Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

An Algorithm For Better Password Checking (technologyreview.com) 103

New submitter della writes: Password checkers — those things that tell you whether your password is strong or not — are good: various studies have found that they make users choose better passwords. Unfortunately, nowadays attackers use probabilistic strategies based on natural language processing to guess passwords earlier, and most checkers consist of heuristic rules that don't reflect well probabilistic attacks. To do better you could in theory simulate the attack, but if your password is not that bad, that would be very expensive or just unfeasible.

In a paper I wrote with Maurizio Filippone and presented at ACM's CCS conference, we show how you can take an attack model and a password, and through a simple formula come up quickly with a reliable estimation of how many guesses that attack would need to guess the password. You can use this to roll a better password checker, or — as we've also done in the paper — to compare different attacks.

This discussion has been archived. No new comments can be posted.

An Algorithm For Better Password Checking

Comments Filter:
  • STOP IT! (Score:2, Insightful)

    by Anonymous Coward

    Stop saying my password is bad. If I make it more complicated, I won't remember it. So it would be even worse.
    And making me change it every now and then is even more stupid.

    • I'm a big fan of random phonetic passwords. The work well for my brain. Even a short base64 random letter password is harder for me to recall than a long phonetic password. Look at that co-author's butter tasting name " Maurizio Filippone". It's totally awesome to say that out loud. And do that 7 times right now and this evening you will still be able to say it. But you won't be able to recall 5(F{!X45*~d tonight. It's pretty easy to generate these where each phonem or di-phonem component has a very

    • Yeah, I give up.

      (plasters stickynote on monitor)

  • Sick of Passwords (Score:3, Informative)

    by Anonymous Coward on Friday October 23, 2015 @01:17PM (#50789133)

    I don't even care if they're secure or guessable or lexographic or written down or whatever other bullshit I'm supposed to care about.

    I am sick of these bullshit passwords and signins fucking everywhere. Every single site, every single service, every single day, input this, email that, account name, please re-enter, confirm, mandatory, change must contain a two numbers, must contain capital letters, cannot contain special characters, forgotton your password?

    I've given up. Fuck it. I'll just lurk, post anonymously while I still can. I must have over 200 accounts out there and I just don't care anymore. It's too much effort to remember all this bullshit anymore.

  • Password1 (Score:4, Informative)

    by sims 2 ( 994794 ) on Friday October 23, 2015 @01:20PM (#50789153)

    Lots of things really don't need highly secure passwords but insist on having ridiculous password requirements.

    Case in point Xbox one must login to microsoft account to setup for the first time password must have at least one capital, at least one number, at least one symbol and at least 8 characters Password1~ is an acceptable password. Pita to type on xbox controller.

    Netflix is a model for reasonable requirement's especially since it likes to log itself out at random. So less to type on wii remote is a definite plus. 4 letters minimum 0000 is an acceptable password.

    • at least one symbol and at least 8 characters Password1~

      This leads to extremely common patterns, or classes of passwords such as ULLLLLLLDS, which can be pre-computed for cracking.

      Knowing the 30 most common such topologies and allows an attacker to crack 90% of all passwords (according to leaked password lists).

      Smart password checkers like the one of Kaspersky take that into account https://blog.kaspersky.com/pas... [kaspersky.com]

      Here is a talk https://www.youtube.com/watch?... [youtube.com] and some material here: https://blog.korelogic.com/blo... [korelogic.com].

      • by khasim ( 1285 )

        I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.

        Of course the forbid process would take 1 second in order to block brute force attempts.

        And you can pre-seed the database of hashes by using various dictionary lists and other sites' cracked password lists.

        Over time you'll end up with unique passwords for all users that are not in any of the dictionaries.

        Also, demand "pass phrases" instead of "passwords". 15 characters o

        • I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.

          You can use a good bloom filter implementation for that.

        • I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.

          Thus giving an attacker a handy way to simultaneously brute-force every account on the site. That's a horrible idea.

    • by bondsbw ( 888959 )

      Pita to type on xbox controller.

      To be fair, anything is a pita to type on an Xbox controller.

  • by jklovanc ( 1603149 ) on Friday October 23, 2015 @01:21PM (#50789161)

    various studies have found that they make users choose better passwords.

    By better do you mean harder for computers to guess or easier for users to remember and not have to write down?

    • by bondsbw ( 888959 )

      Writing down a complex password is generally better and more secure than using a simple one. Attackers in China can't get into my desk drawer, and the lock keeps most who have physical access out.

      • Attackers in China can't get into my desk drawer,

        Neither can you if you are not in your office.
        Pass phrases are easy to remember but don't follow the "at least one caps, special character and number" general rule. "unicornscraprainbows" is a pretty good password.

    • by mjwx ( 966435 )

      various studies have found that they make users choose better passwords.

      By better do you mean harder for computers to guess or easier for users to remember and not have to write down?

      Yes.

  • by xxxJonBoyxxx ( 565205 ) on Friday October 23, 2015 @01:21PM (#50789163)

    >> Symbols appear to be less predictable and placed in different locations of the password

    I disagree with the paper's conclusion based on the passwords I've seen, which FREQUENTLY just end in a "!" or other common character. Here's a different paper that goes into symbol frequency; I pulled out the relevant bit.

    In almost all cases (90%), only a single special character was used. The most popular special character sequences were all single characters: exclamation point (“!” – 29%), period (“.” – 19%), “at” symbol (“@” – 15%) and hash (“#” – 14%). These were followed by the single dash (“-“), dollar sign (“$”), space (” “), asterisk (“*”), and plus sign (“+”), each making up between 3% and 6% of the single-character special character population. Passwords containing multiple special characters mainly (68%) just repeated the same special character, such as “##” or “???.” - http://resources.infosecinstit... [infosecinstitute.com]

    • by MobyDisk ( 75490 )

      1) Some systems limit which special characters you can use!
      2) I bet people don't like to use parenthesis, brackets, or braces because seeing mismatched pairs seems "wrong." Or maybe it's just programmers.

    • Sooooo True.

      That's what happen when you fight against human beings : they work around you. We're constantly told that adding a special character makes your password so much stronger ... those people must be morons to think that because they enforce a special character, people will start using randomly generated password. We're human beings, not machines, so we'll choose myusualpassword1! and not 4@dE^5%3SfdSF because the first is so much easier to remember.

      And that's actually fine : we're now all using

    • You failed to demonstrate your point. You show that symbols are not used in a way that would create the most entropy in the password. But that's not what the statement said... it said that symbols generally add more entropy than capitals or numbers. And unless you also compare the entropy added by capitals (barely 1 bit most of the time, capitalizing the first letter) or numbers usually a 1 at the end, or just a few digits at the end (and even fully random digits are only 3.2bits of entropy per character).

      S

    • by Tom ( 822 )

      I think it is generally known and trivially obvious to anyone who has done any research or statistics on this subject at all that the requirement of special characters is a total failure and where enforced it actually reduces the search space instead of enlarging it, due to human nature and the simple heuristics you can use.

  • Here's an idea (Score:4, Insightful)

    by Nidi62 ( 1525137 ) on Friday October 23, 2015 @01:26PM (#50789191)
    Stop making us change them every 3 months and we could come up with stronger passwords.
    • by gweihir ( 88907 )

      Which is stupid anyways. If it is compromised by a competent attacker, then 3 months are far, far too long. If it is not compromised, then there is really no reason to change it.

    • Yes! Also, stop remembering the hashes of my past N passwords.

      Forcing you to routinely change passwords, forcing the inclusion of mixed case or numbers or symbols, forcing you to not reuse a past password... net result is less security because most people will just end up writing their weird passwords down somewhere.

      All of these restrictions aren't fixing the problem, just shifting elsewhere to be not the site's problem.

    • Stop making us change them every 3 months and we could come up with stronger passwords.

      None of the websites I use require me to periodically change my password. Are there any well known sites with this requirement?

      • that isn't a web site thing, its a corporate thing. 30-days is an all-to common scenario. Friend of mine worked in a plant that had a disconnected network (no Internet). They were forced to use "complex" passwords with 30-day expiration and a history of the last twelve. Which was entirely ludicrous: what were they defending against? No one from the outside because it wasn't a connected network. An insider will just use the same post-it note that the user put on the monitor because they can't remember the pa

      • by sims 2 ( 994794 )

        http://www.nicsezcheckfbi.gov/ [nicsezcheckfbi.gov]
        Used to run background checks for guns in 36 states or so.
        Password must be changed every 90 days

        I think that should qualify as well known.

  • by gweihir ( 88907 ) on Friday October 23, 2015 @01:40PM (#50789295)

    I use randomly generated passwords of lowercase letters and numbers. Most "password checkers" tell me they are insecure. This just shows how bad they are. Bit it is good that somebody did a systematic evaluation of the problem. Maybe now the stupidity will decrease.

    • I use randomly generated passwords of lowercase letters and numbers. Most "password checkers" tell me they are insecure.

      A random 8 byte password using only lowercase letters and numbers is more than a quadrillion times easier to crack than one that also includes uppercase and special characters.

      This just shows how bad they are.

      No, it just shows that they are designed for the common situation where a normal person is using a mnemonic password, rather than a geek using something random.

    • I used to do that:

      head -c 16 /dev/random | md5sum

      then use the checksum. A nice, full 128 bits of randomness, and frequently rejected for being insecure. Now I do:

      head -c 10 /dev/random | base64

      The nice thing about 10 chars is you always get == at the end giving the required symbols. The rest is of course 80 bits of randomness. Sometimes it won't have a digit, so you have to repeat.

  • Some sites have a horrible password schemas:

    * Want to put in 16 characters for a password (think passphrase)? Nope, not allowed because some idiot thought you shouldn't be able to enter more then 8 chars.
    * Enter in a password only to have it rejected? Tell us _which_ characters are allowed and which ones aren't !

    • * Want to put in 16 characters for a password (think passphrase)? Nope, not allowed because some idiot thought you shouldn't be able to enter more then 8 chars.

      Sounds like my old bank. If I want to be able to use an epic poem written in the original language (we do support Unicode, right?) I should be able to, or if I am reasonably smart I should be using a password vault and should be able to enter 128 random characters if I want but far too many sites like to have a limit on password strength. I also like the stupid security questions they present as I just use them as an added source of entropy and are filled with other random chars. It is rather interesting wh

    • by fisted ( 2295862 )

      * Tell us _which_ characters are allowed and which ones aren't !

      Yes, please. It will make the search space so much smaller!

      • * Tell us _which_ characters are allowed and which ones aren't !

        Yes, please. It will make the search space so much smaller!

        Implying that that would be good for attackers. If this is the case, why have the restriction in the first place?

  • by LichtSpektren ( 4201985 ) on Friday October 23, 2015 @01:50PM (#50789371)
    What's easier, teaching somebody who isn't tech savvy: A) how to use KeePass X or some other offline password manager; or B) to manually compose a bundle of strong, memorable passwords, to change them at least once a year, but not to re-use them, not to use them on any computer that could keylog them, and not to write them down or save them in plaintext?

    The answer seems pretty obvious to me.
    • by mjwx ( 966435 )

      What's easier, teaching somebody who isn't tech savvy: A) how to use KeePass X or some other offline password manager; or B) to manually compose a bundle of strong, memorable passwords, to change them at least once a year, but not to re-use them, not to use them on any computer that could keylog them, and not to write them down or save them in plaintext?

      The answer seems pretty obvious to me.

      Tech savvy people get passwords wrong as often as non-tech savvy people.

      This is because passwords aren't about technology in as much as they are about risk and I've met a lot of very tech savvy people who know nothing about managing risk.

      When it comes to risk, you have to quantify the risk and then classify it. What is the risk of this password being comprimised, what are the potential results of it being compromised, so on and so forth. A lot of people never think about these things.

      To me, I've go

  • by darkain ( 749283 ) on Friday October 23, 2015 @02:31PM (#50789675) Homepage

    Let's stop caring about password complexity! It is a losing game. Let's stick with simple passwords that are super easy to remember and type.

    Security shouldn't be limited to a single factor. Two factor authentication is what we SHOULD be using. Something you know (the password), and something you have (some physical device). U2F is a damn perfect example of this. You can use your phone as an authenticator. You can add the authentication codes on multiple devices in case you lose the primary. These codes generate a time based sequence of numbers, so even if some MitM attach steals the entire login session details, it'll only be valid for at best ~1 minute.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

  • From the article:

    Making a password longer or including symbols was much more effective.

    Yet so many systems limit password lengths and forbid special characters. Example: My bank is one of the top 20 largest banks in the US, and they do not allow special characters in their web banking.

  • I don't understand why brute force attacks can't be stopped by limiting the number of failed attempts on any given account name and password. After x failures on either, don't accept another attempt for y minutes. It can't just be stupidity, so what am I missing?
    • by ledow ( 319597 )

      Failing on attempts from the same IP? They spread them across millions of IPs

      Failing on attempts on a particular account? Good luck explaining to your users why their accounts lock out every week and they have to come to you to unlock because of random people attempting to bruteforce them.

      Failing on attempts within a time-frame? These things are long-running attacks, millions of attempts per second across the globe. They only have to get lucky once.

      That said, it's not a brute-force that's your main prob

  • Fifty posts, didn't spot acronyms.

    rrrybgdts
    ttlshiwwya
    ratrpfop

    Nursery rhymes.
  • def IsPasswordHackable(password): return True
  • They make you choose passwords like JaNjwMownpJu81% which is pure crap, hard to remember, easy to bruteforce. Most sites won't let you use pass phrases, which are much more secure that those cryptic bullshit.
  • I haven't seen zxcvbn mentioned before, a similar look at password strength from 3 years ago.

    https://blogs.dropbox.com/tech... [dropbox.com]

    Demo is here: https://dl.dropboxusercontent.... [dropboxusercontent.com]

    Personally I like the output of http://www.kurtm.net/wpa-pskge... [kurtm.net] for passwords:

    o|IRcWY;g_V]C}9'.@]@,]!YF.[Yj{K@QmuFCo%%!=~+ab,e2(pU97{V-)Qm*T

  • Services should not care about whether or not my password is easy to guess (easy to remember). They should only care about making sure nobody can hack into their data center and steal EVERYONE'S passwords.
  • This is exactly what we need. An approach that tells users who strong their passwords actually are in real-life scenarios, and not how well they conform to some arbitrary policy.

    The alternative, that's been used by some for more than a decade, is to run your own password cracker at night, and everyone whose password it cracks by morning is sent a mail telling them to change it.

    We desperately need to get away from these awful policies that try to make passwords as random as possible for two reasons. One, the

Keep up the good work! But please don't ask me to help.

Working...