Wednesday 30 March 2011

The ghost of password future

I was reading about Pico and it raised an excellent point regarding the recommended length of passwords that got me thinking about the long-term feasibility of passwords.  For as long as I have been in the security industry (just over a decade) an 8 character password (drawn from 3 character sets) has been considered, in rough terms, 'good enough'.  The reason 8 characters is 'good enough' is that if you do the maths on how long it would take to brute force, the resulting time is 'long enough'.

So what about Moore's Law?  The popular version says computing power doubles every 18 months (the actual law is about transistor count doubling every 2 years), and these days it is kept true by adding cores rather than raising clock speed.  That is fine for this discussion, because brute-forcing passwords is embarrassingly parallel: every core can be given its own slice of the keyspace to test.

So according to Moore's Law, we need to add 1 bit of entropy to passwords every 18 months to keep the time it would take to brute force a password constant.  A character is stored in an 8-bit byte (of which ASCII only uses 7), but that is not what a password character is worth to an attacker: a character drawn from 3 character sets, say lower case, upper case and digits (62 symbols), is worth log2(62), just under 6 bits, and even the full set of 95 printable ASCII characters is worth only about 6.6 bits.  So roughly every 9 to 10 years (6 bits x 1.5 years), call it a decade, we need to add another character to our passwords in order to keep them as hard to brute-force as they are today.

Since 8 characters has been the rule of thumb for about a decade, count from roughly 2000: five decades to 2050 means five more characters, so in 2050 the recommended password length will be 13 characters.
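The arithmetic above, as an added worked example (this is not code from the original post). It assumes the baseline is an 8-character password over a 62-symbol alphabet (lower case, upper case, digits) that was 'good enough' around 2000, and that attacker throughput doubles every 18 months. Because it measures strength in bits of keyspace rather than in characters, it also shows what widening the character set buys, which the post does not work through.

```python
import math

# Assumptions, not from the original post: an 8-character password drawn
# from a 62-symbol alphabet (a-z, A-Z, 0-9) was "good enough" around 2000,
# and attacker throughput doubles every 18 months (Moore's Law as the post
# uses it, ignoring hash cost, rate limiting and non-uniform guessing).
BASELINE_YEAR = 2000
BASELINE_LENGTH = 8
BASELINE_ALPHABET = 62
DOUBLING_YEARS = 1.5

# Alphabet sizes used for the table printed below.
ALPHABETS = {
    "digits only": 10,
    "lower case": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "all printable ASCII": 95,
}


def bits_per_char(alphabet_size):
    """Entropy per character if each symbol is chosen uniformly."""
    return math.log2(alphabet_size)


def keyspace_bits(length, alphabet_size):
    """log2 of the number of passwords of this length over this alphabet."""
    return length * bits_per_char(alphabet_size)


def years_per_char(alphabet_size, doubling_years=DOUBLING_YEARS):
    """Years before one more character of this alphabet is needed to hold
    brute-force time constant: one bit of entropy per doubling period."""
    return bits_per_char(alphabet_size) * doubling_years


def required_bits(year):
    """Keyspace bits needed in `year` to match the baseline's brute-force time."""
    baseline = keyspace_bits(BASELINE_LENGTH, BASELINE_ALPHABET)
    return baseline + (year - BASELINE_YEAR) / DOUBLING_YEARS


def recommended_length(year, alphabet_size):
    """Password length over `alphabet_size` (fractional; round up in practice)
    that is as hard to brute-force in `year` as the baseline was in 2000."""
    return required_bits(year) / bits_per_char(alphabet_size)


def good_until(length, alphabet_size):
    """Year in which a password of this length and alphabet stops being as
    strong as the baseline was in 2000 (earlier than 2000 for weak choices)."""
    surplus = keyspace_bits(length, alphabet_size) - keyspace_bits(BASELINE_LENGTH, BASELINE_ALPHABET)
    return BASELINE_YEAR + surplus * DOUBLING_YEARS


if __name__ == "__main__":
    print("alphabet                  bits/char  years/char  length needed in 2050")
    for name, size in ALPHABETS.items():
        print(f"{name:<25} {bits_per_char(size):>9.2f} {years_per_char(size):>11.1f} "
              f"{recommended_length(2050, size):>22.1f}")
    # Widening the set buys time: the same 8 characters from all printable
    # ASCII stay "good enough" for several more years than 8 from 62 symbols.
    print(f"8 chars over 62 symbols good until {good_until(8, 62):.0f}, "
          f"over 95 symbols until {good_until(8, 95):.0f}")
```

Run it and the table shows the trade: over 62 symbols the 2050 figure comes out at about 13.6 characters, over all 95 printable characters about 12.3, so 'about 13' is the right order of magnitude, and moving an 8-character password to the wider set buys a little over seven years under these assumptions.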

A quick Google did not reveal a definitive answer to the length of password that people can typically remember, but I don't think it's a stretch to go with: shorter is easier, longer is harder.

So what does the future hold for passwords?  It looks pretty grim.  The length of passwords will need to go up, but our ability to remember long strings of characters is unlikely to change.  People will do what they always do and find a way to satisfy the length requirement with a password that is easy to remember but gains little or no security from the extra characters.

[I have glossed over many of the technical details of brute-forcing, Moore's Law, processor power, character sets, etc. because I wanted to focus the point of the post on the fact that password lengths seemingly must get longer.  One detail worth flagging because it cuts the other way: if the stored hash is deliberately slow (key stretching), the defender can raise the cost of each guess in step with hardware, which takes some of the pressure off length.]
