
Multiword Passwords Secure Or Not?

Posted by Unknown Lamer
from the never-ending-passphrase dept.
Gaygirlie writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and of the general consensus; of course any password whatsoever is going to be insecure against an offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?"

  • Re:Obligatory xkcd (Score:4, Interesting)

    by zero.kalvin (1231372) on Wednesday March 14, 2012 @10:23AM (#39352113)
    There is something that has always bothered me: how in the hell does the attacker know whether I am using words for my password or not? Second, consider the following password, which at one point was on my laptop: "A happy worker is mindless worker, so shut up and do your job!" I fail to see how this password is not safe just because I used actual words; wouldn't it take millions of years (even with a dictionary attack) to guess it?
  • It's a Trade-Off (Score:3, Interesting)

    by Anonymous Coward on Wednesday March 14, 2012 @10:24AM (#39352125)

    Getting Joe Public to use something other than "password" is hard, but it's easier to persuade Joe to use a phrase like "HomerLovesDonuts" than some random string of letters; we all know the random string will just get written down.

  • Re:Obligatory xkcd (Score:3, Interesting)

    by Anonymous Coward on Wednesday March 14, 2012 @10:28AM (#39352189)

    So I did not bother to RTFA, but I can tell you that if it is any good it will be attacking this directly at the entropy level. Entropy in information theory is a very well-defined concept, despite definitely not being a lay-person topic. The xkcd is a direct take-off of an entropy observation and some commonly published information on the topic.

    I assume the paper is claiming that some entropy measures may be ill-considered, but then again that isn't telling us anything new. People have long suspected (and we have evidence for passwords) that humans within a certain culture (and even independent of it) are heavily biased.

    The pass-phrase-with-words concept only works under the assumption that the phrase is *generated* by a high-entropy process. The effectiveness theory follows from the assumption that this allows both high entropy and ease of recall. If you throw away the former, then no shit they won't work.

  • Re:Obligatory xkcd (Score:0, Interesting)

    by Anonymous Coward on Wednesday March 14, 2012 @10:34AM (#39352281)

    Say you have a 4-word password and you publish your 2048-word dictionary on the internet, entitled "come at me". Is that more or less secure than a random 8-character password (upper, lower, numbers, 40 symbols)?

    4^2048 vs 8^102
    approx 1.04*10^1233 vs 1.2*10^102

    So even if they know which dictionary you are using, it doesn't matter. And you can type your password into just about any device without figuring out how to make all the symbols on a rotary phone.

    This does assume that they can't hear you typing and count the number of characters in your password to reduce the possible combinations; that would drop the security.
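The comparison in the comment above, worked through in bits as an added example (this is editor-supplied code, not the commenter's): the search space of a passphrase is dictionary size raised to the word count (2048^4), and that of a random string is alphabet size raised to the length (102^8), so the honest comparison is 4·log2(2048) against 8·log2(102). Publishing the dictionary changes nothing, because the count already assumes the attacker has it. The two guess rates used at the end (10 guesses per second against a rate-limited login, 10^10 per second offline against a fast unsalted hash) are assumptions chosen to illustrate the online-versus-offline point raised in the submission, not figures from the article.

```python
import math


def bits_random(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a string of `length` characters each drawn
    uniformly from an alphabet of `alphabet_size` symbols: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def bits_wordlist(dictionary_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` words, each drawn uniformly from a
    dictionary of `dictionary_size` entries: log2(dictionary^words).
    Publishing the dictionary costs nothing: this count already assumes the
    attacker has the list and tries nothing outside it."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a space of 2^bits."""
    return 2.0 ** bits / guesses_per_second


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


if __name__ == "__main__":
    phrase = bits_wordlist(2048, 4)   # 44.0 bits
    random8 = bits_random(102, 8)     # about 53.4 bits
    print(f"4 words from 2048:        {phrase:.1f} bits")
    print(f"8 chars from 102 symbols: {random8:.1f} bits")
    print(f"words from 2048 needed to match: {words_needed(2048, random8)}")
    print(f"words from 7776 (Diceware) needed: {words_needed(7776, random8)}")
    # Assumed attack rates: 10/s against a rate-limited login,
    # 1e10/s offline against a fast unsalted hash on a GPU rig.
    for label, rate in (("online, 10/s", 10.0), ("offline, 1e10/s", 1e10)):
        days = seconds_to_exhaust(phrase, rate) / 86400
        print(f"{label}: 4-word space exhausted in {days:,.1f} days")
```

Four words from a 2048-word list come to 44 bits, which is below the roughly 53 bits of the 8-character random string; a fifth word is what closes the gap. The same 44 bits are out of reach for an online guesser at ten attempts per second and a half-hour job for the assumed offline rig, which is the distinction the submitter is asking about.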

  • by CubicleZombie (2590497) on Wednesday March 14, 2012 @10:39AM (#39352349)

    If someone has a one in a million chance to determine my password how much of a threat is that to me if the site that requires the password only allows a few attempts before it locks the account?

    When I see this implemented, it's usually like 3 attempts until lockout. Make it a few hundred. That's enough that a forgetful human has plenty of tries but a brute force attack will fail.

  • piffle (Score:3, Interesting)

    by koan (80826) on Wednesday March 14, 2012 @10:55AM (#39352573)

    Just hold down shift and type in your 10 digit phone number.

      (@)%%%!@#$

  • Re:Obligatory xkcd (Score:5, Interesting)

    by micheas (231635) on Wednesday March 14, 2012 @11:01AM (#39352667) Homepage Journal

    Pulling one example: I was asked to see if I could recover the password on a PDF to allow editing. IIRC, the cipher was 256-bit AES. When trying to find the password to edit a PDF, my really ancient dual-core Athlon64 took under 2 minutes to try every unique word in the OED.

    The password of the PDF (which was sanfrancisco2) took me about 15 minutes to find using standard password dictionaries. Theoretically, a 13-character password with a number in it should take an insanely long time to crack; in reality it was well under an hour.
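Why a 13-character password falls in minutes: the attacker never searches the 13-character space, only the word list times a handful of mangling rules. The following is an added example written for this page, not the commenter's tool and not a PDF cracker; SHA-256 stands in for the document's key derivation (a slow KDF only scales the running time, not the candidate count), and the six-entry word list is constructed for the demonstration where a real list carries millions of entries.

```python
import hashlib
from typing import Iterator, List, Optional, Tuple

# Constructed stand-in for a real word list.
WORDLIST: List[str] = ["password", "letmein", "california", "losangeles",
                       "sanfrancisco", "seattle"]

# The usual leet substitutions, which crackers apply as a rule rather than
# treating as extra entropy.
LEET = str.maketrans("aeios", "43105")


def mangle(word: str) -> Iterator[str]:
    """Candidates derived from one word, cheapest rules first: case and leet
    variants, then each variant with 0..99 appended. 404 candidates per word."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    yield from bases
    for base in bases:
        for n in range(100):
            yield f"{base}{n}"


def sha256_hex(password: str) -> str:
    # Stand-in for the real key derivation (assumption, see lead-in).
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hex: str, wordlist: List[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Dictionary-plus-rules attack. Returns (recovered password or None,
    number of candidates hashed before stopping)."""
    attempts = 0
    for word in wordlist:
        for cand in mangle(word):
            attempts += 1
            if sha256_hex(cand) == target_hex:
                return cand, attempts
    return None, attempts


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Size of the space a naive brute force of the same length would face."""
    return alphabet_size ** length


if __name__ == "__main__":
    target = sha256_hex("sanfrancisco2")
    found, tried = crack(target)
    print(f"recovered {found!r} after {tried} candidates")
    print(f"brute force over 36^13 would face {brute_force_space(36, 13):.2e} candidates")
```

"sanfrancisco2" is the third candidate produced for its base word under these rules, so the whole run is a few thousand hashes; the 36^13 figure the "13 characters with a digit" intuition relies on is about 1.7·10^20 and never enters into it.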

  • my strange variation (Score:5, Interesting)

    by way2trivial (601132) on Wednesday March 14, 2012 @11:11AM (#39352775) Homepage Journal

    For myself, I have three phrase+number complex passwords which I use: one for financial sites (online banking, Amazon, anywhere I shop and my plastic is stored), one for places I expect to use regularly (such as Slashdot), and one for trash sites where I gotta register for whatever it is I want but don't expect to be back. The variant thing is, I have my own domain with a catch-all address (similar to Gmail's + system), and for all domains I use the domain name plus my @domain.com.

    Assuming the method shown in the cartoon was automated checking of the email + combo, it'll fail because I wouldn't use the same email address at ANY website.

  • Re:Obligatory xkcd (Score:4, Interesting)

    by ArundelCastle (1581543) on Wednesday March 14, 2012 @12:20PM (#39353781)

    Try adding purposefully misspelled words or bad grammar and it makes shoulder surfing hu23 sekane in the despondingly overstitch. Side effects of using passphrases like that include speaking random gibberish on occasion.

    I think this is always the key point. Other than the usual 1337-to-text substitutions, which are easily predictable, I have never seen or heard of a "typo dictionary" attack. At that point it diminishes to raw permutations unless you start scripting likely pairs of consonants and vowels, which would differ between languages no matter their character set (i.e. Hawaiian vs. French). Even lolcat is a language of randomness, ackshuilly. ;)

  • Mix it (Score:4, Interesting)

    by Kjella (173770) on Wednesday March 14, 2012 @01:55PM (#39355199) Homepage

    My recommendation for a really secure pass phrase:

    1. Pick a phrase like "maryhadalittlelamb"
    2. Add (or replace) with one capital letter, one number, one special character. Don't use l33t-speak, just at random.
    3. Remember your three weird words like "maVry" "li6ttle" and "lam!b", it's much easier than when it's all just a hopeless mess.
    4. Your password is now "maVryhadali6ttlelam!b"; there's not a password cracker in the world that'll find this.

    It's way, way too long and uses all the character sets, for a brute-force attack. As for a dictionary attack, there are way, way too many permutations. It could just as easily be "mar#yha1dalittlelRamb" or "m%aryhadalitOtlela9mb" or a million other combinations based on "maryhadalittlelamb", even if you knew that was the basis. Of course the biggest risk is the computer you're typing it into; for example, I feel my mail is much safer now that I can log into it from my smartphone rather than from any random webcafe/desktop/laptop I happen to have available. It's a lot more difficult to get a spy app installed or bug my hardware than if I type it in on machines I don't control.

    If I remember correctly, this is how our university got breached once: they bugged a desktop in the computer lab, trashed the software a bit, then waited for an admin to come and try cleaning things up with the admin password. Boom, they had admin rights to every desktop on the network. Against that it doesn't matter if your password is a kilometer long; if you can't trust the console it doesn't matter. It only matters if your data is stolen and they never got the password, which is of course one important vector with stolen laptops and all, but it doesn't protect against other threats. All in all I consider my password complexity a very low-risk threat. No point in a bulletproof blast door if a burglar would use the window.
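The "million other combinations" in Kjella's scheme can be counted exactly. This is an added example written for this page, not the commenter's code: it counts the distinct strings produced by inserting one uppercase letter, one digit and one symbol into an all-lowercase base (the three inserted characters belong to different classes and none appears in the base, so every ordered choice of slots and characters yields a different string), cross-checks the formula by brute enumeration on a short base, and converts the count to the bits the mangling adds on top of whatever secrecy the base phrase itself has. The 32-symbol set and the 2^20-entry phrase list used at the end are assumptions.

```python
import math
from itertools import permutations
from typing import Iterable, Set


def count_variants(base_len: int, n_upper: int = 26, n_digit: int = 10,
                   n_symbol: int = 32) -> int:
    """Distinct strings from inserting one uppercase letter, one digit and one
    symbol into a lowercase base of base_len characters. The result has
    base_len + 3 slots; ordered choice of three slots for three distinguishable
    characters, times the character choices."""
    n = base_len + 3
    return n * (n - 1) * (n - 2) * n_upper * n_digit * n_symbol


def added_bits(base_len: int, **kw: int) -> float:
    """Bits the mangling adds on top of knowing the base phrase."""
    return math.log2(count_variants(base_len, **kw))


def enumerate_variants(base: str, uppers: Iterable[str], digits: Iterable[str],
                       symbols: Iterable[str]) -> Set[str]:
    """Brute-force enumeration of the same set, used to check the formula."""
    n = len(base) + 3
    out: Set[str] = set()
    for slots in permutations(range(n), 3):
        for u in uppers:
            for d in digits:
                for s in symbols:
                    inserted = dict(zip(slots, (u, d, s)))
                    rest = iter(base)
                    out.add("".join(inserted[i] if i in inserted else next(rest)
                                    for i in range(n)))
    return out


if __name__ == "__main__":
    base = "maryhadalittlelamb"
    print(f"{count_variants(len(base)):,} variants, "
          f"about {added_bits(len(base)):.1f} bits added by the mangling")
    # Assumed: the attacker's phrase list has 2^20 entries and contains the base.
    print(f"total against a 2^20 phrase list: {20 + added_bits(len(base)):.1f} bits")
    small = enumerate_variants("mary", "AB", "12", "!#")
    print(f"check on 'mary': {len(small)} enumerated vs {count_variants(4, 2, 2, 2)} by formula")
```

For the 18-character base the scheme yields about 66 million strings, close to 26 bits; that is what the capital, digit and symbol buy once the base is known, so the rest of the strength has to come from how hard the base phrase itself is to list.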

  • Re:Obligatory xkcd (Score:4, Interesting)

    by Ihmhi (1206036) <i_have_mental_health_issues@yahoo.com> on Wednesday March 14, 2012 @02:41PM (#39355883)

    I had a customer who was in the military who was really concerned about his privacy. He had an ex-wife who was really vindictive and trying to get into his e-mail, Facebook, anything just to fuck with him. So he asked me for some advice on how to make a secure password that will stop casual attempts.

    ME: "Okay, you were a soldier, so you know NATO phonetics right? [wikipedia.org]"

    HIM: "Yeah..."

    ME: "What year were you born?"

    HIM: "1982."

    ME: "Give me the individual letters of 'apple' in NATO phonetics."

    HIM: "Alpha Papa Papa Lima Echo."

    ME: -writes down- "alpha1papa9papa8lima2echo". Here's your password. We're not going to use this, but when I finish unfucking your Windows registry I'll ask you again.

    ~1 hour later~

    ME: "So what was that password?"

    HIM: "Alpha one papa niner (lol) papa eig- holy shit, I remember it!"

    ME: "Right. Now do something similar, but create something I don't know about. I don't like to know my customers' passwords."

    Teach someone to use mnemonics and patterns and you can create something interesting and easy to remember. There's no reason the "random letters, numbers, etc." and "leetspeak" methodologies need to be mutually exclusive.

    I use a similar logic of patterns and the like for myself. My bank's website only allows letters and numbers for the password (and only up to 20 characters, lame), so I use a pattern on the keypad to remember it via muscle memory. (I "draw" a particular shape using the number keys in my head, and then some letters, and then some more numbers.) My e-mail password is 30+ characters long. I have half a dozen pretty strong passwords floating around in my head and I'm not going to forget them anytime soon, because I created a pattern that is personally easy for me to remember but cryptographically difficult to discern or break.
