Skip to content

Password Security

In the realm of blockchain security, protecting passwords is paramount. To ensure your data and everything it represents remain impervious to unauthorized access, let's delve into the nuances of password security.

Password Strength

Likely enough, you may have previously encountered recommendations on how to come up with a strong password. These may entail such advice as minimum password length, addition of special characters, etc. Such recommendations aim to increase the strength of your password that hinges on entropy, i.e. randomness of the password.

So, what defines a strong password? A strong password is a password with high entropy.

To calculate the entropy of a password, we may follow the Entropy formula:

Entropy formula

— Password length; number of symbols in the password.
— Character set; size of the pool of unique possible symbols.
— Number of possible combinations.

The resulting number is the amount of entropy bits in a password. The higher the number, the harder the password is to crack.

Knowing the entropy value, the amount of attempts required to brute-force a password with said entropy can be derived by using the following formula:

There is no universal answer as to how high the entropy of a password should be. For financial organizations, it is advised to keep the entropy of their passwords in the range from 64 to 127 bits (128 bits or more is generally considered to be an overkill). However, keep in mind that GPUs keep constantly evolving, and the time required for password cracking keeps decreasing over time.

Following the entropy formula, let us compare the following two examples:

  1. A 16-character password with the character set utilizing only lowercase letters of the modern English alphabet (26 characters) yields approximately 43 sextillion () possible combinations.
$$Entropy=log_2(26^{16})=log_2(43,608,742,899,428,874,059,776)=75.20703...$$
  1. A 16-character password with the character set expanded to 96, including uppercase letters and special symbols, inflates the number of possible combinations to a staggering 52 nonillion (), improving entropy significantly.
$$Entropy=log_2(96^{16})=log_2(52,040,292,466,647,269,602,037,015,248,896)=105.35940... $$

As can be seen, even by only expanding the character set from 26 to 96 symbols, the number of possible combinations that a malicious party would need to bruteforce has expanded by times.

Additionally increasing the length of the password, will grow the number of possible combinations even further, therefore enhancing the entropy—strength—of the password.

However, instead of wrestling with complexities, we advise using a password manager program—like KeePassXC (for more details, see Adding a Password Manager Program and Configuring KeePassXC)—to generate and securely store your passwords.

TIP

Certain websites limit the maximum possible entropy of passwords, i.e., either limit the maximum password length or the set of accepted characters, or both.

Keep this in mind when using such websites and aim to periodically update your passwords.

Password Vulnerabilities

Passwords can fall victim to brute-force attacks, typically executed using powerful GPUs in conjunction with dictionaries or exhaustive iteration through all possibilities. To thwart such attempts, craft a unique password devoid of personal information like birthdays, addresses, phone numbers, or social security numbers. Avoid providing attackers with easily guessable clues.

So, how hard it is to crack a modern password? It really depends on who you ask.

With a setup like Kevin Mitnick's cluster setup housing 24 NVIDIA® GeForce RTX 4090's and 6 NVIDIA® GeForce RTX 2080's, all of them running Hashtopolis software, he used to crack passwords that supposed to take a year in mere half a month.

However, let's now compare it to a single RTX 4090, capable of processing through 300 H/s using NTLM and 200 H/s using bcrypt, as outlined in this tweet.

As an extension of our previous entropy calculations, let's now examine the following projected cracking times:

  1. There are seconds in a regular non-leap year. Assuming the worst-case scenario with NTLM, at the speed of H/s, it would take a single RTX 4090 approximately years to crack a 16-character password with a character set of 26 letters of the modern English alphabet.

  2. If instead of NTLM we use bcrypt, therefore reducing the iteration speed to H/s, while also expanding the character set to 96, including uppercase letters and special symbols, the time to crack soars to about years, far surpassing the age of the universe.

So, simply picking higher entropy raised the time it takes to crack a password to unfathomable numbers. Yes, the process may be sped up by using multiple GPUs, however this method pales in comparison with the XKCD approach.

It is important to note that an extensive character set isn't always necessary to reach high entropy. It can be obtained by using multi-word passwords, or lengthy sentences in particular. The classic XKCD comic illustrates this concept eloquently.

WARNING

Avoid writing your password down anywhere. Store your password recovery phrase securely. If the phrase is too long, you may write it down, ensuring that you can read it out and type it out later. Store the physical copy of the phrase in a secure location and/or container.