Your Passwords Don't Suck — It's Your Policies
First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"
Every time I see a password like "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"?
I'm not sure who's wrong or right
http://www.wolframalpha.com/input/?i=password+strength+correcthousebatterystaple
The problem I have with that comic is that the "strong" password is lowercase only.
Sure, it's 28 characters, but it's still lowercase only.
That makes it a lot weaker, no? I personally use a 17-character-long password (for anything important) at this time, being somewhat random and including lowercase, uppercase, numbers and special characters. If there is one thing I have seen from hashtables, it's that adding in special characters makes it a lot harder, and sometimes outside the realm of possible.
Never mind that if you know the person is using special characters, you're still gonna have a lot longer time cracking; if you know he is only using words, with the help of dictionary attacks you're gonna run through them a lot faster.
Oh, and the way I manage to remember my long password is that I take the short, I assume random, passwords that I have been forced to remember for a few years, like for school, and add those together with a special character in between. Makes it very doable to remember.
The trouble with the passphrase concept is that the whole words just become tokens. Most people's vocabulary is not that large. You could use a common spelling dictionary and toss in substitutions like 0 for o, et cetera, and you don't really have a key space much larger than normal 7-character-or-so passwords offer.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
A white jacketed southern gentlemen's password is "This secret spice makes shit taste like chicken"
I got to the chocolate box before you, that's why the hard ones have teeth marks.
at the very least, just show what the password requirements were.
Any password policy that basically forces you to write down your password somewhere is broken. Sure, you can use a password vault but that's cumbersome for the various dozens of passwords strewn about the web and on mobile devices. But my biggest gripe is sites that lock you out (requiring a phone call) after 3 incorrect guesses. I could understand 100 incorrect guesses, but 3 guesses is not enough to recall a password when you have not used it in several months. One hundred guesses by a computer/hacker is nothing compared to the full password space.
...is why it is all so difficult to come up with some scheme to secure internet-accessible resources. Corporate policy for me requires password changes every 90 days, disallows any of the last eight passwords, and requires the use of letters and numbers. Effectively, I'm forced to write it down, negating all their efforts at obscurity. When will some bright CS geek invent a real solution to this problem? Is it that hard? Can't it be as simple as probing me for dynamic info that only I would know? How about visual methods: ask me who's in this picture of my co-workers, or what this family snapshot from my past is, etc.?
Have you ever noticed that anybody driving slower than you is an idiot, and anyone going faster than you is a maniac?
sandra bullock upload virus
good luck with that i have a zero balance
cowboy neal is the joke reply
You'll have to imagine there are no spaces, because it won't pass the /. filters as a concatenated string.
i.e. 7 characters one must be a non-character or capital.
The result is that people like me choose passwords that are keyboard patterns that anyone could guess if they watched me type them.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
Passwords are fine - they are the only thing that identifies the mind behind the input device (as long as you aren't stupid about it).
Especially since everything else is worse.
Biometrics suffer many flaws.
Fingerprints - easily duplicated. Blood flow patterns - a bit harder.
Both fail if you get a bad cut/scar on the finger.
Facial recognition? - just use a photo - or better yet, a bust with color added (especially now that people are using them for avatars). As long as the image has a higher resolution than the camera being used, not much of a problem.
Retina/iris scan? Bit tricky, but can be duplicated on a glass eye. Again, need a higher resolution than the scanner/camera.
The main problem is indeed the policies. While I (mostly) agree with the main statements TFA makes, I have my own note to add:
My bank's website enforces a MAXIMUM length. I'd love to have a password like "c0rr3c7 h0r53 b4773ry st4p13", but I can't use more than 6 characters.
Yes, you read that right. 6 characters. Maximum.
I fear for my online bank info constantly
Why would there ever be a reason to enforce such a small maximum length? I don't get it.
Unlike porn, which yada yada rimshot hey-ooh!
The problem with XKCD style passwords is the more characters in a password, the more likely I am to make a typo while entering it. I mistype a typical 8 character password a couple times a day. I can imagine what it would be like with a 25 character password.
...It's too bad there's no way for two hosts to authenticate on a pre-shared key system with a public half and private half for each key, so bob and alice trade public keys and can communicate safely even if eve has both public keys....
Congratulations on winning the Slashdot trifecta - you managed to invoke the GPL, cite XKCD, and slashvertise your own project all in one!
What part of "a well regulated militia" do you not understand?
Pwds will always be an easy-security bad idea, because by the time a new pwd sec-theme is common, cracks have been in place for about five years.
We need to get past crazy/silly pwds to non-human-dependent security. It will cost a little more, but increased productivity and better security will save oodles.
Pwds are in the trench of the Maginot-line of security, stop wasting time and money, get to bio-PKI and beyond. Easy (to manage/implement or cheap) security is bad security physically/virtually.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
they sure do make it a lot easier, with some downsides as well. i use keepassx on *nix, and keep a portable keepass on my USB thumb drive for Windows computers. all my passwords are stored in it, all are 25 characters, with around 200 bits of entropy each. the only thing to worry about is the master password, which was created using keepassx's password generator as well. as long as i remember to exit it before leaving, or at least lock the computer, there's not much to worry about. all passwords different, all strong, and auto-type makes things very easy. the downside is... you don't really know any of your passwords, and become reliant on the program. that's why i keep at least 2 complex passwords committed to memory and use them for common stuff, like my email. it's quite embarrassing to sit by your university project partner, be asked to log in to the university website, put hand in pocket, realize you forgot the thumb drive at home, and exclaim "i don't know my uni password at the moment".
my sig pwns your sig
I th1n5 1ts 2 l8
A computer can't tell if a passphrase is random or guessable; even a human wouldn't necessarily be able to. XKCD/diceware-style passphrases, however, are supposed to be easy to remember despite being completely random, so the proper course is to let the computer generate the passphrase.
Analogies don't equal equalities, they are merely somewhat analogous.
I use about 9 different passwords ranging from the 6 or 7 characters i'm allowed up to the 20's,
i tier them by importance, so if i ever come into any shit, i know what accounts will need to be checked.
I'll also add that i lock my doors and windows, and own a gun, but because i don't have top notch Ub3r l33t h4xoring
skills or a LOIC, i use the best passwords i'm able.
I use randomly-generated passwords (generated by reading /dev/random) that are at least 16 characters long. I restrict the character set to [A-Za-z0-9], which is a touch under 6 bits per character, so I have about 95 bits of /dev/random-quality entropy.
The passwords are stored in a file encrypted with a long passphrase. The long passphrase is probably the weak link, but by not reusing passwords across different websites and using randomly-generated ones, I'm fairly well-protected if one of the sites I visit has its password file stolen.
I need to pick up battery staples.
Since when this is an issue anyway?
Every single important system (e-mail, ssh, my bank) I use has some sort of protection against brute-force attacks.
Even if the issue was choosing a zip-file password, given the limited amount of computation resources, the number of zeroes in the size of the keyword space loses its meaning at a certain point.
A: "What are stupid questions I don't want to answer truthfully, Alex?"
Also unwise is to have web sites save your info, especially credit card info. Someone cracks the db and you are p0wned.
It is more than just passwords...Heh, don't click that link, Grandma!
I come here for the love
I'd love to see a PAM (Pluggable Authentication Module) for this.
Also garbled passwords are going to be far harder for people to memorize if seen by accident.
Not if they do not recognize it as a password e.g. "Remember the lepton-jet meeting at 8am" would look more like a reminder than a password.
I walked into work this morning to hear one of my colleagues explaining to a user over the phone that if they just "type in the password they want, preferably eight characters, capitalize the first letter and stick a "1" on the end, it satisfies all the password requirements."
Words cannot describe my reaction when he hung up the phone and turned around.
Who is passfault! We don't know. Did anyone else start typing in their best passwords to test them then think... wait... I'm just giving these away. They have my IP and my best passwords now.
So I then went to the github site and downloaded the java jar version of this but it is not the same! On the website I tested "abc123" and it said it was weak, less than 1 day, obviously. But the java jar program doesn't notice the pattern and says it would take 8 days to crack.
Time to change my passwords I guess.
Just because you are paranoid doesn't mean they aren't out to get you.
Obligatory xkcd... Oh... Nevermind.
Their demo estimated 18 years to crack a particular password based on a UNIX crypt. Changed the "Password Protection System" to "Microsoft Windows System" and it dropped to 1 day to crack the same password.
Credibility: gone.
Login names should also not be easily determinable from knowing your identity.
the sign in for your email account should not be your email address. It should be unrelated.
The signin for my slashdot account should not be Shavano.
I should not use my name for either, but my employer requires me to use my name for my email account AND my username on its systems.
We are so worried about our accounts being hacked and at the same time not remembering our passwords. Put a sticky note under your desk or in some easily retrievable (but not moronically easy to find) location. The likelihood that someone breaks into your computer and steals stuff is much higher than someone breaking into your house and stealing your passwords and computer (given the amount of respective time required for each). Also, if someone breaks into your house, they probably aren't looking for your Facebook password... Or I could be wrong and just blowing smoke outta my ass.
Here's an example of something easy to remember and hard to crack:
Take any sentence with 8+ words that includes one or two numbers. Just use the first character. Throw in a CAP or two.
Example:
My 9 inch Cock is bigger than your puny pecker.
M9iCibtypp
I've become so annoyed with remembering passwords while trying to keep them complex enough i decided to write a vb application which hashes the web address (or game name) with a single master password salt and returns the first 14 a-z A-Z 0-9 characters (for the sake of universal compatibility). The result being if i used "password" as my master password i'd use "t82CUwcZf26uPL" as the password for slashdot. Obviously i use a much more complex password for any site that i have given my personal details to, but for your run of the mill site it's a perfectly strong password.
It means i can never forget or lose my password, and as long as i can run a simple vb.net application i can always log in.
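The scheme in the comment above (hash the site name together with a master password, keep the first 14 alphanumeric characters) can be written in a few lines. This is an added illustration, not the commenter's VB.NET program, which is not shown on the page; the choice of HMAC-SHA256 as the hash, the base64 encoding, the lower-casing of the site label and the counter loop that guarantees enough usable characters are all my assumptions.

```python
import base64
import hashlib
import hmac
import string

# Output alphabet the comment asks for: a-z, A-Z, 0-9 (62 symbols).
ALLOWED = frozenset(string.ascii_letters + string.digits)


def site_password(master: str, site: str, length: int = 14) -> str:
    """Derive a per-site password from a master secret and a site label.

    Assumed construction (the comment does not show its hash):
      HMAC-SHA256(key=master, msg=site_label || NUL || counter)
    Base64-encode the digest, drop '+', '/' and '=' so only [A-Za-z0-9]
    remain, and keep hashing with a rising counter until `length`
    characters are available. The counter makes the output length
    independent of how many base64 symbols happen to be filtered out.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    label = site.strip().lower()  # assumption: case-insensitive site names
    out = []
    counter = 0
    while len(out) < length:
        msg = f"{label}\x00{counter}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        out.extend(c for c in base64.b64encode(digest).decode() if c in ALLOWED)
        counter += 1
    return "".join(out[:length])


if __name__ == "__main__":
    # Constructed demo inputs; "password" is the comment's own example master.
    for site in ("slashdot.org", "example.com"):
        print(site, site_password("password", site))
```

Two properties worth knowing before relying on something like this: every site password is a pure function of the master secret and the scheme, so whoever learns the master can regenerate all of them, and there is no way to rotate one site's password without changing the inputs (a per-site version number folded into the label is the usual fix). The comment itself notes it does not use this for sites holding personal details.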
The highly secure NSA and DoD password policy is very thorough, but one thing was left unnoticed about this policy. You can create a valid password by merely running your finger down a column of the keyboard, and then holding down the shift key and doing the same thing. Really!!
To wit, this password is valid. Run your finger down the left-most column of your keyboard: 1qaz2wsx
Then hold down the SHIFT key and type !QAZ@WSX
Presto, you have a valid password that meets all the security requirements the NSA and DoD have imposed upon you.
Now that's okay for creating system images for deployment.
In 45 days when you need to change your password again, just shift to the next row of your keyboard. This will keep you okay for a couple of years or so until you run out of keyboard rows to use. Then, you just do it backwards. It really is that simple.
Try it!! It's almost unbelievable.
Kriston
Very good analysis.
Let me take a different direction:
Like or hate it, Ubuntu is the top OS distribution.
And it asks you for your password. A lot. For updating software. Running gparted. Adminning.
It can get annoying constantly typing it in. Any comments by other Ubuntu users?
I'm not a lawyer, but I play one on the Internet. Blog
It happily reports passwords I cracked in just a few GPU-days from a cryptmd5 password leak as taking "174246 centuries" to crack. This is irresponsible. Human generated passwords should simply not be used for situations where an attacker can attack offline.
Why do both XKCD and TFA assume having access to the hashed password? The normal "guessing" case is a password prompt and that'd better not allow 1000 guesses/second (try 10/day or so). The remedy for a compromised database of hashed passwords is: do not use the same credentials in several places. Afraid of someone stealing your hashed password by sniffing it? Use transport level encryption. Apart from that, using a password that you can type quickly and do not need to write down is a good idea.
"I love my job, but I hate talking to people like you" (Freddie Mercury)
It's interesting to me that we don't employ something like a keyfob that generates a code or a code texted to your cell phone, then combine that with a reasonable password. That way, it doesn't matter if your password gets guessed or compromised: the guesser/compromiser still needs the code from your text/keyfob.
I realize it isn't infallible but it would seem to be a very easy next step that would add a significant barrier to the vast majority of criminal methods in use today.
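The "keyfob that generates a code" the comment describes is what HOTP (RFC 4226) and TOTP (RFC 6238) standardise: a shared secret, a counter or the current 30-second time step, and an HMAC truncated to six digits. The code below is an added example, not part of the comment or of any product it refers to; the demo secret is the RFC 4226 test key, and the `window` of one step either side, the `two_factor_login` helper and its inputs are my assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 test-vector secret (20 ASCII bytes); only for the demo below.
DEMO_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second
    intervals since the Unix epoch (this is what the fob computes)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check. Accept the current step plus `window` steps either
    side to tolerate clock drift; compare in constant time."""
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(key, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def two_factor_login(password_ok: bool, key: bytes, code: str, at: int) -> bool:
    """Both factors must pass. The TOTP check runs even when the password
    failed so the response time does not reveal which factor was wrong."""
    code_ok = verify_totp(key, code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET))
```

A production verifier also records the last accepted time step per user and refuses a code from that step again, so a code observed in transit cannot be replayed within the window.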
Sorry, Golddess. I didn't read usernames so closely - obviously that wasn't your method.
DRM: Terminator crops for your mind!
Just did this:
Start with "awesomepasswordtoday"
1 year, 8 months
Go to "awesomepasswordtoday000"
7 centuries, 8 decades
Go to "000awesomepasswordtoday000"
less than 1 day
This tells me there is something in the logic that makes it a pretty unreliable metric of password strength.
video world+dog 24x7x365, allow suit for MONETARY damages to give Judge authority to unseal; otherwise let it happen as it happens. Why do you care who I am- you think that would deter ME? Think again. And I don't care who you are nor what you do to my "reputation" since I care not what the entire human race feels thinks says or does - what can you all do? kill me? Torture me? Been done, so wucking fut. I am better able to fight anything imaginable, than anyone else in my opinion able to protect me. I HATE security and privacy and I am convinced that both were invented as an excuse for not serving customers
Even correcthorsebatterystaple is too complex, we can make it *even* simpler.
Most, if not all of us, have some favourite fictional (or not so fictional) media item, why not try a phrase from that?
Harry Potter fan? Try
Wingardium Leviosa!
Time To Crack:
554042313 centuries
Total Passwords in Pattern:
2 Septillion
Naruto fan? Try
Kuchiyose no Jutsu!
Time To Crack:
1623474350 centuries
Total Passwords in Pattern:
5 Septillion
My favourite one is, when I tried
My Little Pony: Friendship is Magic!
Time To Crack:
1.126570510614998e+23 centuries
Total Passwords in Pattern:
341,000 Decillion
*snigger*
And I dare any Brony to *not* know exactly how the phrase above is spelt, (colon and small letter i for is and all)! (but if you forget, you can always look it up on the internet, the format is always the same)
And many other zillion of phrases, like "The Spice Must Flow!" of "Beam me up, Scotty!", just choose one, typing it is easy since you are use to typing it *anyway* when you use it as a meme or catchphrase on your favourite fandom forums, and in case of doubt, you can always look it up on your fandom wikia.
Of course, if your site (e.g. banks) forces a *Maximum* limit, then you are screwed :(
I am an ACCA student. Got a query on Accountancy/Finance? Maybe I can help!
Yes, in the short term you can improve the password selection regime, but think about it like this: what does passfault use for a model of increasing computational efficiency? Computing power seems to be growing exponentially, while at best we have a linear growth model for the human intellect. While I don't know how long it will be before we have to give up passwords, I suspect it'll be within my lifetime.
Rather than put up with a problem which is mainly caused by a broken way of looking at passwords - as a frowny-face stern-eyebrows thing - why not create a solution?
Here's one: make creating a good password into a game.
Download and print the Diceware wordlist and instructions, and buy five dice. Package the list, instructions and dice in a box - say, a shoe-box. Stick a nice "game-y" cover on the box. Set aside a desk in IT (one immediately in front of a blank wall) as the "password desk". Instruct locked-out users that they have to come to IT and play the password game to get their next password. A user uses the Diceware method to generate a password, types it on a typewriter ten times to memorise it, and then shreds the paper (a bit of security theater that might actually be useful).
(In bigger organisations, make up a password game box for each unit manager or each floor of the building(s). Sourcing enough typewriters and shredders might be a problem, so type-and-shred might have to be write-and-eat - on rice paper, of course.)
If you really have to - BOFH habits are hard to overcome - you can still use a stick: a policy that says "if your account is hacked and you were not using a password from the game, you're sacked. Instantly. And billed for costs. If you were using a password from the game, then you're fine, unless we find you wrote your password down or messaged it to someone else."
Just like I said, no way to do it safely. That has about the same amount of entropy as a single character password.
FWIW, it claims it would take a few hundred billion centuries to crack one of my former home passwords (I changed it last year, but remember it well). However, while I think that password/passphrase was probably secure enough, the tool's dictionary appears to be short on words so its estimate of brute-force cracking time is not reliable.
It flagged that disused passphrase as having mis-spelled words largely because it did not recognize two fairly common words stuck together. Actually, the passphrase had no mis-spellings and no 1337-substitutions or interstitial characters. It also flagged the passphrase as having a mis-spelled US city because it did not recognize another fairly common word. BTW, by fairly common words, I don't mean rare or scientific terms like "coprophage" or "syzygy".
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
I gave a speech on this topic recently, and can only support everything said. Most password policies suck so hard, my rough estimates (presented to an academic audience, no refutations so far) show that they lower the complexity of passwords by at least eight orders of magnitude.
That's not a little bit, that is what brings them down into ranges that are brute-forceable.
I think I should translate the paper into English and get it published somewhere.
Assorted stuff I do sometimes: Lemuria.org
Pferde papillon neko-inu-mushi gato dog.
Sure, in that specific case I only used animal names, but that's incidental; that is 5 languages in that password and it is frigging easy to remember, and you raised your space to work with from 20000 headwords to many many many more.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Usernames for a vast number of sites default to you email address - with a different password for each site.
As such, people end up sticking patterns in their passwords to keep track of which is which... or, worse, they use the same pwd for every account.
I'm more worried about the number of times I've put the wrong username / password combo in a login prompt for some site, when that username/password is valid for another side.
muscle memory too, is a killer in this regard.
eg if your email address is the same as your domain username - how many sites have you given your work account details to due to muscle memory alone?
Sure, the site failed the login - but who says they destroyed the details of the attempt ?
Actually every one of us can quite easily remember a 26-character-long random "password". The one we _do_ remember starts with "abcdefg..". If that isn't random (the order of the alphabet) then maybe someone can tell us an easy way to conclude why the letter "a" is followed by "b" and then why that's followed by "c". AFAIK the order of the alphabet is just an agreement and could as well be "qwertyuio..". My point is that random passwords can be remembered the same way as the order of the alphabet. At least here in Finland kids are taught to remember the alphabet by "singing" it in order. Random passwords can be quite easily remembered the same way. Repeat the characters in your mind (speak them to yourself in your mind) ten times (or something). It's also a good way to type the password a few times while repeating it in your mind. It's also good to use the password a few times during the day or the next few. If you can remember the layout of your keyboard then why should a much shorter random password be any harder? I do agree that sentences are easier to remember and the xkcd comic has its point.
83978 centuries HAHAHAH
Only ONE person so far, out of 300 posts, has actually discussed the SOLUTION to this problem, which is to have progressively longer DELAYS in between login attempts...
Jesus. Is it that difficult to THINK?
If you enter the password incorrectly the first time, you can immediately try again, because you may have just made a typo when entering. Ditto for the third try. Then you have to wait ten seconds for the fourth. Then a minute for the fifth. Then two minutes for the sixth. Then ten minutes, then an hour. So that's 24 tries a day, until you get it right.
Was that so difficult? Meanwhile you morons (did I mention you were MORONS?) are talking about everything BUT the solution - the solution being to get the COMPUTER to do what it should be doing to make the system secure, rather than trying to re-train four billion people... Fucking retards...
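The progressive delay schedule the comment lays out (three immediate tries, then 10 s, 1 min, 2 min, 10 min, 1 h) is a few lines of server-side state. The block below is an added example, not code from the comment: it assumes that every attempt after the eighth also waits an hour, that throttling is tracked per account, and that attempts made during a wait are refused without advancing the schedule; the in-memory store and the injectable clock are demo conveniences.

```python
import time
from collections import defaultdict
from typing import Callable

# Delay (seconds) imposed after N consecutive failures, indexed by N.
# 1st-3rd failure: no delay; then 10 s, 60 s, 120 s, 600 s, 3600 s.
# Assumption: every failure beyond the eighth also costs an hour.
BACKOFF_SECONDS = [0, 0, 0, 10, 60, 120, 600, 3600]


def delay_after_failures(failures: int) -> int:
    """Seconds the next attempt must wait after `failures` consecutive failures."""
    if failures < 0:
        raise ValueError("failures must be non-negative")
    if failures < len(BACKOFF_SECONDS):
        return BACKOFF_SECONDS[failures]
    return BACKOFF_SECONDS[-1]


class LoginThrottle:
    """Per-account progressive delay between password attempts.

    Demo keeps state in a dict; a real service keeps it in a shared store
    (database, cache) so every front-end enforces the same schedule.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)      # account -> consecutive failures
        self._not_before = defaultdict(float)  # account -> earliest allowed time

    def check(self, account: str) -> float:
        """Seconds the caller must still wait; 0 means an attempt may be made.
        Call this BEFORE verifying the password so throttled requests never
        reach the password check at all."""
        return max(0.0, self._not_before[account] - self._clock())

    def record(self, account: str, password_ok: bool) -> bool:
        """Record the outcome of an attempt. Returns False if the attempt
        was refused because the account is still in its wait period; a
        refused attempt does not count, so hammering the endpoint cannot
        push the schedule forward."""
        if self.check(account) > 0:
            return False
        if password_ok:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return True
        self._failures[account] += 1
        wait = delay_after_failures(self._failures[account])
        self._not_before[account] = self._clock() + wait
        return True


if __name__ == "__main__":
    t = LoginThrottle()
    for n in range(1, 10):
        t.record("demo", False)
        print(f"after failure {n}: wait {t.check('demo'):.0f} s")
```

The one caveat a deployment needs: keying the delay purely on the account name means a third party who keeps failing on someone else's account keeps that account in its wait period, which is why real implementations also key on source address or combine the delay with a CAPTCHA after the first few failures.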
I cannot stress how important special symbols are if you don't want a password cracker to work.
If you pop the default OPH XP cracking disk in a drive, the only thing (bar a locked BIOS and no boot from disk) that is going to stop you is a special character. In many real-life situations "#" is a safer password than "ajrfvd".
Troll is not a replacement for I disagree.
My early post suggested expanding the idea of "passwords" to include dynamic info that only the user would know rather than just a passphrase- some sites are already doing this. The replies suggested that sharing this info with the secured site means that it would no longer be only me who knew it. But that's already true then, isn't it? My point is the problem needs to be looked at differently- instead of letting computers do security like a computer, we should make them do it like humans. How do humans secure real (vice virtual) assets? What are we good at and where are our failures? It should actually be easier to achieve the sought after increase in security than what we are currently doing. The only brute force cracks are distributed test projects and complex passwords are more often less secure. If you cannot remember your password, you're gonna have to record it somewhere.
Have you ever noticed that anybody driving slower than you is an idiot, and anyone going faster than you is a maniac?
Long live the passweird!
I recommend Les Paul passwords, you know, the Google doodle guitar thing. Just pick a song you like, and learn how to play it on the keyboard. If you are good enough you could even throw in shift as if it was a sustain pedal. It's very easy to memorize (if you pick a good song), entropy should be enough to make dictionary attacks void and the length will throw brute force attacks off. Just be sure to pick a fast-paced song since you will most likely type with the song's tempo.
The solution to the password non-problem is obvious. I worked it out years ago and never looked back.
1. Think of a hash which turns two letters into 6-letters-plus-2-numbers (use alphabet position for the numbers)
2. Use it to encode the first two letters of the site or app name
That's it. You get a different non-alphabet password for every site or app, and you'll never forget anything if you remember the hash. Why the hell are we having this debate? We should just get on with it and evangelize for this technique. It's easy and failproof. The only hard bit is learning the number-correspondence of letters, but even just using a favorite number instead the solution is somewhat secure.
Do you also like lively protoplasm?
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
Well, that doesn't mean you can't rely on biometrics or physical keys as passwords... It just means the server doesn't KNOW you're using one of those methods.
The easiest is to visit password card and print off a password card. This is your new PHYSICAL INTERNET KEY!
It generates a string of completely random letters, numbers, and symbols. These are in a grid, so you don't have to remember your whole password - just where your password begins. This defeats the number one security flaw: laziness. Eventually everyone gets lazy. So getting in the habit of *secure laziness,* like using a password card, prevents stupid passwords like 110v3k1tt3ns.
The importance of the password card is in the dictionary. Yeah, yeah, it's hard to guess a 4-8 word sentence of random words. But it's easy to compile a list of known passwords and use them for all future brute-forces. Every successful brute-force makes *every single subsequent attack* easier. The only way to combat that fact is with truly random passwords using every possible character-set, and never ever using the same password for more than one thing.
Using a password card allows you to have one single 'key' to get into every secure location, without ever re-using a password. It's easy for you, difficult for hackers.
Cracking using English word-string assumptions is much more difficult when the words are not parsed by spaces between them.
Yes, the password is based on dictionary words.
Except there are several of them in a row.
Say that there are 5'000 common words in English.
The phrase has to make sense, so actually there's only a subset of those 5000 which can follow a given word without breaking grammar rules.
Let's say this subset of "next grammatically correct option" is 1000.
A string of five words gives you a space of:
1000 ^ 5 = 10 ^ 15 possibilities
When using a combination of 80 signs (small and capital letters, numbers and a couple of punctuation marks), this is exactly the same as:
ln(10^5)/ln(80) = 8.4
Thus picking such a phrase would give roughly the same password strength as using 8 purely random characters (enough for the usual requirement for most passwords).
If "at least 8 characters long, including capital letters, numbers and punctuation" passwords are good for most situations, this phrase should do the trick, even more so because most passwords people will provide won't actually be purely random strings but modified words ("(hick3n!", "sHit_666", etc.) which are much easier to crack than purely random strings.
Now of course, a completely alternate strategy would be to generate 64-character-long strings of purely random shit, and then use a keyring manager to remember them for you.
(If the authentication supports non-ASCII characters, that would give you roughly 10^149 combinations. Down to 10^126 if you use only 96 printable symbols.)
Or even move to public/private key strategy for authentication.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
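The entropy arithmetic that runs through this thread (the /dev/random user's "16 characters of [A-Za-z0-9] is about 95 bits" and the word-string model just above: 1000 grammatically plausible next words, five words, compared against an 80-symbol alphabet) is the same calculation with different parameters. The block below is an added example, not code from either comment: it carries those parameters through, covers the four-word XKCD-style case as well, and generates a password from the OS CSPRNG the way the /dev/random commenter describes. Only the formulas and the standard library are used; the sample parameters are the ones the comments give.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # [A-Za-z0-9], 62 symbols


def bits_for_random_string(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def bits_for_word_list(list_size: int, words: int) -> float:
    """Entropy of `words` picked uniformly, with replacement, from `list_size`
    candidates. A grammar-constrained phrase is modelled by using the number
    of plausible next words as `list_size`, as the comment above does."""
    return words * math.log2(list_size)


def equivalent_random_length(bits: float, alphabet_size: int) -> float:
    """Length of a uniformly random string over `alphabet_size` symbols
    that carries the same number of bits."""
    return bits / math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALNUM) -> str:
    """Uniform random password; `secrets` reads the OS CSPRNG (os.urandom)."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_models() -> dict:
    """Entropy of the schemes discussed in the thread, in bits."""
    return {
        "16 chars of [A-Za-z0-9]": bits_for_random_string(62, 16),
        "5 words, 1000 plausible choices each": bits_for_word_list(1000, 5),
        "4 words from a 2048-word list": bits_for_word_list(2048, 4),
        "4 words from a 7776-word (Diceware) list": bits_for_word_list(7776, 4),
        "8 random chars from 80 symbols": bits_for_random_string(80, 8),
    }


if __name__ == "__main__":
    for name, bits in compare_models().items():
        eq = equivalent_random_length(bits, 80)
        print(f"{name:45s} {bits:6.1f} bits  ~ {eq:4.1f} random chars of 80")
    print("sample password:", generate_password())
```

The numbers only hold if the choice really is uniform: a phrase the user composed, or a word list the attacker can reorder by frequency, is worth fewer bits than the formula says, which is the point the "let the computer generate the passphrase" comment earlier in the thread makes.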
i have hundreds of passwords, but only know 3. the rest are stored inside a password manager - random, long passwords. i do not type those passwords. the password manager handles it. 20 or 65 characters matters not to me.
there is nothing to replace length for strong passwords. we need to think about password cracks 20-30 years out. is your password that strong?
for the 3 passwords i do need to type, 4 unrelated words of 8+ characters each is fine. of course i spell them wrong and punctuate them oddly.
Any password policy that basically forces you to write down your password somewhere is broken.
If you can remember all your passwords they're likely either too simple or you're re-using them, neither of which is a good idea.