Cracking Passwords With Statistics
New submitter pjauregui writes: When users are asked to create a "secure" password, most sites simply demand things like "must contain 1 uppercase letter and one punctuation character." But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit. This article starts by asking the reader, "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst: They try any arbitrary password attack they feel like trying with little reasoning. His post is a discussion that demonstrates effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time-boxed approach to efficient and successful cracking.
For work I use really bad passwords (Score:5, Insightful)
They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.
Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.
Re: (Score:1)
I do something similar by continually incrementing the numbers on the end like: password1 ...30 days later... password2 ...30 days later... password3 ...30 days later... password4 ...30 days later... password5 ...30 days later... password6 ...etc.
This also has the wonderful effect of constantly reminding me of roughly how many months I've worked for this shithole company, as if I needed a reminder.
Re:For work I use really bad passwords (Score:5, Informative)
Re: (Score:3)
The best passwords are the random ones generated by password managers, but the silly rules prevent you from using them. They also prevent people from using secure "personal words" like that weirdly named village you passed through once on vacation. All passwords-by-rule tend to deteriorate to obvious word with initial capital with a 0 or a 1 on the end.
Re: (Score:2)
Re: (Score:2)
Yes, Calypso443521 contains a word that could exist in a dictionary, but is unguessable. Nobody would guess that it has any meaning, and with a personal number on the end, it wouldn't fall to any dictionary attack.
Are you crazy? There's only a million words in English and only a million six digit numbers, so the combination of real word + number has only a trillion possibilities. 2^40 possibilities, which will fall rapidly to a dictionary attack. It's as "strong" as 6 random, typeable characters.
The point of TFA is that while "12 characters, including three different character classes" sounds like 2^84, the reality is that people meet those conditions by using a real word with the first letter capitalized and a num
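The arithmetic in this reply (a million words times a million six-digit numbers, roughly 2^40, comparable to six random printable characters) generalises to any structure an attacker can assume. The following Python is an added example written for this thread, not code from the article or from any commenter. Its assumptions are the class sizes (26 upper, 26 lower, 10 digits, 33 specials including space, 95 printable characters in total) and the one-million-word dictionary from the comment. `pattern_keyspace` counts the candidates for a known structure such as word-plus-six-digits, `equivalent_random_chars` converts that to the length of a uniformly random string of the same strength, and `count_meeting_policy` uses inclusion-exclusion to count how many random strings satisfy a "one character of every class" rule, so you can compare what the rule removes on its own with what the predictable structure users adopt to satisfy it removes.

```python
import math
from itertools import combinations

# Character-class sizes for the 95 printable US-ASCII characters (space counted
# as a special). These are constructed assumptions for the example.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
PRINTABLE = sum(CLASSES.values())  # 95

# Pattern symbols: u/l/d/s = one character from that class, W = one dictionary
# word. The dictionary size is the comment's "a million words" figure.
SYMBOL_SIZE = {"u": 26, "l": 26, "d": 10, "s": 33, "W": 1_000_000}


def pattern_keyspace(pattern):
    """Candidates an attacker must try when the structure (e.g. 'Wdddddd') is known."""
    n = 1
    for sym in pattern:
        n *= SYMBOL_SIZE[sym]
    return n


def naive_keyspace(length, alphabet=PRINTABLE):
    """What the same password 'looks like' if every character were uniformly random."""
    return alphabet ** length


def bits(keyspace):
    """Guessing entropy in bits when every candidate is equally likely."""
    return math.log2(keyspace)


def equivalent_random_chars(keyspace, alphabet=PRINTABLE):
    """Longest uniformly random string over `alphabet` that is no stronger than `keyspace`."""
    n = 0
    while alphabet ** (n + 1) <= keyspace:
        n += 1
    return n


def count_meeting_policy(length, classes=CLASSES, alphabet=PRINTABLE):
    """Strings of `length` printable characters containing at least one character from
    every class, by inclusion-exclusion over the set of classes that are absent."""
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for absent in combinations(names, k):
            remaining = alphabet - sum(classes[c] for c in absent)
            total += (-1) ** k * remaining ** length
    return total


def policy_fraction(length):
    """Share of all random strings of `length` that a 'one of each class' rule keeps."""
    return count_meeting_policy(length) / naive_keyspace(length)


if __name__ == "__main__":
    structured = pattern_keyspace("Wdddddd")  # word + six digits, as in the comment
    print(f"word+6 digits: 2^{bits(structured):.1f} candidates, "
          f"~{equivalent_random_chars(structured)} random printable chars")
    print(f"13 random printable chars: 2^{bits(naive_keyspace(13)):.1f}")
    print(f"8-char strings that satisfy a four-class rule: {policy_fraction(8):.1%}")
```

Run on its own it reports the word-plus-digits space as about 2^39.9 (six random printable characters), against about 2^78.8 for thirteen genuinely random characters of the same length, and it shows that a four-class rule on eight characters keeps close to half of the random space (barely one bit lost); the orders of magnitude the thread talks about come from the structure people add, which `pattern_keyspace` models, not from the rule itself.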
Re: (Score:2)
There's only a million words in English and only a million six digit numbers, so the combination of real word + number has only a trillion possibilities.
This is why I use 7 numbers in my password, Jenny8675309.
Re: (Score:2)
It's as "strong" as 6 random, typeable characters.
That's still better than most passwords.
Your dictionary attack will only work if you are 100% correct about your guess. If you don't know the length of the number, then your attack will fail.
Re: (Score:2)
Re:For work I use really bad passwords (Score:4, Funny)
"personal words" like that weirdly named village you passed through once on vacation.
True. I spent last summer in Wales and the landscape is scattered with good passwords.
Re: (Score:2, Funny)
Just take all the vowels out. Oh, hang on a minute...
Re: (Score:2)
I guess 1337 vowels are out, too.
Re: (Score:2)
That is exactly what I did for a while, and for the same reason.
Then I thought out a different system which fits the rules and provides me with new passwords I can use more often that I actually need them. They are still not *that* secure but having to change passwords every couple of months is incompatible with having strong passwords.
Re: (Score:2)
"This also has the wonderful effect of constantly reminding me of roughly how many months I've worked for this shithole company, as if I needed a reminder."
But as your password pique causes its assets to shuffle off to Nigeria, you won't be working there much longer.
Re: (Score:2)
That works great if you aren't forced to have 6 characters different, as well. Our rules were 8+ characters, 20x without repeat, 6 char difference in each password, 30 day forced changes, at least one upper case character, and at least one punctuation. Through trial and error, I found the 6 characters different were based on position, so my solution was rotation - Pa$$w0rd becomes a$$w0rdP and then $$w0rdPa, etc. Works for a few months at least, and I only needed to memorize three strings. Never got cracked
Re: For work I use really bad passwords (Score:5, Insightful)
It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.
1. keylogger
2. some reduction attack
3. pass the hash
4. fake authentication request & server
5. etc
By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.
For non-work websites just remember 2 things:
a. DO NOT USE THE SAME PASSWORD
b. If it is financial, don't use the same username/email-address as other sites.
Re: (Score:2)
I do reuse the same password in places, but only on sites where I don't care if it gets hacked (and it amazes me how many times I've had to use it). What annoys me though is that I can't always use it as sometimes it's too long (?!), and I've had to adapt to having a version that includes digits and mixed-case (despite the fact that even the basic all-lowercase version is pretty much unhackable - hint: it's more than one word, it makes no sense, and it's not even English). But for important sites (banks, e
Re: (Score:2)
I have throw-away passwords I sometimes reuse as well, also for sites I need to register on and don't particularly care about (they also get a junk email account I never check). I will vary this password by using a trick - I use the last character in the site name as the first character in the password so it is rarely the same. Still not exactly secure, but easy to remember and varies the password by site. The rest of the password is usually some fantasy character name with flipped calculator/leetspeak lett
Re: (Score:2)
Brute force hasn't been a threat for years.
Re: For work I use really bad passwords (Score:5, Interesting)
Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.
Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.
Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.
I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).
And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.
Re: (Score:2)
. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).
And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
I had a similar system for a while. The problem? One of the sites that had one of my passwords got hacked. Then I had to change it for every other site in that "category" which was a lot of sites, and I'm sure even now that I've missed some. Plus now I have to remember a new password; but still the old one for any sites I missed...
Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.
Because if some rinky-dink f
Re: (Score:3)
I have no idea why I stopped doing this
Re: (Score:2)
I discussed the details of how you can do it here: http://it.slashdot.org/comment... [slashdot.org]
It's really the only solution. There are 2 modern threats to passwords: computationally weak passwords and compromised servers with poor practices.
It's easy to make a computationally strong password, and it's not hard to make it memorable. But poor HR/IT policies such as described here compromise good passwords (forcing rapid changes, disallowing long passwords, etc). So memorable passwords are not easy, in practice.
On t
Re: (Score:2)
I read your link.
The only problem left is that we can't compute hashes in our head, but there are hardware answers to that.
At which point using a password safe(s) on a trusted device is basically the same thing. Except more convenient. Since you can have as many safes as you want, with an arbitrary number of records in them, protected by passwords as is suitable to the class of passwords in them. It's less data entry on average to retrieve a password, and it eliminates having to worry about which sites you need a 123!@# tacked on the end, and which sites don't, etc.
Decent password safes also let you securely sto
Re: (Score:2)
They're close to the same thing, but they differ in the important places. An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".
It could possibly store non-sensitive data, like usernames, "123!@#" modifiers, or notes, but it's not required.
I will admit that it could be inconvenient, but I think it's a reasonable tradeoff for the simplicity and securit
Re: (Score:2)
An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".
That's fair, but it's also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc..)
It's not a practical solution if it doesn't actually exist.
Although there might be a market for a such a device.
It also still requires you need to memorize a password (even an easy one) for each situation. I have well over 100 passwords; and could not
Re: (Score:2)
That's fair, but it's also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc..)
It doesn't require the dedicated hardware, it's just an option (that doesn't exist yet...). I think it's likely a better option than products like the Mooltipass.
I use this approach currently, since I basically trust my desktops. I can also ssh to a server I trust, which is capable of doing it. You could do it now on a smartphone, but that's a tough platform to lock down. If you're desperate, you could find a website that can do it for you (googled quickly): http://pajhome.org.uk/crypt/md... [pajhome.org.uk]. Regardles
Re: (Score:2)
You could also use a system to vary the passwords. I use the last character of the site name (as I stated in a different post), but I've been migrating to a new system in the past couple of years, which is why I didn't care about divulging it. Let's say the new system is the first and last characters of the site (it is not) - I could then have sPa$$w0rdT for the password to Slashdot, and while it is essentially the same, it varies for most of my accounts. One hint - my new system sometimes excludes RSTNLE,
Re: (Score:2)
You could also use a system to vary the passwords.
[... describes system loosely...]
The problem I have with systems like this is:
One site won't let you have punctuation... another site requires it. One site says your password is too short. Another says it's too long. A site that was happy with your "system" password gets hacked and you have to change it.... and these exceptions build up over time rendering the system an exercise in futility.
Then eventually you get fed up with the exceptions, devise a new system and start all over again...
But if you miss any sites when you switch over you ha
Re: (Score:2)
You're making the mistake of thinking that your password system and their requirements need to be integrated: they don't. You can concatenate a strong password system with their weak requirements, and the result is still strong.
The only time it gets weaker is when they enforce a maximum length. Then you have to start dropping your secure input in favor of their weak requirements. But in this situation, your (internal) password/phrase isn't compromised, only the public version they get. Too bad for them.
Re: (Score:2)
You can concatenate a strong password system with their weak requirements, and the result is still strong.
But this requires I memorize "their weak requirements" for each site as this is not usually disclosed on the usual login page?!
And it still doesn't address the fact that if they get compromised I have to CHANGE my password.
If I'm using a 'system' to generate passwords, then I can't use that system for this site anymore, because the password the system generates for the site is compromised.
Re: (Score:1)
He's a self-described security expert, though, which trumps all of our real world experience.
Mat Honan's experience tells us that all it takes is ONE bad pick of an "unimportant" for re-using your password. I wonder if Tom here burns with a desire to address this point in his post, as well as adding something about personal security questions.
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
Re: (Score:2)
Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.
Yeah, that sucks.
I use a password manager as well, mostly because I'm lazy typing. It gives me the added benefit that if one of the sites gets hacked, I can check the PW manager to see where else I use the same PW.
You can use different passwords, if you like. I don't do it because it would mean that when I find myself without my PW manager, I'd be fucked. And it happens quite often that I do.
Re: (Score:2, Insightful)
Read to the end for a secret revelation.
The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.
Re: (Score:2)
Use a password manager with a really good password.
When you create an account, pick a "secret question" randomly, note it in your password manager, then MAKE UP an answer. "What's your mother's maiden name" - "Merkava". "What's the name of your first pet" - "Norelco".
Hard to guess the answer to a secret question when it has
Re: (Score:2)
Re: (Score:2)
Which I would then have to store in the notes section just like I do with the made-up answers?
Re: (Score:2)
Re: (Score:2)
The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.
These bullshit "security questions" are actually the weakest link. I don't use them. If the site enforces it, I fill them with noise.
Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.
Depends on your bank. Mine doesn't let me log in with username or password or any such crap. Also, every bank worth its money these days will use 2-factor authentication, or send a TAN by SMS or something like that. More and more banks will also send you SMS to inform you about every transaction made, so you can stop any abuse immediately.
Banks are among the few who actually t
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I have a similar categorization scheme, but I "salt" the PWs with a mnemonic that I use to vary the PW within each category. That way I only have to hurry and reset all my PWs in the category if two or more sites in the category get compromised, which increases the risk that the mnemonic can be derived. For a brute-force attack, if someone knows my password MiXedABUPC, it's just as hard to decrypt MiXedxyUPz as it is to decrypt adfOYcqC1B. Of course if you know (or assume) that I use a pattern, it's probab
Re: (Score:1)
Re: (Score:2)
Changing passwords doesn't make them magically more secure.
What do you hope to accomplish? If you have a good reason to change, change. If you don't, you change for prophylaxis, to stop someone who may have been using your account for something. But if you didn't even notice, what's the damage? And if he's a pro, he's also changed the password reset email address, at least on sites that don't send a notice to the old address.
You're doing a lot of effort for - what? If you can't answer that question, don't d
Re: (Score:2)
Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.
Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.
Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.
I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).
And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.
I'm with you. I have a common password for 90% of my websites. I have only 1 credit card, one bank, and one bill payment account. All others I pay via direct visit to the bank or via cheque. For the 1 and 1 and 1, I have three reasonably long passwords.
By the way, my passwords are characters from utf-8. So that you know, € and ¥ are used for some of my pwds. Not sure you can enter the euro or yen symbol on the default US keyboard layout. My financial passwords exceed 10 characters in length a
Re: (Score:2)
You're right on that. If you have an account on some random forum, you should treat the password you use there as if it has already been compromised.
Sorry that I thought that's so obvious it doesn't need to be mentioned.
Re: (Score:2)
a. DO NOT USE THE SAME PASSWORD
There needs to be a better mechanism for doing that easily. Extensions that hash your password with the domain name and a master password before sending work quite well, but mobile browsers often don't support extensions. Keepass with cloud sync isn't bad but means you have to manually find and copy/paste your password every time.
It seems like something that major browsers could easily implement natively. The hashing idea is pretty easy. Most of them will sync your random passwords for you, but that require
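The "hash your password with the domain name and a master password" extension described in this comment (and the hash-it-yourself scheme discussed earlier in the thread) can be written down as a small derivation function. The Python below is an added example for this thread, not the extension's code or any commenter's scheme. It assumes PBKDF2-HMAC-SHA256 as the hash, a 94-character output alphabet (printable ASCII without space) split into four classes, and a per-site `counter` in the salt so that one breached site can be rotated without touching the master secret or any other site's password, which is the objection raised earlier to deterministic systems.

```python
import hashlib
import string

# Output alphabet: printable ASCII without space (94 chars), split into the four
# classes a typical "upper+lower+digit+symbol" policy asks for (constructed assumption).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = string.punctuation
GROUPS = (UPPER, LOWER, DIGITS, SYMBOLS)
ALPHABET = "".join(GROUPS)


def derive_site_password(master, domain, counter=0, length=16, iterations=200_000):
    """Deterministic per-site password from a master secret and the site's domain.

    `counter` is what you bump when one site is breached: the password for that site
    changes while the master secret and every other site's password stay the same.
    Hypothetical scheme written for this example, not the extension's own algorithm.
    """
    if length < len(GROUPS):
        raise ValueError("length must leave room for one character of each class")
    # Domain is normalised so "Example.com" and "example.com" derive the same password.
    salt = f"{domain.strip().lower()}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)

    # Read the 512-bit key as one integer and peel off base-94 digits. Far fewer
    # than 512 bits are consumed below, so the modulo bias is negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])

    # Guarantee one character from every class at distinct key-chosen positions,
    # so the output passes the policy without a retry loop.
    free = list(range(length))
    for group in GROUPS:
        n, i = divmod(n, len(free))
        pos = free.pop(i)
        n, idx = divmod(n, len(group))
        chars[pos] = group[idx]
    return "".join(chars)


def meets_policy(password):
    """True if the password has at least one character from each of the four classes."""
    return all(any(c in group for c in password) for group in GROUPS)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    for site in ("example.com", "Example.COM", "example.org"):
        print(site, derive_site_password(master, site))
    print("rotated:", derive_site_password(master, "example.com", counter=1))
```

Two design points worth noting. First, the counter (and any per-site length or character-set exception) has to be remembered somewhere, so in practice a scheme like this still ends up with a small non-secret list per site, which is the point the password-manager advocates in the thread are making. Second, every derived password is a function of one secret: a site that stores passwords badly hands an attacker a value they can test master-secret guesses against offline at the speed of the KDF, so the master has to be a long passphrase and the iteration count is doing real work.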
Re: (Score:2)
Re: (Score:2)
Thanks, I'll try it.
Re: (Score:2)
One thing about work passwords (and in general, I'm assuming this is an AD or LDAP user account), any sane setup should lock the account after a certain number of guesses [1], so 15-20+ character passwords are not as needed, assuming the account isn't an admin account or a service account which never will have its password changed. (For service accounts, I like using a randomly generated 128 character Unicode passphrases because those accounts are set to not get locked due to brute force attempts, so they
Re: (Score:2)
I do the same. Turns out they only require 18 in a row to be unique :-) Though the rest of the requirements aren't so rigid, though needing to pick a new one every two to three months is ridiculous. That sort of guarantees that someone writes it down or uses a pattern.
Re:For work I use really bad passwords (Score:5, Insightful)
Here's some...
2015January!
2015February@
2015March#
2015April$
2015May%
2015June^
2015July&
2015August*
2015September(
2015October)
2015November-
2015December=
If it's too long, shorten to 3-letter months.
And for next year, you'll have another set of "unique" passwords so it doesn't matter if they demand it doesn't match the last 100 passwords.
Numbers, capital, punctuation it's got it all.
With a few modifications, you can come up with similar passwords that will obey any other rules you need.
Re:For work - You had ONE job... (Score:2)
Re: For work I use really bad passwords (Score:5, Informative)
I have 5 levels of passwords, as follows:
Level 1: Garbage sites that force me to register to read content, places that don't have AC that I want to comment, etc. - My password is monkeys103. Idgaf if you hack these sites. If they force punctuation I add a comma to the end of it. Who cares. Username could be anything because most likely I'm not coming back.
Level 2 - Sites where I have a reputation, but it's not attached to my real world persona. Like ArsTechnica, CNN, Ubuntu Forums, etc. I use a moderately complex password, 8 characters, no dictionary words. If it gets hacked, it sucks, but it's not the end of the world. Username is often similar among the sites because there's no real world connection.
Level 3 - Sites where they have personal information connected to the real world. Think Facebook, instant messaging, etc. I use a 10 digit password here, and if it gets hacked, I immediately change all of these sites so that none have the old password. Also all of them have different usernames.
Level 4 - Banking or any sites connected to my money (PayPal, for example). I have a very long and complex password for these (unique to each site, randomly generated), as well as any other security they offer (two factor authentication).
Level 5 - Email, because it's the master key. I use a unique password here, but I have somehow memorised it. My two email passwords are the same, which I know is a weakness, but it's safer than using two weak passwords. The password is the first letter from each word in a phrase, with added numbers and punctuation. Example (I like apples and pears - ilaap)
Also note that I use a password manager, which requires me to enter in a password (same as my computer logon) to autofill the form. So all in all I really only have to memorize five passwords, and typically only the password manager one.
Re: (Score:1)
Yes, this. I think that the "levels" idea is probably the best way to manage passwords, as it strikes a balance between uniqueness where it matters and not having to remember too many passwords.
Also, I would add one comment: not all sites that ask for personal information actually need it (e.g. why should Facebook know - and advertise!? - my real birth date; if people know me well enough, they'll know my real birthday. If not, tough; the site has no need for being given enough information to fake my ident
Re: (Score:1)
You mean this [xkcd.com]? (Obligatory XKCD).
You know, I think I should change my work password to "Correcthorsebatterystaple1" (2, 3, 4...) just because of the idiot policies. :-)
geeks never learn (Score:3, Funny)
quote
"Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure."
unquote
yeah, right, my mom is gonna stop and think about how a cracker looks at structure....
Re: (Score:1)
If you asked my mom to do this, she would be thinking about snack crackers.
Re: (Score:2)
quote "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." unquote
yeah, right, my mom is gonna stop and think about how a cracker looks at structure....
This. In fact, I would have probably said "there's your problem" after the second word in the summary, or at best, right after the first comma. The flaw is that users are creating passwords at all. Humans create passwords that are easy to remember, which almost invariably makes them terrible passwords. This is why pretty much every modern browser out there has the ability to create and store passwords for you.
The real solution is twofold: First, beat it into the heads of users that they should always le
Re: (Score:2)
"Humans create passwords that are easy to remember, which almost invariably makes them terrible passwords."
Of course, hard-to-remember passwords which will get stuck in yellow over the monitor are so much better.
Re: (Score:2)
The point being that humans shouldn't be creating the passwords, nor should they be responsible for remembering the passwords. They should have a password for their computer, and that's it. All other passwords are superfluous.
Re: (Score:2)
"They [humans] should have a password for their computer, and that's it. All other passwords are superfluous."
I don't think you have properly thought about the implications of what you are saying.
On the other hand, even with that single password, it's still either memorable, therefore easy to hack, or it isn't, in which case you turn again to the sticker on the monitor.
Re: (Score:2)
In relative terms, it is still a lot safer. Right now, cracking an average person's online accounts merely requires you to buy access to a botnet and use it to brute-force the account from a distance. By contrast, you can't readily do a brute-force attack on the login password for someone's laptop unless you either have stolen that
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This works fine... as long as the browser (or the HDD it's stored on) doesn't crash. The reason we use passwords is that we need something we can take with us anywhere, which pretty much limits it to "something you know" (as "something you are" - i.e. biometrics - isn't implemented for this sort of thing yet, and we tend to lose the "something we have").
Best kind of password though: the nonsense phrase. Easy to remember, hard to guess. I read "Beagles twirl whiddershins up my saxophone" in a magazine arti
it's quite simple really (Score:2, Interesting)
For anything that matters, I have KeyPass generate the most convoluted password allowable for the given authentication system. For anything else, well, that doesn't matter now, does it?
Re: (Score:2, Funny)
Single point of failure. Excellent.
Yeah, i don't trust the randomness of password generators either, so I always convert it back to binary from base 62, XOR it with about 95 random two-coin tosses (match=0, differ=1), and then convert it back to base 62 so I can write it as a [A-z0-9]{16} password. I do all of that inside of a 2m x 2m tinfoil blanket folded over and taped together like a sleeping bag and then grounded to a metal pipe. I do all the work on paper by hand, memorize the password, and then I shred and eat the scratch paper. After
Re: (Score:1)
The assumption is wrong. (Score:5, Insightful)
The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.
Complexity introduces incremental passwords, common passwords, safes, post its, support costs, complacency, single point of failures, easier social engineering, and easy passwords. All of which work against security. They don't have check boxes for these because they are hard to understand and measure.
So is complexity checked? Yes, OK move along sir. I SAID MOVE ALONG. GOOD DAY!
Re: (Score:1)
Re:The assumption is wrong. (Score:4, Informative)
The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.
That's consultant bullshit. The legal requirements are nowhere near this specific. It's only consultants that turn them into this nightmare of nonsense. I've worked in IT Compliance (SOX) for years. As long as you can describe why your password policy is good, it doesn't matter what it actually is. The problem is too many people don't invest the time to think a bit and simply take a so-called "best practice" and apply it. In way too many cases without reading to the end and realizing that this "best practice" was published in 1998 and may be a little outdated.
I hate your rules (Score:2)
I have a low-security password that I use all over the Internet, like Slashdot. I have a medium security password I use for Linux logins, and a high security password I use for bank accounts. Notice the security reference standard: money.
I hate it when my low-security password is rejected by some ego-driven web site that thinks I should memorize a special password just for them. FYI my low-security password has 7 lower-case letters and one special character in the middle. No digits! If you won't take tha
Re: (Score:3)
I hate it when my low-security password is rejected by some ego-driven web site that thinks I should memorize a special password just for them.
I also hate it when a web site locks you out completely, requiring you to contact someone to do a manual reset, for failing your password three times. At work, the "enter my goals for this year for the stupid review" site is like this. It's not like this is something that lets people steal money from me, sheesh! Sure, if it was an online banking, etc. password, but most of the sites that do this don't have any information worth a lock-out with a manual admin reset.
The whole point of lock-outs was to preven
Re: (Score:2)
Ditto, right down to the three levels. I have a few variations on my low-level password (basically, add 123 at the end, capitalise and/or add an exclamation - to account for all the (as you rightly say) ego-driven web sites. Sometimes I've just really had to get on a site, much as their rules annoy me).
Even with the variants I can guess which it was in 3 or 4 goes max, if I've forgotten.
It's a six-character word that was the name of an old roleplaying character and is probably in the dictionary. It's a
An approach I haven't tried yet... (Score:3)
Always been against the "must contain..." (Score:1)
Every fucking requirement on a password reduces the attack vector timeframes by orders of magnitude.
Password must be more than 8 characters, with one upper, lower, number, and special character.
You've eliminated every password from between 0-8 characters with any single category, two categories, or three categories combined. I'm not a statistics person, but that's a fucking lot of passwords that you've cut down attack dictionaries by. And in the name of security?
The best security, if you let users set their
Selection bias and circular logic (Score:1)
It's not too surprising to find commonality among the set of cracked passwords. It may well be that the set of all used passwords and the set of cracked passwords share common mask distributions but I suspect that the fact that 50% of all passwords fall within the first 13 common masks is exactly why they were cracked. The passwords sucked.
In the face of bcrypt it is useful to figure out how to more quickly crack the existing set of crackable passwords but it's not clear to me that this effectively broade
subjects are stupid (Score:2)
Do we need an article about how "hackers have realized people swap 'e' and 3!"? Yes, people are simply capping the first letter and it accomplishes little (the "complexity" requirement thus accomplished shit), duh and DUH.
Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any br
Re: (Score:2)
Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.
You can wait a long time, because there are too few computer scientists on the intersection of poetry, linguistic analysis and computer security to make that happen. You would need a good estimate of likely sentences used for input and that requires skills far outside the computing sphere.
A statistical analysis will likely reduce the set of probable letter combinations somewhat, but probably not by more than one or two orders of magnitude. An analysis of word-beginning distribution of letters will gain you
Re: (Score:1)
mhallifwwas is 11 characters. If the attacker knows that the password is all lowercase, then that's only log2(26^11) = 51.7 bits of entropy. If they know the hash, then they can easily crack it in less than a week on a modern PC with a decent graphics card. A decent sized botnet could crack that in less than a minute.
If they know it's English, they can probably speed that up a bit more using letter frequency [wikipedia.org] (i.e. etaoinshrdlcumwfgypbvkjxqz). And if they know it's the first letters of a phrase, then they co
fail2ban (Score:2)
Re: (Score:1)
math (Score:5, Insightful)
Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:
We think the complexity of a password made in accordance to a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.
What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.
That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptanalysis terms, without taking user preferences into account.
What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.
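As an added example (not from the article or any commenter), a small Python keyspace estimator covering the two calculations in this thread: the 26^11 figure for an all-lowercase 11-letter pass-acronym, and the gap between an 8-character policy read naively and the "word plus digit plus symbol" habit this post describes. The hashcat-style placeholder letters are a real convention; the 100,000-word dictionary size is an assumption.

```python
# Added example (not from the article or any commenter): estimate how many
# candidates a password structure allows, so the "policy" keyspace can be
# compared with the keyspace users actually draw from.
import math

# hashcat-style placeholders (real convention): ?l lower, ?u upper,
# ?d digit, ?s printable symbol, ?a any printable ASCII
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Candidates covered by a mask; literal characters count as one choice.
    '?u?l?l?l?l?l?d?s' -> 26**6 * 10 * 33."""
    space, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal, e.g. 'pass' in 'pass?d?d'
            continue
        if i + 1 >= len(mask) or mask[i + 1] not in CHARSET_SIZES:
            raise ValueError(f"bad placeholder at offset {i} in {mask!r}")
        space *= CHARSET_SIZES[mask[i + 1]]
        i += 2
    return space


def bits(keyspace: int) -> float:
    """Entropy in bits of a candidate drawn uniformly from the keyspace."""
    return math.log2(keyspace)


def naive_policy_keyspace(length: int) -> int:
    """The 'upper, lower, digit, special' policy read as if every position
    could be any of the 95 printable characters."""
    return CHARSET_SIZES["a"] ** length


def word_pattern_keyspace(dictionary_size: int, suffix_mask: str) -> int:
    """'Dictionary word + short suffix', the habit the thread describes.
    Assumes the word is one of dictionary_size entries (size is assumed)."""
    return dictionary_size * mask_keyspace(suffix_mask)


def orders_of_magnitude_gap(assumed: int, actual: int) -> float:
    """How far the assumed keyspace overstates the actual one, in powers of ten."""
    return math.log10(assumed / actual)


if __name__ == "__main__":
    print(f"11 lowercase letters: {bits(mask_keyspace('?l' * 11)):.1f} bits")
    policy, habit = naive_policy_keyspace(8), word_pattern_keyspace(100_000, "?d?s")
    print(f"policy {policy:.1e} vs habit {habit:.1e}: "
          f"{orders_of_magnitude_gap(policy, habit):.1f} orders of magnitude")
```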
Re: (Score:1)
There are roughly 300 * 10^6 people in the US. So 9 orders of magnitude "off" is 0.3 people. Now why should I trust the rest of your math?
Re: (Score:3)
His math is fine. It's his civics estimate of US population that's a problem, and he wasn't claiming expertise there.
Re: (Score:2)
You seem to think the word "like" means "mathematically equivalent". It doesn't. Please move along to some other pedantry trolling.
Re: (Score:2)
Because 9 orders of magnitude applied down towards zero would give you 3.
But the population of the US is closer to the zero point than the naive complexity estimate. To give a proper comparison of "we are wrong by relatively this much", you have to scale the offset correspondingly.
Re: (Score:1)
This guy is right in explaining that dumb computation about password strength is stupid.
However, I disagree with the conclusion. Asking people to learn impossible-to-retain passwords is not the solution. Force them to choose a not-trivial but not hard password (entropy >10000) and apply well-balanced password trying policies (100 tries max per month). Everyone will be happy this way.
Re: (Score:3)
Would it help if the people who came up with a password policy were then tasked with thinking up 100 passwords (each one to be used for one day)?
And then check back with them at the end and see what they chose for the last 20?
Re: (Score:2)
Re: (Score:2)
No, it wouldn't help.
The problem is techies thinking in techie terms. What would help is getting a normal user into the room and giving him an actual voice in the matter, when the policy is decided. You know, not John from the call center, but Frank the philosophy doctor who's now head of product management.
What about salting? (Score:1)
My password is: (Score:2)
It's not a secure password (Score:2)
It's not a secure password unless it is randomly generated. There are tricks you can use to make it more memorable, like using diceware instead of characters and numbers, but fundamentally if you came up with it, someone else can guess how you came up with it.
Fine theoretical work but.... (Score:2)
...how many systems let you try new passwords ad infinitum, rapidly? I know back when I was in college I could brute force Windows shared folders (script kiddie style), but nowadays I'd expect any semi-serious authentication system to limit the number and frequency of login attempts.
I am not an IT professional engaging in rhetoric; I'm actually curious.
Re: (Score:1)
Re: (Score:2)
...how many systems let you try new passwords ad infinitum, rapidly? I know back when I was in college I could brute force Windows shared folders (script kiddie style), but nowadays I'd expect any semi-serious authentication system to limit the number and frequency of login attempts.
I am not an IT professional engaging in rhetoric; I'm actually curious.
No online system is fast enough to brute force an account even if they did allow you to try new passwords ad infinitum - each attempt would take a second or two and that's just too slow for effective "cracking", I would think.
I believe that the concern is for when there has been a data breach of some sort, and the "bad guys" have gotten the username/password file. The data in this file has been run through some sort of a one way function and thus you cannot just read the usernames and passwords out of it, bu
Length (Score:2)
Re: (Score:2)
Neither, I put the number 1 at the end!1