In a perfect world, certain things wouldn’t need to exist. Packets of detergent wouldn’t need warning labels regarding ingesting them, I wouldn’t need to verify my age for my Steam account for the thousandth time in nearly ten years, and, most relevantly to today’s topic, there’d be no need for passwords.
But of course, our world is imperfect and we do need passwords, or more specifically, we do need authentication. In software, authentication is the practice of verifying that a user is who they claim to be. Most people would recognize it in the form of logging into a service that asks for a password. While that is the most common form of authentication, it's not the only form it can take.
Authentication comes in three flavors, commonly described as: something you know, something you have, and something you are. A password would be “something you know” as it…is…something you know. Intuitive. Another example of something you know is the unlock pattern on your phone, if you secure it that way. An example of something you have is a keycard (or the phone running your authenticator app), and an example of something you are is a fingerprint or a retinal pattern. Combining two different flavors is what “two-factor” authentication means; two passwords are still just one factor.
For most of the digital age, consumer-facing services relied on a single point of something-you-know authentication: the password. There are a couple of reasons for that. For one, implementing either of the other two flavors of authentication wasn't feasible for a consumer-facing service. At the risk of dating myself, America Online couldn't very well ask its users to supply a fingerprint with their 90s-edition Compaqs. But for two, passwords were “good enough.”
However, while we might not live in a perfect world, we do live in an evolving one. The other two flavors of authentication are becoming more and more common even in consumer-facing services. Our phones have fingerprint and facial recognition built in. Authenticators are issued for many online games. Yet the password holds its place as the first line of authentication, and it's no less important for it to be strong.
So, what makes a password strong? The first thing to understand before trying to answer this question is that hackers, just like programmers, are lazy. Their attempts are typically automated, and if they're going after the password directly rather than through the human vector, their method is elegantly blunt in its simplicity: they guess. A pure brute force attack tries every possible combination of characters. In practice, attackers start with dictionaries of common passwords, real words and passwords leaked from earlier breaches, plus the predictable substitutions people make (“p@ssw0rd”), because that finds most human-chosen passwords far sooner than exhaustive search would. Most of this guessing happens offline, against a database of password hashes stolen in a breach, where nothing throttles the attacker and a single machine with a few GPUs can test billions of candidates per second against a fast hash. Surviving this guessing is the primary thing a password needs to do.
A password's power to resist guessing is rated by its entropy, measured in bits. If you've ever made an account somewhere that showed you the strength of a prospective password, an estimate of entropy is likely what was being graded. Basically, entropy is a measure of how unpredictable a password is: every additional bit doubles the number of guesses an attacker needs on average, so a password worth 40 bits takes about 2^39 guesses to find and one worth 41 bits about 2^40.
There's quite a bit of math behind it, but the big takeaway is that a password's entropy grows with the number of characters in it, and only a little with the size of the alphabet those characters are drawn from. For a randomly generated password, each extra character adds roughly 5 to 7 bits depending on the alphabet, which is about as much as you gain by switching an 8-character letters-and-digits password over to the full keyboard of symbols. The catch is that this arithmetic only holds for passwords chosen at random: a word plus a year is short in entropy terms no matter how many characters it has, because the guessing tools try exactly those patterns first. This is why websites require a minimum length, and why length is the cheapest strength you can buy.
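To make the arithmetic concrete, here is an added example (mine, not code from the original post) that works the entropy formula for randomly generated passwords and turns the bit count into an expected cracking time. The alphabet sizes are standard; the attacker speed of 10^10 guesses per second is an assumed figure for an offline run against a fast hash, so the years shown are illustrative, not a promise.

```python
import math

# Assumed alphabet sizes for *randomly generated* passwords.
LOWERCASE = 26                 # a-z
ALPHANUMERIC = 26 + 26 + 10    # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95           # every printable ASCII symbol, space included
DICEWARE_LIST = 7776           # 6^5 words in a standard Diceware word list

# Assumed attacker speed: an offline run against a fast, unsalted hash on
# commodity GPUs. Real rates depend on the hash; this figure is illustrative.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols, each drawn uniformly and
    independently from `alphabet_size` possibilities: length * log2(size).
    This is the ceiling for a machine-generated password; a human-chosen
    one is worth far fewer bits because its characters are not independent."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """On average the attacker finds the password halfway through the
    keyspace, so every extra bit doubles the work."""
    return 2.0 ** (bits - 1)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected wall-clock time at the assumed guess rate."""
    return expected_guesses(bits) / rate / SECONDS_PER_YEAR


def bits_gained_by_extra_char(alphabet_size: int) -> float:
    """Entropy added by lengthening a random password by one symbol."""
    return math.log2(alphabet_size)


def bits_gained_by_bigger_alphabet(length: int, small: int, big: int) -> float:
    """Entropy added by keeping the length but widening the alphabet."""
    return entropy_bits(big, length) - entropy_bits(small, length)


if __name__ == "__main__":
    cases = [
        ("8 lowercase letters", LOWERCASE, 8),
        ("8 letters+digits", ALPHANUMERIC, 8),
        ("8 printable ASCII", PRINTABLE_ASCII, 8),
        ("12 letters+digits", ALPHANUMERIC, 12),
        ("16 letters+digits", ALPHANUMERIC, 16),
        ("6 Diceware words", DICEWARE_LIST, 6),
    ]
    for label, size, length in cases:
        b = entropy_bits(size, length)
        print(f"{label:22s} {b:6.1f} bits  ~{years_to_crack(b):.3g} years at 1e10/s")
    # Adding one character to an 8-char alphanumeric password (+5.95 bits)
    # beats widening its alphabet to all printable ASCII (+4.96 bits).
    print(f"+1 char: {bits_gained_by_extra_char(ALPHANUMERIC):.2f} bits, "
          f"wider alphabet: "
          f"{bits_gained_by_bigger_alphabet(8, ALPHANUMERIC, PRINTABLE_ASCII):.2f} bits")
```

Run it and the table makes the post's point by itself: eight letters and digits (about 48 bits) fall in hours at the assumed rate, while sixteen (about 95 bits) are out of reach, and six random Diceware words land comfortably in between despite being made of ordinary English.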
So, make long passwords of incomprehensible garbage for flawless security, got it, great blog everyone, see you back here in a couple weeks.
Sarcasm aside, that actually is not far off from a great solution. A password that is a long string of indecipherable nonsense does afford great protection against the things a password is meant to protect against. The difficulty of remembering such a password, though, would tempt many users to compromise their security by doing things like writing it on a Post-it note under the keyboard.
So, we want the strength that Zodiac Killer ravings offer, but we also want ease of use so that users won't shoot themselves in the foot. There's a way to have both! If you use Chrome or Firefox as your browser, you may have already opted into using it. A password manager, which is available as a standalone application as well as built into some browsers, generates absurdly strong passwords and stores them to be used whenever you log into the account each one is associated with. Because it generates a different one for every account, a breach at one site doesn't hand the attacker the rest of your accounts.
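What “generates absurdly strong passwords” has to mean in code is that the generator draws from a cryptographically secure random source. The following is an added example of mine, not a password manager's own code, showing a proper generator built on Python's `secrets` module, a Diceware-style passphrase generator beside it, and, for contrast, the anti-pattern of using the ordinary `random` module. The symbol alphabet and the eight-word list are constructed for the example; a real Diceware list has 7776 words.

```python
import random
import secrets
import string

# The 94 printable ASCII symbols other than space: a typical generator
# alphabet (assumed; real managers let you tune which classes to include).
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list. A real Diceware list has 7776
# words (about 12.9 bits each); this toy list is worth only 3 bits per word.
WORDS = ["correct", "horse", "battery", "staple",
         "orbit", "velvet", "canyon", "marble"]


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Password from the OS CSPRNG. secrets.choice draws uniformly and its
    output is unpredictable; 20 symbols from 94 is about 131 bits."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: same uniform draw, easier to type by hand
    where a manager can't autofill (a laptop login, a recovery console)."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def weak_password(length: int = 20, seed=None) -> str:
    """ANTI-PATTERN, kept only for contrast. The `random` module is a
    Mersenne Twister: given its seed (or around 624 observed outputs) its
    entire future is reproducible, so two runs seeded alike yield the
    identical 'random' password. Never use it for secrets."""
    rng = random.Random(seed)
    return "".join(rng.choice(SYMBOLS) for _ in range(length))


if __name__ == "__main__":
    print("random password:", random_password())
    print("passphrase:     ", passphrase())
    # Same seed, same "random" output: this is what predictable means.
    print("weak, seed 42:  ", weak_password(seed=42))
    print("weak, seed 42:  ", weak_password(seed=42))
```

The difference between `secrets` and `random` is invisible in the output, which is exactly why generators get this wrong: both print twenty characters of garbage. Only the second one can be reproduced by anyone who learns, or guesses, the seed.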
This leaves us with the need to remember one password (which needs to be super duper ultra secure) and on that front, I offer this suggestion: