Many Password Strength Meters Are Downright Weak, Researchers Say
alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results.
Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).
123Password is very strong because it uses numbers and upper and lower case letters.
Those meters are stupid.
I think you meant "fist".
The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.
What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?
I know that my password - ********** - is very strong. I use it on all sites and even brute force hasn't worked yet. So, nyah, to the password meters.
I hope these researchers asked permission of the website owners before sending millions of requests to their servers.
So we need a meter for meters now.
I've only had one strange encounter with one of these things. I have symbols in my passwords, like I'm supposed to: so I sign up for an account at some website, and it thinks my password is great - until the end. In this case, I placed a period near the end of the password, and for some reason including a period made their website change its mind from my password being great to awful. So awful it wouldn't accept it.
The kicker? This was my ISP.
My personal complaint was when I signed up to a Tesco banking account, it wanted a password that fit their undefined secure scheme.
I entered a password with 20+ pseudo-random characters appended to tesco, it deemed this insecure. However on making the password shorter by removing tesco, apparently it became more secure. Although I can understand why such a limitation exists, it defies logic that making a password shorter should make it more secure.
The usual ideas of what makes a strong password according to these strength meters are pretty much all stupid and useless.
Bad rules:
- must use at least one [number, special char, capital letter].
- Cannot use spaces or certain punctuation
Better rules:
- It is not made up of real words in the dictionary
- It is not equal to any of the top several thousand passwords
It's not difficult. These meters will tell you that asdf1234! is more secure than "xxyyff eegg", which of course is utter nonsense.
Those meters are all over the place. As the article mentioned, the majority of them only count the number of characters in each class, so they're pretty terrible at actually telling you how hard your password is to crack. Some of them are set to an absurdly high level too. The default Ubuntu meter for instance requires something like 16 characters before it will even consider your password good. I saw one where it wouldn't take your password unless it was at least 14 characters long, had all classes of characters in it (upper, lower, number, symbol), no more than two of the same class together, and "no patterns". At that point you just kind of have to accept that I'm going to stuff it in a password manager even though your site expressly forbids me recording my password elsewhere.
that we're doing it exactly backwards. https://xkcd.com/936/
Are we ever going to make strong passwords? Ever?
For God's sake, password strength meters were either invented by an incompetent or by the NSA to weaken the web.
I run a GPU cracker on my users' password hashes to preemptively weed out weak passwords. Several times I have seen them try to change it from (for example) "password" to "P@ssw0rd99", which in a certain sense is significantly more complex, but OCLHashCat has rules for capitalization, leet-speak, appending/prepending numbers. You've only changed the time it takes to crack that hash from fractions of a second to a few minutes.
The only highly secure password requires long, random characters. Given a choice, users will always prefer an easy-to-remember password because it makes their life easier. Unfortunately, it also makes the bad guy's life easier, and the sysadmin's life harder.
Websites should be required to disclose the hash format they are storing users' passwords in, to hopefully prevent another Linkedin plain-md5 type debacle.
Single factor authentication (i.e. password) is a people problem. If access to a site is granted by matching an identifier with one other piece of information, then it is the risk created by the compromise of those credentials that should govern how "strong" those credentials need to be.
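The checks described in the "Bad rules / Better rules" comment and in the GPU-cracker comment above, as an added example (not from the thread or any named tool): a meter that reverses the cheap mangling rules a rule-based cracker applies (case, leet substitutions, appended or prepended digits and symbols, reversal, keyboard walks) before looking the password up, so "P@ssw0rd99" scores like "password" and "asdf1234!" is flagged while "xxyyff eegg" is not. COMMON is a tiny constructed stand-in for a real top-N list.

```python
"""Constructed strength check that undoes common cracker rules before a
dictionary lookup. COMMON, LEET and KEYBOARD_ROWS are illustrative tables,
not taken from any real cracking or meter project."""
from typing import Optional, Set

# Constructed stand-in for a top-N password list; a real deployment loads
# a large file here.
COMMON = {"password", "123456", "qwerty", "letmein", "veronica", "football"}

# Leet substitutions, mapped back to the letter they stand in for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Digits and symbols people bolt on to satisfy "must contain a number/symbol".
AFFIX_CHARS = "0123456789!@#$%^&*()-_=+.,?"

# Keyboard rows, for walks such as the "asdf" in "asdf1234!".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def candidates(pw: str) -> Set[str]:
    """Base forms a cracker would derive pw from: the original, affixes
    stripped, leet undone, lower-cased, in every combination of those
    steps applied in that order."""
    forms = {pw}
    for step in (lambda s: s.strip(AFFIX_CHARS),
                 lambda s: s.translate(LEET),
                 str.lower):
        forms |= {step(s) for s in forms}
    return forms


def weakness(pw: str) -> Optional[str]:
    """Return why pw is weak, or None if no rule fired.

    None is not proof of strength; it only means these cheap rules found
    nothing, which is the most a dictionary-style meter can honestly say."""
    if len(pw) < 8:
        return "shorter than 8 characters"
    for base in candidates(pw):
        if len(base) < 3:          # stripping left nothing worth matching
            continue
        if base in COMMON:
            return f"derived from common password {base!r}"
        if base[::-1] in COMMON:
            return f"reversed common password {base[::-1]!r}"
        if any(base in row for row in KEYBOARD_ROWS):
            return f"keyboard walk {base!r}"
    return None
```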
Financial information? Strong. Personal Health information? Strong. Email? Depends on how interesting you are. Hardware store loyalty points? Meh.
The more important point from the article is this:
"In fact, research from Microsoft/University of California at Berkeley/University of British Columbia (paper titled Does My Password Go Up to Eleven? The Impact of Password Meters on Password Selection) found that indeed, password gauges do encourage users to concoct stronger passwords."
Warn/shame people that their passwords suck and they are likely to do better.
(And interestingly enough, mathematically a site that insists on an 8 character password with at least one each of upper/lower case letters, numbers and special characters produces less secure passwords than a site that insists on 8 characters that can be any of those.)
entropy is, and how to measure it. Then we will solve the problem. Oh my God there is nothing worse than what passes for good passwords. People are good at remembering sentences and those have lots of entropy. People are terrible at remembering what we call passwords and those have very little.
We're just doing this wrong from beginning to end.
Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).
Accepting weak passwords as good is never good, but calling wildly long and random ones poor sometimes has its place, depending on what they're doing.
If they're just checking that you've got the right number of non-alpha, plus upper and lower letters, then that's bad. If however they're doing hash matching, then that's good.
This is because hash collisions occur -- I've experienced a number of these; there are some really "secure" long passcodes that share a number of common hash format results with "password". If you use such a passphrase, you'll think that you are nice and secure, when in reality, anyone can just type in "password" and have full access to what you were attempting to protect.
So sometimes what looks like arbitrary prevention is actually the strength meter knowing more about how the passwords are being used and stored, and protecting you from making bad choices you might not otherwise realize exist.
But yeah; most password meters *are* just junk.
I think this discovery is Nobel Prize worthy!
Most of those web sites are not one's I'm likely to return to anyway. Like a corporate web site for some company I clicked on a job posting for. And now it's asking me to create an account with my E-Mail address and a password. The only information in the account that the password is protecting is an E-Mail address, and I'm not likely to ever return to that site. At this point I'm already pretty sure I don't want to work for that company. If they bitch at me about the strength of the password I chose, that's really just going to make up my mind for me at that point. If I ever DO return to the site, I'm not even likely to remember that I ever created an account there, much less what the password was, so I'm just going to have to click on the "forgot password" link, anyway. I've had sites like this send me the original password in plain text, too.
We should launch a massive research effort, figure out the strongest possible password, and make everyone use that.
A reminder about their password requirements.
I cannot begin to count the number of times I've had to hit "Forgot my password" simply because they do not remind me up front that my password must have a special character in it. For websites that do not have my personal information and especially not financial (blog sites, sport sites) I tend to use a common password so I don't have to remember different passwords. Again, completely different from any important password and used only for essentially throwaway sites.
But some sites require at least one digit, others at least one Capital letter (or at least one lowercase), others at least one special character, others some combination.
The throwaway password usually meets these by virtue of the way it is constructed, but not always. Sometimes it has to be doubled to meet a length requirement, for example. But while they tell you this when you create the password, they never seem to remind you when you later have to enter your password.
There are also often (not told to the user!) length limits on passwords
I like making my passwords a sentence. Whether it is more secure or not, it is easier for me to remember and I like to pretend I believe it is super secure.
However, I have had several places where I make a user, make a password (which it thinks is super strong because it is like 50 characters), copy-paste it somewhere, and it says I have a user. I then try to login using the copy-pasted password, and it tells me I have a bad password. Going through the password-reset process, it invariably works if I reset it to a much shorter password.
This is a bug that really annoys me, especially with xkcd encouraging people who might not know about this popular bug to make long passwords.
Sorry, but you have entropy the wrong way round. Good passwords have more entropy, not less.
If different rules for each meter helps people pick a different password for each site, this is a win. To a large extent, I need to trust Facebook to protect my Facebook data from breach at Facebook. However, it really is up to me to protect my Facebook data from a breach at Google.
... wrong from beginning to end.
and that includes not echoing what the user typed. When a password is over 12 characters long, the user needs to be able to edit as it is entered. Echoing stars destroys the ability of user to verify what has been received.
Uhm you didn't understand what I typed.
If you pick 7 different words at random from a dictionary of 100,000 words and make a sentence from them you have log(100,000 choose 7)/log(2) bits of entropy that's 104 bits.
You'll never be able to remember a random character password worth 104 bits. Never. But you could remember a 7 word sentence.
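The 104-bit figure from the comment above, worked through (added here; not part of the original comment):

$$
\log_2 \binom{100000}{7}
= \log_2 \frac{100000 \cdot 99999 \cdots 99994}{7!}
\approx \log_2\left(10^{35}\right) - \log_2(5040)
\approx 116.3 - 12.3 \approx 104 \text{ bits}
$$

If the order of the words matters (a sequence rather than an unordered set), the count is $100000^7$ and the entropy is about 116 bits. For comparison, a password drawn uniformly from the 95 printable ASCII characters carries $\log_2 95 \approx 6.57$ bits per character, so matching 104 bits takes $\lceil 104 / 6.57 \rceil = 16$ random characters.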
Teach users what entropy is? That is unpossible (as Ralph Wiggins would say).
I have a friend who is clearly quite intelligent, but can't remember how to do cut and paste -- though I bet he knows more people by name than anyone I have ever known. Even a poor quality password meter probably helps password quality more than any single attempt to teach how to make good passwords. After all we have been trying to teach this as an industry for decades without much success.
The problem is that ad-hoc password strength measurement is usually pretty bad because writing a good meter is hard, although again something is usually better than nothing. Best practice would suggest reusing code from someone else, perhaps just as Dropbox did according to the article -- apparently zxcvbn. I am not claiming zxcvbn is actually good, just that the researchers referred to Dropbox favorably in this regard.
The correct solution is clearly a Password Strength Meter Password Strength Meter
If only society had some way of teaching people things so that they wouldn't be incompetent.
We could call it Skowol.
Well, a random set of 7 words will rarely form a sentence.
Note: copying and pasting passwords is a hell of a security hole. Every single program can read the clipboard.
True enough.
Though you can do strange things like display a tiny hash picture when the user has finished - that can be a visual verification.
Reordered with glue words between them, they can. None of that reduces the entropy, not the way I calculated it.
Notice I used choose, not powers.
Do you think password strength meters are effective?
No: 51.97%
That's what you want to hear, right??
Upon further reading of the research article itself, I discovered that Dropbox created the meter and then shared it as zxcvbn instead of the other way around that I assumed. They apparently also liked the strength checking in the KeePass utility which is also open source.
If it really "balked", it wouldn't have accepted weak passwords. Balked means to refuse.
Does not matter if the browser blocks cut and paste. The user probably tries to use cut and paste anyway, so it's still in the clipboard.
Of course, making use of this security hole means your computer is already compromised anyway.
Sorry I guess I didn't describe the bug properly: often websites accept a long password to create the password, but apparently drop the rest of the string after a certain amount of characters which makes a password of fewer characters than the user wanted.
This wouldn't cause a problem (aside from being a security hole) except when I go to type in my long password to log in, the software takes the entire string and does not drop off the characters after the limit used in creating the password, effectively making it so I cannot log on with the password I tried to sign up with.
I use the clipboard only for testing to see if this bug is there; eliminating the potential that perhaps I just typed my password in incorrectly.
For example, I sign up for a user on website with username "username" and password "This is a very long and secure password". The site, in order to prevent the string being too long, only accepts 20 characters, making my password "This is a very long ". Ok. When I go to log in, however, there is no character dropping, and so it compares my password "This is a very long and secure password" to "This is a very long ", which obviously do not match, and I cannot log in, even though I am typing the same string every time.
This is the bug I was trying to describe and is very frustrating.
I did not describe what I was doing very well; see my response to my original comment.
The clipboard is just being used to confirm the bug; the first time I attempt to create a password obviously I should not make a habit of doing this.
I know that using single-word passwords and going leet-speak is pretty easy to crack. Seriously though, what about passphrases? Even if they're all English words, the time it would take for someone to come up with the right phrase would be years.
Example: "Bob drank 2 large Cokes with his pizza!" would take forever to crack, but it's still easy to remember.
Also, Bob needs to lay off the sugary drinks.
1) Computers are, by design, a tool to lessen entropy. Computers sail through an Internet of chaos and disorder like icebreakers leaving a trail of ordered, aligned wreckage in their wake.
2) Any program or method employed by a computer to evaluate the "entropic value" of a string in the end means absolutely nothing except that it correlates to other virtual "entropic values" of other strings like it using purely ordered, metered and aligned correspondences of information bits.
3) Computers interacting or evaluating entropy in any way lessens the True Entropy of a system (or password or system of passwords).
Allowing a computer to determine entropy necessarily reduces it and using such a limited symbolic representation like a keyboard will soon not contain enough variables to adequately retain enough entropy to withstand faster, cooler processors. One method I see for future "password" usage uses the old Ars Memoria or Art of Memory, which I think is somewhat touched upon in xkcd's "correcthorsebatterystaple" method.
In short, letting PCs choose what is random or not is the exact opposite of how true randomness works. We wouldn't trust a randomness engine without knowing how that engine generated the seed of entropy injected to cascade information complexity but knowing how it is done obliterates its entropic value. In real short, I'm really stoned and I don't know what I'm talking about anymore and this post is too long and boring...I'm hungry dammit.
I'm surprised that Passfault was not mentioned in the paper TFA references, since it specifically checks for dictionary attacks in multiple languages, and for substitutions, reversals, keyboard shifts, and other transforms that an advanced cracking program might check. It's open source, too. Yet no one else even mentioned it in this discussion, when Slashdot is how I know about it in the first place.
In fact, they're ridiculous. I've given a couple presentations on password strength, and password meters are to password strength what the TSA is for air travel security - a better-than-nothing baseline approach that is mostly for show.
The problem is that we have nothing better to offer at this time, even though most security experts agree that passwords are a solution whose time is over.
Prior to landing on /. for the Nth time today (it is a slow day) I finished reading an article about password complexity and a system called "DiceWare"
The main article can be found here with the Wikipedia version here
The system doesn't rely on crazy levels of complexity in a password, rather longer and random words combined to form phrases which are far easier to remember. If only we could get some sort of standard in place so that every website you visit doesn't use their own in house rules for password length, complexity and storage of the hashed and salted versions. Would be nice to know using a thirty character passphrase would work across the board ( different for each site obviously ) instead of having to hop through the password rules for every site :|
I am afraid you have entropy wrong. It goes the other way. Good passwords have more entropy, not less.
What does "password strength" really mean?
If people used a textual representation of a number obtained from a reliable hardware random number generator then the meaning would be unambiguous. It's the number of digits in that number. But most people don't do that (perhaps more should).
So what does it mean to say that a password has so many bits of entropy? Well, I guess it means how many truly random bits it would take to index their password from the universe of passwords the user considered. This is more an exercise in psychology than it is in mathematics. You have to figure out how users generate passwords or discount passwords. For example requiring a mix of upper and lower case letters doesn't add as much entropy as you'd think, because most users are mediocre typists who'll avoid using the shift key too often. Requiring digits means that many people will just use "0" for "o" and "1" for "L".
So it's really easy to concoct passwords which you know are bad, because you know the methods used to select which passwords you'd consider; if the developers of the strength meter don't take your particular generation algorithm into account the meter will show the password to be stronger than you know it to be.
I've never trusted the online "tester" sites. The paranoid side of my brain says the site's purpose is, "Hey, let's take this guy's clever password that a dictionary/brute force attack would never ever be able to break, hash it out, and then compare the hash to others we've already stolen. Profit!"
For what it's worth, I understood precisely what you meant because it's a bug that's bitten me plenty of times as well.
A similar problem I've encountered is when email address validation differs between account sign up and login, usually with one disallowing characters the other considers valid. Most commonly caused by using a plus sign (+) in the user@ part of the email. I actually find this problem to be more common than the long password issue, and it's incredibly frustrating.
First, background: + is a valid character that tends to get used for auto-filtering these days. It's good for seeing who's sending you spam and also for filtering it out, while also making it less likely that someone knowing your email address (user@example.com) will be able to just plug it into random services and try to access accounts.
Example:
1. Attempt to sign up with user+extra@example.com. If you're lucky, it won't just cry "invalid email" and make you start over.
2. Signup successful, password verification successful. Login with user+extra@example.com.
3. Get an ambiguous user/password error.
4. Attempt password reset on user+extra@example.com, receive a simple placeholder password. Account clearly active.
5. Attempt to login with user+extra@example.com and the placeholder password, copy/pasted from reset email.
6. Get ambiguous user/password error again.
7. Make account with any email address without the +, works fine.
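The two sign-up/login mismatches described in this thread (the password silently cut to 20 characters at sign-up but compared whole at login, and the "+" address accepted at sign-up but rejected by a stricter check at login), reproduced side by side with a version that runs one shared validation at both ends. This is an added example against a hypothetical account store; it is not any real site's code, and the 20-character cap and the regexes are assumptions chosen to mirror the comments.

```python
"""Constructed demo: inconsistent validation between sign-up and login,
and the fix of sharing one validate() routine. Hypothetical store only."""
import hashlib
import hmac
import os
import re

MAX_PASSWORD = 20     # the 20-character cut-off from the comment's example
ITERATIONS = 50_000   # kept low for the demo; production uses far more

# Permissive local part (letters, digits, . _ % + -), as mail systems accept.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# The same pattern with '+' forgotten: the stricter check that breaks login.
STRICT_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 itself has no input-length limit; the cap above only mirrors
    # the scenario in the thread.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class BuggySite:
    """Sign-up truncates the password and accepts '+'; login does neither."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, password: str) -> bool:
        if not EMAIL_RE.match(email):
            return False
        salt = os.urandom(16)
        # Silent truncation: the stored hash covers only the first 20 chars.
        self.users[email] = (salt, _digest(password[:MAX_PASSWORD], salt))
        return True

    def login(self, email: str, password: str) -> bool:
        if not STRICT_EMAIL_RE.match(email) or email not in self.users:
            return False
        salt, stored = self.users[email]
        # The whole string is hashed here, so the 39-char password never matches.
        return hmac.compare_digest(stored, _digest(password, salt))


class FixedSite:
    """One validation routine called identically by both endpoints; an
    over-long password is refused with a message instead of being cut."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def validate(email: str, password: str) -> None:
        if not EMAIL_RE.match(email):
            raise ValueError("invalid e-mail address")
        if len(password) > MAX_PASSWORD:
            raise ValueError(f"password longer than {MAX_PASSWORD} characters")

    def register(self, email: str, password: str) -> bool:
        self.validate(email, password)       # raises, so the user is told why
        salt = os.urandom(16)
        self.users[email] = (salt, _digest(password, salt))
        return True

    def login(self, email: str, password: str) -> bool:
        try:
            self.validate(email, password)   # same rule, same outcome
        except ValueError:
            return False
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, _digest(password, salt))
```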
You won't, but lots of people will -- who remembers whether an arbitrary website disables cut and paste during password entry.
I use passphrases - but not the phrases themselves. I come up with a really long sentence and then just use the first one or two letters from each word.
So, like I would come up with a phrase such as "I like Robert Reich, and think he should run for president in 2016" I would have a password "ilrr,athsrfpi2016" that would be easy to remember. Even if it were somehow tangentially related to a site by topic or theme or "feel" it is a whole lot more secure than a combination of dictionary words and numbers, because I'd bet that most people have stupid passwords in the form of "Password1" just to meet complexity requirements that really aren't effective at all because ironically it would only serve to incentivize people to try to further simplify their passwords.
The ideal complexity tester would test for dictionary words and leave it at that.
Why does my Slashdot account need a password stronger than that?
It's pretty obvious to me that the real solution is to store passwords in a hardware black-box (with a mirrored spare) that only allows a limited number of tries for a given password and all passwords per time period. I.e. throttled.
Computers are getting too fast to permit them to chomp on raw encrypted files.
Too many devices.
Multiple tablets, roku, smart tv, multiple laptops, multiple computers.
If I change the password on one, I have to change them on all. If I have to change my system on one, then I have to write the passwords down.
It's not even "dumb". It's just reality.
However, so far- I've never had a password cracked and I haven't had a virus since "Your Amiga has Come Alive!" back in the early 90s.
I'm just not worth the effort most likely.
So long as the browsers hide my password with dots copy-pasting is the only sufficiently reliable way to get temporary passwords right.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
For longer passwords, we need to offer to include spaces, or publicize it if we already do, so people can insert sentences as passwords. This could add a great deal of complexity and memorability to complex passwords, e.g.,
"How much you want to make a bet I can throw a football over them mountains? Yeah. If coach would've put me in fourth quarter... we'd have been state champions, no doubt. No doubt in my mind," said Uncle Rico.