Password Security: Why the Horse Battery Staple Is Not Correct

First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."

Oh great

[Falos]

> asserting that a single point of ultimate failure is the most important technology
Yeah, it's important all right. Critical, even.

We're being awfully slow about teaching people to adopt passphrases. Simple, no number no symbol nonsense.

"rrrybgdts" is a nursery rhyme. It doesn't even have to be written on a sticky.

Re: Oh great

[David+Jao]

A quantum computer can brute force a password quadratically faster than a classical computer. This speedup is much slower than the exponential speedup that a quantum computer enjoys against RSA. Long passphrases are still very secure against quantum attacks.

Every time XKCD 936 is Mentioned

[Matt+Steelblade]

Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect. "At least one security researcher rejects that theory." What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user), but that has nothing to do with relying on password managers...

Negative

[mseeger]

Good, bad & ugly - Your password

PASSWORD REQUIREMENTS

A good password must have two properties:

1) It has been memorized by the user
2) It is difficult to guess for a third person (even if he/she knows the user well)

But in most cases another requirement is thrown into the mix:

3) The password shell be complex (have a high entropy)
Usually the requirements take the form of a password policy like this:

The password must be at least 8 characters long
The password must contain upper- and lower-case letters
The password must contain a number
The password must contain a non-alphanumeric character

You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.

THREATS TO PASSWORDS

Let us take look at how the security of password can be compromised:

- The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)

- The password has been re-used by the user in a different context where the attacker has access to it

- The attacker gained access to the encrypted storage of password and managed to extract it from there

- The password has been guessed by the attacker

How does having a complex password help you against these attacks?

In case of an attacker observing the user entering the password, no complexity will help. Rather the contrary, a password with mixed upper/lower-case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.

If the password is known to the attacker from the use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords are rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefor increases the chances of an attacker to use a known password of the user in a different context.

In case of access to the encrypted password store, the complexity clearly helps to hamper the attacker (if the password is encrypted properly).

One would expect that password policy should help making a password un-guessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy they tend to stick to first names, upper-casing the first or last letter, replacing characters by similar looking special characters or numbers and/or adding numbers at the end (like birthdays).

Summary: Only in one attack scenario choosing a complex password helps, in all other scenarios it does not have any or even a negative impact. So let us look at this scenario a bit more detailed.

DECRYPTING PASSWORDS

To decrypt the password of a user, the attacker has first to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.

When it comes to decrypting a password, the algorithm used is a more important than the complexity of the password. If the service provider has not done his home work, complex passwords offer only little protection. This is another critical point, where the user has no influence whatsoever.

But in case of the service provider having botched the safety of his password file but made everything correct when choosing the algorithm the complexity of the user passwords can offer extra protection against the attacker.

Does this case justify all the negative impact?

I want to point out, that the safety of the encrypted password is not the responsibility of the user. So would say: Don't make him part of the process here. Don't shift the responsibility to to him where the service provider is responsible.

Remark: I did not specifically address the issue of an attacker

Re:Negative

[The+Technomancer]

Having read this before, I was about to blast you for copypasta without attribution.

Then I looked at your username, looked at where I saw this, and realized that mseeger is probably Martin Seeger.

So, rather than blasting you for plagiarizing yourself, here's a thank you instead!

lost password process as an attack vector

[roc97007]

Even with the best password, memorized or securely stored doesn't protect you against a password recovery process that's improperly engineered. Often an institution, even a BANK, will give you as a recovery password a choice from perhaps six possibilities, any of which can be divined from publicly available information or a little social engineering. Your password may be q4ot38yhewa;okl, but your password recovery phrase will be the street you lived on in high school or the name of your first dog. This is not secure.

And don't even get me STARTED about pin code security. When I set up my AmEx corporate card, the phone menu suggested strongly that I use digits that are easy to remember, like my mother's birthday. Ignoring the directions and entering a random code, I got rejected because my pin WASN'T A VALID DATE. I called tech support, told the tech monkey the error I was getting and he immediately said that I was to set it to my mother's birthday. I said I didn't want to use something that would so easily be discovered, and he seemed nonplussed. He had to consult with a supervisor. They eventually decided that I could use a random number, but I had to tell him the number over the phone so he could override the menu's requirements to use a valid date. This was AMEX!

Back to the lost password process, I give random strings as answers to the challenge questions, but I figure eventually banks won't let me use strings that aren't a valid dog's name or a listed street name in my home town.

I know why they do this -- it cuts down on service calls to require shlubs to use passwords that are easy for them to remember. But geeze... I foresee a time when we'll all be required to use the common name for an eating implement. Everyone will choose "spoon". The institution will be able to cut customer support back to one person in north-eastern Poland. Or perhaps they already have.

(I use Poland not to denigrate the Poles, but because a company I do business with was quite proud of the low low DL price they got for customer support hotline personnel in eastern Poland. To cover North American accounts. Because that makes sense. Really.)

Re:Mod parent up.

[rainmaestro]

Not having the manager available is a big problem. I redid all my passwords after the Heartbleed issue, and pretty much maxed out the password for each of my important accounts. Was great on my PCs where I had KeePassX, but the first time I had to enter a 24-character randomly generated password with special characters on my cellphone to log in, I realized why it will never work for the average person. Big, long complex passwords are great until you have to type them in on a tiny ass keyboard.

Re:symbols, caps, numbers

Like my bank, which has to keep the answers to my security questions in plain text. Otherwise, the last time I got locked out, I would not have had the rep say, "Alright, now what is your mother's maide.... Good lord." The answer, by the way, was Mrs. Farty Pants.

Re:symbols, caps, numbers

[FatdogHaiku]

The only reason they started with 6 chars was so they could generate an error message:
"penis is too short"
when someone tried to use that for a password...

Evolution Of Passwords

[Tablizer]

1978:

  password

1983: Rule: Don't use 'password', too common.

  passgas

1990: Rule: Must contain at least one digit

  passgas7

1995: Rule: Must contain mixed case

  Passgas7

1999: Rule: Must contain at least one punctuation character

  Passgas7&

2004: Rule: Must change every 2 months

  Passgas7& ... Passgas8* ... Passgas9( ... Passgas1! ...

2015: Rule: Must be at least 20 characters long

  Passgas711111111111$ ... Passgas177777777777$ ...

2017: Rule: Can't use any patterns guessable by AI

  Oh f$ck it, just hack me already, dammit @666

(Courtesy c2 wiki)

Re:symbols, caps, numbers

[PraiseBob]

IT companies like Microsoft? You've just described the exact password policy that the largest software company in the world uses to enforce a "strong password", under the guises of best practices. I don't know why you blame the end user, when the manufacturer is the one perpetuating this system through documentation, training certifications, and the operating system itself.

But all that aside, those passwords are plenty good enough. Any system that allows an attacker to brute force passwords, especially online, has a design problem. It would take an idiot to build a system that allows 1000 password guesses per second without a timeout. Guess wrong 5 times, and you get locked out for 10 minutes, and a warning email sent. Suddenly you've increased the brute force time to thousands of years, and the target is aware. This is basic stuff, and just about any dictionary word is safe.

Ever increasing complexity is an unnecessary solution. Password breaches are not being done through brute force, there's no real reason to make brute force harder.

Re:symbols, caps, numbers

[DaTrueDave]

Not only that, but remember multiple different passwords like that, because some websites/databases don't allow the carat symbol.

I have over 20 different passwords for different sites at work. Some of them don't allow a password under 12 characters, some don't allow a password over 8 characters. Some don't allow a number or symbol in the first space. Some only allow 6 different symbols to be used. Some don't allow capital letters. Some require capital letters.

It's insane. It's not possible for my coworkers to remember them all, so they get written down, which certainly doesn't increase security. Many times people keep their passwords in their phones. Some write them down on paper and keep them in their wallet. Some folks leave them on notes in their cubicle.

Then, to top it off, some require the password to change every 30 days. Some every 60 days. Some every 90 days.

These insane attempts to force password security have actually destroyed it.