A Guide to Stronger Passwords – How Big is Your Haystack?

“Every password you use can be thought of as a needle hiding in a haystack” ~ Steve Gibson

Renowned security expert Steve Gibson has recently created a new component of the GRC (Gibson Research Corporation) site called “Haystack” with a view to helping users better understand what sorts of passwords can best protect them from hackers.

Mr. Gibson bases his advice on the premise that, while a stronger password will not necessarily provide 100% security, it will almost certainly keep you ahead of the pack. To use the ‘two people confronted by a lion’ analogy – you don’t need to outrun the lion, you just need to outrun the other person.

Mr. Gibson presents a number of interesting twists on password creation, at times flying in the face of convention. For example, the Haystack site presents the following comparison between two potential passwords:

Now, I’ll bet you chose the bottom (second) password. Wrong! According to Mr. Gibson, the top (first) password is the stronger of the two. Why? Simply because it is longer. Yes, folks, when it comes to passwords, longer is better. And, apparently, it makes little difference whether the password is simple long or complicated long. Mr. Gibson also uses this example to show how “padding” (introducing a specific repeated character) increases length, thereby creating a password which is stronger yet easier to remember: “The whole point of using padded passwords is to adopt a much more you-friendly approach to password design”.

Conventional wisdom has always maintained that passwords derive their strength from a high level of entropy (or randomness). Mr. Gibson says, and I quote: that . . . is . . . not . . . correct! He goes on to explain that a password is a complete unknown to the attacker, and that simple length is just as unknown as complex length, and so equally effective.

It’s a very interesting and thought-provoking read, and one which I recommend you take the time to go through. The site also includes a password checker of sorts, although Mr. Gibson emphatically exclaims: It is NOT a “Password Strength Meter”:

This calculator is designed to help users understand how many passwords can be created from different combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.) and password lengths.
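An added example (not code from GRC’s Haystack page) of the kind of calculation the post describes: the alphabet is the union of the character classes present in the password, and the “haystack” is every string over that alphabet from length 1 up to the password’s own length. The 33-symbol count (space included), the guess rates, and the sample passwords are all assumptions constructed for the illustration.

```python
# Added example, not GRC's own code: a search-space ("haystack") calculator
# following the model the post describes. The alphabet is the union of the
# character classes present in the password; the haystack is every string
# over that alphabet of length 1..len(password), since an attacker exhausting
# shorter lengths first must also try them.
import string

# Class sizes: 26 + 26 + 10 + 33 = 95 printable ASCII characters.
# Counting the space as a symbol (33 rather than 32) is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",
}

# Assumed guess rates (not given on this page) for three attacker scenarios.
RATES = {
    "online (1,000/s)": 1e3,
    "offline (100 billion/s)": 1e11,
    "cracking array (100 trillion/s)": 1e14,
}


def alphabet_size(password: str) -> int:
    """Alphabet implied by the character classes actually used."""
    if not password:
        raise ValueError("empty password")
    for c in password:
        if not any(c in chars for chars in CLASSES.values()):
            raise ValueError(f"character {c!r} is outside the modelled alphabet")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def haystack_size(password: str) -> int:
    """Number of candidates of length 1..len(password) over that alphabet."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def exhaustive_search_seconds(password: str) -> dict:
    """Worst-case seconds to try every candidate, per assumed guess rate.
    This models exhaustive search only: dictionary or pattern-based guessing
    of a padded password is not captured by haystack size."""
    size = haystack_size(password)
    return {name: size / rate for name, rate in RATES.items()}


if __name__ == "__main__":
    # Constructed samples mirroring the post's comparison: a short password
    # drawing on all four classes vs a long, padded, simple one.
    for pw in ("Tr0ub4d&3", "dog" + "." * 20):
        print(pw, alphabet_size(pw), haystack_size(pw), exhaustive_search_seconds(pw))
```

With these samples the padded 23-character password has a far larger haystack than the 9-character mixed one, which is the point the post makes.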

I input one of my stronger passwords into the calculator and these were the results:

(Sorry Steve, but it looks a heck of a lot like a password strength meter to me) 🙂


2 thoughts on “A Guide to Stronger Passwords – How Big is Your Haystack?”

  1. Fascinating! I have been a fan of Steve Gibson for many years and respect his advice. All these other advisers talk about all the things you need to do to get a good password. There is no way to follow their advice and remember the password. Then Steve came up with a simple suggestion, that I know he researched, to just lengthen the password. Use whatever you want and pad it with nonsense characters you can remember.
    Oh, I am going to change a few that I have to enter repeatedly.
