Improving password security
Your hometown, mom’s birthday, or first car may make for great memories, but they don’t make for the most secure passwords. Sal Khan explains the ins and outs of creating stronger passwords.
You’ll also hear people tell you to use a variety of characters. When they’re talking about that, they’re saying, “Don’t just use numbers, don’t just use lower case letters, don’t just use upper case letters, don’t just use special characters, use a combination of all of the above.”
So for example, when we’re talking about special characters, we’re talking about things like the exclamation mark or the “@” symbol or the hashtag. And so use that in combination with numbers, in combination with upper and lower case letters.
And then the other thing that people will tell you is that the length of the password matters. So a longer password is good. Now what I want to do in this video is really appreciate why these, I guess we can say, rules of thumb, matter. And to think about that, we just have to think about how a password can be broken.
So if a human being is trying to snoop around – and so let’s say this right over here is the thing that’s trying to break the password, so in this case it’s a human being – what would they do?
Well, they would just try out – they would try out password number one. And maybe it doesn’t work. And then they would try out password number two, and then maybe it doesn’t work. But they would just keep on doing that until maybe they get to password number – you know, maybe a human being could go up to maybe 100 and maybe eventually they’re able to find the password.
And it would surprise you how frequently people use passwords that could be guessed in this short a period of time, because they use passwords like the word “password” or they use their user name as their password or they use their password “one, two, three, four, five” or, “one, two, three, four, five, six, seven, eight, nine.” Or something that is very, very, very – or they use their date of birth. Something that is very, very guessable. In that situation, even a human being might be able to try out, in a reasonable amount of time, and stumble upon the password.
Now, as you could imagine, human beings are not the only things that are trying to break into people’s accounts. A malicious individual could write a malicious program that is trying to do this and programs are much, much faster at trying out all of the possibilities.
But you might say, “Hey, look, in the English language, if you look up, you know, in the dictionary, there’s roughly about 200,000 words, and then if you include proper nouns and different verb tenses and all of the rest, you’re going to one million plus words.” And you might say, “Well, you know, surely, you know, clearly a human being couldn’t try out all these possibilities and probably it would take a computer a long time.”
But you have to remember how incredibly fast computers are. Probably in your pocket you have a smartphone, or even maybe a not so smart phone, so let me just make this clear. So a computer – and your phone, or most people’s phones, are now computers – a computer can do in excess of two billion instructions per second.
Instructions – instructions per second! And this number is by Moore’s Law – which you could look up as a fascinating dynamic in the computer industry. This is doubling every 18 months. So even a fairly inexpensive phone can now do two billion instructions per second.
And it doesn’t take that many instructions for them to try out a new password. So you could imagine that a computer could actually try out all of these possibilities fairly quickly. There might be some things slowing it down, it might take some time to test out the password, or they might have to interact with some other system, but it would not take a computer a long period of time. And a computer does not get bored, and a computer can be very, very, very persistent.
Fair enough. So now I’ve convinced you: don’t use words. Now what about this whole idea of using a variety of characters? And to think about why a variety of characters, and frankly, why longer passwords are good, we just have to break out a little bit of our high school mathematics, and remember a little bit about how the number of possible passwords increases as we use more characters and we make a longer password.
So for example, if you had a one character password, and you only used numbers, there would be ten possibilities. The one character password could be one, two, three, four, five, six, seven, eight, nine, or a zero. Now if you had a two character password – so each of these little blanks I’m putting here is one of the characters – then the first one could have ten possibilities, the second one could have ten possibilities, and so you have a total of 100 possibilities for a two character password that only uses numbers.
Now if you were to go all the way to an eight character password that uses only numbers – so let’s do that: three, four, five, six, seven, eight – I’m going to take eight tens and multiply them together, which is the same thing, if we remind ourselves about what exponents mean, as ten to the eighth power. That is one followed by eight zeros. One, two, three, four, five, six, seven, eight.
So there’s 100 million possible passwords – eight digit passwords – where we are only using numbers. So once again, you might feel pretty good about that. But look at this number: two billion instructions per second for even a fairly inexpensive computer. We’re not talking about, you know, a supercomputer or a whole bank of computers someplace.
So you say, “Okay, I kind of see that.” But one thing you do appreciate immediately is every time that you add another character, even if you’re limiting yourself only to the numbers, to the digits zero through nine, every time you increase a character, you’re increasing the number of possible passwords by ten. So if you have a ninth character, now all of a sudden there are going to be one billion possible passwords.
So that’s why we have the idea that the longer the password the better. Now why does using a variety of characters help? Well, then there’s more possibilities per character in this password. So if you have an eight character password, and let’s say you extend it to letters and numbers. So there’s 26 letters and there’s 10 numbers, so that would be 36 possibilities for the first one, 36 for the second one, 36 for the third one, 36 for the fourth one, so on and so forth. And then you would multiply those 36s, which is going to give you a much bigger number.
Or if you were to extend it even further – if you were to say, “Look, we have ten numbers, or I guess we could say we have ten digits.” And then there are special characters – there are actually more than ten, but let’s say the easy to get to special characters right over here. So we have ten special characters; there are actually more at your disposal. You have 26 lower case letters, and 26 upper case.
So now if you use this as your arsenal for each of the characters of the password, that gives you a total of, let’s see, this is 52 plus 20, that gives you 72 possibilities for each of these blanks. And now things get big faster. You get more possibilities faster as you add more and more characters.
So for example, now we are talking about a scenario where, if you pick from this arsenal, 72 times 72 times 72 – every time you add a character, you get 72 times as many passwords. And so let’s see, that’s eight 72s. So that’s 72 to the eighth power, and I’m going to need a calculator for that one. 72 to the eighth power gets us to – and I won’t write this whole thing – roughly 7.2 times 10 to the fourteenth power!
So let me write this. Approximately 7.2 times 10 to the fourteenth power. And just to give you an idea of this, this is approximately a seven, then a two, and then 13 more zeros. One, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen zeros!
So now we are dealing with, let’s see, this is million, this is billion – 720 trillion possibilities. Is that right? Million, billion – 720 trillion possibilities! So when you expand it this way – so if we divide that by 100 million, let me do that just for fun, this is actually quite exciting –
So if you divide that by 100 million – let me make sure I got that right: one, two, three, four, five, six, seven, eight zeros – just by increasing your arsenal of characters, you have 7 million times as many possible passwords. It would take someone or a computer 7 million times longer to break your password in this situation, assuming it isn’t one of the kind of easy, low-hanging passwords to guess, and every time you add another character, it multiplies the number of passwords by 72.
So hopefully this gives you an appreciation why people give you these rules of thumb when you are selecting your password.
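The arithmetic in the video, as an added example that is not part of the original transcript: it computes the keyspace for each alphabet size and length, the time to exhaust it at the two billion guesses per second figure, the factor of roughly seven million between 10^8 and 72^8, and the minimum length needed to push an exhaustive search past a chosen time budget. It also shows why the keyspace numbers only hold for passwords chosen at random: a dictionary word falls in a handful of guesses no matter how many character classes it could have used. The four character classes (the ten special characters in particular), one guess per instruction, and the five-word wordlist are assumptions constructed for the example.

```python
"""Keyspace arithmetic behind the password rules of thumb (length, character variety).

Added example, not code from the video. Assumptions: the four character classes below
(the ten "easy to get to" special characters are an arbitrary choice), one guess per
instruction at the video's two billion instructions per second, and a constructed
five-word wordlist standing in for a real dictionary.
"""
from math import log2

DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
SPECIAL = "!@#$%^&*()"          # assumed set of ten easy-to-reach symbols
CLASSES = (DIGITS, LOWER, UPPER, SPECIAL)

GUESSES_PER_SECOND = 2_000_000_000   # video's figure; one guess per instruction favours the attacker
TEN_YEARS = 10 * 365 * 24 * 3600     # 315,360,000 seconds, a sample defender's time budget

WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey"]  # constructed sample


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `alphabet_size` choices."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate; on average an attacker needs about half of this."""
    return keyspace(alphabet_size, length) / rate


def effective_alphabet(password: str) -> int:
    """Size of the 'arsenal' implied by the character classes actually present.

    One digit pulls in all ten digits, one symbol all ten symbols, and so on, which is
    the per-position multiplier the video reasons with. Characters outside the four
    classes each add one to the count.
    """
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(others)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace, the way password strength meters usually report this number."""
    return len(password) * log2(effective_alphabet(password))


def min_length_for(alphabet_size: int, target_seconds: int, rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds` to exhaust.

    Integer arithmetic only, so the answer stays exact for very large keyspaces.
    """
    needed = rate * target_seconds
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def dictionary_guess_count(password: str, wordlist=WORDLIST):
    """Guesses a wordlist attacker needs, or None if the password is not in the list."""
    for position, word in enumerate(wordlist, start=1):
        if word == password:
            return position
    return None


if __name__ == "__main__":
    print("alphabet  length             passwords   seconds at 2e9/s")
    for size, length in ((10, 8), (10, 9), (36, 8), (72, 8), (72, 9)):
        print(f"{size:>8}  {length:>6}  {keyspace(size, length):>20,}   "
              f"{seconds_to_exhaust(size, length):,.3f}")
    print("72^8 / 10^8 =", keyspace(72, 8) // keyspace(10, 8))   # the video's ~7 million factor
    print("length needed for ten years at 72 symbols:", min_length_for(72, TEN_YEARS))
    for pw in ("letmein", "Pa55word!"):
        print(pw, effective_alphabet(pw), round(entropy_bits(pw), 1), dictionary_guess_count(pw))
```

Run it as a script to see the table; the point to notice is that "letmein" has a 26^7 keyspace that takes a few seconds to exhaust at this rate, yet the wordlist finds it on guess four, so the character-variety and length rules only buy anything for passwords that are not words or predictable patterns.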