Passwords and Cryptwords: The Final Limits on Lengths

Abstract

Computers get faster every year; brains don’t. Passwords and other memorized credentials have unique usability advantages over tokens and biometrics, so we desire to design secure systems that maintain lengths that users can memorize. Some passwords are subject primarily to online attacks, and are simple to defend with rate limits and lockouts. Others, used to generate encryption keys, must be secure against offline attacks. We coin the term “cryptword” to distinguish these from passwords subject primarily to online attacks. Authentication passwords do not need to get longer as computers get faster, if protected by rate limits and lockouts. Using password key derivation functions (pwKDFs) — a class of preexisting cryptographic algorithms — we show that cryptwords can also remain the same length and maintain their security strength despite advances in computation. We achieve this by regularly updating the pwKDF parameters and regenerating the derived key from the cryptword. In cases where it is not possible to meaningfully regenerate the derived key, such as archival data or public verifiers, cryptword lengths should be chosen to last the lifetime of the data. We provide simple equations that end users and system administrators can use to determine minimal assigned password and cryptword lengths based on personal threat models. We also show how to use the capabilities of cloud computing providers to estimate attacker costs. These same equations give a timeframe for cryptword and secret rotation once the encrypted data leaks. Because these equations do not rely on the current date or current hardware capabilities, they show that if regularly used, password and cryptword lengths can remain constant despite improvements in hardware.