An Algorithm For Better Password Checking (technologyreview.com) 103
New submitter della writes: Password checkers — those things that tell you whether your password is strong or not — are good: various studies have found that they make users choose better passwords. Unfortunately, nowadays attackers use probabilistic strategies based on natural language processing to guess passwords earlier, and most checkers consist of heuristic rules that don't reflect well probabilistic attacks. To do better you could in theory simulate the attack, but if your password is not that bad, that would be very expensive or just unfeasible.
In a paper I wrote with Maurizio Filippone and presented at ACM's CCS conference, we show how you can take an attack model and a password, and through a simple formula come up quickly with a reliable estimation of how many guesses that attack would need to guess the password. You can use this to roll a better password checker, or — as we've also done in the paper — to compare different attacks.
In a paper I wrote with Maurizio Filippone and presented at ACM's CCS conference, we show how you can take an attack model and a password, and through a simple formula come up quickly with a reliable estimation of how many guesses that attack would need to guess the password. You can use this to roll a better password checker, or — as we've also done in the paper — to compare different attacks.
STOP IT! (Score:2, Insightful)
Stop saying my password is bad. If I make it more complicated, I won't remember it. So it would be even worse.
And making me change it every now and then is even more stupid.
Phonetic passwords (Score:2)
I'm a big fan of random phonetic passwords. The work well for my brain. Even a short base64 random letter password is harder for me to recall than a long phonetic password. Look at that co-author's butter tasting name " Maurizio Filippone". It's totally awesome to say that out loud. And do that 7 times right now and this evening you will still be able to say it. But you won't be able to recall 5(F{!X45*~d tonight. It's pretty easy to generate these where each phonem or di-phonem component has a very
Re: (Score:3)
Sure. I can remember one of those. But seriously the (r) and (c) symbols ... pray you never need type that in on someone elses laptop computer with an international keyboard and no numeric pad or a smartphone keyboard... etc.
But more importantly I can't remember dozens of those.
And password re-use is a bigger issue than using a good password.
I use a mix of a password safe for most passwords, and subset of passwords i need to use commonly are 'algorithmic' based on what i need them for / the sites name / etc
Re: (Score:2)
"But seriously the (r) and (c) symbols ... pray you never need type that in on someone elses laptop computer with an international keyboard and no numeric pad or a smartphone keyboard... etc."
The particular symbols are not important, they are just to appease any password strength algorithm. The actual value of that kind of password comes from the string of words than can be meaningful to the user without being statistically prominent.
Re: (Score:2)
The post I was responding to was specifically asking for symbol characters that weren't 'above the numbers'. (r) and (c) the examples given ... aren't even on most keyboards, and the methods for inputting them can be wildly variable, and a royal PITA to even know if you are doing it right if all you get as feedback is the usual asterisk.
Re: (Score:2)
Nope, seen this several times. Not easy to remember.
Re: (Score:2)
Nope, Bruce Schneier debunked this https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
Re: (Score:2)
Bruce Schneier isn't usually wrong about this stuff, but it seems he's serverely mistaken into what the XKCD/Diceware method [std.com] actually is. You're choosing four words totally randomly from a list of ten thousand or so. Knowing someone is using the diceware method, their password will (still) have 51 bits of security, way more secure than most passwords and even the scheme that he describes in the blog post.
Re: (Score:2)
Note that Bruce Schneier doesn't actually debunk it, he just assert that it is bad.
Compare that with the "Schneier Scheme" "take a sentence and turn it into a password." He thinks of a sentence and takes the initial letter for long words, the whole word for short words, a digit for number words or homophones of number words, and and a arbitrary list of some other manipulations. However, from a brute force perspective this is functionally equivalent to always writing out whole words since a password brute fo
Re: (Score:2)
Re: (Score:2)
Yeah, I give up.
(plasters stickynote on monitor)
Sick of Passwords (Score:3, Informative)
I don't even care if they're secure or guessable or lexographic or written down or whatever other bullshit I'm supposed to care about.
I am sick of these bullshit passwords and signins fucking everywhere. Every single site, every single service, every single day, input this, email that, account name, please re-enter, confirm, mandatory, change must contain a two numbers, must contain capital letters, cannot contain special characters, forgotton your password?
I've given up. Fuck it. I'll just lurk, post anonymously while I still can. I must have over 200 accounts out there and I just don't care anymore. It's too much effort to remember all this bullshit anymore.
Password1 (Score:4, Informative)
Lots of things really don't need highly secure passwords but insist on having ridiculous password requirements.
Case in point Xbox one must login to microsoft account to setup for the first time password must have at least one capital, at least one number, at least one symbol and at least 8 characters Password1~ is an acceptable password. Pita to type on xbox controller.
Netflix is a model for reasonable requirement's especially since it likes to log itself out at random. So less to type on wii remote is a definite plus. 4 letters minimum 0000 is an acceptable password.
Re: (Score:3)
at least one symbol and at least 8 characters Password1~
This leads to extremely common patterns, or classes of passwords such as ULLLLLLLDS, which can be pre-computed for cracking.
Knowing the 30 most common such topologies and allows an attacker to crack 90% of all passwords (according to leaked password lists).
Smart password checkers like the one of Kaspersky take that into account https://blog.kaspersky.com/pas... [kaspersky.com]
Here is a talk https://www.youtube.com/watch?... [youtube.com] and some material here: https://blog.korelogic.com/blo... [korelogic.com].
Re: (Score:2)
I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.
Of course the forbid process would take 1 second in order to block brute force attempts.
And you can pre-seed the database of hashes by using various dictionary lists and other sites' cracked password lists.
Over time you'll end up with unique passwords for all users that are not in any of the dictionaries.
Also, demand "pass phrases" instead of "passwords". 15 characters o
Re: (Score:2)
I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.
You can use a good bloom filter implementation for that.
Re: (Score:2)
Thus giving an attacker a handy way to simultaneously brute-force every account on the site. That's a horrible idea.
Re: (Score:2)
Pita to type on xbox controller.
To be fair, anything is a pita to type on an Xbox controller.
Re: (Score:1)
No, GP was correct. Written English is certainly a different set of registers from spoken English, but the original sentence is grammatical in neither. The original placement of "well" does not satisfy the correctness conditions of English syntax. It's not idiomatic. It's wrong.
Re: (Score:2)
No, GP was correct. Written English is certainly a different set of registers from spoken English, but the original sentence is grammatical in neither. The original placement of "well" does not satisfy the correctness conditions of English syntax. It's not idiomatic. It's wrong.
I didn't well understand that.
Define better (Score:3)
various studies have found that they make users choose better passwords.
By better do you mean harder for computers to guess or easier for users to remember and not have to write down?
Re: (Score:2)
Writing down a complex password is generally better and more secure than using a simple one. Attackers in China can't get into my desk drawer, and the lock keeps most who have physical access out.
Re: (Score:3)
Attackers in China can't get into my desk drawer,
Neither can you if you are not in your office.
Pass phrases are easy to remember but don't follow the "at least one caps, special character and number" general rule. "unicornscraprainbows" is a pretty good password.
Re: (Score:2)
Re: (Score:2)
various studies have found that they make users choose better passwords.
By better do you mean harder for computers to guess or easier for users to remember and not have to write down?
Yes.
Read the paper. Disagree with "symbols" (Score:4, Informative)
>> Symbols appear to be less predictable and placed in different locations of the password
I disagree with the paper's conclusion based on the passwords I've seen, which FREQUENTLY just end in a "!" or other common character. Here's a different paper that goes into symbol frequency; I pulled out the relevant bit.
In almost all cases (90%), only a single special character was used. The most popular special character sequences were all single characters: exclamation point (“!” – 29%), period (“.” – 19%), “at” symbol (“@” – 15%) and hash (“#” – 14%). These were followed by the single dash (“-“), dollar sign (“$”), space (” “), asterisk (“*”), and plus sign (“+”), each making up between 3% and 6% of the single-character special character population. Passwords containing multiple special characters mainly (68%) just repeated the same special character, such as “##” or “???.” - http://resources.infosecinstit... [infosecinstitute.com]
Re: (Score:2)
True story - my brother and I were at a financial services institution to take care of my mother's accounts when her Alzheimer's took over. So, he's creating a password and the system wouldn't take it -- it kept giving an obvious database error (not something that would normally be shown to an end-user). He showed me what he was typing and it contained a single-quote, something like "Mom's account". I told him to take out the single quote and it was happy.
I insisted that the representative get their deve
Re: (Score:2)
1) Some systems limit which special characters you can use!
2) I bet people don't like to use parenthesis, brackets, or braces because seeing mismatched pairs seems "wrong." Or maybe it's just programmers.
Re: (Score:2)
Sooooo True.
That's what happen when you fight against human beings : they work around you. We're constantly told that adding a special character makes your password so much stronger ... those people must be morons to think that because they enforce a special character, people will start using randomly generated password. We're human beings, not machines, so we'll choose myusualpassword1! and not 4@dE^5%3SfdSF because the first is so much easier to remember.
And that's actually fine : we're now all using
Re: (Score:2)
You failed to demonstrate your point. You show that symbols are not used in a way that would create the most entropy in the password. But that's not what the statement said... it said that symbols generally add more entropy than capitals or numbers. And unless you also compare the entropy added by capitals (barely 1 bit most of the time, capitalizing the first letter) or numbers usually a 1 at the end, or just a few digits at the end (and even fully random digits are only 3.2bits of entropy per character).
S
Re: (Score:2)
I think it is generally known and trivially obvious to anyone who has done any research or statistics on this subject at all that the requirement of special characters is a total failure and where enforced it actually reduces the search space instead of enlarging it, due to human nature and the simple heuristics you can use.
Re: (Score:2)
Except that if your company has no password policy and a bunch of bad stuff is done with a user's account, you can't hold the user accountable, because you are not sure that they did it.... and they were just following policy.
Also there are pesky things like getting audited that come into play.
Here's an idea (Score:4, Insightful)
Re: (Score:3)
Which is stupid anyways. If it is compromised by a competent attacker, then 3 months are far, far too long. If it is not compromised, then there is really no reason to change it.
Re: (Score:3)
And a competent attacker needs maybe a day. So this policy is exceptionally stupid even taking your argument into account.
Re: (Score:3)
Yes! Also, stop remembering the hashes of my past N passwords.
Forcing you to routinely change passwords, forcing the inclusion of mixed case or numbers or symbols, forcing you to not reuse a past password... net result is less security because most people will just end up writing their weird passwords down somewhere.
All of these restrictions aren't fixing the problem, just shifting elsewhere to be not the site's problem.
Re: (Score:2)
Stop making us change them every 3 months and we could come up with stronger passwords.
None of the websites I use require me to periodically change my password. Are there any well known sites with this requirement?
Re: (Score:2)
that isn't a web site thing, its a corporate thing. 30-days is an all-to common scenario. Friend of mine worked in a plant that had a disconnected network (no Internet). They were forced to use "complex" passwords with 30-day expiration and a history of the last twelve. Which was entirely ludicrous: what were they defending against? No one from the outside because it wasn't a connected network. An insider will just use the same post-it note that the user put on the monitor because they can't remember the pa
Re: (Score:2)
http://www.nicsezcheckfbi.gov/ [nicsezcheckfbi.gov]
Used to run background checks for guns in 36 states or so.
Password must be changed every 90 days
I think that should qualify as well known.
Really no surprise (Score:3)
I use randomly generated passwords of lowercase letters and numbers. Most "password checkers" tell me they are insecure. This just shows how bad they are. Bit it is good that somebody did a systematic evaluation of the problem. Maybe now the stupidity will decrease.
Re: (Score:2)
Depends on what security I need. Low-security: 8 chars, higher 12 chars, max 20 chars. That is 41 bit, 62 bit and 103 bit of entropy, roughly.
Re: (Score:2)
Yes, but I found that the mix of upper and lowercase letters is far, far more difficult to remember than just lowercase ones. For more bits just make it longer. Incidentally, 80 bits is about the spot were it will be secure for "the foreseeable future", so 119 bits is not really any better than 103 bits.
Re: (Score:2)
I use randomly generated passwords of lowercase letters and numbers. Most "password checkers" tell me they are insecure.
A random 8 byte password using only lowercase letters and numbers is more than a quadrillion times easier to crack than one that also includes uppercase and special characters.
This just shows how bad they are.
No, it just shows that they are designed for the common situation where a normal person is using a mnemonic password, rather than a geek using something random.
Re: (Score:2)
A password can be secure using only the letters 'A' and 'B' if it's of sufficient length.
I'll call your AlphaBeta, and raise you the binary digits.
Re: (Score:2)
I used to do that:
head -c 16 /dev/random | md5sum
then use the checksum. A nice, full 128 bits of randomness, and frequently rejected for being insecure. Now I do:
head -c 10 /dev/random | base64
The nice thing about 10 chars is you always get == at the end giving the required symbols. The rest is of course 80 bits of randomness. Sometimes it won't have a digit, so you have to repeat.
Fix the bloody short limits first ... (Score:2)
Some sites have a horrible password schemas:
* Want to put in 16 characters for a password (think passphrase)? Nope, not allowed because some idiot thought you shouldn't be able to enter more then 8 chars.
* Enter in a password only to have it rejected? Tell us _which_ characters are allowed and which ones aren't !
Re: (Score:2)
* Want to put in 16 characters for a password (think passphrase)? Nope, not allowed because some idiot thought you shouldn't be able to enter more then 8 chars.
Sounds like my old bank. If I want to be able to use an epic poem written in the original language (we do support Unicode, right?) I should be able to, or if I am reasonably smart I should be using a password vault and should be able to enter 128 random characters if I want but far too many sites like to have a limit on password strength. I also like the stupid security questions they present as I just use them as an added source of entropy and are filled with other random chars. It is rather interesting wh
Re: (Score:2)
* Tell us _which_ characters are allowed and which ones aren't !
Yes, please. It will make the search space so much smaller!
Re: (Score:2)
* Tell us _which_ characters are allowed and which ones aren't !
Yes, please. It will make the search space so much smaller!
Implying that that would be good for attackers. If this is the case, why have the restriction in the first place?
Re: (Score:1)
This one was pretty funny; http://thedailywtf.com/article... [thedailywtf.com]
Protip flog is not a good password on a golf website.
Password managers (Score:3)
The answer seems pretty obvious to me.
Re: (Score:2)
What's easier, teaching somebody who isn't tech savvy: A) how to use KeePass X or some other offline password manager; or B) to manually compose a bundle of strong, memorable passwords, to change them at least once a year, but not to re-use them, not to use them on any computer that could keylog them, and not to write them down or save them in plaintext?
The answer seems pretty obvious to me.
Tech savvy people get passwords wrong as often as non-tech savvy people.
This is because passwords aren't about technology in as much as they are about risk and I've met a lot of very tech savvy people who know nothing about managing risk.
When it comes to risk, you have to quantify the risk and then classify it. What is the risk of this password being comprimised, what are the potential results of it being compromised, so on and so forth. A lot of people never think about these things.
To me, I've go
Stop caring! (Score:3)
Let's stop caring about password complexity! It is a losing game. Let's stick with simple passwords that are super easy to remember and type.
Security shouldn't be limited to a single factor. Two factor authentication is what we SHOULD be using. Something you know (the password), and something you have (some physical device). U2F is a damn perfect example of this. You can use your phone as an authenticator. You can add the authentication codes on multiple devices in case you lose the primary. These codes generate a time based sequence of numbers, so even if some MitM attach steals the entire login session details, it'll only be valid for at best ~1 minute.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Allow pass phrases (Score:2)
From the article:
Making a password longer or including symbols was much more effective.
Yet so many systems limit password lengths and forbid special characters. Example: My bank is one of the top 20 largest banks in the US, and they do not allow special characters in their web banking.
Why is this still a problem? (Score:2)
Re: (Score:2)
Failing on attempts from the same IP? They spread them across millions of IPs
Failing on attempts on a particular account? Good luck explaining to your users why their accounts lock out every week and they have to come to you to unlock because of random people attempting to bruteforce them.
Failing on attempts within a time-frame? These things are long-running attacks, millions of attempts per second across the globe. They only have to get lucky once.
That said, it's not a brute-force that's your main prob
commentsubjectsaredumb (Score:2)
rrrybgdts
ttlshiwwya
ratrpfop
Nursery rhymes.
Here it is (Score:1)
NO, they are no good. (Score:2)
zxcvbn (Score:2)
I haven't seen zxcvbn mentioned before, a similar look at password strength from 3 years ago.
https://blogs.dropbox.com/tech... [dropbox.com]
Demo is here: https://dl.dropboxusercontent.... [dropboxusercontent.com]
Personally I like the output of http://www.kurtm.net/wpa-pskge... [kurtm.net] for passwords:
o|IRcWY;g_V]C}9'.@]@,]!YF.[Yj{K@QmuFCo%%!=~+ab,e2(pU97{V-)Qm*T
Re: (Score:2)
How about the shibboleth "xyzzy"?
personal responsibility (Score:2)
yes, please! (Score:2)
This is exactly what we need. An approach that tells users who strong their passwords actually are in real-life scenarios, and not how well they conform to some arbitrary policy.
The alternative, that's been used by some for more than a decade, is to run your own password cracker at night, and everyone whose password it cracks by morning is sent a mail telling them to change it.
We desperately need to get away from these awful policies that try to make passwords as random as possible for two reasons. One, the
Re: (Score:1)
dammit. now I have to change my password.
Re: (Score:2)