The Science of Password Selection
troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."
What's the inspiration for choosing short, simple passwords? They are short and simple, so you don't forget them. Similar reason to using the same password for a variety of different purposes. For bank accounts, use the strongest possible password, and don't write it on a sticky note. For Facebook, use "asdf1234" and don't put *any* important information on there.
That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and or something they think is clever.
The problem with passwords is that if they are too complex, people can't remember them, or they write them down in plain sight. Pass phrases can be very effective, easy to type, and don't rely on the cleverness of people who can't remember 10 random letters, numbers and special characters.
You know, what is more shocking is that clueless "security experts" are still relying on passwords as their primary security measure. Passwords are bad because they are not natural. Humans are not computers, i.e. we have not evolved to memorise random strings of letters and numbers. Our brain has evolved to make the most of connecting and contextualizing information, not memorizing 1s and 0s. This is the mistake you computer people always make, whether designing GUIs or security systems.
To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past, so it's no wonder that they are rarely used.
I've become a recent convert to the idea of using a password card or password chart to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.
A function that returns a string of 12 random ASCII characters including upper and lowercase alphas, numerics and symbols will score 100% on a password strength test like http://www.passwordmeter.com/ but I find that a password like that will be hard to type, much less to remember.
Another way is to return two random words from a list of less-used English words, separated by two or three random numerics. That won't score as high but it will be plenty secure against dictionary attacks and will be easier to remember.
I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept, it's worth taking a look at.
https://www.grc.com/haystack.htm
Exactly. Having reasonable policies such as "passwords may not consist solely of names or common dictionary words" strengthens security; going further than that and insisting that all passwords must consist of strings such as "kjf83i3n!mnc_79d" weakens security, because it practically begs people to write their passwords down. Similarly, requiring users to change their passwords every month will result in nothing but the use of weak passwords and/or constant tech support requests from users who can't log in.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
I'm surprised a large chunk of the obfuscation attempts didn't involve replacing letters with numbers. termin8, passw0rd, etc.
I used a password cracker once as a sysadmin many years ago and I recall that that was one of the higher priority alternates the password cracker tried after dictionary words. I also remember there were plenty of adjunct dictionaries for password crackers with things such as anime/book/movie/tv names and character names and places which might cover a lot of that "other" category.
My IT department was not even able to tell me what our password policy is. My password expired and I had to pick a new one. I could not get one to work that passed our policy. I had one with four symbols, four upper case, four lowercase and four numbers that I would never be able to remember, and it still would not take it. Finally, in desperation I logged in as a domain administrator (which I happen to know, and whose password never changes because the entire system would break) and set my password to something that has a reasonable complexity that no one would randomly figure out and that I can remember.
Seriously, I don't care if someone guesses or bruteforces a password to some news site, or anything where I've used a totally random pseudonym in the first place. I will do things like use weak passwords, re-use them, etc. Because I don't care. I mean, I *really* don't care. Please hack these. Who cares? Not me.
Web sites and applications where I *do* care, get particularly long, entropy-rich randomly generated passwords. These passwords do get stored locally, on a well-encrypted medium that I would be most happy to surrender at the first hint of torture. But these aren't going to be casually guessed, and if you're trying to brute force one of these accounts, you're much better off attacking the next one over. (I take the same strategy with auto and home security as well -- all I really have to do is make YOUR car look more attractive to thieves.)
Having a hard-to-guess password on a post-it note stuck to your monitor is entirely appropriate in a lot of places. If the threat from inside the organisation is close to zero (e.g. a home office with no external cleaning contractor where all staff have equal network access) but the threat from outside is high (e.g. remote access to email or desktop), then it's a better outcome than an easy-to-guess password that exists only in the user's head... and in the dictionary.
I think a lot of these stupid password policies were the result of Lanman and L0phtcrack.
First, there are two kinds of things that people call "passwords". #1, a secret phrase that you tell to a remote system to authenticate yourself. #2, a key that has to be cryptographically secure against local attacks.
Traditional Windows NT domains essentially published a Lanman hash of everyone's password. Lanman had a bizarrely bad hashing scheme: it null-pads your password to 14 characters, then splits it in half to two 7 character passwords. Thus, an attacker gets a local copy of your hash and only has to crack a 7 character long portion of it, which is exactly what L0phtcrack does. Decently good passwords get cracked within hours.
The band-aid attempt to secure this horrible situation was to try to make the most cryptographically secure 7 character password possible. That isn't a lot of key data to work with so you basically have to have an absurdly line-noised password - and even then it could be cracked given enough time, so NT admins forced changing passwords frequently (which actually doesn't help, since the attacker just picks up random-guessing on the new hashes as they come out - sooner or later they'll find one).
So that got enshrined as what a "secure password policy" was supposed to be. Unfortunately, it was designed to protect against an absurdly-bad implementation of scenario #2, when for the most part, your password only needs to be secure in scenario #1, because the hash isn't published and you can only make a half-dozen attempts to guess it before it gets locked out.
If you lock your car, a skilled car thief can be inside in 15 seconds. Should you stop locking your car? No. Should everyone buy a high-security locking system? No. If somebody wants your car badly enough, they will get it. The lock just prevents casual theft.
Same with passwords. If somebody wants into your Citibank account badly enough, they'll find a way to get it, like just logging in as themselves and then changing the URL! Does that mean you shouldn't have a password? No. Should you use an ultra-complex combination of letters, numbers, and symbols? No.
I think password strength rules should be eliminated. It's not really about how strong the password is. If the system is built in a secure way (like locking you out after three bad attempts, etc.), any password will be good enough for most people.
Simple? Yes. Short? NO.
Please consider that not every character in a password needs to contribute a high level of entropy; as long as a few do (to increase the search space), the length of a password can contain relatively low-entropy character streams.
0#f$%aEx
6.7e15 search space (cracked in 3.35e15 brute force attempts on average).
Sl@5h--------------------VortexCortex
1.51e73 (cracked in 75.5e72 brute force attempts on average).
(Sl@5h, twenty dashes, user name -- easy to remember -- not my real algo, make up your own)
A short string of upper and lower case, with symbols increases the search space required per character. However, each character thereafter, even if it repeats, increases the search space size by a factor of the search character set size...
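The two search-space figures quoted above (6.7e15 and 1.51e73), the haystack idea from the grc.com comment earlier in the thread, and the LanMan 7+7 split described a few comments up all come out of the same arithmetic. The following is an added example, written for this page and not taken from grc.com, L0phtcrack or any poster here. It assumes the printable-ASCII classes haystack-style calculators use (26 lower, 26 upper, 10 digits, 33 symbols including space) and that a brute-forcer tries every length up to the password's length; the names `alphabet_size`, `search_space`, `lm_halves` and `lm_work_factor` are this example's own. The DES step of the LM hash is deliberately left out, since only the split determines the attacker's work factor.

```python
"""Haystack-style search-space calculator plus the LanMan half-split.

Added example for this thread, not code from grc.com or any poster.
Assumes the printable-ASCII classes used by haystack-style calculators and
an attacker who tries all lengths 1..len(password) over the inferred alphabet;
with those assumptions the 6.7e15 and 1.51e73 figures quoted above reproduce.
"""
import string
from typing import Optional, Tuple

CLASSES = {
    "lower": frozenset(string.ascii_lowercase),      # 26
    "upper": frozenset(string.ascii_uppercase),      # 26
    "digit": frozenset(string.digits),               # 10
    "symbol": frozenset(string.punctuation + " "),   # 33 (32 punctuation + space)
}


def alphabet_size(password: str) -> int:
    """Symbols per position a brute-forcer must cover once it assumes the
    character classes actually present (how haystack-style scoring works)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str, alphabet: Optional[int] = None) -> int:
    """Candidates an exhaustive search covers when it tries every length from
    1 up to len(password): sum of n**k.  Repeated characters (the twenty
    dashes above) still multiply the space by n each, which is the haystack
    argument in one line."""
    n = alphabet if alphabet is not None else alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def expected_attempts(password: str) -> float:
    """On average the brute-forcer hits the password halfway through."""
    return search_space(password) / 2


# LanMan: lower case is folded into upper case before hashing, so the
# effective alphabet is 26 + 10 + 33 regardless of what the user typed.
LM_ALPHABET = 26 + 10 + 33


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """LanMan preprocessing: upper-case, truncate/NUL-pad to 14 bytes, split
    into two 7-byte halves.  (Each half then keys a DES encryption of a fixed
    constant; that step is omitted here because it does not change the split.)"""
    buf = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\0")
    return buf[:7], buf[7:]


def lm_work_factor(password: str) -> int:
    """Candidates to recover the whole password from its LM hash.  Halves are
    hashed independently, so the attacker runs two 7-character searches
    (sum of 69**k, k=1..7, each) instead of one 14-character search.  An
    all-NUL half hashes to a fixed, well-known value and costs nothing."""
    per_half = sum(LM_ALPHABET ** k for k in range(1, 8))
    return sum(per_half for half in lm_halves(password) if half.strip(b"\0"))


if __name__ == "__main__":
    for pw in ("0#f$%aEx", "Sl@5h" + "-" * 20 + "VortexCortex", "Password123456"):
        print(f"{pw!r:45} alphabet={alphabet_size(pw):3d} "
              f"space={search_space(pw):.3g} LM-work={lm_work_factor(pw):.3g}")
```

Run as a script it prints the nominal search space next to the LM work factor; a 14-character mixed-case password scores around 1e25 against a proper hash but only around 1.5e13 as two LM halves, which is why NT-era policy fixated on cramming entropy into seven characters.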
The biggest problem with passwords is that they are not hashed, thus many sites place limitations on the characters and length. If any sites do: I write a scathing e-mail to the moronic IT staff and I refuse to use the insecure service (if I can, otherwise, for places like my previous bank, Wells Fargo, I just bitch about it every so often until my account gets hacked and I'm forced to choose a more secure service...).
Exactly, so repeating patterns are OK as far as brute force is concerned.
The way I tell my users to create a password is to think of a four or five letter word, let's use "bill", and a number, say "4". Now the simple way to get a 10 character complex password is to use the word with the first letter capitalised, followed by the number, then the special character associated with that number, followed by the word (again, capitalised), for example:
Bill4$Bil
All the user has to remember is Bill4, simple to remember, not based on a dictionary word (because as soon as a cracker has gone through the dictionary and common names they'll go through the dictionary and common names + $number) as long as it's repeated at least once, and it can be repeated as many times as you like and it's still only five characters to remember.
Although, with password lengths I think you start to get diminishing returns after a while: the more characters you have, the more likely you'll have a typo and the more frustrating for the user it becomes, and then the user will just switch to a simpler password. Remember that most users don't have a password on their home machines simply because they can't be arsed.
Passwords should also be cycled if they are important. Length, complexity and password cycling are all useful and work together in creating robust security, but they do so at the expense of user friendliness. If a security system is too unfriendly to its users they simply won't use it, so we make trade-offs to ensure that the system is used correctly.
So realistically, length, complexity, password cycling and user friendliness need to work together in creating robust security and work well in the right mix. However, getting three IT security people to agree on what that mix is is like negotiating peace in the Middle East.
And now we have reached the end of another long and exciting post about passwords.
I'm surprised the common public hasn't really gotten into password managers like lastpass or keepass yet.
For example, I use lastpass. I have it set up so it logs off every time I close my browser, and I can set a delay time on how long after I close my browser it logs off as well. I only really have to log in with my master password once, and then everything is great after that.
Seeing as lastpass will autofill every form or password field on every website, and can even generate completely random passwords, from all forms of characters and symbols at any length, it seems odd to me that most wouldn't like to use it. It's very point-and-click-y and doesn't really provoke much in the way of effort, sans setting it up once and letting it do its thing.
Plus, you only have to remember one password. The master password. And if you tell me that you can't remember a single complex password, then I challenge you to try. It's really not that hard. With only one password to remember, it's hardly a big deal to strain yourself to remember it. Plus, if you do it properly, the rest of your passwords that are stored will be 64+ some characters in length (assuming there's no size limit) and will be 100% random. Since you never bother to look at the generated passwords, you never remember them, and never know them, which is probably the safest way to keep it.
In any case, I'm shocked that people still think they can get away with garbage passwords nowadays. I could probably break into the entirety of my parents' and sister's accounts just by guessing passwords that I think they'd use. My parents especially on that list. Then again, here I am preaching to the choir (I hope) and it's likely they'll never change their ways and set up a decent password longer than 6 or 8 characters.
(Since this was a long post, here, have fun playing the how secure is my password game. Longest amount of years = biggest e-peen)
HowSecureIsMyPassword?
tools -->> generate secure password -->> generate -->> save -->> autofill done and done.
NEVER put your password on a post-it note stuck to your monitor!!
The correct place for it is under the keyboard
A totally underrated (and largely ignored) issue with long passwords is the user's typing accuracy. I type reasonably accurately, I guess, but at least every 20 keystrokes I will mistype one. So a 10-character password already has a reasonable chance of a mistype; a 20-character phrase will have a very high chance of a mistype. That would mean I have to re-try typing that long password a few times before it is finally accepted. And having your password hidden while you type it in doesn't help, of course.
The 7-9 character passwords that I use normally are hard enough in that respect. I often have to re-type because of a typo. And those are strings that I type often, so I have muscle memory developed for them already. I dread the idea of having to use 20-character phrases for that. Too much risk of re-typing, and too much work in having to re-type it five times until you're finally exactly right.
Learn to type.
My regular password is 16 characters and I rarely mistype it, even if just from muscle memory.
I have full-sentence keyphrases on things like the truecrypt vault that holds my SSH keys. I mean 50+ character sentences.
Most of the time, I have it right on the first shot. Muscle memory helps a lot with things you type regularly, like some passwords.
What a depressingly stupid machine.
TFA complains about simple passwords (containing no non-alphanumeric characters). Over the years I found that every single little stupid corner of the internet decided they had a better idea what should be in a password than everyone else. Each of them excludes a random subset of non-alphanumeric characters from being valid. Another subset of stupid little corners of the internet can't code their way out of a paper bag, and can't properly escape non-alphanumeric characters, especially ['"\%&=] which need to be escaped in certain contexts or are contained in urls. Yet another subset of stupid corners of the internet place arbitrary length restrictions on your password (here on slashdot: 20 characters). Working on wiki software for a while, I watched as time and time again, contributors couldn't understand the basics of properly escaping strings, so they invented stupid crazy regexes that always failed. Then they would pile on more hacks to catch corner cases. On web forms it usually takes the form of some javascript that "checks" the password, and other javascript that has to encode it into a URL or POST request.
So I gave up. As you argue, increasing the length increases the complexity exponentially fast, while increasing the character set increases the complexity only logarithmically fast. So it's better to use a long alphanumeric password than to discover that you can't log in, because the password form can't encode what you typed properly. These days I find it's extremely rare to run across a site or application that requires a non-alphanumeric character to be present.
My password is just as long, and like you, I rarely ever get it wrong. More to the point, though, I have no idea what my actual password is. If you ask me to write it down, I am liable to get it wrong most of the time, but I can certainly type it out without any issues.
My password scheme:
I use 4 random words, separated by spaces and punctuation; 1 of those words will have something to do with the application or site I am connecting to. Every few months, I will change the password, using those same 4 words, changing the order and the location of the punctuation. Throughout the password I will also randomly replace letters with their related number or special character symbols.
I have yet to forget my password (except on sites where I log in once every 4 or 5 months, the Startek website being one of those (the user and parts site for my car), where I do a password reset and pick a new password).
And then there's code like PHPbb, where it will let you create an admin password with an @ in it during site setup, but then just mysteriously strips the @ out of the actual password when the site is set up. I rebuilt a site three times before (for some crazy reason, can't recall how I thought of it) deciding to type the password and leave out the special character, and finally getting in.