An Algorithm For Better Password Checking (technologyreview.com)
New submitter della writes: Password checkers — those things that tell you whether your password is strong or not — are good: various studies have found that they make users choose better passwords. Unfortunately, nowadays attackers use probabilistic strategies based on natural language processing to guess passwords earlier, and most checkers consist of heuristic rules that don't reflect probabilistic attacks well. To do better you could in theory simulate the attack, but if your password is not that bad, that would be very expensive or just infeasible.
In a paper I wrote with Maurizio Filippone and presented at ACM's CCS conference, we show how you can take an attack model and a password, and through a simple formula come up quickly with a reliable estimation of how many guesses that attack would need to guess the password. You can use this to roll a better password checker, or — as we've also done in the paper — to compare different attacks.
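As an added illustration of the gap the summary describes (this is not code from the paper), the Python below trains a toy character-bigram attack model on a constructed list of common-looking passwords, estimates a password's guess number by sampling from that model, and contrasts the result with a typical rule-based checker. The training list, the bigram model and the Monte Carlo estimator are my choices for illustration; the paper's own model and formula are not reproduced here.

```python
import math
import random
from bisect import bisect_left
from collections import Counter, defaultdict

START, END = "\x01", "\x00"  # out-of-band markers; cannot collide with typed characters

# Constructed stand-in for a leaked-password corpus (not real data). A real attack
# model would be trained on millions of leaked passwords.
TRAINING = [
    "password", "password1", "Password1", "Passw0rd!", "Welcome1!", "Summer15!",
    "letmein", "qwerty", "qwerty123", "monkey", "mustang", "xbox360", "baseball",
    "7777777", "iloveyou2", "trustno1", "killer", "123456789", "abc123", "zxcvbnm",
    "football", "dragon", "master", "shadow", "jennifer", "michael", "superman",
]


class BigramModel:
    """Character bigram model with add-alpha smoothing: p(pw) = prod p(c_i | c_{i-1})."""

    def __init__(self, passwords, alpha=0.1):
        self.alphabet = sorted(set("".join(passwords)) | {END})
        self.index = {ch: i for i, ch in enumerate(self.alphabet)}
        counts = defaultdict(Counter)
        for pw in passwords:
            prev = START
            for ch in pw + END:
                counts[prev][ch] += 1
                prev = ch
        # Smoothed transition probabilities, precomputed per previous character.
        self.table = {}
        for prev in [START] + self.alphabet:
            c = counts[prev]
            total = sum(c.values()) + alpha * len(self.alphabet)
            self.table[prev] = [(c[ch] + alpha) / total for ch in self.alphabet]

    def probability(self, pw):
        p, prev = 1.0, START
        for ch in pw + END:
            if ch not in self.index:
                return 0.0  # character never seen in training: this model never guesses it
            p *= self.table[prev][self.index[ch]]
            prev = ch
        return p

    def sample(self, rng, max_len=64):
        """Draw one password from the model (what the attacker's generator emits)."""
        out, prev = [], START
        while len(out) < max_len:
            ch = rng.choices(self.alphabet, weights=self.table[prev])[0]
            if ch == END:
                break
            out.append(ch)
            prev = ch
        return "".join(out)


class GuessNumberEstimator:
    """Monte Carlo estimate of how many guesses a probability-ordered attack needs.

    Sample n passwords from the model; for a password of probability p, the number of
    passwords the model ranks at or above it is estimated as (1/n) * sum_{q_i >= p} 1/q_i.
    This is a standard importance-sampling estimator chosen for this example; it is not
    claimed to be the exact formula in the paper.
    """

    def __init__(self, model, n_samples=5000, seed=1):
        self.model, self.n = model, n_samples
        rng = random.Random(seed)  # fixed seed so results are reproducible
        self.probs = sorted(model.probability(model.sample(rng)) for _ in range(n_samples))
        # suffix[i] = sum of 1/q over probs[i:], so each estimate is one binary search
        self.suffix = [0.0] * (n_samples + 1)
        for i in range(n_samples - 1, -1, -1):
            self.suffix[i] = self.suffix[i + 1] + 1.0 / self.probs[i]

    def estimate(self, pw):
        p = self.model.probability(pw)
        if p == 0.0:
            return math.inf  # never generated by this attack model
        return self.suffix[bisect_left(self.probs, p)] / self.n


def heuristic_ok(pw):
    """Typical rule-based checker: length >= 8 and at least three character classes."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= 8 and sum(classes) >= 3


MODEL = BigramModel(TRAINING)
ESTIMATOR = GuessNumberEstimator(MODEL)

if __name__ == "__main__":
    for pw in ["Password1!", "kq7x2m9vbt"]:
        verdict = "pass" if heuristic_ok(pw) else "fail"
        print(f"{pw:12} rules={verdict:4} estimated guesses ~ {ESTIMATOR.estimate(pw):.3g}")
```

Against this model, "Password1!" satisfies the three-class rule yet receives a far lower estimated guess number than "kq7x2m9vbt", which the rule rejects; that inversion is the point of the summary. A production checker would use a much larger corpus and a richer model (a higher-order Markov chain or a PCFG), but the sample-once, binary-search-per-password structure is what makes the estimate cheap compared with simulating the attack.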
Stop saying my password is bad. If I make it more complicated, I won't remember it. So it would be even worse.
And making me change it every now and then is even more stupid.
I don't even care if they're secure or guessable or lexicographic or written down or whatever other bullshit I'm supposed to care about.
I am sick of these bullshit passwords and signins fucking everywhere. Every single site, every single service, every single day: input this, email that, account name, please re-enter, confirm, mandatory, change, must contain two numbers, must contain capital letters, cannot contain special characters, forgotten your password?
I've given up. Fuck it. I'll just lurk, post anonymously while I still can. I must have over 200 accounts out there and I just don't care anymore. It's too much effort to remember all this bullshit anymore.
Lots of things really don't need highly secure passwords but insist on having ridiculous password requirements.
Case in point: Xbox One must log in to a Microsoft account to set up for the first time. The password must have at least one capital, at least one number, at least one symbol and at least 8 characters. Password1~ is an acceptable password. PITA to type on an Xbox controller.
Netflix is a model for reasonable requirements, especially since it likes to log itself out at random, so less to type on a Wii remote is a definite plus. 4 letters minimum; 0000 is an acceptable password.
Minimum threshold fixed. Thanks!
various studies have found that they make users choose better passwords.
By better do you mean harder for computers to guess or easier for users to remember and not have to write down?
>> Symbols appear to be less predictable and placed in different locations of the password
I disagree with the paper's conclusion based on the passwords I've seen, which FREQUENTLY just end in a "!" or other common character. Here's a different paper that goes into symbol frequency; I pulled out the relevant bit.
In almost all cases (90%), only a single special character was used. The most popular special character sequences were all single characters: exclamation point (“!” – 29%), period (“.” – 19%), “at” symbol (“@” – 15%) and hash (“#” – 14%). These were followed by the single dash (“-“), dollar sign (“$”), space (” “), asterisk (“*”), and plus sign (“+”), each making up between 3% and 6% of the single-character special character population. Passwords containing multiple special characters mainly (68%) just repeated the same special character, such as “##” or “???.” - http://resources.infosecinstit...
Stop making us change them every 3 months and we could come up with stronger passwords.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
I use randomly generated passwords of lowercase letters and numbers. Most "password checkers" tell me they are insecure. This just shows how bad they are. But it is good that somebody did a systematic evaluation of the problem. Maybe now the stupidity will decrease.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
What's easier, teaching somebody who isn't tech savvy: A) how to use KeePass X or some other offline password manager; or B) to manually compose a bundle of strong, memorable passwords, to change them at least once a year, but not to re-use them, not to use them on any computer that could keylog them, and not to write them down or save them in plaintext?
The answer seems pretty obvious to me.
Let's stop caring about password complexity! It is a losing game. Let's stick with simple passwords that are super easy to remember and type.
Security shouldn't be limited to a single factor. Two-factor authentication is what we SHOULD be using. Something you know (the password), and something you have (some physical device). U2F is a damn perfect example of this. You can use your phone as an authenticator. You can add the authentication codes on multiple devices in case you lose the primary. These codes generate a time-based sequence of numbers, so even if some MitM attack steals the entire login session details, it'll only be valid for at best ~1 minute.
https://en.wikipedia.org/wiki/...
I haven't seen zxcvbn mentioned before, a similar look at password strength from 3 years ago.
https://blogs.dropbox.com/tech...
Demo is here: https://dl.dropboxusercontent....
Personally I like the output of http://www.kurtm.net/wpa-pskge... for passwords:
o|IRcWY;g_V]C}9'.@]@,]!YF.[Yj{K@QmuFCo%%!=~+ab,e2(pU97{V-)Qm*T
Do you have any better hostages?
Sure. I can remember one of those. But seriously, the (r) and (c) symbols ... pray you never need to type that in on someone else's laptop computer with an international keyboard and no numeric pad, or a smartphone keyboard, etc.
But more importantly I can't remember dozens of those.
And password re-use is a bigger issue than using a good password.
I use a mix of a password safe for most passwords, and a subset of passwords I need to use commonly are 'algorithmic', based on what I need them for / the site's name / etc.
However, I try to keep the algorithmic ones to a minimum because if you ever have to change an algorithm generated password, it really sucks... because the algorithm you normally use can't be used... because that would result in the password you have now, that you can't use.
And as that starts to accumulate the benefit of algorithmic passwords rapidly declines.
Services should not care about whether or not my password is easy to guess (easy to remember). They should only care about making sure nobody can hack into their data center and steal EVERYONE'S passwords.