A Guide to Stronger Passwords – How Big is Your Haystack?

“Every password you use can be thought of as a needle hiding in a haystack.” ~ Steve Gibson

Renowned security expert Steve Gibson has recently created a new component of the GRC (Gibson Research Corporation) site called “Haystack” with a view to helping users better understand what sorts of passwords can best protect them from hackers.

Mr. Gibson bases his advice on the premise that, while a stronger password will not necessarily provide 100% security, it will almost certainly keep you ahead of the pack. To use the ‘two people confronted by a lion’ analogy – you don’t need to outrun the lion, you just need to outrun the other person.

Mr. Gibson presents a number of interesting twists on password creation, at times flying in the face of convention. For example, the Haystack site presents the following comparison between two potential passwords:

[Image: Haystack comparison of two passwords – which is stronger?]

Now, I’ll bet you chose the bottom (second) password. Wrong! According to Mr. Gibson, the top (first) password is the stronger of the two. Why? Simply because it is longer. Yes folks, when it comes to passwords, longer is better. And, apparently, it makes little difference whether a long password is simple or complicated. Mr. Gibson also uses this example to show how “padding” (introducing a specific repeated character) increases length, thereby creating a password which is stronger yet easier to remember: “The whole point of using padded passwords is to adopt a much more you-friendly approach to password design.”

Conventional wisdom has always maintained that passwords derive their strength from including a high level of entropy (or randomness). Mr. Gibson says, and I quote: “that . . . is . . . not . . . correct!” He goes on to explain that a password is a complete unknown to the attacker, and that simple length is just as unknown as complex length, and so is equally effective.

It’s a very interesting and thought-provoking read and one which I recommend you take the time to go through. The site also includes a password checker of sorts, although Mr. Gibson emphatically exclaims that it is NOT a “Password Strength Meter”:

This calculator is designed to help users understand how many passwords can be created from different combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.) and password lengths.

I input one of my stronger passwords into the calculator and these were the results:

[Image: Haystack calculator results]

(Sorry Steve, but it looks a heck of a lot like a password strength meter to me) 🙂
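To make the “search space” idea behind the calculator concrete, here is an added example (my own illustration, not code from the article or from GRC). It counts how many candidates an exhaustive search must try for a given password, using the same character-class logic the calculator describes, and compares a short complex password against a long padded one; the two passwords and the three guess rates are constructed assumptions for illustration only.

```python
# Added example: a Haystack-style search-space calculator (not GRC's code).
# The alphabet is the union of the standard character classes the password
# uses; the search space counts every string of length 1..len from that
# alphabet, since an attacker doing exhaustive search does not know the length.
import string

# (name, members, class size) -- the sizes a calculator of this kind uses.
CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation + " "), 33),
]

# Assumed guess rates (guesses per second), constructed for illustration.
ASSUMED_RATES = {
    "online_throttled": 10**3,
    "offline_gpu": 10**11,
    "cracking_array": 10**14,
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of standard classes covering every character used."""
    return sum(size for _, chars, size in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates of length 1 .. len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def seconds_to_exhaust(password: str) -> dict:
    """Whole seconds needed to try the full space at each assumed guess rate."""
    space = search_space(password)
    return {name: space // rate for name, rate in ASSUMED_RATES.items()}


def stronger(a: str, b: str) -> str:
    """Return whichever constructed password has the larger search space."""
    return a if search_space(a) >= search_space(b) else b


if __name__ == "__main__":
    short_complex = "Tr0ub4dor!"                # constructed: 10 chars, all four classes
    long_padded = "correct..horse..battery"     # constructed: 23 chars, lower + symbol
    for pw in (short_complex, long_padded):
        print(pw, alphabet_size(pw), search_space(pw), seconds_to_exhaust(pw))
    print("stronger:", stronger(short_complex, long_padded))
```

The longer password wins by more than twenty orders of magnitude even though it uses only two character classes, which is exactly the point the comparison above is making.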


About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years’ experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.
