Right now for most of us the key to any security in our online life is the degree of entropy in our passwords. So what is entropy, and how does it affect our passwords?

Entropy is in general the degree of randomness or disorder in any given system. Sometimes it is very easy to assess, such as a password of “1234”, which all too many people use. Because it is a simple sequence, there is no real randomness at all, and would be quickly guessed. And as we saw in the last tutorial, such passwords are quickly discovered in a dictionary attack. There are things you can do to make it less likely that your password will be cracked and used against you.

The thing to keep in mind as we discuss password safety is that the objective is not to make your password ultimately uncrackable. That may be impossible in any case. If you are a “person of interest” to a determined government agency the odds are they can devote enough computing power to getting your password that their odds are pretty good. This is a simpler problem than cracking a good PGP encryption key, which right now is considered computationally infeasible even for the NSA and GCHQ. Passwords are a somewhat simpler problem. So the threat you should really be targeting is a criminal organization that wants to get your password and use it take your money. This is a threat you can significantly reduce by following sound practices.

### Don’t use the same password on many sites

Go back to our calculation of the total number of passwords in the password space. It had two numbers, the base and the exponent. The base was 26, because we could choose from among 26 lower case letters to construct our password. The exponent was 6 because we had 6 letters in our password. So how do we use these two numbers to improve things?

First, with the base, we can increase the range of characters. If we add upper case letters, that gets us 52, and 52 to the sixth gets us to 19,770,609,664. Well, nearly 20 billion is better than 300 million, but not enough better. Add in numbers, and you have 62 possible characters and that gets us to nearly 57 billion (from now on I am going to round the numbers), which is again better, but when an attacker can calculate billions of hashes in seconds (I have seen reports of bitcoin rigs that can calculate 800 billion per second) this just isn’t getting us there. Throw in the special characters, and you are up to 95 possible characters, but that only gives you 700 billion or so possible passwords.
So our conclusion is that a six-letter password created with maximum entropy can be cracked in an offline attack (i.e. where the attacked has copied the database and can run his scripts at will against the copy) in about a second.

However, we need to remember that this is an arms race, and that attackers and defenders are constantly adjusting to what the other does. If everyone adopted the Password Haystacks approach, could attackers come up with a different way of checking passwords that would make this feasible? I am not smart enough to definitely answer that question, but I know enough about the history of cryptography to know that unless you can prove it is mathematically impossible, there is an excellent chance that some smart person somewhere will come up with an ingenious solution to the problem. So I am not willing to completely rely on Password Haystacks. Nevertheless, it does reveal a profound truth that we can take advantage of. Length is definitely the best possible way to improve your password security, and that simply falls out of the math. But I think Entropy still has a role to play.

The problem can be stated as follows:

• You should use unique passwords for at least the important sites, even if you don’t care about some sites.
• Long passwords are absolutely the best protection.
• Length alone may not be enough going forward, so Entropy is good as well.
• Long, high-entropy passwords are just about impossible for most people to remember

The only downside to this approach is that you have to be connected to the Internet to access your passwords. In most cases, you are looking for Web site passwords, so you need to online to even need the passwords, but some things you need locally (like the password to your wifi router, perhaps?), plus I am kind of a belt-and-suspenders type. so I also use KeePass(x), which stores the data in a local database. That also means that if anything happens to LastPass I can still get my passwords. It means an extra step, since every time I create a new online account I not only have to add it to LastPass (which is virtually automatic) but also to KeePass(x), which is not at all automatic. KeePass(x) is cross platform so I can use it on both Linux and Windows, and stores its data in a password-protected database. And unlike LastPass, KeePass(x) is completely open source. Both programs are available for Android as well.

The Science Fiction writer Robert Heinlein once said “Keep all of your eggs in one basket, but WATCH THAT BASKET“, and he was quoting either Mark Twain or Andrew Carnegie. That is the essence of the password vault approach, and I think it is the best overall solution to providing good password security for real human beings, at least for the next few years. I suspect that biometrics will take over at some point, indeed, they are starting to now.

Listen to the audio version of this post on Hacker Public Radio!