It keeps surprising me: minimum length, at least one number, special characters required, do not use your username as a password..., and just recently I stumbled upon a website that said my password was too long!

But why all the complicated requirements? Aren’t there other solutions? Simply put, no. Despite many attempts, a widely accepted alternative for a password is still far away. Recently a relatively well-known company decided to get rid of the mandatory password in favor of a smartphone-app. Right when we’re on the brink of mainstream 2-factor authentication, second-factor becomes first-factor and we shift-delete the first factor. Usability? Perfect. Security? Well… let’s say there are doubts.

So I remain steadfast in regards to passwords: we still need them. Strong ones, in fact. The reason for that is twofold: first to protect passwords from being guessed, but that is pretty old-school. The second and main reason is to prevent passwords from being brute-forced (i.e. cracked). The easier a password, the less time needed to crack. Not to go into too much detail, this has to do with the number of possible combinations of a certain number of characters. Nowadays experts consider 128-bit encoding to be safe[1], which translates to 22 characters at 6-bit per character. So yes: a safe password consists of 22 random characters or more. No special characters needed. Just 22 or more.

With a 128-bit password there are 2128 possible combinations, meaning that even the largest hashing network today, the bitcoin network, still requires millennia to generate enough combinations to eventually land upon your password. And because of the time this takes, a 128-bit password is considered safe.

But let’s turn this around. Instead of taking the side of the attacker, consider the consumer: if we let the consumer enter any password he or she likes, we could hash[2] this password as many times as we need to get end up with a safe set of characters. For example: a password of 20 characters (which can be stored in about 120-bit) should be hashed 64 times (28) to end with a decent 128-bit password. A password of 10 characters should be hashed 268 times to end up secure. Even a password of 1 single character can be turned into a safe password, we just need to hash it 2122 times.

Isn’t that cool? With just a new perspective on a current problem, we removed password complexity, anyone can enter any password and everyone has a password that is equally strong! And there is only one drawback: after you enter you password it may take a while before you are actually logged on. It may even happen within your lifespan, assuming no systems are rebooted… Security? Perfect. Usability? Well we still have some doubts...


  1. https://www.keylength.com/ ↩︎

  2. https://en.wikipedia.org/wiki/Hash_function ↩︎