Slashdot Mirror


Cracking Passwords With Statistics

New submitter pjauregui writes: When users are asked to create a "secure" password, most sites simply demand things like "must contain 1 uppercase letter and one punctuation character." But those requirements often lead to users picking exactly 1 uppercase letter, and using it to begin their password. What was intended to increase randomness is instead creating structure that statistical analysis can exploit. This article starts by asking the reader, "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure." The author then describes his method for cracking passwords at scale, efficiently, stating that many attackers approach this concept headfirst: they try any arbitrary password attack they feel like trying with little reasoning. His post is a discussion that demonstrates effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time-boxed approach to efficient and successful cracking.

23 of 136 comments

  1. For work I use really bad passwords by Anonymous Coward · · Score: 5, Insightful

    They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

    Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

    1. Re: For work I use really bad passwords by khasim · · Score: 4, Insightful

      It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.

      1. keylogger
      2. some reduction attack
      3. pass the hash
      4. fake authentication request & server
      5. etc

      By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.

      For non-work websites just remember 2 things:
      a. DO NOT USE THE SAME PASSWORD
      b. If it is financial, don't use the same username/email-address as other sites.

    2. Re: For work I use really bad passwords by Anonymous Coward · · Score: 5, Informative

      I have 5 levels of passwords, as follows:

      Level 1: Garbage sites that force me to register to read content, places that don't have AC that I want to comment, etc. - My password is monkeys103. Idgaf if you hack these sites. If they force punctuation I add a comma to the end of it. Who cares. Username could be anything because most likely I'm not coming back.

      Level 2 - Sites where I have a reputation, but it's not attached to my real world persona. Like ArsTechnica, CNN, Ubuntu Forums, etc. I use a moderately complex password, 8 characters, no dictionary words. If it gets hacked, it sucks, but it's not the end of the world. Username is often similar among the sites because there's no real world connection.

      Level 3 - Sites where they have personal information connected to the real world. Think Facebook, instant messaging, etc. I use a 10 digit password here, and if it gets hacked, I immediately change all of these sites so that none have the old password. Also all of them have different usernames.

      Level 4 - Banking or any sites connected to my money (PayPal, for example). I have a very long and complex password for these (unique to each site, randomly generated), as well as any other security they offer (two factor authentication).

      Level 5 - Email, because it's the master key. I use a unique password here, but I have somehow memorised it. My two email passwords are the same, which I know is a weakness, but it's safer than using two weak passwords. The password is the first letter from each word in a phrase, with added numbers and punctuation. Example (I like apples and pears - ilaap)

      Also note that I use a password manager, which requires me to enter in a password (same as my computer logon) to autofill the form. So all in all I really only have to memorize five passwords, and typically only the password manager one.

    3. Re: For work I use really bad passwords by BevanFindlay · · Score: 2

      I do reuse the same password in places, but only on sites where I don't care if it gets hacked (and it amazes me how many times I've had to use it). What annoys me though is that I can't always use it as sometimes it's too long (?!), and I've had to adapt to having a version that includes digits and mixed-case (despite the fact that even the basic all-lowercase version is pretty much unhackable - hint: it's more than one word, it makes no sense, and it's not even English). But for important sites (banks, even email) I use completely different passwords. What reusing one password does do though is save me ever having to write down passwords: is it an important site? Then I can probably remember the password. Is it some site I can't even remember signing up to? Then I'll know it's my "throwaway" password.

      Although, a smarter version would probably be to adapt the "throwaway" password with some arbitrary variation based on the name of the site or whatever (e.g. add the third letter of the site name as the second-to-last character, or something similarly obfuscated but easy to remember).

    4. Re:For work I use really bad passwords by AK+Marc · · Score: 5, Informative

      I've had my first day include complaining to the head of HR that the HR documents on passwords were wrong. The rules were at least one upper, at least one lower, at least one number, and no shorter than 8. However, the password policy described by my peers was "pick a 6-letter word, start with a cap, and put 00 at the end. When you increment it for the 30 day expiration, you can last past the 1-year no reuse policy." The funny thing was, I followed the policy and came up with one that used special characters. Not accepted. And one that used an 8-character word. Not accepted (the password must be exactly 8 chars, and can't include special characters, despite the rules not directing such). The head of HR gave me the same rules as everyone else. So nobody in the company uses a secure password, and the rules on the password are mis-documented. Chairs00. Shh, don't tell anyone.

    5. Re:For work I use really bad passwords by Applehu+Akbar · · Score: 2

      The best passwords are the random ones generated by password managers, but the silly rules prevent you from using them. They also prevent people from using secure "personal words" like that weirdly named village you passed through once on vacation. All passwords-by-rule tend to deteriorate to obvious word with initial capital with a 0 or a 1 on the end.

    6. Re:For work I use really bad passwords by tlhIngan · · Score: 4, Insightful

      They have this draconian douchebag policy that you can't ever reuse one for like 20 tries, you have to have a capital, number and punctuation.... so I just keep adding numbers to the end of it. Fark them if we get hacked.

      Give me a reasonable password requirement with a reasonable expiry (NOT 30 days) and we'll talk.

      Here's some...

      2015January!
      2015February@
      2015March#
      2015April$
      2015May%
      2015June^
      2015July&
      2015August*
      2015September(
      2015October)
      2015November-
      2015December=

      If it's too long, shorten to 3-letter months.

      And for next year, you'll have another set of "unique" passwords so it doesn't matter if they demand it doesn't match the last 100 passwords.

      Numbers, capital, punctuation it's got it all.

      With a few modifications, you can come up with similar passwords that will obey any other rules you need.

    7. Re: For work I use really bad passwords by Tom · · Score: 5, Interesting

      Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.

      Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.

      Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.

      I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
      My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).

      And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.

      --
      Assorted stuff I do sometimes: Lemuria.org

    8. Re:For work I use really bad passwords by Buchenskjoll · · Score: 4, Funny

      "personal words" like that weirdly named village you passed through once on vacation.

      True. I spent last summer in Wales and the landscape is scattered with good passwords.

      --
      -- Make America hate again!

    9. Re:For work I use really bad passwords by tburkhol · · Score: 2

      Yes, Calypso443521 contains a word that could exist in a dictionary, but is unguessable. Nobody would guess that it has any meaning, and with a personal number on the end, it wouldn't fall to any dictionary attack.

      Are you crazy? There's only a million words in English and only a million six digit numbers, so the combination of real word + number has only a trillion possibilities. 2^40 possibilities, which will fall rapidly to a dictionary attack. It's as "strong" as 6 random, typeable characters.

      The point of TFA is that while "12 characters, including three different character classes" sounds like 2^84, the reality is that people meet those conditions by using a real word with the first letter capitalized and a number. (rarely the reverse: Number-word)

    10. Re: For work I use really bad passwords by JazzLad · · Score: 2

      I used to have a favourite keygen (for some obscure program, I don't recall which), I would use the webpage address as the name & whatever key it spit out would be my password.

      I have no idea why I stopped doing this ... I may start again :)

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever

  2. geeks never learn by Anonymous Coward · · Score: 3, Funny

    quote
      "Think like a hacker and ask yourself how fast your passwords might be able to be cracked based on their structure."
    unquote

    yeah, right, my mom is gonna stop and think about how a cracker looks at structure....

    1. Re:geeks never learn by BevanFindlay · · Score: 2

      This works fine... as long as the browser (or the HDD it's stored on) doesn't crash. The reason we use passwords is that we need something we can take with us anywhere, which pretty much limits it to "something you know" (as "something you are" - i.e. biometrics - isn't implemented for this sort of thing yet, and we tend to lose the "something we have").

      Best kind of password though: the nonsense phrase. Easy to remember, hard to guess. I read "Beagles twirl whiddershins up my saxophone" in a magazine article about passwords some 10 - 15 years ago and have never had trouble remembering it since. The "acronym" nonsense phrase is about as good (e.g. "I like eating ten elephants" = "ile10e").

  3. it's quite simple really by Anonymous Coward · · Score: 2, Interesting

    For anything that matters, I have KeyPass generate the most convoluted password allowable for the given authentication system. For anything else, well, that doesn't matter now, does it?

    1. Re:it's quite simple really by Anonymous Coward · · Score: 2, Funny

      Single point of failure. Excellent.

      Yeah, I don't trust the randomness of password generators either, so I always convert it back to binary from base 62, XOR it with about 95 random two-coin tosses (match=0, differ=1), and then convert it back to base 62 so I can write it as a [A-z0-9]{16} password. I do all of that inside of a 2m x 2m tinfoil blanket folded over and taped together like a sleeping bag and then grounded to a metal pipe. I do all the work on paper by hand, memorize the password, and then I shred and eat the scratch paper. Afterwards I go spend the coins in different locations.

  4. The assumption is wrong. by orlanz · · Score: 5, Insightful

    The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

    Complexity introduces incremental passwords, common passwords, safes, post its, support costs, complacency, single point of failures, easier social engineering, and easy passwords. All of which work against security. They don't have check boxes for these because they are hard to understand and measure.

    So is complexity checked? Yes, OK move along sir. I SAID MOVE ALONG. GOOD DAY!

    1. Re:The assumption is wrong. by Tom · · Score: 3, Informative

      The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.

      That's consultant bullshit. The legal requirements are nowhere near this specific. It's only consultants that turn them into this nightmare of nonsense. I've worked in IT Compliance (SOX) for years. As long as you can describe why your password policy is good, it doesn't matter what it actually is. The problem is too many people don't invest the time to think a bit and simply take a so-called "best practice" and apply it. In way too many cases without reading to the end and realizing that this "best practice" was published in 1998 and may be a little outdated.

      --
      Assorted stuff I do sometimes: Lemuria.org

  5. An approach I haven't tried yet... by complete+loony · · Score: 2

    Grab one of the available databases of hacked passwords. Train an arithmetic compressor on that dataset, so that if any part of the password is predictable it will be compressed better. It's the kinds of statistics you feed into this training process that are the key. Passing a random bit-sequence through your decompressor will generate something that could be a password, similar to those in the database you trained on. So enumerate through all short bit-patterns to generate a set of easily guessed passwords.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.

  6. subjects are stupid by Falos · · Score: 2

    Attackers know to check for 'e' characters swapped with '3' characters. It's in their tables. It won't do shit. Words like asdfghjkl are in their tables. Duh.

    Do we need an article about how "hackers have realized people swap 'e' and 3!"? Yes, people are simply capping the first letter and it accomplishes little (the "complexity" requirement thus accomplished shit), duh and DUH.

    Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.

    No weird complexity. No increasingly obnoxious user burden. It's actually easier to memorize than many passwords. And if not, you gain greater-yet-lower-hanging pendefense compared to DICKING AROUND WITH SYMBOLS AND NUMBERS AND CAPS.

    tibswutws
    ratrpfop
    aysaysbjbj

    ...well, okay, that last one is probably less secure. The original French rhyme isn't much better.

  7. math by Tom · · Score: 5, Insightful

    Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:

    We think the complexity of a password made in accordance to a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.

    What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.

    That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptoanalysis terms, without taking user preferences into account.

    What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.

    --
    Assorted stuff I do sometimes: Lemuria.org

    1. Re:math by Bongo · · Score: 2

      Would it help if the people who came up with a password policy were then tasked with thinking up 100 passwords (each one to be used for one day)?
      And then check back with them at the end and see what they chose for the last 20?

    2. Re:math by Aristos+Mazer · · Score: 2

      His math is fine. It's his civics estimate of US population that's a problem, and he wasn't claiming expertise there.

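The gap Tom and tburkhol describe above, worked through as an added example that is not part of any post in this thread: a Python estimator that compares the keyspace a character-class policy implicitly assumes with the search space that remains once the habits the comments describe (capitalised word, trailing digits, one easy symbol, year plus month name) are modelled. The 100,000-word list, the 95-character alphabet and the 200-year range are assumptions of this example, not figures from the thread.

```python
import math
import re
from typing import Optional

# Assumed sizes for this example; none of them come from the thread itself.
PRINTABLE = 95                      # printable ASCII: the "any character anywhere" view
EASY_SYMBOLS = "!@#$%^&*()-="       # shifted digit row, the "easy-to-type" specials
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_NAMES = set(MONTHS) | {m[:3] for m in MONTHS}   # full or 3-letter month names


def naive_bits(password: str) -> float:
    """Bits a length-and-classes policy assumes: each position independent over 95 chars."""
    return len(password) * math.log2(PRINTABLE)


def structural_guesses(password: str, dict_size: int = 100_000) -> Optional[int]:
    """Candidates an attacker who models the habit needs, or None if no habit fits.

    dict_size is an assumed wordlist size. Any alphabetic run is treated as a dictionary
    word, which deliberately errs toward underestimating strength: acronym passphrases
    like the ones praised in the thread are scored as if they were plain words."""
    # Habit 1: year + month name (+ one symbol), the "2015January!" scheme.
    m = re.fullmatch(r"(?:19|20)\d\d([A-Za-z]+)([^A-Za-z0-9]?)", password)
    if m and m.group(1).lower() in MONTH_NAMES:
        symbols = len(EASY_SYMBOLS) if m.group(2) else 1
        return 200 * 12 * symbols            # 200 years x 12 months x symbol choice
    # Habit 2: a word, optionally capitalised, trailing digits, at most one symbol.
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9]?)", password)
    if m:
        word, digits, symbol = m.groups()
        guesses = dict_size * 2              # which word, and whether its first letter is capitalised
        guesses *= 10 ** len(digits)         # every appended digit is a free choice
        guesses *= len(EASY_SYMBOLS) if symbol else 1
        return guesses
    return None


def effective_bits(password: str, dict_size: int = 100_000) -> float:
    """log2 of the realistic search space; falls back to the naive figure if no habit matches."""
    guesses = structural_guesses(password, dict_size)
    return math.log2(guesses) if guesses else naive_bits(password)


def meets_policy(password: str, min_bits: float = 40.0) -> bool:
    """A policy check that scores structure instead of counting character classes."""
    return effective_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in ("Chairs00", "2015January!", "Calypso443521", "x7#Qp2!vLz9"):
        print(f"{pw:16} naive {naive_bits(pw):5.1f} bits  "
              f"effective {effective_bits(pw):5.1f} bits  accept={meets_policy(pw)}")
```

"Chairs00" satisfies the eight-character, mixed-case, digit rule from the thread yet scores about 24 bits here, while a word followed by a six-digit number with a million-word list lands near the 2^40 that tburkhol computes.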
  8. Re:I hate your rules by Megane · · Score: 2

    I hate it when my low-security password is rejected by some ego-driven web site that thinks I should memorize a special password just for them.

    I also hate it when a web site locks you out completely, requiring you to contact someone to do a manual reset, for failing your password three times. At work, the "enter my goals for this year for the stupid review" site is like this. It's not like this is something that lets people steal money from me, sheesh! Sure, if it was an online banking, etc. password, but most of the sites that do this don't have any information worth a lock-out with a manual admin reset.

    The whole point of lock-outs was to prevent someone from trying hundreds of different passwords with a program, not "I forgot which password I have to use this month, and I fumble-fingered one of my three tries". Even a five minute automatic reset should be more than enough to prevent random automated guessing.

    Even worse, do they even do a proper check that it's really you when they do the reset, especially if they have to give you a NEW password to do a reset, because their security policy is even more out of proportion with the kind of data they have?

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }