Password Memorability and Securability

NonNullSet writes "Who would have thought that that something new could be said about how best to select passwords? Ross Andreson of Cambridge University and some of his colleages have performed new empirical studies and found some pretty non-intuitive results. For example: 1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed. 2. The second folk belief is that passwords based on mnemonic prases are harder for an attacker to guess than naively selected passwords. This belief is confirmed. 3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked. 4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each ap- peared to be just as easy to remember as the other. So this belief is debunked. 5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."

Freaking PDF files.

Freaking PDF files. Link to a version translated into HTML. By the time this goes live, maybe the FTP will be slashdotted, too. Thanks, Google.

I suppose I should make a comment. Okay, here it is: looks like users are still the weakest link in security. Whoever said that social engineering was the ultimate hack is a genius.

Google

[Mz6]

Google's HTML Cache Version

Consonant-Vowel Method

[Chess_the_cat]

Mitnick had a neat suggestion in the Art of Deception. The Consonant-Vowel Method. It provides an easy to remember password because it is pronounceable. You take the following template and swap in consonants and vowels: CVCVCVCV. The examples he gave are MIXOCASO and CUSOJENA. The point is they won't be in the dictionary but you can remember these nonsense words.

Re:Consonant-Vowel Method

[joelhayhurst]

There is also a unix utility called APG (Automated Password Generator) which will create pronounceable gibbrish passwords to your specifications. I usually use that, find one I like, then replace a few letters with l33t-speak numbers (to think, it has a use...).

Now keep them away from chocolate

[enkafan]

Yeah, passwords and standards are fine as long as you keep snickers out of the office

Length vs randomness

[SWroclawski]

One area I'd like to see would be strength of a password in terms of randomness, requireing use of characters, etc. vs length. Is an 8 character password with a punctuation mark better than a 10 character pasword with all lower case characters? If so, by how much?

Then we can determine a good password policy that fits with the security model at the facility.

Re:Length vs randomness

[pyro_peter_911]

One area I'd like to see would be strength of a password in terms of randomness, requireing use of characters, etc. vs length. Is an 8 character password with a punctuation mark better than a 10 character pasword with all lower case characters? If so, by how much?

An 8 character password using unique upper case, lower case, digits and punctuation has about 94 different characters. If we picked a random 8 character password from this we would have:

94_P_8 = 94! / (94 - 8)! = 94! / 86! = 94 * 93 * 92 * 91 * 90 * 89 * 88 * 87 = 4.4x10^15 permutations

A 10 character password using only unique 26 lower case characters has:

26_P_10 = 26! / (26-10)! = 26! / 16! = 1.9x10^13 permutations.

So, the 8 character password using all characters is about 200 times more difficult to brute force than the 10 character password only using lower case characters.

Peter

entering passwords is the biggest problem

[Whitecloud]

How many passwords have you got? turn on pc, open email, encrypted files, bank account login's, ftp login's, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometrc identification technologies, perhaps these could be put out for the general public to use?

Re:I just use my phone number.....

[Dr.+GeneMachine]

Hah! Now I also know how to reach you on the phone...

Use these...

[mcgroarty]

These are the best passwords ever:

jieph9Ee eik4zahW que8aiQu wahK6pee nie1eCho aNg2raew
exeif0Ta ooqu9Aye Eid7iici eiZ6boin Waeg5kah Mi9vegoh
eelae9Oo Ua7yojie Jiquaud5 Vohw7iwi Eit7laax Aesae2ax

They are relatively random, easy to remember (you can kind of pronounce all of them), and best of all, nobody has guessed a single one of them yet. I've been using these for years, and you should too!

I sense a good social engineering technique here

[Spatula+Sam]

"Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."

Random Passwords aren't the problem

[Stargoat]

The problem isn't with passwords. The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password, and then write even that simple to remember password down at their desk. The problem is with an HR department that doesn't care if IT policies are enforced, and management that doesn't care if HR isn't doing their job.

If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

Re:Random Passwords aren't the problem

[Gorbag]

Random passwords, password aging, etc. are indeed the problem. The human element is a constant, and humans aren't that good (these days) at memorization. So all you are doing by assigning a random password and/or aging, is making it more likely (bordering on certainty) the password is going to get written down and sticky taped to the monitor.

Catchphrases are far easier to remember, and simple mapping of words to punctuation symbols and numbers can go a long way to personalizing even a catchphrase. IT should train appropriate passwords, and run crack to catch problems.

Re:Random Passwords aren't the problem

[ericspinder]

The real problem is 30 day password expiration. Short password expirations are (I believe) the largest security hole in IT. On the user side, most people don't cannot keep coming up with new complex passwords every few weeks, they know that they will forget, so they get into the habit of writing down the password, or trying to create a "moving password scheme" that is easier to remember. Also is a problem is the lack of a consolidated logon, meaning that the current password will not be updated in multiple distributed systems. Many users who "follow policy" and fail to keep mental track of their password are heavy users of password reset, which creates "social engineering" problems.

Password reset is the number one help desk issue. All you need is some basic information about the user and a cracker could get the password reset to whatever they want. It's tough for companies to make resets as tough as they really need to be, the cost would be too high.

I believe that the best solution is to enforce complex passwords and allow those passwords to last 6 months or longer.

Re:Random Passwords aren't the problem

[Aapje]

The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password

No, the problem is with the password police who requires those women to change their password every month. While that theoretically improves security, in reality it makes it worse because people are prone to forgot their changed passwords and thus write them down. That is not the user's fault. That those 40 year old women can't remember their passwords, especially when they change every month, is a fact of life. Ignoring that fact, changing the situation from bad to worse, means that you are stupid, not the users.

</end rant about stupid sys admins>

Anyway, if you really cared about security, you would use smartcards, fingerprints or whatever. Passwords for regular users are about as secure as locking your front door and putting the key under the mat*.

*In a place I worked someone used 'secret' as a password and shouted it across the room. And yes, it was a 40 year old woman. ;)

If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

Sure, management is ultimately responsible for everything. But often, IT can also be blamed for not being informative enough. In the case of security, you should ideally have made a comparison between the security mechanisms and offer your boss a clear choice:
- Passwords without enforcement/whining = little security + easy for users
- Passwords with user enforcement = some security + hard on users
- Chopping off a finger for every bad login attempt = good security + lawsuits
- etc...

Spell it out and get management to agree what your job is, what others should do and what things can still happen. Of course, then management can still be unfair, but you will be happy knowing that you are being professional.

The #1 cause of poor passwords

[Shimmer]

Most of the time, people just don't care. And why should they?

I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.

Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.

So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.

Brute Force Attacks

[Afty0r]

Perhaps I'm crazy but I've always felt an application which allows a brute force attack is flawed.

Surely by this point in software development it should be regarded as standard for every program to LOCK access for a given account after X consecutive failed logon attempts?

Even setting this to something arbitrarily high like, say 1000, is more than any user would ever try before asking for help, but much MUCH MUCH less than any dictionary attack would require. Combine this with the possibility of real time notification for admins (facilitated by email/inter application messaging, or a small add-on service for the OS) when more than Y accounts are locked for this reason in Z minutes, and as a community we'd effectively end all dictionary attacks - or at least turn them into DOS attacks, but at least we'd know it was going on...

Re:No passwords...

[Glonoinha]

Stay late one night. After they are all gone walk from desktop to desktop. Look for post-it notes on the side of the monitor and under the keyboard, and in their drawers. The results will scare you, if your users are anything like mine, and I bet after that you start letting them pick less cryptic passwords.

Also, if you know their password there goes any semblance of Non-Repudiation. And if you can 'remind them' either you have a very short list of users and can remember them, or you have a written list somewhere - nifty, but a bad idea.

Mnemonics questionable

[Anixamander]

My menmonic, which should have been hard for people to guess, was "Please ask sister sally where's our rottweiler dog"

And the thing is, we didn't even have a rottweiler, it was a shepherd. But people still guessed it, so I don't use mnemonics anymore.

6. The sixth folk belief...

[cedmond]

Using the term "folk belief" more than once in a paragraph can become very annoying. This belief is confirmed.

Passwords? More like words.

[Sheepdot]

Let me give you some insight into how a 'cracker' looks at this since I just cracked an alpha-symbol-numeric Windows NT LM hash about an hour ago in about 5 minutes time. Your password isn't enough. You, as an administrator, have to get in there and modify the authentication scheme.

Or use SHA2. Cause I don't have rainbow tables to crack that. Yet. For those of you who don't or cannot follow security, the new buzz is creating your own crack tables in a couple of weeks or months. There is more info at the project rainbowcrack page.

The misconception that everyone has about passwords now (because we as sysadmins pushed it so hard in the late 90s, early 00s) is that alphanumeric is the way to go. With the advent of generating your own cracking tables, that is no longer the case anymore.

An alphanumeric md5 set of rainbow tables can be generated in about a weeks time with a 2.4 ghz processor. That's my rough estimate based on the couple days it took me to make the alphanumeric one for LM hashes.

I would highly suggest that if you want your users to come up with good passwords you have them make a "one-time" password, seed with a 20-character salt that looks like someone pounded the keyboard, and store it inside a SHA2 hash.

A good administrator is going to salt their passwords with a string of characters that already satisfies the "alpha-numeric-symbol" requirement. If there is any reason to do something other than the first name of your child it is to stop coworkers or friends or people that already know about you.

When using brute-force/guess method this is what I try first and my guess is that at least 1% of Slashdot fathers use this or a form of it as their pass. It's okay to be proud of your kid, but don't think you're honoring them by including them in your password.

Divorces and Passwords dont mix

[MajorDick]

Well when going through a really rough divorce (I had an easy one too) I was in serious fear , and justifably so of my Ex hacking accounts using some of my known Passwords , I like many others have a cycle of about 10 that are used interchangably. All these were , with the exception of 1 personal passwords. I found she was accessing my work mail and personal mail almost immediatley , Soooo I decided to have some fun with it, passing all kinds of bogus information into forged emails to myself. Then came court, she was ACTUALLY Stupid enough to bring up several points in court, my Attorney was aware and asked where she found this informationout, "Around, friends, etc" Bwwwahhaaaa talk about someone looking stupid she bought it hook line and sinker.

Sometimes easy to crack passwords are a GOOD thing :)

On another note, after I took her to the cleaners at court I decided to TIE one One, well....NEVER....and I mean NEVER....change you passwords while really drunk..it took me 2 days to reconfigure redit and reset all my passowrds I changed on that drunken celebration. I still have NO idea what some of them were or how I came to decide on their usage

Getting users to comply with password policy.

[TheTXLibra]

Well, having been a System Administrator, I can sympathize with this plight. Even a small non-compliance percentage is a bad thing, since there's only about 50-million cracker tools that will give the list of usernames for the network. Here's a few things I can recommend. Most are common sense, but just in case, I thought it might help:

1. Educate your users in 1337-speak. - You know, 3's as E's, 7's as T's, etc. Point out that they can make nearly any normal, easy to remember password more secure by using 1337-speak. This will help prevent tools like L0phtCrack from breaking the code in minutes, but rather might change it to days. I did a bit of security consulting and found this to be the easiest way of ensuring compliance at the user level. For added security, have them make phrases using the special characters. For instance $4Bugs is a rather secure six-letter password (though really I'd prefer 8+).
2. Fear Works Wonders - Divulge that if their account is hacked because of a non-compliant password, the entire office will know of it, and they will probably be lynched, but only after the cracker has stolen all their bank account info and ss#. This may or may not be the truth, but the people listening to you say this are the same people who are using their CD-ROM drive bay for a cup holder.
3. Tools a la Sneakers - Of course, you can turn on password enforcements, that's the first one. Now try to crack your own network. Not a Cracker? All right, then just go download YAPS, LANGuard, and L0phtCrack and run those. Yeah, they're only scripts, but unless your network has somehow garnered the attention of a serious cracker, the only ones assaulting you will be script-kiddies. So fill in the blanks, and see how your network holds up.
4. Given Time, Serious Hackers Will Get In - There's only so much security you can have without just simply yanking the network from any outside connections. If the network you are supporting is government, big-money, or anything of interest to a serious hacker, it is only a matter of time. Forced PW changes (every 14 days) or so, will help reduce this chance a lot, but will also anger your users. But if passwords are allowed to sit for 30 days, and a compliant admin-access password only takes 25 days to crack, then it will be cracked.
5. Sure, let them keep their PWs on stickies... IN A LOCKED CABINET - Most offices will give you a drawer with a lock on it. These locks are almost never used. Find the Facilities person for this office and get those keys. Let the users write down their PWs in a notebook or stickies, but make it clear they need to lock those books up at night or take them home. Getting a custodial job to crack a network by writing down PWs from stickies on the monitor is the oldest trick in the book (and by god, it still works great). If you catch someone with password stickies on their monitor, punish them.
6. Breed ph34r and paranoia - I printed out some old WWII propaganda posters and changed the lettering on them to refer to passwords and security. It was fun, livened up the walls a bit in the office, and served as a subtle reminder to the users that SAM the Cracker was always out there, trying to steal their (fill in the blank). Of course, in truth, we only had one serious hacking attempt, but it was a lot of fun scaring them, and it made them more attentive to possible security breaches. Sometimes annoyingly so, but hey, we never got cracked in the time I was there.

-The Libra
"You've got no kids, no wife, no job, and you're not in The Tigger Movie!!!"
- my best friend's son, Gabe, at 5 years old.

Alternative to memnonics -- pronounceables

[0x0d0a]

I occasionally like memnonic passwords, but another good alternative is a randomly-generated but pronounceable password. It turns out that we're much better at remembering passwords that we can pronounce. (Where "Voolakun5" is pronounceable and "zqx17yvy" is not).

FIPS-181 describes a NIST-endorsed system for producing pronounceable passwords. There is a GPLed FIPS-181 implementation here.

Sample run:

$ apg
dyijenuloa
bifliecar
yishjied&
IfHydrovia
yutsOlg/
DipUkcat

APG is a lot more sophisticated than this, and allows you to do a lot of tweaking of the types of passwords it outputs, print pronunciation guides. It's a good tool, IMHO, for security-conscious types to have around.

For Fedora Core 2 users, Red Hat does not package apg in the base distribution, but it is available from freshrpms.