Blog

The Math Behind a Strong Master Password

Did you know?

A master password is a single password used to access multiple accounts or systems such as a password manager account or a secure keystore enclave that stores an organization's private keys. A strong master password is exceptionally critical since, in the case of a password manager account, unauthorized access could mean giving up the "keys to the kingdom" so to speak.

In addition to a master password's potential risk, its owner may be required to actually remember it, especially in the case of a password manager, while other service account passwords may just be stored within the password manager itself. It's worth mentioning that password managers should absolutely use multi-factor authentication such as one-time passcodes (OTP), biometric authentication, or hardware security tokens to add layered protection.

In today's blog, we cover some technical details to keep in mind if you want to choose a resilient password.

Master Password Length

Longer passwords are more resilient against brute-force attacks. Also, as computing power grows password and encryption key lengths must adapt and increase to remain safe.

Using the current standards, a password of 8 characters can be cracked within seconds to minutes, while a 12-character password may take hours to days. Increasing the length to 16 characters increases the average time for brute-forcing to several months, and a 20-character password could take decades to crack. A 256-bit AES encryption key, often used for safeguarding sensitive data, could take billions of years to crack even with a supercomputer.

As a general guideline, a safe password length is typically recommended to be a minimum of 14 to 16 characters.

What is Password Keyspace?

Keyspace is the total number of possible combinations that can be generated from a password ruleset and depends on both the ruleset's length and the variety of characters used.

Using just numbers (0-9) for a password, referred to as base 10, offers limited keyspace. Incorporating uppercase and lowercase letters expands the keyspace to base 62 (10 numbers, 26 uppercase, and 26 lowercase letters). Adding special characters, enlarges the keyspace even more, achieving a base between 92 and 102.

Here is the formal equation for calculating keyspace:

keyspace size = (number of possible characters)^(password length)

The maximum keyspace that a password can have is determined by the particular authentication system's architect. The designer sets the required password lengths and whether special characters are allowed or required. However, the end-user is responsible for making their password strong within those rules.

High Entropy is the Ultimate Goal of a Strong Master Password

Entropy measures the total amount of potential uncertainty or unpredictability that a password policy offers. Entropy depends on keyspace - and is commonly expressed in bits, and it is calculated using the following formula:

Entropy (in bits) = log2(N^L)

Where:

  • N is the number of possible characters

  • L is the password length

Entropy is an important factor for application developers, but setting a password policy with entropy-friendly keyspace doesn't guarantee that users will set secure passwords. As we will discuss next, a candidate password's randomness is also related to its level of protection.

Enforcing password randomness is more complex than setting minimum password keyspace, leading to a potential weakness in many authentication systems.  Randomness is typically left up to the discretion of the end-user -  who may try to game the app's password requirements to create a password that's easy to remember. 

Measuring Randomness Quantitatively

Along with high keyspace, randomness is the second most important factor in making a master password resilient to brute-force attacks. Computer science measures randomness as statistical unpredictability. For example, the Chi-squared test is commonly used to quantitatively measure randomness using character distribution and patterns. AI and ML algorithms can also assess password structure and calculate its randomness. 

A password candidate such as "JohnathanDoe2001!!" might technically meet a system's complexity requirements because it is sufficiently long and includes lowercase and capital letters, numbers, and special characters. However, the password has very weak overall randomness because the letters, numbers, and special characters are grouped together and the capital letters are only applied to the first letter of each word. The password is especially weak because it includes commonly used words such as someone's name making it susceptible to a dictionary attack.

However, system architects can enforce randomness by configuring rules that prevent users from creating passwords that contain known words or have too many numbers or letters in a row. Password generators are designed to maximize entropy by randomly selecting characters but remembering a completely randomized 14-character password could prove to be a challenge and writing down passwords has its own risks.

Calculating Time to Crack a Strong Master Password

Let's take a mathematical approach to password security. The average time required to crack a password that uses truly random characters can be estimated using the following equation:

time = (keyspace size) / (guesses per second)

If a password has a keyspace size of 56^8 (approximately 3.88 quadrillion possibilities) and a powerful supercomputer can make 10^12 (1 trillion) guesses per second, it would take approximately 3.88 million seconds (or around 45 days) to crack the password on average. However, it would take the average computer making 100 million guesses per second an astronomically long time, equivalent to over 1.22 trillion years, to crack the password on average.

If a password has a keyspace size of 90^14 (random 14 characters with special characters) a powerful supercomputer making 1 trillion guesses per second would take approximately 176,000 years to crack it.

Passphrases Are Low Entropy

A passphrase is a phrase or sentence used as a password. Passphrases offer a balance between security and convenience by increasing password length while remaining memorable. However, passphrases are more prone to dictionary attacks due to the use of common words. This vulnerability can be mitigated by using something known as "leetspeak" replacing letters with numbers or special characters, to increase keyspace and entropy.

Still, the leetspeak patterns are somewhat predictable and are well-known by attackers. While passphrases are a convenient option, they should be used cautiously, especially if using common words or phrases.

Conclusion

"Master passwords" are single passwords used to gain access to multiple accounts or systems, making them a crucial aspect of cybersecurity. Their strength is determined by two main factors: potential entropy and actual randomness.

The ultimate goal for master passwords is high entropy, achieved through length, varied characters, and high randomness, preferably generated using a random password generator, and it's important that application architects not only set password policy requirements with high enough entropy to discourage brute-force attack but also ensure that users are actually creating passwords with a high degree of randomness. Although passphrases may be easier to remember, they have lower entropy and are more susceptible to dictionary attacks. 

Looking for more ways to strengthen your organization's security posture? Our team is one click away.

Featured Posts

See All

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

September 26 - Blog

Blackwood APT Uses AiTM Attacks to Target Software Updates

Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.