Password Memorability and Securability
NonNullSet writes "Who would have thought that that something new could be said about how best to select passwords? Ross Andreson of Cambridge University and some of his colleages have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic prases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the
other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each ap-
peared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a
non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times
harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
How many passwords have you got? turn on pc, open email, encrypted files, bank account login's, ftp login's, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometrc identification technologies, perhaps these could be put out for the general public to use?
Do you need a website upgrade?
I'm confused as to why you would care how strong the passwords your users select are. As long as you control the authentication system, you can prevent repeated guessing--the days of globally-readable encrypted password files are gone. If you get more than a small number of failed guesses on a given account or from a given address, you cut off access, at least for a time.
The key is to detect the attack.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.
Hoist Number One and Number Six.
Statistically speaking, a 400 person focus group is going to so accurately represent the population from which they were selected it is almost overkill. Bear in mind, however, that they don't represent users in general, but computer users that are smart enough to get into college, aged roughly 18-19 years old, and open minded enough to participate in a college survey regarding passwords on computers.
But yes, 400 people is way more than enough - heck you can usually predict the outcome of most elections using exit polls asking less people than that.
Glonoinha the MebiByte Slayer
Most of the time, people just don't care. And why should they?
I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.
Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.
So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
It just doesn't matter. It still going to be written on a yellow sticky and stuck on the screen.
Another thing to remember is that rules like this just make brute-forcing simpler. There are 2.18*10^14 mixed-case alphanumeric 8-character passwords, but only 3.11*10^10 mixed-case consonant-vowel passwords (1/7000th as many possibilities), and only 1.2*10^8 single-case C-V passwords.
Forcing 8-char passwords is just as inadvisable. There are 6.16*10^15 possibilities for 6-8 character passwords made up of all typeable characters (ACII 33-126). That'll take 195 days to search the whole keyspace at 1M tests per second. And hopefully your password rotation is more often than that.
Perhaps I'm crazy but I've always felt an application which allows a brute force attack is flawed.
Surely by this point in software development it should be regarded as standard for every program to LOCK access for a given account after X consecutive failed logon attempts?
Even setting this to something arbitrarily high like, say 1000, is more than any user would ever try before asking for help, but much MUCH MUCH less than any dictionary attack would require. Combine this with the possibility of real time notification for admins (facilitated by email/inter application messaging, or a small add-on service for the OS) when more than Y accounts are locked for this reason in Z minutes, and as a community we'd effectively end all dictionary attacks - or at least turn them into DOS attacks, but at least we'd know it was going on...
Stay late one night. After they are all gone walk from desktop to desktop. Look for post-it notes on the side of the monitor and under the keyboard, and in their drawers. The results will scare you, if your users are anything like mine, and I bet after that you start letting them pick less cryptic passwords.
Also, if you know their password there goes any semblance of Non-Repudiation. And if you can 'remind them' either you have a very short list of users and can remember them, or you have a written list somewhere - nifty, but a bad idea.
Glonoinha the MebiByte Slayer
I second the HTML version. Good old Adobe - popped up a nice little window in the background bugging me to update and stalled the IE process. Since the window went to the background, all I could see was the stalled process, and I killed IE, which, of course, closed all my windows. I hate pdf files...
Anyway, here's a consideratoin: semi-disgruntled employees. For example, I'm not disloyal enough to actively seek to damage the company's systems or information, but with the way they treat employees, and the way my dysfunctional department operates, I'm not loyal enough to sit and try to think of strong passwords every month. So, I come up with creative ways to circumvent the draconian password policy instead. Ironically, some of my stronger passwords have been defeated by this overly strict ruleset and wound up with me simply appending a character to a weaker password to get around it.
The lesson: draconian password policies hurt security and audit your password lists on a regular basis (at least randomly sample them regularly). Most of your users probably don't give a crap about their passwords because they don't give a crap about what happens to the company's systems and information.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Length and randomness go together and it should never be an either/or decision.
Plus it's difficult to factor in the domain of characters an attacker will use to brute force a password. Throwing in a puctuation mark on a relatively short password will be strong against any attackers who use only alphanumeric characters in their cracking scheme. But the first attacker who does include said punctuation will crack a short password relatively quickly.
L0phtcrack probably has the best approach in which a basic dictionary attack, then a hybrid attack by attaching numerals and punctuation on to the end of a dictionary word. Etc..
But really, if you're not using a dictionary word as your password, the chances of a brute force attack being successful are very low.
An attacker is going to get your password through other means such as keylogging or packet sniffing.
Passwords are really only one tiny piece to the whole security plan and I think it's too focused on. How about more on how to physically protect a machine, how to prevent keyloggers or packet sniffers. How about social engineering? That's one of the last topics (if at all) to be covered during discussions about security.
-The Libra
"You've got no kids, no wife, no job, and you're not in The Tigger Movie!!!"
- my best friend's son, Gabe, at 5 years old.
-The Libra
"Please be patient--The future will begin momentarily."
4. Encryption software tends to be hard to use, and to use it, you have to understand quite a bit about encryption. (What's a keychain? What's a public key? A private key? What do I do if my private key is compromised?)
Personally I use a GPG-encrypted file, but quepasa does sound like a neat idea. My only misgiving about it is that it still requires users to have a clue, and the point of the article seems to be that having a clue (or caring enough to make an effort) is the limiting factor.
Find free books.
Making this kind of argument is valid only if it is practical for people to use passwords from a maximum-entropy pool of acceptable passwords. Think about this for a second: what you are talking about, strictly speaking, is a cryptographic key. However, we keep using the term password. The difference is subtle but significant, and it is the crux of the issue in the article (RTFA). Passwords are a kind of word, used as a cryptographic key in this case. So, they are the intersection of the set of things that can be words and the set of things that can be cryptographic keys. If you get too strict with the definition of either of the two sets, you risk shrinking the intersection to a cryptographically insigificant number of brute-force attempts.
Rules like this do *not* make brute-forcing simpler. What we need is more like them. Instead of forcing people to use a selection of truly random numbers as passwords, we should have a cornucopia of different mnemmonic password generation algorithms with different inputs that are likely to differ greatly (in two dimensions) from person to person and over time. The total brute force guesses would be the UNION of all of those sets, and they would also meet human factors requirements. The way to improve cryptographic security of passwords is to *increase* freedom, and to discourage conformity. Specifically ruling out different password mnemmonics actually shrinks your pool of brute-force possibilities and thus weakens your scheme. It is acceptable for some people to use dictionary-weak passwords sometimes as long as there is a much greater likelihood at any one time that they will not.
The bigger the dictionary, the closer the attack comes to brute-force keyspace searching. GROW the dictionary to obtuse proportions!
--- Nothing clever here: move along now...
Take a song that you like, and use the first letters of each line as your password.
If your password requires numbers or special characters, use the line number of the song, plus its shifted equivalent.
If it requires both upper and lower case, use one upper-case letter, the same position each time.
For example:
A long long time ago,
I can still remember
How that music used to make me smile.
Month 1: aLlta1!
Month 2: iCsr2@
Month 3: hTmutmms3#
etc.
Each year, pick a new song.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana