Slashdot Mirror

← Back to Stories (view on slashdot.org)

Smarter People Don't Have Better Passwords, Study Finds (bleepingcomputer.com)

Posted by msmash on from the closer-look dept.

An anonymous reader shares a report: A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones. The study's focused around a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords -- added in its 2017 edition. The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches. If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.

1 of 110 comments (clear)

  1. You might need to read about rainbow tables by raymorris · · Score: 4, Informative

    > Read about rainbow tables

    Good advice. You should take that advice. Maybe even try using one.

    Let's look at your claim regarding the length of the password. Back in the early 1990s, MD5 was the recommended algorithm. It had a short 128-bit hash. That's roughly the same entropy as an 18-20 character password. As long as two passwords were both at least 20 characters, a longer password wasn't better because they'd both get reduced to a 128-bit hash anyway. By the late 1990s weaknesses had been found in MD5 and we started recommending SHA-1 instead. I personally distributed sample code showing how to convert your MD5 password hashes to SHA1, something that sounds impossible at first.

    Then about 15 years ago MD5 was completely broken. Anyone with a clue moved to SHA1 or, later, SHA2. IF your web application is using an algorithm that has been broken for 15 years, AND your pass is at least 20 characters, longer than 20 isn't much more secure.

    You might be thinking "there is a four character password with the same hash". No, there isn't, in all likelihood. There are very few 4-character passwords, and very many possible 128-bit hashes. For any given long password, there probably is no short password with the same hash.

    SHA-1 is a 160-bit hash. It's even less likely that a short password of say 36 bits entropy is going to have the same 160-bit hash as a longer password. ALL possible 36-bit passwords combined only cover 1/2^124 of the outputs. In other words, the odds against getting a match, even trying ALL of the short passwords, are far less than the odds that you will win the lottery without even playing, by finding a winning ticket.

    SHA-2 came out in 2001. There are no rainbow tables for SHA2, because the key space is too large. So if your application has been *properly* updated in the last 10-15 years, rainbow tables simply do not apply.