Your Passwords Don't Suck — It's Your Policies

First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"

This is too simple to fix

Every time a see a password like this "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"

Re:This is too simple to fix

[SomeJoel]

Every time a see a password like this "12ol3jkh!!asrdfw9g8"

That's the password on my luggage!

Re:This is too simple to fix

[The+Raven]

The reason to avoid understandable sentences is they have extremely low entropy per character. Or, put another way, they are easier to hack than their length would indicate. An xkcd password has about 1.5 bits per character of entropy; a normal English sentence has as low as 0.6 to 1.3 bits per letter, according to one study. Given the simple and trite short sentences people would use for passwords, it's likely closer to 0.6, or about 20 bits of entropy for your example 'chicken' password, compared to 44 bits for a shorter xkcd password.

Re:This is too simple to fix

because it would take longer to type

I disagree, my ability to type words in sequence each day has made me quite efficient at doing so, a garbled string on the other hand I am not. The lowercase, uppercase, numbers and symbols make passwords longer to type.

With different passwords for each site (or at least each serious one such as banks) the garbled text approach is very inappropriate.

As passwords are stored in as a hash created with a salt the password is always stored as a fixed value (128bit for MD5 etc) it requires no additional storage for the servers/databases.

Re:This is too simple to fix

[Kvasio]

because "This chicken tastes like shit!" password is more or less a "5-character password", but characters are selected not from ~26 but from say 50000.

My guess is that after the referred xkcd strip brut force algoritms also put more emphasis to natural language sentences, etc.

Re:This is too simple to fix

[SilverJets]

Funny.

  According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

Re:This is too simple to fix

[sexconker]

Funny.

  According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

That estimate is generated by assuming brute force and a specific character set that contains all of your input characters.
No one cracks passwords starting with brute force.

Re:This is too simple to fix

[roc97007]

Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

Yep. (nods). Now if you excuse me, I have to change my password right now.

Re:This is too simple to fix

[felila]

I tried out the Analyzer program, and discovered that it only seemed to look for *English* words. Simple, easy-to-remember phrases in Tongan or French were rated as extremely strong (taking centuries to break).

Re:This is too simple to fix

[LordKronos]

Actually, it's "correct horse battery staple". And the funny thing is, I didn't even have to look it up. As the comic says "you've already memorized it".

Re:This is too simple to fix

[pacapaca]

Clearly the solution is "tH15 Ch!ck3n tas7es l1k3 sH|t!"

Re:This is too simple to fix

[Sancho]

we widely distribute a standard library method for computing password entropy and let people pick what kind of strong password they want to remember

There are a few complications with this.

1) Humans are incapable of picking entropic passwords. They think they can, but they can't. So the measure we need isn't actually one of entropy, though it looks like that to computers.
2) Mostly due to (1) above, computers are incapable of correctly calculating the entropy of a human generated password. They can calculate the entropy of a string of characters if they presuppose that the string of characters was not generated by a human.
3) Even if we assume that humans can create entropic passwords, it's difficult for a human to estimate that entropy. What happens when the password entropy checker rejects "This shit tastes like chicken"? How does the human know how to make that password more acceptable? Is "shit this tastes like chicken" any better? How about "chicken like this tastes shit"? Or "Tastes chicken shit this like"? How does that even compare to a shorter string of letters, numbers, and symbols which don't form a word? To the person behind the keyboard, such a comparison is nonsensical. They computer can't reasonably say, "Please add 4 bits of entropy to your password," and saying that the password isn't strong enough without providing any guidance as to why will just be frustrating.
4) The library would need constant updating to be valid. Because "correct horse stable battery" and all of the permutations of that set of words (probably including pluralization and tense changes) are terrible passphrases now, but they would have been pretty good prior to Randall Monroe's comic. Each new song, book, poem, and speech decreases the value of passphrase word-sets.
5) Assuming you ignore (4) above, you still basically eventually run into what we have now--some people have good passwords, some people have bad passwords, and the biggest problem is still reusing passwords combined with site compromises.

Re:This is too simple to fix

[gtbritishskull]

I have 3 different bank accounts, 3 different credit cards, a HSA, a Roth IRA, and a 401k that I should probably make sure have secure passwords. (And I am sure there are a couple more non-financial ones that should also be secure). In an ideal world, that would be 9 different 6-8 digit random character passwords. That is assuming that all of the other accounts (like /.) have less secure passwords. That doesn't even take into account changing the password semi-regularly. Even if you feel it is unnecessary, some websites enforce it on you. I am a pretty smart guy, but I might have a little trouble keeping them straight. How many different 6-8 digit random character strings do you have memorized? And how often do you change passwords on your account? Do you change them all at once (and memorize all new passwords), or do you spread it out?

It only doesn't seem hard if you are not doing it right.

Re:This is too simple to fix

[Phrogman]

My banking site insists I change my password every few months. It must have a capital letter, it must have a numerical character - and worst of all - it cannot be any of the last 5 passwords I chose. It is only one of about 20 websites I have passwords for (not to mention a half dozen MMORPGs I play from time to time). I cannot remember all of those passwords easily so when I am forced to cycle through 6 different passwords by one single website its a bit fucking irritating. Not only that but I highly doubt it increases my security significantly, and of course my bank account seldom has much money in it in the first place.

Re:This is too simple to fix

[wisnoskij]

Well you simply cannot memorise all the passwords that a modern computer user has to use no matter what style you use if you are not taking risks or a memory expert. That is why you need password vaults, or post it notes.

Re:This is too simple to fix

[pgpalmer]

"Your password must be six to eight characters and contain only letters and numbers."
"Your password cannot be over twelve characters."
"You have used this password before. Please enter a new one."

I have my own password policies, and it's frustrating when I can't follow them.

Re:This is too simple to fix

[arekq]

Good. Then Google have all your passwords.

Re:This is too simple to fix

[Drishmung]

We actually did something like this.

Users were permitted to choose their own password. These passwords could be long. We had guidelines as to what were good schemes, but there was no enforcement of rules.

However, we also

1. ran a quick check on your password against a cracker and
2. ran a password cracker as a constant background job.

If your password was cracked by the quick checker, it was rejected and you had to choose another.

If the background checker cracked your password, you were locked out. When you tried to log on and couldn't, and called to find out why, you were told your password had been cracked and you needed a new one. (Actually, I think we emailed you then locked you out, so if you were on-line, you could choose a new password then and there).

It worked.

Re:This is too simple to fix

[mysidia]

but I do know many dictionary cracking programs implement mixing of words on the list - meaning "correct horse staple battery" will be cracked in SECONDS, not centuries.

There are approximately 6000 common words in the English language, so if you just pick 4 random words, there are
6000 ^ 4 = 1296000000000000 possibilities

If you pick a truly random 8-character password, there are:
140 ^ 7 = 1054135040000000 possible choices.

Even at 1,000,000 crack attempts per second, it still takes on average 16 years to crack a password formulated using either method. way.

Re:This is too simple to fix

[SuricouRaven]

I work at a school. Think lots of computers at a desk, all in a row. Every time we ban someone from internet access due to gaming/porn, we find out within a couple of days that they are back on using stolen credentials. Half the time they aren't even stolen, their friends hand over passwords willingly, but there is no way we can prove that.

Re:This is too simple to fix

[the_other_chewey]

I take it you've never seen a wordlist for a dictionary password cracker. I don't have any on me to see if that specific string is in them (quite possible, based on some of what I remember), but I do know many dictionary cracking programs implement mixing of words on the list - meaning "correct horse staple battery" will be cracked in SECONDS, not centuries.

No it won't. I recommend some math instead of faulty intuition:

Let's assume a word list of 5000 entries (that's very low, the OED
counts over 150000 words in current use).

Four words out of this gives us 5000^4 (word repetitions are allowed),
or 6.25e14, that's 625 trillion. At a million cracking attemps per second,
that gives 19.8 years for an exhaustive search.

So, a random four-word passphrase made up from a 5000 word list
will take nearly 10 years (exhaustive/2). And that assumes the passphrase
only contains words from the list. Unlikely.

Of course, 10 years isn't that impressive. But even a single changed
character somewhere – or just a word not on the list! – will require a full
brute-force search on the character level instead of at the word level.

Hello bazillions of years.

Re:This is too simple to fix

[Stormtrooper42]

You can always use a password manager (ex: http://www.clipperz.com/ ). I actually don't even know most of my passwords. Don't need to.

Re:This is too simple to fix

[Sancho]

Actually, I think we emailed you then locked you out, so if you were on-line, you could choose a new password then and there

Sounds absolutely ripe for phishers to send fake e-mails.

another password revealed

[ozduo]

A white jacketed southern gentlemen's password is "This secret spice makes shit taste like chicken"

Terrible password policies

[bu11d0zer]

Any password policy that basically forces you to write down your password somewhere is broken. Sure, you can use a password vault but that's cumbersome for the various dozens of passwords strewn about the web and on mobile devices. But my biggest gripe is sites that lock you out (requiring a phone call) after 3 incorrect guesses. I could understand 100 incorrect guesses, but 3 guesses is not enough to recall a password when you have not used it in several months. One hundred guesses by a computer/hacker is nothing compared to the full password space.

Re:Terrible password policies

[Solandri]

But my biggest gripe is sites that lock you out (requiring a phone call) after 3 incorrect guesses.

What's even more facepalm worthy is that when you call, they usually "verify" your identity using information about you which is frequently publicly available.

Re:Terrible password policies

[doomday]

100 attempts may be small enough to stop a random computer or hacker, but it may not be low enough to stop your buddy who figured out part of your password while you were typing and wants to play a prank. That is one reason the limit needs to be pretty low.

What puzzles me...

[jbwolfe]

...is why is it all so difficult to come up with some scheme to secure internet accessible resources. Corporate policy for me require password changes every 90 days and disallows any of the last eight passwords, and the use of letters and numbers. Effectively, I'm forced to write it down, negating all their efforts at obscurity. When will some bright CS geek invent a real solution to this problem. Is it that hard? Can't it be as simple as probing me for dynamic info that only I would know? How about visual methods- ask me who's in this picture of my co-workers or what is this family snapshot from my past, etc.?

Re:XKCD

[spazdor]

Sure, its 28 characters, but its still lowercase only.
That makes it a lot weaker, no?

It makes it weaker by a factor of about 2^28.
Which sounds like a lot, but when the lowercase password space is already 26^28, it's not much.

XKCD's math is sound.

The main problem is...

[k3vlar]

The main problem is indeed the policies. While I (mostly) agree with the main statements TFA makes, I have my own note to add:

My bank's website enforces a MAXIMUM length. I'd love to have a password like "c0rr3c7 h0r53 b4773ry st4p13", but I can't use more than 6 characters.
Yes, you read that right. 6 characters. Maximum.

I fear for my online bank info constantly .
Why would there ever be a reason to enforce such a small maximum length? I don't get it.

Re:The main problem is...

[John+Hasler]

> I fear for my online bank info constantly .

And yet you continue to deal with that bank. Why?

Re:The main problem is...

[youngatheart]

As someone with a rather embarassingly similar system to support, I can sympathize with your concern. We railed against the limitations of the software vendor when we switched to it, but their attempts to fix it caused new issues. At first we had a system that truncated the longer passwords our users had on the old system, and then later when they tried to expand the length of input, those users with longer passwords they'd been transparently using were suddenly getting told their password was incorrect because the stored truncated version didn't match the longer version they were typing in.

As an example the password "iLikeLongPassword$ican'tT3ll@Lie" was stored internally as "iLikeLongP" and happily accepted, but the new password "iLikeLongP@sswordsButChangeWhenIrritated" was treated as a duplicate. When they implemented a fix, it started comparing "iLikeLongP" to "iLikeLongPassword$" and gave an authentication error. To prevent the overlap, they limited new password entries to ten (example only, not necessarily reality) and users were rightfully indignant thinking (incorrectly) their older password had been more secure.

Rather than have the system recognize truncated versions of the same password and prompt the user that the system had been updated and their longer password was now stored, they rolled back the "fix" to the older more limited system.

What they should have done was update the system to read the full password entered by the end user, and submit that to the authentication system, and if it failed, submit the truncated password to the authentication system. If the truncated version matched, it should have then alerted the user that it was now storing the fully complex password and then updated the stored version.

Why? is what you asked though. The short answer is that it probably relies on backend systems that were historically much more limited and weren't designed with modern security issues in mind. In some cases the password storage was designed to be able to be decrypted, in others the database was designed with a specific length for that entry. "Why don't they fix it" is the obvious followup question, but the answer is long so I won't repeat it here for the sake of brevity.

Re:The main problem is...

It means they don't care. I do online banking security consulting, including almost all of the largest banks in Canada. They know that what they have is far from ideal, but the losses are not enough for them to want to make a change. It comes down to a formula of the costs of fraud vs the costs of adding additional security + help desk calls as a result + end user usability. One of the largest banks I worked with told me that banking with them is a cultural thing and that most of the citizens in the province will bank with them by default. They can afford to have minimal security and just cover the fraud loss out of their profit.

And just so you know, Authentication is dead. If I've got malware on your machine, then I don't care how strong your password, OTP and biometric security is. I'm going to wait for you to login and then take over your session in the background. Security at this point is well beyond what's happening at the login stage. And don't get me wrong, the vendors that are doing the current security implementation for these banks have a lot more to offer, but it's the banks that are deciding that it doesn't matter to them.

Re:Wrong

[LordLucless]

Of course, your fiendishly clever non-standard spelling of et cetera would fool any such dictionary attacks.

Re:XKCD

[Zocalo]

Well, you can probably blame Little Bobby Tables for that. Depending on the programming language there are plenty of "control characters" in the ASCII 32-126 range, and it's much easier when deadlines are pressing to just restrict input to alphanumerics than try and sanitize against passwords that contain some variant of "'); drop table students;"

Re:Wrong

[wrook]

The average adult that has been to University knows 20,000 head words. A head word is a group of words with essentially the same meaning. For example, expect, expectation, is expecting, etc are all one head word. 26^7 is a little bit over 8x10^9. If a user picks 4 headwords for their passphrase, the search space is 20000^4 or 1.6x10^17. And that's if we just use headwords. If the user uses variations the search space is rather huge.

You might say that 20,000 headwords includes a lot of strange vocabulary. But for instance, to get 95% vocabulary coverage in reading a newspaper you need just under 16,000 headwords. However, even if we restrict vocabulary to the most common 5,000 headwords (the average vocabulary of a 5 year old) we get a search space of 6.25x10^14.

XKCD style passphrases are dramatically more robust than a 7 character alphabetic password.
 

Wow...

[NoMaster]

Congratulations on winning the Slashdot trifecta - you managed to invoke the GPL, cite XKCD, and slashvertise your own project all in one!

Re:XKCD

[spazdor]

No, it would be "weaker by half" if the alternative was a single capital letter at the beginning of the password.

In fact, the alternative is that any, some, or all of the 28 characters could be capitalized or not.

So the first character halves the password's strength if it is predictably lower-case.
and the second halves it again.
and so does the third.

Incidentally, halving or doubling the key space is not "a lot," not by any cryptologist's standards.

Re:XKCD

[baileydau]

The only thing going for it is that you don't know that it's only lower case letters.

I think this is a very important point that lots of people overlook.

By prescribing the use of various character classes, you are actually weakening the password.

A proper password should allow the use of those classes, but not prescribe them.

When I was a kid, we had a game called "Mastermind". One person selected various coloured buttons and hid them behind a screen. The other person had to guess the colours / sequence.

We had various house rules about difficulty levels. One of the easiest ones was if they had to tell you the pattern. eg:
* double colour
* blank
etc

Same thing with passwords

Re:XKCD

[spazdor]

My problem with the xkcd scheme is that users are lazy and rather than pick 4 random words, they'll pick 4 words that are easy to remember in sequence: "haveityourway" "darksideofthemoon" "thesearenothtedroidsyourelookingfor", so with a phrase dictionary and some grammar rules, you still have a good chance at brute-forcing some user's passwords.

You could perform this attack using Google's autocompletion database as a dictionary.

Re:testing the password

[JustOK]

wait for the beta

Re:Passwords DO suck

[sexconker]

All digital security boils down to the key sharing problem.

And the key sharing problem is "solved" in practice thusly:

Server: O hai! Give me your infos! Here's my certificate.
Computer: Warning! This certificate is not trusted!
User: Ignore warning, add certificate.
Computer: K.

OR

Server: O hai! Give me your infos! Here's my certificate.
Computer: This certificate is trusted because VeriSign totally vouches for these guys.
User: VeriSign?
Computer: Yeah yeah, we totally trust VeriSign. I mean, we've never met them, we don't know their policies, and we rely on VeriSign to tell us if their shit gets stolen, and we basically have no recourse if shit goes wrong, but we trust them.
User: K.

Nobody ever actually checks to see if something is legit because they want it to be painless and automatic. I'd love to be able to go to bank.com and view the certificate, then call the number on my credit card (or go in to an actual bank location) and see if the certificate matches up.

Randomly-generated passwords

[dskoll]

I use randomly-generated passwords (generated by reading /dev/random) that are at least 16 characters wrong. I restrict the character set to [A-Za-z0-9] which is a touch under 6 bits per characters, so I have about 95 bits of /dev/random-quality entropy.

The passwords are stored in a file encrypted with a long passphrase. The long passphrase is probably the weak link, but by not reusing passwords across different websites and using randomly-generated ones, I'm fairly well-protected if one of the sites I visit has its password file stolen.

Re:Wrong

[pongo000]

The trouble with the pass phrase concept is that the whole words just become tokens. Most people's vocabulary is not that large.

That's why you use a standardized list of tokens (mostly words, but some non-word tokens as well) such as Diceware. With 7776 tokens, the keyspace is far larger than the "normal 7 character" password. The trick is to ensure that you are choosing the tokens randomly. You can use dice, your favorite random number generator, etc. I use several 4- and 5-token passphrases that I have remembered literally for years, each one unique. Type them enough times, and muscle memory takes care of the rest. Even after a period of non-use, it amazes me how my fingers will remember the passphrase but yet I can't recall the passphrase itself.

Re:Wrong

[tknd]

Most people's vocabulary is not that large.

Let's use the xkcd example: correct horse battery staple.

Using a list of the 5000 most commonly used words, I was able to find rankings for 3 of the 4 words:

• 1813 correct
• 1291 horse
• 3226 battery

"staple" doesn't even appear on the most common 5000 word list. But let's assume it did at 5000. That means your dictionary now is 5000 words large. 5000^4 = 6.25 * 10^14.

Now let's address your suggestion:

you don't really have a key space much larger than normal 7 character or so passwords offer

Now your average English keyboard has 47*2 = 94 type-able characters. 94^7 = 6.48477594 * 10^13. The xkcd example assuming it was smaller than it really was beat your suggestion by an order of magnitude.

Now let's address how large people's vocabularies are. According to wikipedia:

This translates into a wide range of vocabulary size by age five or six, at which time an English-speaking child will have learned about 2,500-5,000 words. An average student learns some 3,000 words per year, or approximately eight words per day.

But 6 year old kids don't have much interesting personal information that people are really after like credit cards. Let's read further:

A 1995 study estimated the vocabulary size of college-educated speakers at about 17,000 word families, and that of first-year college students (high-school educated) at about 12,000.

http://en.wikipedia.org/wiki/Vocabulary

So let's re-do the calculations with 10,000 words: 10 000^4 = 1.0 * 10^16.

Things will only get worse if you tell people to use numbers, names, special abbreviations, etc. For example it will be highly unlikely the following phrase will be in your dictionary: "5000 most common vocabulary". People can also use natural language and still fall way out of your dictionary: "yummy carne asada dinner". They can also use personal and vulgar language: "Stupid bitch Alice, never again".

Highly secure NSA and DoD passwords

[kriston]

The highly secure NSA and DoD password policy is very thorough, but one thing was left un-noticed about this policy. You can create a valid password by merely running your finder down a colum of the keyboard, and then holding down the shift key and doing the same thing. Really!!

To wit, this password is valid. Run your finger down the left-most column of your keyboard: 1qaz2wsx
Then hold down the SHIFT key and type !QAZ@WSX
Presto, you have a valid password that meets all the security requirements the NSA and DoD have imposed upon you.

Now that's okay for creating system images for deployment.

In 45 days when you need to change your password again, just shift to the next row of your keyboard. This will keep you okay for a couple of years or so until you run out of keyboard rows to use. Then, you just do it backwards. It really is that simple.

Try it!! It's almost unbelievable.

Major bugs

[Georules]

Just did this:
Start with "awesomepasswordtoday"
1 year, 8 months
Go to "awesomepasswordtoday000"
7 centuries, 8 decades
Go to "000awesomepasswordtoday000"
less than 1 day

This tells me there is something in the logic that makes it a pretty unreliable metric of password strength.

Re:XKCD

[arose]

Your password complexity requirements are worthless, users will pick easy to remember, insecure passwords no matter what the requirements are. They will, of course, literally fullfill the requirements. The difference is that you are much more likely to get user cooperation if password changes consisted of the computer picking 4 random words for them, rather than 12 random alphanumerics with a side dish of ASCII barf. The only reason users pick their own passwords for sensitive applications is that they'd write that shit down and stick it on the monitor (or under the keyboard, for the ones who "understand security") if you made it truly secure (i.e. generated it for them).

Right now your users pretend to pick secure passwords and you pretend that they do. You don't want to know how shitty they are, they don't want to tell you. As long as you don't find them on post-its and there is no visible compromise everyone is happy. Of course they should have PIN-secured, challenge-response based one time password generators, but let's face it, your systems just aren't important enough to secure them in a thoroughly user friendly manner. So if you actually do care beyond your users picking the simplest password that passes your requirements you very well might think about randomly generating 4 word passphrases for them, I think you even have some volunteers for a trial.

Re:Unreliable cracking estimate

[lewko]

Since when is coprophage rare? This is the Internet.