Multiword Passwords Secure Or Not?

A user writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and of the general consensus; of course any password whatsoever is going to be insecure against offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?"
  • LastPass (Score:3, Informative)

    by alphax45 ( 675119 ) <kyle.alfred@nOSPAM.gmail.com> on Wednesday March 14, 2012 @10:29AM (#39352199)
    I use and love LastPass. It has a really great password generator that I use for all sites. I always use the maximum number of characters and the largest character set (letters, numbers, symbols) the site will let me.

    My actual LastPass password (the single point of failure) is 32 characters long. It is a phrase in "leet" speak with symbols padding the start, middle, and end.

    I feel pretty safe with this.

    Just my 2c
  • Re:Obligatory xkcd (Score:4, Informative)

    by Jake73 ( 306340 ) on Wednesday March 14, 2012 @10:30AM (#39352219) Homepage

    Well, not exactly applicable but interesting to the discussion.

    I think the point is that consideration must be made for the "location" of the access portal. That is, if anyone with an internet connection can try their key in your lock, you probably want a pretty good lock.

    But for access to things that have additional security, the lock quality may be reduced in favor of a key that is easy to remember.

    1. Keep a good, long, easy-to-remember passphrase for access to your TrueCrypt partition that sits on a private computer inside your house.

    2. Store passwords inside this partition in something like KeePass. The KeePass password doesn't need to be industrial. It should be easy to remember, but non-obvious. You type this password a lot.

    3. Keep all internet passwords at maximum strength for the site and make them random from your password generator.

  • by Sycraft-fu ( 314770 ) on Wednesday March 14, 2012 @10:34AM (#39352283)

    They assume they get ideal circumstances, i.e. as many attempts as they want. As such their research is basically fucking worthless. The only time such a situation applies is if you have, say, encrypted data and an adversary has gotten that data. They can then try to decrypt it until the end of time and you can't change the password.

    That doesn't do shit for remote login. No system is so accommodating as to let you just try and try. Even if they don't do permanent lockouts, they'll lock you out for a while. Like our domain: you get 5 attempts and then it locks the account for 30 minutes. So you can get a whopping 240 attempts per day (presuming we don't notice and shut it down). Gonna take a LONG time to cover the password spaces they are talking about, LONG time.

    This also assumes that you know that someone is using a multi-word phrase, and that you know they aren't playing games with number substitution, caps, and so on. This is useful maybe in an intelligence agency type situation, where you can survey your target and learn about the kind of password they use, even if you can't find out the password itself, and restrict the search space. However, in terms of randomly hacking things remotely, nope, not useful. There are too many possibilities for what the person could use, and a multi-word phrase is only one of them. You could try every single one of up to 10 words, only to then discover your target doesn't use that, and has a simple password like password123 that wasn't in your search space.

  • Re:Obligatory xkcd (Score:5, Informative)

    by Culture20 ( 968837 ) on Wednesday March 14, 2012 @10:39AM (#39352341)

    > There is something that always bothered me: how in the hell does the attacker know if I am using words for my password or not? Second, consider the following password which at one point was on my laptop: "A happy worker is mindless worker, so shut up and do your job!" I fail to see how this password is not safe just because I used actual words. Wouldn't it take millions of years (even with a dictionary attack) to guess it?

    It's more secure than 5#f^x902 in almost every way, except that it's easier to shoulder-surf in one try because it's a proper sentence. As long as they catch enough parts, they can guess the rest. Try adding purposefully misspelled words or bad grammar and it makes shoulder surfing hu23 sekane in the despondingly overstitch. Side effects of using passphrases like that include speaking random gibberish on occasion.

  • Re:Obligatory xkcd (Score:5, Informative)

    by gstoddart ( 321705 ) on Wednesday March 14, 2012 @10:40AM (#39352353) Homepage

    > There is something that always bothered me: how in the hell does the attacker know if I am using words for my password or not?

    They don't, but if they have the resources for a brute-force search, it's moot since in theory they'll just keep trying until they find it.

    > Second, consider the following password which at one point was on my laptop: "A happy worker is mindless worker, so shut up and do your job!" I fail to see how this password is not safe just because I used actual words. Wouldn't it take millions of years (even with a dictionary attack) to guess it?

    Well, possibly not. Think about a document with a password.

    If someone really wants to get into it, and is willing to invest the time and hardware, having a computer try millions and millions of permutations isn't as expensive as you might think, and it gets cheaper every year.

    Many forms of crypto have fallen over the years as the speed of computers has allowed what used to be an impossible task to be something which can be done in relatively short time. Even a couple of days or weeks of compute time would represent an absolutely vast amount of attempts.

    It's a damned fine pass-phrase, but a computer is really good at doing an endless set of boring things. So, eventually, even if it's a massive brute force attack, it could still arrive at the one that worked.

    However, this is the most telling part:

    > The researchers found that film and book titles were effective in identifying pass-phrases in use - information readily available in list-form online suitable for dictionary-style attacks. The researchers used Wikipedia and IMDB lists, as well as slang phrases from Urban Dictionary. Researchers found users tended to favor simple two-word phrases common in natural language, though there is evidence that some users seek out seemingly-random pairings. The researchers also claim that there are "rapidly diminishing returns" for longer pass-phrases containing three or four words.

    So, if movie names and slang are what many people are using as their pass-phrases, a dictionary attack is a little easier.

    But, something like "cotillion squirrel hammer bollocks gouda inkwell" might be random enough that the sources people might use to try a dictionary attack won't be of any help. Whereas "The Dark Knight" or "Star Wars" might fall pretty quickly.

  • Re:Obligatory xkcd (Score:5, Informative)

    by Geoffrey.landis ( 926948 ) on Wednesday March 14, 2012 @10:49AM (#39352479) Homepage

    So you didn't bother to RTFA before posting that. They're trying to show that the easier to remember password may be easier to crack with a dictionary attack.

    And you didn't bother to read the xkcd before posting that. It showed with calculations that the commonly used "hard to remember" password has lower entropy than a much easier to remember multiword phrase. For reference, "higher entropy" means "harder to crack with a tailored brute force attack."

    In any case, though, the actual first thing you need to do is to make sure you never reuse a password on two different systems. And the xkcd for that is http://xkcd.com/792/ [xkcd.com]

  • Re:Obligatory xkcd (Score:5, Informative)

    by Anonymous Coward on Wednesday March 14, 2012 @10:49AM (#39352483)

    > Say you have a 4 word password and you publish your 2048 word dictionary on the internet, entitled "come at me". Is that more or less secure than a random 8 character password (upper, lower, numbers, 40 symbols)?

    > 4^2048 vs 8^102

    You mean 2048^4 vs 102^8.

    2048^4 = 1.7592186 * 10^13
    102^8 = 1.17165938 * 10^16

    With only a 2048 word dictionary to choose from this is less secure than a random 8 character password.

  • Re:Obligatory xkcd (Score:4, Informative)

    by second_coming ( 2014346 ) on Wednesday March 14, 2012 @10:56AM (#39352585)
    according to https://www.grc.com/haystack.htm [grc.com] that's one hell of a password :)
  • Re:Obligatory xkcd (Score:2, Informative)

    by Anonymous Coward on Wednesday March 14, 2012 @11:24AM (#39352953)

    The XKCD's entropy assumes an equal chance of any common word being used, not weighting the attack on beginning with the most common words, thus its results are inaccurate. RTFA.

  • Re:Obligatory xkcd (Score:5, Informative)

    by buchner.johannes ( 1139593 ) on Wednesday March 14, 2012 @11:42AM (#39353231) Homepage Journal

    > It assumes that the reader tries a dictionary, but it also assumes that words in the dictionary are equally probable. An English dictionary contains about 600,000 words. A typical English speaker uses 2,000 different words over the course of any given week and knows about 20,000. Depending on which of these numbers you use as the search space, the entropy is a lot larger. For example, XKCD's metric would regard 'Natalie Portman is superlatively callipygian' and 'I like to eat apples' as having the same entropy, but the former is probably a lot harder to find with a dictionary attack, because a list of 2,000 common words is not likely to contain callipygian and may not contain superlatively, while it will contain all of the words from the second example.

    Read it again. He assumes 16 bits of entropy for 'Troubadour', an uncommon word, and only 11 bits for the four common words. This *is* a lot, as you say; since bits (of entropy) are on a log scale, though, it doesn't look as impressive. The combination is what makes it so powerful (11^4 vs 16).
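
The two arithmetic threads above (2048^4 vs 102^8, and the objection that XKCD-style counts assume every word is equally likely) can be checked together. The script below is an added example, not code from the thread or from the Cambridge paper; the Zipf-shaped word-frequency model it uses is an assumption standing in for real usage statistics, included only to show how much a non-uniform word choice shrinks the effective search space.

```python
import math

# Added example (not from the thread): compares the guess space of a
# random-character password with that of a multi-word passphrase, first
# under the uniform assumption used in the thread (2048^4 vs 102^8) and
# then under a non-uniform word model, where common words dominate.

def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits when every symbol (or word) is equally likely."""
    return length * math.log2(alphabet_size)

def guess_space(alphabet_size: int, length: int) -> int:
    """Total number of candidates an exhaustive search must cover."""
    return alphabet_size ** length

def zipf_probs(vocab_size: int, s: float = 1.0) -> list[float]:
    """Constructed word-frequency model: rank r gets weight 1/r^s.
    This is an assumption standing in for real usage statistics."""
    weights = [1.0 / (r ** s) for r in range(1, vocab_size + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def shannon_bits(probs: list[float]) -> float:
    """Average uncertainty per draw (the figure XKCD-style estimates use)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs: list[float]) -> float:
    """Worst case: the attacker's best single guess is the most likely word."""
    return -math.log2(max(probs))

def passphrase_bits(word_count: int, probs: list[float]) -> dict:
    """Per-passphrase totals, assuming words are chosen independently.
    'uniform' is the thread's count; 'shannon' and 'min' account for
    the attacker starting with the most common words."""
    return {
        "uniform": uniform_bits(len(probs), word_count),
        "shannon": word_count * shannon_bits(probs),
        "min": word_count * min_entropy_bits(probs),
    }

if __name__ == "__main__":
    print("2048^4 =", guess_space(2048, 4), "->", uniform_bits(2048, 4), "bits")
    print("102^8  =", guess_space(102, 8), "->", round(uniform_bits(102, 8), 2), "bits")
    for name, bits in passphrase_bits(4, zipf_probs(2048)).items():
        print(f"4 words, Zipf vocabulary, {name:>7}: {bits:.1f} bits")
```

Under the uniform model the four-word passphrase gives 44 bits against about 53 for the eight-character password; under the Zipf model the same four words fall to roughly 12 bits of min-entropy, which is the effect the "RTFA" replies are pointing at.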

  • Re:Obligatory xkcd (Score:5, Informative)

    by realityimpaired ( 1668397 ) on Wednesday March 14, 2012 @11:55AM (#39353429)

    People are under the mistaken impression that would-be hackers waste their time trying to brute force passwords. They don't. They either exploit design vulnerabilities (in which case your password doesn't matter), or they try a little social engineering to get your password. The one thing the movie Hackers got right was the scene when Dade called up the night security desk at one of the places he was trying to hack, pretending to be an employee in a panic, and got him to read the phone number off the modem so he could dial in. That's how it really does work... you come up with a ruse, and convince somebody who doesn't know better to give up sensitive information that you can use to gain access to the system.

    And that's where passphrases have a huge advantage: they are easy enough to remember that they don't need to be written down.
