Need a Bigger (Password) Haystack

The old expression “like finding a needle in a haystack” is usually uttered in frustration, like it’s a bad thing. But today I’m going to give you at least one case where you want that haystack to be huge… massive, even. Because the needle you’re hiding in that haystack is your password.


Source of Inspiration

A couple months ago, I told you about a tool called ShieldsUp from Steve Gibson. I first found Steve many years ago when I discovered the Security Now podcast. I reference Steve a few times in my book and he’s influenced the style of my own podcast. (And I was absolutely thrilled when they mentioned my book on their show).

If you listen long enough, Steve will mention his many other free software and web-based tools, and I want to introduce you to a few that I think are particularly useful and/or interesting. I’ll be bringing out more of them in the coming weeks and months, focusing on one at a time. Feel free to poke around on your own, of course – there’s a lot there.

What Makes a Password “Strong”?

The first rule of creating a good password is to not use anything guessable. That is, you can’t use your name, birth year, alma mater, favorite sports team, dream car, or really any simple dictionary words. That includes “clever” twists like writing them backwards or replacing “a” with “@” and “O” with zero. Hackers have figured ALL of those out already and can crack them in literally seconds (see rainbow tables). Basically, this means that you can’t use any character strings or patterns that you can easily remember. (That’s where password managers come in.)

The basic premise is this: assuming your password is truly random (not guessable, which is to say “high entropy”), then the only option remaining for guessing it is to try every possible password until you find the one that works. This is called a “brute force” attack, and this is exactly where you want to be.

Password Haystacks

And here’s where the concept of the “password haystack” comes in. The needle in the haystack metaphor here means that you want to bury your needle under the biggest haystack you can. That is, you want to make it essentially impossible for anyone to figure out your specific password among all the possible passwords. This is why using upper and lower case letters, plus numbers and special characters, makes your password stronger. It means the bad guys have many, many more possible options they have to try for each letter of your password.

Now, given that you’re using a mix of all of these character types, the only way to make your password stronger is to make the password longer. If your password used all the characters available, but was only one character long, that would only be about 95 possible choices. But every character you add to that length increases the possible combinations by 95 times. Two characters gives 95×95 or 9,025 possible passwords. Bump that up to 10 characters, and you now have a whopping 60,510,648,114,517,017,120 possible passwords. That might seem like a lot, but a massive hacking array could theoretically try all of those combinations in about a week. But every character you add increases the hacking time by almost 100x.

Try Out the Password Haystacks Tool

And that brings us to Steve Gibson’s Password Haystacks web tool. Try it out. Play around with different types of characters and password lengths, and you can see how long it would take to crack that password using three different techniques: slow, online attacks; fast, offline attacks; and crazy fast supercomputer attacks. (Keep in mind that computers get faster every year, and you may want to protect your stuff against hacking at least until you’re dead). It’s pretty amazing to see how much difference one or two more characters can make. And if you’re using a password manager, length doesn’t matter – why not go for 20 characters? Using Steve’s estimates, that would take a supercomputer 11.52 thousand trillion centuries to guess!
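The haystack arithmetic from the previous section and the three attack speeds just described, worked through as an added example (this is not code from the original post or from Steve Gibson’s tool). The guess rates of 1,000, 100 billion and 100 trillion guesses per second are assumptions of this example, and the haystack is counted cumulatively (every password up to the chosen length), which is what reproduces the 10-character figure quoted above.

```python
import string

# Character classes as the haystack model sees them; punctuation plus space
# gives the 33 "special" characters, for a 95-symbol full alphabet.
CLASSES = {
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "digits": string.digits,              # 10
    "symbols": string.punctuation + " ",  # 33
}

# Assumed guess rates in guesses per second (an assumption of this example).
RATES = {
    "online": 1_000,                       # throttled web login
    "offline": 100_000_000_000,            # stolen hash, one fast GPU rig
    "massive_array": 100_000_000_000_000,  # large cracking cluster
}
SECONDS_PER_DAY = 86_400
DAYS_PER_CENTURY = 100 * 365


def alphabet_size(password: str) -> int:
    """Symbols an attacker must try per position: the sizes of every
    character class the password actually uses, added together."""
    return sum(len(cls) for cls in CLASSES.values() if any(c in cls for c in password))


def search_space(alphabet: int, length: int) -> int:
    """Haystack size: every password of length 1..length, because a
    brute-forcer exhausts the shorter candidates before the longer ones."""
    return sum(alphabet ** k for k in range(1, length + 1))


def days_to_exhaust(space: int, rate_name: str) -> float:
    """Worst-case days to try the whole haystack at the named guess rate."""
    return space / RATES[rate_name] / SECONDS_PER_DAY


def growth_per_character(alphabet: int, length: int) -> float:
    """Factor by which the haystack grows when one more character is added."""
    return search_space(alphabet, length + 1) / search_space(alphabet, length)


if __name__ == "__main__":
    # Constructed sample passwords: lower-case only, all classes, and 20 chars.
    for pw in ("tr7kq2pm", "Tr7k!Q2p", "X7$kq2!Lm9pV#bR4wZ1@"):
        n, space = alphabet_size(pw), search_space(alphabet_size(pw), len(pw))
        print(f"{pw!r}: alphabet {n}, length {len(pw)}, haystack {space:,}")
        for name in RATES:
            print(f"  {name:14s} {days_to_exhaust(space, name) / DAYS_PER_CENTURY:.3g} centuries")
```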
