Opinion

When your brain runs out of memory

Back in the Middle Ages, a password was exactly what it said: a simple word that could be used to gain access to a castle, a secret meeting or any other closed area. These days it’s less likely to be a word, but rather a string of characters like “hTfd4Xz”.

There are situations where passwords don’t need to be very complex, since the user will be forced to wait a couple of seconds after each attempt (e.g. when logging on to a server), or because the system will block further attempts after a wrong password has been entered several times (e.g. ATMs). This means that simply trying all possible variants (a brute force attack) isn’t going to be very useful.

However, the story’s very different for encrypted storage devices – if they fall into the wrong hands, an attacker can just plug them into his computer and try out all passwords without any limitations.

Most encryption programs don’t ask the user to enter the encryption key itself, but a password which is then used to generate the final key. Like any password, one for an encryption program should be relatively complex. A hundred years ago a password like “King Richard” would have been adequate. But today it could be cracked within seconds, using a dictionary attack.

Just ten years ago, 40-bit keys and passwords were seen as “secure enough”. But once again, today it would take just a couple of hours to try all the possible variations.

Nowadays, 128 bits should be the minimum and 256 bits is becoming the standard. This is where the problem lies: if the data itself is protected using a 256-bit key, the password should be the same length, otherwise the high-level encryption itself is useless.

Let’s assume that upper case, lower case and numbers are all valid password characters – that gives 62 possibilities per position. With 43 positions, there are about 1.18e+77 possible variants, which is close to a 256-bit key (1.15e+77 possibilities). But who can memorize a password with 43 characters, for example “jZ85xfbgGjf52d2sS8gd43ahfFR5rG3qZ4wF425FfVf”? And who has enough time to even type such a random string of letters and numbers? Such passwords are also hardly likely to motivate users to change them regularly, which is of course recommended.
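The arithmetic in the paragraph above, generalized to other key lengths and password lengths, as an added example that is not part of the original article. It assumes every character is chosen uniformly at random; the function names and the rate of 10^8 guesses per second are illustrative assumptions.

```python
import math

def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size: int, key_bits: int) -> int:
    """Shortest random password with at least 2**key_bits variants."""
    # Integer arithmetic: no float rounding right at the boundary
    # (62**43 exceeds 2**256 by only about 2%).
    length, variants = 0, 1
    while variants < 2 ** key_bits:
        variants *= alphabet_size
        length += 1
    return length

def effective_bits(alphabet_size: int, length: int, key_bits: int) -> float:
    """An attacker searches the smaller space: passwords or raw keys."""
    return min(password_bits(alphabet_size, length), float(key_bits))

def hours_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every variant at a fixed offline guess rate."""
    return 2 ** bits / guesses_per_second / 3600

ALPHABET = 62          # upper case + lower case + digits, as in the article
ASSUMED_RATE = 1e8     # guesses per second: an illustrative assumption

if __name__ == "__main__":
    for key_bits in (40, 128, 256):
        print(f"{key_bits:3d}-bit key -> {min_length(ALPHABET, key_bits)} random characters")
    for length in (7, 8, 22, 43):
        bits = effective_bits(ALPHABET, length, 256)
        print(f"{length:2d} chars protect a 256-bit key with {bits:6.1f} bits, "
              f"exhausted in {hours_to_exhaust(bits, ASSUMED_RATE):.3g} hours")
```

A password shorter than the minimum length caps the effective strength at the password's own entropy, whatever the key size of the cipher.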

So what other options are there? Tips like creating passwords using the initial letters of easy-to-memorize sentences (e.g. “My cat likes to bounce off my furniture” -> “Mcltbomf”) aren’t very helpful – the statistical likelihood of certain letters occurring decreases the randomness of such a password, and therefore its usefulness. Such passwords might make the user feel better, but they don’t provide any real security.

Let’s face it: the power of today’s decryption technologies has overtaken our ability to memorize complex passwords. Until someone invents a way to extend human memory, a password stored on a USB token or other device is the only answer – with the associated risk that the device might be stolen together with your encrypted data.

It’s sad, but true – when it comes to data encryption, the password has had its day.
