Password security and a comparison of Password Generators

There are two general approaches to password management:

Password generators which use a hash function, like the SS64 password generator, are easy to use and will repeatedly regenerate the same password when given the same inputs but they do have limitations - the only way to change a password is to enter a different master password or a different salt value. All the generated passwords are the same length.

Password managers which store passwords have the flexibility to apply different complexity rules to each password or to store a pre-existing password - often required when a password needs to be shared between a team of people. The downside of the storage approach is that the password storage (file/database) needs to be managed carefully - secured, backed up and synchronised to all the devices where you will need to use the passwords. If the password store is lost or corrupted you will lose all the passwords! Destructive viruses such as CryptoLocker can also make a password store unreadable.

What makes a good password?

The capacity of a password can be calculated from length + complexity, to give a measure of password entropy. A password containing only upper and lower case characters has 52 possible characters in each digit, adding numerals and other characters will increase this further.

Entropy denotes the uncertainty in the value of a password and is conventionally expressed in bits. If a password of k bits is chosen at random there are 2k possible values

  Complexity
Password Length Numbers
0-9
a-z a-z, A-Z, 0-9
8 26 bits 37 bits 47 bits
10 33 bits 47 bits 59 bits
11 36 bits 51 bits 65 bits
12 39 bits 56 bits 71 bits
13 43 bits 61 bits 77 bits
14 46 bits 65 bits 80 bits
15 49 bits 70 bits 89 bits
20 66 bits 94 bits 119 bits

Maximum Time to crack a password based on its entropy

Entropy Maximum Time to crack
at 350 billion guesses/Sec
47 bits 0.223 Hours
59 bits 457.50 Hours
65 bits 3.342 Years
71 bits 213.92 Years
77 bits 13,690 Years
80 bits 109,527.95 Years
89 bits 56078315.93 Years.
119 bits 6.0213633 e+16 Years

High password entropy will help to protect against 'old school' brute force attacks, but passwords like aaaaaaaaaaaaaaa or schoolofhardknocks or any common phrase or saying will still be less secure than a random string of the same length. This is because a rainbow table can be used to lookup almost any known phrase or pattern very quickly.

For non-random passwords the calculation of entropy can be modified by applying a set of rules to account for typical language patterns (Shannon Entropy).

There is no definitive answer to the question of the password strength required to resist a brute force attack but NIST recommend 80 bits for the most secure passwords.

Sensitive systems or situations will demand longer passwords, but high entropy long passwords containing random characters and numbers are more difficult for anyone to memorize. Truly secure passwords quickly become impractical unless you use software to automatically retrieve (or generate) the passwords.

Pass phrases (also known as Diceware) a long password consisting of several random words such as correct horse battery staple have been popularised by XKCD. Pass phrases don't offer any significant advantage or disadvantage compared to a traditional password of the same entropy: Research paper (PDF). Novice typists may find the longer length difficult to type and they may exceed the password length limitations of some websites.

Some badly coded websites only store the first 10 or 15 characters of a password, if a long password is silently truncated to correcthorse thats suddenly a lot less secure than you would expect. Up until 2012 Microsoft Hotmail did this.

Good password management solutions should be able to cope when a website changes it's url e.g. signup.example.com changes to login.example.com

It is possible that an intruder could attack a popular password generator by passing a rainbow table of common passwords through the same hash algorithm to generate potential passwords in bulk. To prevent this, it is still important when using any password manager to choose the master password carefully, a long, random, difficult-to-guess string.

Password expiry

Although rarely enforced for website logins, there are some advantages to changing passwords on a regular basis. If the length of your password means that it could be brute force cracked in 50 days, then changing the password every 49 days makes it impossible for such an attack to succeed.

Conversely if the password is truly strong, there is little to be gained in changing it. Mathematically, moving from never changing one’s password to changing it at every single login attempt (pass or fail) will on average only double the number of attempts it would take to brute force the password. In comparison, adding a single extra character to the password length will make it an order of magnitude more secure.

The one advantage of forcing password changes is that it makes it more difficult for people to reuse the same password on multiple sites.

If a sensitive password has been discovered by a third party, then changing it after 30 days will revoke that access, but in many cases this will be locking the stable door after the horse has bolted.

If you do need to change passwords regularly then a password manager with an encrypted database will allow individual passwords to be changed as required.

Password resets

On-line services often provide a password restore function that can be used to reset the password. It is good practice to setup complex answers to such security questions particularly if the 'true' answer would be very simple for an attacker to discover. Password reset answers should be managed just like actual passwords.

Social Engineering

As shown by the August 2014 celebrity photo leaks, even a strong password can be vulnerable to a targetted social engineering attack based on user name, security questions and reset/recovery options. One extra defence against this is to have a separate email address which is not tied to your identity in any obvious way and is used only for website logins. So for example you might have Joe.Bloggs@outlook.com as your real email address and Fred.Flintstone@gmail.com used only for logins.

Comparison of Password Generators


Password Hash Password Store

Nic Wolff’s password generator
The first javascript password generator - The idea is that you choose one master password to secure all your others. Supported on: IE, Firefox, Chrome, Safari and anything else that can run a web browser.

Creates 10 character passwords. (SHA-1 hash)

PasswordSafe
Free open source software that encrypts passwords in a storage database. Created by Bruce Schneier and Counterpane Labs for MS Windows users.
By default PasswordSafe creates 8 character passwords.
Supported in: Windows, Linux (in beta), Password Gorilla (cross platform port)

SS64 Password Generator - javascript password generator that creates passwords for several popular websites in one step + a custom option for others.
Creates 10 character passwords (SHA-1 hash)

SS64 Extra Strong Password Generator - as above but creates 20 character passwords (SHA-256 hash).
Supported on: IE, Firefox, Chrome, Safari and anything else that can run a web browser. Also a command-line version.

Lastpass
A browser plug-in that encrypts passwords in a storage database and automates website logins. The basic plug-in is free but 'premium' features require a yearly subscription. Lastpass includes a strong password generator and can sync between devices. For syncing to take place, the encrypted passwords are stored online, which does require a certain amount of trust in the LastPass security team. LastPass offer a secure bookmarklet for the situation where you can't use a LastPass browser plugin.
By default Lastpass creates 8 character passwords.
Supported on: Firefox, Internet Explorer, Safari, Chrome, Opera, Windows Desktop, iPhone, iPad, Android, Blackberry.
Pwdhash (MD 5 hash)
A javascript password generator from Stanford security lab. Creates domain-specific passwords with defense against password phishing scams.
The default password length is proportional to the length of the master password.
Supported on: IE, Firefox, Chrome, Safari and anything else that can run a web browser.
Dashlane
A browser plug-in that encrypts passwords in a storage database and automates website logins. The basic plug-in is free but 'premium' features including promotional discount coupons require a yearly subscription. Dashlane includes a strong password generator and can sync between devices (encrypted passwords are stored online). Founded by Bernard Liautaud of Business Objects
By default Dashlane creates 10 character passwords.
Supported on: Firefox, Internet Explorer, Safari, Chrome, iPhone, Android.
SuperGenPass (SHA-1 hash)
A javascript bookmarklet password generator originally created by Chris Zarate based on Nic Wolff’s original password generator.
SuperGenPass will generate the same password for different subdomains of the same website.
One downside is that the bookmarklet code contains a large number of hard-coded URL/domains, this may become difficult to keep up to date given the increasing expansion of top level domains.
By default SuperGenPass creates 10 character passwords.
Supported on: IE, Firefox, Chrome, Safari and anything else that can run a web browser.
KeePass Password Safe
An open source application that encrypts passwords in a storage database. Includes a strong password generator. To sync between devices either copy the password database manually or use cloud storage (DropBox etc.)
By default KeePass creates 20 character passwords.
Supported on: Windows, Linux, Mac OS X, Andriod. Requires the Microsoft .NET Framework or Mono.
KeePassX is a compatible version for Mac OSX and Windows.
PasswordMaker (MD 5 Hash or a choice of 12 others)
An open-source javascript password generator. Desktop ,iPhone and Browser Add-In versions are also available.
Has an unparalleled level of control over password generation, but this does mean that you have to remember all the options you have chosen in order to regenerate the same password.
By default PasswordMaker creates 8 character passwords.
Supported on: Windows, IE, Firefox, Chrome, Opera and anything else that can run a web browser.
RoboForm
A commercial application that encrypts passwords in a storage database. Strong support for Enterprise features. It has a browser plug-in to automate website logins and a strong password generator. The passwords are encrypted and stored on individual clients or optionally on a USB Flash Drive.
By default RoboForm creates 8 character passwords but this is fully customisable via policy.
Supported on: Windows, Firefox, Internet Explorer, Chrome, Safari, iPhone, iPad, Android, Blackberry.

Hashapass - A free javascript password generator with plug-ins for Firefox, iPhone, android, unix, Mac & Windows Gadgets.
Hashapass creates 8 character passwords (SHA-1 hash)

1Password
A commercial application that encrypts passwords in a storage database. It has a browser plug-in to automate website logins, a strong password generator and an option to sync between devices. There is no plug-in for Mobile Safari but they do have a workaround.
By default 1Password creates 20 character passwords but this is fully customisable.
Supported on: Mac OS X, Windows, Linux, iOS, Andriod(read only)
Labnol/CtrlQ - A free javascript/jquery password generator. Passwords are variable length and include punctuation charaters (@#&>'*\[%]=;+^) which may not be accepted on all websites. github (bcrypt hash)  

“I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them” ~ Jesper Johansson (Microsoft)

Related:

A really strong password is one that nobody else has ever used - Joseph Bonneau (University of Cambridge)
NIST password recommendations (PDF)
Password entropy does not improve security Florida State University (PDF)
Research paper on browser-integrated password managers
XSS risks around bookmarklets.
GPU computer clusters can cycle through as many as 350 billion guesses per second.


© Copyright SS64.com 1999-2014
Some rights reserved