NoHereNoMo to SoLostNow
Member
join:2012-12-06

Re: P@$$1234: the end of strong password-only security

I always use upper and lower case, numeric, and special characters in my passwords, even the "short" ones (and the pitifully short ones, like 8 to 12 characters, too); been doing it for many years (since I was a [computer] security officer back in the '80s). Even my short 32 character ones exceed 160 bits of entropy. If the system allows longer passwords, then I'll typically use 46 to 48 character phrases--which exceed 240 bits of entropy. So, I feel safe enough. I'm quite certain none of my strong passwords are in anyone's wordlists. I'm fairly certain none of my "weak" ones are. (I already know about your "Cracking Story...", thanks.)
SoLostNow
Member
join:2013-02-07
Haltom City, TX

@NotTheMama: How are you estimating the entropy of your passphrases? Most cryptologists would now agree that a reasonably accurate Shannon entropy model of human generated passwords/passphrases is just not possible. The entropy estimate for human generated passwords in NIST Special Publication 800-63-1 has proven to be unreliable many times over against the results of real world attacks. Shannon entropy of random strings and the guessing entropy of a human generated password are two very different concepts, and there is no way to accurately measure guessing entropy.
NoHereNoMo
Member
join:2012-12-06
1 recommendation

The only thing you need to know or do about entropy is ensure that there's enough of it to relegate the cracker to using a brute force attack, at which point the longer your password is, the longer it will take to crack, presuming it can be done at all. As far as my "approach" to building a password goes, it's more like Diceware than anything else--mostly random, non-personal words (plus one, perhaps, that is personal) strung together, and, generally, at least seven of them. Each of the words is in a list somewhere for sure, but the final phrase/string is not. Of course, this is only possible when the system doesn't restrict the length of passwords by too much, which some do. Still, I make the assumption that at some point it or the system can and will be hacked, cracked, or compromised for nefarious purposes. I merely try to reduce exposure where it's inevitable.
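Added example (editor's, not code from any poster in this thread) putting numbers on the two kinds of entropy the posts above argue about. The figures only hold when every character or word is chosen uniformly at random, which is the Diceware case; they say nothing about a phrase a person composed. The 95-character printable ASCII alphabet, the 7776-word Diceware list, and the 1e10 guesses/second offline rate are assumptions of the example, and `effective_alphabet` models the site rules complained about elsewhere in the thread (case folding, a short list of permitted symbols) as a reduction in alphabet size.

```python
import math
from typing import Optional

# Assumptions for this added example (not from the thread): printable ASCII
# is 95 characters (26 lower, 26 upper, 10 digits, 33 symbols incl. space)
# and the standard Diceware list has 7776 = 6**5 entries.  All bit counts
# below assume uniform random choice; they are not a measure of how
# guessable a human-composed password is.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
PRINTABLE_ASCII = LOWER + UPPER + DIGITS + SYMBOLS   # 95
DICEWARE_LIST = 6 ** 5                               # 7776


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose characters are uniform over the alphabet."""
    return length * math.log2(alphabet_size)


def wordlist_phrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase built from uniformly chosen wordlist entries.

    The attacker is assumed to know the list, so the letters inside each
    word add nothing; only the choice among list_size entries counts.
    """
    return word_count * math.log2(list_size)


def effective_alphabet(case_insensitive: bool = False,
                       allowed_symbols: Optional[str] = None) -> int:
    """Alphabet size left after a site's password rules are applied.

    case_insensitive=True models a system that folds case before checking
    (upper and lower case collapse into one set of 26).  allowed_symbols
    limits the 33 symbols to those listed; None means all are permitted.
    """
    letters = LOWER if case_insensitive else LOWER + UPPER
    symbols = SYMBOLS if allowed_symbols is None else len(set(allowed_symbols))
    return letters + DIGITS + symbols


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years for an offline attacker to try the whole keyspace."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    rate = 1e10   # assumed offline guess rate against a fast, unsalted hash
    cases = [
        ("8 random printable chars", random_string_bits(8, PRINTABLE_ASCII)),
        ("32 random printable chars", random_string_bits(32, PRINTABLE_ASCII)),
        ("7 Diceware words", wordlist_phrase_bits(7, DICEWARE_LIST)),
        ("12 chars, case-folded, only !@# allowed",
         random_string_bits(12, effective_alphabet(True, "!@#"))),
    ]
    for label, bits in cases:
        print(f"{label:40s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
```

Seven Diceware words come out near 90 bits, which is far below the figure for 32 uniformly random printable characters but still far beyond what an offline attacker can exhaust at the assumed rate; a site that folds case and permits three symbols cuts a 12-character password's keyspace by roughly five bits relative to the full alphabet.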

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX
1 recommendation

How many websites actually allow you to use such long passphrases though?

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc), the shorter and simpler the actual passwords must be constructed to access the site/accounts. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.
dave
Premium Member
join:2000-05-04
not in ohio

Given that we still see sites that have restrictions like "you can't use 'special' characters in a password", there's not a lot of skill invested in some web sites.

(What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)
NoHereNoMo to sivran
Member
join:2012-12-06

Email systems seem to be the least restrictive on length. I've yet to find a limit for Google, but I haven't bothered to check for longer than what I prefer to use. My credit union allows maybe half of what I'd prefer. Almost all other sites don't have anything I'm particularly concerned about securing. The restriction, though, doesn't change my method, just reduces the length--I use what they allow.

Blackbird to dave
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

said by dave:

... (What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)

A long time ago I was told that special characters (non-letter/number) were used for field delimiters and control symbols in certain kinds of database structures, so they were forbidden as part of field entries like passwords and such. But that was years ago, and I can't imagine that the state of the art in software design hasn't moved light years beyond such archaic limitations... particularly with something like a password. Perhaps the real reason is that a lot of log-in software still has archaic interface modules that are 15 years or more behind the times...
Mele20
Premium Member
join:2001-06-05
Hilo, HI
1 recommendation

I don't understand why the banks can't get their act together. Chase, apparently, can't recognize a Win 8 computer and thus requires that I go through, EACH TIME, an intricate procedure whereby a code is sent to my email address that I have to then enter and then do two challenges, etc. (which I already did... but Chase claims my computer has never logged in there because it is Windows 8) and makes me do again. This happens on Fx 10.0.12 ESR. Then there is the separate Opera 12.14 problem at Chase where I can login (after the same "we don't recognize your computer" hassle), but cannot enter a payment amount that Chase sees and cannot logout at all unless I navigate to the main Chase Online page. As large as Chase is, you would think they could get these problems fixed quickly.
Kearnstd to Blackbird
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ
1 recommendation

said by Blackbird:

said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc), the shorter and simpler the actual passwords must be constructed to access the site/accounts. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.

I find it funny I have a bank, I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

Kinda makes no sense when a video game lets me do more complex passwords than a bank.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Has anyone ever heard of a US bank account being compromised via a weak password?
I know that I haven't.
Between phishing, vishing, post-it notes etc... illegal access occurs daily but it has nothing to do with a weak password.
If anything, the password reset function presents a larger risk than current simple password restrictions.
But not to dilute the challenge - Can anyone find a verifiable reference to a US bank account hacked via a dictionary or brute force attack?

Kilroy to Kearnstd
MVM
join:2002-11-21
Saint Paul, MN

said by Kearnstd:

I find it funny I have a bank, I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

But did you know case doesn't matter for your World of Warcraft account? So, that cuts out 26 characters.

Snowy, you're just not getting it. Did you even read the article?
said by Deloitte Article:
How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password.
NO ONE tries to brute force passwords directly, due to incorrect password lockouts.

I agree that password resets are a major problem.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Yes, I read the article.
I just didn't get that the scope was framed around
"90% of user generated passwords would fail if the password file were attacked"
If it were I'd think the title would have been 90% of password files are not secure.

The article would make even less sense if that's what it's about because at the point of attack the password becomes dependent on the strength of the password file.
If it's stored in plain text then it's not 90% that would fail - it would be 100%.

How or if the password is salted would come into play etc... there's too many variables to come up with a hard number as they did (90%).

Even if it were about passwords stored in a password file that was subjected to an attack:
1. They should have attacked a plain text file to get a 100% failure rate
2. I'm not aware of any US financial institution that lost their password files - though anything is possible.
3. If their point was a stronger password to offset a lost password file advocating a best policy in password file encryption would be more practical than changing the habits of 90% of humankind.
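Added example (editor's, not from the Deloitte article or any poster) showing how much the storage format of a stolen "master file" changes the attacker's job, which is the variable Snowy says the 90% figure leaves out. The user names, passwords, wordlist and the low PBKDF2 iteration count are constructed for the example; real deployments use far more iterations, and the "work" figures count hash or KDF invocations, each PBKDF2 call itself costing ITERATIONS HMAC evaluations.

```python
import hashlib
import os

# Constructed sample data for this added example (not from the thread).
# Three users picked a dictionary word; one used a Diceware-style phrase.
USERS = {
    "alice": "sunshine",
    "bob":   "password1",
    "carol": "letmein",
    "dave":  "crater vowel mimic gloat pinto axiom lunch",
}
WORDLIST = ["123456", "password1", "sunshine", "letmein", "qwerty", "dragon"]
ITERATIONS = 1000   # deliberately low so the example runs in well under a second


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def pbkdf2_hex(s: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", s.encode(), salt, ITERATIONS).hex()


# --- three formats the stolen file might be in -----------------------------
def store_plaintext(users):
    return dict(users)


def store_unsalted_sha256(users):
    return {u: sha256_hex(p) for u, p in users.items()}


def store_salted_pbkdf2(users):
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)          # unique per user, stored beside the hash
        out[u] = (salt, pbkdf2_hex(p, salt))
    return out


# --- what the holder of the file can do with each --------------------------
def crack_plaintext(store):
    """Nothing to crack: every account is exposed at zero cost."""
    return dict(store), 0


def crack_unsalted(store, wordlist):
    """One hash per wordlist entry, reused against every user.  A rainbow
    table is the precomputed form of exactly this lookup."""
    table = {sha256_hex(w): w for w in wordlist}
    found = {u: table[h] for u, h in store.items() if h in table}
    return found, len(wordlist)


def crack_salted(store, wordlist):
    """The per-user salt forces the work to be redone for each account, and
    the slow KDF multiplies every guess by ITERATIONS."""
    found, kdf_calls = {}, 0
    for u, (salt, h) in store.items():
        for w in wordlist:
            kdf_calls += 1
            if pbkdf2_hex(w, salt) == h:
                found[u] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    results = [
        ("plaintext", *crack_plaintext(store_plaintext(USERS))),
        ("unsalted sha256", *crack_unsalted(store_unsalted_sha256(USERS), WORDLIST)),
        ("salted pbkdf2", *crack_salted(store_salted_pbkdf2(USERS), WORDLIST)),
    ]
    for name, found, work in results:
        print(f"{name:16s} {len(found)}/{len(USERS)} accounts recovered, "
              f"{work} hash/KDF calls")
```

Plaintext loses every account with no work at all; the unsalted hash loses the three wordlist passwords for six hash calls no matter how many users are in the file; the salted, iterated hash loses the same three but only after per-user work, and the Diceware-style phrase survives all three because it is not in the wordlist.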
Snowy to Kilroy
Premium Member

said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Aah, it took reading that twice,
I usually just gloss over this type of noise
"Most organizations keep usernames and passwords in a master file. ...
So far, so secure. However, master files are often stolen or leaked....


I hope Deloitte is just setting the stage for a breach disclosure rather than actually believing that.
Deloitte's 90% figure still doesn't change any fact.
It's still true that 0% of US banking customers have had their accounts compromised due to a brute force or dictionary attack or even a weak password being cracked via a leaked or stolen password file.
Phishing, vishing, post-it notes, impersonation, forgery, ACH fraud, bank losing master password file.
It doesn't even look right.