Slashdot Mirror
Password Security: Why the Horse Battery Staple Is Not Correct
First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."
For example I am not worried that someone might get my Slashdot password.
Email, shopping and banking passwords are the ones I worry about.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect. "At least one security researcher rejects that theory." What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user), but that has nothing to do with relying on password managers...
Good, bad & ugly - Your password
PASSWORD REQUIREMENTS
A good password must have two properties:
1) It has been memorized by the user
2) It is difficult to guess for a third person (even if he/she knows the user well)
But in most cases another requirement is thrown into the mix:
3) The password shell be complex (have a high entropy)
Usually the requirements take the form of a password policy like this:
The password must be at least 8 characters long
The password must contain upper- and lower-case letters
The password must contain a number
The password must contain a non-alphanumeric character
You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.
THREATS TO PASSWORDS
Let us take look at how the security of password can be compromised:
- The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)
- The password has been re-used by the user in a different context where the attacker has access to it
- The attacker gained access to the encrypted storage of password and managed to extract it from there
- The password has been guessed by the attacker
How does having a complex password help you against these attacks?
In case of an attacker observing the user entering the password, no complexity will help. Rather the contrary, a password with mixed upper/lower-case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.
If the password is known to the attacker from the use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords are rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefor increases the chances of an attacker to use a known password of the user in a different context.
In case of access to the encrypted password store, the complexity clearly helps to hamper the attacker (if the password is encrypted properly).
One would expect that password policy should help making a password un-guessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy they tend to stick to first names, upper-casing the first or last letter, replacing characters by similar looking special characters or numbers and/or adding numbers at the end (like birthdays).
Summary: Only in one attack scenario choosing a complex password helps, in all other scenarios it does not have any or even a negative impact. So let us look at this scenario a bit more detailed.
DECRYPTING PASSWORDS
To decrypt the password of a user, the attacker has first to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.
When it comes to decrypting a password, the algorithm used is a more important than the complexity of the password. If the service provider has not done his home work, complex passwords offer only little protection. This is another critical point, where the user has no influence whatsoever.
But in case of the service provider having botched the safety of his password file but made everything correct when choosing the algorithm the complexity of the user passwords can offer extra protection against the attacker.
Does this case justify all the negative impact?
I want to point out, that the safety of the encrypted password is not the responsibility of the user. So would say: Don't make him part of the process here. Don't shift the responsibility to to him where the service provider is responsible.
Remark: I did not specifically address the issue of an attacker
There's a subtle difference here.
It is absolutely better to use One Time Passwords (like most 2-factor auth solutions these days with a random number either generated by an app or token or something or supplied to you via an out-of-band channel like an SMS message).
It is not better to choose One Time Passwords, as the user experience hit is horrible and can you imagine the horrible passwords one would come up with if they needed to come up with a new one on every login action?.
Basically, users are bad at choosing/creating passwords. And passwords get compromised. So, the best solution (that we currently have, anyway) is to have the user pick one really good (hard to guess) password and then to also use a One Time Password (2FA).
This is a really bad way of choosing passwords.
The number of verses of songs, nursery rhymes, poems and paragraphs that people would tend to think of probably number less than a million.
Your particular example has 946 hits on Google.
"Love is beautiful, like birds that sing." is more secure than "Lib,lbts". Why are you making your password less secure?
Short Passwords lengths ARE useful, to learn how to avoid bad websites!
Sites that limit password lengths are also skimping on other security.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
The core problem is that security has many different approaches.
A password manager is great ... as long as it is available to you on all the devices that you use to login from. Which makes it vulnerable to being cracked when one of those devices is cracked.
And that isn't even addressing things like the recent rash of credit card cracks being reported. Even if you keep YOUR password secured the attackers can still attack the system when you use the secure information.
Instead, the focus should be on the knowledge that you will, eventually, be cracked. At least partially. So be prepared to mitigate the damage done at that point.
Too many people have too much access to your information without the personal incentive to keep it secure. Or the knowledge of how to secure it. Password managers are an improvement in many scenarios. But so is writing your passwords in a book that you keep at home.
Password managers don't really solve the problem. Many of them aren't really cross platform (by which I mean, they sync with and are accessible by all your programs/browsers for all of your devices), and as he recognizes, there will be some passwords that you can't store in the manager (e.g. the password to the manager itself, and for the devices that access your password manager). Beyond that, I didn't see any recognition anywhere that there are at least some services that you might want to access somewhere where you don't have access to a password manager. For example, the selling point of both webmail and services like Dropbox are that you can access your data on another person's computer. Are you going to want to download, install, and sign into a password manager on another person's computer.
So yes, password actually do need to be both memorable and strong.
However, I'd agree with him that really, passwords need to die. Or not actually die completely, but most sites should not require their own password. What we really need is some kind of standardized identity management system-- like you know how you can sign onto various sites using either your Facebook or Google+ sign-on? Like that, but standardized. We need a true single-sign-on solution that is easy to manage, hard to screw up and lose your identity permanently, and usable everywhere.
This has been obvious for well over a decade, but we can't do it because we don't create standards anymore. For any solution, Microsoft wants to have their solution, Facebook wants theirs, Google wants to do it their own way, and Apple wants to do something different from all the rest. Each company pretty much wants a solution that will benefit themselves and screw over their competitors. None are really focused on creating the best solution for social/economic/computing progress, and if they were, it would still be impossible to get others on board. So that's the real problem. Unwillingness to create standards.
and half the banking and finance websites don't allow the symbols, and it's too long
As a rock-in-roll Physicist once said, No matter where you go, there you are.
1) Choosing a password should be something you do very infrequently.
horse battery type passwords encourage this by making the password relateable as well as affording excellent bruteforce protection. Bruteforce accounts for most password compromises outside of data breeches, which ultimately serve as a direct path toward and a source from which additional attacks can be performed.
2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.
yes but this is infrequent and has little to do with password structure. in the article the NSA is sighted, but thats not exactly how they work. Youre more likely to have a secret court order Google to cough up your data, not your password. Your computer password on the other hand would be demanded at penalty of spending the rest of your life in contempt of court or guilty by default. either way they win.
3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password.
I would argue the question is whether this password has ever been compromised or the breadth to which it is used online. more exposure means a greater chance of compromise. horse battery tries to get people to think creatively to avoid duplication however its not perfect.
4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords.
absolutely. this and two-factor, which is mentioned in the article, are critical steps in ensuring online services and applications encourage strong passwords. I think the attacks on horse-battery passwords are unmerited, and ultimately irrelevant once paired in a two-factor environment with a private or yubikey solution. intelligent service responses to bruteforce attempts, RBL's that blackhole compromised machines and subnets, and application support for longer than 8 character passwords are also important.
Good people go to bed earlier.
Bullshit... this guy is working in some fantasy world separated from reality.
Anecdotal example: I used to work for AT&T back in the 90s. They wanted to improve the security of an application so they changed the password requirements and had it require a 30 character pass phrase that included capitals, lower case, numbers, special symbols, no numbers could repeat, etc... The result? Everyone had a posit note with their password stuck to their monitor within a week.
All of your security measures are meaningless if no-one follows them. There was no way in hell we were going to remember our 30 character password without writing it down.
Password safe huh? And how do I log onto the computer in the first place? Or remember the password for the password safe? I need 2 passwords just to get into the safe! I have to pick a less secure password to protect the thing I keep all my passwords in?!?!
6 to 8 characters
make us change it every 90 days
Special characters don't matter
4 attempt lockout
done
If they can guess your password in 4 attempts, they know your god damned password.
There are now lists of millions of stolen passwords, and frankly none of them are safe. Why shouldn't someone set up a password security app (like captcha, but in reverse) so that a large web site could
- download a large stolen password list (even 1 billion would only be a few GBytes)
- checks (a salted hash) of your password against the list (say, salts changed every day or hour or...) and
- if yours is on the list, tells you to do better
It seems this would be much safer than just having some app that counts punctuation characters and tells you your password is strong if it has more than 3.
Yeah, I try to make this point all the time. I run into IT people and companies whose idea of a "strong password" is something like: have 8 characters, one capital letter, one number, and one symbol/punctuation-mark, and rotated every few months without repeating for the past 5 passwords.
You know what people do? They rotate through the following passwords: Password1!, Password2!, Password3!, Password4!, Password5!
Actually, if you think about it, standardizing on those kinds of requirements is kind of dumb, since it limits the combinations of different passwords people can use. If an attacker knows these requirements, and wants to attempt a brute-force attack, he start by ruling out anything with fewer than 8 characters, and any combination lacking in symbols, capital letters, etc. Now, that doesn't cut out that many possible combinations, but you can start by ruling out short words, assume that the first letter will be capital, assume that the numbers will be at the end, and there's a good chance the whole thing ends in an exclamation mark. I've seen a lot of passwords, and it's always an exclamation mark at the end.
And then there's always someone who pops up with the clever advice of substituting symbols for letters. "The password 'password' is completely insecure. Instead, use 'P@ssw0rd!'. Hackers can't guess your password if it has symbols, numbers, and punctuation!" Ummm... no. those kinds of substitutions have been included in dictionary attacks for a long time now. "P@ssw0rd!" is not a strong password.
The "correcthorsebatterystaple" is actually pretty good advice at this point, all things considered.
IT companies like Microsoft? You've just described the exact password policy that the largest software company in the world uses to enforce a "strong password", under the guises of best practices. I don't know why you blame the end user, when the manufacturer is the one perpetuating this system through documentation, training certifications, and the operating system itself.
But all that aside, those passwords are plenty good enough. Any system that allows an attacker to brute force passwords, especially online, has a design problem. It would take an idiot to build a system that allows 1000 password guesses per second without a timeout. Guess wrong 5 times, and you get locked out for 10 minutes, and a warning email sent. Suddenly you've increased the brute force time to thousands of years, and the target is aware. This is basic stuff, and just about any dictionary word is safe.
Ever increasing complexity is an unnecessary solution. Password breaches are not being done through brute force, there's no real reason to make brute force harder.
Not only that, but remember multiple different passwords like that, because some websites/databases don't allow the carat symbol.
I have over 20 different passwords for different sites at work. Some of them don't allow a password under 12 characters, some don't allow a password over 8 characters. Some don't allow a number or symbol in the first space. Some only allow 6 different symbols to be used. Some don't allow capital letters. Some require capital letters.
It's insane. It's not possible for my coworkers to remember them all, so they get written down, which certainly doesn't increase security. Many times people keep their passwords in their phones. Some write them down on paper and keep them in their wallet. Some folks leave them on notes in their cubicle.
Then, to top it off, some require the password to change every 30 days. Some every 60 days. Some every 90 days.
These insane attempts to force password security have actually destroyed it.
I would like to see a password cracking tool that actually follows what you say.
See the problem with what you propose is that all it takes is one character to be wrong and your entire guessing game falls in a heap. Is there a comma in there? Did they end with an exclamation mark? When looking at the number of possible words that could be strung together to create a grammatically correct sentence, add the necessary grammar, and pray to god someone didn't miss-spell a word or add a number, you're effectively brute forcing for a stupendously large dataset.
The way it works in real-life (tm), a dictionary attack is performed with 1 word. If it doesn't find it hit, dump the target and move on to the next person who is likely to use one word. If evil-dooers (tm) really want your data they'll coerce it out of you, or social engineer your password. No one sits down and brute forces passwords with complex Markov chains and Bayesian analysis.