Passphrase using same word several times

Question

I used a trivial 3-letter dictionary word five times in a row (smth similar to pwdpwdpwdpwdpwd), and am surprised to find my self in the list of hacked accounts in a penetration test using a dictionary attack. I did pass the bruteforce attack though.

After reviewing the entropy of the idea of joining repeated words in a password I am no longer surprised. Here's my simple analysis as I understand it: (top part of blog entry, and sorry if it is a bit trivial, I'm trying to explain to my GF(non-math person) various aspects of IT)

Question: Is there any conceivable situation in which repeating a word in a password to reach >15 characters usefully gives more security?

Example idea:

1. pwd= "pneumonia" (9 char) => pwd(15)= "pneumoniapneumo" (15 char)
2. pwd= "cherrycake" (10 char) => pwd(19)= "cherrycakecherrycak" (19 char)
3. pwd= "aliens" (6 char) => pwd(15)= "aliensaliensali" (15 char)

Perhaps the concept of using a short pwd/passphrase and repeating it to some cut-off point (remember number of chars or last cut-off letter) is a viable password approach?

Answer 1

Your analysis is correct in this: randomness is everything. The attacker will try "potential passwords" and will be defeated only by choosing your password in a large enough set, so that the number of "potential passwords" far exceeds what the attacker may practically try with the computing power and free time available to him.

In practice, repeating the same word several times is a classic trick, which many people use because of the widespread myth that longer passwords are stronger: this is wrong, but many people nonetheless believe it. Since many people follow the repeated-word strategy, password cracking tools follow it, too.

Therefore, the best you could hope for the entropy of a repeated-word password is the sum of the entropy of the base word, and the entropy of the repeat count (or total password length)(this is a sum because I am expressing the entropy in bits, which is a logarithmic scale). For instance, if you choose the base word in a list of a bit more than 30000 possible words (which is an already quite large vocabulary, by today's standards), then that's 15 bits for the base word. If you then repeat the word to achieve any length between 12 and 27 characters, with the length being chosen randomly, then that's 4 extra bits (16 choices for the length), for a grand total of 19 bits of entropy -- i.e. not a lot of entropy after all.

An extra point to consider is that password length may leak. Not in the hash, but in other contexts:

• "Shoulder surfers" may have a peek at your screen when you type the password. They will only see a collection of bullets (password entry fields are hidden), but they could see how many such bullets appear, yielding the password length.

• In a similar context, people within earshot may try to work out the number of keystrokes, there again yielding the number of passwords.

• In an HTTPS context (i.e. a login form of the Web), the password you type will be sent into the SSL tunnel, encapsulated in a Web form. Eavesdropper on the line will not be able to see the password (SSL does encryption) but they will be able to see the length of the HTTP request, because data length leaks from SSL (with single byte accuracy when an RC4-based cipher suite is used, as Web servers are prone to enforce in a slightly misguiding attempt at defeating the BEAST attack -- which does not work anymore, by the way).

---

Summary: the repeated-word strategy does not yield a lot of extra security, possibly none at all if the password length has leaked, which happens in several password usage contexts. As such, this strategy is not a good usage of the user's willingness to type a complex or long password (and that is a scarce resource).

Answer 2

"Is there any conceivable situation in which repeating a word in a password to reach >15 characters usefully gives more security?"

Yes.

---

I'm not entirely sure that I agree with your blogpost. Both length and randomness add reslience to a password; of the two, length is far cheaper than randomness. How much depends on the attack techniques and motivations of your adversary. If your only goal is to survive an opportunistic attack (to be better than the other guy), then length has the cost benefit analysis. If your goal is to survive a targeted attack, then the password is your problem - you need to move to a higher assurance credential.

You might want to read Steve Gibson's analysis of Password Haystacks.
Update The relevant quote is about 2/3 of the way down the rambling, disorganized page,

Once an exhaustive password search begins, the most important factor is password length!

Just as importantly read technoprobe's criticism of the Haystacks argument. Here the core concept is that the attacker will adapt their strategy based on knowledge of the defender's technique. 'Assuming' that the attacker's motivations require adaptation.

It may also be relevant to your question to read what SEC:SE seems to acknowledge as the seminal work on password length. The argument here isn't purely for length, but again, making reasonable assumptions about the attacker's strategy (and assuming that the attacker does not adapt his tactics in response to you publishing yours), the argument is that length can contribute more than complexity in increasing password resiliency.

You asked if there were situations where length mattered more than complexity. Yes, there are. The more vital question is whether those situations are common, and whether the situation you face is one of those situations.