
When generating a password, should it be "truly random" or should I make it a little less random by enforcing some rules?

If a password is generated at random, it could come out all-lowercase letters ("password"), or consist of only a few repeated characters ("abababab"). I'm thinking that this could be a problem, since brute-forcing would be easier.

So, what about making sure that a password consists of at least one character from several "classes", e.g. lowercase, uppercase and numbers? Or making sure that all characters are unique?

  • Have a look at http://security.stackexchange.com/q/6095/485 - the xkcd password question - the discussion in there could well answer your question. Not sure if it is 100% a dupe... – Rory Alsop Aug 23 '11 at 07:59
  • A truly random sequence of symbols would not be a password, it would be a key or cryptovariable. A password is a set of symbols easily remembered by a person. If the intended password is too difficult to remember it defeats the purpose of the password. As the entropy (randomness) of the password increases, the sequence becomes increasingly difficult to memorize. – this.josh Aug 23 '11 at 08:25
  • Only if you can remember the password(s) :) – Dog eat cat world Aug 23 '11 at 13:19
  • Another perspective would be that a truly random password would be an implementation of a "cryptovariable" (or whatever). – hippietrail Aug 23 '11 at 14:46

5 Answers


The point of randomness is to gather entropy.

Let's take an example: I choose my password from the 4 first digits of the website plus the character ! and a number consisting of the ASCII number of the first letter.

Example: PayPal -> payp!70 ; amazon -> amaz!65

The entropy of this password is 0, because the method is always supposed to be known, and nothing is random in this scheme.

If you alternate between two passwords, the entropy is 1 bit (2 possible choices).

On the contrary, if I use a 7-letter password generated by random selection, the entropy rises to log2(26^7) ≃ 32.9

(26 possible characters for each position, then expressed in bits)

The more possible (random) characters you add, the more the entropy rises. Each "rule-driven" selection of letters does not add entropy (so for passwords of the same length, entropy is lower).

So in theory this second password has more strength than the previous one with non-alphanumeric characters. The problem with passwords is always the same: remembering the password. This means you need to lower the entropy for yourself. Such algorithms as the first presented above enable you to remember a complex password. The "security" given by this approach is a bet on the attacker not knowing the algorithm (also called "security by obscurity"). This is considered a bad security practice: a targeted attack on you (with knowledge of your scheme) will succeed. But usually it's a concession you make for practical use.

Making sure a password uses alphanumeric characters + case changes + non-alphanumeric characters + ... is a practice driven by the goal of making a password with high entropy against brute force attacks, i.e. attacks which assume no particular scheme in password generation. But for each type of attack your password would have a different entropy, possibly 0.

To conclude, entropy remains a theoretical measure of password strength; in real life crackers will use a given method based on assumptions. So even if a truly random 6-character password is considered equally secure whether it contains only lowercase letters or both cases, in practice crackers may choose a method that will lower it.

M'vy (edited by Paul Wagland)

A password should have a sufficient degree of entropy. Any aspect of the password that is truly random contributes to entropy, while aspects that do not are relatively worthless in terms of entropy (although they may aid in memorizing the password).

For example, if you have a password that is known to come from a dictionary of 1024 existing words, then you have 10 bits of entropy (2 ^ 10 = 1024), even though the password itself contains a lot more bits. OTOH, if you have a password consisting of 8 random characters from a set of 64, then that's 48 bits of entropy (6 bits * 8 characters).

Also note that in order to retain the full entropy, you need to use a cryptographically strong RNG (most general-purpose RNGs are partially predictable, which is enough to severely reduce the strength of the resulting passwords), and you have to accept the first password it produces - if you keep generating passwords until you get one you like, you're again reducing entropy.

And be sure to read the discussion Rory Alsop linked to - it explains password strength and entropy in great detail.

tdammers
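The two answers above quote figures (log2(26^7) ≃ 32.9 bits, 10 bits for one of 1024 words, 48 bits for 8 characters from a set of 64) and warn that generating with a non-cryptographic RNG, or re-rolling until you like the result, loses entropy. The Python below is an added example, not code from any answer on this page: it computes those figures, then puts a number on the question actually asked, i.e. how many bits an "at least one lowercase, one uppercase, one digit" rule costs, by counting the rule-satisfying strings with inclusion-exclusion. The generator draws from `secrets` (a CSPRNG) and rejects candidates that break the rule; the function names and the three-class rule are my own assumptions.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes used in the worked numbers below (constructed example input).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits


def uniform_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password whose every position is drawn uniformly
    and independently from an alphabet of the given size: log2(N^L) = L*log2(N).
    A 1024-word dictionary is the special case alphabet_size=1024, length=1."""
    return length * math.log2(alphabet_size)


def count_with_all_classes(classes, length: int) -> int:
    """Number of strings of the given length over the union of the (disjoint)
    classes that contain at least one character from every class.
    Inclusion-exclusion: subtract strings missing one class, add back strings
    missing two, and so on."""
    total_size = sum(len(c) for c in classes)
    count = 0
    for r in range(len(classes) + 1):
        for excluded in combinations(classes, r):
            remaining = total_size - sum(len(c) for c in excluded)
            count += (-1) ** r * remaining ** length
    return count


def constrained_entropy_bits(classes, length: int) -> float:
    """Entropy of a password drawn uniformly from the rule-satisfying strings only.
    Enforcing the rule can only shrink the candidate set, so this is never more
    than uniform_entropy_bits(sum of class sizes, length)."""
    return math.log2(count_with_all_classes(classes, length))


def satisfies_rule(password: str, classes) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(classes, length: int) -> str:
    """Draw with a CSPRNG (secrets) and reject candidates that break the rule.
    Rejection sampling keeps the accepted password uniform over the
    rule-satisfying set, so its entropy is exactly constrained_entropy_bits()."""
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_rule(candidate, classes):
            return candidate


if __name__ == "__main__":
    classes = (LOWER, UPPER, DIGITS)
    print(f"7 random lowercase letters:  {uniform_entropy_bits(26, 7):.1f} bits")
    print(f"1 of 1024 dictionary words:  {uniform_entropy_bits(1024, 1):.1f} bits")
    print(f"8 random chars from 64:      {uniform_entropy_bits(64, 8):.1f} bits")
    print(f"8 chars from 62, no rule:    {uniform_entropy_bits(62, 8):.2f} bits")
    print(f"8 chars from 62, all 3 classes required: "
          f"{constrained_entropy_bits(classes, 8):.2f} bits")
    print("sample:", generate_password(classes, 8))
```

For 8 characters over the 62-character alphabet the rule removes only about 0.45 bits (roughly 47.6 down to 47.2), so the "all-lowercase" or "abababab" outcomes the question worries about are not worth much entropy: they are simply rare. The design point is that rejection sampling leaves the accepted password uniform over the rule-satisfying set, which is what makes the computed figure exact; the common shortcut of picking one character from each class and shuffling does not produce a uniform distribution. A human re-rolling "until it looks good" is also rejection sampling, but against a filter nobody can count, which is why tdammers says to accept the first output.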

As stated, the point of "randomness" is to increase entropy. The math supports it, but we don't need to get in to that. I'll address this topic simply.

People started saying "make a random password" as use of the internet dramatically increased and people were using things like their birthday, password1, and other common, easy-to-guess words and phrases.

Random in this sense means words and characters that aren't easy to deduce through simple research about you (or the things laying on your desk), such as in the XKCD comic so popular now (correct horse battery staple literally means nothing, thus for password reasons it is "random").

Direct answer: probably not. If you're thinking "generate random characters in a sequence" that's fine, but you will have a hard time remembering it and will probably have to do something not entirely safe (like write it down). It's important to remember you don't, and most people probably shouldn't, generate random characters and throw them together, but make a password whose topic cannot be guessed ("random") and follows some rules (such as length and different types of characters).

If you look at the passwords tag you'll find lots of hints on how to make passwords.

Joe Hansen

Most human generated passwords are more than averagely predictable, with some characters and sequences more frequent or in more predictable sequences such as dictionary words. Because of this, hackers develop algorithms for optimized sequences to test passwords in brute force attacks. In other words, they try the most frequently used passwords first, then test for dictionary words, then append numbers on the end etc.

So the best password is Pseudo-Random. That means it is generated from a random number generator, and then subjected to an anti-algorithmic algorithm, e.g. in case 123456 pops up purely by chance, and to make sure that typical known hacker strategies will be ineffective.

Most people think that the more complex a password is, the harder it is to remember. But here I disagree, and I invite you to see for yourself at my website. www.passwordgear.com

  • Hi @Christopher, welcome to [security.se]! It is considered good form to disclose your association with any sites you link to... see [FAQ#promotion]. Please edit accordingly... – AviD Sep 18 '11 at 10:09

I don't know if this is a solution or not, but I thought a lot about my own passwords, and what I tend to do is have a prefix. This is not random and can be something like "kX=!" (the " is not included). What I do afterwards is take my first impression of a site; for example, your first impression of Google can be Lego (because of the colours perhaps?!). What you do then is take the prefix and add the word "lego". What I then do is switch out the letters E and O with 3 and 0, leaving it at kX=!l3g0. This does have a prefix, and if the prefix is guessed, you just have to guess the following "personal word". I think this word is quite impossible to guess, and you have to know Lego.

It is not bulletproof, but for passwords for gmail, facebook etc, it is a good way to remember your passwords by. :)

psalomonsen
  • as long as your first impression of a site is always the same, which in my case is not unfortunately... – UncleZeiv Sep 05 '11 at 23:37