Drew Griscom Roos

A Plea for Password Usability

tl;dr– Just Say No to caps and punctuation in passwords

It’s great that password security has gotten so much attention in recent years. However, it has given rise to what I see as an annoying trend. Every so often at work I need to access a new machine or service and I’m confronted with credentials like these:

qx4tIH7&yPi2XsIg$XJI
R!anFzzIF*gHRj$jNtiX
Ee6lc!PFNeVkcPbjLqKX

Behold the raw, alien, unrelenting randomness that would make even the NSA supercomputers quiver in their cryogenically-cooled bunkers!

But as secure as these passwords are, I feel they ignore the fundamental principle that passwords are meant to be used by humans. Look at those passwords above… Who can type, let alone remember all that!? They’re practically designed to be intimidating. These are not legitimate passwords; they are cryptographic keys.

Somewhere along the way, password strength became all about maximizing entropy per fixed length. No doubt this arose due to misguided systems that placed arbitrary limits on password length. But this is rarely an issue these days (and for the select few systems that are still restricted thusly, this advice obviously may not apply). The focus should instead be on maximum entropy per unit of human effort.

Human effort for password entry falls into two categories: memorizability and typeability. Memorizability has been addressed elsewhere and at length. I will focus primarily on typeability (though I will note that easier-to-type passwords are inherently more memorable).

So what do we actually get out of these über-cryptic passwords? Let’s examine the ‘bang for the buck’ of various schemes.

Scheme                   Entropy (bits)   Avg. shift keypresses   Entropy (bits)
                         per char         per char*               per keypress
diceware (i.e., word list)   3.05         0                       3.05
lowercase + numbers      5.17             0                       5.17
mixed case + numbers     5.95             0.26                    4.70
all ASCII printables     6.57             0.28                    5.12

* empirically determined. The entropy-per-character figures are log2 of the alphabet size (36, 62 and 95 symbols respectively); for diceware, log2(7776) ≈ 12.9 bits per word spread over the average word length. Bits per keypress is bits per character divided by (1 + shift keypresses per character).

What does this tell us? Well, comparing two passwords of equivalent strength – one with only lowercase alphanumerics vs. one with mixed-case – the mixed-case password will be about 15% shorter (13 vs. 11 characters at 64 bits), but actually require about 10% more typing overall (5.17 vs. 4.70 bits per keypress)! And god forbid if you ever tried to relay that password over a voice channel, you’d find the mixed-case version could easily take 10x the effort (“lowercase J… uppercase I… no, UPPERcase I… lowercase M… EMMM!”).

So all else being equal, passwords containing capital letters and punctuation are harder to type, harder to speak, and harder to remember. Their only redeeming quality is increased information density, and thus fewer characters to store or display: optimizing for the machine at the expense of every factor that matters to the human.

Below are sample passwords of equivalent strength (64 bits of entropy*) for each scheme.

* “How much entropy is enough?” is a whole separate discussion, but I would consider 64 bits to be a very strong password, and the strongest I would use in practice.† This high level of strength was chosen to accentuate the differences in the examples below.

† and if you disagree with me, note that the issue is completely orthogonal to how that entropy should be encoded into a password

xkcd-style (5 words)            lowercase + numbers (13 chars)   mixed case + numbers (11 chars)   all ASCII printables (10 chars)
gauntcrankjuryguruoooh          e5h2or905vez8                    5syRoCpbSzB                       5NRZS8yx%S
adieudearswanheelenemy          2brdtm84vtvxm                    fOdnT6Zm7n2                       8pUs::W9I1
splashcoppermareddytimid        lnictofzl9591                    meGestI9UIq                       xq{M_C0FKR
hermitmendsupperbroilfasten     cpefnvi505ikp                    9ROabqYyoA8                       B]wn;\z>UR
chemoyummymemoglyphswing        ux9rgp2vpkunh                    nLUmUCyQVkE                       %,2T4,("cX

Which would you rather type?
Which are less ambiguous to read (1 vs. I, 0 vs. O)?
Which would you prefer when you need to divulge it over a crappy skype connection in an emergency?
And which do you think will develop muscle memory after just a few attempts?

Some would argue that the whole issue is irrelevant, as most passwords will never be typed at all, but rather just copy/pasted directly from your password vault. But if so, what is the harm in using the human-friendlier version? If it’s an automated process it won’t make a difference either way. The software dev’s world is not always one of seamless integration: clipboard incompatibilities between different platforms, remote desktop sessions, and the like are situations that will thwart your ability to enter a password without actually having to type it.

So make your life a little easier for when you do.

PS: a new consideration is mobile devices, where even typing numbers requires switching to a secondary key layer (and a much more laborious switch than a desktop Shift key at that). If any of your passwords will be primarily entered on mobile devices, lowercase letters only is a prudent choice.
