Chained-word passwords

Tom Gatermann asked me about a new password concept. How about, instead of 16 characters of gobbledygook, you chained together three unrelated words and separated them with garbage characters?

It would be easier to remember. But is it strong enough?

I think he’s just trying to get me to do math. But let’s look and see.

If you use 16-character passwords, there are 9516 possible passwords. You can also think of that as 4×1031 to make the number easier.

Gatermann proposed #Nerd*milk*waterfalL& as an example. Breaking it down into a problem for a computer to solve, you’d have to guess three words, with a capital letter either at the beginning or end or all lowercase, along with four garbage characters. There are roughly a million words in the English language. Make it three million if you mix the case like that.

There are 81 million combinations of garbage characters. That’s the easy part.

The words part? That’s three million cubed. That’s 2.7×1019, give or take.

Multiply the two together, and you get  2.2×1027 possible passwords. 1027 is a big number, but it’s a less than 1031. The question is, is 1019 big enough?

Presently, it’s possible to try 33.1 billion passwords per second using four high-end Radeon GPUs. That’s why single-word passwords aren’t good enough anymore. A million words is nothing in the face of that.

It’ll take 4.2×1013 years to guess every possible 16-character password at that rate. Technology will have to advance an awful lot for computers to break that password in our lifetimes.

So what about Gatermann’s proposed password? It’ll take 2.1 billion years to guess every possible password at the seemingly blistering rate of 33.1 billion per second. At least that number is comprehensible, but it’s big enough to make George Burns’ lifetime look insignificant.

Something about the idea of just stringing words together to make passwords makes me uncomfortable. But the math says it’s good enough. I suppose if you’re still uncomfortable in spite of the math, you can just add a couple more filler characters, or add another word.

If you found this post informative or helpful, please share it!

3 thoughts on “Chained-word passwords

  • May 22, 2012 at 4:13 pm
    Permalink

    For more on this,

  • May 24, 2012 at 12:24 pm
    Permalink

    What’s funny is that human beings and computers see things differently. To people, “pancake” and “pan cake” look very similar, but to a computer, they are very different. “pan cake” (with a space) is not in the dictionary. For the first you’re talking one in a million, wheres the second is one in a million times a million.

    Take that and consider the password, “Mom sure loves pancakes!” At that point (assuming no sentence logic goes into the password guessing) and I assume (?) you are just as safe as you are with a (counting) 24 character randomly generated password.

    When the song “Enter Sandman” from Metallica came out, I was using the password “Exit Light, Ent3r Night.” It far, far exceeded our minimum password requirements at the time. and was simple to remember.

Comments are closed.