Deloitte: Use a Longer Password In 2013. Seriously.

a user writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."

Secret Plans

[SJHillman]

I think some places encourage short passwords. StudentLoans.com is Citibank's site for, you guessed it, student loans. The MAX password length is eight characters. That only encouraged me to pay off my loan to them faster just so I wouldn't have to deal with security like that.

Of course, nowhere in the signup do they warn you that only the first eight characters of your password will be accepted, nor does the login box limit you to inputting eight characters. I signed up with abcdef12345678 and tried signing in with abcdef12345678 but it gave me password refused. By luck, I tried abcdef12 and it worked. Screw Citi and all of the others still using password schemes from the early 90s

Re:I love old news.

[SuricouRaven]

xapsdogien32
> Error: Must include at least one punctuation character.
xapsdogien32!
> Error: Must not contain a dictionary word.
xapsd_ogien32!
>Error: Maximum length twelve characters.
psd_ogien32!
> Error: Must include an uppercase character.
A1!
> OK

not my problem

[Charliemopps]

I've got logins for what... 200 sites? This is a problem for the sites, not me.
Passwords don't work. Think of something new. I can not remember 200 passwords that are 9+ characters, can't contain real words, have special charcters and God knows what else.

The solution for the end user? Don't use these sites for anything important. Don't store and personal information. Don't do business with sites that retain your credit card number and give you no option to not store it.

Re:I Got It!

[OzPeter]

A better question would be, what system would allow 1000 password guesses per second to be authenticated?

Irrelevant, as the cracking will happen offline after the bad guys have stolen your PW DB by exploiting other weaknesses in your system

Re:I Got It!

[AndrewStephens]

True, but nobody tries breaking into a system by logging in ten thousand times a second to a single account. The recent well-publicised break-ins resulted from the hashed password file being publicly available, either stolen through a vulnerability or maliciously leaked. If the attackers have the hashed passwords they can try them at a rate of millions or billions of attempts per second for as long as they want.

Re:Duh...OK.

[Capt.DrumkenBum]

44 actually.
You are only young once, but if you are lucky you can be immature forever. :)

Re:I Got It!

[vux984]

If you had people generate a four word pass phrase, it's quite likely that most of them would contain only words from a relatively small subset of the English language.

Which is why the computer would generate the phrase.

2Correcthorse4batteryStapple!

Varying capitalization, and optionally separating the 4 words with 3 character symbols adds: 2*2*2*2*90*90*90*5*4*3 possible permutations: 6.9e8

Now that's not bad, and it definitely is more secure than the plain 4 words. BUT:

Assuming 200,000 words in the dictionary. Simply adding 3 more words to the end gives you 8e15 additional permutations.

8e15 is a LOT bigger than 6.9e8

And now we are at 7 symbols either way.

Remembering 3 more words is both easier and ridiculously more secure too.

Peppering a passphrase with difficult to remember symbols is missing the point. If you want more security, just add another random word or two. Either method increases its brute force complexity, but perhaps counterintuitively, adding a few words is far more secure than mangling the pass phrase with a few symbols.

Re:I Got It!

[DarkOx]

The answer is yes but its not the guy you think doing it. We still live in a largely single factor authentication world. Since you used facebook as an example I will too, but hopefully you can see how and why similar issues could come up in other organizations.

You correct in that there are very few online brute force attacks, because as you say effective controls exist timeout intervals, lock outs etc on most systems. Somewhere there this is a file or table with password hashes, ideally salted. This is vulnerable to brute force because you don't use the 'system' to try and log in you build your own hash generator that works through a word list generating hashes and seeing if any match. The size of a good word list, say the Oxford dictionary, with each word also spelled with some typical numeric substitutions and followed by various arrangements of !, 4theWin! etc is pretty large. When you then multiply that out by the number of possible salt values you end up with a word + set of hashes that is many TB in size. Its to large to search efficiently with out special purpose built systems. This is known as a rainbow table; it used be popular but CPUs and GPUs have gotten so much faster they make sense in fewer cases.

Because searching the rainbow table takes so long and salts are now known to you its actually faster to generate the [list of salts] * [word list entries] on the fly and see if you match any of the password hashes. If you do match one you know know the password. This is the sort of attack people mean when they say brute force password attack now most of time.

So how would an attacker get the password file? Well in many cases it would be an inside job. Let assume facebook has a policy that employees are not allowed to bypass the privacy controls and access the pages of celebrities, politicians, etc. Admins can do it because its sometime a requirement of their job but the back end systems always audit this sort of activity. So someone abusing the master key will be punished. Now lets also suppose access to the master password file is also protected fairly well. Attempts to read it by non-authorized process etc are logged. Ah but what about if someone replaces a raid disk in a authentication server that was not really bad? Is it possible it could be read off a backup tape by an operator who knows the key etc. There are probably holes, insiders might use; even in mostly secure environments.

So now mister admin that really wants to know who K.Stu is banging this week can take the password file home with him and brute force it. Once he has her password, he can log in as her. The password not been rest, which might have been logged, or noticed by the user and reported etc, so chances are he can do whatever he wants with very little chance of detection and no audit trail that will point back to him, remember he has stolen the users identity. So yes he might have gotten the data anyway through other means but this way he can do it with everyone being unaware.

This is one of the hole that strong passwords and semi frequent rotation are seeking to close. The hope is if it takes enough weeks to brute force, you will have changed it by the time its been cracked.