How to make a maximum entropy password
Chris De Corte
[email protected]
October 12, 2016
1 Key-Words
Entropy, password, weak, strong, bits, brute force attack. [1].
2 Introduction
In this short paper, I want to describe 2 methods by which one can generate one's own completely random password and calculate for oneself how strong that password is. One method uses a computer program (MS Excel), the other is done manually. Furthermore, I will give tips about how to store or hide your password. This paper is written for the novice scientist.
3 Password Entropy
Password entropy is defined as a password’s randomness, in regards to how difficult it would be to crack [2].
$$\text{Entropy(bits)} = \#\text{Chars} \cdot \log_2(\text{combinations}) \quad (1)$$

$$\text{Cracking time(years)} = \alpha \cdot 2^{\text{Entropy(bits)}} \quad (2)$$
In the first formula, the password entropy is calculated from the number of characters in the password ("a", ";", "Z", ...) and the number of combinations that are apparently possible for each of them. With this "apparently", I mean that I could well make a password using only the last 3 letters of the alphabet in capitals ("X", "Y", "Z"), but for an attacker who doesn't know this, it would still seem as if I had used all 26 letters of the alphabet in small and capital combinations. Of course, for this attacker, the number of combinations to crack my password would be much higher than the number of combinations I had to create it.

The second formula uses the entropy calculated in the first formula to arrive at the cracking time an attacker would need to crack my password. Of course, this cracking time will depend on the power of the attacker's computer, and therefore the formula is linked to a constant α that depends on the processing power and is different for each computer.

When one wants to generate a maximum entropy password, 2 factors play a role: first, the purpose is to use as many different characters as possible, and second, it is necessary to mix them with as much randomness as possible. In the examples below, we will use what is called the Base-75 character set, consisting of: 26 small letters (a-z), 26 capital letters (A-Z), all digits (0-9), and 13 special characters.

About the randomness, there is an issue with computers, as they use an algorithm to achieve randomness. Now, an algorithm is never random, as it is a complex formula that is applied many times starting from an initial value (the seed). So, theoretically, if one knows the seed and the formula used in a certain computer program, one could run the same program as many times as necessary until it hits the password that was used.
4 Generating a password in Excel
For achieving randomness, MS Excel uses the rand() function. This rand() function has the reputation that it can't be seeded, and I have found no documentation about how its seed is generated. Nevertheless, before using the rand() function to select the characters for my password, I have put all 75 possible characters in a random position using the same rand() function. For this, I have calculated for each character a random number between 1 and 1000 and afterwards sorted the characters on this random number. This step of sorting all 75 characters into a random position is demonstrated in figure 1.

As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years. So, in the next step, I have used the goal seek tool in MS Excel together with formula 2 to derive the constant α. This is shown in figure 2.

In the next step, I have calculated a random offset number to determine where in the random character set I will start picking up characters for my password. I have used passwords of different lengths and calculated the respective cracking time. Starting from passwords with 12 characters, the cracking time is more than 800 years, and hence the password is almost impossible to crack. This is shown in figure 3.
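As an added example (not part of the paper and not the author's Excel sheet), the following Python script carries formulas (1) and (2) through for the Base-75 set, solves α in closed form from the distributed.net figure instead of with goal seek, and draws the characters from a cryptographic random source instead of rand(). The 13 special characters are an assumption, since the paper does not list them; the script also shows how much entropy is lost when consecutive characters are taken from one shuffled set without putting any back, which is what picking from an offset in the sorted column does.

```python
import math
import secrets
import string

# Base-75 set from the paper: 26 small letters, 26 capitals, 10 digits and
# 13 special characters. The paper does not list the 13 specials, so the
# choice below is an assumption of this example.
SPECIALS = "!@#$%^&*()-_="  # assumed; exactly 13 characters
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIALS

# Reference point quoted in the paper: a 72-bit key takes 124.8 years.
REFERENCE_BITS = 72
REFERENCE_YEARS = 124.8


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Formula (1): Entropy(bits) = #Chars * log2(combinations)."""
    return length * math.log2(alphabet_size)


def entropy_bits_no_repeat(length, alphabet_size=len(ALPHABET)):
    """Entropy when consecutive characters are taken from one shuffled set,
    so no character can repeat: log2(75 * 74 * ... * (75 - n + 1))."""
    return sum(math.log2(alphabet_size - i) for i in range(length))


def alpha():
    """Constant of formula (2), solved directly instead of with goal seek:
    alpha = years / 2**bits at the reference point."""
    return REFERENCE_YEARS / 2 ** REFERENCE_BITS


def cracking_years(bits):
    """Formula (2): Cracking time(years) = alpha * 2**Entropy(bits)."""
    return alpha() * 2 ** bits


def generate_password(length):
    """Pick characters with replacement from a CSPRNG (secrets), which
    does not expose a seed the way a spreadsheet rand() does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"alphabet size {len(ALPHABET)}, alpha = {alpha():.3e} years")
    for n in range(8, 17):
        years = cracking_years(entropy_bits(n))
        years_nr = cracking_years(entropy_bits_no_repeat(n))
        print(f"{n:2d} chars: {entropy_bits(n):6.2f} bits, "
              f"{years:11.2f} years (no repeats: {years_nr:11.2f})")
    print("sample:", generate_password(12))
```

For 12 characters the with-replacement figure lands at about 837 years, which is the "more than 800 years" the text reports; taking the same 12 characters from one shuffled set without repeats gives about 73.4 bits instead of 74.7.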
5 Generating a password manually
Of course, in the modern world with all its hacking possibilities, the best way to create your passwords is manually. For this, you could for example create wooden chips for all 75 characters as in figure 4. Then, you could throw them in a box, mix them up and start randomly picking out chips and writing down their characters (figure 5). It is up to you whether or not to throw each chip back in the box after you have taken it out. Anyway, a potential hacker wouldn't know this and would have to scan for the worst case scenario.
6 Common remarks
Once you have determined your passwords for your different mailboxes, ... you will have to write them down somewhere. As an extra step, you could replace the character at a certain position in your password with a character that you will not easily forget, for example the first letter of the website for which this password will be used. This is shown in figure 6. As a further step, you could also replace the character at another fixed position with a fixed character that you keep in your mind. You might only do that when you type in the password on the website and not in the written-down version, to be on the safe side. To make it completely paranoid, you could hide your passwords under a random angle in a picture or in different pictures. We know which passwords are for which web service as we know the position (in this case 3) where we have stored this information. Next, we save the picture with a different extension and store it in an unrelated folder of a cloud service like Dropbox, Google Drive, ...
7 References
1. https://en.wikipedia.org/wiki/Password_strength
2. https://ritcyberselfdefence.wordpress.com/2011/09/24/how-to-calculate-password-entrop
3. Wikipedia. Random seed.
4. Wikipedia. Pseudorandomness.
5. https://www.ablebits.com/office-addins-blog/2015/07/08/random-number-generator-excel/
Figure 1: In this figure we show how we first list all characters of the set and add a random number next to each of them that we call "sort index". Afterwards we sort on this random number. The new column F will be used to randomly pick characters out.
Figure 2: As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years. So, in the next step, I have used the goal seek formula in MS Excel together with formula 2 to derive the constant α.
Figure 3: In this figure we offset with a random number from our randomly positioned character set to determine the passwords for different lengths. We demonstrate the years it will take to crack the password.
Figure 4: In this figure we show the different blocks we use to make up our password.
Figure 5: In this figure we show how we mix the blocks in the box so that they end up in a random order.
Figure 6: In this figure we replace the character at a certain secret position with another character that we can well remember and that we preferably don’t write down anywhere.
Figure 7: In this figure we hide our passwords under a random angle in a picture. We save the picture with a different extension and store it in a cloud service like Dropbox, Google Drive, ...