Sentence Your Password

Tuesday, August 23, 2011

Christopher Hudel

B32b392ce3a707f05f4838c48c67d9cf

Sentence Your Password - or How to Make a Pass Phrase Meet Complexity Requirements in a Meaningful Way...

Within my community, I am promoting the thought that good passwords really should be called "good pass words" - that they can easily be formed by the combination of four or more apparently random words in a memorable way (see: https://www.xkcd.com/936/ for an example).

The struggle has been communicating how such a combination of words can meet up with programatically enforced constraints, such as those mandated by the "meet 3 of 4" complexity requirements within Microsoft Active Directory. 

Of course, it would be best if Microsoft AD would come up with some sort of entropic calculation for meeting password strength but until that time, I stumbled upon a very clear way to detail how to make a "compliant" password without, I hope, confusing the end-user.

Simply turn your four words into a sentence and like all sentences, start with a capital letter and end with a punctuation mark! 

This meets the complexity requirements without having to try and throw in an algorithm for users to remember how and where to place a combination of three of a {upper|lower|numeric|special} character set.

  • Correcthorsebatterystaple. (example from xkcd)
  • Funnyweathermousetoast.
  • Moneybrotherphonehelp!
  • etc...

I argue that knowing this information does not materially affect the ability for a system to guess or crack an individual password. 

Since the size of the "character sets" for capitalized and uncapitlized words are identical, could one demonstrate that there is actually no loss in the security of the password where this information is known to an adversary?

One risk is that by telling people to "Sentence their password", they may be steered unconsciously to create sentences that make sense which will significantly weaken the power of apparently random words.

And of course, apparently random words may ultimately prove not to be too random... And this does nothing for the pain of having to remember multiple passwords (use LastPass/KeePass, etc...)

As always, I'd love to hear the thoughts of the Infosec Island community.

Help Support Infosec Island by Tweeting and Stumbling our Articles - and join our LinkedIn Group HERE - Thanks!

 

Possibly Related Articles:
8283
Network Access Control
Information Security
Passwords Authentication Access Control Infosec Password Management Microsoft Active Directory
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.