
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

P@$$1234: the end of strong password-only security

»www.deloitte.com/view/en_GX/glob···RCRD.htm from »it.slashdot.org/story/13/02/07/2···eriously ...

"Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking. Inadequate password protection may result in billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies compromised by attacks. As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication..."
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.



NotTheMama
What Would Earl Do?

join:2012-12-06

My short, "insecure" (by design, because I don't really care) passwords might be 8 characters. My long, "secure" (because I care about what I'm "securing") passwords are closer to 50 characters. (Of course, nothing is really "secure".)
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."



DarkSithPro

join:2005-02-12
Tempe, AZ
kudos:2
reply to antdude

So use a two phase password system.

The 1st password will be accepted and send you to the second password screen even if the first password is incorrect; the second one will kick you back to start all over. It will not tell whether the first or second password was correct or incorrect. Therefore brute force/dictionary attacks will be completely ineffective.

So let's say your first password is just 5 characters long and the second one is roughly the same. Going to a second password screen only to be kicked back out will make brute-force useless...



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

3 recommendations

reply to antdude

"Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking.

Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.


SoLostNow

join:2013-02-07
Haltom City, TX
reply to antdude

20 random characters from the "all ASCII printable character space," generated by a top quality pseudo random number generator, would be considered computationally secure against a brute force attack from any technology currently in the public domain. These characters provide slightly over 128 bits of entropy, and an attacker would encounter Landauer's limit. Quantum computing would halve the key space, but in the absence of that, reversible computing would be necessary.



NotTheMama
What Would Earl Do?

join:2012-12-06

If it actually gets as far as a brute force attack, you're safer with an easy to remember phrase longer than 20 characters than you are with 20 random characters. Longer is stronger. You just have to be sure to use a phrase that can't be either guessed or deduced, which really isn't that hard to do.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."


SoLostNow

join:2013-02-07
Haltom City, TX

A randomly generated password, like the one I described above, has none of the weaknesses of human generated passwords. It won’t be in any cracker’s 20GB word list and probabilistic attacks can’t be used, so an attacker is always forced into a true brute force attack (an exhaustive search of all possibilities). "Longer is stronger" is valid only when comparing randomly generated passwords. Passwords like: "resworb beW a gnisseccA.A", "n47= ...Timeout Delay: {", or "pmar fo ytilibacilppa 5.1" (25, 25, & 27 characters) may seem clever, but they were cracked by an individual using a normal desktop computer with a single GPU last year. He cracked about 83% of 146 million password hashes over a period of several months.

If you really want to protect your data, locate a quality random password generator and use two-factor authentication whenever it’s available.



NotTheMama
What Would Earl Do?

join:2012-12-06

Yeah, I know--the "Death of Clever". But my passphrases aren't "clever". They're just longer. They're not in any dictionary or any hash list. I'd put one of my short 32-character phrases up against any other 32-character random string. Brute force would be the only way to crack it.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."



rfhar
The World Sport, Played In Every Country
Premium
join:2001-03-26
Buicktown,Mi

1 recommendation

reply to antdude

Wow...and those of us who remember eight inch floppies also can remember when a secure password was a misspelled word or name.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

said by rfhar:

Wow...and those of us who remember eight inch floppies also can remember when a secure password was a misspelled word or name.

That's still true today. Passwords are at their most effective against their owner when either he can't remember them or when he keeps making a "pattern" error when typing them (finger persistently over a wrong key). While a hacker has all manner of resources to crack open an uncooperative password, the typical password owner often has only two: his sometimes-erratic memory or a written list he made way back when. Now... if he could just remember where he put that list...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

SoLostNow

join:2013-02-07
Haltom City, TX

@NotTheMama: A 32 character random string that contains mixed case/numeric/special characters would provide over 192 bits of entropy. It is computationally infeasible to crack strings containing over 128 bits of entropy by any technology currently available in the public domain. It's a matter of simple math and physics.

Although your 32 character phrase might be easier to type and remember, there is absolutely no way to be certain that it does not appear in some cracker's wordlists, or that he/she can't apply custom rules to those wordlists to crack your passphrase. I'm certainly not saying that it is likely that your passphrase will be compromised, but I am saying that the 20+ random characters described above provide more security against advanced attacks.

Search for Theirus' blog post titled: "Cracking Story - How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords." It contains a link to over 80 gigabytes of wordlists from just one source, and the rules he used to crack the password hashes in my earlier post.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to DarkSithPro

Two 5 character passwords afford the same protection as one 10 character password.

(To a first approximation, ignoring the fact that you often don't need to know the password, you just need to know something that hashes to the same thing the password hashes to).



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Snowy

said by Snowy:

Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.

The problem is that the current attack methods aren't brute force on the actual account, they are brute force on the captured password file, so lockout policies have nothing to do with the attack. By the time they are using your user name and password they already know what they are and the lock out policy won't be of any use.

The same issue applies to the suggestion from DarkSithPro. The password entry isn't the weakness. It is the loss of the password file. Having twenty levels of password checks does nothing if the one in charge of securing the data is the one who lost your user information in the first place.

The weakness comes from the off line attacks that are being run against the password files, provided the entity storing the data bothered to hash them.

NotTheMama, okay, you use long pass phrases; do you have a different one for EVERY password? Probably not. So, once I have one of your pass phrases I can access other accounts on which you have used the same pass phrase. Additionally, if you used the same user name (if you had any choice and e-mail address isn't it), I already have all I need to be you.

A password generator is the only way to ensure that you have minimum exposure. I use LastPass with a Yubikey for two factor authentication to my passwords. The problem comes in when the places that want a password limit the length. Fidelity is a personal favorite with that issue. I don't remember what their length limit is, but I do know it is less than 15 characters. Thanks for holding my money and not taking much effort to keep it secure.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein


NotTheMama
What Would Earl Do?

join:2012-12-06
reply to SoLostNow

I always use upper and lower case, numeric, and special characters in my passwords, even the "short" ones (and the pitifully short ones, like 8 to 12 characters, too); been doing it for many years (since I was a [computer] security officer back in the '80s). Even my short 32 character ones exceed 160 bits of entropy. If the system allows longer passwords, then I'll typically use 46 to 48 character phrases--which exceed 240 bits of entropy. So, I feel safe enough. I'm quite certain none of my strong passwords are in anyone's wordlists. I'm fairly certain none of my "weak" ones are. (I already know about your "Cracking Story...", thanks.)
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

1 edit
reply to Kilroy

said by Kilroy:

said by Snowy:

Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent.

The problem is that the current attack methods aren't brute force on the actual account, they are brute force on the captured password file, so lockout policies have nothing to do with the attack.

If Deloitte is talking about a 90% failure rate for passwords stored in the password file then logically the only way this can have any real world significance would be if 90% of all password files are insecure.
Sure, if they're talking about illegally accessed password files with plain text or simple hashing, then yeah, the password is pretty much toast.
That's like the security sites that ask you to drop your defenses so they can show you how insecure you are.

EDIT to add: I have been unable to locate where Deloitte specified their study was about hacked password files.
Where are you getting that from?

SoLostNow

join:2013-02-07
Haltom City, TX
reply to NotTheMama

@NotTheMama: How are you estimating the entropy of your passphrases? Most cryptologists would now agree that a reasonably accurate Shannon entropy model of human generated passwords/passphrases is just not possible. The entropy estimate for human generated passwords in NIST Special Publication 800-63-1 has proven to be unreliable many times over against the results of real world attacks. Shannon entropy of random strings and the guessing entropy of a human generated password are two very different concepts, and there is no way to accurately measure guessing entropy.



NotTheMama
What Would Earl Do?

join:2012-12-06

1 recommendation

The only thing you need to know or do about entropy is ensure that there's enough of it to relegate the cracker to using a brute force attack, at which point the longer your password is, the longer it will take to crack, presuming it can be done at all. As far as my "approach" to building a password goes, it's more like Diceware than anything else--mostly random, non-personal words (plus one, perhaps, that is personal) strung together, and, generally, at least seven of them. Each of the words is in a list somewhere for sure, but the final phrase/string is not. Of course, this is only possible when the system doesn't restrict the length of passwords by too much, which some do. Still, I make the assumption that at some point it or the system can and will be hacked, cracked, or compromised for nefarious purposes. I merely try to reduce exposure where it's inevitable.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Snowy

Note number 5 pointing to this link - »xato.net/passwords/more-top-worst-passwords/

quote:
Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the rockyou release because the list does not contain usernames and therefore duplicates with my own list cannot be detected and so they cannot be merged.
From that I would conclude that these are from publicly available leaked/stolen user name and password lists.

I would conclude by saying it doesn't matter how strong your password is, if the entity you are using it with fails to protect it. In reality, it isn't user passwords that are the problem, it is the leaked/stolen passwords that were entrusted to the people requiring a password.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

said by Kilroy:

I would conclude by saying it doesn't matter how strong your password is, if the entity you are using it with fails to protect it. In reality, it isn't user passwords that are the problem, it is the leaked/stolen passwords that were entrusted to the people requiring a password.

I completely agree with that.
I completely disagree with:
"Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking."

I'll stand by:
"Snowy predicts that if Deloitte had factored in (or left in) account lockout policies their "90 percent" would drop to less than 5 percent."

Why? Because if the Deloitte study was about hacked password files & they failed to mention that, they'd be guilty of more than just sensationalism.


redxii
Premium,Mod
join:2001-02-26
Sherwood, MI

1 recommendation

reply to NotTheMama

I sort of do the same thing, but most of the important websites I use (bank, insurance, etc; they are big names everyone knows) impose asinine limitations, such as low max character limits around 12 and unable to use special characters.
--
Moe, I need your advice… See I've got this friend named Joey Joe-Joe... Junior... Shabadoo..



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

said by redxii:

I sort of do the same thing, but most of the important websites I use (bank, insurance, etc; they are big names everyone knows) impose asinine limitations, such as low max character limits around 12 and unable to use special characters.

That goes right back to the password lockout policy.
That needs to be factored into the relative strength of a password at a practical or real world level.
I'm not aware of any financial site that doesn't utilize an account lockout policy.
Take a financial site that doesn't have one in place, add a script and a dictionary, & that complex password is a lot less secure than a simple eight character password protected by a lockout policy.
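
As an added example (not written by any poster in this thread), the arithmetic behind the arguments above: SoLostNow's random printable-ASCII strings, NotTheMama's Diceware-style phrases, dave's point that two 5-character passwords equal one 10-character password (and what changes if a two-stage login leaks which stage failed), and Kilroy's and Snowy's online-with-lockout versus offline comparison. The Diceware list size, the lockout window and the offline guess rate are assumptions, not figures from the thread.

```python
import math

PRINTABLE_ASCII = 95   # ASCII printable characters, space through '~'
ALNUM = 62             # a-z, A-Z, 0-9
DICEWARE_WORDS = 7776  # assumed list size: a standard 6^5-entry Diceware list


def random_string_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of a uniformly random string: log2(alphabet ** length)."""
    return length * math.log2(alphabet)


def passphrase_bits(words, list_size=DICEWARE_WORDS):
    """Entropy of N words drawn uniformly from a list; character count is irrelevant."""
    return words * math.log2(list_size)


def two_stage_bits(first_len, second_len, leaks_stage=False):
    """Search space of the two-password login discussed in the thread.
    If the site never reveals which stage failed, an attacker must guess the
    pair as a whole: 95 ** (a + b), i.e. the same as one (a + b)-character password.
    If it does leak (different error text or timing per stage), the stages are
    attacked one at a time: 95 ** a + 95 ** b, which is dramatically smaller.
    """
    if leaks_stage:
        return math.log2(PRINTABLE_ASCII ** first_len + PRINTABLE_ASCII ** second_len)
    return random_string_bits(first_len + second_len)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the key space at the given rate."""
    return (2 ** bits / 2) / guesses_per_second


def lockout_rate(attempts_per_window, window_seconds):
    """Guess rate an online attacker gets when the account locks after N failures per window."""
    return attempts_per_window / window_seconds


def human_time(seconds):
    """Render seconds as the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare_online_vs_offline(bits, lockout_attempts=5, lockout_window=900, offline_rate=1e10):
    """Same password, two attack models: online behind a lockout policy (assumed 5 tries
    per 15 minutes) and offline against a leaked fast, unsalted hash (assumed 1e10 guesses/s).
    Returns (online_seconds, offline_seconds)."""
    online = expected_crack_seconds(bits, lockout_rate(lockout_attempts, lockout_window))
    offline = expected_crack_seconds(bits, offline_rate)
    return online, offline


if __name__ == "__main__":
    print(f"20 random printable chars: {random_string_bits(20):.1f} bits")
    print(f"32 random printable chars: {random_string_bits(32):.1f} bits")
    print(f"7 Diceware words:          {passphrase_bits(7):.1f} bits")
    print(f"two 5-char stages, no leak: {two_stage_bits(5, 5):.1f} bits")
    print(f"two 5-char stages, leaks:   {two_stage_bits(5, 5, True):.1f} bits")
    for label, bits in (("8-char alphanumeric", random_string_bits(8, ALNUM)),
                        ("12-char printable", random_string_bits(12))):
        online, offline = compare_online_vs_offline(bits)
        print(f"{label}: online/lockout {human_time(online)}, offline {human_time(offline)}")
```

The offline column is the one that decides the thread's disagreement: an 8-character alphanumeric password survives an online attacker for ages behind a lockout policy but falls in hours once its fast hash leaks, whereas 12 random printable characters hold up in both models.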


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to NotTheMama

How many websites actually allow you to use such long passphrases though?



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc), the shorter and simpler the actual passwords must be constructed to access the site/accounts. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

Given that we still see sites that have restrictions like "you can't use 'special' characters in a password", there's not a lot of skill invested in some web sites.

(What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)



NotTheMama
What Would Earl Do?

join:2012-12-06
reply to sivran

Email systems seem to be the least restrictive on length. I've yet to find a limit for Google, but I haven't bothered to check for longer than what I prefer to use. My credit union allows maybe half of what I'd prefer. Almost all other sites don't have anything I'm particularly concerned about securing. The restriction, though, doesn't change my method, just reduces the length--I use what they allow.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
reply to dave

said by dave:

... (What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)

A long time ago I was told that special characters (non-letter/number) were used for field delimiters and control symbols in certain kinds of database structures, so they were forbidden as part of field entries like passwords and such. But that was years ago, and I can't imagine that the state of the art in software design hasn't moved light years beyond such archaic limitations... particularly with something like a password. Perhaps the real reason is that a lot of log-in software still has archaic interface modules that are 15 years or more behind the times...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

I don't understand why the banks can't get their act together. Chase, apparently, can't recognize a Win 8 computer and thus requires that I go through, EACH TIME, an intricate procedure whereby a code is sent to my email address that I then have to enter, and then do two challenges, etc. (which I already did... but Chase claims my computer has never logged in there because it is Windows 8) and makes me do them again. This happens on Fx 10.0.12 ESR. Then there are the separate Opera 12.14 problems at Chase where I can login (after the same "we don't recognize your computer" hassle), but cannot enter a payment amount that Chase sees and cannot logout at all unless I navigate to the main Chase Online page. As large as Chase is, you would think they could get these problems fixed quickly.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to antdude

I don't even know my passwords.
They are random gibberish created by a random password generator in KeePass. The only password I'll ever need is my master password and a key file. Simple and highly effective.



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to redxii

said by redxii:

I sort of do the same thing, but most of the important websites I use (bank, insurance, etc; they are big names everyone knows) impose asinine limitations, such as low max character limits around 12 and unable to use special characters.

TD Canada Trust is even worse. 8 characters max, one must be a digit.
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1

1 recommendation

reply to Blackbird

said by Blackbird:

said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc), the shorter and simpler the actual passwords must be constructed to access the site/accounts. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.

I find it funny: I have a bank where I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

Kinda makes no sense when a video game lets me do more complex passwords than a bank.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports