Usability of Passwords » www.baekdal.com/tips/pas ··· sability
quote: Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.
Easily the best password policy thing I have ever seen. It's exactly what I have been trying to say for a while.
sivran (Vive Vivaldi) Premium Member join:2003-09-15 Irving, TX kudos:2
2011-Apr-18 1:25 am
I wonder how many web apps/forum sign-ins/etc. accept spaces in passwords. Many systems barely even accept "special characters" at all, and the truly dinosaurian legacy systems don't even take passwords over eight characters.
said by sivran: I wonder how many web apps/forum sign-ins/etc. accept spaces in passwords. Many systems barely even accept "special characters" at all, and the truly dinosaurian legacy systems don't even take passwords over eight characters.
This^^ I still am amazed at how my banks will STILL not let me use my preferred password of 14 characters mixed alpha-numeric, case and special characters.... I did find out that BofA now lets you use "special characters" but NOT the whole set!! They do not let me use the $ that I like in my pass- so stupid, probably because of poorly written code or something? I just do not understand why it is so hard. Let joe blow continue to use "monday123", but let me use "YGgmero873%F#$14lgs!"!!!
to munky99999
The author of that blog post has no idea what he's talking about. He says a 6 character random password will take 219 years to crack. This is flat-out wrong. A 6 character random password has 40 bits of entropy which can be cracked in a few minutes by a desktop machine with an off-the-shelf GPU. 40 bits is laughably weak. Google for GPU password cracking and see what you come up with. Some people are getting several *billion* password attempts per second with modern GPUs (it depends on the password hash used).
Second, he doesn't take dictionary attacks into account, but instead assumes that an attacker is just going to flip through a-b-c-d-e-f and 1-2-3-4-5 etc. until he tries all characters. Wrong. A dictionary attack will try the most common words and characters first, which greatly reduces the brute-force time.
Third, he doesn't seem to know what a salt is. Some passwords don't use salts at all which greatly reduces their strength (some versions of XP for instance). An attacker with a rainbow table and a GPU can crack an English phrase password rather quickly if it's not salted.
A strong password is dependent on two things which are *not* mutually exclusive: the randomness (entropy) and the length. I can create a LONG password that is really weak. For instance, "The quick brown fox jumped over the lazy dog" is roughly 44 characters, but it has nowhere near the strength of this:
b-$itI?u#J+}y`4-lw1yyZUK*.H?W;"0w3JAu{z'Of5@
which is also 44 characters. The latter password has about 288 bits of entropy while the former would be lucky to push 80. This guy actually seems to be saying that the former password is stronger! LULZ.
Finally, he called the NSA "NASA." lolwut? Instant credibility loss right there.
sivran (Vive Vivaldi) Premium Member join:2003-09-15 Irving, TX kudos:2
2011-Apr-18 3:16 am
Spoken like someone who very briefly skimmed the article.
said by sivran: Spoken like someone who very briefly skimmed the article.
Oh really? He says that "this is fun" would take 2,537 years to brute force and considers it "secure forever." That is, well, retarded. Give me a top of the line Nvidia or ATI video card and I am cracking it in minutes, even without a dictionary. He then says this:
quote: If you want to be insanely secure; simply choose uncommon words as your password - like: fluffy is puffy.
And he claims "fluffy is puffy" would take 40 million years to brute force. 40 million years! *facepalm* Is this guy really that stupid? He seems to be under the assumption that one can somehow "limit" an attacker by placing time-outs and attempt limits on the brute-force attempt. Yeah, that's well and good until Anonymous cracks his server, downloads his password hashes and then has all the kiddies with their SLI GPUs start crunching the hashes. His measly 3 word passphrase will be cracked in short order and all his personal data (and that of his employees) will be posted on PirateBay for the world to see. Epic fail. The whole article is just so idiotic that I am wasting my time even responding to his ignorance. The sad thing is that this guy seems to have a "following" on his blog. Ah, blind leading the blind, I guess.
sivran (Vive Vivaldi) Premium Member join:2003-09-15 Irving, TX kudos:2
2011-Apr-18 4:50 am
You missed a key point.
Krisnatharok (Caveat Emptor) Premium Member join:2009-02-11 Earth Orbit kudos:15
The blind leading the blind? I think Kodiac nailed it.
NSA is 'NASA'? Sorry, he just lost his audience, as well as estimating 'time to crack' on a measly 100 attempts per second. I bet my GTX 460 with 288 cores (and that's a low end GPU now) could top that, not to mention how Amazon's cloud computing gives anyone with some money access to a lot of crunching muscle.
sivran (Vive Vivaldi) Premium Member join:2003-09-15 Irving, TX kudos:2
2011-Apr-18 4:50 pm
Seems like you missed a key point too.
That's how many you may be able to do locally.
How many does the web application handle or allow?
A bank login, for example, will lock itself after X number of tries, where X is usually a low single-digit number.
What the article is trying to say is that brute-forcing over the web is much slower than local brute-force. He doesn't mention it, but the latency from you to the web server alone will significantly slow down password-guessing. At even 10ms, you're down to 100 attempts per second.
Tack on a delay for incorrect passwords, and suddenly "weak" passwords become much stronger.
Tack on account locking, and all bets are off, you are extremely unlikely to brute force the account.
The bad guys already know this of course. Why do you think phishing is such a big thing? All the password entropy in the world won't help if you're fooled into giving it away.
Also am I the only one who thought when he said NASA, he actually meant NASA? Just because they don't deal in espionage doesn't mean they don't have data they'd like to protect after all.
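The two sides of this thread are arguing about the same arithmetic under different attacker models: KodiacZiller's figures (40 bits for a 6-character random password, ~288 bits for the 44-character one) assume an offline attacker with the hash database and a GPU, while sivran's point is that a live login limits the attacker to the request rate, a failure delay and an account lockout. The script below is an added example written for this thread, not code from any poster or from baekdal.com. It recomputes those figures under stated assumptions: random passwords drawn from the 94 printable ASCII characters (space excluded), passphrases modelled as words drawn from a word list (the 7,776-word Diceware list and an assumed 10,000-word common-English list), a GPU rate of 3 billion guesses per second, a 10 ms web round trip, and an assumed 2 second delay per failed login. The two sample passwords are the ones quoted above; everything else is a constructed assumption, marked as such in the comments.

```python
"""Added example, not code from the thread or from baekdal.com.

Recomputes the crack-time figures argued over above under explicit
assumptions: a random password is drawn uniformly from the 94 printable
ASCII characters (space excluded), a passphrase is modelled as words drawn
from a known word list, and the attacker is either offline with the hash
(GPU rate) or online against a live login (latency, failure delay, lockout).
Word-list sizes and rates are illustrative assumptions, labelled below.
"""
import math
import string

PRINTABLE_ASCII = 94          # 26 lower + 26 upper + 10 digits + 32 punctuation
DICEWARE_WORDS = 7776         # assumption: 6^5 entries, the standard Diceware list size
COMMON_WORDS = 10_000         # assumption: size of a "most common English words" list
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample inputs: the two passwords quoted in the thread.
KODIAC_RANDOM = r'''b-$itI?u#J+}y`4-lw1yyZUK*.H?W;"0w3JAu{z'Of5@'''
BLOG_PHRASE = "this is fun"


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if " " in password:
        size += 1
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)      # 32 symbols
    return size


def brute_force_bits(password: str) -> float:
    """Keyspace, in bits, an exhaustive character-level search must cover."""
    return len(password) * math.log2(charset_size(password))


def random_password_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet)


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy when the attacker guesses whole words instead of characters."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second


def online_rate(latency_s: float, failure_delay_s: float = 0.0) -> float:
    """Guesses per second against a live login, one request after another."""
    return 1.0 / (latency_s + failure_delay_s)


def lockout_success_probability(bits: float, max_attempts: int) -> float:
    """Chance of a correct guess before a hard lockout ends the attempt."""
    return max_attempts / 2.0 ** bits


def describe(seconds: float) -> str:
    """Human-readable duration for the report."""
    if seconds < 60:
        return f"{seconds:.0f} s"
    if seconds < 3600:
        return f"{seconds / 60:.0f} min"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    years = seconds / SECONDS_PER_YEAR
    return f"{years:,.0f} years" if years < 1e6 else f"{years:.2e} years"


if __name__ == "__main__":
    gpu = 3e9                                 # "several billion"/s, as claimed above
    slow_web = online_rate(0.010)             # 10 ms round trip, no throttling
    throttled_web = online_rate(0.010, 2.0)   # assumption: 2 s delay per failure
    candidates = [
        ("6-char random, 94 symbols", random_password_bits(6)),
        ("44-char random (Kodiac's)", brute_force_bits(KODIAC_RANDOM)),
        ('"this is fun", character search', brute_force_bits(BLOG_PHRASE)),
        ('"this is fun", 3 common words', passphrase_bits(3, COMMON_WORDS)),
        ("3-word Diceware", passphrase_bits(3)),
        ("6-word Diceware", passphrase_bits(6)),
    ]
    for label, bits in candidates:
        print(f"{label:34s} {bits:6.1f} bits"
              f" | offline GPU {describe(seconds_to_exhaust(bits, gpu)):>12s}"
              f" | web {describe(seconds_to_exhaust(bits, slow_web)):>12s}"
              f" | throttled {describe(seconds_to_exhaust(bits, throttled_web)):>12s}"
              f" | P(hit before 5-try lockout) {lockout_success_probability(bits, 5):.1e}")
```

Run as-is, it prints one line per candidate. Under these assumptions the 6-character random password is just over 39 bits: at 100 guesses per second that keyspace takes roughly two centuries to exhaust, which is the regime the blog's 219-year figure lives in, while at 3 billion per second it takes minutes, which is KodiacZiller's point. The same table shows why sivran's point also holds: with a hard 5-attempt lockout the probability of a hit is negligible for every entry, so for the defender the real question is whether the hash database ever leaves the server, since that is what turns the online column into the offline one. Note that "this is fun" drops from about 52 bits under a character search to under 40 bits once the attacker guesses whole common words, which is the dictionary-attack effect described above.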
Krisnatharok (Caveat Emptor) Premium Member join:2009-02-11 Earth Orbit kudos:15
I'll give you that point on account locking. However, not every system utilizes it, and many people use the same password between systems. So let's say, for instance, I know you use a Facebook account (could be anything: WoW, DSLR, etc.) with an associated email address, and Facebook does not lock out an account after incorrect attempts. I can brute force my way into it and then try that email and password combination on any number of sites and probably have a good success rate with them.
said by sivran: Also am I the only one who thought when he said NASA, he actually meant NASA? Just because they don't deal in espionage doesn't mean they don't have data they'd like to protect after all.
Yes, you are, because in the context of the sentence ("NASA and CIA"), the given set of agencies (intelligence) does not make sense. "NSA and CIA" on the other hand makes perfect sense, and far more once you realize that NSA is focused on networks.
BlitzenZeus (Burnt Out Cynic) Premium Member join:2000-01-13 kudos:6
to KodiacZiller
There's no way you can remember "b-$itI?u#J+}y`4-lw1yyZUK*.H?W;"0w3JAu{z'Of5@" without a password manager, and that is the problem. People are supposed to remember passwords, not depend on software to do it for them.
said by BlitzenZeus: There's no way you can remember "b-$itI?u#J+}y`4-lw1yyZUK*.H?W;"0w3JAu{z'Of5@" without a password manager, and that is the problem. People are supposed to remember passwords, not depend on software to do it for them.
True, but I have no problem remembering my 14 character one that is "almost" completely random (it does have a string of 6 numbers that is part of a 15 digit account number I own). I can also change it up by keeping a core part of it the same and changing the beginning and/or middle and/or end. The only problem is almost no one will let me use it because it has "special/invalid characters", and sometimes it is too long also.
to BlitzenZeus
said by BlitzenZeus: There's no way you can remember "b-$itI?u#J+}y`4-lw1yyZUK*.H?W;"0w3JAu{z'Of5@" without a password manager, and that is the problem. People are supposed to remember passwords, not depend on software to do it for them.
Yes, I agree. My main point was that his assumptions were wrong, which led to him overestimating the strength of the password examples he gave. If people think "this is fun" will take hundreds of years to crack, they've got another thing coming. One cannot assume that the attacker will not have local access to the password hash database which will allow him/her to perform a much faster local dictionary or brute-force attack. This kind of thing happens and is what has occurred with several high-profile breaches. The answer is to use diceware or to create an easily memorable, yet nonsensical sentence with lots of 1337 characters and misspellings. For instance:
B!itz#nZoos1$@burnt0ut$ynicfr0mBeevert0n0r3g0n
Use something like the above as your master password and then generate each password for all of your e-mail and web accounts separately and protect them with this master password in an encrypted database (Keepassx for instance). I have probably 50 passwords for all my various online accounts and I don't know a single one of them. They are all 12-14 random characters generated by a PRNG.
Krisnatharok (Caveat Emptor) Premium Member join:2009-02-11 Earth Orbit kudos:15
said by KodiacZiller: I have probably 50 passwords for all my various online accounts and I don't know a single one of them.
How do you deal with accessing those accounts away from your computer? Can you sync a Keepass database between devices (desktop, laptop, smartphone, for instance)?
BlitzenZeus (Burnt Out Cynic) Premium Member join:2000-01-13 kudos:6
to KodiacZiller
I already use a similar method, but when places have passwords as short as eight characters, no special characters, there's not much you can do besides just fudge it up as much as you can. Then most of these places don't even encrypt their web logins....
For server security yes, you can usually have far bigger, and more complex passwords assuming some stupid sql injection or brute force via web errors/timeouts doesn't actually succeed anyway. I never liked how if the inputs were not sanitized they were actually run as code, and not just taken as the string they originally were.
to Krisnatharok
said by Krisnatharok: said by KodiacZiller: I have probably 50 passwords for all my various online accounts and I don't know a single one of them. How do you deal with accessing those accounts away from your computer? Can you sync a Keepass database between devices (desktop, laptop, smartphone, for instance)?
I upload my Keepassx database to the cloud (Dropbox, etc.) That way, as long as the computer has Keepassx on it, I can access the database from anywhere. The only thing I have to remember is the Dropbox password (in order to access the database) and the Keepassx password (to unlock it). The Dropbox password can be short since everything I keep on there is encrypted and thus I don't really care if someone "breaks in."
said by BlitzenZeus: I already use a similar method, but when places have passwords as short as eight characters, no special characters, there's not much you can do besides just fudge it up as much as you can. Then most of these places don't even encrypt their web logins....
Yeah, there's nothing you can do in that situation but make as strong of a password as possible. If you use a different password for every site, then the damage that can be done is confined to that site alone.