Slashdot Mirror
Enforcing Crytographically Strong Passwords
Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"
I'm just a *nix and Windows luser. After struggling with tens of passwords for years, keeping them (relatively) secure, difficult to guess, etc., my employer is starting to press hard on even more regulations and ended up changing my password cycles. I can't keep up any more. I've had to get passwords reset monthly for about 6 months so far because I get locked out due to bad password entries. I just had to ask for advice on keeping them straight.
Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.
Either use single sign on or an honest assessment of whether or not every f-ing application and web site in the intranet needs it's own f-ing password. Some things are just not so important that they need a password especially if they are already relatively safe within the corporate intranet.
To use the example above, I'd be more than willing to think up and use a long, randomized password if it was the only one I had to remember to do my job and I only had to change it once every 90 days or so.
Waltz, nymph, for quick jigs vex Bud.
I use password safe to keep all my passwords. I used to have password overload and ended up using the same password for tons of sites. I eventually came to the decision this was a really dumb idea and shopped around for a solution. Now I just use password safe to generate proper random passwords for all my web sites and accounts. All you have to remember is one master password.
The only problem is that it is not very portable in that if I am not on my own computer I don't have access to the password data base.
The bikini - security through obscurity since 1943
I like to pick a pattern on the keyboard, and then use that, alternating shift. If you were to ask me what my password is, I really wouldnt know unless I'm sitting at the keyboard.
:LKPOI)(*890iopkl;
Now, this is NOT my password, but it may have been at some point, but for example
As you can see, that password would be difficult to guess and crack, since it contains number, symbols, upper and lower case, 18 characters, and has no dictionary words in it.
Try and type that password and you'll see how easy it is to remember.
Don't Tread on Me
Mag strips!
Put 32 random bytes on a magstrip and hand it to your user. Oh but Tom, what if they lose the card or it's stolen? Yeah simple plan for that.
USER: "Yeah hello sysadmin? I lost my card."
ADMIN: "Ok. Your account has been temporarily deactivated please pick up a new card."
If you're a company/group/etc that is worried about security you can afford a keyboard with a magstrip reader (they're not that expensive).
Tom
Someday, I'll have a real sig.
This subject comes up a lot. It's been on /. in various forms in the past. In fact, I think I'll just cut n paste a previous comment of mine :)
----
I'm sure I'm not the only one who occassionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious, no randomization/separation of key sequences) but things like !@()ZX>? or QW./>?wq
Hell, half the time I remember friend's phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.
Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?
It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?
Do not taunt Happy-Fun Ball
My passwords are typically 10-12 characters (a-z,A-Z,0-9) long randomly generated strings. I don't learn or remember them in the sense that I could write them on paper or spell them out. Instead, my fingers learn them. Each password has a specific feel, rhythm or a sequence of finger movements to it and as long as I can remember which sequence belonged to which account, there's no problem.
The owls are not what they seem
Are there any projects / discussions regarding password expirations linked to password complexities?
If I chose a password of "random", the computer could reject it and now allow me to use it.
If I chose a password of "r4nd0m11" it may allow me to use it for a month due to it being complex.
If a chose a password of "1tst00b4dth4t1c4ntyp3l33tsp3aks0w311", it may allow me to use it for 3 months.
All of this could be controlled by a policy created/configured by the system administrator and could include things like:
- Does the password have letters and numbers
- Does the password contain non-numerical/alpha numbers (!@#$%^& etc)
- Does the password contain more than X characters
So on and so forth. Based on that criteria, it would then set the expiration on that password to the sysadmin configured timeframe.
Just a though.
Force users to remember password that are cryptographically strong? Impossible.
Having an 8 characters long password with letters was ok in 1995 or so, when computer power was unable to decrypt password by brute force.
Today, cryptographically strong means : with lower and upper case letters, with numbers and special characters, and long enough (at least 16 characters).
How the f*** do you want someone to remember that kind of password (I do, but I don't expect Joe User to do it).
The future is not in longer passwords or passphrases, but other cryptographic means.
The guys from the article should think of something else. The future is about biometrics or 256 bits keys embedded in small cards.
The password era is almost over dudes, let's get used to it.
Here's a little trick I've been using recently, I don't remember a password, I remember a phrase. Such as Ten and twenty blackbirds baked in a pie, boiled down to create 10&20bbb1@p. It looks pretty random to the average person, but a lot easier to remember than pure randomness.
Perhaps instead of offering people simply randomly generated numbers and letters, or even pronounceable versions thereof, why not offer a variety of phrases along with the resulting hash after filtering it through 'leet' speek?
By the way, I did not RTFA, so I apologize if this is -1 Redundant
bend like the reed
As an SF fan I just make up some race.
ex: Kanarian
Then add a few touches to "alien it up a bit"
ex: !K@N@rI@n!
Then when I need to change the password, I just make up a member to the race, and do the same changes to it.
ex: !B@ThooS@n!
Fairly easy to remember, and doesn't matter if the names are stupid, nobody's supposed to see them anyway.
The U.S. really needs an English to Wisdom dictionary.
I always recommend users consider a password comprised largely of profanity. This has proven to have several benefits: 1. It's makes passwords "sticky" and easier to remember, so you can make them arbitrarily long. It's easy for your password to be 1Mg\/\/v when it stands for "lick my gibbering whale vulva." 2. Because these passwords are potentially embarassing, users are much less likely to write them down in any conspicuous place (like the sticky note on the monitor). 3. An additional benefit of the embarassment factor, users are less likely to give their password out to others, thus protecting against social engineering attacks.
If you have a process that locks an account when it is not logged into sucessfully more than n times.
...) We are not supposed to use words in the dictionary, because even if we put @ for a - leet dictionaries have this combination. Insert numbers. No use two words combined with a number. No use the first letter from each word in a pass phrase...
The arguement for having strong passwords almost always goes: "There are 200,000 words in the english language. A computer can test all of those words within seconds: Therefore it is necessary to have strong passwords."
Then we get recommendations on how to make a password secure (and yet, it's not to use a secure ID token with it). To avoid a brute force attack make the minimum size of passwords over 7. (No, wait, computers are now faster - make that over 8, 9, 10,
I'll Pass. My users get locked out for 15 minutes if they do not log in correctly three times within a few minutes. Now instead of being able to check all the words in the english language in minutes, it takes only. ((200,000 / 3) * 15 minutes * 1/60* 1/24 ~= 694 days. Have fun;)
Disclaimer: This is not true for the Admin account, which cannot be locked out.
Or, if the length of the passwords isn't restricted, just use the whole sentence without any spaces and say goodbye to brute force.
10 billion won't take long to crack, though. Someone could easily pre-generate the hashed password list so they're just doing a bunch of string comparisons later. Also, PCs are pretty cheap, and it would be trivial for someone to cluster 10 or so machines together to parallelize the cracking process.
Anyway, with a random combination of letters and numbers (including shifted values), you can get over 139 billion combinations with just 6 characters, and over 722 trillion with 8 characters. 10 characters gives you nearly 4 quintillion combinations! Seeing as how the number of English dictionary words is only in the hundreds of thousands, a dictionary-based attack would be effectively useless here.
If you want to make your password selection process a tad more secure without giving up the ease of remembering it, you'd be better off coming up with a 6 to 8 word sentence and select some particular letter from each word (e.g., the first letter). Then change a couple of characters to numbers or symbols, or further manipulate it in some pre-defined fashion (like reversing the order of the letters, using ROT13, changing capitalization, et cetera). You can write the sentence down without it looking like a password, or even translate it into another language.
Generative sentence: "Ceci n'est pas une pipe"
Selected letters: "C n e p u p"
Transform: "P u p 3 n C"
Password: "Pup3nC!"
Reminder: "This is not a pipe"
Note: This is not actually my password, either.
With your original method, a dictionary attack (with a little brute force for the word combinations) has almost a 100% chance of discovering your password. With a purely random password of a length of 8 characters, the chance of a dictionary attack working drops to about 0.000000062 percent.
bytesmythe
Hypocrisy is the resin that holds the plywood of society together.
-- Scott Meyer
just use the whole sentence
/. userid, they'll certainly recognize my old favorite: "smarfle marfle barfle parfle".
Exactly. Years ago I used to use "this is my really long password at work." as my GPG passphrase. The looks I got while typing were priceless. And if there are any of my friends left who don't know this is my
Intelligent Life on Earth
And what do you propose to use for the 10 different login systems I have to work with? And some of them need passwords >= 6 chars length and others = 8. Some need to change after 6 weeks and others not. Also I we have to use 2 different RSA code keys (for different systems). One with pin and one without. Would you blame me for writing down my passwords?