Slashdot Mirror


Cracking Passwords With Statistics

New submitter pjauregui writes: When users are asked to create a "secure" password, most sites simply demand things like "must contain 1 uppercase letter and one punctuation character." But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit. This article starts by asking the reader, "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst: they try any arbitrary password attack they feel like trying with little reasoning. His post is a discussion that demonstrates effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time-boxed approach to efficient and successful cracking.

136 comments

  1. For work I use really bad passwords by Anonymous Coward · · Score: 5, Insightful

    They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

    Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

    1. Re:For work I use really bad passwords by Anonymous Coward · · Score: 1

      I do something similar by continually incrementing the numbers on the end like: password1 ...30 days later... password2 ...30 days later... password3 ...30 days later... password4 ...30 days later... password5 ...30 days later... password6 ...etc.

      This also has the wonderful effect of constantly reminding me of roughly how many months I've worked for this shithole company, as if I needed a reminder.

    2. Re: For work I use really bad passwords by khasim · · Score: 4, Insightful

      It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.

      1. keylogger
      2. some reduction attack
      3. pass the hash
      4. fake authentication request & server
      5. etc

      By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.

      For non-work websites just remember 2 things:
      a. DO NOT USE THE SAME PASSWORD
      b. If it is financial, don't use the same username/email-address as other sites.

    3. Re:For work I use really bad passwords by Darinbob · · Score: 1

      I do the same. Turns out they only require 18 in a row to be unique :-) Though the rest of the requirements aren't so rigid, needing to pick a new one every two to three months is ridiculous. That sort of guarantees that someone writes it down or uses a pattern.

    4. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      I have 5 passwords to remember. All have different expiration times! At least 2 have different requirements (one requires special characters, the other cannot use special characters). wtf? Oh, and yes, it is a medical group including the EMR. When you have to change the password, you don't get any warning, so you have to do it then and there, usually right in front of a patient, typing it in twice. I wish this was just an exaggeration.

    5. Re: For work I use really bad passwords by Anonymous Coward · · Score: 5, Informative

      I have 5 levels of passwords, as follows:

      Level 1: Garbage sites that force me to register to read content, places that don't have AC that I want to comment, etc. - My password is monkeys103. Idgaf if you hack these sites. If they force punctuation I add a comma to the end of it. Who cares. Username could be anything because most likely I'm not coming back.

      Level 2 - Sites where I have a reputation, but it's not attached to my real world persona. Like ArsTechnica, CNN, Ubuntu Forums, etc. I use a moderately complex password, 8 characters, no dictionary words. If it gets hacked, it sucks, but it's not the end of the world. Username is often similar among the sites because there's no real world connection.

      Level 3 - Sites where they have personal information connected to the real world. Think Facebook, instant messaging, etc. I use a 10 digit password here, and if it gets hacked, I immediately change all of these sites so that none have the old password. Also all of them have different usernames.

      Level 4 - Banking or any sites connected to my money (PayPal, for example). I have a very long and complex password for these (unique to each site, randomly generated), as well as any other security they offer (two factor authentication).

      Level 5 - Email, because it's the master key. I use a unique password here, but I have somehow memorised it. My two email passwords are the same, which I know is a weakness, but it's safer than using two weak passwords. The password is the first letter from each word in a phrase, with added numbers and punctuation. Example (I like apples and pears - ilaap)

      Also note that I use a password manager, which requires me to enter in a password (same as my computer logon) to autofill the form. So all in all I really only have to memorize five passwords, and typically only the password manager one.

    6. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

      Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

      There was a statistical analysis done which proved that combining two random words is more secure than these Byzantine password policies which actually encourage people to write them down because of their complexity.

    7. Re: For work I use really bad passwords by BevanFindlay · · Score: 2

      I do reuse the same password in places, but only on sites where I don't care if it gets hacked (and it amazes me how many times I've had to use it). What annoys me though is that I can't always use it as sometimes it's too long (?!), and I've had to adapt to having a version that includes digits and mixed-case (despite the fact that even the basic all-lowercase version is pretty much unhackable - hint: it's more than one word, it makes no sense, and it's not even English). But for important sites (banks, even email) I use completely different passwords. What reusing one password does do though is save me ever having to write down passwords: is it an important site? Then I can probably remember the password. Is it some site I can't even remember signing up to? Then I'll know it's my "throwaway" password.

      Although, a smarter version would probably be to adapt the "throwaway" password with some arbitrary variation based on the name of the site or whatever (e.g. add the third letter of the site name as the second-to-last character, or something similarly obfuscated but easy to remember).

    8. Re: For work I use really bad passwords by BevanFindlay · · Score: 1

      Yes, this. I think that the "levels" idea is probably the best way to manage passwords, as it strikes a balance between uniqueness where it matters and not having to remember too many passwords.

      Also, I would add one comment: not all sites that ask for personal information actually need it (e.g. why should Facebook know - and advertise!? - my real birth date; if people know me well enough, they'll know my real birthday. If not, tough; the site has no need for being given enough information to fake my identity when calling my bank...!)

    9. Re:For work I use really bad passwords by BevanFindlay · · Score: 1

      You mean this? (Obligatory XKCD).

      You know, I think I should change my work password to "Correcthorsebatterystaple1" (2, 3, 4...) just because of the idiot policies. :-)

    10. Re:For work I use really bad passwords by AK+Marc · · Score: 5, Informative

      I've had my first day include complaining to the head of HR that the HR documents on passwords were wrong. The rules were at least one upper, at least one lower, at least one number, and no shorter than 8. However, the password policy described by my peers was "pick a 6-letter word, start with a cap, and put 00 at the end. When you increment it for the 30 day expiration, you can last past the 1-year no reuse policy." The funny thing was, I followed the policy and came up with one that used special characters. Not accepted. And one that used an 8-character word. Not accepted (the password must be exactly 8 chars, and can't include special characters, despite the rules not directing such). The head of HR gave me the same rules as everyone else. So nobody in the company uses a secure password, and the rules on the password are mis-documented. Chairs00. Shh, don't tell anyone.

    11. Re:For work I use really bad passwords by Applehu+Akbar · · Score: 1

      "This also has the wonderful effect of constantly reminding me of roughly how many months I've worked for this shithole company, as if I needed a reminder."

      But as your password pique causes its assets to shuffle off to Nigeria, you won't be working there much longer.

    12. Re:For work I use really bad passwords by Applehu+Akbar · · Score: 2

      The best passwords are the random ones generated by password managers, but the silly rules prevent you from using them. They also prevent people from using secure "personal words" like that weirdly named village you passed through once on vacation. All passwords-by-rule tend to deteriorate to obvious word with initial capital with a 0 or a 1 on the end.

    13. Re:For work I use really bad passwords by tlhIngan · · Score: 4, Insightful

      They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

      Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

      Here's some...

      2015January!
      2015February@
      2015March#
      2015April$
      2015May%
      2015June^
      2015July&
      2015August*
      2015September(
      2015October)
      2015November-
      2015December=

      If it's too long, shorten to 3-letter months.

      And for next year, you'll have another set of "unique" passwords so it doesn't matter if they demand it doesn't match the last 100 passwords.

      Numbers, capital, punctuation: it's got it all.

      With a few modifications, you can come up with similar passwords that will obey any other rules you need.

    14. Re: For work I use really bad passwords by Tom · · Score: 5, Interesting

      Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I gave another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.

      Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

      Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

      I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.

      My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).

      And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.

      --
      Assorted stuff I do sometimes: Lemuria.org

    15. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      At first I thought that was a good idea, then I realized how depressing it would be to type my password every day.

    16. Re:For work I use really bad passwords by AK+Marc · · Score: 1

      An unguessable personal word worked well for me for 20 years online, until places started checking them unencrypted against dictionaries. Yes, Calypso443521 contains a word that could exist in a dictionary, but is unguessable. Nobody would guess that it has any meaning, and with a personal number on the end, it wouldn't fall to any dictionary attack. But would be banned by many places I have passwords now. Like Scunthorpe is banned from most user names and some passwords because it contains a "banned" word, despite not actually containing the word, just the letters in order. It's not like it's #1_cunt_buster, which is what they are trying to ban.

      So yeah, most of the rules are silly, for both usernames and passwords. Though for username, most places are falling back to email address.

      I liked when my bank stopped using SSN for username and switched to last name. Now, someone trying to hack my account personally will have no trouble guessing my username.

    17. Re: For work I use really bad passwords by vux984 · · Score: 1

      One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).

      And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.

      I had a similar system for a while. The problem? One of the sites that had one of my passwords got hacked. Then I had to change it for every other site in that "category" which was a lot of sites, and I'm sure even now that I've missed some. Plus now I have to remember a new password; but still the old one for any sites I missed...

      Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.

      Because if some rinky-dink forum I use gets hacked I don't want to have to change my p/w on 40 other sites.

      I still use passwords I can remember on sites I log into daily, but my utilities, random stores I rarely shop at, etc all have random strings in a password manager.

    18. Re: For work I use really bad passwords by khasim · · Score: 1, Insightful

      Read to the end for a secret revelation.

      One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling.

      The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

      One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).

      A different password but does it still have the same "reset answers" that the other category does?

      And you are depending upon the admins of those sites to correctly secure them and keep those sites secure for THEIR ENTIRE EXISTENCE.

      And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.

      Just about all of the damage can be reversed. It's just a matter of how much time and how much money is lost doing so.

      This is about preventing the damage before it costs you time and money.

      Your Amazon account should NOT have the same password that your eBay account has. No matter how much you trust either of them.

      My PayPal and banking accounts have their own passwords, ...

      And they should have their own email accounts tied to them. If someone cracks your GameYouUsedToPlay.com account that should NOT give them the email address you use at your bank.

      Now, for the secret revelation!

      Passwords WERE once used for security.

      NOW they are mostly (99.9%+) used for MARKETING. That is why almost all the sites out there require a unique login. And those sites are very lax with their MARKETING data (your username/password/answers).

      Once you understand that (and what information you are leaking when you give it to them) you can make better decisions on how much RE-USABLE information you want to give them.

      Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.

    19. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      You can do better than one digit and 8 characters total. For example:

      January2015

      At least one capital letter: check.
      At least one digit: check.
      At least 8 characters: check.

      Before this password policy, I had a randomly generated password. You know, one of those that takes three months to memorize. Well, if they don't want me to use random passwords, it's their own damn fault that I comply with the letter of the password policy.

    20. Re:For work I use really bad passwords by Buchenskjoll · · Score: 4, Funny

      "personal words" like that weirdly named village you passed through once on vacation.

      True. I spent last summer in Wales and the landscape is scattered with good passwords.

      --
      Make America hate again!

    21. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      They are terrible passwords if they're in a dictionary or a rainbow table.

    22. Re:For work I use really bad passwords by Hognoxious · · Score: 1, Funny

      Just take all the vowels out. Oh, hang on a minute...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    23. Re: For work I use really bad passwords by Anonymous Coward · · Score: 0

      Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

      Unfortunately it's their software not your server (i.e. your company / website you're on, not your own personal software). An end-user has no way to verify how passwords are stored. And unless the password is sent as a digest it still passes unencrypted through the server before being hashed, providing a point where they can be logged/captured if the server is compromised.

    24. Re: For work I use really bad passwords by CrimsonAvenger · · Score: 1

      The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

      Use a password manager with a really good password.

      When you create an account, pick a "secret question" randomly, note it in your password manager, then MAKE UP an answer. "What's your mother's maiden name" - "Merkava". "What's the name of your first pet" - "Norelco".

      Hard to guess the answer to a secret question when it has nothing to do with the facts on the ground....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"

    25. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      I do something similar by continually incrementing the numbers on the end like: password1 ...30 days later... password2 ...30 days later... password3 ...30 days later... password4 ...30 days later... password5 ...30 days later... password6 ...etc.

      This also has the wonderful effect of constantly reminding me of roughly how many months I've worked for this shithole company, as if I needed a reminder.

      Ha! You fool! Never discuss your security! I've just cracked your slashdot account!

    26. Re: For work I use really bad passwords by AmiMoJo · · Score: 1

      a. DO NOT USE THE SAME PASSWORD

      There needs to be a better mechanism for doing that easily. Extensions that hash your password with the domain name and a master password before sending work quite well, but mobile browsers often don't support extensions. KeePass with cloud sync isn't bad but means you have to manually find and copy/paste your password every time.

      It seems like something that major browsers could easily implement natively. The hashing idea is pretty easy. Most of them will sync your random passwords for you, but that requires you to trust them with them in the first place.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    27. Re:For work I use really bad passwords by tburkhol · · Score: 2

      Yes, Calypso443521 contains a word that could exist in a dictionary, but is unguessable. Nobody would guess that it has any meaning, and with a personal number on the end, it wouldn't fall to any dictionary attack.

      Are you crazy? There are only a million words in English and only a million six-digit numbers, so the combination of real word + number has only a trillion possibilities. 2^40 possibilities, which will fall rapidly to a dictionary attack. It's as "strong" as 6 random, typeable characters.

      The point of TFA is that while "12 characters, including three different character classes" sounds like 2^84, the reality is that people meet those conditions by using a real word with the first letter capitalized and a number. (rarely the reverse: Number-word)
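
The structure analysis the summary describes, and the keyspace arithmetic in the comment above, as an added example (not code from the article or from any commenter): it maps each password to a character-class mask, groups masks into run structures to show how much of a set a single shape covers, and compares the naive keyspace of a given length with the keyspace of the mask, or of "dictionary word + digits", that people actually produce. This is the check a policy owner can run over a test set to see what a complexity rule really yields. The password list is constructed for the example, and the class sizes (32 symbols, 94 printable characters) are assumptions.

```python
import math
from collections import Counter

# Constructed sample, not real user data: the shapes a "one upper, one digit,
# one symbol, 8+ characters" policy typically produces, plus one random string.
SAMPLE_PASSWORDS = [
    "Summer2015!", "Chairs00", "Password1!", "Monkeys103", "January2015",
    "Welcome1!", "Calypso443521", "Dragon99$", "Football12!", "Qwerty1!",
    "Princess7#", "x7$Kq2!pLm9z",
]

# Assumed class sizes for keyspace estimates (32 ~ printable ASCII symbols).
CLASS_SIZES = {"u": 26, "l": 26, "d": 10, "s": 32}


def mask_of(password):
    """Map each character to its class: u=upper, l=lower, d=digit, s=other."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("u")
        elif ch.islower():
            classes.append("l")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)


def structure_of(password):
    """Collapse a mask to its run structure, e.g. 'ullllldddds' -> 'u+l+d+s+',
    so passwords of different lengths but the same shape group together."""
    runs = []
    for c in mask_of(password):
        if not runs or runs[-1] != c:
            runs.append(c)
    return "".join(r + "+" for r in runs)


def audit(passwords):
    """Count run structures; return (counts, top structure, share it covers)."""
    counts = Counter(structure_of(p) for p in passwords)
    top, n = counts.most_common(1)[0]
    return counts, top, n / len(passwords)


def naive_bits(length, alphabet=94):
    """Keyspace in bits if every position were uniform over the printable set."""
    return length * math.log2(alphabet)


def mask_bits(mask):
    """Keyspace in bits of one fixed mask: product of per-position class sizes."""
    return sum(math.log2(CLASS_SIZES[c]) for c in mask)


def dictionary_bits(word_count, digit_count, symbol_count=1):
    """Keyspace in bits for 'dictionary word + digits (+ one symbol)';
    symbol_count=1 means no symbol is appended."""
    return (math.log2(word_count) + digit_count * math.log2(10)
            + math.log2(symbol_count))


if __name__ == "__main__":
    counts, top, share = audit(SAMPLE_PASSWORDS)
    for structure, n in counts.most_common():
        print(f"{structure:<28} {n}")
    print(f"top structure {top} covers {share:.0%} of the sample")
    for pw in ("Summer2015!", "x7$Kq2!pLm9z"):
        m = mask_of(pw)
        print(f"{pw:<14} mask={m:<26} naive={naive_bits(len(pw)):5.1f} bits "
              f"mask={mask_bits(m):5.1f} bits")
    # The comment's estimate: ~1e6 words x 1e6 six-digit numbers ~ 2^40.
    print(f"word + 6 digits: {dictionary_bits(10**6, 6):.1f} bits")
```

Running it on the sample shows a single shape (capitalised word, digits, trailing symbol) covering more than half the set, and an 11-character password of that shape carrying roughly 46 bits against the 72 bits its length would suggest.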

    28. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      The problem at my company is that the horrible policy is applied to everyone except IT and the CEO.
      The only people with the power to change it aren't affected by it :(

    29. Re: For work I use really bad passwords by F.Ultra · · Score: 1

      Instead of writing these made up answers to the "secret question" it's far better IMHO to just have your password generator generate a new 40 random character string and use that.

    30. Re: For work I use really bad passwords by houghi · · Score: 1

      We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

      This. This. So much this. I use 5 different passwords. The same as you, but with different ones for work and for home as well added.

      IT people only look at their own little world. Their own server and the only thing they are interested in is not being blamed if somebody hacks the system. Then when it is broken into they can say: well, we told them the password should be 256 characters long, should be changed each time you get back from a break and must contain the rules as provided by us. The user decided to write it down and that is clearly not allowed.

      Instead they should start looking for a better way to do it. People are part of the chain and will be the weakest link; You can not change people, so you need to work with what you have.

      So as a result the weakest password I have is my work password. Basically a four letter word with year and month added. I change them every month on the first workday of the month.

      --
      Don't fight for your country, if your country does not fight for you.

    31. Re: For work I use really bad passwords by CrimsonAvenger · · Score: 1

      Instead of writing these made up answers to the "secret question" it's far better IMHO to just have your password generator generate a new 40 random character string and use that.

      Which I would then have to store in the notes section just like I do with the made-up answers?

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"

    32. Re:For work I use really bad passwords by Quirkz · · Score: 1

      I guess 1337 vowels are out, too.

    33. Re:For work I use really bad passwords by Creepy · · Score: 1

      That works great if you aren't forced to have 6 characters different, as well. Our rules were 8+ characters, 20x without repeat, 6 char difference in each password, 30 day forced changes, at least one upper case character, and at least one punctuation. Through trial and error, I found the 6 characters different were based on position, so my solution was rotation - Pa$$w0rd becomes a$$w0rdP and then $$w0rdPa, etc. Works for a few months at least, and I only needed to memorize three strings. Never got cracked by the brute force software so far, so it worked for me (and no, my password is not Pa$$w0rd - that is an old joke and not a very good one).

    34. Re: For work I use really bad passwords by JazzLad · · Score: 2

      I used to have a favourite keygen (for some obscure program, I don't recall which), I would use the webpage address as the name & whatever key it spit out would be my password.

      I have no idea why I stopped doing this ... I may start again :)

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever

    35. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      I solve that in a simple manner. I have an app for Android which is a version of KeePass (KeePass2AndroidOffline) that requires zero permissions (i.e. no network access), so I just use that for storing and generating passwords used.

      For backups, Titanium Backup does encryption (it generates an RSA key, encrypts the private key, then saves backups, encrypting with the public key, so backups can be done, but restores will need a passphrase).

      Not a 100% secure solution, but not bad, and helps with needing a new password every time.

    36. Re: For work I use really bad passwords by Creepy · · Score: 1

      I have throw-away passwords I sometimes reuse as well, also for sites I need to register on and don't particularly care about (they also get a junk email account I never check). I will vary this password by using a trick - I use the last character in the site name as the first character in the password so it is rarely the same. Still not exactly secure, but easy to remember and varies the password by site. The rest of the password is usually some fantasy character name with flipped calculator/leetspeak letters thrown in with the capital moved to after the first number. For instance, Godwynne would become g0Dwynn3 and BadBrutus would be b7DBrutus. If I was on Slashdot, these would be tg0Dwynn3 or tb7DBrutus.

      And yeah, that is for my throw-away passwords. Most of my non-throwaway passwords I doubt could be guessed or hacked through brute force. A keylogger probably won't help (it will be flagged as an unknown program by security scans and set off a security alert), so you'd need to rootkit the machine.

    37. Re: For work I use really bad passwords by Creepy · · Score: 1

      You could also use a system to vary the passwords. I use the last character of the site name (as I stated in a different post), but I've been migrating to a new system in the past couple of years, which is why I didn't care about divulging it. Let's say the new system is the first and last characters of the site (it is not) - I could then have sPa$$w0rdT for the password to Slashdot, and while it is essentially the same, it varies for most of my accounts. One hint - my new system sometimes excludes RSTNLE, AKA the Wheel of Fortune characters, AKA the most popular characters in at least American English, but sometimes does not and knowing when to use them or not is part of the trick. My new system gives me 4 character/number differences and positional differences in every password, so I expect it will be far more secure than my current method and still easy to remember.

    38. Re: For work I use really bad passwords by mlts · · Score: 1

      One thing about work passwords (and in general, I'm assuming this is an AD or LDAP user account), any sane setup should lock the account after a certain number of guesses [1], so 15-20+ character passwords are not as needed, assuming the account isn't an admin account or a service account which never will have its password changed. (For service accounts, I like using randomly generated 128-character Unicode passphrases because those accounts are set to not get locked due to brute force attempts, so they have to have actual brute-force resistance.)

      With this in mind, a "work" password with the Microsoft defaults (as shipped with Windows server releases) is reasonably secure.

      For finances, I use not just a completely different password, but an E-mail address on a private domain that doesn't get used anywhere else. I also try to enable 2FA if possible.

      For other passwords, I just use a mechanism that asks for a master passphrase, then uses an MD5 hash of the site + the passphrase to derive the password for that website. This way, there isn't much to store, and they are easily regenerated.

      [1]: Of course, unlock it after a period of time has passed. I've seen some companies have a "keep accounts locked until manually unlocked" policy... only to discover that it takes more time in manning a phone bank 24/7 to have someone unlock accounts as opposed to just locking an account for a few minutes (which is good enough to help mitigate a brute force password guess attack, especially if logs that alert someone are used.)
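
The site-specific derivation described in this post, and earlier in AmiMoJo's comment about extensions that hash the domain name with a master password, written out as an added example that is not either poster's tool: it swaps the single MD5 hash for PBKDF2-HMAC-SHA256 with a high iteration count, so that a derived password captured from one site is expensive to turn into guesses at the master passphrase, adds a per-site rotation counter so one site can be changed without touching the rest, and forces one upper, lower, digit and symbol at key-derived positions so the result passes a typical complexity rule without having a fixed shape. The iteration count, alphabet, symbol set and default length are choices made for this example.

```python
import hashlib
import string

# Parameters chosen for this example (assumptions, not from the post).
ITERATIONS = 600_000                        # PBKDF2 work factor
ALPHABET = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*"                        # symbols most policies accept


def normalize_site(site):
    """Lower-case and trim the site label so ' Example.COM ' and 'example.com' agree."""
    return site.strip().lower()


def derive_site_password(master, site, length=16, counter=1, iterations=ITERATIONS):
    """Derive one per-site password from a master passphrase.

    PBKDF2-HMAC-SHA256 is keyed by the passphrase and salted with the site name
    plus a rotation counter (bump the counter to rotate that site alone). Extra
    derived bytes choose which slots hold the guaranteed upper, lower, digit and
    symbol, so every output meets the usual rule without a fixed structure.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold all four classes")
    salt = f"{normalize_site(site)}|{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=2 * length + 4)
    n = length - 1                          # one slot is reserved for the symbol
    body = [ALPHABET[b % len(ALPHABET)] for b in raw[:n]]
    ctl = raw[n:]                           # remaining bytes steer the guarantees
    # Three distinct slots ordered by key material, not fixed at the front.
    p_up, p_low, p_dig = sorted(range(n), key=lambda i: ctl[i])[:3]
    extra = ctl[n:]                         # six further bytes for class picks
    body[p_up] = string.ascii_uppercase[extra[0] % 26]
    body[p_low] = string.ascii_lowercase[extra[1] % 26]
    body[p_dig] = string.digits[extra[2] % 10]
    body.insert(extra[3] % (n + 1), SYMBOLS[extra[4] % len(SYMBOLS)])
    return "".join(body)


def meets_policy(pw):
    """The usual rule: at least one upper, one lower, one digit and one symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


if __name__ == "__main__":
    master = "correct horse battery staple"   # demo passphrase only
    for site in ("example.com", "shop.example.net"):
        print(f"{site:<18} {derive_site_password(master, site)}")
    print(f"{'example.com (rotated)':<18} "
          f"{derive_site_password(master, 'example.com', counter=2)}")
```

Nothing but the master passphrase and, per site, the counter needs to be remembered or stored; the cost of the derivation is paid once per login, while anyone holding a leaked derived password pays it for every guess at the passphrase.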

    39. Re: For work I use really bad passwords by Anonymous Coward · · Score: 1

      He's a self-described security expert, though, which trumps all of our real world experience.

      Mat Honan's experience tells us that all it takes is ONE bad pick of an "unimportant" for re-using your password. I wonder if Tom here burns with a desire to address this point in his post, as well as adding something about personal security questions.

      http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

    40. Re: For work I use really bad passwords by Larryish · · Score: 1

      Brute force hasn't been a threat for years.

    41. Re: For work I use really bad passwords by bwcbwc · · Score: 1

      I have a similar categorization scheme, but I "salt" the PWs with a mnemonic that I use to vary the PW within each category. That way I only have to hurry and reset all my PWs in the category if two or more sites in the category get compromised, which increases the risk that the mnemonic can be derived. For a brute-force attack, if someone knows my password MiXedABUPC, it's just as hard to decrypt MiXedxyUPz as it is to decrypt adfOYcqC1B. Of course if you know (or assume) that I use a pattern, it's probably easier to try to guess what the pattern is than a pure brute-force attack.

      --
      We are the 198 proof..
    42. Re: For work I use really bad passwords by minchazo · · Score: 1

      What about using the same password for everything, just changing them *all* every 2-3 months?

    43. Re: For work I use really bad passwords by Anonymous Coward · · Score: 0

      While I really have no grounds to question an authority such as yourself, I think your analysis (and the analysis of many other people commenting on this) is really missing the huge elephant in the room. We need to start holding the people who are storing our passwords accountable for negligence when they end up getting hacked and leaking them. Of the high profile cases that come immediately to my mind, they all happened because those entrusted to keep our personal information secure fell down on the job, often in spectacularly stupid ways. This seems to me to be the weakest link in the security fence. And no amount of password obfuscation/randomization on our part can ever fix that. Until that security hole is plugged, telling the end user to come up with ever longer/random passwords looks more and more like a desperate attempt to rearrange deck chairs on the Titanic.

    44. Re:For work I use really bad passwords by Vlad_the_Inhaler · · Score: 1

      That is exactly what I did for a while, and for the same reason.
      Then I thought out a different system which fits the rules and provides me with new passwords I can use more often than I actually need them. They are still not *that* secure but having to change passwords every couple of months is incompatible with having strong passwords.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    45. Re:For work I use really bad passwords by greg1104 · · Score: 1

      There's only a million words in English and only a million six digit numbers, so the combination of real word + number has only a trillion possibilities.

      This is why I use 7 numbers in my password, Jenny8675309.

    46. Re: For work I use really bad passwords by Steve+B · · Score: 1

      If you have a global auto-type key set (Ctrl-Alt-A by default), you can get KeePass to autotype your username and password. The details can be fiddly (especially for sites where they have some weird notion that forcing you to load a new page between entering username and entering password enhances security somehow), but it generally works if you have the URL field filled out in the individual KeePass entries.

      --
      /. If the government wants us to respect the law, it should set a better example.
    47. Re: For work I use really bad passwords by vux984 · · Score: 1

      You could also use a system to vary the passwords.
      [... describes system loosely...]

      The problem I have with systems like this is:

      One site won't let you have punctuation... another site requires it. One site says your password is too short. Another says it's too long. A site that was happy with your "system" password gets hacked and you have to change it.... and these exceptions build up over time rendering the system an exercise in futility.

      Then eventually you get fed up with the exceptions, devise a new system and start all over again...

      But if you miss any sites when you switch over you have to retain your old system as well.

      This sort of all defeats the purpose of a system.

      So I have a loose system for the passwords I need daily. And a password app for everything else.

    48. Re: For work I use really bad passwords by Anonymous Coward · · Score: 0

      I also like the levels idea. Since there are so many sites that demand a login before they allow posting or even viewing, the password is there just to get to the next screen. Someone hacks my pinterest account, who cares. It is only there because the site gives you 8 seconds before demanding you make an account and consent to constant spam bombardments.

      As for a password manager, I'd like one that does two layers of encryption:

      The first layer is the one to access passwords on a device. Since a password manager -should- use KeyChain or other functionality in iOS to lock access unless the device is unlocked, the code doesn't have to be as secure as on a PC.

      However, there needs to be a second layer, especially if the PW manager syncs using a cloud utility. Preferably not based on passwords. The ideal was one PW manager which would allow devices access... but you had to put in the new device's public key and re-encrypt the synced file from a previously authorized device. This way, the person who hacks the cloud provider has to guess all 256 bits of AES, with no ease of brute forcing possible.

    49. Re: For work I use really bad passwords by Vesvvi · · Score: 1

      I discussed the details of how you can do it here: http://it.slashdot.org/comment...

      It's really the only solution. There are 2 modern threats to passwords: computationally weak passwords and compromised servers with poor practices.

      It's easy to make a computationally strong password, and it's not hard to make it memorable. But poor HR/IT policies such as described here compromise good passwords (forcing rapid changes, disallowing long passwords, etc). So memorable passwords are not easy, in practice.

      On the other hand, there is absolutely nothing you can do to fix the possibility of server-side password leakage, aside from avoiding inter-site re-use.

      The parameters which solve these two issues are really obvious: never provide any server a password which is not 1.) unique, and 2.) effectively random.

      Once you're that far, it's also obvious how to get from something memorable to something unique and random: you take something simple, salt it, and encrypt/hash it. There is one additional step of complexity: use a non-secure transform to convert your random hash into an IT-approved password. If they want a character and an uppercase, go ahead and add/replace to get those characters. It doesn't matter if those characters are secure, since the rest of your password is: put 123!@# on the end of every password if you want.

      The only problem left is that we can't compute hashes in our head, but there are hardware answers to that. The only place this falls short is when you are not permitted by policy to bring a device with you, and there is no trusted hardware on-site (desktop) capable of computing a hash.

    50. Re: For work I use really bad passwords by Vesvvi · · Score: 1

      You're making the mistake of thinking that your password system and their requirements need to be integrated: they don't. You can concatenate a strong password system with their weak requirements, and the result is still strong.

      The only time it gets weaker is when they enforce a maximum length. Then you have to start dropping your secure input in favor of their weak requirements. But in this situation, your (internal) password/phrase isn't compromised, only the public version they get. Too bad for them.

    51. Re: For work I use really bad passwords by vux984 · · Score: 1

      You can concatenate a strong password system with their weak requirements, and the result is still strong.

      But this requires I memorize "their weak requirements" for each site as this is not usually disclosed on the usual login page?!

      And it still doesn't address the fact that if they get compromised I have to CHANGE my password.

      If I'm using a 'system' to generate passwords, then I can't use that system for this site anymore, because the password the system generates for the site is compromised.

    52. Re:For work I use really bad passwords by Anonymous Coward · · Score: 0

      A classical example of insecurity by stupidly done security measures. From my experience, corporate IT security people are the dumbest and least capable ones of all IT personnel.

    53. Re:For work I use really bad passwords by AK+Marc · · Score: 1

      How do you know I'm using a 6-digit number?

      It's as "strong" as 6 random, typeable characters.

      That's still better than most passwords.

      Your dictionary attack will only work if you are 100% correct about your guess. If you don't know the length of the number, then your attack will fail.
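
Comments 45 and 53 argue about the keyspace of "real word + digits" and whether an attacker has to guess the structure right. The article's approach is to stop guessing and read the structure off leaked passwords: tabulate each password's mask (hashcat-style ?u/?l/?d/?s tokens), rank the masks by how often they appear, and run the masks with the best expected hits per guess inside a fixed time budget. The example below is added here and is not the article's or any commenter's code; the leaked sample is constructed for the example, and the 33-symbol ?s set, the 10^9 guesses/s rate and the one-hour budget are assumptions.

```python
import re
from collections import Counter

# hashcat-style mask tokens; ?s is the 33 printable ASCII punctuation characters (assumed charset)
CHARSET_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}

# Constructed stand-in for a leaked password list; not real data.
SAMPLE_LEAK = [
    "Password1", "Summer2015!", "Jenny8675309", "letmein", "Dragon99", "Welcome1!",
    "Monkey123", "abc123", "Qwerty1!", "Baseball7", "Trustno1", "Football2",
    "Hunter2", "Shadow88", "Michael1", "Princess2!",
]


def mask_of(password):
    """Structure of a password as a mask: 'Password1' -> '?u?l?l?l?l?l?l?l?d'."""
    tokens = []
    for ch in password:
        if ch.isupper():
            tokens.append("?u")
        elif ch.islower():
            tokens.append("?l")
        elif ch.isdigit():
            tokens.append("?d")
        else:
            tokens.append("?s")
    return "".join(tokens)


def keyspace(mask):
    """Number of candidates a mask attack has to try for this mask."""
    size = 1
    for token in re.findall(r"\?[ulds]", mask):
        size *= CHARSET_SIZE[token]
    return size


def mask_statistics(passwords):
    """Masks ranked by how often they occur in the sample (what a statsgen-style tool reports)."""
    counts = Counter(mask_of(p) for p in passwords)
    return [{"mask": m, "hits": c, "keyspace": keyspace(m)} for m, c in counts.most_common()]


def plan_attack(passwords, rate, budget_seconds):
    """Time-boxed plan: run the masks with the best expected hits per guess first,
    skipping any mask that would not fit in the remaining budget."""
    stats = sorted(mask_statistics(passwords),
                   key=lambda s: s["hits"] / s["keyspace"], reverse=True)
    plan, spent = [], 0.0
    for s in stats:
        seconds = s["keyspace"] / rate
        if spent + seconds > budget_seconds:
            continue
        spent += seconds
        plan.append({**s, "seconds": seconds})
    return plan


if __name__ == "__main__":
    # Assumed 1e9 guesses/s (a GPU against a fast unsalted hash) and a one-hour budget.
    for entry in plan_attack(SAMPLE_LEAK, rate=1e9, budget_seconds=3600):
        print(f"{entry['mask']:24} hits={entry['hits']} "
              f"keyspace={entry['keyspace']:>16} {entry['seconds']:10.2f}s")
```

On the constructed sample the most frequent mask is the one the summary predicts (capital first, digit last, ?u?l?l?l?l?l?l?l?d, about 2.1e12 candidates), and the hour-long plan covers 12 of the 16 passwords; the word-plus-seven-digits structure from comment 45 is skipped because its 1.2e14 keyspace alone exceeds the budget. That is the sense in which "the attack only works if the guess about the structure is right": the attacker does not need to be right about your password, only about which structures pay off per guess across the population.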

    54. Re: For work I use really bad passwords by Tom · · Score: 1

      You're right on that. If you have an account on some random forum, you should treat the password you use there as if it has already been compromised.

      Sorry that I thought that's so obvious it doesn't need to be mentioned.

      --
      Assorted stuff I do sometimes: Lemuria.org
    55. Re: For work I use really bad passwords by AmiMoJo · · Score: 1

      Thanks, I'll try it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    56. Re: For work I use really bad passwords by Tom · · Score: 1

      Changing passwords doesn't make them magically more secure.

      What do you hope to accomplish? If you have a good reason to change, change. If you don't, you change for prophylaxis, to stop someone who may have been using your account for something. But if you didn't even notice, what's the damage? And if he's a pro, he's also changed the password reset email address, at least on sites that don't send a notice to the old address.

      You're doing a lot of effort for - what? If you can't answer that question, don't do it.

      --
      Assorted stuff I do sometimes: Lemuria.org
    57. Re: For work I use really bad passwords by Tom · · Score: 1

      The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

      These bullshit "security questions" are actually the weakest link. I don't use them. If the site enforces it, I fill them with noise.

      Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.

      Depends on your bank. Mine doesn't let me log in with username or password or any such crap. Also, every bank worth its money these days will use 2-factor authentication, or send a TAN by SMS or something like that. More and more banks will also send you SMS to inform you about every transaction made, so you can stop any abuse immediately.

      Banks are among the few who actually take security seriously. They're not perfect, not by far, but they are still among the only commercial entities to use one-time-passwords (those TAN lists) and were among the very first to use 2-factor authentication.

      So, to answer your question: What do you need to access my bank account? Nothing you would find on any of the forums, games sites or even my Amazon or iTunes account.

      --
      Assorted stuff I do sometimes: Lemuria.org
    58. Re: For work I use really bad passwords by Tom · · Score: 1

      Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.

      Yeah, that sucks.

      I use a password manager as well, mostly because I'm lazy typing. It gives me the added benefit that if one of the sites gets hacked, I can check the PW manager to see where else I use the same PW.

      You can use different passwords, if you like. I don't do it because it would mean that when I find myself without my PW manager, I'd be fucked. And it happens quite often that I do.

      --
      Assorted stuff I do sometimes: Lemuria.org
    59. Re: For work I use really bad passwords by vux984 · · Score: 1

      I read your link.

      The only problem left is that we can't compute hashes in our head, but there are hardware answers to that.

      At which point using a password safe(s) on a trusted device is basically the same thing. Except more convenient. Since you can have as many safes as you want, with an arbitrary number of records in them, protected by passwords as is suitable to the class of passwords in them. It's less data entry on average to retrieve a password, and it eliminates having to worry about which sites you need a 123!@# tacked on the end, and which sites don't, etc.

      Decent password safes also let you securely store notes, usernames, urls, and so forth... which is often just as important and just as difficult to remember as the actual password.

    60. Re: For work I use really bad passwords by Vesvvi · · Score: 1

      They're close to the same thing, but they differ in the important places. An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".

      It could possibly store non-sensitive data, like usernames, "123!@#" modifiers, or notes, but it's not required.

      I will admit that it could be inconvenient, but I think it's a reasonable tradeoff for the simplicity and security.

    61. Re: For work I use really bad passwords by vux984 · · Score: 1

      An algorithm-on-a-chip (with tiny keypad and LCD) never stores any sensitive data. It's never connected to a potentially-compromised desktop. It can't be brute-forced, since there's nothing present to "unlock".

      That's fair, but it's also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc..)

      It's not a practical solution if it doesn't actually exist.

      Although there might be a market for a such a device.

      It also still requires you need to memorize a password (even an easy one) for each situation. I have well over 100 passwords; and could not remember them all even if they were "easy" -- some I don't use for over a year at a time, unless I relied on a system -- and relying on a system breaks down as soon as a site is compromised as I would then need to come up with a new password that deviates from the "system".

      I would suggest that perhaps a combination of the two is the holy-grail. Password safe-like functionality for the majority of relatively unimportant passwords, and then some dedicated hardware for a smaller subset of important passwords.

    62. Re:For work I use really bad passwords by AchilleTalon · · Score: 1

      Frankly guys, I believe you are complaining the belly full. At my place, everything is so obscure and cryptic that even the guys responsible for the DNS succeeded in defeating the purpose of a DNS in the first place. It is almost easier to remember the hosts by their IP addresses than by their names. Imagine now the password rules.

      --
      Achille Talon
      Hop!
    63. Re: For work I use really bad passwords by Vesvvi · · Score: 1

      That's fair, but its also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc..)

      It doesn't require the dedicated hardware, it's just an option (that doesn't exist yet...). I think it's likely a better option than products like the Mooltipass.

      I use this approach currently, since I basically trust my desktops. I can also ssh to a server I trust, which is capable of doing it. You could do it now on a smartphone, but that's a tough platform to lock down. If you're desperate, you could find a website that can do it for you (googled quickly): http://pajhome.org.uk/crypt/md.... Regardless of full desktop, smartphone, or keyfob, the general characteristics are always the same: never storing secret, never directly performing authentication, no storing secure keys (although they could be added as another layer).

      You definitely never need to worry about compromised sites:
      hashlib.sha256('PrivateSimplePass+OnlinePoker.com'.encode('utf-8')).hexdigest()[:16] = '2afd111a2ddde285'
      When their site gets compromised, your password needs to change:
      hashlib.sha256('PrivateSimplePass+YourSecuritySucks'.encode('utf-8')).hexdigest()[:16] = 'fead5a3bbde90be3'

      I do agree that a password safe combo would be the best option, since it's just not important to really lock down every password.
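
Comments 38, 49 and 63 all describe the same idea: derive each site's password from one memorable secret plus the site name, then bolt the site's complexity rules on with a fixed, non-secret transform, and rotate a leaked site by changing the site string. The example below is an added illustration of that scheme and is not the commenters' code: they hash secret+site with a single MD5 or SHA-256, whereas this version runs PBKDF2 with the site label as salt and a `version` counter for rotation, and the function names, the 62-character alphabet, the iteration count and the sample master secret are all this example's own choices.

```python
import hashlib
import string

# Parameters of this example only (names, PBKDF2 and its iteration count are assumptions,
# not the commenters' scheme, which used a plain MD5/SHA-256 of secret+site).
ALPHABET = string.ascii_letters + string.digits   # 62 symbols for the random-looking part
ITERATIONS = 100_000                              # makes offline guessing of the master slower


def derive_site_password(master, site, version=0, length=16):
    """Deterministically derive a site password from a memorable master secret.

    The normalised site label is the PBKDF2 salt, so every site gets an unrelated
    password. Bumping `version` rotates one site's password after that site leaks,
    which is what comment 63 does by hand by editing the site string.
    """
    salt = f"{site.strip().lower()}|v{version}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32)
    # Base-62 encode the 256-bit key; the low digits of a uniform integer are uniform.
    number = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


def fit_policy(secret_part, need_upper=True, need_digit=True, need_symbol=True, max_length=None):
    """Comment 49's 'non-secure transform': bolt the site's rules onto the random part.

    The appended characters are fixed and public, so they add no strength; the only
    loss is when a maximum length forces the random part itself to be shortened.
    """
    reserve = int(need_upper) + int(need_digit) + int(need_symbol)
    if max_length is not None:
        secret_part = secret_part[: max(0, max_length - reserve)]
    suffix = ""
    if need_upper and not any(c.isupper() for c in secret_part):
        suffix += "A"
    if need_digit and not any(c.isdigit() for c in secret_part):
        suffix += "1"
    if need_symbol:
        suffix += "!"
    return secret_part + suffix


if __name__ == "__main__":
    master = "correct horse battery"      # memorable master secret (example value)
    current = derive_site_password(master, "OnlinePoker.com")
    rotated = derive_site_password(master, "OnlinePoker.com", version=1)
    print(fit_policy(current, max_length=12))   # site with a 12-character cap
    print(fit_policy(rotated))                  # after that site leaked
```

Two practitioner notes on the design. A derived password that leaks from one site is an offline test oracle for the master secret, because the attacker knows the site string; with a single fast hash that is a dictionary attack on whatever you found memorable, which is why the example spends 100,000 PBKDF2 iterations per derivation. And the `version` counter is exactly the per-site state comment 51 objects to having to remember: once you track versions and per-site rules somewhere, you have most of a password manager anyway, which is the combination comments 61 and 63 end up recommending.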

    64. Re: For work I use really bad passwords by dave420 · · Score: 1

      My bank has pretty decent security - after logging in with a very long string of numbers & password combination, to do anything with the bank accounts one must use a TAN generator into which they place their card, then place it on the screen in order to generate the TAN itself, which is typed back.

    65. Re:For work I use really bad passwords by Mex5150 · · Score: 0

      But what about May? May2015 is a character short ;^/

    66. Re: For work I use really bad passwords by F.Ultra · · Score: 1

      Exactly

    67. Re: For work I use really bad passwords by lsatenstein · · Score: 1

      Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.

      Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

      Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

      I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
      My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).

      And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.

      I'm with you. I have a common password for 90% of my websites. I have only 1 credit card, one bank, and one bill payment account. All others I pay via direct visit to the bank or via cheque. For the 1 and 1 and 1, I have three reasonably long passwords.
      By the way, my passwords are characters from utf-8. So that you know, € and ¥ are used for some of my pwds. Not sure you can enter the euro or yen symbol on the default US keyboard layout. My financial passwords exceed 10 characters in length and may include some characters from ±£€½¾çî and more. Hackers usually believe that only easily entered keyboard characters are required in the test alphabet.

      --
      Leslie Satenstein Montreal Quebec Canada
  2. geeks never learn by Anonymous Coward · · Score: 3, Funny

    quote
      "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure."
    unquote

    yeah, right, my mom is gonna stop and think about how a cracker looks at structure....

    1. Re:geeks never learn by Anonymous Coward · · Score: 1

      If you asked my mom to do this, she would be thinking about snack crackers.

    2. Re:geeks never learn by dgatwood · · Score: 1

      quote "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." unquote

      yeah, right, my mom is gonna stop and think about how a cracker looks at structure....

      This. In fact, I would have probably said "there's your problem" after the second word in the summary, or at best, right after the first comma. The flaw is that users are creating passwords at all. Humans create passwords that are easy to remember, which almost invariably makes them terrible passwords. This is why pretty much every modern browser out there has the ability to create and store passwords for you.

      The real solution is twofold: First, beat it into the heads of users that they should always let the browser choose a password for them. Second, beat it into the heads of website designers that it is crucial for their sites to work correctly when using that feature in modern browsers (e.g. never, ever ask the user for his or her password without asking for the associated username). In relative terms, both of those tasks are a whole lot easier than somehow training users to come up with good passwords on their own.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:geeks never learn by turbidostato · · Score: 1

      "Humans create passwords that are easy to remember, which almost invariably makes them terrible passwords."

      Of course, hard to remember passwords which will get stuck in yellow over the monitor are so much better.

    4. Re:geeks never learn by dgatwood · · Score: 1

      The point being that humans shouldn't be creating the passwords, nor should they be responsible for remembering the passwords. They should have a password for their computer, and that's it. All other passwords are superfluous.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:geeks never learn by BevanFindlay · · Score: 2

      This works fine... as long as the browser (or the HDD it's stored on) doesn't crash. The reason we use passwords is that we need something we can take with us anywhere, which pretty much limits it to "something you know" (as "something you are" - i.e. biometrics - isn't implemented for this sort of thing yet, and we tend to lose the "something we have").

      Best kind of password though: the nonsense phrase. Easy to remember, hard to guess. I read "Beagles twirl whiddershins up my saxophone" in a magazine article about passwords some 10 - 15 years ago and have never had trouble remembering it since. The "acronym" nonsense phrase is about as good (e.g. "I like eating ten elephants" = "ile10e").

    6. Re:geeks never learn by turbidostato · · Score: 1

      "They [humans] should have a password for their computer, and that's it. All other passwords are superfluous."

      I don't think you have properly thought about the implications of what you are saying.

      On the other hand, even with that single password, it's still either memorable, therefore easy to hack, or it isn't, in which case you turn again to the sticker on the monitor.

    7. Re:geeks never learn by dgatwood · · Score: 1

      On the other hand, even with that single password, it's still either memorable, therefore easy to hack, or it isn't, in which case you turn again to the sticker on the monitor.

      In relative terms, it is still a lot safer. Right now, cracking an average person's online accounts merely requires you to buy access to a botnet and use it to brute-force the account from a distance. By contrast, you can't readily do a brute-force attack on the login password for someone's laptop unless you either have stolen that laptop or have otherwise compromised it somehow.

      So even in the worst-case scenario, you're replacing one weak password that the user uses for a hundred different sites and can be cracked remotely with another weak password that the user uses for a hundred different sites that can't easily be cracked remotely. And in the best-case scenario, the user is using a biometric sensor in combination with that weak password to lock the device.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    8. Re:geeks never learn by techno-vampire · · Score: 1

      Most of my passwords are variations on a word that's very memorable to me, but incomprehensible to almost anybody else. The word itself is a made-up word that was popular among people involved in one of my hobbies when I first got involved with it over thirty years ago. Except for those of us who go back that far, even the people who share my hobby now are very unlikely to be aware of it because the jargon has shifted. It's a dictionary word, but only in the sense that it's not too hard to work out how to pronounce it the first time you come across it, but it's not a real word in any language I'm aware of. This gives me a whole bunch of potential passwords that are easy for me to remember, but very hard for J. Random Cracker to find without exceptional luck. And, of course, capitalization, using numbers for some of the letters and putting punctuation marks in at appropriate (or inappropriate) places makes for lots and lots of passwords.

      --
      Good, inexpensive web hosting
    9. Re:geeks never learn by TheRaven64 · · Score: 1

      If you're not expecting users to remember them, why use passwords at all? There are standard HTML facilities for generating keypairs in the browser. If you want to make it easy to share logins with mobile devices, then something that turns a private key into a QR code for easily copying to the mobile device would work fine.

      --
      I am TheRaven on Soylent News
    10. Re:geeks never learn by Anonymous Coward · · Score: 0

      beat it into the heads of website designers

      As long as we're doing that, why don't we just beat them until they stop locking trivial shit behind a login?

  3. hah, I never put the capital at the beginninG by Anonymous Coward · · Score: 0

    Thus being a statistical outlier, I can not be hacked.

    1. Re:hah, I never put the capital at the beginninG by viperidaenz · · Score: 1

      Neither, I put the number 1 at the end!1

  4. it's quite simple really by Anonymous Coward · · Score: 2, Interesting

    For anything that matters, I have KeyPass generate the most convoluted password allowable for the given authentication system. For anything else, well, that doesn't matter now, does it?

    1. Re:it's quite simple really by Anonymous Coward · · Score: 0

      For anything that matters, I have KeyPass generate the most convoluted password allowable for the given authentication system. For anything else, well, that doesn't matter now, does it?

      Single point of failure. Excellent.

    2. Re:it's quite simple really by Anonymous Coward · · Score: 2, Funny

      Single point of failure. Excellent.

      Yeah, i don't trust the randomness of password generators either, so I always convert it back to binary from base 62, XOR it with about 95 random two-coin tosses (match=0, differ=1), and then convert it back to base 62 so I can write it as a [A-z0-9]{16} password. I do all of that inside of a 2m x 2m tinfoil blanket folded over and taped together like a sleeping bag and then grounded to a metal pipe. I do all the work on paper by hand, memorize the password, and then I shred and eat the scratch paper. Afterwards I go spend the coins in different locations.

    3. Re:it's quite simple really by Anonymous Coward · · Score: 0

      Afterwards I go spend the coins in different locations.

      Won't be home for a while after a password generation. Excellent.

    4. Re:it's quite simple really by Buchenskjoll · · Score: 1

      I did exactly as described and came up with "p4ssw0rd". What are the odds?

      --
      -- Make America hate again!
  5. Haven't read the summary yet by Anonymous Coward · · Score: 0

    Haven't read the summary yet, but here I go...

    Diceware

  6. The assumption is wrong. by orlanz · · Score: 5, Insightful

    The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

    Complexity introduces incremental passwords, common passwords, safes, post its, support costs, complacency, single point of failures, easier social engineering, and easy passwords. All of which work against security. They don't have check boxes for these because they are hard to understand and measure.

    So is complexity checked? Yes, OK move along sir. I SAID MOVE ALONG. GOOD DAY!

    1. Re:The assumption is wrong. by BevanFindlay · · Score: 1

      I've always thought that a better option than "must have at least 1 upper case and 1 lower case letter, 1 number, 1 symbol, and 1 untypeable character" kind of rules, is to match the passwords users are attempting to set up against a rainbow table (i.e. approach it in the same way that hackers do). "P@ssw0rd1" is a crap password, but will be accepted by almost any site as "strong". Instead, match against a dictionary, against known common passwords, and against a general sanity filter (e.g. 3 characters is too short, perhaps even display the results of an entropy calculation if you're feeling really snazzy). beaglemayhemsenselessaurevoir would be an excellent password - but a lot of algorithms wouldn't think so.

    2. Re:The assumption is wrong. by Tom · · Score: 3, Informative

      The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

      That's consultant bullshit. The legal requirements are nowhere near this specific. It's only consultants that turn them into this nightmare of nonsense. I've worked in IT Compliance (SOX) for years. As long as you can describe why your password policy is good, it doesn't matter what it actually is. The problem is too many people don't invest the time to think a bit and simply take a so-called "best practice" and apply it. In way too many cases without reading to the end and realizing that this "best practice" was published in 1998 and may be a little outdated.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:The assumption is wrong. by Anonymous Coward · · Score: 0

      I quite like zxcvbn, which is a password strength estimation tool. It's much better thought-out than any other password complexity tests I've come across.
      https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

      As far as I understand it, it basically tests whether a password could be generated using various common dictionaries, patterns, substitutions and transformations. Whichever technique would generate the password the quickest is taken as a lower bound for the time taken to crack the password. In other words, it assumes that an attacker is going to assume or know that the password has a particular pattern and then try cracking it according to that pattern. (If they don't pick that pattern, then it will probably take them longer to crack it, though that assumes zxcvbn did not miss some even easier pattern.)

      It handles xkcd-style passwords well. Sometimes, it turns out that a long word you thought was obscure can actually be formed from two very common words, making the overall password easier to crack. Two easy words can be easier to crack than one difficult word, even if there are other words as well.

      Since discovering it, I've often thought it would be quite good if people used something like zxcvbn to set password expiry dates: You pick a weak password, you get asked to change it more often. ("We estimate that your password would take 3 months for somebody to crack using the pattern [describe what pattern it matched], so we will set it to expire after 3 months, when you'll be asked to make a new one.") If you pick a stronger one, you get asked less frequently. And, of course, the expiry of something like "password" would be practically instant, so those kinds of passwords would effectively be banned. ("We estimate that your password would take less than a second for somebody to crack using the pattern [describe what pattern it matched]. Please try something that is longer and/or has less of a pattern.")

      I suppose there would be a risk in using this technique though. It might push users to choose genuinely stronger passwords, or alternatively they might find some loophole, a pattern it doesn't recognise, and use that. For instance, a quote from a published work. (I suspect that if Google were the one implementing this, they would be very well placed to recognise passwords that quote published works, so perhaps we don't have to worry too much about that one, but there are probably other examples of such 'loopholes'.)
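The comment above describes zxcvbn's core idea: score a password by the cheapest attack model that produces it, and derive the expiry from that. The block below is an added illustration of that idea, not zxcvbn's code and not from the original thread. It assumes constructed word ranks (`COMMON_PASSWORDS`, `DICTIONARY`) standing in for the large leaked-password and dictionary lists a real estimator ships with, an assumed offline guessing rate (`GUESSES_PER_SECOND`), and only two models (character-set brute force, and ranked words with suffix, case and leet variations). It also implements the "weak password expires sooner, near-instant ones are rejected" policy from the comment.

```python
import math
import re

# Constructed stand-ins for the large lists zxcvbn ships (assumption): rank 1 is
# the most common leaked password; dictionary ranks are made-up frequency ranks.
COMMON_PASSWORDS = {"password": 1, "123456": 2, "qwerty": 3, "letmein": 4,
                    "welcome": 5, "iloveyou": 6, "dragon": 7}
DICTIONARY = {"word": 150, "pass": 300, "correct": 900, "horse": 2100,
              "battery": 4800, "staple": 7700, "mayhem": 9000, "beagle": 12000,
              "senseless": 15000, "aurevoir": 40000}
WORD_RANKS = {**DICTIONARY, **COMMON_PASSWORDS}

LEET = str.maketrans("@0134$!", "aoleasi")   # undo P@ssw0rd -> password
SYMBOLS = 33                                  # printable ASCII punctuation
GUESSES_PER_SECOND = 1e10   # assumed offline rate against a fast unsalted hash


def bruteforce_guesses(pw):
    """Charset ** length, with the charset inferred from the classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return float(size) ** len(pw)


def segment(s):
    """Greedy longest-match split into known words; None if a part is unknown."""
    words, i = [], 0
    while i < len(s):
        matches = [w for w in WORD_RANKS if s.startswith(w, i)]
        if not matches:
            return None
        best = max(matches, key=len)
        words.append(best)
        i += len(best)
    return words


def wordlist_guesses(pw):
    """Attacker model: ranked words, then digit/symbol suffixes, then case and
    leet variations. Returns None when no known words are present."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:                       # direct hit in the leak list
        return COMMON_PASSWORDS[low] * (2 if pw != low else 1)
    body, suffix = re.match(r"^(.*?)([^a-z]*)$", low).groups()
    core = body.translate(LEET)
    if not core.isalpha():
        return None
    words = segment(core)
    if words is None:
        return None
    guesses = 1.0
    for w in words:
        guesses *= WORD_RANKS[w]
    for ch in suffix:
        guesses *= 10 if ch.isdigit() else SYMBOLS
    if pw != low:          # capitalisation was used
        guesses *= 2
    if core != body:       # leet substitutions were used
        guesses *= 2
    return guesses


def estimate(pw):
    """zxcvbn-style lower bound: the cheapest attack model wins."""
    models = {"bruteforce": bruteforce_guesses(pw)}
    wl = wordlist_guesses(pw)
    if wl is not None:
        models["wordlist"] = wl
    model = min(models, key=models.get)
    guesses = models[model]
    return {"model": model, "guesses": guesses, "bits": math.log2(guesses),
            "crack_seconds": guesses / GUESSES_PER_SECOND}


def expiry_days(pw, floor_days=30, cap_days=365):
    """The commenter's policy: expiry scales with estimated crack time; a password
    crackable in under a second is rejected outright (returns 0)."""
    seconds = estimate(pw)["crack_seconds"]
    if seconds < 1:
        return 0
    return int(min(cap_days, max(floor_days, seconds / 86400)))


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "beaglemayhemsenselessaurevoir", "Tr0ub4dor&3"]:
        print(pw, estimate(pw), "expires in", expiry_days(pw), "days")
```

With these constructed ranks "P@ssw0rd1" costs about 40 guesses under the wordlist model (rank 1 word, one-digit suffix, a capital and two leet swaps), while the brute-force model would have credited it with 95^9; "beaglemayhemsenselessaurevoir" segments into four dictionary words and lands around 2^56, strong enough for the 75-day expiry the policy assigns. The point a strength meter has to get right is taking the minimum across models, never the charset arithmetic alone.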

  7. I hate your rules by AndyCanfield · · Score: 1

    I have a low-security password that I use all over the Internet, like Slashdot. I have a medium security password I use for Linux logins, and a high security password I use for bank accounts. Notice the security reference standard: money.

    I hate it when my low-security password is rejected by some ego-driven web site that thinks I should memorize a special password just for them. FYI my low-security password has 7 lower-case letters and one special character in the middle. No digits! If you won't take that, your web site just isn't worth it, and I will not have an account there. Your loss, not mine.

    Oh, and my PGP secret key has a 30-40 character passphrase, the first line of a song I made up and used to sing to my daughter, who died in 1994. The passphrase includes capitalization and punctuation, but it's easy for me to remember. You turkeys who want high-security passwords, why don't you hash a pass phrase?

    1. Re: I hate your rules by Anonymous Coward · · Score: 0

      I am sorry for your loss :(

    2. Re:I hate your rules by Anonymous Coward · · Score: 0

      I'm sorry to hear about your daughter, even though it was a long time ago.

    3. Re:I hate your rules by Anonymous Coward · · Score: 0

      I have a low-security password that I use all over the Internet, like Slashdot. I have a medium security password I use for Linux logins, and a high security password I use for bank accounts. Notice the security reference standard: money.

      I have a medium-security (6 characters, letters and digits) password that I use all over the internet, a high security (8 characters, random generated) one that I use for Linux login and password manager, and a low security one (4 digits) that I use for my bank.

      On top of that, there's the ones in the password manager, that either get used very rarely, or the program in question is set to remember the password (e.g. Steam).

    4. Re:I hate your rules by Megane · · Score: 2

      I hate it when my low-security password is rejected by some ego-driven web site that thinks I should memorize a special password just for them.

      I also hate it when a web site locks you out completely, requiring you to contact someone to do a manual reset, for failing your password three times. At work, the "enter my goals for this year for the stupid review" site is like this. It's not like this is something that lets people steal money from me, sheesh! Sure, if it was an online banking, etc. password, but most of the sites that do this don't have any information worth a lock-out with a manual admin reset.

      The whole point of lock-outs was to prevent someone from trying hundreds of different passwords with a program, not "I forgot which password I have to use this month, and I fumble-fingered one of my three tries". Even a five minute automatic reset should be more than enough to prevent random automated guessing.

      Even worse, do they even do a proper check that it's really you when they do the reset, especially if they have to give you a NEW password to do a reset, because their security policy is even more out of proportion with the kind of data they have?

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    5. Re:I hate your rules by Anonymous Coward · · Score: 0

      I've got a low security one I use, 10 characters, for websites like Slashdot where I don't give a damn what happens. It's garbage, but it's garbage from a serial # so it's not actually random. There's the long version of it, which is 20 characters of garbage, but I pretty much stopped that. Passwords are organized/applied by what you can get into by gaining access to something (e.g., email allows you to access recovery services for other passwords, so it shouldn't have the same password as anything else).

      Everything else is 16+ characters of completely random garbage (any available character on a keyboard). My longest semi-routinely used password (for long-term backups) is 32 characters. If I really need to draw a new random password but don't have an available (P)RNG, I'll reuse chunks of other passwords (I've got at least a few hundred characters worth of random garbage to pick from stored in my head) and generate a new one later. It takes about a day or two of regular usage to switch to a new password. Write it down on a rolling paper and set it on fire when you're done, as they burn cleanly.

    6. Re:I hate your rules by JonnyCalcutta · · Score: 1

      Ditto, right down to the three levels. I have a few variations on my low level password (basically, add 123 at the end, capitalise and/or add an exclamation - to account for all the (as you rightly say) ego-driven web sites. Sometimes I've just really had to get on a site, much as their rules annoy me).

      Even with the variants I can guess which it was in 3 or 4 goes max, if I've forgotten.

      It's a six-character word that was the name of an old roleplaying character and is probably in the dictionary. It's also been known by almost everyone I've ever worked with (since it's my 'don't care' desktop login). If someone really wants to hack one of those accounts all they have to do is use my browser anyway.

      My higher level passwords are all sentences with digits and punctuation and spaces removed to prevent annoyance - good luck getting them with your brute force attacks.

  8. An approach I haven't tried yet... by complete+loony · · Score: 2

    Grab one of the available databases of hacked passwords. Train an arithmetic compressor on that dataset, so that if any part of the password is predictable it will be compressed better. It's the kinds of statistics you feed into this training process that are the key. Passing a random bit-sequence through your decompressor will generate something that could be a password, similar to those in the database you trained on. So enumerate through all short bit-patterns to generate a set of easily guessed passwords.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
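The post above leans on one fact: under a model trained on leaked passwords, a predictable string has a short code length, and an arithmetic coder spends about -log2 P(char | context) bits per character. The block below is an added example (not from the thread, and not an arithmetic coder) that uses that code length from the defender's side: an order-2 character Markov model trained on a constructed stand-in for a leak dump (`LEAKED`, an assumption), and a check that rejects a candidate password whose compressed length falls below a threshold. The threshold (`min_bits`) and the alphabet size are assumptions.

```python
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"       # sentinels marking password start and end
ALPHABET_SIZE = 96                # 95 printable ASCII characters plus END

# Constructed stand-in for a leaked-password corpus (assumption); repetition
# mirrors how often such strings recur in real dumps.
LEAKED = (["password", "password1", "123456", "qwerty", "letmein"] * 3
          + ["password123", "iloveyou", "monkey", "dragon", "sunshine",
             "princess", "football", "welcome1", "abc123", "trustno1"])


class CharMarkovModel:
    """Order-n character model with additive smoothing. An arithmetic coder
    driven by this model spends about -log2 P(ch | context) bits per character,
    so bits() is the password's compressed length: the more it looks like the
    training dump, the shorter it codes."""

    def __init__(self, order=2, alpha=0.01):
        self.order, self.alpha = order, alpha
        self.counts = defaultdict(Counter)    # context -> Counter of next chars

    def train(self, passwords):
        for pw in passwords:
            s = START * self.order + pw + END
            for i in range(self.order, len(s)):
                self.counts[s[i - self.order:i]][s[i]] += 1
        return self

    def prob(self, ctx, ch):
        c = self.counts.get(ctx)
        seen = c[ch] if c else 0
        total = sum(c.values()) if c else 0
        return (seen + self.alpha) / (total + self.alpha * ALPHABET_SIZE)

    def bits(self, pw):
        """Code length of pw under the model, in bits."""
        s = START * self.order + pw + END
        return -sum(math.log2(self.prob(s[i - self.order:i], s[i]))
                    for i in range(self.order, len(s)))


def naive_bits(pw):
    """What a charset-times-length calculation claims, for comparison."""
    return len(pw) * math.log2(95)


def compressibility_check(model, pw, min_bits=40):
    """Reject a candidate password the model codes in fewer than min_bits."""
    b = model.bits(pw)
    return {"model_bits": round(b, 1), "naive_bits": round(naive_bits(pw), 1),
            "accepted": b >= min_bits}


MODEL = CharMarkovModel(order=2).train(LEAKED)

if __name__ == "__main__":
    for pw in ["password1", "Passw0rd!", "xq7#Lm2!pZ"]:
        print(pw, compressibility_check(MODEL, pw))
```

"password1" codes in roughly 5 bits here against the 59 bits a charset calculation would assign it, which is the gap between naive and real complexity that several comments in this thread argue about. The model only knows patterns present in its training set, so a leet-spelled variant absent from the corpus codes long; the statistics you train on are, as the post says, the key.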
  9. Always been against the "must contain..." by Anonymous Coward · · Score: 1

    Every fucking requirement on a password reduces the attack vector timeframes by orders of magnitude.

    Password must be more than 8 characters, with one upper, lower, number, and special character.

    You've eliminated every password from between 0-8 characters with any single category, two categories, or three categories combined. I'm not a statistics person, but that's a fucking lot of passwords that you've cut down attack dictionaries by. And in the name of security?

    The best security, if you let users set their own passwords, is to ENCOURAGE them to use complex passwords, but not REQUIRE them. You'll gain seconds, maybe minutes of attack time if someone needs to include "aaa12345" et al. in their brute forcing.

  10. List of No Bullsh*t Pastebins Usable Via Tor v042 by Anonymous Coward · · Score: 0

    List of No Bullsh*t Pastebins Usable Via Tor - v.0.4.2, 04/15/15

    * Pastebins which are usable via Tor and do not require javascript to use
    # v.0.4.2 posted @: http://pastebin.com/UgeYW4fy
      http://slexy.org/view/s207aCCw...

  11. Selection bias and circular logic by Anonymous Coward · · Score: 1

    It's not too surprising to find commonality among the set of cracked passwords. It may well be that the set of all used passwords and the set of cracked passwords share common mask distributions but I suspect that the fact that 50% of all passwords fall within the first 13 common masks is exactly why they were cracked. The passwords sucked.

    In the face of bcrypt it is useful to figure out how to more quickly crack the existing set of crackable passwords but it's not clear to me that this effectively broadens the set of crackable passwords.

  12. subjects are stupid by Falos · · Score: 2

    Attackers know to check for 'e' characters swapped with '3' characters. It's in their tables. It won't do shit. Words like asdfghjkl are in their tables. Duh.

    Do we need an article about how "hackers have realized people swap 'e' and 3!"? Yes, people are simply capping the first letter and it accomplishes little (the "complexity" requirement thus accomplished shit), duh and DUH.

    Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.

    No weird complexity. No increasingly obnoxious user burden. It's actually easier to memorize than many passwords. And if not, you gain greater-yet-lower-hanging pendefense compared to DICKING AROUND WITH SYMBOLS AND NUMBERS AND CAPS.

    tibswutws
    ratrpfop
    aysaysbjbj

    ...well, okay, that last one is probably less secure. The original French rhyme isn't much better.

    1. Re:subjects are stupid by Tom · · Score: 1

      Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.

      You can wait a long time, because there are too few computer scientists on the intersection of poetry, linguistic analysis and computer security to make that happen. You would need a good estimate of likely sentences used for input and that requires skills far outside the computing sphere.

      A statistical analysis will likely reduce the set of probable letter combinations somewhat, but probably not by more than one or two orders of magnitude. An analysis of word-beginning distribution of letters will gain you more. Taking all that into account, my best gut feeling is that you'll end up somewhere in the area of 10^10 in complexity for an 8-character output. Better than passwords (which I've repeatedly estimated at around 10^7) but still not so great and probably much less than you'd expect.

      Also, taking into account psychology and the fact that a fairly small set of phrases is much more popular than all the others combined, and that many users will choose a popular phrase instead of a personal one, you would also end up with the "password"-as-my-password problem in that a lot of accounts would have phrases from a list of maybe 1000 popular ones.

      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:subjects are stupid by Anonymous Coward · · Score: 1

      mhallifwwas is 11 characters. If the attacker knows that the password is all lowercase, then that's only log2(26^11) = 51.7 bits of entropy. If they know the hash, then they can easily crack it in less than a week on a modern PC with a decent graphics card. A decent sized botnet could crack that in less than a minute.

      If they know it's English, they can probably speed that up a bit more using letter frequency (i.e. etaoinshrdlcumwfgypbvkjxqz). And if they know it's the first letters of a phrase, then they could speed it up even more using first letter frequency (i.e. tashwiobmfcldpnegryuvjkqzx). All 11 of your letters fall in the first half of the first-letter order, so a letter frequency based cracker would be much, much faster than using standard alphabet order. If they know it's English first letters, then your password really only has about log2(13^11) = 40.7 bits to crack. That's weaker than a random 9-letter lowercase password with log2(26^7) = 42.3 bits, or a random 7-character mixed case with digits password with log2(62^7) = 41.7 bits.

      Your password scheme is actually pretty weak by modern standards. Hint: Random 8-char mixed case with digits = 47.6 bits, 12 char = 71.5 bits, and 16 char = 95.3 bits. An 8-char will only keep the good guys out; bad guys will break it almost instantly on a botnet. 12-char will keep a botnet busy for a while, and 16-char is probably safe for a few decades unless QC becomes a thing or someone proves P=NP.

    3. Re:subjects are stupid by Falos · · Score: 1

      We share some grief. When purely based on a "word" you're effectively picking a single character from a set of, what, 10^5? You say 7, after permutations? Either way, that original pool means a limiting factor.

      I might be more pessimistic than you about the lifetime of a basic string like "mhallifwwas". It's not here yet, but it's the sort of AI, the sort of language indexing that's less like whimsy scifi and more like inevitable Big Data. Yes, I do expect tables to respond and evolve into phrase dictionaries.

      In this context, nursery rhymes are shit. I like them to help illustrate the simplicity of use and apparent complexity gains. They're superstrong in the current meta. But once the new tables are built they'll wreck rhymes, pop song lyrics, quotes, sayings, etc. in a hurry. OTOH, the concept comes with implicit invitation to roll your own. Hell, they did it on Doctor Who. And I get the sense it's easier to add permutation to phrases.

  13. password policies have been really dumb for years. by Anonymous Coward · · Score: 0

    Look here and it explains exactly why the password policy in a whole big fat whopping gob of companies has been really dumb for a long time. Let me string 3 or 4 long words together. Let me keep it for a year. Let me have the last sentence of page 286 of my favourite book, or the last stanza of my favourite song. And they won't be able to crack it. Give me the last paragraph or chorus (if you dare) and they won't break it till the end of time. No numbers, no punctuation, and no problem either.

  14. fail2ban by hcs_$reboot · · Score: 1

    Using fail2ban, after 3 failed ssh logins it cuts access to the hacker IP for 20 minutes (iptables firewall).

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:fail2ban by piripiri · · Score: 1

      Use sshguard, it's way more efficient. Unless you need to monitor other services than SSH.

    2. Re:fail2ban by Anonymous Coward · · Score: 0

      This can be used for a DoS attack.
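The "3 failures, 20 minute ban" rule from the fail2ban comment above, and the lock-out DoS concern in the reply, as an added example that is my own code and not fail2ban's. It parses OpenSSH-style syslog lines (a constructed sample on documentation addresses; the year is an assumption since syslog omits it), keeps a sliding window of failures per source address, issues a ban when the window fills, and honours an allow-list so a trusted network cannot be locked out by a burst of bad logins. The parameter names (`maxretry`, `findtime`, `bantime`, `ignoreip`) mirror fail2ban's jail options but the logic here is independent.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH/syslog sample on TEST-NET addresses.
SAMPLE_LOG = """\
Apr 15 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 15 10:00:03 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr 15 10:00:04 bastion sshd[2105]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Apr 15 10:00:05 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 15 10:00:06 bastion sshd[2109]: Failed password for root from 203.0.113.5 port 51241 ssh2
Apr 15 10:01:10 bastion sshd[2112]: Failed password for bob from 198.51.100.7 port 40030 ssh2
Apr 15 10:01:12 bastion sshd[2112]: Failed password for bob from 198.51.100.7 port 40031 ssh2
Apr 15 10:01:15 bastion sshd[2112]: Failed password for bob from 198.51.100.7 port 40032 ssh2
Apr 15 10:02:00 bastion sshd[2120]: Failed password for carol from 192.0.2.9 port 50001 ssh2
Apr 15 10:30:00 bastion sshd[2150]: Failed password for carol from 192.0.2.9 port 50002 ssh2
Apr 15 10:30:05 bastion sshd[2150]: Failed password for carol from 192.0.2.9 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+")


def parse_ts(text, year=2015):
    """syslog timestamps carry no year; the year used here is an assumption."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class BanPolicy:
    """Sliding-window lockout: maxretry failures within findtime seconds bans
    the source for bantime seconds, unless it is inside an ignored network."""

    def __init__(self, maxretry=3, findtime=600, bantime=1200, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)   # ip -> recent failure times
        self.bans = {}                       # ip -> ban expiry

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def observe(self, line):
        """Feed one log line; returns (ip, expiry) if this line triggers a ban."""
        m = LINE_RE.match(line)
        if not m or m["event"] != "Failed password":
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        if self.ignored(ip) or self.is_banned(ip, now):
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip, self.bans[ip]
        return None


def scan(log_text, policy):
    """Run the policy over a whole log; returns {ip: ban expiry} for bans issued."""
    issued = {}
    for line in log_text.splitlines():
        result = policy.observe(line)
        if result:
            ip, expiry = result
            issued[ip] = expiry
    return issued


if __name__ == "__main__":
    print(scan(SAMPLE_LOG, BanPolicy(ignoreip=["198.51.100.0/24"])))
```

On the sample, 203.0.113.5 is banned at its third failure until 10:20:05, the three failures from the allow-listed 198.51.100.7 are ignored, and 192.0.2.9 never accumulates three failures inside the ten-minute window. The allow-list is the practical answer to the DoS reply: put the admin and VPN networks in `ignoreip`, keep `bantime` short, and remember that such a ban only ever raises the cost of online guessing; it does nothing for a stolen hash database.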

  15. math by Tom · · Score: 5, Insightful

    Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:

    We think the complexity of a password made in accordance to a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.

    What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.

    That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptoanalysis terms, without taking user preferences into account.

    What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:math by Anonymous Coward · · Score: 1

      There are roughly 300 * 10^6 people in the US. So 9 orders of magnitude "off" is 0.3 people. Now why should I trust the rest of your math?

    2. Re:math by Guybrush_T · · Score: 1

      This guy is right explaining that dumb computation about password strength is stupid.

      However, I disagree with the conclusion. Asking people to learn impossible to retain passwords is not the solution. Force them to choose a not-trivial but not hard password (entropy >10000) and apply well-balanced password trying policies (100 tries max per month). Everyone will be happy this way.

    3. Re:math by Bongo · · Score: 2

      Would it help if the people who came up with a password policy were then tasked with thinking up 100 passwords (each one to be used for one day) ?
      And then check back with them at the end and see what they chose for the last 20?

    4. Re:math by Aristos+Mazer · · Score: 2

      His math is fine. It's his civics estimate of US population that's a problem, and he wasn't claiming expertise there.

    5. Re:math by houghi · · Score: 1

      The IT people who I talked to about passwords all had them written down. All of them over several companies.

      --
      Don't fight for your country, if your country does not fight for you.
    6. Re:math by greg1104 · · Score: 1

      You seem to think the word "like" means "mathematically equivalent". It doesn't. Please move along to some other pedantry trolling.

    7. Re:math by Tom · · Score: 1

      No, it wouldn't help.

      The problem is techies thinking in techie terms. What would help is get a normal user into the room and give him an actual voice in the matter, when the policy is decided. You know, not John from the call center, but Frank the philosophy doctor who's now head of product management.

      --
      Assorted stuff I do sometimes: Lemuria.org
    8. Re:math by Tom · · Score: 1

      Because 9 orders of magnitude applied down towards zero would give you 3.

      But the population of the US is closer to the zero point than the naive complexity estimate. To give a proper comparison of "we are wrong by relatively this much", you have to scale the offset correspondingly.

      --
      Assorted stuff I do sometimes: Lemuria.org
  16. Re:For work - You had ONE job... by ei4anb · · Score: 1

    When the "bad guys" manage to download the password database from a Windows domain controller in your company (and that can happen) then they will be able to crack some of your previous 12 passwords that it stores in the history. Then you will be an easy target because they can predict your password from the history because you did not bother to comply with the company password policy. You were negligent.

  17. What about salting? by EmBeeDee · · Score: 1

    I've only skimmed the article, but I didn't see any mention of hash salting. Is the author assuming that the password hashes haven't been salted, or the salt has been recovered along with the raw password database, or am I misunderstanding completely and salting doesn't play a part here? Salting of password hashes has to be standard practice now, surely.

  18. My password is: by ai4px · · Score: 1

    MickeyMinniePlutoDonaldGoofySneezyDocGrumpySacramento .... 8 characters and one capital.

  19. It's not a secure password by AikonMGB · · Score: 1

    It's not a secure password unless it is randomly generated. There are tricks you can use to make it more memorable, like using diceware instead of characters and numbers, but fundamentally if you came up with it, someone else can guess how you came up with it.

  20. Fine theoretical work but.... by dfenstrate · · Score: 1

    ...how many systems let you try new passwords ad-infinitum, rapidly? I know back when I was in college I could brute force Windows shared folders (script kiddie style), but nowadays I'd expect any semi-serious authentication system to limit the number and frequency of login attempts.

    I am not an IT professional engaging in rhetoric; I'm actually curious.

    --
    Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
    1. Re:Fine theoretical work but.... by EmBeeDee · · Score: 1

      No, I think this attack is predicated on having already stolen the password database.

    2. Re:Fine theoretical work but.... by j-beda · · Score: 1

      ...how many systems let you try new passwords ad-infinitum, rapidly? I know back when I was in college I could brute force Windows shared folders (script kiddie style), but nowadays I'd expect any semi-serious authentication system to limit the number and frequency of login attempts.

      I am not an IT professional engaging in rhetoric; I'm actually curious.

      No online system is fast enough to brute force an account even if they did allow you to try new passwords ad-infinitum - each attempt would take a second or two and that's just too slow for effective "cracking" I would think.

      I believe that the concern is for when there has been a data breach of some sort, and the "bad guys" have gotten the username/password file. The data in this file has been run through some sort of a one way function and thus you cannot just read the usernames and passwords out of it, but since the attacker knows what the one-way function is, they can test to see if any username or password that they want to know about is in the file, and they can do this with all the computing power at their disposal. "Rainbow" tables are pre-calculated results of this one-way function for common usernames and passwords.

      The data in the file can be "salted" adding an extra bit of information to the password before running it through the one-way function - even if the "salt" is known by the attacker, this prevents rainbow tables from being useful. There are probably also ways of combining unique salt values, usernames, and passwords so that even "insecure" passwords are difficult to recover from the file, but of course the longest passwords drawn from the largest possible set of characters will always be hardest to "crack".
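The reply above explains why a stolen hash file is the real target and why salting defeats precomputed tables. The block below is an added example (my own code, not from the thread) showing both halves: a precomputed hash-to-plaintext lookup, built from a constructed list of common passwords, recovers an unsalted SHA-256 record instantly, while a record made with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256, via Python's standard library) does not appear in the table at all. The iteration count is an assumption to be tuned for the deployment.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (assumption; tune to your hardware)

# Constructed list of plaintexts an attacker would precompute. A rainbow table
# is the space-time-tradeoff form of this dict, built from hash chains.
COMMON = ["password", "123456", "qwerty", "letmein", "hunter2"]


def unsalted_hash(pw):
    """The weak scheme: one fast hash, identical for every user with this password."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> plaintext, built once and reused against every dump."""
    return {unsalted_hash(c): c for c in candidates}


def lookup_attack(table, stored_hash):
    """Recover the plaintext with a dictionary lookup and no hashing at all."""
    return table.get(stored_hash)


def salted_hash(pw, salt=None):
    """The stored record: a per-user random salt plus a slow KDF output."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, digest


def verify(pw, salt, digest):
    """Recompute with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Returns (plaintext recovered from the unsalted record,
                result of the same lookup against the salted record)."""
    table = build_lookup_table(COMMON)
    recovered = lookup_attack(table, unsalted_hash("letmein"))
    # The table is keyed on H(pw); the salted record holds KDF(salt, pw), so even
    # with the salt in hand the attacker must redo the slow work per user.
    salt, digest = salted_hash("letmein")
    not_recovered = lookup_attack(table, digest.hex())
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())   # ('letmein', None)
```

Two users who both choose "letmein" get different salted records, which is what prevents one precomputation from paying off across a whole dump; the slow KDF is what keeps a per-user dictionary run expensive once the salt is known, which the reply rightly notes does not stop guessing of a weak password, only makes each guess cost more.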

  21. Length by Agares · · Score: 1

    I've been told by a pentester that length matters more than anything. He said a password that is at least 14 characters long and doesn't contain any words or numbers that have personal meaning is the strongest to use. He also recommended using random dictionary words to make it easier to remember while keeping it strong.

  22. Chess opening as a password by nimzo · · Score: 1

    I use chess openings for passwords.

    Something like: e4e5Nc3Nf6Bb5d6Bxc6#bxc6

    1. Re:Chess opening as a password by nimzo · · Score: 1

      Of course I meant: ...Nf3Nc6...