Slashdot Mirror

← Back to Stories (view on slashdot.org)

An Algorithm For Better Password Checking (technologyreview.com)

Posted by Soulskill on from the please-tell-my-bank dept.

New submitter della writes: Password checkers — those things that tell you whether your password is strong or not — are good: various studies have found that they make users choose better passwords. Unfortunately, nowadays attackers use probabilistic strategies based on natural language processing to guess passwords earlier, and most checkers consist of heuristic rules that don't reflect well probabilistic attacks. To do better you could in theory simulate the attack, but if your password is not that bad, that would be very expensive or just unfeasible.

In a paper I wrote with Maurizio Filippone and presented at ACM's CCS conference, we show how you can take an attack model and a password, and through a simple formula come up quickly with a reliable estimation of how many guesses that attack would need to guess the password. You can use this to roll a better password checker, or — as we've also done in the paper — to compare different attacks.

65 of 103 comments (clear)

  1. STOP IT! by Anonymous Coward · · Score: 2, Insightful

    Stop saying my password is bad. If I make it more complicated, I won't remember it. So it would be even worse.
    And making me change it every now and then is even more stupid.

    1. Re:STOP IT! by sysrammer · · Score: 1

      Yeah, I give up.

      (plasters stickynote on monitor)

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  2. Sick of Passwords by Anonymous Coward · · Score: 3, Informative

    I don't even care if they're secure or guessable or lexographic or written down or whatever other bullshit I'm supposed to care about.

    I am sick of these bullshit passwords and signins fucking everywhere. Every single site, every single service, every single day, input this, email that, account name, please re-enter, confirm, mandatory, change must contain a two numbers, must contain capital letters, cannot contain special characters, forgotton your password?

    I've given up. Fuck it. I'll just lurk, post anonymously while I still can. I must have over 200 accounts out there and I just don't care anymore. It's too much effort to remember all this bullshit anymore.

  3. Password1 by sims+2 · · Score: 3, Informative

    Lots of things really don't need highly secure passwords but insist on having ridiculous password requirements.

    Case in point Xbox one must login to microsoft account to setup for the first time password must have at least one capital, at least one number, at least one symbol and at least 8 characters Password1~ is an acceptable password. Pita to type on xbox controller.

    Netflix is a model for reasonable requirement's especially since it likes to log itself out at random. So less to type on wii remote is a definite plus. 4 letters minimum 0000 is an acceptable password.

    --
    Minimum threshold fixed. Thanks!
    1. Re:Password1 by buchner.johannes · · Score: 2

      at least one symbol and at least 8 characters Password1~

      This leads to extremely common patterns, or classes of passwords such as ULLLLLLLDS, which can be pre-computed for cracking.

      Knowing the 30 most common such topologies and allows an attacker to crack 90% of all passwords (according to leaked password lists).

      Smart password checkers like the one of Kaspersky take that into account https://blog.kaspersky.com/pas...

      Here is a talk https://www.youtube.com/watch?... and some material here: https://blog.korelogic.com/blo....

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Password1 by bondsbw · · Score: 1

      Pita to type on xbox controller.

      To be fair, anything is a pita to type on an Xbox controller.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    3. Re:Password1 by khasim · · Score: 1

      I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.

      Of course the forbid process would take 1 second in order to block brute force attempts.

      And you can pre-seed the database of hashes by using various dictionary lists and other sites' cracked password lists.

      Over time you'll end up with unique passwords for all users that are not in any of the dictionaries.

      Also, demand "pass phrases" instead of "passwords". 15 characters or more.

      And use as much of the keyboard as possible. If your password system can accept ALT+15 then so much the better.

    4. Re:Password1 by aaaaaaargh! · · Score: 1

      I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.

      You can use a good bloom filter implementation for that.

    5. Re:Password1 by ultranova · · Score: 1

      I think an even easier approach would be to maintain hashes of the passwords and forbid anything that matches an existing or previous hash.

      Thus giving an attacker a handy way to simultaneously brute-force every account on the site. That's a horrible idea.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  4. Define better by jklovanc · · Score: 2

    various studies have found that they make users choose better passwords.

    By better do you mean harder for computers to guess or easier for users to remember and not have to write down?

    1. Re:Define better by bondsbw · · Score: 1

      Writing down a complex password is generally better and more secure than using a simple one. Attackers in China can't get into my desk drawer, and the lock keeps most who have physical access out.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:Define better by jklovanc · · Score: 2

      Attackers in China can't get into my desk drawer,

      Neither can you if you are not in your office.
      Pass phrases are easy to remember but don't follow the "at least one caps, special character and number" general rule. "unicornscraprainbows" is a pretty good password.

    3. Re:Define better by mjwx · · Score: 1

      various studies have found that they make users choose better passwords.

      By better do you mean harder for computers to guess or easier for users to remember and not have to write down?

      Yes.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:Define better by reboot246 · · Score: 1

      Why would a unicorn be in the scrap business, and can you really recycle rainbows?
      That's how I first read it - unicorn scrap rainbows, instead of unicorns crap rainbows

      You have a point, though.

  5. Read the paper. Disagree with "symbols" by xxxJonBoyxxx · · Score: 3, Informative

    >> Symbols appear to be less predictable and placed in different locations of the password

    I disagree with the paper's conclusion based on the passwords I've seen, which FREQUENTLY just end in a "!" or other common character. Here's a different paper that goes into symbol frequency; I pulled out the relevant bit.

    In almost all cases (90%), only a single special character was used. The most popular special character sequences were all single characters: exclamation point (“!” – 29%), period (“.” – 19%), “at” symbol (“@” – 15%) and hash (“#” – 14%). These were followed by the single dash (“-“), dollar sign (“$”), space (” “), asterisk (“*”), and plus sign (“+”), each making up between 3% and 6% of the single-character special character population. Passwords containing multiple special characters mainly (68%) just repeated the same special character, such as “##” or “???.” - http://resources.infosecinstit...

    1. Re:Read the paper. Disagree with "symbols" by MobyDisk · · Score: 1

      1) Some systems limit which special characters you can use!
      2) I bet people don't like to use parenthesis, brackets, or braces because seeing mismatched pairs seems "wrong." Or maybe it's just programmers.

    2. Re:Read the paper. Disagree with "symbols" by Guybrush_T · · Score: 1

      Sooooo True.

      That's what happen when you fight against human beings : they work around you. We're constantly told that adding a special character makes your password so much stronger ... those people must be morons to think that because they enforce a special character, people will start using randomly generated password. We're human beings, not machines, so we'll choose myusualpassword1! and not 4@dE^5%3SfdSF because the first is so much easier to remember.

      And that's actually fine : we're now all using web interfaces to login which are able to slow down the try rate so that a 10000-ish complexity is enough for most cases.

    3. Re: Read the paper. Disagree with "symbols" by RoccamOccam · · Score: 1

      True story - my brother and I were at a financial services institution to take care of my mother's accounts when her Alzheimer's took over. So, he's creating a password and the system wouldn't take it -- it kept giving an obvious database error (not something that would normally be shown to an end-user). He showed me what he was typing and it contained a single-quote, something like "Mom's account". I told him to take out the single quote and it was happy.

      I insisted that the representative get their developers on the phone, immediately, which she did, and then I had her relay my concerns about their obviously vulnerable design.

    4. Re:Read the paper. Disagree with "symbols" by The+Raven · · Score: 1

      You failed to demonstrate your point. You show that symbols are not used in a way that would create the most entropy in the password. But that's not what the statement said... it said that symbols generally add more entropy than capitals or numbers. And unless you also compare the entropy added by capitals (barely 1 bit most of the time, capitalizing the first letter) or numbers usually a 1 at the end, or just a few digits at the end (and even fully random digits are only 3.2bits of entropy per character).

      Symbol usage may be poor, but capital usage is shit, and number usage not much better. So poor beats out shit.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    5. Re:Read the paper. Disagree with "symbols" by Tom · · Score: 1

      I think it is generally known and trivially obvious to anyone who has done any research or statistics on this subject at all that the requirement of special characters is a total failure and where enforced it actually reduces the search space instead of enlarging it, due to human nature and the simple heuristics you can use.

      --
      Assorted stuff I do sometimes: Lemuria.org
  6. Here's an idea by Nidi62 · · Score: 3, Insightful

    Stop making us change them every 3 months and we could come up with stronger passwords.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Here's an idea by gweihir · · Score: 2

      Which is stupid anyways. If it is compromised by a competent attacker, then 3 months are far, far too long. If it is not compromised, then there is really no reason to change it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Here's an idea by dbrueck · · Score: 2

      Yes! Also, stop remembering the hashes of my past N passwords.

      Forcing you to routinely change passwords, forcing the inclusion of mixed case or numbers or symbols, forcing you to not reuse a past password... net result is less security because most people will just end up writing their weird passwords down somewhere.

      All of these restrictions aren't fixing the problem, just shifting elsewhere to be not the site's problem.

    3. Re:Here's an idea by ShanghaiBill · · Score: 1

      Stop making us change them every 3 months and we could come up with stronger passwords.

      None of the websites I use require me to periodically change my password. Are there any well known sites with this requirement?

    4. Re:Here's an idea by thoromyr · · Score: 1

      that isn't a web site thing, its a corporate thing. 30-days is an all-to common scenario. Friend of mine worked in a plant that had a disconnected network (no Internet). They were forced to use "complex" passwords with 30-day expiration and a history of the last twelve. Which was entirely ludicrous: what were they defending against? No one from the outside because it wasn't a connected network. An insider will just use the same post-it note that the user put on the monitor because they can't remember the password of the month.

      Of course, what often ends up happening is "P@$$word01" becomes "P@$$word02" becomes "P@$$word03", etc. so on and so forth. For environments that are connected to the Internet this is a serious problem. If an account is compromised the bad guy will have (on average) two weeks of fun. Then when the user changes the password if the bad guy somehow hasn't managed to establish persistence he just does the obvious increment and is back in.

      The reality is that passwords don't make for good security -- its about the same as pretending the last four of SSN authenticate an individual or that knowledge of a credit card number means you are an account holder. What is needed is something more, like using a second factor (usually "something you have" in addition to the "something you know").

    5. Re:Here's an idea by sims+2 · · Score: 1

      http://www.nicsezcheckfbi.gov/
      Used to run background checks for guns in 36 states or so.
      Password must be changed every 90 days

      I think that should qualify as well known.

      --
      Minimum threshold fixed. Thanks!
    6. Re:Here's an idea by gweihir · · Score: 2

      And a competent attacker needs maybe a day. So this policy is exceptionally stupid even taking your argument into account.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Really no surprise by gweihir · · Score: 2

    I use randomly generated passwords of lowercase letters and numbers. Most "password checkers" tell me they are insecure. This just shows how bad they are. Bit it is good that somebody did a systematic evaluation of the problem. Maybe now the stupidity will decrease.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Really no surprise by ShanghaiBill · · Score: 1

      I use randomly generated passwords of lowercase letters and numbers. Most "password checkers" tell me they are insecure.

      A random 8 byte password using only lowercase letters and numbers is more than a quadrillion times easier to crack than one that also includes uppercase and special characters.

      This just shows how bad they are.

      No, it just shows that they are designed for the common situation where a normal person is using a mnemonic password, rather than a geek using something random.

    2. Re:Really no surprise by gweihir · · Score: 1

      Depends on what security I need. Low-security: 8 chars, higher 12 chars, max 20 chars. That is 41 bit, 62 bit and 103 bit of entropy, roughly.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Really no surprise by gweihir · · Score: 1

      Yes, but I found that the mix of upper and lowercase letters is far, far more difficult to remember than just lowercase ones. For more bits just make it longer. Incidentally, 80 bits is about the spot were it will be secure for "the foreseeable future", so 119 bits is not really any better than 103 bits.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Really no surprise by sysrammer · · Score: 1

      A password can be secure using only the letters 'A' and 'B' if it's of sufficient length.

      I'll call your AlphaBeta, and raise you the binary digits.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    5. Re:Really no surprise by serviscope_minor · · Score: 1

      I used to do that:

      head -c 16 /dev/random | md5sum

      then use the checksum. A nice, full 128 bits of randomness, and frequently rejected for being insecure. Now I do:

      head -c 10 /dev/random | base64

      The nice thing about 10 chars is you always get == at the end giving the required symbols. The rest is of course 80 bits of randomness. Sometimes it won't have a digit, so you have to repeat.

      --
      SJW n. One who posts facts.
  8. Fix the bloody short limits first ... by UnknownSoldier · · Score: 1

    Some sites have a horrible password schemas:

    * Want to put in 16 characters for a password (think passphrase)? Nope, not allowed because some idiot thought you shouldn't be able to enter more then 8 chars.
    * Enter in a password only to have it rejected? Tell us _which_ characters are allowed and which ones aren't !

    1. Re:Fix the bloody short limits first ... by Bob+the+Super+Hamste · · Score: 1

      * Want to put in 16 characters for a password (think passphrase)? Nope, not allowed because some idiot thought you shouldn't be able to enter more then 8 chars.

      Sounds like my old bank. If I want to be able to use an epic poem written in the original language (we do support Unicode, right?) I should be able to, or if I am reasonably smart I should be using a password vault and should be able to enter 128 random characters if I want but far too many sites like to have a limit on password strength. I also like the stupid security questions they present as I just use them as an added source of entropy and are filled with other random chars. It is rather interesting when someone attempts to brute force your account and it ends up getting locked and you have to call the service center though.

      --
      Time to offend someone
    2. Re:Fix the bloody short limits first ... by fisted · · Score: 1

      * Tell us _which_ characters are allowed and which ones aren't !

      Yes, please. It will make the search space so much smaller!

      --
      CLI paste? paste.pr0.tips!
    3. Re:Fix the bloody short limits first ... by Tyrannosaur · · Score: 1

      * Tell us _which_ characters are allowed and which ones aren't !

      Yes, please. It will make the search space so much smaller!

      Implying that that would be good for attackers. If this is the case, why have the restriction in the first place?

  9. Re:Personal responsibility by avandesande · · Score: 1

    Except that if your company has no password policy and a bunch of bad stuff is done with a user's account, you can't hold the user accountable, because you are not sure that they did it.... and they were just following policy.

    Also there are pesky things like getting audited that come into play.

    --
    love is just extroverted narcissism
  10. Password managers by LichtSpektren · · Score: 2

    What's easier, teaching somebody who isn't tech savvy: A) how to use KeePass X or some other offline password manager; or B) to manually compose a bundle of strong, memorable passwords, to change them at least once a year, but not to re-use them, not to use them on any computer that could keylog them, and not to write them down or save them in plaintext?

    The answer seems pretty obvious to me.

    1. Re:Password managers by mjwx · · Score: 1

      What's easier, teaching somebody who isn't tech savvy: A) how to use KeePass X or some other offline password manager; or B) to manually compose a bundle of strong, memorable passwords, to change them at least once a year, but not to re-use them, not to use them on any computer that could keylog them, and not to write them down or save them in plaintext?

      The answer seems pretty obvious to me.

      Tech savvy people get passwords wrong as often as non-tech savvy people.

      This is because passwords aren't about technology in as much as they are about risk and I've met a lot of very tech savvy people who know nothing about managing risk.

      When it comes to risk, you have to quantify the risk and then classify it. What is the risk of this password being comprimised, what are the potential results of it being compromised, so on and so forth. A lot of people never think about these things.

      To me, I've got various levels of security. Things that represent a real problem if they become compromised like my bank or work account are high risk, therefore high security. For these sites I use unique passwords, change them regularly and all the other cliche's, above all else I never save or write down these passwords. Then there are the moderate security accounts, things that dont represent a financial risk but would still be a huge PITA if comprimised like my Gmail account, these have a unique password but I rarely change them. I also save the passwords on what I consider a secure device. Finally there are low security things like forums where I just dont give a shit. I have a few generic passwords that fit varying levels of complexity requirements.

      Personally I'd never use a password manager for a variety of reasons.
      1. It's a single point of failure, if you lose it you're fucked.
      2. It's a single point of failure, if it gets compromised you're doubly fucked.
      3. Its a single point of failure, if you forget your password manager password... well you get the picture.
      4. You need to keep it synced across all your devices, given that I have Windows, Linux and Android devices this is a pretty tall order to do securely. I imagine IOS would make it even harder
      5. Password managers in various browsers are good enough for low security applications and dont require a different application installed.
      6. Changing forgotten passwords are simple enough. The fact is we don't do this often however when we do it's usually annoying because it's when we're trying to do something.

      I'd also recommend against others, especially the non-tech savvy from using password managers. Its better in the long run to teach them about security and techniques on how to deal with it. Sure it's harder, but realistically all other methods are flawed shortcuts.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  11. Phonetic passwords by goombah99 · · Score: 1

    I'm a big fan of random phonetic passwords. The work well for my brain. Even a short base64 random letter password is harder for me to recall than a long phonetic password. Look at that co-author's butter tasting name " Maurizio Filippone". It's totally awesome to say that out loud. And do that 7 times right now and this evening you will still be able to say it. But you won't be able to recall 5(F{!X45*~d tonight. It's pretty easy to generate these where each phonem or di-phonem component has a very large library. I once wrote such a generator as a test and would just give people ten at a time to choose a password from. One person said it was a good way to choose baby names too.

    A way I've experimented with password recovery is to generate a very long sentence I can remember and hash this to a random number seed. Then generate rememberable phonetic passwords in order starting from that seed, then pick one of the first hundred you are offered. If you need to recover your password later you just have it recreate the password list again from that sentence. Your brain can easily spot the password you picked the first time.

    This latter test convinced me that phonetic passwords are easy to remember. If I had tried the same seeded passwrod generator on base64 passwords it less likely i'd spot my favorite in the mix.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Phonetic passwords by vux984 · · Score: 2

      Sure. I can remember one of those. But seriously the (r) and (c) symbols ... pray you never need type that in on someone elses laptop computer with an international keyboard and no numeric pad or a smartphone keyboard... etc.

      But more importantly I can't remember dozens of those.

      And password re-use is a bigger issue than using a good password.

      I use a mix of a password safe for most passwords, and subset of passwords i need to use commonly are 'algorithmic' based on what i need them for / the sites name / etc.

      However, I try to keep the algorithmic ones to a minimum because if you ever have to change an algorithm generated password, it really sucks... because the algorithm you normally use can't be used... because that would result in the password you have now, that you can't use.

      And as that starts to accumulate the benefit of algorithmic passwords rapidly declines.

    2. Re:Phonetic passwords by sysrammer · · Score: 1

      Nope, seen this several times. Not easy to remember.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    3. Re:Phonetic passwords by dotgain · · Score: 1

      Nah, all you need is Correct%Horse®Battery©Staple. A bunch of common words - not really related and not a meme

      Nope, Bruce Schneier debunked this https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

    4. Re:Phonetic passwords by diamondmagic · · Score: 1

      Bruce Schneier isn't usually wrong about this stuff, but it seems he's serverely mistaken into what the XKCD/Diceware method actually is. You're choosing four words totally randomly from a list of ten thousand or so. Knowing someone is using the diceware method, their password will (still) have 51 bits of security, way more secure than most passwords and even the scheme that he describes in the blog post.

      --
      Wonder what the public key field is for?
    5. Re:Phonetic passwords by radarskiy · · Score: 1

      Note that Bruce Schneier doesn't actually debunk it, he just assert that it is bad.

      Compare that with the "Schneier Scheme" "take a sentence and turn it into a password." He thinks of a sentence and takes the initial letter for long words, the whole word for short words, a digit for number words or homophones of number words, and and a arbitrary list of some other manipulations. However, from a brute force perspective this is functionally equivalent to always writing out whole words since a password brute force algorithm and just as easily apply those deterministic manipulations in constant time. In addition, starting from a sentence constrains the word choice by the rules of grammar for language used. For a given number of words, the sentence is less random than the non sentence. The user must also remember which manipulations were used and not used, while it is no more difficult for the brute forcer to just try everything in its list of manipulations.

    6. Re:Phonetic passwords by radarskiy · · Score: 1

      "But seriously the (r) and (c) symbols ... pray you never need type that in on someone elses laptop computer with an international keyboard and no numeric pad or a smartphone keyboard... etc."

      The particular symbols are not important, they are just to appease any password strength algorithm. The actual value of that kind of password comes from the string of words than can be meaningful to the user without being statistically prominent.

    7. Re:Phonetic passwords by vux984 · · Score: 1

      The post I was responding to was specifically asking for symbol characters that weren't 'above the numbers'. (r) and (c) the examples given ... aren't even on most keyboards, and the methods for inputting them can be wildly variable, and a royal PITA to even know if you are doing it right if all you get as feedback is the usual asterisk.

    8. Re:Phonetic passwords by s13g3 · · Score: 1

      Re: parent, while the XKCD for this is more or less correct, the fact of the matter is that there is no excuse today for all passwords - even those for simple forums - to be fully salted and encrypted, with an arbitrary minimum length of 4 - 8 characters, a max length of at least 64 characters, and no restrictions or requirements whatsoever on character usage, because at that point, beyond brute force attacks (for which there are a wide variety of available defense methods, from simple to complex), it really shouldn't matter at that point what combination of characters are or are not used - at least in terms of a compromised user password database - and it should be up to the user in all cases to decide on their own level of security vs. ease of use, and in the event it is their own poor selection of password that results in a compromise, should be accepting of the consequences of their choices.

      --
      "Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage
  12. Re:English is not Spanish by Anonymous Coward · · Score: 1

    No, GP was correct. Written English is certainly a different set of registers from spoken English, but the original sentence is grammatical in neither. The original placement of "well" does not satisfy the correctness conditions of English syntax. It's not idiomatic. It's wrong.

  13. Stop caring! by darkain · · Score: 2

    Let's stop caring about password complexity! It is a losing game. Let's stick with simple passwords that are super easy to remember and type.

    Security shouldn't be limited to a single factor. Two factor authentication is what we SHOULD be using. Something you know (the password), and something you have (some physical device). U2F is a damn perfect example of this. You can use your phone as an authenticator. You can add the authentication codes on multiple devices in case you lose the primary. These codes generate a time based sequence of numbers, so even if some MitM attach steals the entire login session details, it'll only be valid for at best ~1 minute.

    https://en.wikipedia.org/wiki/...

  14. Allow pass phrases by MobyDisk · · Score: 1

    From the article:

    Making a password longer or including symbols was much more effective.

    Yet so many systems limit password lengths and forbid special characters. Example: My bank is one of the top 20 largest banks in the US, and they do not allow special characters in their web banking.

  15. Why is this still a problem? by lurker412 · · Score: 1

    I don't understand why brute force attacks can't be stopped by limiting the number of failed attempts on any given account name and password. After x failures on either, don't accept another attempt for y minutes. It can't just be stupidity, so what am I missing?

    1. Re:Why is this still a problem? by ledow · · Score: 1

      Failing on attempts from the same IP? They spread them across millions of IPs

      Failing on attempts on a particular account? Good luck explaining to your users why their accounts lock out every week and they have to come to you to unlock because of random people attempting to bruteforce them.

      Failing on attempts within a time-frame? These things are long-running attacks, millions of attempts per second across the globe. They only have to get lucky once.

      That said, it's not a brute-force that's your main problem. They only need one in and the number of vulnerabilities etc. mean they can move around. One password hash for one browser session or passwd file aand they can spend months offline on stolen hardware (Amazon accounts etc.) brute-forcing it not subject to your restrictions.

      Brute force attacks are not a problem, you can rate-limit them into obscurity. But, like spam email, even with rate-limiting, if you're being bombarded en-masse while trying to operate normal services, and they are being clever, things can still slip through and it only needs one.

      Weak passwords are brute-forcible even with rate-limits. Strong passwords aren't. They will obviously try weak ones first until they can get something which might give them a crowbar into a strong-passworded account (like, say, a local account not subject to the pass rate-limits on escalation requests).

  16. Re:bad article by sims+2 · · Score: 1

    This one was pretty funny; http://thedailywtf.com/article...

    Protip flog is not a good password on a golf website.

    --
    Minimum threshold fixed. Thanks!
  17. commentsubjectsaredumb by Falos · · Score: 1

    Fifty posts, didn't spot acronyms.

    rrrybgdts
    ttlshiwwya
    ratrpfop

    Nursery rhymes.

  18. Here it is by undecim11 · · Score: 1

    def IsPasswordHackable(password): return True

  19. NO, they are no good. by hyperar · · Score: 1

    They make you choose passwords like JaNjwMownpJu81% which is pure crap, hard to remember, easy to bruteforce. Most sites won't let you use pass phrases, which are much more secure that those cryptic bullshit.

  20. zxcvbn by oojah · · Score: 2

    I haven't seen zxcvbn mentioned before, a similar look at password strength from 3 years ago.

    https://blogs.dropbox.com/tech...

    Demo is here: https://dl.dropboxusercontent....

    Personally I like the output of http://www.kurtm.net/wpa-pskge... for passwords:

    o|IRcWY;g_V]C}9'.@]@,]!YF.[Yj{K@QmuFCo%%!=~+ab,e2(pU97{V-)Qm*T

    --
    Do you have any better hostages?
    1. Re:zxcvbn by sysrammer · · Score: 1

      How about the shibboleth "xyzzy"?

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  21. personal responsibility by thinsoldier · · Score: 2

    Services should not care about whether or not my password is easy to guess (easy to remember). They should only care about making sure nobody can hack into their data center and steal EVERYONE'S passwords.

  22. Re:English is not Spanish by TechyImmigrant · · Score: 1

    No, GP was correct. Written English is certainly a different set of registers from spoken English, but the original sentence is grammatical in neither. The original placement of "well" does not satisfy the correctness conditions of English syntax. It's not idiomatic. It's wrong.

    I didn't well understand that.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  23. Re:Arf5! by davester666 · · Score: 1

    dammit. now I have to change my password.

    --
    Sleep your way to a whiter smile...date a dentist!
  24. yes, please! by Tom · · Score: 1

    This is exactly what we need. An approach that tells users who strong their passwords actually are in real-life scenarios, and not how well they conform to some arbitrary policy.

    The alternative, that's been used by some for more than a decade, is to run your own password cracker at night, and everyone whose password it cracks by morning is sent a mail telling them to change it.

    We desperately need to get away from these awful policies that try to make passwords as random as possible for two reasons. One, they are a total failure, people are very inventice when it comes to finding a password that will satisfy the stupid computer but still be easy to remember (and guess). Two, if you make it complicated enough, people will just re-use and write down passwords more. Congratulations, one step forward, two steps back.

    --
    Assorted stuff I do sometimes: Lemuria.org
  25. Re:Arf5! by invictusvoyd · · Score: 1

    I think its cheaper to plug in a biometric scanner these days . Passwords are like the time when Stallman was at MIT.