Explain the concept of the GRC Haystack
I was wondering how sound is the concept presented by the Gibson Research Corporation about simple passwords with the addition of padding.
I understand what Gibson is getting at with increased search space, etc., but I was wondering if this applies to real world scenarios, i.e., everyday use for your accounts and peace of mind that the passwords are 'secure' even if their entropy is super low.
Gibson has a search space calculator which indicates what is the search space for a given password. The search space depends on length of passwords and characters that form the password itself (letters - uppercase and lowercase - and/or numbers and/or symbols)
He then goes on about the importance of the length of a password and the mixture of letters, numbers and symbols. Everything does make sense, but then, he argues that "entropy" is not important, in his own words:
ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you may be familiar with the idea of “entropy” or the randomness and unpredictability of data. If so, you'll have noticed that the first, stronger password has much less entropy than the second (weaker) password. Virtually everyone has always believed or been told that passwords derived their strength from having “high entropy”. But as we see now, when the only available attack is guessing, that long-standing common wisdom . . . is . . . not . . . correct!
He refers to 2 passwords:
- 1) D0g.....................
2) PrXyc.N(n4k77#L!eVdAfp9
And argues that although the first one is infinitely more memorable than the second one (and even contains a dictionary word) the time to 'crack' it is orders of magnitude greater than the required time for the other, hence, it is more secure. Is this concept sound? In lay terms... Shall I change all my passwords to something like the first one (super easy and super long) or is this just asking for trouble in today's hyper-connected world? :)
Is entropy completely useless in the "online account passwords" world?
The concept of GRC haystack is explained as, entropy theoretically makes a password stronger but from the perspective of a password cracker the first password likely would take much longer to crack. This is because of the length of the password--this argument would probably not be valid with a short password. It is something I have written about before myself
- Consider how password cracking software attacks a password:
- Try all words from a massive dictionary of words including common passwords.
- Try common permutations (password1, password123, p@assw0rd, drowssap, etc) of each dictionary word.
- Brute force every password trying every possible letter combination.
As long as a password doesn't fall under the first two categories and the software must perform a full brute force, the first password is strongest because it is one character longer and yet utilizes the same keyspace (upper, lower, numbers, and symbols) as the second password. The first password is 24 characters long and therefore potentially has 95^24 (291,989,024,338,773,000,000,000,000,000,000,000,000,000,000,000) possible permutations. The second password has 95^23 (3,073,568,677,250,240,000,000,000,000,000,000,000,000,000,000) permutations. As you see, that 24th character makes a huge difference.In practice, if the password was ....g..................... it would likely take much, much longer to crack than the other two because even though it just uses two lower case letters and a symbol, the password cracking software would still attempt using uppercase letters and numbers and it is two characters longer. Keep in mind, however, that if a bunch of people started following the concept of padding then it wouldn't be difficult to build password cracking rules to try padding all passwords. You are better off mixing the padding throughout the password, alternating multiple characters, or simply adding a couple more semi-words to your password.
When it comes to passwords, lack of entropy and lack of character sets can always be made up for by increasing the length of a password. Nevertheless, having said all this, you still need to be smart and not reuse the same password or even the same pattern on multiple systems and you really should only rely on stuff like this in cases where you have to memorize a password. Using a password manager with a random password generator is still the best practice to follow.