Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk)
An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.
Terrible code is terrible... news at 11.
Honestly, wtf did you expect? Some fancy AI behind the scenes testing each password given? This is the age of "get it done and out the door, fuck quality" when it comes to programs/scripts/whatever.
It's simple JavaScript. I'm sure a register page doesn't need to download a database of the worst passwords or AJAX the server to verify it.
Be or ben't
... a password is technically strong, yet popular?
This is hands down, an absolute waste of my life to read. Everyone here knows how password strength meters rate on character complexity in terms of avoiding brute force attacks. The fact that some dumb people choose dumb passwords will remain. Even if you blocked a group of what you might consider "common cliche" passwords, people will adopt others as you chase an endless moving target. Simple fact is, people need to be somewhat educated to protect themselves. This is no different than locking your door but leaving your key under the mat. If that is an "illusion" of security, you are just a moron.
https://xkcd.com/936/
Considering some of the passwords that I give and still manage to get a "Strong" rating I'm not surprised. It's a silly piece of javascript code that tries to measure complexity... quick and dirty.
What sucks is this obviously lulls people into thinking they've got a great password when a password like "1PaR0fSt1nkYS0cks!" while it'll get a strong rating... isn't strong...
Yes Francis, the world has gone crazy.
...grant little more than an illusion of protection
I thought that was their job.
I have an account with a financial institution which enforces maximum lengths on both passwords and account IDs. Both my preferred password and account ID are longer than this limit. The user ID they simply won't accept, so I must use a shortened one on that site. The password they accept but truncate, so I can type any random garbage after a certain position, and it will be accepted as long as the beginning matches. I have seen other cases where the password is not permitted to contain, e.g., non-alphanumeric characters, or must "start with a letter" or something equally silly.
Stop doing that shit, web sites. And don't make me change it every 3 months, either, because that's annoying. I have a nice, "pwgen 25" generated password per site that's quite secure, thank you, and making me submit a new one every few months and go through some email verification process introduces potential for mistakes.
As the 'strength' meter increases, the 'usefulness' decreases. If the password is long and uses a lot of characters, it'll be harder to remember, which leads to it being written down. If there's some minimum threshold of complexity, which is often tied to the meters, that reduces entropy.
I've generated super-strong passwords and then it turns out the site I used it on not only let their DB loose but they weren't properly encrypting passwords anyway
1 password per site minimizes the damage, that's about it
These technical purists are out of control and it is hurting their cause. The demand for complex password and frequent password changes is causing users to create stupid iterative passwords and I don't blame them.
So fucking what if your relatively strong password is on the top 10,000 passwords list. That's a 1:10,000 chance of guessing it. The account should lock after 5 failed guesses. That's pretty strong and likely strong enough.
Don't make users' lives difficult with some epic shit requiring them to remember ^KE*lwr7()kwers5kkoaaaaaw78!@~ every 30 days. That's just going to get written on a Post-it note and probably emailed around.
Eight to 10 character minimum, 5 failure lockout, and 2FA if you've got it.
My password is eatdick, but even knowing it you still can't login to my accounts.
At first I was all like, so the security expert can tell me that some of these password meters rate things like "p@ssword" as secure when they're obviously not, but they're not /quite/ expert enough to come up with a better tool that can more accurately gauge password strength?!@
Then I read the article; lo and behold, the author actually points out an open source tool called zxcvbn by Dropbox that is actually good at it (or at least, doesn't suck on the harsh battery of tests that these products were subject to (basically just running five passwords through six different meters).
tldr: use zxcvbn
A lock only keeps an honest man honest. Same goes for a password. While a more complex password will do the job much better, as does a better lock, neither will keep out someone who wants to get in. Rather than meaningless password strength meters next to the password box, there should be some graphic that helps create or suggests stronger passwords. It may not prevent them from using more common passwords or phrases but it might better get their attention. On the other hand, some people just don't care enough to be bothered.
Some of these "password requirements" actively force weaker passwords, in that they enforce a maximum length! I've seen some that force a 12 character maximum, making the xkcd 4 common word technique unusable, especially since they often stupidly require mixed case and a numeric and a special char.
. . . .uses his name as a password. Because NOTHING can break Chuck Norris. . . .
I spent 15 years developing and writing password / pass phrase security tools used on a huge number of web sites. I analyzed millions of brute force and dictionary attempts, as well as the offline tools.
In my professional opinion, where strength meters and password policies most often fail is that they greatly underestimate the importance of length. I recently encountered a site which required:
8-12 characters
Must include upper and lower case
Must include digits
Must include punctuation
Well we've all been taught since 1st grade or so that punctuation goes at the end of a sentence, and the first letter is capitalized, so most passwords on the system are of the form:
Capital lower lower lower lower lower lower digit punctuation.
Since the whole password is 8-12 characters, to get the digit and punctuation at the end you need a word that is 6-10 letters. Passwords are pretty predictable on that system. According to their policies, these are good passwords:
Password1!
Passw0rd!
But this is a horrible password, that anybody can guess:
YRNKBV JSYZCXPRM ZOXADEKO JARQYTLY
OFOFBQ VKGDOSUE XFEUJQOHG TZBVHQIA WSBQHKVD SPIODPL
Allow and encourage long pass phrases. (Also encourage the term "pass phrase", not "password".) Making your pass phrase a tiny bit longer adds much more security than switching the number 0 for the letter O.
Ever heard of 2048 bit security? Or 1024 bit keys? That's how security professionals talk about strength - X number of bits. Those numbers refer to the LENGTH of the keys (passwords). That's what's most important above all.
See also:
http://imgs.xkcd.com/comics/pa...
I really want to understand why tech companies are so incredibly inept when it comes to things of actual importance. This password problem should have been solved years ago. It's not that hard, for Pete's sake.
universal id number
pin code
biometric id (finger, hand, eye)
cell phone nfc
key fob
Industry consortium needs to get together to standardize on each of these and then services can mix and match depending on their particular security requirements.
Personally I am starting to think passwords are still being used *because* they are easy to crack. And oh how they love to ask personal "security questions" -- more like "unsecurity questions". I lie my ass off on those.
:T:R:A:N:S:
I built a decent server side implementation. The password gets sent to the server (securely) and the server does a series of checks and returns a simple score. Some checks include comparing similarity against the top 1000 list, checking for simple substitutions such as "@" for "a", and making sure users don't just use trailing numbers. Plus about a dozen other little checks, which I researched were common password features.
The scary thing was, my email password got a very low score when I tested it. But I fixed that now. :)
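An added example, not the commenter's own implementation, of the kind of server-side checks described above (similarity to a common-password list, undoing "@" for "a" substitutions, ignoring trailing digits), extended with the Capital-lowers-digit-punctuation template and the leet-substituted passwords other comments in this thread mention. The wordlists here are constructed stand-ins for the real top-N lists.

```python
import re
import string

# Constructed stand-in for the top-10,000 list the article tested against;
# a real deployment loads the full leaked-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "ncc-1701"}
# Constructed slice of a cracking wordlist (only 4+ letter words are used).
COMMON_WORDS = {"password", "troubador", "hunter", "stinky", "socks", "horse",
                "battery", "staple", "correct", "enterprise", "monkey"}

# Substitutions a complexity meter rewards but a wordlist rule undoes for free.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "|": "l",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# The "Capital lower ... lower digit punctuation" shape an 8-12 character
# upper/lower/digit/punctuation policy pushes people into.
SENTENCE_SHAPE = re.compile(r"^[A-Z][a-z]{5,9}\d[^\w\s]$")


def normalize(pw):
    """Drop bolt-on digits/punctuation at either end and undo leet substitutions."""
    core = pw.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def word_coverage(core, words=COMMON_WORDS):
    """Longest-match scan: (characters explained by wordlist words, words found)."""
    i = covered = count = 0
    while i < len(core):
        best = max((len(w) for w in words if core.startswith(w, i)), default=0)
        if best:
            covered, count, i = covered + best, count + 1, i + best
        else:
            i += 1
    return covered, count


def assess(pw):
    """Return (verdict, reasons); 'guessable' when any wordlist-style rule explains it."""
    reasons = []
    low = pw.lower()
    hits = [c for c in COMMON_PASSWORDS if c in low]
    if hits:
        reasons.append("contains common password %r" % hits[0])
    core = normalize(pw)
    covered, nwords = word_coverage(core)
    if core in COMMON_WORDS:
        reasons.append("one wordlist word once leet/suffix are undone: %r" % core)
    elif core and covered / len(core) >= 0.6 and nwords < 4:
        # Fewer than four words keeps the dictionary^n search cheap; a four-word
        # phrase passes this rule, as the thread's fourth-power argument says.
        reasons.append("%d wordlist words explain most of %r" % (nwords, core))
    if SENTENCE_SHAPE.match(pw):
        reasons.append("Capital-lowercase-digit-punctuation template")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    return ("guessable" if reasons else "ok"), reasons


if __name__ == "__main__":
    for pw in ("Password1!", "Tr0ub4d0r&3", "NCC-1701-d", "1PaR0fSt1nkYS0cks!",
               "hunter2", "correct horse battery staple", "Gei&zae2 wo{Thoo5"):
        print(pw, assess(pw))
```

Every password this thread reports a meter rating "strong" comes back as guessable, while the random pwgen string and the four-word phrase do not; a real checker would swap in the full lists and add zxcvbn-style keyboard-walk and date rules.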
The only way I create a password is to randomly type while randomly hitting SHIFT (usually to more than 25 characters), and save to my computer in a PW file. That PW file is encrypted with a password that's actually a sentence that I made up. I know it's not 100% fail-proof.
Politics; n. : A religion whereby man is god.
For me, the annoyance is worst when you are forbidden from making a truly secure password. I've seen sites which forbid more than 12 (or even 8) characters, forbid spaces (or all non-alphanumerics).
Back when I did IT support in the 80's, our minicomputer-based servers required six digits, and must be changed every 90 days (didn't check for repeats). I knew I could go to any admin's desk and have a good chance of logging in with SPRING, SUMMER, AUTUMN or WINTER. Later they changed it to 8 characters, so I knew I could use SPRING87, etc.
Design for Use, not Construction!
2Password5Me
People don't all independently come up with a plan of making up terrible password rules - it's just a difficult to extinguish meme propagated by clueless deal makers.
Many systems I've worked on have terrible password rules. Symbols and numbers, and requirements to change them all the time (thus guaranteeing they'll be written down)... but it was never really our decision. We had to follow the security document, and the security document had to have those rules, because we'd agreed to follow those rules in order to work with a certain client or vendor. Ever wonder why some system won't let you change your password more than once a day? It's dumb, right? It's just one of those things that makes it into someone's weird viral rules.
That client or vendor probably didn't want those rules either, but their security document said they could only use vendors and clients that agreed to those rules, and their security document said that because it was part of a deal with one of their clients.
And it's not just this. There's tons of companies out there trying to get in on this viral security racket. We'll work for you for free! And for extra security we'll do audits of all your vendors and/or clients... and then blackmail them all into buying our software, so that they can be assured they'll pass the security audit they now need to work with you (quite possibly something they need to survive). And maybe some of them, we'll offer a "free" deal with, as long as they set policies that will allow us to blackmail all their vendors. Some of them don't even bother to hide it, they just send you the audit notice, namecheck the client you'll lose, and a price.
Let's not stir that bag of worms...
Tr0ub4d0r&3 passed with flying colors at http://www.passwordmeter.com/. That (and its close variants) really should be in the "common passwords/automatic fail" bin for all password checkers.
On the other hand, the same site gave correct horse battery staple a score of only 25%, which means "this is a weak password."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's fine to use a relatively-weak password for an "I don't care if this gets compromised" task.
An example would be a web site that let you upload a file but it would automatically be deleted an hour later, BUT you could delete it sooner if you created a password. Does it really matter if your password is relatively weak (but not something trivial, like "password")? As long as it's a one-off password that you don't use elsewhere, it's still "suitable" for the task.
https://xkcd.com/1053/
`echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
populate_mah_rainbow_tables.js
Humor aside, people should never, ever, ever never type their real password into a site "checking strength". My humor has a whole lot of reality involved.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
It's not the password strength meters that bother me. I generally just ignore those. What drives me utterly insane are the restrictions on my password. And these are far too common. The two biggies are:
1) Restricting what characters I may use in my password (no / or % or & or whatever) == Oh hai, We're not bothering to sanitize my inputs. We are a bunch of morons and you shouldn't use our site or service.
2) Restrictions on the maximum length of my password. == Oh hai, we're not bothering to hash your password but are, instead, just storing it in a fixed-length field somewhere. We're a bunch of morons and you shouldn't use our site or service.
What really Really REALLY drives me up the wall is that these sorts of restrictions seem to most often be present in places where security is most important and where I don't have the *choice* not to use their service. (My current employer's medical and 401k providers, for example.)
Imagine all the people...
I started using a passwordless approach. It's been a couple of months now, and I recently wrote an article about this: https://biogeniq.ca/en/article... Bottom line is, it's possible to create a service that does not use passwords, but you still have to rely on other services (such as emails). And these are still protected by passwords...
Decode your health
that I can think of, is the so-called "security questions" that will "help you recover if you forget your password"! Questions like, mother's maiden name, town where you were born, your first school, your first car etc. etc.
How bloody stupid can these idiots possibly get? If I wanted to hack somebody's account I'd head straight for the genealogy sites!
I DO NOT lose passcodes, nor can I remember them, because I use an encrypted passcode wallet and every passcode in there is long and completely random. When some idiot has written mandatory security questions into a site that I need to use, every answer is a complete lie which I then have to enter into the free text field of my passcode wallet. So for me these questions are not a security risk just a damn nuisance.
Ubuntu 16.4 has an absolutely useless Password Strength meter. I installed it on my laptop and wanted to give my 6-year-old a minimally difficult password to get in, but I could not circumvent the strength meter. So instead, I had to give him a passwordless login which is, uh, obviously not the intended result.
For giggles I just tried the top two hits in Google for "password strength meter".
http://www.passwordmeter.com/
https://www.my1login.com/resou...
I typed in "NCC-1701".
The first said it's a strong password with a score of 69%. The second said it was a medium password that would take 30 hours to crack. Making it "NCC-1701-d" upgraded it to very strong and 100% on the first and very strong at 112 years to crack on the second.
So yeah. Those meters are garbage. Don't trust them. Much better to generate random strings with the maximum length and character set the site will allow; and use a password manager locally.
In general (not talking about actual crypto here), the whole password/passcode policy thing is nothing more than a CYA and comfort food for the paper pushers.
You make a password more complex than 8 characters and a cap (or number or special)... you got the easiest password to break. The monitor post-it. Even if you have physical audits checking this, you end up with unlocked drawer post-its. Curtail that and so on, you eventually end up with fake tech support calls.
The human side basically cares less and less with every complexity iteration of the password policy. And the human has always been the weakest link in the chain.
But really, there is little shit out there that needs highly complex passwords. Your utilities, shopping, club, and similar accounts do not need a bank level password complexity. Your banks, credit cards, and other financial institutions shouldn't even be using passwords. They should have a 2 factor authentication.
Also, they should get rid of all the Q&A garbage. They all pretty much ask the same questions. Most people will provide the same truthful answer (usually easy to figure out). In net, one compromise now will compromise all the others.
The picture should be looked at holistically. An ATM shouldn't have the same level of protections as a bank vault. The security presence inside an auction house shouldn't be as large as the one outside.
I wrote a toy demonstration at http://pgen.chalisque.org/ and explained at http://pgen.chalisque.org/abou...
Obviously you can use something slightly more elaborate, and given either bash and standard hashes (e.g. sha256), or javascript and cryptojs, you can roll your own string manipulation.
You basically have a secret phrase or two, something obvious related to the website in question (e.g. pw://domain.name/user.name/index), combine it to produce e.g. 'mypwmachine(SuperSecretPhrase-pw://domain.name/user.name/43)', and then bung that through e.g. sha256 (or bcrypt with high cost if paranoid), take the binary output, convert to base64 and take the first 16 characters as your password. Unless you're rich or a terrorist, it isn't worth the effort to crack. Importantly the difficulty of reversing a hash means one compromised password isn't too dangerous, since unless they can reproduce your string manipulations, they can't easily generate passwords for anything else. I find it fun when a website deems the output of this process unacceptable for e.g. not including punctuation.
John_Chalisque
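The derivation the comment above describes, written out as an added example (not the commenter's pgen code): sha256 over the secret phrase plus a pw://domain/user/index tag, base64, first 16 characters. The derive_for_policy helper and the has_punctuation check are my additions, assumed as one way to deal with the site that rejects output lacking punctuation: bump the index until the site accepts the result.

```python
import base64
import hashlib


def derive_site_password(secret_phrase, domain, user, index=0, length=16):
    """sha256(secret + site tag), base64-encoded, first `length` characters."""
    tag = "pw://%s/%s/%d" % (domain, user, index)            # the per-site part
    material = "mypwmachine(%s-%s)" % (secret_phrase, tag)   # the combined string
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def derive_for_policy(secret_phrase, domain, user, accepts, max_tries=1000):
    """Bump the index until the site's policy accepts the output; return (password, index).

    Assumed handling for the complaint above: a site that rejects the derived
    string (e.g. for lacking punctuation) gets the next index, which the user
    records alongside the site name. Nothing secret is stored.
    """
    for index in range(max_tries):
        pw = derive_site_password(secret_phrase, domain, user, index)
        if accepts(pw):
            return pw, index
    raise ValueError("no index within %d tries satisfied the policy" % max_tries)


def has_punctuation(pw):
    """Base64 output only ever contains '+' or '/' as punctuation."""
    return any(c in "+/" for c in pw)


if __name__ == "__main__":
    # Constructed inputs; a 16-character prefix lacks '+' and '/' about 60% of
    # the time, so the index loop usually finishes within a handful of tries.
    print(derive_for_policy("SuperSecretPhrase", "domain.name", "user.name", has_punctuation))
```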
If I care enough about my password being hacked (if it affects me financially) I'll create a super impossible password to crack. ... of course, I never remember them and so have to get my password reset every time I visit that page.
"That's the way to do it" - Punch
Diet coke and Mentos? :)
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
All my passwords are ace02468bdf13579, as it's NSA approved.
Most of the celebrity hacks use exactly that vulnerability. How hard is it to find out what school Britney Spears went to, or what city she lived in?
A solution which still preserves the usefulness of the password reset questions is to answer them as if you were someone else. When it says "what high school did you go to?", pretend it says "what high school did Chelsea Clinton go to?"
For example, if you wanted to password reset my account, you could easily find that I went to a certain school. But that won't help, I fill in the information as if I were Colin Powell. Or maybe it's Abraham Lincoln. Or Justice Kennedy. Not knowing who I pretend to be, you can't determine how I'd answer those questions. On the other hand, if I ever forget my password, I can reset it by entering the name of Roger Waters' dog, rather than my own.
> properly encrypt/salt the database to protect against offline attacks
Strong hashes, properly salted, ARE important*. However protection from offline attacks requires BOTH a strong salted hash (~encryption) AND a strong password.
A good hash means that given the hash, you can't get the password BY REVERSING THE HASH. However, if you can GUESS the password, there's no need to reverse the hash; you just guessed the password correctly.
* On Linux, you can get a strong salted sha256 hash by using crypt() with a hash of the format "$5$random$".
Perl:
crypt($password, '$5$' . $random . '$');
MySQL:
ENCRYPT( ?, CONCAT('$5$', ?, '$') ), password, randomstring
Your password can be fuckyourmama1 fuckyourmama2 and fuckyourmama3 etc. Nobody is going to hack your shit except the employees of the US government who are in the process of failing to usurp the global power structure.
What happens if you pick a password like MyDogIsNamedBitch--()()34235xxx33523aAa3535ZRr you will forget that shit. Then comes the tying together of the mapping of your personal accounts. You have to go to two-factor auth with phone or another email. All tied together.
Anybody who understands databases knows this is a royal bitch to do billions of times so let them do it for you.
Promoting password strength as security is a farce. Only the US government and foreign alliances want into your shit. Old school hackers are busy now playing video games because the refresh rates and graphics are tight as fuck. Only the "paid hackers" who are the spy agencies give a flying fuck about your Target VISA info and hotmail pass including lower/upper and a number. They tie you in.
What's wrong with hunter2 ? It only shows stars for me.
Reference for the kiddos :
http://www.bash.org/?244321
Stop using the "batterystaplehorse" or whatever... years ago Ars Technica made a few simple tests on cracking passwords with GPUs and it turns out those are easily cracked with combined dictionary attacks. And a moderate GPU array can brute force any password under 8 characters (including with symbols) http://arstechnica.com/securit...
The solution is to just ban common passwords. Start with a list of dictionary words and leaked credentials from other sites, and simply ban the use of said passwords for accounts on your site. That's what Arenanet does for Guild Wars 2. You also ban new passwords as too many people try using them. As for messaging, you just straight up tell the user "That password is too well-known. Try something more creative."
You don't even need to store the password to implement popularity-based bans. When a user enters a new password, hash it and store the hash in a table (just the password hash, not the associated account). Each time someone else uses that password, increment the count. When it hits N, just ban new uses of that password, and optionally force current users of that password to change it on login (by checking the plaintext they just entered against the banned hashes). (Meanwhile, store a salted hash associated with the account id for login purposes, to make it harder to crack passwords if your hashes get leaked.)
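An added example, not the commenter's or Arenanet's code, of the popularity-based ban just described: an account-free table of plain hashes with a counter, a ban once the count reaches N, the "too well-known" message from the comment above, and a separate salted slow hash per account that is checked at login together with the ban list. The threshold value and the choice of scrypt for the login hash are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter


class PasswordStore:
    """Popularity-based banning beside per-account salted hashes, as described above.

    Constructed demo: the ban threshold N and the use of scrypt as the slow
    login hash are assumptions, not something the comment specifies.
    """

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.popularity = Counter()  # unsalted hash -> how many accounts chose it
        self.banned = set()          # unsalted hashes that reached the threshold
        self.accounts = {}           # account id -> (salt, salted slow hash)

    @staticmethod
    def _plain_hash(password):
        # Not linked to any account; only used for counting and ban lookups.
        return hashlib.sha256(password.encode()).hexdigest()

    @staticmethod
    def _account_hash(password, salt):
        # Salted, deliberately slow hash for login (scrypt stands in for bcrypt).
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def set_password(self, account, password):
        """Reject a banned password; otherwise count it and store the salted hash."""
        h = self._plain_hash(password)
        if h in self.banned:
            return False, "That password is too well-known. Try something more creative."
        self.popularity[h] += 1
        if self.popularity[h] >= self.threshold:
            self.banned.add(h)   # the Nth user keeps it; later users are refused
        salt = os.urandom(16)
        self.accounts[account] = (salt, self._account_hash(password, salt))
        return True, "ok"

    def login(self, account, password):
        """Return (authenticated, must_change_password).

        The ban check runs on the plaintext just entered, so users whose
        password became too popular after they chose it are made to change it.
        """
        salt, stored = self.accounts.get(account, (None, None))
        if salt is None:
            return False, False
        ok = hmac.compare_digest(stored, self._account_hash(password, salt))
        return ok, ok and self._plain_hash(password) in self.banned
```

The popularity table is still an unsalted hash list, so treat it as sensitive if the database leaks; the comment's point is only that it carries no account linkage.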
Your mom's? That would be Anonymous Coward, of course. ;)
Had a site the other day that would only accept numbers in the password, go figure.
I use
pwgen -y
and select a random password from the page
Gei&zae2 wo{Thoo5
I quite like their memorability
but if you want more pwgen -sy
&:Rj5w*z zP$M_\6~
Go well
The article you linked to strongly supports the opposite conclusion: that four unrelated words is quite unlikely to be cracked.
First, it explains that most of the 15,000 passwords were 6-9 characters, so the cracker was able to break 7,000 of them in just a few minutes. It starts getting much harder (slower) after that. In most cases, 7,000 passwords is plenty for a single site. When a bad guy wants more passwords, typically they quickly crack 7,000 more easy ones from another site. They don't waste hours cracking the hardest ones.
For the article, they went ahead and "wasted" a few hours trying to get some more difficult ones. They even got some that were two words. As the Ars article explains:
----
Because these attacks are capable of generating a huge number of guesses (the square of the number of words in the dict), crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down.
------
That's the SQUARE of the dictionary, two words, and Ars explains crackers generally don't spend the hours to do that. "Correct horse battery staple" is FOUR unrelated words. Time required is proportional to dictionary size to the FOURTH POWER. Ars didn't do that, nobody does that. Ars didn't even attempt three words, much less four.
Seriously I've spent fifteen years doing password security full time. I've done careful analysis on far more attacks than you've ever heard of.
I prefer using a password vault and inane gibberish on the security questions.
So you go onto a site and find out your password strength by typing it in and probably from the same pool of ip addresses. Now someone out there has your password. The classic entropy calculation uses each search space of one character multiplied by the key length to generate the entropy. But! If you have a dictionary, that entropy gets drastically reduced. If you are forced to input only four letter combinations of valid words, what is the entropy on that? Similarly if you provide someone with the patterns of your password selection, the classic entropy calculation is the same, but for whomever with the password list, that search space is narrowed and the site owner's concept of entropy wrt your choice selection becomes close to nil.
https://www.youtube.com/watch?v=K6xXngYnVK8
Way better than what you currently find on normal websites.
They should just make it easier to integrate the thing on your own webpage.
https://password.kaspersky.com...
Atari rules... ermm... ruled.