
Thursday, October 14, 2004

There has been much talk about what is considered a secure password. So it was a true pleasure for me to recently read a fascinating study on this topic that provided some hard numbers to back up the claims.  The study was published in the current issue of IEEE Security and Privacy and is titled "Password Memorability and Security: Empirical Results" by Jeff Yan, Alan Blackwell, Ross Anderson and Alasdair Grant.

First some background. Per the article "Human memory for sequences is temporally limited, with a short term capacity of around seven, plus or minus two items. In addition, when humans do remember a sequence of items, those items be familiar chunks such as words or familiar symbols. Finally, human memory thrives on redundancy-we're much better at remembering information we can encode in multiple ways"

So what these folks did was have three separate test groups:

  • The control group were asked to choose a seven-character password with at least one nonletter
  • Second group chose passwords by closing their eyes and pointing randomly to a grid of numbers and letters
  • The third group was instructed to choose passwords based on mnemonic phrases and given examples of how to go about doing so

Then the testers ran the following types of attacks against the passwords:

  • Dictionary attacks: Simply use different dictionary files to crack the passwords
  • Permutation of words and numbers: For each word from a dictionary file, permute with 0, 1, 2 and 3 digits and also use common number substitutions such as 1 for an I and 5 for S etc.
  • User information attacks: Exploit user data that is collected from password files such as userid, full name etc.
  • They also tried brute force attacks (Try all possible combination of keys) against passwords 6 characters long.

Pick up and read the article itself for the details and the numbers, but the conclusions are interesting. The permuted dictionary attack was the most successful and the brute force attack successfully cracked all six-character passwords. 

They also confirmed the two folk beliefs that "... users have difficulty remembering random passwords and that passwords based on mnemonic phrases are harder to guess than naively selected passwords." They have also debunked the folk beliefs that "... random passwords are better than passwords based on mnemonic phrases. Each appeared to be as strong as the other" and that "... passwords based on mnemonic phrases are harder to remember than naively selected passwords. In fact, each type is as easy to remember as the other".

Some of the key take-aways were:

  •  "... security can be significantly improved by educating users to select mnemonic passwords
  • Size of the password matters
  • Entropy per character matters, so instruct users to choose passwords containing numbers and special characters as well as letters."

So what does this mean for me? Well, from now on, my password selection page is going to have the following (some of the content is adapted from the directions that were given to the mnemonic group in the test):

  • Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 to 9 words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.  An example is the phrase "It's 12 noon and I am hungry" which can be used to create the password "I's12n&Iah".  All passwords will be checked to make sure that the following complexity requirements are met: 

    • Must be at least 9 characters
    • Must contain at least one lower case letter, one upper case letter, one digit and one special character
    • Valid special characters are @#'$%^&+=

The key point here is not just to show them the 3 above bullet items but to provide explicit guidance on how a password should be chosen to meet the outlined complexity criteria.

Oh yes, as a bonus here is a regex that will enforce the above complexity requirement:

^.*(?=.{9,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#'$%^&+=]).*$
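As an added illustration (my own example, not code from the original post), the following Python applies the regex above unchanged and, beside it, an explicit rule-by-rule check that reports which requirement a candidate failed, which is the kind of feedback a selection page should give. The function names, the post's own example password "I's12n&Iah" and the rejected samples are constructed for the demonstration; both versions require at least one of the listed specials but, like the regex, do not forbid other punctuation.

```python
import re
import string

# The complexity regex from the post, used unchanged.  The leading ".*" is
# redundant (the lookaheads already anchor at ^) but does not change the
# set of accepted passwords.
COMPLEXITY_RE = re.compile(
    r"^.*(?=.{9,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#'$%^&+=]).*$"
)

# The valid special characters listed in the post.
SPECIALS = set("@#'$%^&+=")


def meets_regex(password: str) -> bool:
    """True if the post's regex accepts the password."""
    return COMPLEXITY_RE.match(password) is not None


def meets_rules(password: str) -> list:
    """Explicit version of the same three bullet rules.

    Returns the list of unmet requirements; an empty list means the
    password is accepted.  ASCII classes are used deliberately so that the
    result agrees with the regex's [a-z], [A-Z] and \\d on ASCII input.
    """
    failures = []
    if len(password) < 9:
        failures.append("at least 9 characters")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("one lower case letter")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("one upper case letter")
    if not any(c in string.digits for c in password):
        failures.append("one digit")
    if not any(c in SPECIALS for c in password):
        failures.append("one special character from @#'$%^&+=")
    return failures


if __name__ == "__main__":
    # Constructed samples: the post's mnemonic example plus three rejects.
    for candidate in ["I's12n&Iah", "Its12nIah", "i's12n&iah", "Ab1&"]:
        print(candidate, meets_regex(candidate), meets_rules(candidate))
```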


Tags:: Security
Sunday, May 8, 2005 12:06:43 AM (Eastern Daylight Time, UTC-04:00)
Interesting results, Anil!
Scott Allen
Sunday, May 8, 2005 12:06:43 AM (Eastern Daylight Time, UTC-04:00)
But what about passphrases? Once you get past a certain number of characters in a passphrase, it becomes difficult, if not impossible to brute force a passphrase. And as a bonus, you can stop worrying so much about the complexity requirements that force users to use passwords they can't remember in the first place.

The post that started it for me:
http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx

and my take on some of the stupid things we do in the name of "security" with passwords and validation:

http://blogs.msdn.com/gduthie/archive/2004/08/03/207197.aspx

G. Andrew Duthie
Sunday, May 8, 2005 12:06:43 AM (Eastern Daylight Time, UTC-04:00)
.net DElirium
Sunday, May 8, 2005 12:06:43 AM (Eastern Daylight Time, UTC-04:00)
Andrew RE: Pass Phrases. As we all know some systems arbitrarily limit the number of characters that you can use in the password field. The empirical results showed that the use of mnemonic triggers actually allowed people to remember a complex password and that it was not any more difficult than remembering a randomly chosen password.

So one of the major points to keep in mind here is that it is indeed possible to have a secure password without resorting to a large character set ... a la pass phrase.
Anil John
Sunday, May 8, 2005 12:06:43 AM (Eastern Daylight Time, UTC-04:00)
GrazBlog