Calculating Password Policy Strength Vs. Cracking

snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."

Is this a problem?

[khasim]

Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.

The solution is not complexity. It is limiting the number of attempts and logging the process and having a HUMAN review the logs on a daily basis.

Re:Is this a problem?

[wjh31]

unless you have a botnet so as each infected computer is blocked, others in the net take their turn. To get 65 guesses per minuite at 3 guesses per 5 minuites i think would only take about 100 computers

Re:Is this a problem?

[Omniscient+Lurker]

Some lock down the account (not computer doing the accessing) when that account has 3 failed attempts. So different computers don't help.

Re:Is this a problem?

[MoonBuggy]

Which is still solved by a quick look at the logs. Any account with multiple login attempts from multiple IP addresses in rapid succession should be a huge red flag. Even without human review it's trivial to make the block on the account, not on the party that's trying to log in.

The real problem is striking a balance between complexity and usability. You don't need a botnet if you can grab the passwords using any number of social engineering techniques, many of which are made much easier when people are pushed into habits like writing their login details on post-it notes.

Re:Is this a problem?

[fatalwall]

that implies its per computer. A smart systems would be per user account then per computer.

Re:Is this a problem?

[mysidia]

No problem. Utilize many parallels processes, so you are sourced from multiple IP addresses and you are targetting multiple usernames.

So you still make -many- more than 65 guesses a minute, they're just spread over multiple source IP addresses.

Re:Is this a problem?

[osu-neko]

A good system does both, since otherwise on failure the attacker can just try a different account (they're usually not concerned with hacking a particular account, they just want any old account). So, limit the number of attempts on a particular account, AND limit the number of attempts from a particular source.

Re:Is this a problem?

[noidentity]

"three strikes and you're out for 5 minutes" means that that account is locked out for 5 minutes, not just the remote machine that tried to log in. Duh?

Re:Is this a problem?

[swillden]

Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.

But most systems only apply this policy per account.

If you have 300 known usernames you can try another username/password pair every second and never test one account more than once per five minutes.

Re:Is this a problem?

[ILongForDarkness]

Exactly. At my work we occasionally need to crack a password for an account. Our password policy is fairly strong, minimum 8 characters, must have a symbol, letter and number in it. Anyways we can crack the passwords in a couple hours or less from the password hash on a workstation. On a network the trick is to not let someone try very often, and protecting the password hashes, ie if your using LDAP or AD passwords, encrypt the queries to the nameservice etc so somebody doesn't get the hashes to crack offline.

Re:Is this a problem?

[mistralol]

For a single account it does. But does anyone actually know of an account being broken into with brute forcing the password unless the password is really simple? This leeds to the point that if you want to break into a number of accounts somewhere you keep the password a constant and brute force the username. How can this be detected which you think of somebody using a large number of proxies 1000's of attempts could be made per minute. It doesnt really matter how complex you make the password when people are shipping trojans to just take it off the wire the next time you login.

Re:Is this a problem?

[RiotingPacifist]

Your better off throttling an account at (12/min 5s between guesses) it takes more than a year to get an 8 digit even a 7 digit password will be safe for 120days. Although your still vulnerable to bots that don't care what account they get if they just want an account, for that you need anti-bot net stuff
*if the same IP gets x wrong passwords in y hrs (irrespective of accounts) put them on a blocklist for 24hrs, if they get a 10 wrong the following day put them straight back on at 0.007attempts/min they 10,000 bots to get anywhere.

Re:Is this a problem?

[blincoln]

Anyways we can crack the passwords in a couple hours or less from the password hash on a workstation.

If it's taking you "a couple hours" to crack a Windows password that meets the criteria you specified, you're using the wrong tool. Have a look at Ophcrack, then see if you ever want to use a less-than-15-character password on a Windows system again.

Re:Is this a problem?

[Ytsejam-03]

Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.

You're missing the point. This isn't so much about guessing the password in network logon attempts as it is about guessing passwords on already-compromised machines. Since users frequently use the same password on multiple systems, a password file from a compromised workstation will sometimes yield valid passwords for other not-yet-compromised systems. Local passwords can also be useful in decrypting hard drive contents in cases where the encryption key is stored locally, wrapped with the user's password. The faster an attacker is able to crack passwords in the password file, the more time he has to further compromise the network without being noticed.

Re:Is this a problem?

[calmofthestorm]

Cracking with a hash is a lot faster than cracking without one.

I'm still confused by the math:

(90 days) / (8 ** 94) = 1.0006852 x 10^-78 seconds

For reference, Planck time is 5.39124*10^-44 seconds.

Where does the 65 passwords per minute come from? Even if we assume many, many, users, you still need to provide the correct username/password pair.

I was under the impression that the mass ssh password bots that hit our cluster constantly are looking for weak passwords, not trying to break reasonable ones.

That said, let's start moving to two-factor now, while it'll be an orderly transition.

Re:Is this a problem?

[ILongForDarkness]

Nice good tip. Actually neither a windows workstation or windows password, Mac site. But we do us NTLM passwords for radius and stuff I we still generate the hashes in NTLM. Hmm, another excuse to have a linux box kicking around :)

Re:Is this a problem?

[Zero__Kelvin]

Right. And don't use LAN/MAN hashes, which I'm guessing you do? ;-)

Re:Is this a problem?

[sortius_nod]

Unfortunately it's not the gathering of the passwords that hurts the business with things like Confiker.

I was recently on contract for a large bank doing what they called "lvl 1 support" (tough times and no work calls for tough measures). I bailed after 2 days due to the fact they'd let Confiker take a massive hold on the network. 1500+ servers, every workstation of about 20 000 was infected. The biggest issue was that users were being locked out of their accounts, productivity was at almost 0, and the highest level of support had no idea what they were doing. Supposedly they were fixing the issues, however the servers they "fixed" were ending up reinfected due to them not patching against Confiker straight away.

Pretty much a lack of decent IT staff (they are currently offshoring all their support staff, with infrastructure staff to be moved later) was to blame for the massive infection. Policies weren't enforced, lower level support staff had close to full administrative access on the servers, and there were no proactive patching cycles. I've seen this before and raised the red flag at previous jobs, unfortunately the calls for greater security and greater responsibility for high level admins has gone unheeded.

The people controlling IT departments prefer to follow their little management processes rather than actually do anything productive for the company. Taking months if not a year to deploy a critical patch on a server, or ignoring calls for tightened security policies (both digital and social) are the real reason companies fail. What IT managers need to remember is, a decent password policy is a vital portion of a wider solution.

Re:Is this a problem?

[bcrowell]

Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.

Hmm...I tested this on my internet-facing server, which is running a Debian with a default configuration of ssh, and it doesn't seem to do that. After three strikes it disconnects, but there doesn't seem to be any long waiting period before it will accept another connection and allow three more tries.

Last time I dug through the man pages for ssh, I remember that it was a long slog to get information I wanted. Is there anyone here who knows where to look in /etc/ssh/sshd_config for this kind of stuff, and who can suggest what parameters to look at or fiddle with?

The solution is not complexity. It is limiting the number of attempts and logging the process and having a HUMAN review the logs on a daily basis.

Hmm...I'd be interested in hearing more about exactly how you implement that. It doesn't seem easy to me. You can limit attempts by throttling them to, say, a maximum of 1/second on any particular account; but then any user who knows your login name can DoS you. You can lock an account after, say, 1000 failed attempts, but you get the same DoS issue. You can have certain accounts that can only be logged in to from a terminal that's physically located where the computer is, but that's not an option for many people, including me, who rent a box in a rack from someone far away. (I'd really prefer not to have to call my webhost and get them to let me back in to my own machine. They'd charge me money, for one thing.) Having a human review the logs every day might make a lot of sense for, e.g., a corporate system with a lot of users, but personally, for me, it's just not something I want to dedicate time to for every single day of my life. And I'm curious what you would actually do if you found a bad guy doing such an attack. Use iptables to block that ip address? But what if the attack is coming from a botnet? If it's a botnet, then out of all the addresses that are attempting to get in, there may be one that belongs to the actual user, and it may not be obvious which one it is. And if you don't have certain accounts that can only be logged in to from a terminal that's physically where the CPU is, then I don't see how you can even guarantee that you'll be able to log in and do your daily check of the logs; you could be locked out yourself because they're DoS'ing you.

It seems to me like the really clearcut answer probably is to pick a very high entropy password.

Re:Is this a problem?

[Daychilde]

What's wrong with writing their login details on post-it notes?

Of course, it completely depends on the context... but I'm assuming massive attempts to log in are probably coming from an external source, i.e. across the internet. If people don't have physical access to your workstations, putting the post-it note isn't such a terrible thing.

Now, don't get me wrong - I'm not advocating posting login details and pasting them on the monitor. Instead, write `em down and treat that piece of paper like a thousand-dollar bill. Put it in your wallet or purse. If someone gains access to it - you have worse problems than just your password being taken.

And again - if your hacker is onsite and has physical access - you really have worse problems than a password written down and stuck in a drawer (because I'm really not advocating for sticking it on a monitor).

Which of these sounds more secure:
1) Employees are forced to change their passwords every 90 days, but are discouraged from writing the passwords down anywhere.
2) Employees are forced to change their passwords every 90 days, and are encouraged to keep a written copy in their wallet or purse.

Which of those will tend to allow for more secure passwords, realistically?

There's a ton of things to consider - but it always bugs me when someone argues that writing down passwords is a bad thing. It may seem counter-intuitive at first, but I think it's clearly a Good Thing(tm). :)

Re:Is this a problem?

[goarilla]

Last time I dug through the man pages for ssh, I remember that it was a long slog to get information I wanted. Is there anyone here who knows where to look in /etc/ssh/sshd_config for this kind of stuff, and who can suggest what parameters to look at or fiddle with?

i don't know if it is exactly what you want but most users use fail2ban or denyhosts
to lock out the IP

Re:Is this a problem?

[bcrowell]

i don't know if it is exactly what you want but most users use fail2ban or denyhosts to lock out the IP

Thanks, that's helpful!

Of course, its not that simple...

[Shados]

Some systems will intentionally "lag" you on a failed password attempt, or wait some time before the next guess. So you can't even MAKE 64 guesses a minute.

Others will lock you out after 3-5 attempts.

Kind of stops this flat, hmm?

Re:Of course, its not that simple...

[Vintermann]

"Others will lock you out after 3-5 attempts."

Yeah, I know the type. They are for people who are truly paranoid about break-ins, and incredibly unconcerned about denial of service attacks.

Re:Of course, its not that simple...

[geekboy642]

Clearly the only solution is to let the attackers keep hammering away without any countermeasures.

No, really, I mean it. What you do is force everybody to have a 5-10 sec delay on login. Immediately, your hacker's ability to bruteforce your system drops by at least an order of magnitude.

Re:Of course, its not that simple...

[dvorakhound]

Agreed. This calculation is more useful for local attacks (e.g. - pwd protected archives, encrypted file systems, etc...). Attempting a brute-force hack of any online account or system would be silly, as any system worth their salt would stop the attacker after a few tries and raise red flags.

Re:Of course, its not that simple...

[TheSpoom]

Like all Unix-based systems, for example.

Re:Of course, its not that simple...

[Meshach]

If someone is doing a DOS attack on your server you have bigger problems then passwords. It seems that the existence of regular Password Crash attempts is a whole separate issue from DOS attacks and they need to be handled independently.

But as we saw from the Sarah Palin debacle last year no complex methods are needed if you know a few personal details about the user like their mother's maiden name or their first pet.

Re:Of course, its not that simple...

[Shados]

Well, like pretty much all current operating systems, really. Unless I did something without realising it, if I type the wrong login name in Windows, it doesn't tell me instantly.

Re:Of course, its not that simple...

"Others will lock you out after 3-5 attempts."

Yeah, I know the type. They are for people who are truly paranoid about break-ins, and incredibly unconcerned about denial of service attacks.

If you have a "3-strikes" policy, you can be hit with a DOS.

If you don't have a "3-strikes" policy, you can be hit with a DOS.

If you don't even have a login at all, you can be hit with a DOS.

I'm sorry, what was your point again?

Re:Of course, its not that simple...

I rather like the fact that my bank is "truly paranoid about break-ins."

Re:Of course, its not that simple...

[Jurily]

If you don't have a "3-strikes" policy, you can be hit with a DOS.

Not when you there's an enforced delay of, say, 5 seconds after a bad attempt.

Re:Of course, its not that simple...

[Vintermann]

Still don't get it? Ok, I'll try again, with a real world example of how stupid sysadmins can be.

To get unemployment benefits in Norway, you have to fill out a lot of paperwork every 14 days.
Fortunately, this can be done online.
Unfortunately, if some idiot has your username, and tries to guess your password three times, the account locks completely for 30 minutes.

So there you have it. For three connections every 30 minutes, you can make sure an unemployed Norwegian won't eat the next two weeks. Cute, eh?

There are denial of service attacks, and there are denial of service attacks. Sometimes you need a botnet of thousands of machines. Sometimes you need one machine, a perl script and insignificant bandwith. The latter is a bit more aggravating.

Re:Of course, its not that simple...

(Intentionally posting AC)

If I have access to any system that authenticates users, and can query that global catalog of usernames (which I can very easily with Linux, via ldapsearch or similar, tied to AD through NTLM), then I can lock out every single Windows and UNIX account in the company, and keep them locked out until someone figures out which machine is causing the outage, by parallelizing attempts at every user's account 3 times (locking them out), across the network.

If timed right, even the Help Desk wouldn't be able to have access long enough to unlock the accounts needed to ensure unlocking the rest was successful, before their OWN accounts were locked out again.

So yes, not having a valid password can still cause a huge, HUGE disruption in a company, globally. Can you imagine what would happen if this were to happen on a Monday morning at 9:00am, right before trading opened on Wall St, for any number of large financial companies?

Re:Of course, its not that simple...

[dkf]

Can you imagine what would happen if this were to happen on a Monday morning at 9:00am, right before trading opened on Wall St, for any number of large financial companies?

While not every detail is clear to me, I can imagine that it would definitely involve you losing your job in the middle of a recession with damn little hope of getting a new one. I would not count on the corporate spyware and tripwires from not catching you do it either.

In short, being a dick is easy, but it is also very stupid. Why not use your time to do something productive instead?

Re:Of course, its not that simple...

Can be done online != must be done online.

Re:Of course, its not that simple...

[Zero__Kelvin]

Why not mix the methods? Allow three quick attempts, and then lag for a minute per ...

Re:Of course, its not that simple...

[micheas]

I would suppose it would depend on the number of puts you have on Firm X in an offshore shell company as to how productive destroying the company is.

Your odds of facing consequences decline the more negative the banks net worth is. (as long as you are up enough that you can give back 100,000,000 or so from you gains.)

Re:Of course, its not that simple...

[Da+Fokka]

Get a job!

Re:Of course, its not that simple...

So, a system that allows an attacker to repeatedly attempt to brute force their way in so that they can change the password (thereby locking your unemployed Norwegian out permanently), and possibly even change the mailing address or some other information (thereby actually stealing said unemployed Norwegian's money), is better?

I feel sorry for unemployed Norwegians who don't have computers. It must be rough to have absolutely no way to collect unemployment benefits, since apparently the only way to do it is by filling out paperwork online every 14 days. Maybe they should provide another way to fill in this paperwork. You know, one that involves paper. Then the poor bastard who got locked out of the online system could collect his money as well.

Re:Of course, its not that simple...

You don't get GP's point. You still can be hit with a DoS attack. Whatever you do DoS attacks are unstoppable.
So locking the account for a while doesn't make it any more vulnerable to DoS than 5 second delays because all systems are 100% vulnerable to DoS attacks.

Re:Of course, its not that simple...

[TheSpoom]

Probably, I'm just more personally familiar with Unix systems.

Yeah right

[Brian+Gordon]

With 8 characters you have to make on the order of 10^15 guesses. To go through all of those guesses in 90 days you have to try 783.9 million combinations per second.

Re:Yeah right

[Celeste+R]

How many of us use truly random passwords?

Consider the dictionary attack, combined with numbers, symbols and other words, and it's really not quite so random.

Re:Yeah right

[TheLink]

Yeah, I wonder how he got the 65 per minute figure for passwords that pass some simple complexity test ("complexity enabled").

Anyway, it usually takes one or two phone/support calls to bypass a password.

People make it even easier nowadays:
Mother's maiden name?
Where was your father born?

The trouble with such stupid questions is it makes it harder for those who know what they are doing. The sheeple will just cheerfully give their passwords away to the next person who asks or for a free beer.

Re:Yeah right

[wjh31]

on average, you would find the answer in half the time. also that is just a brute force attack, you have to consider dictionary attacks and other sneaky tricks

Re:Yeah right

[RiotingPacifist]

6 lower case + 1 upper case + 1 symbol/num is the norm meaning it only takes roughly 26^8 * 6 (assuming the 6 lower case letters are together) / 2 to crack via brute force
this gives 6.26481e+11 or 80566 attempts/second for 90 days, which is still tough but much more achievable than assuming your 96^8 guesses are needed

Re:Yeah right

[Znork]

The trouble with such stupid questions

Funny how the old saying 'there are no stupid questions, only stupid answers' actually applies to this.

To avoid the potential trouble, simply don't make a habit of specifying the correct answer; there's usually nothing preventing you from saying your mothers maiden name was Thevirginmary, or claiming that your father was born on Krypton.

Of course, it may get a bit more difficult to remember, but it'd prevent anyone from simply researching the answer to your hints.

Re:Yeah right

[fishbowl]

Even the dumbest script-kiddie attacks are smarter than raw permutations of characters.
If you allow people to choose their own passwords, you *will* have a bias toward dictionary words (or just "pronounceable") which allows a statistical method that dramatically reduces the search space.

Re:Yeah right

[Packet+Pusher]

This whole new password every 90 days things blows monkey chunks too. All it does is make me have a half a dozen passwords or more likely variations on a few passwords that I never know which one belongs where and end up putting every valid password into all the wrong sites.

If the password is strong to begin with then changing it every 90 days is stupid. Who's to say the password I change it to isn't next on the list to be guessed?

Monitor systems for strange access, restrict my access to just what I need, let me know the last place and time I access sensitive systems from and leave my fracking password alone.

Re:Yeah right

[cheftw]

Sorry sir, but I followed your google link and feel obliged to tell you that all modern processors have at least 800 megahertz in them. Therefore your point is invalid. Apologies

Re:Yeah right

[calmofthestorm]

I'm really lucky that my mother's maiden name is a 64 byte sequence of random hex, as was my father's city of birth. And even more lucky that it's different depending on who is asking.

The only services I use still vulnerable to that attack are my financial ones. It sucks, I know, but they force you to do it, and I haven't been able to convince them not to.

It's sad. We have these passwords which provide some security at least, and then we throw it all away and force users NOT to be secure.

Re:Yeah right

[jacksonj04]

I'd love to see your modern processor which can perform all the generation, communication and validation required to attempt a single password in 1 clock cycle.

Apologies.

Re:Yeah right

[Brian+Gordon]

I think he knows. At least, I hope there's nobody that thinks a megahertz is something inside a processor.

Re:Yeah right

[hannson]

and other sneaky tricks...

You mean something like that?

Re:Yeah right

How many of us use truly random passwords?

Consider the dictionary attack, combined with numbers, symbols and other words, and it's really not quite so random.

Which irritates those of us who do even more when we have to change them every 90 days.

Re:Yeah right

[Zero__Kelvin]

If only we had some concept to describe this! We could call it entropy or something ...

Re:Yeah right

[Zero__Kelvin]

"I'm really lucky that my mother's maiden name is a 64 byte sequence of random hex"

I'm guessing you are typing it from a keyboard, so it is not truly random after all.

Re:Yeah right

[Zero__Kelvin]

Actually, this attack assumes you have proximity to both the computer and the account holder. In general once one has proximity, they will get in unless there are measure like smart cards and/or biometrics in place, and even then - as the cartoon shows - these are not foolproof.

A network based attack, is however, an entirely different story.

Re:Yeah right

[calmofthestorm]

Her parents named her after some output from a tRNG. Short of gvmt organizations who can get in anyway, I'm sure, I don't think anyone's breaking in.

I'm not trying to stop a determined attacker. I'm trying to stop the mass harvesters.

Re:Yeah right

[Mr+Z]

Where I work, the system picks passwords FOR you, randomly generated. Now, it does give you a table of options, and you can keep asking it for new random sets until you get one you like, but that's still way better than letting users come up with their own passwords.

Of course, the resulting selected passwords are significantly weaker than the raw password count implied by "8 characters mixed case alphanumeric" (which has almost 48 bits of entropy if truly random). If you figure that a third of the bits of entropy are lost by letting users pick their own from a list of random passwords, that still leaves a 4 billion password space. You'd have to try 552 passwords/second to crack that one account in 90 days. If there are more effective bits of entropy (which there likely are), then the count only goes up from there.

Re:Yeah right

[bcrowell]

With 8 characters you have to make on the order of 10^15 guesses.

No, that's incorrect. You seem to be assuming about 6 bits worth of entropy per character. The author of TFA has a long discussion of this buried in one of the tabs of the spreadsheet. The classic reference, which he gives, seems to be C.E. Shannon, "Prediction and Entropy in Printed English." Shannon estimated about 2.3 bits of entropy per character of printed English. That's a worst case, if you make your password out of English words. ASCII has 95 printable characters, which corresponds to 6.6 bits, so that's pretty much the best case. You can only use the best-case scenario to estimate the strength of passwords if either (a) users choose passwords that really look like a cat walking across a keyboard, or (b) the cracker guesses randomly, rather than using attacks like dictionary attacks that exploit the low entropy content of real-world passwords. Neither a nor b is likely to apply in the real world, so the right estimate is definitely an entropy content of more than 2.3 and less than 6.6 bits per character.

So for 8 characters, we can be pretty sure that the actual entropy content is between 18 and 53 bits. On the low end, that's only 10^5 combinations; on the high end, it's about 10^16. If you can test one password per second, then in 90 days you can try 10^11 combinations, which is (logarithmically) right in the middle of the range of estimates. So if you have an internet-facing server that accepts incoming ssh connections, and it never locks out or throttles back a user who is making too many login attempts, then it's quite reasonable that someone could crack your 8-character password in 90 days. If they have access to the hashed values of the passwords, then they can presumably carry out thousands of attempts per second, so they can almost certainly crack an 8-character password in much less than 90 days.

Re:Yeah right

[Brian+Gordon]

How does someone picking one from a list eliminate that much entropy?

Re:Yeah right

[TCM]

May I present my method:

Visit this page and generate yourself a nice litte passphrase.

For every combination of login and domain/account/ do

echo "$login:$account:$iteration:$passphrase" | sha1

Tada, instant secure password. You only need to write down $login, $account and $iteration.

Re:Yeah right

[Brian+Gordon]

Theoretically the attacker could throw away un-memorizable permutations and cut through tons of entropy, but it would be extremely difficult.

So you're an attacker and you try all the English words. Users can just type in 1337 5P33K. So you throw in leet words. Users can type their word ROT1. So you throw in all constant shifts. Users can type their word in ROTN where N is the place of the character they're typing. So you throw in all linear shifts. Users can type their word using the key directly to the right of the actual letter, or below it, or to the left, or above it, or two letters to the right, or on the opposite side. The user can just remember their word and whatever neat trick they happen to be using that 90 days, and they have a password that's in practice exactly as secure as a true random sequence. If they want to be really secure they can just remember a nice symmetrical pattern of keypresses around the keyboard- there are so many that an attacker could never identify permutations that "aren't part of a pattern." Yes they can say that if you have '!@#$%^&*()' characters in your password you're probably using the key-above method or something like that but really, you're grasping at straws.

Re:Yeah right

[Mr+Z]

The random number generator will occasionally pick random strings that have word fragments or small numbers of case transitions or good left-right hand balance or some other attribute that makes it "easier." If you can model "easier" in those terms, then one can focus ones search on the "easier" passwords.

For example, my boss will keep asking for random passwords until she gets one with only a single capital. Well, if a hacker knew a priori that people did that sort of sorting, then they could exploit the lowered entropy.

You can prove this to yourself with an experiment. Imagine, for example, if you decided that digits in increasing order were "easier" than digits in arbitrary orders. Now suppose that users are presented with a dozen random passwords (consisting entirely of digits) to choose from, and they preferentially chose passwords with the longest runs of increasing digits. What does the password distribution look like now among your pool of users?

The important point in my comment was that "you can keep asking it for new random sets until you get one you like." If you ask for a long enough list, you can find whatever password you want. It's then just a battle of wills between you and the computer at that point.

Re:Yeah right

[TheLink]

They are stupid questions, because you'll have to keep track of yet more answers.

I do try to put strong passwords as the answers, but often the sites don't let me.

I hear some sites are even worse - they force you to pick answers from limited choices!

Re:Yeah right

[bcrowell]

Theoretically the attacker could throw away un-memorizable permutations and cut through tons of entropy, but it would be extremely difficult.

No, it's not extremely difficult. It's more or less what password-cracking software does. Here are some examples of the kinds of low-entropy passwords that are susceptible to attack.

So you're an attacker and you try all the English words. Users can just type in 1337 5P33K. So you throw in leet words. Users can type their word ROT1. [...]

All of those are perfectly reasonable things to do, and doing them will get you closer to the theoretical maximum entropy of 6.6 bits per character for printable ASCII. An 8-character password done using the techniques you're talking about is probably quite secure. However, most users don't understand enough to do that. Here is an analysis that shows that users vary widely in their sophistication.

Re:Yeah right

[VanessaE]

A friend of mine used to call mine "line noise" passwords, and aptly named they are. What I use for any given account is reasonably long, and as close to truly random as the login system in question will allow - "qK5N$1R6&w#k%g" and the like. If it doesn't look even enough after I've typed it, I just salt it with a few more characters. I wish I could use this kind of thing everywhere; I'm rather surprised at the number of systems out there that wouldn't be able to take a password like the above, either because of stupid shit like a ridiculously low maximum length or restrictions on symbols/punctuation.

I'm thankful that those passwords which I need frequently, I already remember. Those which I can't remember are stored in a strongly-encrypted file, again using a line noise password.

I'd like to think that's a secure enough setup for anyone not employed at the NSA or similar.

Re:Yeah right

[TheRaven64]

The simplest way of generating a password that I've found is to think of a memorable phrase and use the first letter from each word. For example, if you come up with the phrase 'what would Cowboy Neal do to think of twenty (secure) passwords?' then the password is 'wwCNdtto20(s)p?' This is easy to remember, but doesn't have many patterns. The OS X password strength indicator marks this as 'excellent'.

Note that this password had a couple of repeated letters. It's very common to discount passwords like this, because they don't 'look random'. This is exactly the same line of thought that lead the Germans to ensure that the discs in the enigma machine were never in the same position on two consecutive days, reducing the search space just enough to let the British crack their codes.

Re:Yeah right

[koafc2]

How many of us use truly random passwords?

Only one way to find out. Everyone, please post your passwords and I will inspect them for randomness.

Re:Yeah right

[JerryLove]

True: but statistically you should average "only" half that to succeed (it won't be the last possible password that's true, generally).

Under the radar

[Fuzzums]

And 65 guesses per minute is hardly something that should trip ANY rule of an IDS.

quick slashdot reader test:

[LeonN]

break this password 1bbe3bcb8c840c7309d460d8d5b8e709 how long did it take? (used the echo -n "string" | md5sum to get that hash, with ofc another word then string)

Re:quick slashdot reader test:

[wjh31]

damn it, i thought being on slashdot was enough to count as a geek, now we have to actually be able to understand encryption?

Re:quick slashdot reader test:

[LeonN]

hehe :P quick answer yes, long answer: 0e1e76ac3b5744a8a84c40112510ad21

Re:quick slashdot reader test:

[RiotingPacifist]

"SLOW DOWN COWBOY!" erm about 30 seconds thanks to google i found http://tools.benramsey.com/md5/

Re:quick slashdot reader test:

[RiotingPacifist]

disregard that my source website sucks cocks and returns the same string for any reverse hash!

Re:quick slashdot reader test:

[LeonN]

HAHAHAHHAHAHAHAH :D thats not it at all :D it gives SLOW DOWN COWBOY no matter what you type on that site, it seems :P

Re:quick slashdot reader test:

[maxume]

It passes the google test. By example, 5f4dcc3b5aa765d61d8327deb882cf99 does not. Nor does 5ebe2294ecd0e0f08eab7690d2a6ee69.

This table doesn't know it:

http://gdataonline.com/seekhash.php

Neither does this one:

http://md5.rednoize.com/

And nor do several others. So it seems it is reasonably long or otherwise strong.

Re:quick slashdot reader test:

[LeonN]

well its actually just commonly used words..

Re:quick slashdot reader test:

[maxume]

Sure. But those tables focus on short character strings (like, 8 or 10 characters), so they aren't terribly useful against 20 or 30 characters (or even 12).

Re:quick slashdot reader test:

[jonaskoelker]

Is it...

Nah, it couldn't be...

Is it "hunter2"?

Re:quick slashdot reader test:

[selven]

09f911029d74e35bd84156c5635688c0

Am I right?

Re:quick slashdot reader test:

[Samah]

That's nothing! Break this one:
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Re:quick slashdot reader test:

[buchner.johannes]

Have any identities* under MD5 or SHA1/256/512 been discovered yet? I'd be really interested in those!

*(where hash = md5(hash))

Re:quick slashdot reader test:

[LeonN]

heh, well the secret pawwsword that got hashed is actually: "secretpassword" ofc, would easily be breaked by guessing passwords/brute force, but hard to break decrypting hash.

Re:quick slashdot reader test:

[maxume]

I get 2034f6e32958647fdff75d265b455ebf when I do that command using "secretpassword" (I did this in Python, a cmd shell and on my webhost, so either I am not reading the exact string correctly or that isn't it). My hash crack would have found that one straightaway:

http://gdataonline.com/qkhash.php?mode=txt&hash=2034f6e32958647fdff75d265b455ebf

Re:quick slashdot reader test:

[zippthorne]

Me, too.

In fact, none of the 16,384 possible capitalizations yield that hash. Nor do any of the words in the linux words list (ubuntu ibex), with any arbitrary capitalization on them, either.

I did not feel like trying combinations of two words, as 2.5 billion (i think, I cleared the screen to do other stuff before writing this comment) multiplied by an hour and a half is longer than I'm willing to wait for results for a stupid web forum, as is the time to write a decent algorithm in a better language than nice, dirty, perl.

The focus should be on the account.

[khasim]

It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked.

Yes, this does allow for DoS attacks. So what? It's better to have the legitimate owner locked out so that he can call to find out why than it is to have his account cracked.

Re:The focus should be on the account.

[mysidia]

What happens when a bot comes out whose sole purpose is to discover all usernames on a system (including the admin users), via dictionary attack, common variations, and lock them all out, by making exactly 3 attempts per account?

i.e. Hackers whose goal in life is to disrupt access to the system rather than to break in.

Re:The focus should be on the account.

[maxume]

You switch to physical tokens?

For the most part, if you are protecting something valuable, you will be willing to spend more resources than someone just trying to be a nuisance. That doesn't make them any less of a nuisance, but it isn't particularly hard to work around them.

I guess this sort of sucks for someone trying to run a small forum or something, but they could do something crazy like support OpenID.

Re:The focus should be on the account.

Since most systems I know already have the "3 strikes and you're out" policy, shouldnt we have seen this already in the thousands of bots coming out each year?

And most systems I have worked with were security is actually important do NOT use standard accountnames but use random numbers or characters to generate accountnames. This provides an easy defense both against attacks as DOS and as real attack to crack accounts.

Re:The focus should be on the account.

[iwein]

i.e. Hackers whose goal in life is to disrupt access to the system rather than to break in.

Those type of hackers are rare and have less resources. There isn't any point in pure vandalism you see. In any case research has shown that it's not a primary motive.

http://www.aic.gov.au/publications/htcb/htcb006.html

Re:The focus should be on the account.

[Jurily]

Yes, this does allow for DoS attacks. So what?

This attitude is not really welcome among the users, you know. Compare the Linux login method: on a password failure, a 3 second waiting period is enforced before you can try again. After three strikes, 15 min lockout. 12/hour/host is way too slow for a good password, even with, say, 1 million attacking hosts.

Re:The focus should be on the account.

[fishbowl]

IP Whitelist.

Private Keys+Hardware Token (no passwords weak or strong.)

IT Security Policy Breach is Firing Offense.

Problem solved.

In a defense environment, "Firing Offense" can be upgraded to "Felony Prosecution."

Re:The focus should be on the account.

It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked.

Oh, please, please, please, be very careful when implementing this sort of policy. My employer uses LDAP to implement a corporation-wide password database. This is used for various applications, VPNs and a bunch of other things, including internal frame-based webpages.

This means, very simply, that if you type your password wrong only once, four or more different frames will simultaneously query the LDAP database with the wrong password. That's more than three strikes. You're out.

Re:The focus should be on the account.

[Bught_42]

Where I work they had conficker/downadup infect alot of computers, and it would try to guess passwords and lock out alot of users.

Re:The focus should be on the account.

[legirons]

It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked.

Yes, this does allow for DoS attacks. So what?

so they can prevent everyone from logging-in. would that not cause a problem to your login system?

Re:The focus should be on the account.

[selven]

Those type of hackers are rare and have less resources. There isn't any point in pure vandalism you see. In any case research has shown that it's not a primary motive.

Pure destruction without personal gain has its uses. See DOS attacks, pretty much every army in existence, terrorists, blackmailers, etc.

Re:The focus should be on the account.

Two words: Single sign-on.

Re:The focus should be on the account.

[danwesnor]

I would think that if half your accounts get attacked in a few hours, it might be a good idea to just go ahead and cut the wire to the outside world until you get control of the situation.

Re:The focus should be on the account.

[Machtyn]

Support desk: How may I help you?
User: Yes, I just typed my password incorrectly three times, can you unlock it, please?
Support desk: Sure. There you go.


Sure, this type of social engineering trick may only work once, but perhaps the attacker might get lucky and continually get a different support person each time.

Re:The focus should be on the account.

[maxume]

If anything anywhere near that simple works, you don't have any security anyway, password strength doesn't matter a whole lot.

Re:The focus should be on the account.

[fullgandoo]

Why not simply introduce a delay after each unsuccessful password (as many systems do) instead of a lockout after n attempts? Wouldn't this avoid any DOS and stump any brute force attempt?

Re:The focus should be on the account.

[Bodrius]

Support desk: Sure - the issue should be resolved in 5 minutes . Please try again later.

If the Support Desk has any password policy of this type *at all*, they'll know the problem resolves itself after X minutes and will be either smart enough, or (more likely) lazy enough, not to subvert the process.

That doesn't trained support would never unlock the account for you, but it would require wasting more time on the social engineering attack (i.e.: convince the CSR that the process failed - and that you really, really, really cannot wait).

If they're clueless about the password policy (e.g.: they just left a default) *and* they're naive enough to fall for this - then you have bigger problems. But then again, they'll probably take longer than 5 minutes to unlock that account too.

Either way, "might get lucky the first time" does not a 65-guesses-per-minute make.

If you try run a distributed social engineering attack on the same account people are going to notice something is wrong before the first 65/minute.

Re:The focus should be on the account.

[Dan541]

What happens when a bot comes out....

A very funny situation :)

Re:The focus should be on the account.

[somersault]

See DOS attacks, pretty much every army in existence, terrorists, blackmailers, etc.

Aren't those all methods of achieving personal gain? Unless your army is out doing relief work or you are doing DOS attacks against spammers only without expecting payment..

Re:The focus should be on the account.

[Eskarel]

This is true, but when you're looking at having to generate > 1 attack per second, social engineering isn't going to work. You're better off calling up and saying you've forgotten your password and can they reset it for you.

Re:The focus should be on the account.

[selven]

They are all methods of personal gain, but indirect ones - you extort money by threatening to use your method of destruction. I was using those examples to show how something which doesn't benefit you directly (like password locking a computer) can be used for personal gain.

Re:The focus should be on the account.

[legirons]

I would think that if half your accounts get attacked in a few hours, it might be a good idea to just go ahead and cut the wire to the outside world until you get control of the situation.

the PP was talking about password guesses, i.e. someone who can't break into your account nonetheless prevening you from logging-in just by guessing 3 times.

so you're willing to prevent a legit user from working because someone who knows their account name (clearly exposed in email addresses etc) made 3 anonymous connections per 3 days to your network?

Missing part of his formula

[DoofusOfDeath]

Did he remember to model the fact that if you make your password requirements sufficiently rigorous....

(A) People will increase risk by having to write them down, or

(B) People will try to stop using your system, which is a different but related kind of failure?

Re:Missing part of his formula

[Stiletto]

I tend to pick "random string" type passwords, write them down and stick them to my computer case.

If someone has successfully gained physical access to my machine, it doesn't really matter how strong my passwords are anymore. I'd rather have the (easier) problem of phyiscal security to solve than the harder problems of adequately securing using weak passwords or trying to remember strong ones.

Re:Missing part of his formula

[John+Hasler]

> People will increase risk by having to write them down...

Depending on your threat model that may not be a risk. You are generally much safer letting your users carry truly random passwords in their wallets than letting them use their pet's names.

Re:Missing part of his formula

[Shados]

It kindda still matters. If I'm at the office, and stick my password on my box...well, yeah, everyone has physical access to my machine...but SOMEONE will notice when the receptionist is taking a screwdriver to my workstation. They won't notice her picking a post-it note from it.

Re:Missing part of his formula

[fishbowl]

>(A) People will increase risk by having to write them down, or

Firing offense in my shop.

>(B) People will try to stop using your system, which is a different but related kind of failure?

Employment is voluntary. Don't like our security policies? That's squarely in "keep your fat mouth shut" territory.

Re:Missing part of his formula

[John+Hasler]

> It kindda still matters.

In your case, yes. In others (locked offices) it may not.

> They won't notice her picking a post-it note from it.

You would probably notice her picking a slip of paper from your wallet.

Re:Missing part of his formula

[El_Muerte_TDS]

That's why I camouflage the password. It's not a post-it with "Password: aa\x5Ahf". But something like:

"""
TODO:
- fix bug http://is.gd/av+a3ohW
- file header should be: aa\x5Ahf
- upgrade http://tinyurl.com/ov-eiP2o
"""

Re:Missing part of his formula

[ColdWetDog]

Then everyone wonders why you never seem to get much accomplished.

Re:Missing part of his formula

[blincoln]

I tend to pick "random string" type passwords, write them down and stick them to my computer case.

Why not use a passphrase instead? Even without special characters, no one is ever going to crack one of my 20-to-40 character passwords, unless they've built a custom cracking dictionary filled with every possible combination of lines from films/novels and song lyrics. Since we have a "must include upper/lowercase, a number, and a punctuation mark" policy at work, it would require many, many more variations even than that complex base.

Re:Missing part of his formula

[Eil]

Years ago, the Air Force had some pretty ridiculous security policies for its I.T. systems. (And I would expect that they still probably do.) I've written extensively here on Slashdot about them, but one thing that consistently bugged me was the password policy. I can't recall the specifics, but the password had several "conditions" that needed to be satisfied before it would save your password. Among them were things like:

- Must be mixed-case
- Must be between 8 and 12 characters in length (or so)
- Must contain at least 2 symbols (barring a short list of seemingly random exceptions)
- Must contain at least 1 letter
- Must not contain a space, tab, or non-keyboard character
- No part can match a dictionary word or proper name

I'm not a cryptologist, so I always wondered: wouldn't adding so many restrictions actually make it easier to brute-force passwords? If an attacker knows the unit's password policy, shouldn't that enable them to narrow the search space considerably?

Re:Missing part of his formula

[Ocker3]

Except anyone with knowledge of your company's password policy will know about the punctuation mark requirement. Better to have multiple password complexities, of which not all are required, allowing staff to choose which ones they can utilise easier. The more staff you have, the more likely that different complexities will be used. That way you preserve the mystery.

Re:Missing part of his formula

If an attacker knows the unit's password policy, shouldn't that enable them to narrow the search space considerably?

Sometimes it can, it depends heavily on the password policy... If you tell users to put some specific character on some specific place (like: your password must be of form NxNxxNx, where N is number and x is letter) then yes, the password space shrinked considerably.
On the other hand, the policy you have presented above doesn't suffer from such shrinking. All that it wants to achieve is that the attacker cannot reasonably bruteforce it:
- mixed-case, special chars -> at least 70 characters to choose from
- 8 to 12 characters -> 8^70 to 12^70 possibilities to choose password minus what this policy forbids. Still a huge password space
- no matching to dictionary -> no funky bruteforcing other than simple trying of all combinations in a sequence (question is if that policy forbids common di- and trigrams. If not than some funky bruteforcing is still availabale)

The same thing that happens with everything else.

[khasim]

First off, there should NOT be any indication whether the username was valid or not. It's as simple as that.

Secondly, the issue really comes down to whether a DoS attack is better/worse than a compromised account.

I'm on the side that believes compromised accounts are WAY worse than a DoS attack.

I have seen this hash before.

G0a$e.cX

This really just moves the test up a step

[Colin+Smith]

So the attacker hashes the passwords he's trying. It would really only be useful if the attacker was unaware your password was a hash. Which means it's no use for company policy.

Still. Not a bad idea for my personal accounts. ;)

 

Re:This really just moves the test up a step

[zippthorne]

For personal accounts, the "good idea" is to use a hash of some combination of: the site name, your username, and your "one good password for all of 'em" But not a concatenation. Maybe an xor.

Although I'm not sure how great of an idea that is, but at least you don't have to actually store any passwords anywhere, and they're all safe as long as your primary password isn't compromised.

Our problem

[Henry+V+.009]

The issue that we have to deal with isn't password-guessing so much. It's stupid users responding to emails asking for their passwords. All it takes is for the spammers to ask nicely, and two or three professors immediately give out their password.

hmm...

[buddyglass]

Does it take into account how many users are going to write down their passwords on a post it note and stick it to their monitor (or something equally risky) if the password policy is any more cumbersome than "8 character minimum with complexity enabled with a 90-day forced change"?

Re:hmm...

[not-my-real-name]

If you wanted to find the password to my slashdot account that way, you'd first have to figure out who I am, where I live, possibly travel a great distance to my house, break into it, find *my* computer, and then figure out which one of the post-its on my monitor is my slashdot password.

I suspect that in many cases writing a password down is more secure for home uses than picking something easy to remember. For corporate/office users it's a bit different since there are a bunch of other people in and out all the time.

Re:hmm...

[Tuoqui]

Security Tokens/Smart Cards... Two (or Three) factor authentication is superior to username/password. Something you HAVE + Something you KNOW. If you dont have both then knowing soandso's password is hunter2 wont help you.

Re:hmm...

[adamofgreyskull]

Great. Now I have to change the combination on my luggage.

Frequency of change is irrelevant!

[Geoffrey.landis]

As an example, Grimes assumes... 90 days between password change

How long you go between password changes is an irrelevant parameter, since a password change does not change the probability of success of a brute-force attack (i.e., any change is just as likely to change the password into the window of attack as it is to move it out of the window.)

Requiring frequent password change doesn't change the success statistics at all if the attacker is attacking multiple accounts. Even if the attacker is focussed on a single account, however, requiring a password change at intervals doesn't change the mean time it takes to break an account; it merely means that success is guaranteed, rather than probable, after twice the mean time (since that the mean time to break in is after exactly half the passwords have been tried.)

Re:Frequency of change is irrelevant!

[jonbryce]

It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually. If you do change passwords, you are trying to hit a moving target. You might get it, you might not, and even if you do, you don't have long before you have to run the attack again.

Re:Frequency of change is irrelevant!

[ottothecow]

It isn't irrelevant if you change your password during the attack to something the attacker has already tried. Lets say you change the password after the attacker has made it through half of the keyspace...there is a 50% chance that this new password will never be guessed (I dont know any brute force tools that recheck old passwords).

It is all pretty irrelevant though since I dont know many systems that let you keep making authentication attempts anywhere near 65 tries a minutes. I can maybe think of some internal things that allow a lot of attempts but they require you to be logged into the local machine first which throttles attempts and eventually locks up.

Re:Frequency of change is irrelevant!

[gadget+junkie]

It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually. If you do change passwords, you are trying to hit a moving target. You might get it, you might not, and even if you do, you don't have long before you have to run the attack again.

that implies that the password hacker has a mean to ascertain if a password he tried was a "near miss", i.e."congratulations! you got X characters right but on the wrong place, and Y characters right and in the right place. Try again? Y/N". BTW, Mastermind anyone?
Here in italy the security model approved by the law is : 8 char password, change every 90 days. I agree that changing passwords, or even forcing user to use password that are totally different from those previously used, is futile if you do not allow user to pick passphrases instead of password; they'll stick a post-it to the screen.
Fixed lenght is a big help to password crackers. Most software vendors tough use it as such, meaning that a password must be * exactly 8 characters *. Given that, I'll give you my recipe for password generation:

1. look around you, and find something that has a 6 character name;
2. Add the suffix "01" at the end, chenging it to "02" when 90 days have elapsed;
3. ????????
4. Profit!!

Re:Frequency of change is irrelevant!

[Mutatis+Mutandis]

and even if you do, you don't have long before you have to run the attack again.

Not really. Because if people need to change their passwords frequently, they tend to go for stupid changes, such as incrementing a suffix number. I could make a pretty good guess of what some passwords on our systems will be a year from now, even though they are nominally changed every 90 days.

Re:Frequency of change is irrelevant!

[MrMr]

It's worse, requiring 90 day password changes will almost guarantee they will be written down on post-it notes stuck to the monitor.

Re:Frequency of change is irrelevant!

[Geoffrey.landis]

It isn't irrelevant if you change your password during the attack to something the attacker has already tried.

Nope. Think about it as a statistical thing. There's an equal probability that you'll change your password to something that the cracker is just about to try, as there is to change it to something the cracker hasn't tried yet

Lets say you change the password after the attacker has made it through half of the keyspace...there is a 50% chance that this new password will never be guessed

It's easier to think about statistics if you think about large numbers. Suppose the cracker is trying to crack 1 thousand user accounts, and the password change comes when he is one ten thousandth of the way through. Yes, on the average there's some chance that a users will change their password into one that he's already checked (and if they never changed their password again, they'd be immune from getting cracked.) However, to balance that, an equal chance exists that they happen to change their password to one that he's about to try. There's no net change in the statistics of cracking.

The same statistics work, on the average, whether the cracker is trying to break into one account.

Re:Frequency of change is irrelevant!

[legirons]

It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually.

With password changes, you get the password even quicker, because there are only a very small number of sequences that people can think-up once per month, compared with a larger number of unique passwords that they can think-up just once.

Re:Frequency of change is irrelevant!

[jonbryce]

No it doesn't imply that at all.

For each password you try, you have for example 1:1x10^111 probability that it is correct.

Without a password change as you go through your 1x10^111 possible combinations, you will find the correct one eventually.

This is the same as a situation where the password is a single bit. A brute force attack would take two attempts, and where changing the password includes the possibility of keeping it the same as before.

If the password is changed once while you go though them all, you might find two correct passwords - one before the change and one after, one correct password - before or after the change, or no correct passwords; so your chances of finding a correct password have been reduced from 100% to 75%.

Of course, if people don't chose their passwords randomly, this significantly reduces the effectiveness of them.

Re:Frequency of change is irrelevant!

[DarkOx]

The thing about changing passwords is that is that it is not intended as a measure against bruit force attacks. You change them so that leaks get plugged.

User A gives user B his/her password despite that being against policy for reason X. At least a few months later user B no longer knows A's password. Suppose user B leaves the company or something IT naturally disables B's account and does not disable A's account. Its a good thing B no longer has A's credentials.

Password changes are a weak but probably only real effective solution to the social problem of passwords leaking. I would think you would want to do this with physical tokens as well just as a basic sanity check. Every 90 days or so a physical token should be disabled and replaced or recoded. This is the administrative peoples certain opportunity to verify the person in possession of that token is who think should have it.

Re:Frequency of change is irrelevant!

[nabsltd]

Mod parent up as one of the few who understands how forced password changes are generally bad for security.

When asked, most system admins do not know what the single security issue that is addressed by forced password changes: limiting the amount of time a compromised password can do damage.

The problem is that any forced change time that is short enough to do any good with this (like 30 days) would cause users to always pick the most memorable (i.e., least secure) password that meets the requirements. Worse, it's more likely to cause every monitor in your office to have a password-laden sticky-note. If you have a 90-day change time (about the standard), that gives an average of 45 days that a compromised password can do damage, which is way too much.

Last, forced password changes are still almost certainly nothing but security theater, because once an account is compromised, it's easy to re-compromise it with a keylogger or similar background software.

Re:Frequency of change is irrelevant!

[swillden]

Nope. Think about it as a statistical thing. There's an equal probability that you'll change your password to something that the cracker is just about to try, as there is to change it to something the cracker hasn't tried yet

Correct. The purpose of password changes is to (hopefully) reduce the window of vulnerability, so that if an attacker has obtained your password (by cracking, shoulder-surfing, social engineering, etc.) they can exploit it only for a limited time.

Well, unless they can escalate to root.

Re:Frequency of change is irrelevant!

[Geoffrey.landis]

Yes, good calculation. I'm assuming that in the real world, the cracker is attacking a large number of systems at once.

Of course, it will take somewhat longer than the age of the universe to go through all of the 1x10^111 possible combinations you mention.

Re:Frequency of change is irrelevant!

[bradley13]

Having recently worked for a company that forced password changes (insistence of the owner over the objections of IT), I can tell you that almost everyone in the office selected a one-time password and incremented a number on the end of it: xxxx13, xxxx14, xxxx15, and so on. So a compromised password would stay compromised - one gained nothing beyond irritating the users...

Re:Frequency of change is irrelevant!

Why doesn't the hacker have long before needing to hack it again? Once in they could possibly install some sort of keystroke catcher or another hack to get the new password.
The other question is, once they've gotten in, what is it that they want? If it's information, they should be able to gather most of what they want in one session, therefore are not affected by a future change in password.

I personally HATE forcing users to frequently change their passwords. As stated above the end result is users using post-it notes stuck to the monitor to remember the latest password, which is not good.

Re:Frequency of change is irrelevant!

[wvmarle]

About ten years ago I heard the password scheme of someone who had to change his password on a monthly basis. He used the name of the current month as basis for the password... the current password ('may') would have to be padded or doubled or so probably, but later in the year it went fine: 'september', 'october', 'november'. Need to add numbers? Capitals? 'September09', 'October10'. Yes, monthly password changes are so good for security. At least he didn't need post-it notes as reminder.

Re:Frequency of change is irrelevant!

[wvmarle]

Add to that (for statistics): the user doesn't know the account is under attack or which passwords have been tested already. So even if they change the password to something the attacker has tried already, they are immune until the next change comes when they have a good chance to change to something that was not yet tried.

As many other posters argued already: there should be a rate limit of attempts per 5 minutes, or total number of attempts - set that to say three or five times per five minutes or ten times to block the account and a human that knows the password has plenty of tries available but a brute forcer will be locked out virtually immediately with next-to-zero chance to guess right.

Re:Frequency of change is irrelevant!

[iamhigh]

You seem so sure there is only one reason to change passwords I guess you have never dealt with internal password issues. A colleague looking over-the-shoulder(bolder-holder, yeah, I'm 10 for a moment) can do far more damage than a "hacker" in certain situations. Or if an employee shares their password (that would *never* happen, right) at least you know that after a while they won't have it anymore. Think about getting an HR password and what that could do for employee morale. That isn't to say it will prevent all problems, but at least they won't have the password FOREVER!

Re:Frequency of change is irrelevant!

[ottothecow]

It still decreases the chance that the cracker will get to your password. Before the cracker started, 100% of the keyspace was at risk of being cracked. Once he clears 10% of the keyspace without getting it right, your password change has a 1/10 chance of ending up in the "safe zone". Sure there is always the chance that you could change it to the next password he is going to guess but statistically, the pool of "safe" passwords is increasing while the pool of still vulnerable passwords is decreasing.

Of course, this is not the purpose of mandatory password changes. I see them more as combating other issues like people accidentally letting their password slip or blocking out someone who a hold of it and is using it to access the companies systems (not all people interested in getting on your corporate network have the expertise to install a rootkit...they may just want to read your email for news of the XX merger or specs of the YY device)

Re:Frequency of change is irrelevant!

[runningduck]

Nope. Think about it as a statistical thing. There's an equal probability that you'll change your password to something that the cracker is just about to try, as there is to change it to something the cracker hasn't tried yet

Statistically speaking this should read that there is an equal probability that you'll change your password to something that the cracker is just about to try, as there is to change it to any other password the cracker hasn't tried yet. The population of passwords the cracker is about to try depends on the defined duration of "about to" as well as the number of guesses the cracker is allowed per interval. Only if these two criteria split the untried passwords into equal populations will there be equal probabilities. This of course disregards the already attempted password population.

The best knob to turn in any reasonable password policy is limiting the number of guesses per minute. Even using 4 digit numeric pin type passwords with no change policy can be secure if proper limiting factors are put in place.

Re:Frequency of change is irrelevant!

[legirons]

Mod parent up as one of the few who understands how forced password changes are generally bad for security.

thanks. just an amateur at security, but apparently the professionals can make-up arguments which baffle me... ;)

anyway, the "time since compromised" thing - surely once an account's password is guessed, that's it -- security is failed?

so if you change passwords every 10 seconds, the hacker doesn't give a fig since he already has a login token valid for 15 or 30 minutes which allows him to download everything accessible by the person with the weak password

what exactly are password-expiry people hoping to gain by shutting-off access 30 days later? Do they think the compromised account didn't have permissions to install an app which will compromise the next password? (remembering that security didn't detect this compromise, hence why they're relying on the password expiry as their only way to lock-out crackers who are already in their network)

Re:Frequency of change is irrelevant!

[atamido]

Escalating to root is a particularly troublesome issue in Windows environments where users often run with elevated privileges. Even if a user has only elevated privileges (Power-user and above) on a single machine in the organization, a program can set itself to run for any user that logs on. Then the first user to log on that administrative privileges across an organization will run the program and potentially infect all other systems the user is an administrator on. And that's all without any exploits. (The best reason to never use a server administrator to log on to a workstation.)

Re:Frequency of change is irrelevant!

[swillden]

Makes me glad I'm not responsible for administering Windows systems! Thanks for the information, it's interesting.

Re:Frequency of change is irrelevant!

[nabsltd]

That's was my point...they will effectively have the password forever because they can use that to install whatever software they want that will allow them to keep access indefinitely.

65 guesses per minute?

[denzacar]

OK... But for how many minutes?
If it should be the maximum possible amount (90 days) - then it is only 8424000 possible passwords (65 password x 60 minutes x 24 hours x 90 days).

Now, I may be wrong but somehow I have a feeling that there are far more combinations for 94 characters.
Also, this page makes some quite different claims regarding the time it takes to break passwords depending on their complexity.

Like 22,875 years to go through all passwords for 96 character password - if you are doing 10000 passwords per second.

Re:65 guesses per minute?

[Vairon]

By default the author's spreadsheet calculates how long it takes to guess a *likely* password based on the NIST model
http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf of the amount of entropy in a likely password. If you look at the "Entropy Models" tab of the spreadsheet you'll see more of this information. If you change the spreadsheet to use a "perfect" entropy model it would require 22,926,448,052.7 guesses per second to find an 8 character password utilizing 96 characters within 90 days. Fortunately for hackers, people don't usually cat /dev/random when generating their password. Some letters are used more than others. Passwords are usually not perfectly random.

Required Passord Changes

[Archangel+Michael]

Requiring password changes on a regular basis doesn't improve security, it actually lowers it IMHO.

Whenever I've seen institutions start to require this policy, I explain expect a larger number of people to tape their current password under their keyboards.

The other option I see people do, is use a password combination like this "MyCurrentPassword!05" where the "05" is the month. So, in a few days from now, the new password will be "MyCurrentPassword!06" and so on. Even if you require 12 unique passwords in 12 month period, they will be cool, and not really change the password.

The #1 problem with passwords in my opinion, is that most systems have a "remember password" checkbox. That checkbox should be BANNED!

Re:Required Passord Changes

I agree. My college implements this with 0-45 days, and a history of 4 passwords. I only have one strong password in my arsenal, so I'm using weak passwords the other 3 periods.

Of course, if I don't want to give a crap about their policies, I'd just change the password three times in quick successions.

Re:Required Passord Changes

[westlake]

I explain expect a larger number of people to tape their current password under their keyboards.

physical access is ownership. that problem doesn't have a solution.

Re:Required Passord Changes

The purpose of an onerous password policy is not to improve security but instead to shift the blame for security breaches onto users.

Re:Required Passord Changes

- The password may be for an account on another computer.
- If the hard disk is encrytpted, physical access is not enough, you need the password

Re:Required Passord Changes

The real problem is that more things DONT remember your password.

Every time you enter your password you're risking it leaking or being shouldersurfed. Far better to enter your password once into an agent(ssh-agent being the best example) and then staying logged in until you are done(*). If only more thing accepted my ssh key..

(*): some kind of auto logout after machine inactivity would help with security here.

So don't allow password authentication

[fishbowl]

Distribute private keys. Enforce a policy where the private keys can be revoked. Use a physical token.
Make it so the party logging in needs something they know (a private key) and something they don't know (the random number from the key fob).

It's easier to convince the People In Charge that this is necessary *after* a break-in.

It's better to simply *be* the Person In Charge and establish the policy, and enforce it.

Either you're serious about security or you're not.

One problem is that laypersons don't understand just how simple it is to break password authentication, and don't understand that if their password is a dictionary word or even a misspelling or l33t of a dictionary word, they've probably already been compromised. Going further, they don't consider that maybe the person doing the attack is a competitor or disgruntled former employee who *knows* the names and birthdates of all the spouses and children of the whole sales department.

Then there are people who won't take IT security seriously until they've lost a defense contract or a faced lawsuit over a leak of proprietary information.

Re:So don't allow password authentication

[omz13]

Absolutely right. Private keys in tokens are part of the solution. But, I have only ever some across one company who used them... they provided a smart card which you had to use to login to the computer (and provide a password too)... just to make life more fun, the smart card also opened the office doors, so when you want to go for a toilet break or a coffee break you had to remove the card from the computer (which locks it).

Re:So don't allow password authentication

[fishbowl]

>But, I have only ever some across one company who used them...

Very common in my sector (manufacture and overhaul of military aircraft).

Re:So don't allow password authentication

[omz13]

>But, I have only ever some across one company who used them...

Very common in my sector (manufacture and overhaul of military aircraft).

The military sector is a bit more secure than where I tend to work (in financial services)

Re:So don't allow password authentication

Apparently.

WOW, what a GREAT social engineering!

[Hurricane78]

Why work hard to get passwords from the people who are most worried about their security (possibly because they have the most valuable data),
when you can simply open a site, offer them to "check them for security", and let them input them themselves!

Why didn't I think of that! Man, what a genius!

Re:WOW, what a GREAT social engineering!

[Pinckney]

...when you can simply open a site, offer them to "check them for security", and let them input them themselves!

It's not a website; it's a downloadable spreadsheet. It does not ask you to input passwords, but rather the parameters defined by your password policy. For example, the length, number of possible characters, and number of days between password changes.

Wrong threat

[Xenophon+Fenderson,]

You misunderstand the risk. Password complexity policies offer protection in case the password database itself is compromised, when account lockout policies are of no use. The idea is to give everyone enough time to change their password before the attacker is able to decode the database (or authentication caches or packet captures or whatever).

Re:Wrong threat

[Zero__Kelvin]

... and since any modern secure UNIX/Linux uses password shadowing, there is little danger that the system password file (/etc/shadow these days, not /etc/passwd) will be compromised.

Re:Wrong threat

[Xenophon+Fenderson,]

I'm not sure I understand how that's relevant. Usually, exploits allow attackers to gain privileged access to their target. In any case, that's merely one source of password hashes. There are numerous others available to attackers (e.g., packet captures of vulnerable challenge/response protocols).

Re:Wrong threat

[Zero__Kelvin]

"Password complexity policies offer protection in case the password database itself is compromised"

Strange, because you explicitly state why it is relevant in your OP, and that is the statement to which I am responding. If you already have privileged access then you don't need to hack in through brute force, which is the subject of the discussion.

"There are numerous others available to attackers (e.g., packet captures of vulnerable challenge/response protocols)."

Which is all well and good, but not germane to the current discussion, which is brute forcing the password.

Re:Wrong threat

[lemonjelo]

I can't find it now (can't remember the name used) but I had referenced a webpage for an online authen system awhile back that "solved" that problem nicely. I'm probably going to mess up a step by rushing but it went something like this:

• 1. Server sends tokenA and tokenB to client
• 2. Client returns hmac(password, tokenA), and hash(hmac(password, tokenB).
• 3. Server verifies hash of the first part matches what is stored, and stores the second part for next time.

So the hash on the server changes everytime the login is successful, without changing the password, and it doesn't inconvience users. Also there's nice javascript libraries for things like md5/sha that do not take noticeable time on any client I've tried.

Re:Wrong threat

[runningduck]

Hmmm, I have been out to the security arena for a while but aren't passwords individually hashed? There shouldn't be a single crack to the entire database.

Re:Wrong threat

[Xenophon+Fenderson,]

Yes, passwords are individually hashed. I should have said something like "when a significant number of the passwords are decoded".

Re:Wrong threat

[Xenophon+Fenderson,]

I'm not talking about hacking a single computer. An attacker doesn't necessarily have access to the victim's computers. What if someone stole the backup tapes for the victim's authentication servers (Active Directory or OpenLDAP or whatever)? Eventually, the theft will be discovered, but if the passwords are weak enough to be easily cracked, the attacker may be able to cause plenty of damage in the time between the theft and its discovery. Getting back to my original point, you are trying to slow attackers down or force them to do things that make them easier to detect. Some jerk spewing exploit code all over a network is fairly easy to spot. What could be legitimate resource accesses from properly authenticated accounts are much more difficult to detect and repudiate.

Hang on... A little maths:

[Techmeology]

So, there are 94 symbols, 8 characters, and 90 days to guess them in. There are 94^8 possible passwords. That's 6.10*10^15 possible passwords. Per day, you'd have to rattle through 6.77*10^13 passwords. 2.82*10^12 passwords an hour. That's 4.70*10^10 passwords a minute. Last time I checked, 47 billion is greater than 65. Granted: passwords are usually stored as cryptographic hashes so there is the possibility, but the total number of password combinations is equivalent to a 53 bit number (log to the base to of 94^8). Most hashes are longer than this, so that's not a go. While it is also true that many users will pick passwords that are easier to guess, administrators should know better, and users should be taught better (practical demonstrations?).

Easy to remember false answers.

[Chmcginn]

Which is why I always answer security questions from the perspective of my high school D&D characters.

So unless the crackers get access to one of the other six people from that group (and assuming they actually remember any of that from almost two decades ago), they can try my real birth place all day long.

Re:Easy to remember false answers.

[taucross]

Cheers for that.

Allow only certificate logins

[the_other_chewey]

All the systems I have access to or control myself allow only certificate+password logins (with
per-accessing-machine and per-user specific certificates for easy access management and revocation)
but will happily ask for a password on any certificate-less login attempt.
Also, remote root logins are completely disallowed.

Combine this with fail2ban and brute-force attacks of any kind are pretty much a non-issue.

Password strength is meaningless.

[Afforess]

Who cares about password strength anyway? A four letter password is still stronger protection than most people give. The weak link in the chain is and always has been humans. I've found that the security questions to reset the password are easier than the password to crack. Either that or just wait for some Security Official to slip up and sell a hard drive with passwords and usernames on ebay.

Re:Password strength is meaningless.

[French31]

I've found that the security questions to reset the password are easier than the password to crack.

Slashdot Article Reference

Either that or just wait for some Security Official to slip up and sell a hard drive with passwords and usernames on ebay.

Slashdot Article Reference

Re:Password strength is meaningless.

[blincoln]

A four letter password is still stronger protection than most people give.

It isn't depending on the system. If you're working with Windows, passwords less than 15 characters in length can be cracked in a trivial amount of time (usually minutes) using a rainbow table-based system like Ophcrack, assuming access to the hash.
Some ways to obtain the hashes for privileged accounts:
1 - From the local cache on a workstation (e.g. the service accounts used for remote software installation).
2 - Intercepted off of the network by software like Cain and Abel.
3 - Copied off of a domain controller by someone with remote or physical access to one or more DCs.

Re:Password strength is meaningless.

[buchner.johannes]

A chain is only as strong as its weakest link.
You're right on enforcing that weakest link (hard drives getting lost, reset questions), but there is no reason to loosen the others.

Is this secure enough?

[reboot246]

I'm glad my password is 100 characters long with some from English, some from Greek, and some from Klingon.

Re:Is this secure enough?

[BikeHelmet]

According to this spreadsheet, it'd take millenia to guess my best password.

But I suspect my password will be cracked by more advanced computers long before then. Or a keylogger will get me. Or I'll die of old age.

It's about 40-50 characters long before adding a passphrase to the end. It's not written down anywhere, either on paper or digitally. Like a true geek, I remember the whole thing in my head.

And no, I don't use this password on Slashdot. This is my special "only if it's direly important" password. For slashdot and most other sites, I use KeePass to generate passwords.

Re:Is this secure enough?

[reboot246]

Is your passphrase, "this is a really long passphrase. i hope nobody ever guesses what it is because i do not want to have to remember another long phrase like this one"?

Hey, that was mine first! :)

Re:Is this secure enough?

[BikeHelmet]

No. Large chunks of it are hexadecimal patterns that stuck in my head from when I learned how to create webpages. :P

F0D0C01S14ME ;)

That's just 12 chars. Multiply by 4, then add the passphrase and typical stuff like random years/birthdays, plus an occasional symbol. I'm sure it'd be a pain to crack!

Re:Is this secure enough?

[reboot246]

Hexadecimal sorta sticks with you. I still sometimes think of colors in hexadecimal when I'm stopped at a ff0000 light waiting for it to turn 00ff00 while my hair is slowing turning cccccc. :)

Measuring complexity?

[jonaskoelker]

You're right on target.

The real question one wants to ask: what maximizes the security of security measures?

For passwords, we want something that's easy to remember and hard to guess. Hard to guess means it has to appear random: it has to be chosen with a large amount of entropy from the set of valid passwords. In other words, it needs to have a high amount of information content.

"Easy to remember" is at odds with "high information content": the more you have to remember (generally speaking) the harder it is. However, there are mitigating factors.

One is the rehearsal effect: by training something (repeatedly retrieving your password from memory), you become better at it. This can somewhat mitigate the problem of long, hard-to-remember passwords.

Another trick is to exploit the way human memory works. It doesn't just store a big array of bytes like a disk does. I conjecture that the more connected a piece of information is to other pieces of information, the easier it is to remember. (the ocw.mit.edu psych 101 tells that this is certainly true for short-term/working memory.)

A neat trick (recommended by root@myuni) is to come up with a list of words which mean something (say, they're part of a nonsense phrase you made up*), picking the first letters**, adding some punctuation, and using that.

** Maybe I'd recommend picking the i'th mod n of word i where len(word i) == n, due to language statistics issues.

* Say you can remember "Ash nazg durbatuluk, Ash nazg gimbatul, Ash nazg thrakatuluk, Agh burzum-ishi krimpatul" (one ring to {rule,find,bring,bind} them all). Pick as your password AnrAntAglAbi.

If you don't remember geek poetry, pick a list of people you've had crushes on, ordered chronologically, and capitalize every one you've actually been with.

Note that your password must contain at least one upper-case letter. If it doesn't, you have bigger things to worry about than the security of your slashdot account :p

The sticky issue, from a theoretical standpoint, is that you want a password that's very random, but randomness (i.e. entropy) is an attribute of the distribution, not the sample. That means you can't really say that choosing "password" isn't random.

The practical upshot is that you want to choose passwords that evil people are unlikely to guess, which is dependent on what typical people use as passwords. So, by enforcing "nasty" rules, you force users to select something with at least a little entropy (_which_ upper/digit/punct and where it is). Sadly, it'll be Passwo!1, Passwo!2, Passwo!3, etc.

An interesting rule: no three consecutive members of the same character class.

Re:Measuring complexity?

[Beryllium+Sphere(tm)]

>randomness (i.e. entropy) is an attribute of the distribution, not the sample. That means you can't really say that choosing "password" isn't random.
In other words, entropy is a property of the source and not of the output.

http://www.diceware.com/ is another approach. With 4-6 randomly chosen words in a passphrase you can usually make up a story to string them together into a sentence you have a chance of remembering.

Re:Measuring complexity?

[proton]

If you don't remember geek poetry, pick a list of people you've had crushes on, ordered chronologically, and capitalize every one you've actually been with.

Holy crap thats a lot of passwords all with lower-case statistically predictable letters. And even if they do contain any uppercases, in most cases it will only be the last one.

Re:Measuring complexity?

[ResidentSourcerer]

As sysadmin at a school I assigned passwords to the kids, and set the system so that they couldn't change them. They could come to me or the school secretary to find out what it was as often as they wanted, but after the first request, asking me cost them 10 pushups.

Passwords were generated by creating a digraph tree from a large block of text (a mail spool file)

Pick a digraph at random. ac
Now pick a digraph at random from all the ones starting with c
and add the second letter. -> ck -> ack
Repeat.

The effect of this is that while random, the distribution of vowels is such that about half of them are pronounceable. It's much easier to remember a random word (even with non alphabet characters in it) than total alphabet soup. E.g. fliP.nibblit3! vs qVrET2-Yp]

It's a smaller name space, but avoids much of the post-it security issue.

Re:Measuring complexity?

If you don't remember geek poetry, pick a list of people you've had crushes on, ordered chronologically, and capitalize every one you've actually been with.

that made me crying.

Re:Measuring complexity?

[jonaskoelker]

Passwords were generated by creating a digraph tree from a large block of text (a mail spool file)

apt-get install bible-kjv-text ;)

Pick a digraph at random.

I assume with the same distribution as the one you have observed in your reference text corpus.

Re:Measuring complexity?

[jonaskoelker]

sOrRY :p

Re:The same thing that happens with everything els

[mysidia]

The username is not the credential. In the design of a secure system, it should be assumed the attacker has (or can find out) all the valid usernames. The administrative usernames that are defined by the implementation (i.e. the 'Administrator' user, the 'root' user are well-known anyways, and in many cases, required to be active by various software products used in a system.)

The security is in the key (or password), i.e. the secret credential.

Sending 3 attempts is cheap. Generally there's no need to know if the lockout attempt was a "hit" or not.

Also, many systems that implement password lockout will notify the attacker of the password lockout, once the account's been locked rather than state "Invalid Password".

It's foolhardy to place any trust of security in or reliance in difficulty of discovering a username.

The math is wrong

[ratboy666]

Must be, the number of attempts per second makes no sense. I get a COMPLETELY different answer based on similar "data" from his article:

Even if the password is "trivially" generated:

symbol word symbol word symbol: eg. _orange*bear#

would require 10,000 attempts per second to crack under these circumstances (roughly). Assuming that the defender uses ONLY this exact pattern:

The symbol characters add 4 bits each, or 1000 multiplier for 3 (very rough). Choose two words from the dictionary, say limited to 10,000 choices each (the author states that it could be chosen from a set of 50,000). 100,000,000,000 possibilities to run through, If 100 days given, 1,000,000,000 have to examined per day, 86,400 seconds per day, or just over 10,000/second. Contrast to 65/minute.

And that assumes a VERY limited password.

I should download and review this, but I really don't care enough.

But I will try to guess where that number could come from:

Two words together, nothing else. 100,000,000 combinations, 1,000,000 per day, or just over 10 per second.

A single dictionary word, followed by a number. 100,000 combinations. Finally, our attack rate can be 1 per second.

Bullshit

[Bob9113]

As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break -- not at all hard to accomplish, Grimes writes.

90 * 24 * 60 * 65 = 8,424,000
8 ^ 8 = 16,777,216

So if you used an 8 character set, 8 characters wide, you'd get broken by Roger's attack. And you'd be an idiot.

Dictionary attacks? Ask yourself this: What other attack vectors do you open up by using this fame-monger's advice on how to mitigate dictionary attacks? Does Roger address that concern? Might that be because he doesn't know what he's talking about, and is more concerned with getting column inches and his face on your computer screen than he is with security?

Just a thought.

Re:The same thing that happens with everything els

[chill]

No, it isn't that simple.

Considering just about every system today has the user's e-mail address or some combination of first initial/name last name as a username, this is a waste of time and misdirection. It is much too easy to come up with someone's username, even if it isn't one of the above patterns. The username is NOT designed to be part of the security scheme because it is simply ineffective, gives a sense of false complexity (security thru obscurity) and is a major PITA!

(Hmmmm...which username did I use on this site? Is this one that allows e-mail addresses? Does it mandate a certain length of username? Was my preferred name already taken? Hopefully it'll tell me if I screw it up.)

The Myth Of Strong Passwords

[gilgongo]

While Roger Grimes's intentions are good, in making that spreadsheet he's just wasted a lot of effort that he could have spent drinking beer and kissing women.

Firstly, any analysis of real-world passwords in use in, er, the real world, will scream that they are far too weak. That is not news. At all.

Secondly (and this is the hard part for geeks to understand, so: l i s t e n - the strength of a password decreases the greater its theoretical strength becomes. Yes, that's DECREASES.

Why? Because if my password has more than a couple of numbers and some upper/lower case letters in, I will write it on a sticky note and attach it to my monitor - sometimes with the words "password to payroll system" or whatever also written on it.

That is reality. Now, can we all stop this nerdy crap about password strength and do the real work of thinking about the human factors involved in security? That, I am afraid, is where the hard work is. Any idiot can make a spreadsheet.

 

Re:The Myth Of Strong Passwords

[greg1104]

Come on, if Roger Grimes had ready access to beer and/or women he wouldn't be writing for InfoWorld.

Re:The Myth Of Strong Passwords

[gilgongo]

Secondly (and this is the hard part for geeks to understand, so): l i s t e n - the strength of a password decreases the greater its theoretical strength becomes. Yes, that's DECREASES.

Aah, now "-1 Troll"

I rest my case.

Webform

Somebody programmed somehow useful web page (if you dislike excel, that is): http://olli.jarva.fi/passwordstrength/?en

New online service!

[Alain+Williams]

If people are really going to download a spreadsheet that attempts to tell you how secure your password is, I suspect that they will flock to my site that does even better checks.

You enter your password into a web form. Because the checks take a lot of CPU time I will do it off line and email the results back to you (so give me your email address). In addition I will do checks that are specific to your bank, so please tell me that so that I can better assess and help you ....

OK: I jest - but I suspect that a few people would be suckered by that!

Fuzziness doesn't inspire confidence in the author

[mozzis]

The spreadsheet purports to calculate the number of guesses per minute needed to break the password. But in how much time? Also, the comment next to the final result says that it represents guesses per second. 65 guesses per second should cause some notice somewhere in your system. TFA claims that "usually I'm able to break most passwords in under three days, if not in hours". I'm guessing that "most" refers to six-character, birthday or pet-name passwords. My takeaway is that the most effective defense against poor passwords is a [3]-minute lockout after [5] wrong guesses. This will limit the bandwidth of the attack to an unusably low rate. I just can't resist adding that it is really easy for us to enforce password policy for all services domain-wide by a simple policy setting on our DC. In our cluster computing group, where Linux boxen are the norm, chaos reigns and it is a really good thing that those machines are not accessible from the external network.

One good way to make secure, but memorable pws

[selven]

Set up 2 random number generators, 1 from 1 to 20 and the other from 1 to 6. Roll the first one, and use the consonant that is at that position in the alphabet (not counting vowels, so 1 becomes b, 2 becomes c, 3 becomes d, 4 becomes f, etc). Roll the second one and do the same thing but with vowels. Alternate vowels and consonants for about 10-12 letters. You should end up with something like this:

dobamohaqes

Completely meaningless, but pronounceable and therefore easy to remember. If you want, you can add some funny capitalization or some numbers at the end.

4 Numbers is Strong Enought

[esten]

Really the 4 number password for your pin code is strong enough (10000 combination) Any attempt to brute guess these is going to be detected and any further attempts will be stopped.

Evaluating password strength

[Midnight+Thunder]

On this subject, what algorithms are out there for establishing a user's password strength? I see some sites do this, but I am not sure what mechanism they use.

Moving target [Re:Frequency of change is irrel...]

[Geoffrey.landis]

It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually. If you do change passwords, you are trying to hit a moving target. You might get it, you might not

Good metaphor. Guessing a password by brute force is like a blindfolded man trying to shoot a car on the highway by the technique of shooting a bullet, moving the gun two meters, shooting another bullet, and repeating.

Now, if the cars are not moving (and he knows that there is a car on the road somewhere), this technique guarantees he hits one eventually; while if the cars are moving, there's no such guarantee... but, statistically, he hits the same number of cars, on the average, whether the cars are moving or not. It doesn't make any difference if the cars are moving or not to the average.

LIkewise, on the average, it makes no difference whether the passwords being probed for by a brute-force search are changing or not. This should be obvious if the cracker is trying to crack, say, a thousand systems, right? So, you should agree that a system administrator who's administrating a thousand accounts, ought to realize that the system is no safer against getting cracked if he makes his thousand users change their passwords every day or every year.

and even if you do, you don't have long before you have to run the attack again.

Now, that is a different story. If the cracker doesn't install his malware on the cracked system once he gets the password, but instead saves the password for later use, then yes, if you change the password before he uses it, that will help.

Re:4 Numbers is Strong Enough

I think this might be poor advice for any system that does not block and report after failed attempts. Yes, if your password is a 4-digit number it could be cracked in 10,000 attempts OR LESS. Obviously would not take that long if you can make unlimited attempts AND thousands of attempts per second. Most crackers can do all numbers up to 4 digits very quickly indeed for windows passwords (see ophcrack reference above) and if I remember there are things like john the ripper for unix hashes...
If an attacker gains access to brute force any system then the time taken to brute force with only 4 numeric digits might be miniscule. For instance, think of a 4-digit combination bicycle lock. I can physically crack one of those quite quickly. Its not that different. I once cracked a fairly complex 8-digit password in under a day (I felt that was lucky though). If you can get physical access to a machine (or can socially engineer someone who has) there are usually workarounds that will bypass password mechanisms anyhow (there certainly are for Windows). My current password scheme is to use 'up and down the keyboard' pattern sets with mixed case. i.e. zse45TGB and then shift along a set every 90 days so next block is xdr56YHN. Handy if you don't access a system for a few months/years and can just go back. Even using these unpredictable non-dictionary patterns you're not safe from the brute force rainbow tables which just store every hashed result like a dictionary database. Time is the only thing a good cracker needs, Moore's Law will fill in the gaps.

Bank PINs

[AsmordeanX]

With the worries of security I'm shocked at the number of people that use 4 digits for a bank PIN. Mine varies between 10 to 14 digits. Yes I change it every-so-often. I believe the limit on Plus / Interac compatible banks is 16 digits.

I used to work at a coffeeshop and at least 85% of the customers used a 4 digit pin. I know this because the pad went BLEEP for every key push. Just count the bleeps.

Re:Bank PINs

[bradley13]

Some systems used to limit you to 4 digits - maybe some still do. I certainly have a card with a 6-digit limit.

If you are using 10-digit pins that you change, one of the following is true: (a) you have a ridiculous memory for numbers, or (b) you write your PIN down, or (c) you are using something simple for your PIN like 1234513245. The average person has trouble remembering more than 7 digits (not coincidentally, the maximum length of a local telephone number).

Re:Bank PINs

[twostix]

I'm shocked that there's so many over reactors in the world.

You get three goes to get the pin right before the bank will lock the account.

3 attempts to get 10,000 possible combinations correct.

4 digit pins on cards have been around for at least two decades and have *never* been an issue, because there's no vector, you can't brute force a traditional pin because the system locks the account as soon as your start.

There's security then there's misplaced "Well *I'm* more secure than you with my 10 billion digit pin" irrationality.

I'll take security thanks.

Not to mention the obvious; that if 85% of people are doing it and their money isn't being stolen from their bank accounts via legitimate pin guessing then it's not something that's a problem, if it was then 4 digit pins would be no more.

Re:The same thing that happens with everything els

Are you serious? All it takes is 3 attempts to lock someone out for 5 minutes? Sweet! There's this guy named khasim on this message board that really pisses me off. I think I'll just set up a little script to periodically log in with bogus credentials...

Half that for parallel cracking attempts.

[Gazzonyx]

Divide that in half again. You can break an 8 character password in to two 4 character passwords and crack them in parallel. This is why it takes longer to break a 7 character password than an 8 character password.

Re:Half that for parallel cracking attempts.

[TheRaven64]

Divide that in half again. You can break an 8 character password in to two 4 character passwords and crack them in parallel

This is simply not true. In parallel, you can do two attempts at once, but dividing it into two 4-character passwords is definitely not possible. If it were, you could divide each of those into two 2-character passwords, each of those into two 1-character passwords. You'd then have eight 1-character passwords to crack and have to do 8 * 256 = 2048 attempts to crack any 8-character password (assuming each character could be any ASCII character, fewer if it's a restricted subset). This is only the case in very-flawed systems where each character can be tested individually. There was an OpenSSL vulnerability a while ago that made this true - the return time could be used to infer which byte of the key was the first incorrect one - but it isn't the case on any common system.

Divide that in half again. You can break an 8 character password in to two 4 character passwords and crack them in parallel

Ex falso quodlibet.

Re:Half that for parallel cracking attempts.

[Gazzonyx]

I stand corrected (you freakin' old hat ;) ) and retract my previous statement. Apparently this exploit is only applicable for LANMAN hashes. I thought all DES ciphers suffered this weakness.

Quotith the freakin' wikipedia page:

Although it is based on DES, a well-studied block cipher, the LM hash can easily be cracked due to two weaknesses in its implementation. First, passwords longer than 7 characters are divided into two pieces and each piece is hashed separately. Second, all lower case letters in the password are changed to upper case before the password is hashed. The first weakness allows each half of the password to be attacked separately. While there are 95^{14} \approx 2^{92} different passwords made of up to 14 printable ASCII characters, there would be only 95^{7} \approx 2^{46} different 7 character password pieces using the same character set. Restricting the character set by converting lowercase to uppercase further reduces the number of possibilities for each half to 69^{7} \approx 2^{43}. By mounting a brute force attack on each half separately, modern desktop machines can crack alphanumeric LM hashes in a few hours.

LM hash does not include salt, therefore a time-memory trade-off cryptanalysis attack, such as rainbow tables, is also feasible. In 2003, Ophcrack, an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, e.g. RainbowCrack, L0phtCrack and Cain, now incorporate similar attacks and make cracking of LM hashes trivial. However, because LM hashing is not used for passwords of 15 characters or longer, these are relatively strong.

Well done geezer, I'll get you next time though! :)

Re:Half that for parallel cracking attempts.

[qubezz]

Divide that in half again. You can break an 8 character password in to two 4 character passwords and crack them in parallel

This is simply not true. If it were, you could divide each of those into two 2-character passwords, each of those into two 1-character passwords.

You clearly have not played Global Thermonuclear War recently.

Re:The same thing that happens with everything els

[firewrought]

It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked

The risk of this type policy (in a corporate IT environment) is that you start locking people out during important sales presentations, during middle-of-the-night production emergencies, during shareholder meetings, and during critical moments of new project go-lives. In an e-commerce environment, obviously, the risk is that you'll drive away customers who can't use your system.

My (large, important) company has a 10-password lockout backed up by a 24/7 1-800 number with an automated system for resetting passwords. Even that's a pain sometime... in the real world people futz up passwords repeatedly because they put their fingers in the wrong place, have the caps lock on, have the wrong keyboard layout selected (dvorak--my personal password beast), or are struggling to remember the new password they chose.

First off, there should NOT be any indication whether the username was valid or not. It's as simple as that.

Why? As others have pointed out, it's not part of the security mechanism. Go ahead and tell the user their account is locked and point them in the right direction. For e-commerce especially... your users have umpteen different logins that they rarely use, and they need some help recalling their username on your site.

Is is really "bad" to write down your passwords?

[bradley13]

I read a persuasive article once that argued that writing down passwords was a good thing. The argument was that this allows the user to select stronger passwords without worrying about forgetting them.

In essence, you replace an IT security problem with a physical security problem. The number of people with physical access to your desk, or wallet, or whatever is probably considerably smaller than the number of people with electronic access to hack your account.

Re:The same thing that happens with everything els

[PMBjornerud]

Are you serious? All it takes is 3 attempts to lock someone out for 5 minutes? Sweet! There's this guy named khasim on this message board that really pisses me off. I think I'll just set up a little script to periodically log in with bogus credentials...

Do you really prefer the alternative? That anyone can set up a script with an unlimited amount of guesses on your* password?

*No, not your password, which is strong. Your users passwords', which often takes the form "John" or (if you're lucky) "Johnathan45".

Re:The same thing that happens with everything els

[JohanSteyn]

No, it isn't that simple.

It is that simple: don't provide any information to a potential cracker other than that an attempt either succeeded or failed.

Imagine this response from a web site: "You attempted to sign in with username joe.blog@somemail.com, but unfortunately there is no such user registered. Please make use of this opportunity to register now."

Or this: "You attempted to sign in with the valid registered username joe.blog@somemail.com, but unfortunately you submitted an incorrect password. Silly person - please try again."

Both (contrived) responses indicate whether or not there is such a user currently registered on the site. That's too much information and entirely unnecessary.

Forgot your username? Tough.

How about the reverse effect

Does that excel sheet also calculate the number of additional help desk calls and wasted work time of password resets that stem from changing passwords too often and using too complex passwords for people to remember? Also, making these recovery methods an everyday practice makes other kinds of cracking methods (such as social engineering) easier, thus reducing the gained "level of security".

If it wasn't so, everyone would naturally use 128-character totally random generated passwords that must be reset after every use...

Re:The same thing that happens with everything els

[Bender0x7D1]

Except many email addresses are public because they are used as a method of contact which, if you like bringing in new customers, is important. Of course, this might not be necessary for most people in a large organization - unless they do things like volunteer, fundraise, coach little league, etc.

Re:Moving target [Re:Frequency of change is irrel.

[jonbryce]

If the cars are moving, the probability of each individual shot hitting is the same as before eg 1:10, but the probability of one of the series of 10 shots is less than 1:1. However the probability of more than one of the 10 shots hitting has increased from 0:1.

If what matters is whether or not you are shot rather than how many times you are shot if you are unlucky, then you should move around.

Re:The same thing that happens with everything els

[atamido]

When we had the opportunity to rebuild our network from the ground up, my boss insisted that the usernames be different from the email addresses for security reasons. No amount of talking to him would convince him this was entirely unnecessary as account lockouts would protect from password guessing bots. It's not an issue most of the time, but it is added confusion for users, and when it is an issue it is a real pain.

Re:Fuzziness doesn't inspire confidence in the aut

[Slashcrap]

I just can't resist adding that it is really easy for us to enforce password policy for all services domain-wide by a simple policy setting on our DC. In our cluster computing group, where Linux boxen are the norm, chaos reigns and it is a really good thing that those machines are not accessible from the external network.

If only there were some centralised directory protocol that could be used with Linux to enforce password policy amongst different machines. Ideally it should be lightweight. Just one more area where Linux needs to catch up with Windows. If only we had Group Policy too, so that we could manage systems remotely.