? Did it include forbidden punctuation characters? Whatever the reason, I now have to adjust 1Password’s recipe, generate a new password, use that, and then return to the recipe to revert it to my default. Each time this happens it’s one more reason for me to abandon the signup process and find what I want elsewhere on the Internet.
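To make the two complaints above concrete, here is an added example (not code from the post or from 1Password) of the server side of the story: a password check that mirrors the restrictive rules described (a 16-character cap, no punctuation) next to one that enforces only a minimum length and a generous ceiling, reporting every reason for rejection at once so the user is not left guessing. It also stores the password with salted PBKDF2-HMAC-SHA256 to show that the stored record is the same size for a 15-character alphanumeric password and a 20-character one full of symbols. The two policies and the two sample passwords are constructed for this example.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Two constructed policies (assumptions for this example, not any real site's rules).
# RESTRICTIVE mirrors the limits the post complains about: a 16-character cap and
# no punctuation. PERMISSIVE only enforces a minimum length and a generous ceiling.
RESTRICTIVE = {"min_len": 8, "max_len": 16,
               "allowed": frozenset(string.ascii_letters + string.digits)}
PERMISSIVE = {"min_len": 12, "max_len": 128, "allowed": None}  # None: any printable text


def check_password(pw: str, policy: dict) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted.

    Every reason is collected, so the user sees all problems at once instead of
    discovering them one failed signup at a time.
    """
    problems = []
    if len(pw) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if len(pw) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    if policy["allowed"] is not None:
        bad = sorted({c for c in pw if c not in policy["allowed"]})
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
    elif not pw.isprintable():
        problems.append("contains non-printable characters")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The stored record is salt + 32-byte digest, the
    same size whether the password is 15 alphanumerics or 50 characters of mixed
    punctuation; only the length of the hashing input changes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return salt + digest


def verify_password(pw: str, stored: bytes, iterations: int = 200_000) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The two sample passwords from the post.
    for pw in ("8uTZTau9PBiP663", "n3X8P6T9s>^j*/Gvws(3"):
        for name, policy in (("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE)):
            print(f"{name:11s} {pw!r}: {check_password(pw, policy) or 'accepted'}")
        record = hash_password(pw)
        print(f"  stored record is {len(record)} bytes; verify -> {verify_password(pw, record)}")
```

The one defensible part of a length limit is the ceiling: slow password hashes make multi-kilobyte inputs a denial-of-service lever, so a cap in the low hundreds of characters is reasonable, while a cap of 16 is not. A second genuine reason some sites cap length is that bcrypt only uses the first 72 bytes of its input; that argues for a 72-byte limit (or pre-hashing), not for banning punctuation.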

How strong is the recipe I use? Each letter is available twice, once in upper and once in lower case, every digit is available, and so is all of the punctuation, which a quick count on my keyboard puts at at least 32 more characters, for a total of 94. Raise this to the 20th power for 20 characters in the password and we get about 3×10^39 possibilities. Assuming the same forensic software speed from the article, it would now take longer than the age of the universe to crack my passwords. In fact, it would take approximately 2,400,000,000,000 universe ages to crack them (thank you WolframAlpha).

As I think about it more, I’m unsure why I use only 20-character passwords. 1Password can generate passwords of up to 50 characters (30 if you’re using the 1Password mini menu), and I never touch them other than to have 1Password fill them in for me or to copy and paste them myself. The time to crack a password is limited only by computer speed, which keeps increasing, so perhaps I should just start using passwords like “7C,8Uv73nU{KubcHYpW;m[:GG7UBL226C4oTKyEY##,hKt4)Tu”.

At least when the web sites will let me.

Posted in: Articles

