Your Passwords Don't Suck — It's Your Policies

First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"
  • by Kvasio ( 127200 ) on Friday May 18, 2012 @07:49PM (#40047529)

    because "This chicken tastes like shit!" password is more or less a "5-character password", but characters are selected not from ~26 but from say 50000.

    My guess is that after the referred xkcd strip brute force algorithms also put more emphasis on natural language sentences, etc.

  • by SilverJets ( 131916 ) on Friday May 18, 2012 @07:59PM (#40047607) Homepage

    Funny.

      According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

    Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

  • Re:XKCD (Score:0, Interesting)

    by Anonymous Coward on Friday May 18, 2012 @07:59PM (#40047609)

    But it's not?

    It's 4 WORDS

    that is extremely important. You can use a dictionary attack on words. Not on random characters.
    A dictionary attack rules out a lot of tries. A huge lot.

    While I don't doubt that his math is in essence correct, I doubt that he takes care of the fact that this is words vs random characters. That said, his example of the other password was a word as well, so that's not exactly a lot better.

    Of course, you still have to know your user is using 4 words. But on the average site, anything harder than the easiest 50% is probably enough to keep yourself safe. Why would you waste a lot more time as an attacker breaking the lot harder passwords than all the simple ones that are up for grabs. But even then, a dictionary attack isn't exactly that much more effort. While the password is a lot longer, it requires a lot less possible combinations. And if you allow users to use dictionary words, they are going to choose easy ones. All in all, I still doubt that it would be a lot better to use his kind of passwords. In the end, if you want your password to be hard to guess for others, you're going to have to make it hard enough for yourself as well.

  • Re:XKCD (Score:4, Interesting)

    by spazdor ( 902907 ) on Friday May 18, 2012 @08:01PM (#40047621)

    No, it would be "weaker by half" if the alternative was a single capital letter at the beginning of the password.

    In fact, the alternative is that any, some, or all of the 28 characters could be capitalized or not.

    So the first character halves the password's strength if it is predictably lower-case.
    and the second halves it again.
    and so does the third.

    Incidentally, halving or doubling the key space is not "a lot," not by any cryptologist's standards.

  • by Anonymous Coward on Friday May 18, 2012 @08:07PM (#40047653)
    When sites like slashdot impose a maximum password length limit like 22 characters, it suggests to me that they don't in fact store the passwords as hashes as you would expect. Also garbled passwords are going to be far harder for people to memorize if seen by accident.
  • by sexconker ( 1179573 ) on Friday May 18, 2012 @08:11PM (#40047683)

    Every time I see a password like this "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"

    Because 12ol3jkh!!asrdfw9g8 is a good password and This chicken tastes like shit! is a terrible password.
    Please quote that XKCD comic all you like, it doesn't make it right.

    "Entropy" (can we please stop misusing this word?) is only a useful measure of password strength if you're brute forcing.
    Password crackers employ methods that are a teeny bit more sophisticated than brute forcing.

  • Re:XKCD (Score:5, Interesting)

    by baileydau ( 1037622 ) on Friday May 18, 2012 @08:15PM (#40047699)

    The only thing going for it is that you don't know that it's only lower case letters.

    I think this is a very important point that lots of people overlook.

    By prescribing the use of various character classes, you are actually weakening the password.

    A proper password should allow the use of those classes, but not prescribe them.

    When I was a kid, we had a game called "Mastermind". One person selected various coloured buttons and hid them behind a screen. The other person had to guess the colours / sequence.

    We had various house rules about difficulty levels. One of the easiest ones was if they had to tell you the pattern. eg:
    * double colour
    * blank
    etc

    Same thing with passwords

  • by dskoll ( 99328 ) on Friday May 18, 2012 @08:44PM (#40047867) Homepage

    I use randomly-generated passwords (generated by reading /dev/random) that are at least 16 characters long. I restrict the character set to [A-Za-z0-9] which is a touch under 6 bits per character, so I have about 95 bits of /dev/random-quality entropy.

    The passwords are stored in a file encrypted with a long passphrase. The long passphrase is probably the weak link, but by not reusing passwords across different websites and using randomly-generated ones, I'm fairly well-protected if one of the sites I visit has its password file stolen.

  • by felila ( 150701 ) on Friday May 18, 2012 @08:52PM (#40047929)

    I tried out the Analyzer program, and discovered that it only seemed to look for *English* words. Simple, easy-to-remember phrases in Tongan or French were rated as extremely strong (taking centuries to break).

  • by LordKronos ( 470910 ) on Friday May 18, 2012 @09:03PM (#40048015)

    Actually, it's "correct horse battery staple". And the funny thing is, I didn't even have to look it up. As the comic says "you've already memorized it".

  • by gtbritishskull ( 1435843 ) on Friday May 18, 2012 @10:06PM (#40048403)

    I have 3 different bank accounts, 3 different credit cards, an HSA, a Roth IRA, and a 401k that I should probably make sure have secure passwords. (And I am sure there are a couple more non-financial ones that should also be secure). In an ideal world, that would be 9 different 6-8 digit random character passwords. That is assuming that all of the other accounts (like /.) have less secure passwords. That doesn't even take into account changing the password semi-regularly. Even if you feel it is unnecessary, some websites enforce it on you. I am a pretty smart guy, but I might have a little trouble keeping them straight. How many different 6-8 digit random character strings do you have memorized? And how often do you change passwords on your account? Do you change them all at once (and memorize all new passwords), or do you spread it out?

    It only doesn't seem hard if you are not doing it right.

  • Re:Wrong (Score:5, Interesting)

    by tknd ( 979052 ) on Friday May 18, 2012 @10:25PM (#40048525)

    Most people's vocabulary is not that large.

    Let's use the xkcd example: correct horse battery staple.

    Using a list of the 5000 most commonly used words, I was able to find rankings for 3 of the 4 words:

    • 1813 correct
    • 1291 horse
    • 3226 battery

    "staple" doesn't even appear on the most common 5000 word list. But let's assume it did at 5000. That means your dictionary now is 5000 words large. 5000^4 = 6.25 * 10^14.

    Now let's address your suggestion:

    you don't really have a key space much larger than normal 7 character or so passwords offer

    Now your average English keyboard has 47*2 = 94 type-able characters. 94^7 = 6.48477594 * 10^13. The xkcd example assuming it was smaller than it really was beat your suggestion by an order of magnitude.

    Now let's address how large people's vocabularies are. According to wikipedia:

    This translates into a wide range of vocabulary size by age five or six, at which time an English-speaking child will have learned about 2,500-5,000 words. An average student learns some 3,000 words per year, or approximately eight words per day.

    But 6 year old kids don't have much interesting personal information that people are really after like credit cards. Let's read further:

    A 1995 study estimated the vocabulary size of college-educated speakers at about 17,000 word families, and that of first-year college students (high-school educated) at about 12,000.

    http://en.wikipedia.org/wiki/Vocabulary [wikipedia.org]

    So let's re-do the calculations with 10,000 words: 10,000^4 = 1.0 * 10^16.

    Things will only get worse if you tell people to use numbers, names, special abbreviations, etc. For example it will be highly unlikely the following phrase will be in your dictionary: "5000 most common vocabulary". People can also use natural language and still fall way out of your dictionary: "yummy carne asada dinner". They can also use personal and vulgar language: "Stupid bitch Alice, never again".

  • by bky1701 ( 979071 ) on Friday May 18, 2012 @11:35PM (#40048903) Homepage
    I take it you've never seen a wordlist for a dictionary password cracker. I don't have any on me to see if that specific string is in them (quite possible, based on some of what I remember), but I do know many dictionary cracking programs implement mixing of words on the list - meaning "correct horse staple battery" will be cracked in SECONDS, not centuries.

    Add to that rainbow tables, and you're basically screwed with anything under 8 characters + mixed case + at least one special character (ideally an uncommon one like ^, %, or &, less likely than !, @, $, or * to be in a character set).
  • by kriston ( 7886 ) on Friday May 18, 2012 @11:44PM (#40048933) Homepage Journal

    The highly secure NSA and DoD password policy is very thorough, but one thing was left unnoticed about this policy. You can create a valid password by merely running your finger down a column of the keyboard, and then holding down the shift key and doing the same thing. Really!!

    To wit, this password is valid. Run your finger down the left-most column of your keyboard: 1qaz2wsx
    Then hold down the SHIFT key and type !QAZ@WSX
    Presto, you have a valid password that meets all the security requirements the NSA and DoD have imposed upon you.

    Now that's okay for creating system images for deployment.

    In 45 days when you need to change your password again, just shift to the next row of your keyboard. This will keep you okay for a couple of years or so until you run out of keyboard rows to use. Then, you just do it backwards. It really is that simple.

    Try it!! It's almost unbelievable.

  • Major bugs (Score:4, Interesting)

    by Georules ( 655379 ) on Saturday May 19, 2012 @01:21AM (#40049351)
    Just did this:
    Start with "awesomepasswordtoday"
    1 year, 8 months
    Go to "awesomepasswordtoday000"
    7 centuries, 8 decades
    Go to "000awesomepasswordtoday000"
    less than 1 day

    This tells me there is something in the logic that makes it a pretty unreliable metric of password strength.
  • Re:XKCD (Score:5, Interesting)

    by arose ( 644256 ) on Saturday May 19, 2012 @01:23AM (#40049355)

    Your password complexity requirements are worthless, users will pick easy to remember, insecure passwords no matter what the requirements are. They will, of course, literally fulfill the requirements. The difference is that you are much more likely to get user cooperation if password changes consisted of the computer picking 4 random words for them, rather than 12 random alphanumerics with a side dish of ASCII barf. The only reason users pick their own passwords for sensitive applications is that they'd write that shit down and stick it on the monitor (or under the keyboard, for the ones who "understand security") if you made it truly secure (i.e. generated it for them).

    Right now your users pretend to pick secure passwords and you pretend that they do. You don't want to know how shitty they are, they don't want to tell you. As long as you don't find them on post-its and there is no visible compromise everyone is happy. Of course they should have PIN-secured, challenge-response based one time password generators, but let's face it, your systems just aren't important enough to secure them in a thoroughly user friendly manner. So if you actually do care beyond your users picking the simplest password that passes your requirements you very well might think about randomly generating 4 word passphrases for them, I think you even have some volunteers for a trial.

  • by Drishmung ( 458368 ) on Saturday May 19, 2012 @02:17AM (#40049525)
    We actually did something like this.

    Users were permitted to choose their own password. These passwords could be long. We had guidelines as to what were good schemes, but there was no enforcement of rules.

    However, we also

    1. ran a quick check on your password against a cracker and
    2. ran a password cracker as a constant background job.

    If your password was cracked by the quick checker, it was rejected and you had to choose another.

    If the background checker cracked your password, you were locked out. When you tried to log on and couldn't, and called to find out why, you were told your password had been cracked and you needed a new one. (Actually, I think we emailed you then locked you out, so if you were on-line, you could choose a new password then and there).

    It worked.

  • by mysidia ( 191772 ) on Saturday May 19, 2012 @02:47AM (#40049635)

    but I do know many dictionary cracking programs implement mixing of words on the list - meaning "correct horse staple battery" will be cracked in SECONDS, not centuries.

    There are approximately 6000 common words in the English language, so if you just pick 4 random words, there are
    6000 ^ 4 = 1296000000000000 possibilities

    If you pick a truly random 8-character password, there are:
    140 ^ 7 = 1054135040000000 possible choices.

    Even at 1,000,000 crack attempts per second, it still takes on average 16 years to crack a password formulated using either method.

  • by the_other_chewey ( 1119125 ) on Saturday May 19, 2012 @03:34AM (#40049805)

    I take it you've never seen a wordlist for a dictionary password cracker. I don't have any on me to see if that specific string is in them (quite possible, based on some of what I remember), but I do know many dictionary cracking programs implement mixing of words on the list - meaning "correct horse staple battery" will be cracked in SECONDS, not centuries.

    No it won't. I recommend some math instead of faulty intuition:

    Let's assume a word list of 5000 entries (that's very low, the OED counts over 150000 words in current use).

    Four words out of this gives us 5000^4 (word repetitions are allowed), or 6.25e14, that's 625 trillion. At a million cracking attempts per second, that gives 19.8 years for an exhaustive search.

    So, a random four-word passphrase made up from a 5000 word list will take nearly 10 years (exhaustive/2). And that assumes the passphrase only contains words from the list. Unlikely.

    Of course, 10 years isn't that impressive. But even a single changed character somewhere – or just a word not on the list! – will require a full brute-force search on the character level instead of at the word level.

    Hello bazillions of years.
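The arithmetic that tknd, mysidia and the_other_chewey each do by hand above (word-list size to the power of the word count, versus character-set size to the power of the length, divided by a guess rate) is collected here as an added example; it is not code from any poster or from the Passfault project. The toy word list, the guess rate and the character-set sizes are constructed assumptions, and the "fall back to character level when a word is off the list" rule is the attacker model the_other_chewey describes, not a claim about any real tool.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn uniformly from `symbols` choices."""
    return symbols ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits, the usual way to compare the two schemes."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years for an exhaustive search at the given rate; average is half this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Constructed toy list standing in for "the 5000 most common words" (assumption: real lists are larger).
TOY_WORDS = {"correct", "horse", "battery", "staple", "this", "chicken", "tastes", "like"}


def passphrase_space(passphrase: str, attacker_list_size: int = 5000,
                     known_words=TOY_WORDS, charset_size: int = 27) -> int:
    """Attacker-model estimate from the thread: if every word is on the attacker's list the
    search is list_size^words; one word off the list forces a character-level search over
    charset_size^len(passphrase) (27 = lower case plus space, an assumption)."""
    words = passphrase.lower().split()
    if all(w in known_words for w in words):
        return keyspace(attacker_list_size, len(words))
    return keyspace(charset_size, len(passphrase))


def compare(rate: float = 1e6):
    """Rows of (label, keyspace, bits, years exhaustive) for the schemes the thread argues over."""
    rows = [
        ("4 words from 5000", keyspace(5000, 4)),
        ("4 words from 10,000", keyspace(10_000, 4)),
        ("7 chars from 94", keyspace(94, 7)),
        ("8 chars from 94", keyspace(94, 8)),
        ("'correct horse battery staple'", passphrase_space("correct horse battery staple")),
        ("'correct horse battery stapler'", passphrase_space("correct horse battery stapler")),
    ]
    return [(label, space, round(entropy_bits(space), 1), years_to_exhaust(space, rate))
            for label, space in rows]


if __name__ == "__main__":
    for label, space, bits, years in compare():
        print(f"{label:34} {space:>12.3e}  {bits:5.1f} bits  {years:>12.3g} years @1e6/s")
```

Running it reproduces the thread's figures: 5000^4 is 6.25e14 (about 49 bits), which at a million guesses per second takes 19.8 years to exhaust, while 94^7 is 6.5e13 (about 46 bits), an order of magnitude smaller. Changing the guess rate argument shows how quickly those years shrink, which is the practical reason the comparison should be made in bits rather than in years.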

  • by Stormtrooper42 ( 1850242 ) on Saturday May 19, 2012 @05:48AM (#40050157)

    You can always use a password manager (ex: http://www.clipperz.com/ [clipperz.com] ). I actually don't even know most of my passwords. Don't need to.
