Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Stats

Cracking Passwords With Statistics 136

New submitter pjauregui writes: When users are asked to create a "secure" password, most sites simply demand things like "must contain 1 uppercase letter and one punctuation character." But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit. This article starts by asking the reader, "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst: They try any arbitrary password attack they feel like trying with little reasoning. His post is a discussion that demonstrates effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time boxed approach to efficient and successful cracking.
This discussion has been archived. No new comments can be posted.

Cracking Passwords With Statistics

Comments Filter:
  • by Anonymous Coward on Tuesday April 14, 2015 @09:28PM (#49475655)

    They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

    Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

    • by Anonymous Coward

      I do something similar by continually incrementing the numbers on the end like: password1 ...30 days later... password2 ...30 days later... password3 ...30 days later... password4 ...30 days later... password5 ...30 days later... password6 ...etc.

      This also has the wonderful effect of constantly reminding me of roughly how many months i've worked for this shithole company, as if I needed a reminder.

      • by AK Marc ( 707885 ) on Tuesday April 14, 2015 @11:25PM (#49476047)
        I've had my first day include complaining to the head of HR that the HR documents on passwords were wrong. The rules were at least one upper, at least one lower, at least one number, and no shorter than 8. However, the password policy described by my peers was "pick a 6-letter word, start with a cap, and put 00 at the end. When you increment it for the 30 day expiration, you can last past the 1-year no reuse policy." The funny thing was, I followed the policy and came up with one that used special characters. Not accepted. And one that used an 8-character word. Not accepted (the password must be exactly 8 chars, and can't include special characters, despite the rules not directing such). The head of HR gave me the same rules as everyone else. So nobody in the company uses a secure password, and the rules on the password are mis-documented. Chairs00. Shh, don't tell anyone.
        • The best passwords are the random ones generated by password managers, but the silly rules prevent you from using them. They also prevent people from using secure "personal words" like that weirdly named village you passed through once on vacation. All passwords-by-rule tend to deteriorate to obvious word with initial capital with a 0 or a 1 on the end.

          • by AK Marc ( 707885 )
            An unguessable personal word worked well for me for 20 years online, until places started checking them unencrypted against dictionaries. Yes, Calypso443521 contains a word that could exist in a dictionary, but is unguessable. Nobody would guess that it has any meaning, and with a personal number on the end, it wouldn't fall to any dictionary attack. But would be banned by many places I have passwords now. Like Scunthorpe is banned from most user names and some passwords because it contains a "banned" w
            • Yes, Calypso443521 contains a word that could exist in a dictionary, but is unguessable. Nobody would guess that it has any meaning, and with a personal number on the end, it wouldn't fall to any dictionary attack.

              Are you crazy? There's only a million words in English and only a million six digit numbers, so the combination of real word + number has only a trillion possibilities. 2^40 possibilities, which will fall rapidly to a dictionary attack. It's as "strong" as 6 random, typeable characters.

              The point of TFA is that while "12 characters, including three different character classes" sounds like 2^84, the reality is that people meet those conditions by using a real word with the first letter capitalized and a num

              • There's only a million words in English and only a million six digit numbers, so the combination of real word + number has only a trillion possibilities.

                This is why I use 7 numbers in my password, Jenny8675309.

              • by AK Marc ( 707885 )
                How do you know I'm using a 6-digit number?

                It's as "strong" as 6 random, typeable characters.

                That's still better than most passwords.

                Your dictionary attack will only work if you are 100% correct about your guess. If you don't know the length of the number, then your attack will fail.

            • Frankly guys, I believe you are complaining the belly full. At my place, everything is so obscure and cryptic that even the guys responsibles for the DNS succeeded to defeat the purpose of a DNS in first place. It is almost easier to remember the hosts by their IP addresses than by their names. Imagine now the password rules.
          • by Buchenskjoll ( 762354 ) on Wednesday April 15, 2015 @03:46AM (#49476791)

            "personal words" like that weirdly named village you passed through once on vacation.

            True. I spent last summer in Wales and the landscape is scattered with good passwords.

      • "This also has the wonderful effect of constantly reminding me of roughly how many months i've worked for this shithole company, as if I needed a reminder."

        But as your password pique causes its assets to shuffle off to Nigeria, you won't be working there much longer.

      • by Creepy ( 93888 )

        That works great if you aren't forced to have 6 characters different, as well. Our rules were 8+ characters, 20x without repeat, 6 char difference in each password, 30 day forced changes, at least one upper case character, and at least one punctuation. Through trial and error, I found the 6 characters different were based on position, so my solution was rotation - Pa$$w0rd becomes a$$w0rdP and then $$w0rdPa, etc. Works for a few months at least, and I only needed to memorize three strings. Never got cracked

    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday April 14, 2015 @09:44PM (#49475721)

      It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.

      1. keylogger
      2. some reduction attack
      3. pass the hash
      4. fake authentication request & server
      5. etc

      By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.

      For non-work websites just remember 2 things:
      a. DO NOT USE THE SAME PASSWORD
      b. If it is financial, don't use the same username/email-address as other sites.

      • I do reuse the same password in places, but only on sites where I don't care if it gets hacked (and it amazes me how many times I've had to use it). What annoys me though is that I can't always use it as sometimes it's too long (?!), and I've had to adapt to having a version that includes digits and mixed-case (despite the fact that even the basic all-lowercase version is pretty much unhackable - hint: it's more than one word, it makes no sense, and it's not even English). But for important sites (banks, e

        • by Creepy ( 93888 )

          I have throw-away passwords I sometimes reuse as well, also for sites I need to register on and don't particularly care about (they also get a junk email account I never check). I will vary this password by using a trick - I use the last character in the site name as the first character in the password so it is rarely the same. Still not exactly secure, but easy to remember and varies the password by site. The rest of the password is usually some fantasy character name with flipped calculator/leetspeak lett

        • Brute force hasn't been a threat for years.

      • by Tom ( 822 ) on Wednesday April 15, 2015 @12:55AM (#49476309) Homepage Journal

        Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.

        Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

        Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

        I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
        My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a seperate password (and using password managers ties you to them, which is why many people don't do it).

        And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.

        • by vux984 ( 928602 )

          . One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).

          And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.

          I had a similar system for a while. The problem? One of the sites that had one of my passwords got hacked. Then I had to change it for every other site in that "category" which was a lot of sites, and I'm sure even now that I've missed some. Plus now I have to remember a new password; but still the old one for any sites I missed...

          Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.

          Because if some rinky-dink f

          • by JazzLad ( 935151 )
            I used to have a favourite keygen (for some obscure program, I don't recall which), I would use the webpage address as the name & whatever key it spit out would be my password.

            I have no idea why I stopped doing this ... I may start again :)
            • by Vesvvi ( 1501135 )

              I discussed the details of how you can do it here: http://it.slashdot.org/comment... [slashdot.org]

              It's really the only solution. There are 2 modern threats to passwords: computationally weak passwords and compromised servers with poor practices.

              It's easy to make a computationally strong password, and it's not hard to make it memorable. But poor HR/IT policies such as described here compromise good passwords (forcing rapid changes, disallowing long passwords, etc). So memorable passwords are not easy, in practice.

              On t

              • by vux984 ( 928602 )

                I read your link.

                The only problem left is that we can't compute hashes in our head, but there are hardware answers to that.

                At which point using a password safe(s) on a trusted device is basically the same thing. Except more convenient. Since you can have as many safes as you want, with an arbitrary number of records in them, protected by passwords as is suitable to the class of passwords in them. Its less data entry on average to retreive a password, and it eliminates having to worry about which sites you need a 123!@# tacked on the end, and which sites don't, etc.

                Decent password safes also let you securely sto

                • by Vesvvi ( 1501135 )

                  They're close to the same thing, but they differ in the important places. An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".

                  It could possibly store non-sensitive data, like usernames, "123!@#" modifiers, or notes, but it's not required.

                  I will admit that it could be inconvenient, but I think it's a reasonable tradeoff for the simplicity and securit

                  • by vux984 ( 928602 )

                    An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".

                    That's fair, but its also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc..)

                    Its not a practical solution if it doesn't actually exist.

                    Although there might be a market for a such a device.

                    It also still requires you need to memorize a password (even an easy one) for each situation. I have well over 100 passwords; and could not

                    • by Vesvvi ( 1501135 )

                      That's fair, but its also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc..)

                      It doesn't require the dedicated hardware, it's just an option (that doesn't exist yet...). I think it's likely a better option than products like the Mooltipass.

                      I use this approach currently, since I basically trust my desktops. I can also ssh to a server I trust, which is capable of doing it. You could do it now on a smartphone, but that's a tough platform to lock down. If you're desperate, you could find a website that can do it for you (googled quickly): http://pajhome.org.uk/crypt/md... [pajhome.org.uk]. Regardles

          • by Creepy ( 93888 )

            You could also use a system to vary the passwords. I use the last character of the site name (as I stated in a different post), but I've been migrating to a new system in the past couple of years, which is why I didn't care about divulging it. Let's say the new system is the first and last characters of the site (it is not) - I could then have sPa$$w0rdT for the password to Slashdot, and while it is essentially the same, it varies for most of my accounts. One hint - my new system sometimes excludes RSTNLE,

            • by vux984 ( 928602 )

              You could also use a system to vary the passwords.
              [... describes system loosely...]

              The problem I have with systems like this is:

              One site won't let you have punctuation... another site requires it. One site says your password is too short. Another says its too long. A site that was happy with your "system" password gets hacked and you have to change it.... and these exceptions build up over time rendering the system an excercise in futility.

              Then eventually you get fed up with the exceptions devise a new system and start all over again...

              But if you miss any sites when you switch over you ha

              • by Vesvvi ( 1501135 )

                You're making the mistake of thinking that your password system and their requirements need to integrated: they don't. You can concatenate a strong password system with their weak requirements, and the result is still strong.

                The only time it gets weaker is when they enforce a maximum length. Then you have to start dropping your secure input in favor of their weak requirements. But in this situation, your (internal) password/phase isn't compromised, only the public version they get. Too bad for them.

                • by vux984 ( 928602 )

                  You can concatenate a strong password system with their weak requirements, and the result is still strong.

                  But this requires I memorize "their weak requirements" for each site as this is not usually disclosed on the usual login page?!

                  And it still doesn't address the fact that if they get compromised I have to CHANGE my password.

                  If I'm using a 'system' to generate passwords, then I can't use that system for this site anymore, because the password the system generates for the site is compromised.

          • by Anonymous Coward

            He's a self-described security expert, though, which trumps all of our real world experience.

            Mat Honan's experience tells us that all it takes is ONE bad pick of an "unimportant" for re-using your password. I wonder if Tom here burns with a desire to address this point in his post, as well as adding something about personal security questions.

            http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

          • by Tom ( 822 )

            Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.

            Yeah, that sucks.

            I use a password manager as well, mostly because I'm lazy typing. It gives me the added benefit that if one of the sites gets hacked, I can check the PW manager to see where else I use the same PW.

            You can use different passwords, if you like. I don't do it because it would mean that when I find myself without my PW manager, I'd be fucked. And it happens quite often that I do.

        • Re: (Score:2, Insightful)

          by khasim ( 1285 )

          Read to the end for a secret revelation.

          One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling.

          The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

          One is for sites that I have some stakes in, like accounts

          • The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

            Use a password manager with a really good password.

            When you create an account, pick a "secret question" randomly, note it in your password manager, then MAKE UP an answer. "What's your mother's maiden name" - "Merkava". "What's the name of your first pet" - "Norelco".

            Hard to guess the answer to a secret question when it has

            • Instead of writing these made up answers to the "secret question" it's far better IMHO to just have your password generator generate a new 40 random character string and use that.
              • Instead of writing these made up answers to the "secret question" it's far better IMHO to just have your password generator generate a new 40 random character string and use that.

                Which I would then have to store in the notes section just like I do with the made-up answers?

          • by Tom ( 822 )

            The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

            These bullshit "security questions" are actually the weakest link. I don't use them. If the site enforces it, I fill them with noise.

            Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.

            Depends on your bank. Mine doesn't let me log in with username or password or any such crap. Also, every bank worth its money these days will use 2-factor authentication, or send a TAN by SMS or something like that. More and more banks will also send you SMS to inform you about every transaction made, so you can stop any abuse immediately.

            Banks are among the few who actually t

            • by dave420 ( 699308 )
              My bank has pretty decent security - after logging in with a very long string of numbers & password combination, to do anything with the bank accounts one must use a TAN generator into which they place their card, then place it on the screen in order to generate the TAN itself, which is typed back.
        • Comment removed based on user account deletion
        • by bwcbwc ( 601780 )

          I have a similar categorization scheme, but I "salt" the PWs with a mnemonic that I use to vary the PW within each category. That way I only have to hurry and reset all my PWs in the category if two or more sites in the category get compromised, which increases the risk that the mnemonic can be derived. For a brute-force attack, if someone knows my password MiXedABUPC, it's just as hard to decrypt MiXedxyUPz as it is to decrypt adfOYcqC1B. Of course if you know (or assume) that I use a pattern, it's probab

        • What about using the same password for everything, just changing them *all* every 2-3 months?
          • by Tom ( 822 )

            Changing passwords doesn't make them magically more secure.

            What do you hope to accomplish? If you have a good reason to change, change. If you don't, you change for prophylaxis, to stop someone who may have been using your account for something. But if you didn't even notice, what's the damage? And if he's a pro, he's also changed the password reset email address, at least on sites that don't send a notice to the old address.

            You're doing a lot of effort for - what? If you can't answer that question, don't d

        • Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.

          Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

          Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

          I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
          My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a seperate password (and using password managers ties you to them, which is why many people don't do it).

          And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.

          I' m with you. I have a common password for 90% of my websites. I have only 1 credit card, one bank, and one bill payment account. All others I pay via direct visit to the bank or via cheque. For the 1 and 1 and 1, I have three reasonably long passwords.
          By the way, my passwords are characters from utf-8. So that you know, € and ¥ are used for some of my pwds. Not sure you can enter the euro or yen symbol on the default US keyboard layout. My financial passwords exceed 10 characters in length a

      • by AmiMoJo ( 196126 ) *

        a. DO NOT USE THE SAME PASSWORD

        There needs to be a better mechanism for doing that easily. Extensions that hash your password with the domain name and a master password before sending work quite well, but mobile browsers often don't support extensions. Keepass with cloud sync isn't bad but means you have to manually find and copy/paste your password every time.

        It seems like something that major browsers could easily implement natively. The hashing idea is pretty easy. Most of them will sync your random passwords for you, but that require

        • by Steve B ( 42864 )
          If you have a global auto-type key set (Ctrl-Alt-A by default), you can get KeePass to autotype your username and password. The details can be fiddly (especially for site where they have some weird notion that forcing you to load a new page between entering username and entering password enhances security somehow), but it generally works if you have the URL field filled out in the individual KeePass entries.
      • by mlts ( 1038732 )

        One thing about work passwords (and in general, I'm assuming this is an AD or LDAP user account), any sane setup should lock the account after a certain number of guesses [1], so 15-20+ character passwords are not as needed, assuming the account isn't an admin account or a service account which never will have its password changed. (For service accounts, I like using a randomly generated 128 character Unicode passphrases because those accounts are set to not get locked due to brute force attempts, so they

    • I do the same. Turns out they only require 18 in a row to be unique :-) Though the rest of the requirements aren't so rigid, though needing to pick a new one every two to three months is ridiculous. That sort of guarantees that someone writes it down or uses a pattern.

    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Wednesday April 15, 2015 @12:27AM (#49476223)

      They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

      Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

      Here's some...

      2015January!
      2015February@
      2015March#
      2015April$
      2015May%
      2015June^
      2015July&
      2015August*
      2015September(
      2015October)
      2015November-
      2015December=

      If it's too long, shorten to 3-letter months.

      And for next year, you'll have another set of "unique" passwords so it doesn't matter if they demand it doesn't match the last 100 passwords.

      Numbers, capital, punctuation it's got it all.

      With a few modifications, you can come up with similar passwords that will obey any other rules you need.

    • When the "bad guys" manage to download the password database from a Windows domain controller in your company (and that can happen) then they will be able to crack some of your previous 12 passwords that it stores in the history. Then you will be an easy target because they can predict your password from the history because you did not bother to comply with the company password policy. You were negligent.
  • by Anonymous Coward on Tuesday April 14, 2015 @09:36PM (#49475683)

    quote
      "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure."
    unquote

    yeah, right, my mom is gonna stop and thing about how a cracker looks at structure....

    • by Anonymous Coward

      If you asked my mom to do this, she would be thinking about snack crackers.

    • by dgatwood ( 11270 )

      quote "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." unquote

      yeah, right, my mom is gonna stop and thing about how a cracker looks at structure....

      This. In fact, I would have probably said "there's your problem" after the second word in the summary, or at best, right after the first comma. The flaw is that users are creating passwords at all. Humans create passwords that are easy to remember, which almost invariably makes them terrible passwords. This is why pretty much every modern browser out there has the ability to create and store passwords for you.

      The real solution is twofold: First, beat it into the heads of users that they should always le

      • "Humans create passwords that are easy to remember, which almost invariably makes them terrible passwords."

        Of course, hard to remember passwords which will get sticked in yellow over the monitor are so much better.

        • by dgatwood ( 11270 )

          The point being that humans shouldn't be creating the passwords, nor should they be responsible for remembering the passwords. They should have a password for their computer, and that's it. All other passwords are superfluous.

          • "They [humans] should have a password for their computer, and that's it. All other passwords are superfluous."

            I don't think you have properly thought about the implications of what you are saying.

            On the other hand, even with that single password, it's still either memorable, therefore easy to hack, or it isn't, in which case you turn again to the sticker on the monitor.

            • by dgatwood ( 11270 )

              On the other hand, even with that single password, it's still either memorable, therefore easy to hack, or it isn't, in which case you turn again to the sticker on the monitor.

              In relative terms, it is still a lot safer. Right now, cracking an average person's online accounts merely requires you to buy access to a botnet and use it to brute-force the account from a distance. By contrast, you can't readily do a brute-force attack on the login password for someone's laptop unless you either have stolen that

            • Most of my passwords are variations on a word that's very memorable to me, but incomprehensible to almost anybody else. The word itself is a made-up word that was popular among people involved in one of my hobbies when I first got involved with it over thirty years ago. Except for those of us who go back that far, even the people who share my hobby now are very unlikely to be aware of it because the jargon has shifted. It's a dictionary word, but only in the sense that it's not too hard to work out how t
          • If you're not expecting users to remember them, why use passwords at all? There are standard HTML facilities for generating keypairs in the browser. If you want to make it easy to share logins with mobile devices, then something that turns a private key into a QR code for easily copying to the mobile device would work fine.
      • This works fine... as long as the browser (or the HDD it's stored on) doesn't crash. The reason we use passwords is that we need something we can take with us anywhere, which pretty much limits it to "something you know" (as "something you are" - i.e. biometrics - isn't implemented for this sort of thing yet, and we tend to lose the "something we have").

        Best kind of password though: the nonsense phrase. Easy to remember, hard to guess. I read "Beagles twirl whiddershins up my saxophone" in a magazine arti

  • by Anonymous Coward

    For anything that matters, I have KeyPass generate the most convoluted password allowable for the given authentication system. For anything else, well, that doesn't matter now, does it?

  • by orlanz ( 882574 ) on Tuesday April 14, 2015 @09:57PM (#49475771)

    The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

    Complexity introduces incremental passwords, common passwords, safes, post its, support costs, complacency, single point of failures, easier social engineering, and easy passwords. All of which work against security. They don't have check boxes for these because they are hard to understand and measure.

    So is complexity checked? Yes, OK move along sir. I SAID MOVE ALONG. GOOD DAY!

    • I've always thought that a better option than "must have at least 1 upper case and 1 lower case letter, 1 number, 1 symbol, and 1 untypeable character" kind of rules, is to match the passwords users are attempting to set up against a rainbow table (i.e. approach it in the same way that hackers do). "P@ssw0rd1" is a crap password, but will be accepted by almost any site as "strong". Instead, match against a dictionary, against known common passwords, and against a general sanity filter (e.g. 3 characters i
    • by Tom ( 822 ) on Wednesday April 15, 2015 @01:13AM (#49476351) Homepage Journal

      The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

      That's consultant bullshit. The legal requirements are nowhere near this specific. It's only consultants that turn them into this nightmare of nonsense. I've worked in IT Compliance (SOX) for years. As long as you can describe why your password policy is good, it doesn't matter what it actually is. The problem is too many people don't invest the time to think a bit and simply take a so-called "best practice" and apply it. In way too many cases without reading to the end and realizing that this "best practice" was published in 1998 and may be a little outdated.

  • I have a low-security password that I use all over the Internet, like Slashdot. I have a medium security password I use for Linux logins, and a high security password I use for bank accounts. Notice the security reference standard: money.

    I hate it when my low-security password is rejected by some ego-driven web site that thinks I should memorize a special password just for them. FYI my low-security password has 7 lower-case letters and one special character in the middle. No digits! If you won't take tha

    • by Megane ( 129182 )

      I hate it when my low-security password is rejected by some ego-driven web site that thinks I should memorize a special password just for them.

      I also hate it when a web site locks you out completely, requiring you to contact someone to do a manual reset, for failing your password three times. At work, the "enter my goals for this year for the stupid review" site is like this. It's not like this is something that lets people steal money from me, sheesh! Sure, if it was an online banking, etc. password, but most of the sites that do this don't have any information worth a lock-out with a manual admin reset.

      The whole point of lock-outs was to preven

    • Ditto, right down to the three levels. I have a few of variations on my low level password (basically, add 123 at the end, capitalise and/or add an exclamation - to account for the all the (as you rightly say) ego-driven web sites. Sometimes I've just really had to get on a site, much as their rules annoy me).

      Even with the variants I can guess which it was in 3 or 4 goes max, if I've forgotten.

      Its a six character word that was the name of an old roleplaying character and is probably in the dictionary. Its a

  • Grab one of the available databases of hacked passwords. Train an arithmetic compressor on that dataset, so that if any part of the password is predictable it will be compressed better. It's the kinds of statistics you feed into this training process that are the key. Passing a random bit-sequence through your decompressor will generate something that could be a password, similar to those in the database you trained on. So enumerate through all short bit-patterns to generate a set of easily guessed passwords.
  • by Anonymous Coward

    Every fucking requirement on a password reduces the attack vector timeframes by orders of magnitude.

    Password must be more than 8 characters, with one upper, lower, number, and special character.

    You've eliminated every password from between 0-8 characters with any single catagory, two catagories, or three catagories combined. I'm not a statistics person, but thats a fucking lot of passwords that you've cut down attack dictionaries by. And in the name of security?

    The best security, if you let users set their

  • by Anonymous Coward

    It's not too surprising to find commonality among the set of cracked passwords. It may well be that the set of all used passwords and the set of cracked passwords share common mask distributions but I suspect that the fact that 50% of all passwords fall within the first 13 common masks is exactly why they were cracked. The passwords sucked.

    In the face of bcrypt it is useful to figure out how to more quickly crack the existing set of crackable passwords but it's not clear to me that this effectively broade

  • Attackers know to check for 'e' characters swapped with '3' characters. It's in their tables. It won't do shit. Words like asdfghjkl are in their tables. Duh.

    Do we need an article about how "hackers have realized people swap 'e' and 3!"? Yes, people are simply capping the first letter and it accomplishes little (the "complexity" requirement thus accomplished shit), duh and DUH.

    Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any br
    • by Tom ( 822 )

      Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.

      You can wait a long time, because there are too few computer scientists on the intersection of poetry, linguistic analysis and computer security to make that happen. You would need a good estimate of likely sentences used for input and that requires skills far outside the computing sphere.

      A statistical analysis will likely reduce the set of probably letter combinations somewhat, but probably not by more than one or two orders of magnitude. An analysis of word-beginning distribution of letters will gain you

    • by Anonymous Coward

      mhallifwwas is 11 characters. If the attacker knows that the password is all lowercase, then that's only log2(26^11) = 51.7 bits of entropy. If they know the hash, then they can easily crack it in less than a week on a modern PC with a decent graphics card. A decent sized botnet could crack that in less than a minute.

      If they know it's English, they can probably speed that up a bit more using letter frequency [wikipedia.org] (i.e. etaoinshrdlcumwfgypbvkjxqz). And if they know it's the first letters of a phrase, then they co

  • Using fail2ban, after 3 failed ssh logins it cuts access to the hacker IP for 20 minutes (iptables firewall)
  • math (Score:5, Insightful)

    by Tom ( 822 ) on Wednesday April 15, 2015 @01:02AM (#49476327) Homepage Journal

    Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:

    We think the complexity of a password made in accordance to a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.

    What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.

    That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptoanalysis terms, without taking user preferences into account.

    What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.

    • by Anonymous Coward

      There are roughly 300 * 10^6 people in the US. So 9 orders of magnitudes "off" is 0.3 people. Now why should I trust the rest of your math?

      • His math is fine. It's his civics estimate of US population that's a problem, and he wasn't claiming expertise there.

      • You seem to think the word "like" means "mathematically equivalent". It doesn't. Please move along to some other pedantry trolling.

      • by Tom ( 822 )

        Because 9 orders of magnitude applied down towards zero would give you 3.

        But the population of the US is closer to the zero point than the naive complexity estimate. To give a proper comparison of "we are wrong by relatively this much", you have to scale the offset correspondingly.

    • This guy is right explaining that dumb computation about password strength is stupid.

      However, I disagree with the conclusion. Asking people to learn impossible to retain passwords is not the solution. Force them to choose a not-trivial but not hard password (entropy >10000) and apply well-balanced password trying policies (100 tries max per month). Everyone will be happy this way.

    • by Bongo ( 13261 )

      Would it help if the people who came up with a password policy were then tasked with thinking up 100 passwords (each one to be used for one day) ?
      And then check back with them at the end and see what they chose for the last 20?

      • Comment removed based on user account deletion
      • by Tom ( 822 )

        No, it wouldn't help.

        The problem is techies thinking in techie terms. What would help is get a normal user into the room and give him an actual voice in the matter, when the policy is decided. You know, not John from the call center, but Frank the philosophy doctor who's now head of product management.

  • I've only skimmed the article, but I didn't see any mention of hash salting. Is the author assuming that the password hashes haven't been salted, or the salt has been recovered along with the raw password database, or am I misunderstanding completely and salting doesn't play a part here? Salting of password hashes has to be standard practice now, surely.
  • MickeyMinniePlutoDonaldGoofySneezyDocGrumpySacramento .... 8 characters and one capital.
  • It's not a secure password unless it is randomly generated. There are tricks you can use to make it more memorable, like using diceware instead of characters and numbers, but fundamentally if you came up with it, someone else can guess how you came up with it.

  • ...how many systems let you try new passwords ad-infinitum, rapidly? I know back when I was in college I could brute force Windows shared folders (script kiddie style), but nowadays I'd expect any semi-serious authentication system to limit the number and frequency of login attempts.

    I am not an IT professional engaging in rhetoric; I'm actually curious.

    • No, I think this attack is predicated on having already stolen the password database.
    • by j-beda ( 85386 )

      ...how many systems let you try new passwords ad-infinitum, rapidly? I know back when I was in college I could brute force Windows shared folders (script kiddie style), but nowadays I'd expect any semi-serious authentication system to limit the number and frequency of login attempts.

      I am not an IT professional engaging in rhetoric; I'm actually curious.

      No online system is fast enough to brute force an account even if they did allow you to try new passwords ad-infinitum - each attempt would take a second or two and that's just too slow for effective "cracking" I would think.

      I believe that the concern is for when there has been a data breach of some sort, and the "bad guys" have gotten the username/password file. The data in this file has been run through some sort of a one way function and thus you cannot just read the usernames and passwords out of it, bu

  • I've been told by a pentester that length matters more than anything. He said a password that is at least 14 characters or longer that doesn't contain any words or numbers that have personal meaning are the strongest to use. He also recommended using random dictionary words to make it easier to remember while keeping it strong.

Trap full -- please empty.

Working...