Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

Your Passwords Don't Suck — It's Your Policies 487

First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"
This discussion has been archived. No new comments can be posted.

Your Passwords Don't Suck — It's Your Policies

Comments Filter:
  • by Anonymous Coward on Friday May 18, 2012 @06:30PM (#40047375)

    Every time a see a password like this "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"

    • Re: (Score:3, Funny)

      by ClioCJS ( 264898 )
      because it would take longer to type
      • by Anonymous Coward on Friday May 18, 2012 @06:46PM (#40047509)

        because it would take longer to type

        I disagree, my ability to type words in sequence each day has made me quite efficient at doing so, a garbled string on the other hand I am not. The lowercase, uppercase, numbers and symbols make passwords longer to type.

        With different passwords for each site (or at least each serious one such as banks) the garbled text approach is very inappropriate.

        As passwords are stored in as a hash created with a salt the password is always stored as a fixed value (128bit for MD5 etc) it requires no additional storage for the servers/databases.

        • Re: (Score:2, Interesting)

          by Anonymous Coward
          When sites like slashdot impose a maximum password length limit like 22 characters, it suggests to me that they don't infact store the passwords as hashes as you would expect. Also garbled passwords are going to be far harder for people to memorize if seen by accident.
          • Of course... if I can't memorize it, how the hell is anyone else going to memorize it?
          • Also garbled passwords are going to be far harder for people to memorize if seen by accident.

            Not if they do not recognize it as a password e.g. "Remember the lepton-jet meeting at 8am" would look more like a reminder than a password.

            • by donaldm ( 919619 )

              Also garbled passwords are going to be far harder for people to memorize if seen by accident.

              Not if they do not recognize it as a password e.g. "Remember the lepton-jet meeting at 8am" would look more like a reminder than a password.

              You could do this to the sentence in quotation marks "Rtl-jm@8am". Easy for you to remember but a real bitch for someone looking over your shoulder. Actually a better way is to poke the guy in the eyes who is looking over your shoulder :)

    • by ozduo ( 2043408 ) on Friday May 18, 2012 @06:35PM (#40047417)
      A white jacketed southern gentlemen's password is "This secret spice makes shit taste like chicken"
    • by SomeJoel ( 1061138 ) on Friday May 18, 2012 @06:36PM (#40047423)

      Every time a see a password like this "12ol3jkh!!asrdfw9g8"

      That's the password on my luggage!

      • Good job printing it on the outside...

    • by The Raven ( 30575 ) on Friday May 18, 2012 @06:39PM (#40047453) Homepage

      The reason to avoid understandable sentences is they have extremely low entropy per character. Or, put another way, they are easier to hack than their length would indicate. An xkcd password has about 1.5 bits per character of entropy; a normal English sentence has as low as 0.6 to 1.3 bits per letter, according to one study [wikipedia.org]. Given the simple and trite short sentences people would use for passwords, it's likely closer to 0.6, or about 20 bits of entropy for your example 'chicken' password, compared to 44 bits for a shorter xkcd password [xkcd.com].

      • by SilverJets ( 131916 ) on Friday May 18, 2012 @06:59PM (#40047607) Homepage

        Funny.

          According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

        Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

        • by sexconker ( 1179573 ) on Friday May 18, 2012 @07:14PM (#40047695)

          Funny.

            According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

          Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

          That estimate is generated by assuming brute force and a specific character set that contains all of your input characters.
          No one cracks passwords starting with brute force.

        • by roc97007 ( 608802 ) on Friday May 18, 2012 @07:47PM (#40047889) Journal

          Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

          Yep. (nods). Now if you excuse me, I have to change my password right now.

        • by LordKronos ( 470910 ) on Friday May 18, 2012 @08:03PM (#40048015)

          Actually, it's "correct horse battery staple". And the funny thing is, I didn't even have to look it up. As the comic says "you've already memorized it".

      • by felila ( 150701 ) on Friday May 18, 2012 @07:52PM (#40047929)

        I tried out the Analyzer program, and discovered that it only seemed to look for *English* words. Simple, easy-to-remember phrases in Tongan or French were rated as extremely strong (taking centuries to break).

    • by Kvasio ( 127200 ) on Friday May 18, 2012 @06:49PM (#40047529)

      because "This chicken tastes like shit!" password is more or less a "5-character password", but characters are selected not from ~26 but from say 50000.

      My guess is that after the referred xkcd strip brut force algoritms also put more emphasis to natural language sentences, etc.

      • Re: (Score:3, Funny)

        by pacapaca ( 1955354 )
        Clearly the solution is "tH15 Ch!ck3n tas7es l1k3 sH|t!"
    • Re: (Score:3, Interesting)

      by sexconker ( 1179573 )

      Every time a see a password like this "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"

      Because 12ol3jkh!!asrdfw9g8 is a good password and This chicken tastes like shit! is a terrible password.
      Please quote that XKCD comic all you like, it doesn't make it right.

      "Entropy" (can we please stop misusing this word?) is only a useful measure of password strength if you're brute forcing.
      Password crackers employ methods that are a teeny bit more sophisticated than brute forcing.

      • by spazdor ( 902907 )

        Why exactly do you think 'entropy' is the wrong word? It's a pretty well-formed concept in information theory.

    • by pgpalmer ( 2015142 ) on Friday May 18, 2012 @09:52PM (#40048645)
      "Your password must be six to eight characters and contain only letters and numbers."
      "Your password cannot be over twelve characters."
      "You have used this password before. Please enter a new one."

      I have my own password policies, and it's frustrating when I can't follow them.
  • Wrong (Score:3, Insightful)

    by DarkOx ( 621550 ) on Friday May 18, 2012 @06:35PM (#40047415) Journal

    The trouble with the pass phrase concept is that the whole words just become tokens. Most people's vocabulary is not that large. You could use a common spelling dictionary and toss in the like substitutions 0 for o excetra and you don't really have a key space much larger than normal 7 character or so passwords offer

    • Well, a "common" dictionary is still 200-300 words. And you can also use the name of a pet. So that is a X variable that is fairly large. So basically we have 300*300*300*300*X, and X is most likely larger than 500. Its still a lot of passwords, and then we have the spelling mistakes, writing the words as their litteraly are spoken, and a lot more. Just replacing e with 3, i or l wih 1 and 0 with o is just more noise to the pattern.
      Basically: XKCDs multiple word scheme is secure enough if its long enough. J

    • Re:Wrong (Score:5, Funny)

      by LordLucless ( 582312 ) on Friday May 18, 2012 @06:48PM (#40047521)

      Of course, your fiendishly clever non-standard spelling of et cetera would fool any such dictionary attacks.

    • Re:Wrong (Score:5, Informative)

      by wrook ( 134116 ) on Friday May 18, 2012 @06:55PM (#40047569) Homepage

      The average adult that has been to University knows 20,000 head words. A head word is a group of words with essentially the same meaning. For example, expect, expectation, is expecting, etc are all one head word. 26^7 is a little bit over 8x10^9. If a user picks 4 headwords for their passphrase, the search space is 20000^4 or 1.6x10^17. And that's if we just use headwords. If the user uses variations the search space is rather huge.

      You might say that 20,000 headwords includes a lot of strange vocabulary. But for instance, to get 95% vocabulary coverage in reading a newspaper you need just under 16,000 headwords. However, even if we restrict vocabulary to the most common 5,000 headwords (the average vocabulary of a 5 year old) we get a search space of 6.25x10^14.

      XKCD style passphrases are dramatically more robust than a 7 character alphabetic password.
       

    • Re:Wrong (Score:5, Insightful)

      by pongo000 ( 97357 ) on Friday May 18, 2012 @07:51PM (#40047919)
      The trouble with the pass phrase concept is that the whole words just become tokens. Most people's vocabulary is not that large.

      That's why you use a standardized list of tokens (mostly words, but some non-word tokens as well) such as Diceware [std.com]. With 7776 tokens, the keyspace is far larger than the "normal 7 character" password. The trick is to ensure that you are choosing the tokens randomly. You can use dice, your favorite random number generator [random.org], etc. I use several 4- and 5-token passphrases that I have remembered literally for years, each one unique. Type them enough times, and muscle memory takes care of the rest. Even after a period of non-use, it amazes me how my fingers will remember the passphrase but yet I can't recall the passphrase itself.
    • 2140^4 ~= 80^7

      I think most paid professionals could come up with a 2100 word vocabulary of words they can remember, especially if you bounce their choice when they use any of the 500 most commonly selected words - they could use the 500 most common, just that they wouldn't get credit for a common word being one of the four.

      A 4 to 7 word sentence is a hell of a lot easier to remember than 7 screwy characters.

    • Re:Wrong (Score:5, Interesting)

      by tknd ( 979052 ) on Friday May 18, 2012 @09:25PM (#40048525)

      Most people's vocabulary is not that large.

      Let's use the xkcd example: correct horse battery staple.

      Using a list of the 5000 most commonly used words, I was able to find rankings for 3 of the 4 words:

      • 1813 correct
      • 1291 horse
      • 3226 battery

      "staple" doesn't even appear on the most common 5000 word list. But let's assume it did at 5000. That means your dictionary now is 5000 words large. 5000^4 = 6.25 * 10^14.

      Now let's address your suggestion:

      you don't really have a key space much larger than normal 7 character or so passwords offer

      Now your average English keyboard has 47*2 = 94 type-able characters. 94^7 = 6.48477594 * 10^13. The xkcd example assuming it was smaller than it really was beat your suggestion by an order of magnitude.

      Now let's address how large people's vocabularies are. According to wikipedia:

      This translates into a wide range of vocabulary size by age five or six, at which time an English-speaking child will have learned about 2,500-5,000 words. An average student learns some 3,000 words per year, or approximately eight words per day.

      But 6 year old kids don't have much interesting personal information that people are really after like credit cards. Let's read further:

      A 1995 study estimated the vocabulary size of college-educated speakers at about 17,000 word families, and that of first-year college students (high-school educated) at about 12,000.

      http://en.wikipedia.org/wiki/Vocabulary [wikipedia.org]

      So let's re-do the calculations with 10,000 words: 10 000^4 = 1.0 * 10^16.

      Things will only get worse if you tell people to use numbers, names, special abbreviations, etc. For example it will be highly unlikely the following phrase will be in your dictionary: "5000 most common vocabulary". People can also use natural language and still fall way out of your dictionary: "yummy carne asada dinner". They can also use personal and vulgar language: "Stupid bitch Alice, never again".

  • by bu11d0zer ( 1074683 ) on Friday May 18, 2012 @06:38PM (#40047445)
    Any password policy that basically forces you to write down your password somewhere is broken. Sure, you can use a password vault but that's cumbersome for the various dozens of passwords strewn about the web and on mobile devices. But my biggest gripe is sites that lock you out (requiring a phone call) after 3 incorrect guesses. I could understand 100 incorrect guesses, but 3 guesses is not enough to recall a password when you have not used it in several months. One hundred guesses by a computer/hacker is nothing compared to the full password space.
    • My company's password policy is that you're not allowed to use password vault software.

      I wish I were kidding.

      Oddly, though, the new policy came out a month or two after the xkcd comic, and they *did* make a special exemption for using dictionary words and the other password complexity rules provided the password was of sufficient length.

      And I think most of the systems will lock out after between 3-5 failed attempts, but they'll automatically unlock after 5-15 minutes, so you don't have to call in.

    • by Solandri ( 704621 ) on Saturday May 19, 2012 @12:17AM (#40049341)

      But my biggest gripe is sites that lock you out (requiring a phone call) after 3 incorrect guesses.

      What's even more facepalm worthy is that when you call, they usually "verify" your identity using information about you which is frequently publicly available.

    • by doomday ( 948793 ) on Saturday May 19, 2012 @11:24AM (#40051749)
      100 attempts may be small enough to stop a random computer or hacker, but it may not be low enough to stop your buddy who figured out part of your password while you were typing and wants to play a prank. That is one reason the limit needs to be pretty low.
  • What puzzles me... (Score:4, Informative)

    by jbwolfe ( 241413 ) on Friday May 18, 2012 @06:40PM (#40047461) Homepage
    ...is why is it all so difficult to come up with some scheme to secure internet accessible resources. Corporate policy for me require password changes every 90 days and disallows any of the last eight passwords, and the use of letters and numbers. Effectively, I'm forced to write it down, negating all their efforts at obscurity. When will some bright CS geek invent a real solution to this problem. Is it that hard? Can't it be as simple as probing me for dynamic info that only I would know? How about visual methods- ask me who's in this picture of my co-workers or what is this family snapshot from my past, etc.?
    • why is it all so difficult to come up with some scheme to secure internet accessible resources.

      Its not.

      Its hard to come up with a scheme to do all of the following simultaneously:
      * Secure access to internet accessible resources from unauthorized use,
      * Permit access to internet accessible resources to authorized use,
      * Have a low per-user cost to implement and support
      * Be convenient for common users

      Can't it be as simple as probing me for dynamic info that only I would know?

      If its dynamic (rather than static,

    • If they know it, it's not something 'only you would know' (or it's a password, effectively). Family or coworker snapshots can be defeated with a bit of time on Facebook. Etc. The article above seems to think switching to a physical token is a solution - effectively switching from a combination lock to a keyed one. Which works in a controlled, corporate environment.

      But the problem is fairly complex: You need to come up with a simple, secure, easily implemented, quick way to distinguish a human from a mac

  • i.e. 7 characters one must be a non-character or capital.
    The result is that people like me chose passwords that a keyboard patterns that anyone could guess if they watched me type it.

  • by k3vlar ( 979024 ) on Friday May 18, 2012 @06:45PM (#40047501)
    The main problem is indeed the policies. While I (mostly) agree with the main statements TFA makes, I have my own note to add:

    My bank's website enforces a MAXIMUM length. I'd love to have a password like "c0rr3c7 h0r53 b4773ry st4p13", but I can't use more than 6 characters.
    Yes, you read that right. 6 characters. Maximum.

    I fear for my online bank info constantly .
    Why would there ever be a reason to enforce such a small maximum length? I don't get it.
    • by John Hasler ( 414242 ) on Friday May 18, 2012 @07:06PM (#40047645) Homepage

      > I fear for my online bank info constantly .

      And yet you continue to deal with that bank. Why?

      • Getting a new account and transfering everything is always a mess. Its hard to do. Human nature at its best.

    • by nzac ( 1822298 )

      Did you understand the XKCD comic?
      the whole idea is random. Those similar looking numeric substitutions are binary at best adding 13 bits at best.
      It's hard to remember the ones you chose and if you chose all of them you would only add 1 bit.

      • by Osgeld ( 1900440 )

        apparently you didnt understand

        a random short password is less strong than a simpleton long password

        if you mix the two you get even stronger, if you speek "leet" you would have read that password as normal english, and its something the OP could very easliy remember WHILE increasing length AND adding bits

        25 still beats the shit out of 6

        its not the content its the length

    • Re: (Score:3, Insightful)

      As someone with a rather embarassingly similar system to support, I can sympathize with your concern. We railed against the limitations of the software vendor when we switched to it, but their attempts to fix it caused new issues. At first we had a system that truncated the longer passwords our users had on the old system, and then later when they tried to expand the length of input, those users with longer passwords they'd been transparently using were suddenly getting told their password was incorrect bec

  • The problem with XKCD style passwords is the more characters in a password, the more likely I am to make a typo while entering it. I mistype a typical 8 character password a couple times a day. I can imagine what it would be like with a 25 character password.
    • The problem with XKCD style passwords is the more characters in a password, the more likely I am to make a typo while entering it. I mistype a typical 8 character password a couple times a day. I can imagine what it would be like with a 25 character password.

      Um..... practice typing more?

      The thing with xkcd type passwords is that they are made up of english words (or whatever your native language) which you have probably typed a million times before. How could you not type them correctly? I just typed this sentence without a single mistake and it contains 49 words.

  • Wow... (Score:5, Insightful)

    by NoMaster ( 142776 ) on Friday May 18, 2012 @06:57PM (#40047589) Homepage Journal

    Congratulations on winning the Slashdot trifecta - you managed to invoke the GPL, cite XKCD, and slashvertise your own project all in one!

  • Pwds will always be an easy security bad idea, because by the time a new pwd sec-theme is common cracks have been emplace for about five years.

    We need to get pass crazy/silly pwds to non-human dependent security. It will cost a little more, but increased productivity and better security will save oodles.

    Pwds are in the trench of the Maginot-line of security, stop wasting time and money, get to bio-PKI and beyond. Easy (to manage/implement or cheap) security is bad security physically/virtually.

  • A computer can't tell if a passphrase is random or guessable, even a human wouldn't necceserily be able to. XKCD/diceware style passphrases however are supposed to be easy to remember despite being completely random, so the proper course is to let the computer generate the passphrase.
  • by dskoll ( 99328 ) on Friday May 18, 2012 @07:44PM (#40047867) Homepage

    I use randomly-generated passwords (generated by reading /dev/random) that are at least 16 characters wrong. I restrict the character set to [A-Za-z0-9] which is a touch under 6 bits per characters, so I have about 95 bits of /dev/random-quality entropy.

    The passwords are stored in a file encrypted with a long passphrase. The long passphrase is probably the weak link, but by not reusing passwords across different websites and using randomly-generated ones, I'm fairly well-protected if one of the sites I visit has its password file stolen.

  • Q: "What is your pet's name?"
    A: "What are stupid questions I don't want to answer truthfully, Alex?"
    .

    Also unwise is to have web sites save your info, especially credit card info. Someone cracks the db and you are p0wned.

    It is more than just passwords...Heh, don't click that link, Grandma!

  • by kriston ( 7886 ) on Friday May 18, 2012 @10:44PM (#40048933) Homepage Journal

    The highly secure NSA and DoD password policy is very thorough, but one thing was left un-noticed about this policy. You can create a valid password by merely running your finder down a colum of the keyboard, and then holding down the shift key and doing the same thing. Really!!

    To wit, this password is valid. Run your finger down the left-most column of your keyboard: 1qaz2wsx
    Then hold down the SHIFT key and type !QAZ@WSX
    Presto, you have a valid password that meets all the security requirements the NSA and DoD have imposed upon you.

    Now that's okay for creating system images for deployment.

    In 45 days when you need to change your password again, just shift to the next row of your keyboard. This will keep you okay for a couple of years or so until you run out of keyboard rows to use. Then, you just do it backwards. It really is that simple.

    Try it!! It's almost unbelievable.

  • Major bugs (Score:4, Interesting)

    by Georules ( 655379 ) on Saturday May 19, 2012 @12:21AM (#40049351)
    Just did this:
    Start with "awesomepasswordtoday"
    1 year, 8 months
    Go to "awesomepasswordtoday000"
    7 centuries, 8 decades
    Go to "000awesomepasswordtoday000"
    less than 1 day

    This tells me there is something in the logic that makes it a pretty unreliable metric of password strength.

If you have a procedure with 10 parameters, you probably missed some.

Working...