Many Password Strength Meters Are Downright Weak, Researchers Say
alphadogg writes "Website password strength meters often tell you only what you want to hear rather than what you need to hear. That's the finding from researchers at Concordia University in Montreal, who examined the usefulness of those ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of 'not-so-good' passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by what they termed wildly inconsistent results.
Inconsistent can go both directions: I've seen password-strength meters that balked at absolutely everything (accepting weak passwords as good, after calling wildly long and random ones poor).
123Password is very strong because it uses numbers and upper and lower case letters.
Those meters are stupid.
I think you meant "fist".
The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.
What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?
I know that my password - ********** - is very strong. I use it on all sites and even brute force hasn't worked yet. So, nyah, to the password meters.
They're generally implemented as client-side JavaScript, so there'd be about one request to the server, not millions.
So we need a meter for meters now.
Those meters are all over the place. As the article mentioned, the majority of them only count the number of characters in each class, so they're pretty terrible at actually telling you how hard your password is to crack. Some of them are set to an absurdly high level too. The default Ubuntu meter for instance requires something like 16 characters before it will even consider your password good. I saw one where it wouldn't take your password unless it was at least 14 characters long, had all classes of characters in it (upper, lower, number, symbol), no more than two of the same class together, and "no patterns". At that point you just kind of have to accept that I'm going to stuff it in a password manager even though your site expressly forbids me recording my password elsewhere.
that we're doing it exactly backwards. https://xkcd.com/936/
Are we ever going to make strong passwords? Ever?
For God's sake, password strength meters were either invented by an incompetent or by the NSA to weaken the web.
I run a GPU cracker on my users' password hashes to preemptively weed out weak passwords. Several times I have seen them try to change it from (for example) "password" to "P@ssw0rd99", which in a certain sense is significantly more complex, but OCLHashCat has rules for capitalization, leet-speak, appending/prepending numbers. You've only changed the time it takes to crack that hash from fractions of a second to a few minutes.
The only highly secure password requires long, random characters. Given a choice, users will always prefer an easy-to-remember password because it makes their life easier. Unfortunately, it also makes the bad guy's life easier, and the sysadmin's life harder.
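An added example, not code from the thread or from any meter it names: a class-counting meter of the kind described above, beside a check that first undoes the cheap mangling (capitalisation, leet, appended digits) before a dictionary lookup. The word list and the 4-point "strong" threshold are constructed for the demonstration.

```python
import re

# Constructed stand-in for a real wordlist (real ones hold millions of entries).
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "qwerty"}

# Single-character leet substitutions, undone before the dictionary lookup.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def class_count_score(pw: str) -> int:
    """Naive meter: one point per character class present, one for length >= 8.
    'P@ssw0rd99' scores the maximum 5; 'password' scores 2."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    score = sum(1 for pattern in classes if re.search(pattern, pw))
    return score + (1 if len(pw) >= 8 else 0)


def normalise(pw: str) -> str:
    """Strip leading/trailing digits, undo leet, lower-case.
    This is the inverse of the 'append 99, capitalise, leet' mangling rules."""
    core = re.sub(r"^\d+|\d+$", "", pw)
    return core.translate(UNLEET).lower()


def base_word_is_common(pw: str) -> bool:
    """True when the password is a mangled form of a dictionary word."""
    return normalise(pw) in COMMON_WORDS


def rate(pw: str) -> str:
    """Combine both views. The class meter alone calls 'P@ssw0rd99' strong;
    the normalising check demotes it to weak because its base word is common.
    A long all-lower-case passphrase only reaches 'fair' here, which is the
    class-counting blind spot the thread complains about."""
    if len(pw) < 8 or base_word_is_common(pw):
        return "weak"
    return "strong" if class_count_score(pw) >= 4 else "fair"


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd99", "correcthorsebatterystaple"):
        print(f"{candidate:28s} class score {class_count_score(candidate)}  -> {rate(candidate)}")
```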
Websites should be required to disclose the hash format they are storing users' passwords in, to hopefully prevent another LinkedIn plain-md5 type debacle.
Single factor authentication (i.e. password) is a people problem. If access to a site is granted by matching an identifier with one other piece of information, then it is the risk created by the compromise of those credentials that should govern how "strong" those credentials need to be.
Financial information? Strong. Personal Health information? Strong. Email? Depends on how interesting you are. Hardware store loyalty points? Meh.
The more important point from the article is this:
"In fact, research from Microsoft/University of California at Berkeley/University of British Columbia (paper titled Does My Password Go Up to Eleven? The Impact of Password Meters on Password Selection) found that indeed, password gauges do encourage users to concoct stronger passwords."
Warn/shame people that their passwords suck and they are likely to do better.
(And interestingly enough, mathematically a site that insists on an 8 character password with at least one each of upper/lower case letters, numbers and special characters produces less secure passwords than a site that insists on 8 characters that can be any of those.)
What I hate is when they won't let you paste text into the password field. I use a password database and all of my passwords are random and long. They are hell to enter manually. So I end up putting in a less secure password because it is easier to type.
Bull. Totally wrong.
A good password could be made from real words as long as there are enough of them.
It's true that you want to pick from a larger dictionary rather than a smaller one. Perhaps you should estimate the entropy of a word by how common it is. What matters is total entropy not horrors like expecting users to remember misspelled words or strange symbols.
entropy is, and how to measure it. Then we will solve the problem. Oh my God there is nothing worse than what passes for good passwords. People are good at remembering sentences and those have lots of entropy. People are terrible at remembering what we call passwords and those have very little.
We're just doing this wrong from beginning to end.
Why would you even bother with prepending "tesco" unless you were reusing that "20+ pseudo-random character" string across other sites? That's shitty practice on your end.
What pisses me off about password restrictions is that they change and break my existing passwords.
Most recently, T-Mobile changed their shit to disallow some characters / reduce the length allowed, so my perfectly existing password was rejected as being "wrong", my account locked, and I had to fight with their customer service goons to get a reset. During the support session, the customer support clown actually asked for my actual password! Promptly told the bitch to fuck off and escalate the issue - 5 hours later in the middle of the night I'm FINALLY sent a reset token. I received absolutely zero communication from anyone at T-Mobile about it.
This also happened to me with my electric utility - they say right on the page they take 16 character passwords, and I was able to set a 16 character password, but when logging in it would fail. It worked if I truncated my input to 15 characters (after setting it as the full 16).
Plenty of other sites have fucked me in similar ways. Who in the fucking shit would change password length/character policies to make them MORE restrictive? Who the fuck would do this on the standard login page that can affect existing passwords?
Accepting weak passwords as good is never good, but calling wildly long and random ones poor sometimes has its place, depending on what they're doing.
If they're just checking that you've got the right number of non-alpha, plus upper and lower letters, then that's bad. If however they're doing hash matching, then that's good.
This is because hash collisions occur -- I've experienced a number of these; there are some really "secure" long passcodes that share a number of common hash format results with "password". If you use such a passphrase, you'll think that you are nice and secure, when in reality, anyone can just type in "password" and have full access to what you were attempting to protect.
So sometimes what looks like arbitrary prevention is actually the strength meter knowing more about how the passwords are being used and stored, and protecting you from making bad choices you might not otherwise realize exist.
But yeah; most password meters *are* just junk.
Most of those web sites are not ones I'm likely to return to anyway. Like a corporate web site for some company I clicked on a job posting for. And now it's asking me to create an account with my E-Mail address and a password. The only information in the account that the password is protecting is an E-Mail address, and I'm not likely to ever return to that site. At this point I'm already pretty sure I don't want to work for that company. If they bitch at me about the strength of the password I chose, that's really just going to make up my mind for me at that point. If I ever DO return to the site, I'm not even likely to remember that I ever created an account there, much less what the password was, so I'm just going to have to click on the "forgot password" link, anyway. I've had sites like this send me the original password in plain text, too.
IMO nobody who signs up for a Tesco bank account has any grounds for complaint.
I once asked a friend of mine, who is a professional ski boot fitter, what brands of hiking boots he recommends (he generally knows his stuff when it comes to performance footwear). His response was "buy a brand that makes shoes", meaning ONLY shoes/boots, not brands like North Face or Salomon.
If I asked my local butcher who I should get my bank account with I wouldn't be surprised if he said Tesco.
We should launch a massive research effort, figure out the strongest possible password, and make everyone use that.
Better rules:
- It is not made up of real words in the dictionary
So something like correcthorsebatterystaple is a bad password now?
I said "like", actually using correcthorsebatterystaple is obviously a bad idea.
A reminder about their password requirements.
I cannot begin to count the number of times I've had to hit "Forgot my password" simply because they do not remind me up front that my password must have a special character in it. For websites that do not have my personal information and especially not financial (blog sites, sport sites) I tend to use a common password so I don't have to remember different passwords. Again, completely different from any important password and used only for essentially throwaway sites.
But some sites require at least one digit, others at least one capital letter (or at least one lowercase), others at least one special character, others some combination.
The throwaway password usually meets these by virtue of the way it is constructed, but not always. Sometimes it has to be doubled to meet a length requirement, for example. But while they tell you this when you create the password, they never seem to remind you when you later have to enter your password.
There are also often (not told to the user!) length limits on passwords
I like making my passwords a sentence. Whether it is more secure or not, it is easier for me to remember and I like to pretend I believe it is super secure.
However, I have had several places where I make a user, make a password (which it thinks is super strong because it is like 50 characters), copy-paste it somewhere, and it says I have a user. I then try to login using the copy-pasted password, and it tells me I have a bad password. Going through the password-reset process, it invariably works if I reset it to a much shorter password.
This is a bug that really annoys me, especially with xkcd encouraging people who might not know about this popular bug to make long passwords.
I mean, a correcthorsebatterystaple equivalent is better than 1234 or W%x9, since there are more words in the dictionary than there are ASCII characters. It's really a pretty simple matter of number of possible passwords = (number of units you're considering) ^ (number of units used). So there are 10^4=10,000 four-number passwords, 128^4=268,435,456 four-ASCII-character passwords, and ~(1,000,000)^4=10^24 four-word passwords.
If different rules for each meter helps people pick a different password for each site, this is a win. To a large extent, I need to trust Facebook to protect my Facebook data from breach at Facebook. However, it really is up to me to protect my Facebook data from a breach at Google.
Uhm you didn't understand what I typed.
If you pick 7 different words at random from a dictionary of 100,000 words and make a sentence from them, you have log(100,000 choose 7)/log(2) bits of entropy; that's 104 bits.
You'll never be able to remember a random character password worth 104 bits. Never. But you could remember a 7 word sentence.
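An added example, not code from the thread: the two counting models argued about above, the alphabet^length count from the earlier post (10^4, 128^4, 10^24) and the "100,000 choose 7" count from this one, side by side, plus the conversion into an equivalent number of random printable characters. The 94-symbol printable alphabet and the guess rate are assumptions, not figures from the posts.

```python
import math

PRINTABLE_ASCII = 94  # assumed alphabet: printable characters on a US keyboard


def ordered_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent picks from `alphabet_size` symbols,
    i.e. log2(alphabet ^ length). This is the 10^4 / 128^4 / 10^24 model."""
    return length * math.log2(alphabet_size)


def unordered_bits(dictionary_size: int, words: int) -> float:
    """Entropy when only the set of distinct words counts, not their order:
    log2(C(n, k)). 'Choose' rather than powers is the conservative figure;
    rearranging the words into a sentence does not subtract from it."""
    return math.log2(math.comb(dictionary_size, words))


def equivalent_random_chars(bits: float, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Random printable characters needed to carry the same entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the space."""
    return 2 ** (bits - 1) / guesses_per_second


def report() -> dict:
    """Worked numbers for the cases the two posts quote."""
    return {
        "4 digits": ordered_bits(10, 4),
        "4 ASCII chars (128)": ordered_bits(128, 4),
        "4 words (1e6 dict)": ordered_bits(1_000_000, 4),
        "7 words, choose": unordered_bits(100_000, 7),
        "7 words, ordered": ordered_bits(100_000, 7),
    }


if __name__ == "__main__":
    for label, bits in report().items():
        chars = equivalent_random_chars(bits)
        print(f"{label:22s} {bits:6.1f} bits  ~ {chars:2d} random printable chars")
```

Run as a script it shows that the 7-word set carries about what 16 random printable characters do, which is the memorability trade the post is making.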
Teach users what entropy is? That is unpossible (as Ralph Wiggum would say).
I have a friend who is clearly quite intelligent, but can't remember how to do cut and paste -- though I bet he knows more people by name than anyone I have ever known. Even a poor quality password meter probably helps password quality more than any single attempt to teach how to make good passwords. After all we have been trying to teach this as an industry for decades without much success.
The problem is that ad-hoc password strength measurement is usually pretty bad because writing a good meter is hard, although again something is usually better than nothing. Best practice would suggest reusing code from someone else, perhaps just as Dropbox did according to the article -- apparently zxcvbn. I am not claiming zxcvbn is actually good, just that the researchers referred to Dropbox favorably in this regard.
The correct solution is clearly a Password Strength Meter Password Strength Meter
If only society had some way of teaching people things so that they wouldn't be incompetent.
We could call it Skowol.
Well, a random set of 7 words will rarely form a sentence.
Note: copying and pasting passwords is a hell of a security hole. Every single program can read the clipboard.
True enough.
Though you can do strange things like display a tiny hash picture when the user has finished - that can be a visual verification.
Reordered with glue words between them, they can. None of that reduces the entropy, not the way I calculated it.
Notice I used choose, not powers.
Or sites that disallow the browser's password store.
Upon further reading of the research article itself, I discovered that Dropbox created the meter and then shared it as zxcvbn instead of the other way around that I assumed. They apparently also liked the strength checking in the KeePass utility which is also open source.
Does not matter if the browser blocks cut and paste. The user probably tries to use cut and paste anyway, so it's still in the clipboard.
Of course, making use of this security hole means your computer is already compromised anyway.
Sorry I guess I didn't describe the bug properly: often websites accept a long password to create the password, but apparently drop the rest of the string after a certain amount of characters which makes a password of fewer characters than the user wanted.
This wouldn't cause a problem (aside from being a security hole) except when I go to type in my long password to log in, the software takes the entire string and does not drop off the characters after the limit used in creating the password, effectively making it so I cannot log on with the password I tried to sign up with.
I use the clipboard only for testing to see if this bug is there; eliminating the potential that perhaps I just typed my password in incorrectly.
For example, I sign up for a user on website with username "username" and password "This is a very long and secure password". The site, in order to prevent the string being too long, only accepts 20 characters, making my password "This is a very long ". Ok. When I go to log in, however, there is no character dropping, and so it compares my password "This is a very long and secure password" to "This is a very long ", which obviously do not match, and I cannot log in, even though I am typing the same string every time.
This is the bug I was trying to describe and is very frustrating.
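An added example, not code from the thread or from any named site: the bug described above as server-side logic, a creation path that silently trims the password while the login path hashes the full string, beside a corrected pair that applies one shared length rule on both paths. The 20-character cut-off and the sample password match the post; the 1024-byte hard limit and the use of PBKDF2 are constructed for the demonstration.

```python
import hashlib
import hmac
import os

SILENT_LIMIT = 20    # the buggy site's hidden cut-off (constructed, from the post)
HARD_LIMIT = 1024    # fixed version: bounds KDF cost, never trims (constructed)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the site really uses; the point is the input.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# ---- buggy pair -------------------------------------------------------------
def register_buggy(password: str):
    """Creation: keeps only the first SILENT_LIMIT characters and says nothing."""
    salt = os.urandom(16)
    return salt, _hash(password[:SILENT_LIMIT], salt)


def login_buggy(password: str, record) -> bool:
    """Login: hashes exactly what was typed, so the full password never
    matches while its trimmed prefix does."""
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


# ---- fixed pair -------------------------------------------------------------
def length_ok(password: str) -> bool:
    """One rule, called from both paths. Over the limit means reject with a
    message, never cut. Because the stored value is a fixed-size hash, the
    limit exists only to bound hashing work, not storage."""
    return len(password.encode("utf-8")) <= HARD_LIMIT


def register_fixed(password: str):
    if not length_ok(password):
        raise ValueError(f"password longer than {HARD_LIMIT} bytes")
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def login_fixed(password: str, record) -> bool:
    if not length_ok(password):
        return False
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def truncation_bug_present(register, login, password: str, limit: int) -> bool:
    """The post's own diagnostic: the full password fails but its prefix works."""
    record = register(password)
    return (not login(password, record)) and login(password[:limit], record)


if __name__ == "__main__":
    pw = "This is a very long and secure password"
    print("buggy pair truncates:", truncation_bug_present(register_buggy, login_buggy, pw, SILENT_LIMIT))
    print("fixed pair truncates:", truncation_bug_present(register_fixed, login_fixed, pw, SILENT_LIMIT))
```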
I did not describe what I was doing very well; see my response to my original comment.
The clipboard is just being used to confirm the bug; the first time I attempt to create a password obviously I should not make a habit of doing this.
Well, the arbitrarily low limits on password length are just annoying. Yes, I am sure that they want to save a few bytes in the DB, but seriously, if I really want to I should be able to have Beowulf written in the original Old English as my password if I want. Off by one errors are common so maybe report the bug, but I would also complain about the short length allowed.
1) Computers are, by design, a tool to lessen entropy. Computers sail through an Internet of chaos and disorder like icebreakers leaving a trail of ordered, aligned wreckage in their wake.
2) Any program or method employed by a computer to evaluate the "entropic value" of a string in the end means absolutely nothing except that it correlates to other virtual "entropic values" of other strings like it using purely ordered, metered and aligned correspondences of information bits.
3) Computers interacting or evaluating entropy in any way lessens the True Entropy of a system (or password or system of passwords).
Allowing a computer to determine entropy necessarily reduces it, and using such a limited symbolic representation like a keyboard will soon not contain enough variables to adequately retain enough entropy to withstand faster, cooler processors. One method I see for future "password" usage uses the old Ars Memoria or Art of Memory, which I think is somewhat touched upon in xkcd's "correcthorsebatterystaple" method.
In short, letting PCs choose what is random or not is the exact opposite of how true randomness works. We wouldn't trust a randomness engine without knowing how that engine generated the seed of entropy injected to cascade information complexity, but knowing how it is done obliterates its entropic value. In real short, I'm really stoned and I don't know what I'm talking about anymore and this post is too long and boring...I'm hungry dammit.
I'm surprised that Passfault was not mentioned in the paper TFA references, since it specifically checks for dictionary attacks in multiple languages, and for substitutions, reversals, keyboard shifts, and other transforms that an advanced cracking program might check. It's open source, too. Yet no one else even mentioned it in this discussion, when Slashdot is how I know about it in the first place.
In fact, they're ridiculous. I've given a couple presentations on password strength, and password meters are to password strength what the TSA is for air travel security - a better-than-nothing baseline approach that is mostly for show.
The problem is that we have nothing better to offer at this time, even though most security experts agree that passwords are a solution whose time is over.
Already thought of.
https://hashcat.net/wiki/doku....
I hate the length limit too. I commented about how sometimes there is a length limit, but it happens automatically, making your 80 character password 20 characters, and impossible to log in...
But it shouldn't even be a database issue. Unless I am mistaken, the length of hashes isn't (or at least doesn't have to be) dependent on the length of the input, so the database should store the same amount of information for "password" as for the entirety of Beowulf...
Granted, that would take a lot longer for the hasher, but there are generally already things in place to prevent robots trying to bring down the system by attempting login many times a second, no?
Prior to landing on /. for the Nth time today (it is a slow day) I finished reading an article about password complexity and a system called "Diceware".
The main article can be found here with the Wikipedia version here
The system doesn't rely on crazy levels of complexity in a password, rather longer and random words combined to form phrases which are far easier to remember. If only we could get some sort of standard in place so that every website you visit doesn't use their own in house rules for password length, complexity and storage of the hashed and salted versions. Would be nice to know using a thirty character passphrase would work across the board ( different for each site obviously ) instead of having to hop through the password rules for every site :|
What does "password strength" really mean?
If people used a textual representation of number obtained from a reliable hardware random number generator then the meaning would be unambiguous. It's the number of digits in that number. But most people don't do that (perhaps more should).
So what does it mean to say that a password has so many bits of entropy? Well, I guess it means how many truly random bits it would take to index their password from the universe of passwords the user considered. This is more an exercise in psychology than it is in mathematics. You have to figure out how users generate passwords or discount passwords. For example, requiring a mix of upper and lower case letters doesn't add as much entropy as you'd think, because most users are mediocre typists who'll avoid using the shift key too often. Requiring digits means that many people will just use "0" for "o" and "1" for "L".
So it's really easy to concoct passwords which you know are bad, because you know the methods used to select which passwords you'd consider; if the developers of the strength meter don't take your particular generation algorithm into account the meter will show the password to be stronger than you know it to be.
I've never trusted the online "tester" sites. The paranoid side of my brain says the site's purpose is, "Hey, let's take this guy's clever password that a dictionary/brute force attack would never ever be able to break, hash it out, and then compare the hash to others we've already stolen. Profit!"
You won't, but lots of people will -- who remembers whether an arbitrary website disables cut and paste during password entry.
I use passphrases - but not the phrases themselves. I come up with a really long sentence and then just use the first one or two letters from each word.
So, like I would come up with a phrase such as "I like Robert Reich, and think he should run for president in 2016" I would have a password "ilrr,athsrfpi2016" that would be easy to remember. Even if it were somehow tangentially related to a site by topic or theme or "feel" it is a whole lot more secure than a combination of dictionary words and numbers, because I'd bet that most people have stupid passwords in the form of "Password1" just to meet complexity requirements that really aren't effective at all because ironically it would only serve to incentivize people to try to further simplify their passwords.
The ideal complexity tester would test for dictionary words and leave it at that.
Why does my Slashdot account need a password stronger than that?
It's pretty obvious to me that the real solution is to store passwords in a hardware black-box (with a mirrored spare) that only allows a limited number of tries for a given password and all passwords per time period. I.e., throttled.
Computers are getting too fast to permit them to chomp on raw encrypted files.
Too many devices.
Multiple tablets, roku, smart tv, multiple laptops, multiple computers.
If I change the password on one, I have to change them on all. If I have to change my system on one, then I have to write the passwords down.
It's not even "dumb". It's just reality.
However, so far, I've never had a password cracked and I haven't had a virus since "Your Amiga has Come Alive!" back in the early 90s.
I'm just not worth the effort most likely.
So long as the browsers hide my password with dots copy pasting is the only sufficiently reliable way to get temporary passwords right.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
There should be but with these systems that are home rolled who knows. As far as the password truncation the last thing I dealt with that had that problem was a stupid router from the ISP I had about 15 years ago. I get the feeling that having a properly designed system costs money and requires competent and thus expensive people to design and implement so in the race to the bottom good security seems to be the first thing cut.
Sites that disallow any browser autofilling feature for that matter... Why the hell would a site prevent address autofilling? Are users really more likely to manually type in all their information correctly than have the browser fill it in for them that's been stored for years and never had a problem? I hate websites that block the best tools to keep my information correct and secure as well as save me time.
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?