Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk)

An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.


  1. Except for the one that doesn't by trawg · · Score: 4, Informative

    At first I was all like, so the security expert can tell me that some of these password meters rate things like "p@ssword" as secure when they're obviously not, but they're not /quite/ expert enough to come up with a better tool that can more accurately gauge password strength?!@

    Then I read the article; lo and behold, the author actually points out an open source tool called zxcvbn by Dropbox that is actually good at it (or at least, doesn't suck on the harsh battery of tests that these products were subject to (basically just running five passwords through six different meters)).

    tldr: use zxcvbn

  2. Length damn it! by raymorris · · Score: 5, Interesting

    I spent 15 years developing and writing password / pass phrase security tools used on a huge number of web sites. I analyzed millions of brute force and dictionary attempts, as well as the offline tools.

    In my professional opinion, where strength meters and password policies most often fail is that they greatly underestimate the importance of length. I recently encountered a site which required:
    8-12 characters
    Must include upper and lower case
    Must include digits
    Must include punctuation

    Well we've all been taught since 1st grade or so that punctuation goes at the end of a sentence, and the first letter is capitalized, so most passwords on the system are of the form:
    Capital lower lower lower lower lower lower digit punctuation.

    Since the whole password is 8-12 characters, to get the digit and punctuation at the end you need a word that is 6-10 letters. Passwords are pretty predictable on that system. According to their policies, these are good passwords:
    Password1!
    Passw0rd!

    But this is a horrible password, that anybody can guess:
    YRNKBV JSYZCXPRM ZOXADEKO JARQYTLY
    OFOFBQ VKGDOSUE XFEUJQOHG TZBVHQIA WSBQHKVD SPIODPL

    Allow and encourage long pass phrases. (Also encourage the term "pass phrase", not "password".) Making your pass phrase a tiny bit longer adds much more security than switching the number 0 for the letter O.

    Ever heard of 2048 bit security? Or 1024 bit keys? That's how security professionals talk about strength - X number of bits. Those numbers refer to the LENGTH of the keys (passwords). That's what's most important above all.

    See also:
    http://imgs.xkcd.com/comics/pa...
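    A worked version of the length argument above (added here; not raymorris's code). It compares the nominal entropy a complexity-only meter assumes for an 8-character password against the effective entropy when everyone follows the "Capital word + digit + punctuation" template that the 8-12 policy pushes them into, and against random multi-word pass phrases. The dictionary size (30,000), 10 digits and 32 punctuation characters are assumed values for the illustration.

```python
import math

# Assumed sizes for the illustration (not figures from the post).
WORDS_IN_DICTIONARY = 30_000   # English words a user might pick as the "word" part
DIGITS = 10                    # one trailing digit
PUNCTUATION = 32               # one trailing punctuation character
PRINTABLE_ASCII = 95           # what a complexity meter assumes each position draws from


def nominal_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """What a complexity-only meter credits: every position uniform over the alphabet."""
    return length * math.log2(alphabet)


def policy_template_bits(dictionary: int = WORDS_IN_DICTIONARY) -> float:
    """Effective entropy when users follow the predictable template
    'Capital word + digit + punctuation'. Capitalising the first letter and
    putting the punctuation last add nothing: they are the expected choices."""
    return math.log2(dictionary * DIGITS * PUNCTUATION)


def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy of `words` words chosen uniformly at random from a list of
    `list_size` entries (the xkcd 936 construction, 2048 words -> 11 bits each)."""
    return words * math.log2(list_size)


def compare() -> dict:
    """Side-by-side figures in bits; more bits means more work for a cracker."""
    return {
        "nominal_8_char": round(nominal_bits(8), 1),            # 52.6
        "template_8_to_12": round(policy_template_bits(), 1),    # 23.2
        "four_words_2048": round(passphrase_bits(4, 2048), 1),  # 44.0
        "six_words_2048": round(passphrase_bits(6, 2048), 1),   # 66.0
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:>18}: {bits:5.1f} bits")
```

The template password sits at roughly 23 bits despite satisfying four character-class rules; adding two more random words to a pass phrase is worth more than any amount of digit-for-letter substitution.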

    1. Re:Length damn it! by waveclaw · · Score: 2

      Human factors and industrial engineering turns out to be important when working on systems used by humans.

      > I spent 15 years developing and writing password / pass phrase security tools used on a huge number of web site

      This is the biggest argument for open source software. Security software is important software. It should work, do so correctly and be able to survive audit or exposure. Do you re-implement printf(3) to write a web page? (Usually no, but I've seen some interesting stuff. Ask a veteran C programmer to do HTML and you might get a new web server with the pages statically encoded in the binary.) But we re-implement user space stuff all the time that is really infrastructure in disguise.

      The amount of time wasted re-writing stuff that should be written once and well is I guess a useful tax on the stupid. And too often that's how business works. The waste certainly keeps a lot of people employed.

      "Code Monkey says maybe manager should write stupid login page himself."

      > In my professional opinion, where strength meters and password policies most often fail is that they greatly underestimate the importance of length. I recently encountered a site which required:

      Requirements are funny things. Required fields on passwords actually reduce the strength of passwords. I don't need to guess or search the entire alphabet if I know that I only need combinations of unique characters. The result is a much smaller space to brute force. Sadly, without any requirements on variety most people just pick familiar and public information, which is even worse.

      --

      "You cannot have a General Will unless you have shared experiences. You cannot be fair to people you don't know."
    2. Re:Length damn it! by JustAnotherOldGuy · · Score: 3, Insightful

      What's worse are the "hint" questions, like "What elementary school did you go to?" or "What city did you live in when you were 10?"

      The answers can often be uncovered with a little detective work.

      So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".

      No amount of detective work is going to "uncover" that.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:Length damn it! by JustAnotherOldGuy · · Score: 2

      > So when they ask me shit like "What elementary school did you go to?", I put something like, "Jm36*gdt22(ILD$".
      > No amount of detective work is going to "uncover" that.

      Well, that USED to be the case....

      It's true, I'm a proud graduate of Jm36*gdt22(ILD$ Elementary school.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  3. Re:Enforced Weakness by myowntrueself · · Score: 2

    Some of these "password requirements" actively force weaker passwords, in that they enforce a maximum length! I've seen some that force a 12 character maximum, making the xkcd 4 common word technique unusable, especially since they often stupidly require mixed case and a numeric and a special char.

    My personal favorite was the bank that required my password to have exactly one number, at least one upper case character and exactly one special character. With a maximum length of 8 characters.

    --
    In the free world the media isn't government run; the government is media run.
  4. Re:well... by Daimanta · · Score: 5, Informative

    It depends on what you call technically strong. As https://www.xkcd.com/936/ indicates, it is not intuitively clear which passwords are strong. Humans have a terrible instinct when it comes to entropy in data and therefore need to be guided in choosing a password. This often results in a check for length (which is a good thing), but also requirements for capitals, numbers and special characters (which is often used poorly). The result is that people will use passwords like Welcome0! which can be figured out by many people simultaneously and therefore is a weak password.

    The 'technical' strength of a password is connected to its entropy. Using a password that satisfies some byzantine requirement, but contains not enough entropy, is also weak in the technical sense. "Correct horse battery staple"-like passwords are strong; "Correct horse battery staple" itself is incredibly weak, thanks to Mr. Munroe.

    --
    Knowledge is power. Knowledge shared is power lost.
  5. My code is called by s.petry · · Score: 3, Funny

    populate_mah_rainbow_tables.js

    Humor aside, people should never, ever, ever never type their real password into a site "checking strength". My humor has a whole lot of reality involved.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  6. What drives me insane: by SvnLyrBrto · · Score: 5, Insightful

    It's not the password strength meters that bother me. I generally just ignore those. What drives me utterly insane are the restrictions on my password. And these are far too common. The two biggies are:

    1) Restricting what characters I may use in my password (no / or % or & or whatever) == Oh hai, We're not bothering to sanitize my inputs. We are a bunch of morons and you shouldn't use our site or service.

    2) Restrictions on the maximum length of my password. == Oh hai, we're not bothering to hash your password but are, instead, just storing it in a fixed-length field somewhere. We're a bunch of morons and you shouldn't use our site or service.

    What really Really REALLY drives me up the wall is that these sorts of restrictions seem to most often be present in places where security is most important and where I don't have the *choice* not to use their service. (My current employer's medical and 401k providers, for example.)

    --
    Imagine all the people...
    1. Re:What drives me insane: by Anonymous Coward · · Score: 2, Funny

      > 1) Restricting what characters I may use in my password (no / or % or & or whatever)

      I recently signed up for a website where it said "special characters are ok". But no matter what I put I couldn't get the password to be accepted. Until I actually took OUT the special character &, and then it worked. (facepalm)

  7. Re:well... by Tanktalus · · Score: 2

    > The result is that people will use passwords like Welcome0! which can be figured out by many people simultaneously and therefore is a weak password.

    /me changes all his passwords to Welcome1@

  8. Re:well... by mwvdlee · · Score: 3, Insightful

    The problem is one of usability.

    Imagine a good password checker, which actually does some proper calculation of entropy.

    User types in password "Password1".
    Checker reports "password not strong enough".
    The user says "Welll... it contains 8 chars, a capital and a number, that's usually enough" and tries "Password_1".
    Checker reports "password not strong enough".
    "Uhm... what more do I need to do?" the user thinks, "It doesn't tell me what's missing" and tries "ThisIsMyPassword_1!"
    Checker reports "password not strong enough".
    User gives up and signs up for a competitor's service.

    The problem isn't that improving password checkers is hard (it's not); the problem is that it's nearly impossible to give the user feedback that actually helps them.

    I made a password generator which tries to do some sort of entropy calculation: http://random.toyls.com/.
    When I tried to implement the same calculation for a password checker on a website, I ran into exactly these kind of usability problems.
    Explaining you need 8 characters, at least 1 capital and 1 digit is easy. Explaining a more involved algorithm is not.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
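    An added example (not mwvdlee's code, nor zxcvbn itself) of the kind of checker the summary, trawg and mwvdlee are circling: instead of counting character classes, it strips the decoration users add to satisfy meters (capital first letter, l33t substitutions, a trailing digit/punctuation run) and checks whether what is left is a common password, then tells the user exactly why it was rejected. The six-entry COMMON set is a constructed stand-in for the 10,000-entry list the article mentions, and the 12-character minimum is an assumed policy.

```python
import re
from typing import Optional

# Constructed stand-in for a "most common passwords" list; a real checker would
# load the full list. Entries are lower-case with l33t spelling undone.
COMMON = {"password", "welcome", "letmein", "qwerty", "iloveyou", "monkey"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# Splits "Welcome0!" into core "Welcome" and decoration "0!", "Password_1"
# into "Password" and "_1". Any non-empty string matches (decoration may be empty).
DECORATION = re.compile(
    r"^(?P<core>.+?)(?P<suffix>[^A-Za-z0-9]?[0-9]{0,4}[^A-Za-z0-9]{0,2})$")
MIN_LENGTH = 12   # assumed policy value


def check(password: str) -> Optional[str]:
    """Return None if the password is acceptable, otherwise a reason the user
    can act on. Common-password checks run before the length check, so the
    feedback names the real problem rather than a rule the user can game."""
    match = DECORATION.match(password)
    if match is None:
        return "Empty password."
    core, suffix = match.group("core"), match.group("suffix")
    normalised = core.lower().translate(LEET)   # P@ssw0rd -> password
    if normalised in COMMON:
        decorated = f" with {suffix!r} added" if suffix else ""
        return (f"{core!r} is one of the most common passwords{decorated}; "
                "crackers try exactly those variations first. "
                "Try several unrelated words instead.")
    if len(password) < MIN_LENGTH:
        return (f"Too short: {len(password)} characters, need at least "
                f"{MIN_LENGTH}. A phrase of unrelated words is the easiest way.")
    return None


if __name__ == "__main__":
    for candidate in ["Password1", "Password_1", "Welcome0!", "P@ssw0rd1!",
                      "ThisIsMyPassword_1!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check(candidate) or 'ok'}")
```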
  9. That's a giant hole. Solution: Be Chelsea Clinton by raymorris · · Score: 2

    Most of the celebrity hacks use exactly that vulnerability. How hard is it to find out what school Britney Spears went to, or what city she lived in?

    A solution which still preserves the usefulness of the password reset questions is to answer them as if you were someone else. When it says "what high school did you go to?", pretend it says "what high school did Chelsea Clinton go to?"

    For example, if you wanted to password reset my account, you could easily find that I went to a certain school. But that won't help, I fill in the information as if I were Colin Powell. Or maybe it's Abraham Lincoln. Or Justice Kennedy. Not knowing who I pretend to be, you can't determine how I'd answer those questions. On the other hand, if I ever forget my password, I can reset it by entering the name of Roger Waters' dog, rather than my own.

  10. Just ban common passwords by santiago · · Score: 2

    The solution is to just ban common passwords. Start with a list of dictionary words and leaked credentials from other sites, and simply ban the use of said passwords for accounts on your site. That's what Arenanet does for Guild Wars 2. You also ban new passwords as too many people try using them. As for messaging, you just straight up tell the user "That password is too well-known. Try something more creative."

    You don't even need to store the password to implement popularity-based bans. When a user enters a new password, hash it and store the hash in a table (just the password hash, not the associated account). Each time someone else uses that password, increment the count. When it hits N, just ban new uses of that password, and optionally force current users of that password change it on login (by checking the plaintext they just entered against the banned hashes). (Meanwhile, store a salted hash associated with the account id for login purposes, to make it harder to crack passwords if your hashes get leaked.)
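    The popularity-based ban described above, written out as an added example (not santiago's or ArenaNet's code): an unsalted digest keyed counter table with no account link, a seed list of known-bad passwords, a ban once a password's count reaches N, a separate per-account salted slow hash for login, and a forced change when a user logs in with a plaintext that is now banned. N=3, the seed list and the PBKDF2 parameters are constructed values for the demo.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BAN_THRESHOLD = 3                                  # "N" from the post; demo value
SEED_BANNED = ["password", "123456", "Welcome0!"]  # constructed seed list


def popularity_key(password: str) -> str:
    # Unsalted digest: identical passwords from different accounts collide on
    # purpose, which is what makes counting across accounts possible. The
    # table holds no account ids, but it is still a fast-hash list: protect it.
    return hashlib.sha256(password.encode()).hexdigest()


def account_hash(password: str, salt: bytes) -> bytes:
    # Per-account salted, slow hash used only for login; never for counting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordStore:
    def __init__(self) -> None:
        self.popularity = defaultdict(int)                      # key -> count
        self.banned = {popularity_key(p) for p in SEED_BANNED}  # banned keys
        self.accounts = {}                                      # user -> (salt, hash)

    def register(self, user: str, password: str) -> bool:
        key = popularity_key(password)
        if key in self.banned:
            return False   # "That password is too well-known. Try something more creative."
        self.popularity[key] += 1
        if self.popularity[key] >= BAN_THRESHOLD:
            self.banned.add(key)   # new uses stop here; existing users change on next login
        salt = os.urandom(16)
        self.accounts[user] = (salt, account_hash(password, salt))
        return True

    def login(self, user: str, password: str) -> tuple:
        """Return (authenticated, must_change_password)."""
        if user not in self.accounts:
            return False, False
        salt, stored = self.accounts[user]
        ok = hmac.compare_digest(stored, account_hash(password, salt))
        # The plaintext just entered is checked against the banned keys, as the post suggests.
        return ok, ok and popularity_key(password) in self.banned
```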

  11. Your article explains why XKCD was right by raymorris · · Score: 2

    The article you linked to strongly supports the opposite conclusion: that four unrelated words is quite unlikely to be cracked.

    First, it explains that most of the 15,000 passwords were 6-9 characters, so the cracker was able to break 7,000 of them in just a few minutes. It starts getting much harder (slower) after that. In most cases, 7,000 passwords is plenty for a single site. When a bad guy wants more passwords, typically they quickly crack 7,000 more easy ones from another site. They don't waste hours cracking the hardest ones.

    For the article, they went ahead and "wasted" a few hours trying to get some more difficult ones. They even got some that were two words. As the Ars article explains:

    ----
    Because these attacks are capable of generating a huge number of guesses—the square of the number of words in the dict—crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down.
    ------

    That's the SQUARE of the dictionary, two words, and Ars explains crackers generally don't spend the hours to do that. "Correct horse battery staple" is FOUR unrelated words. Time required is proportional to dictionary size to FOURTH POWER. Ars didn't do that, nobody does that. Ars didn't even attempt three words, much less four.

    Seriously I've spent fifteen years doing password security full time. I've done careful analysis on far more attacks than you've ever heard of.