Slashdot Mirror


Multiword Passwords Secure Or Not?

Gaygirlie writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and of the general consensus; of course any password whatsoever is going to be insecure against an offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?"

6 of 372 comments

  1. Obligatory xkcd by kc9jud · · Score: 5, Insightful
    1. Re:Obligatory xkcd by medv4380 · · Score: 5, Insightful

      Come on. All he did was post a link to a related xkcd comic. He didn't say anything about it being right or wrong. It's related, and funny. Would you rather have had someone do a standard first post troll instead?

    2. Re:Obligatory xkcd by Anonymous Coward · · Score: 5, Insightful

      No, you RTFA. They mention xkcd, but then ignore it and go on to test 2-word passwords that are not randomly chosen or unrelated words. Of course 2-word passphrases, where the words are related ("Chicago Bulls") or are a verb-noun pair ("Speedy Gonzalez", "Soft Kitty", "Oneiric Ocelot"), are weak against dictionary attacks. The xkcd approach is not.

    3. Re:Obligatory xkcd by tigre · · Score: 5, Insightful

      Aren't those exponents reversed?

      2048^4 vs 102^8?
      1.7 * 10^13 vs 1.1 * 10^16?

      So completely random is still better in this sense. Just hard to remember and maybe hard to input. xkcd compared "uncommon word + common substitutions + a couple random characters".

  2. Very specific conditions by Dixie_Flatline · · Score: 5, Insightful

    The passphrase system they studied wouldn't allow duplicate passphrases. So if you picked one that was already in use, it would tell you so.

    The problem isn't that the passphrase is insecure, the problem is that the system itself is giving you information about what's inside it. Doesn't it seem obvious that any security system that relies on secret data that gives up information about the secret data is insecure?

    Then they did an analysis on passphrases that use English words with the same frequency as in standard English. So the word 'betwixt' was probably pretty low down on the list, and 'material' was probably higher. That also seems unreasonable. Just because you want a memorable password/passphrase, it doesn't mean that you have to use small, ultra-common words.

    This study has little merit in declaring that passphrases are insecure. (It does have merit in letting us know that obvious security problems are, in fact, obvious security problems.)
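A worked version of the search-space comparison tigre makes above (2048^4 vs 102^8), extended to Dixie_Flatline's point that words drawn with English-like frequency carry far less entropy than words drawn uniformly. This is an added example, not code from the thread or from the Cambridge study; the Zipf word-frequency model and the 10^10 guesses/second offline rate are assumptions for illustration.

```python
import math


def search_space(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn from `symbols` choices."""
    return symbols ** length


def uniform_bits(symbols: int, length: int) -> float:
    """Entropy in bits when every position is chosen uniformly and independently."""
    return length * math.log2(symbols)


def shannon_bits(probabilities) -> float:
    """Shannon entropy (bits) of one position drawn from a non-uniform distribution.

    Note: this is an optimistic figure; an attacker who guesses in frequency
    order needs far fewer tries than 2**H on a heavy-tailed distribution.
    """
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def zipf_distribution(n: int, s: float = 1.0):
    """Assumed Zipf model of word usage: P(rank k) proportional to 1 / k**s."""
    weights = [1.0 / k ** s for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected seconds to reach the target (half the space) at a given guess rate."""
    return 2 ** bits / 2 / guesses_per_second


# tigre's comparison: 4 words from a 2048-word list vs 8 characters from 102 symbols
XKCD_4_WORDS = search_space(2048, 4)    # 2048**4, about 1.7e13
RANDOM_8_CHARS = search_space(102, 8)   # 102**8, about 1.1e16

# Dixie_Flatline's point: same 2048-word list, but words picked with
# English-like (Zipf) frequency instead of uniformly at random
UNIFORM_4_WORDS_BITS = uniform_bits(2048, 4)                     # 44.0 bits
ZIPF_4_WORDS_BITS = 4 * shannon_bits(zipf_distribution(2048))    # roughly 32-33 bits

if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate
    print(f"4 random words:       {UNIFORM_4_WORDS_BITS:.1f} bits, "
          f"{expected_crack_seconds(UNIFORM_4_WORDS_BITS, rate):.0f} s")
    print(f"4 frequency-weighted: {ZIPF_4_WORDS_BITS:.1f} bits, "
          f"{expected_crack_seconds(ZIPF_4_WORDS_BITS, rate):.0f} s")
    print(f"8 random chars:       {uniform_bits(102, 8):.1f} bits, "
          f"{expected_crack_seconds(uniform_bits(102, 8), rate):.0f} s")
```

The frequency-weighted figure shows why the study's result and the xkcd advice do not contradict each other: the list size is the same, but only uniform selection delivers the full 44 bits.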

  3. Take into account human nature by MetalliQaZ · · Score: 5, Insightful

    As mentioned, a lot of stock is put into secure passwords, when the reality of computer usage makes all the effort meaningless.

    Let's look at a normal user, Joe. Joe has many corporate logins at his job. His company has a password strength policy, so Joe has ended up with this password: Jason5 (Jason is his youngest son). The last password was Jason4, then Jason3, etc. Some systems require more powerful passwords, so he uses _Jason$5. I have met dozens of Joes IRL.

    Let's look at Lucy. Lucy knows that a good password only has to be easy to remember and hard to brute force. "Simple Man" is one of her favorite songs. Especially these lyrics:

    "Boy, don't you worry you'll find yourself
    Follow your heart and nothing else
    And you can do this, oh baby, if you try
    All that I want for you my son is to be satisfied"

    She selects this password: allthatiwantforyoumysonistobesatisfied
    She'll never forget it, and it won't be cracked by ANYONE. Governments who want her password could crack it, but they would probably just put her in jail until she gave it up.

    Then, Lucy reads the article linked above and starts to doubt the security of her password. She is wrong: her password is WAY better than Joe's.

    Both accounts end up getting compromised. The company had been storing passwords in plain text and was hacked via a 2-year-old SQL injection vuln. So much for all that bullcrap.

    -d

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"