The Goldilocks Password Principle

April 13, 2011


There seems to be something polarizing that happens when it comes time for someone to choose their online password. The password selected is either too short or too long; a simple string of characters or a random jumbling; required to change every month or never. Being in the middle, in most instances, is just right.

In December of 2010, hackers gained access to thousands of passwords from the Gawker Media suite of sites, which includes Lifehacker and Gizmodo. The hackers then posted the top 50 most frequently used passwords they were able to crack. The most frequent password was “123456.” Second on the list was “password,” followed by those who, apparently being a bit more diligent, went with “12345678.” Research by other groups has revealed similar patterns among online users.

Rewind to 2002, when Scotsman Gary McKinnon was busted for hacking into multiple US military computer networks, including those of NASA, the Navy, the Air Force and the Department of Defense. During an interview with the BBC’s Spencer Kelly, McKinnon had this to say:

SK: “How did you go about trying to find the stuff you were looking for in Nasa, in the Department of Defense?”

GM: “Unlike the press would have you believe, it wasn’t very clever. I searched for blank passwords, I wrote a tiny Perl script that tied together other people’s programs that search for blank passwords, so you could scan 65,000 machines in just over eight minutes.”

SK: “So you’re saying that you found computers which had a high-ranking status, administrator status, which hadn’t had their passwords set - they were still set to default?”

GM: “Yes, precisely.”

Types of Attacks

How Gary got access to the networks was one thing; how he got into the actual machines was quite another. At this point I would like to use the word “unbelievable,” but it just isn’t. As such, I’d like to talk about a few practical principles regarding secure passwords. But before we get to the principles, let’s have a look at two popular attack methods: the dictionary attack and the brute-force attack. Understanding these methods will help you choose a secure password.

Dictionary Attack

In this approach, a predefined list of likely passwords (the “dictionary”) is used to guess the password. Think of a document in which you’ve written every word you can think of that might be used as a password. The dictionaries hackers use are far more comprehensive than this, but the concept is the same. The list is then tried entry by entry until one succeeds. When it works, this method is a relatively quick way to gain unauthorized access. The downside, however, is that the password must already be on the list.

Brute Force Attack

This approach is much more, well, brutish. A set of allowed characters is defined (e.g. a-z), but no particular arrangement of them is. Instead, every arrangement is tried in turn: start with a, then b, and so on, 26 times, until every single character has been tried. Then add a column and try aa, ab, and so on through az; then advance the first column to b and loop through the character set again with ba, bb, and so forth. The strength of this approach is that random character strings can be matched without first composing a list of particular arrangements. The downside is time: the number of candidates is the size of the character set raised to the power of the password length, so every additional character multiplies the work by the size of the character set, and a larger character set enlarges every column. The time it takes to crack a password therefore grows exponentially with its length.

The Goldilocks Principle

If you’re not familiar with the Goldilocks Principle, it refers to something falling within certain margins, and not reaching the polar ends or extremes. You don’t have to use a 20-character password and change it every month, and it doesn’t have to be “H&e4j_V0#X2.” Let’s be realistic about how we can stay both safe and sane at the same time. How’s that sound?

1. Not too long, and not too short

Using only the characters a-z and A-Z, a 5-character password might take a standard Windows computer 1 hour to crack. This same computer, using the same character set, would take 17 years to crack an 8-character password! The more characters that are in the password, the longer it would take to crack because the possible character combinations grow exponentially with each additional character.
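The enumeration order described in the brute-force section and the 5- versus 8-character comparison in this principle, as an added example in Python (not code from the original post). Its one assumption is the post’s own rate: an exhaustive search of 5-character a-z/A-Z passwords takes one hour, so the 8-character figure follows from the ratio of search-space sizes.

```python
"""Search-space size and enumeration order of the brute-force attack described
above, and the 5- versus 8-character comparison from principle 1.
Added example; the rate of one hour for every 5-character password over
a-z/A-Z is the post's figure, taken here as an assumption."""
from itertools import islice, product
from string import ascii_letters
from typing import Iterator

LETTERS = ascii_letters          # a-z then A-Z: the 52-symbol set the post uses
HOURS_PER_YEAR = 24 * 365.25


def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len: each extra column multiplies the count
    by charset_size, which is why the total grows exponentially with length."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def candidates(charset: str) -> Iterator[str]:
    """Yield candidates in the post's order: a, b, ..., z, then aa, ab, ..., az,
    ba, bb, ... (rightmost column changes fastest), then three characters, ..."""
    length = 1
    while True:
        for combo in product(charset, repeat=length):
            yield "".join(combo)
        length += 1


def position(password: str, charset: str) -> int:
    """1-based position of `password` in that enumeration, i.e. how many guesses
    a search working in this order makes before it lands on this exact string.
    Raises ValueError if the password uses a character outside `charset`."""
    n = len(charset)
    offset = 0
    for ch in password:
        offset = offset * n + charset.index(ch)   # base-n value within its length
    return keyspace(n, len(password) - 1) + offset + 1   # all shorter strings come first


def hours_to_search(max_len: int, charset: str = LETTERS,
                    ref_len: int = 5, ref_hours: float = 1.0) -> float:
    """Worst-case hours to exhaust every password up to max_len, scaled from the
    post's reference point (ref_len characters in ref_hours; an assumption)."""
    guesses_per_hour = keyspace(len(charset), ref_len) / ref_hours
    return keyspace(len(charset), max_len) / guesses_per_hour


if __name__ == "__main__":
    print(list(islice(candidates("abc"), 7)))    # ['a', 'b', 'c', 'aa', 'ab', 'ac', 'ba']
    print(keyspace(52, 5), keyspace(52, 8))      # 387659012 54507958502660
    print(hours_to_search(8) / HOURS_PER_YEAR)   # about 16 years
```

Going from 5 to 8 characters multiplies the search space by 52^3, roughly 140,000, which is the gap between one hour and the post’s 17 years.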

2. Not too simple, not too complex

A good rule of thumb here is to use a combination of simple words and numbers that, strung together, are meaningless. For example, “Table76Plug#.” Such combinations mean nothing on their own, and with a little creativity you can create something that is highly unlikely to be included in a hacker’s dictionary. Never use a password that is simply a word you would find in a regular dictionary.

3. Not too hard to remember, and not easy to guess

The downside of that strong password assigned by your network administrator is that you can’t remember it. So inevitably, it’ll be written down and put in your desk drawer, or heaven forbid, stuck to the side of your monitor. The password should be something that you can remember without too much effort, but not so simple as to be easily guessed.

4. Not all your passwords have to be unique, just difficult to guess

I don’t use a unique password for every site. I have four passwords that I use across many sites. These four passwords are of varying degrees of complexity, but all are difficult to guess. For sites that contain highly sensitive information (e.g. a bank account), I would use the most secure password I have. For email, I would use a moderately difficult password. For sites that I don’t really care about, I might use an almost simple password. My logic here is to categorize my passwords and the websites I use by threat level if breached. If my Gmail password is cracked, the hacker would not have access to my bank account.

References & Geeky Stuff

Gary McKinnon BBC Interview
The Top 50 Gawker Media Passwords
Statistics from 10,000 leaked Hotmail passwords
Password Recovery Speeds
