Randomizing Password Length - Worth It?

Ledgem

I'm not a security expert by any stretch, but a thought occurred to me recently that I wanted to run by people with more understanding.

When it comes to password cracking, the more information you can provide about the password, the easier the password is to crack. Randomizing characters and expanding the character set makes the guesswork difficult, but there's another unknown factor to the password cracker: the password length. A longer password is obviously more difficult to crack than a shorter password, but a long password of unknown length is harder to crack than a long password of known length. The reason is that if you know that a password is 30 characters in length, you can skip all of the password combinations that were shorter than 30 characters.

This may also be a bit of a philosophical or situational issue to consider. If your account information just happens to be a part of a website breach then it's unlikely that an attacker will be brute-forcing with the assumption that everyone has the same password length. In that case, going for the longest password possible is ideal. On the other hand, if you're specifically being targeted then having a long password of unknown length (say, somewhere between 30-50 characters, with the exact number being unknown) would be stronger than simply setting the password generator to 50 each time.

Is there any merit to this idea? Would security be improved if 1Password were to make the password length randomized, as well?

jpgoldberg

This is a great observation, @Ledgem‌!

All other things being equal, keeping the length secret would add to the
strength, but it turns out that when you do the math, the gain from the kind of
scheme you suggest would be small in comparison to the disadvantages.

Let's work though some specific examples for help illustrate what the gain is.
Let's consider passwords that are randomly generated letters and digits. There
are 52 (upper and lowercase) letters and 10 digits for a total of 62 characters. Now lets contrast two schemes:

1. A random 15 character passwords picked
2. A password length, L, between 10 and 14 is picked, and then password of length L is picked.
   With the first scheme there are 62^15 possibilities. Let's call that number "Fred". With the second scheme there are 62^10 + 62^11 + 62^12 + 62^13 + 62^14. Let's call this second number "Barney".

Now it turns out that Fred is going to be a larger number than Barney. Fred is about 60 times bigger than Barney. So for this case, it is clear that scheme 1 is better than scheme 2.

Sometimes more is less

So now lets consider another scheme. Instead of the Barney scheme, we will have the Bambam scheme. The Bambam scheme picks a length between 1 and 15. So Bambam possible passwords are 62^10 + 62^11 + 62^12 + 62^13 + 62^14 + 62^15.

Now Bambam is bigger than Fred, but not much bigger. Bambam is only 1.6% bigger than Fred, so the apparent gain is small.

I said "apparent" gain in the previous sentence because the Bambam system is actually much weaker than Fred, even though it has more possibilities. Here is where the math gets hard, subtle, and a bit confusing.

I've often said that the strength of a password depends on the number of ways that you can get a different result using the same system. And if you were to take me at my word, that would mean that a password generated via the Bambam system should be stronger than a password generated by the Fred system. But sometimes you shouldn't take me at my word. Comparing the number of possibilities only works if each possibility is just as likely as any other possibility. That uniformity doesn't hold in the Bambam (or Barney) system.

Urned non-uniformality

Imagine five urns (because people who talk about probability can't be bothered to come up with new examples). Urn A has one marble in it. Urn B has 1 × 62 marbles in it. Urn C has 1 × 62 × 62 (3844) marbles in it. Urn D has 1 × 62 × 62 × 62 marbles in it (238328). And urn E has 1 × 62 × 62 × 62 × 62 (4776336) marbles in it.

If you have a one in five chance of picking Urn A, then you will pick that one particular marble in urn A one out of five times. If you have a one out of five chance of picking urn B, then you have a 1/5 × 1/62 = 1/310 chance of a particular marble from that urn being picked. When we get to urn E there is a 1/5 × 1/14776336 = 1/73881680 of a particular marble in there getting picked.

The Bambam system is just like this. Any particular 10 character password is far far more likely to get generated than any particular 15 character password. And what this means is that the optimal guessing strategy will be to start with the 10 character password. An attacker who works through all of the 10 character passwords will have a 1/5 chance of hitting the correct password. An attacker who works through all of the 10, 11, 12 character passwords will have a 3/5 chance of getting the right password but will have done hundreds of times less work than going through 15 character passwords.

No consensus on strength comparison

The typical notion of "entropy" for talking about password strength is only applicable when the distribution of possible passwords is uniform (each one as likely as another). Any non-uniformity weakens the system, as it means that the attacker can start with the more likely passwords. So even though the number of Bambam possibilities is 1.6% bigger than the number of Fred possibilities, Fred is actually a much stronger system.

There is no consensus among researchers for how to define the strength of non-uniform systems. If you want to watch a boring talk with too much math, please take a look at something I presented last summer at the Passwords13 conference.

hawkmoth

Once more a very illuminating discussion @jpgoldberg‌. Thanks for teaching!

Ledgem

Agreed, thank you @jpgoldberg‌ for taking the time to explain it and illustrate with an example!

Jasper

On behalf of @jpgoldberg, you're welcome. Please let us know if you have any other questions! :)