antdude

Many password strength meters are downright WEAK, researchers say

»www.networkworld.com/art ··· say.html from »it.slashdot.org/story/15 ··· hers-say

"... Website password strength meters, like a spouse asked to assess your haircut or outfit, often tell you only what you want to hear.

That’s the finding from researchers at Concordia University in Montreal, who examined the usefulness of those pesky and ubiquitous red-yellow-green password strength testers on websites run by big names such as Google, Yahoo, Twitter and Microsoft/Skype. The researchers used algorithms to send millions of “not-so-good” passwords through these meters, as well as through the meters of password management services such as LastPass and 1Password, and were largely underwhelmed by the results..."

An interesting read.

NOYB

I found the article to be underwhelming.

Cites big names like Google, Yahoo, Twitter, Microsoft/Skype, LastPass, and 1Password. But gives no details or examples of any weak passwords any of these say are strong. Guess we're just supposed to take the author's (Bob Brown) word for it over that of these companies. Is that an axe I hear someone grinding in the background?

What I think is really going on with articles like this that bash passwords is "they" (whoever the they is) are driving (corralling, propagandizing, social conditioning) people so they will accept, even demand, an upcoming "solution" they want to implement. Like maybe chip implant or something. Something that will give them even greater control, traceability/trackability and continue to further erode privacy.

Kilroy to antdude
Bottom line, any non-random password is not secure enough. Not-so-good passwords would be something like Password1234!, where it has all four classes of characters (upper case, lower case, numbers, and symbol) in sufficient numbers, 13 characters in this example, but this password would fall very quickly to a structured attack. Password strength meters are based on a straight brute force attack, which is not how passwords are attacked.

Steve Gibson's Password Haystacking is similar. While haystacking is better than using a standard password, it still pales in comparison with a truly random password of the same length and complexity.
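The structured attack Kilroy describes, as an added example (not code from the thread or from any poster): a tiny dictionary crossed with a few mangling rules (case, digit suffix, symbol suffix) finds Password1234! in a few dozen guesses, while a pure brute force over 13 printable characters faces 95^13 candidates. The wordlist, the rules and the SHA-256 target are constructed for illustration, and generate_candidates, structured_crack and brute_force_keyspace are this example's own names, not a real cracker's API.

```python
"""Why a 'complex' password like Password1234! falls to a structured (rule-based)
attack long before brute force is relevant.

Added example, not from the thread. The wordlist, the mangling rules and the
SHA-256 target are all constructed for illustration; real crackers (hashcat,
John) use far larger lists and rule sets."""
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed mini-dictionary: a handful of base words of the kind seen in leaks.
BASE_WORDS = ["password", "letmein", "welcome", "monkey", "dragon", "qwerty"]

# Constructed mangling rules, ordered the way a cracker would try them:
# cheapest and most common first. Each combination yields one candidate.
CASE_RULES = [str.lower, str.capitalize, str.upper]
DIGIT_SUFFIXES = ["", "1", "12", "123", "1234", "12345", "2015", "01"]
SYMBOL_SUFFIXES = ["", "!", "@", "#", "$", "."]


def generate_candidates(words=BASE_WORDS) -> Iterator[str]:
    """Yield word x case x digit-suffix x symbol-suffix: a small rule-based attack."""
    for word, case, digits, sym in itertools.product(
            words, CASE_RULES, DIGIT_SUFFIXES, SYMBOL_SUFFIXES):
        yield f"{case(word)}{digits}{sym}"


def sha256_hex(s: str) -> str:
    """Fast unsalted hash standing in for whatever the leaked store used."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def structured_crack(target_hex: str, words=BASE_WORDS) -> Optional[Tuple[str, int]]:
    """Return (password, attempts) when the rule-based search hits the target hash."""
    for attempts, cand in enumerate(generate_candidates(words), start=1):
        if sha256_hex(cand) == target_hex:
            return cand, attempts
    return None


def rule_space(words=BASE_WORDS) -> int:
    """Total candidates the structured attack can ever try."""
    return len(words) * len(CASE_RULES) * len(DIGIT_SUFFIXES) * len(SYMBOL_SUFFIXES)


def brute_force_keyspace(length: int, alphabet_size: int = 95) -> int:
    """Guesses a pure brute force must be prepared to make for one length."""
    return alphabet_size ** length


if __name__ == "__main__":
    target = sha256_hex("Password1234!")   # the thread's example, hashed for the demo
    print("rule-based attack:", structured_crack(target), "of", rule_space(), "candidates")
    print("brute-force keyspace, 13 printable chars:", f"{brute_force_keyspace(13):.3e}")
```

The point of the contrast is the ratio: a meter that scores Password1234! by its 95^13 brute-force keyspace is off by about thirteen orders of magnitude from what an attacker with a wordlist and rules actually has to do.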

NOYB

said by Kilroy:

any non-random password is not secure enough


This is not so clear cut as that.

What is secure enough depends on what is being protected and what it is being protected from.

What is secure enough varies greatly from system to system. For instance, here on this forum xyz124 is nearly as secure as any password (against offline attack), because if I recall, and if it hasn't changed, this forum stores passwords in the clear.

But for a financial account that obviously would be an extremely poor password.

Even so, and more to the point, strong passwords do not necessarily need to be random. They just need to get past structured attacks and be long enough to make brute force impractical.
Nanaki (banned)

When was the last major story of a system getting compromised by even attacking the password of any user's account?

Over the last 18 months to 2 years, how many data breaches have happened and how many of those were from password hacks? None that I can recall were password attacks. All used exploits and/or social engineering.

ashrc4

said by Nanaki:

Over the last 18 months to 2 years, how many data breaches have happened and how many of those were from password hacks? None that I can recall were password attacks. All used exploits and/or social engineering.

YEP!
So how is weak defined? If they mean weeding out guessable passwords then sure, but enforcing strong (this includes truly random of shorter lengths) only, then that weakens rather than strengthens. Except when talking about cracking truly random hashes.

sivran to NOYB
said by NOYB:

this forum xyz124 is nearly as secure as any password (against offline attack). Because if I recall, and if it hasn't changed, this forum stores passwords in the clear.

No longer true, and hasn't been for a while.

My password for this forum is fairly weak because this is not a sensitive account. Why go to the extra effort?

Kilroy to Nanaki
Front door attacks have been useless for years and are so last century.

Honestly, not reusing passwords is far more important than anything else. The odds that at least one of your online accounts will have its password compromised by the site that requires the password gets closer to 100% with every additional account you have online. If you reuse your password that could result in multiple accounts being compromised off of one successful attack.

After having unique passwords for everything comes complexity. That way, when a password database containing your user name and password is lost, you will not be in the first 50% to fall. The longer it takes to "guess" your password, the greater the chance that it won't be guessed, due to the effort required.

Just like locks, passwords only keep honest people honest.
85160670 (banned) to Kilroy
It is NOT OP password checking tools, but I can understand your point of view ..... Kilroy
said by Kilroy:

Bottom line, any non-random password is not secure enough. Not-so-good passwords would be something like Password1234!, where it has all four classes of characters (upper case, lower case, numbers, and symbol) in sufficient numbers, 13 characters in this example, but this password would fall very quickly to a structured attack. Password strength meters are based on a straight brute force attack, which is not how passwords are attacked.

Steve Gibson's Password Haystacking is similar. While haystacking is better than using a standard password, it still pales in comparison with a truly random password of the same length and complexity.

dave to antdude
Many "research" articles are downright WEAK, cynical readers say.

jaykaykay to sivran
Why not? Why not just be generating a hard, new password for any link? It can't hurt. I consider every site that needs a password the same...sensitive.
dave
Saves mental energy for the couple of dozen passwords that really matter...

Blackbird to antdude
Convenience is the eternal enemy of security. In password-ville, length AND randomness increase security, but the human mind really hates randomness - the longer the random string, the more the mind hates it. We memorize and recall associatively and in patterns. Consequently, random characters in a password are harder for humans to remember than character strings with patterns or "meanings" attached. And, as history will clearly demonstrate, when convenience/ease-of-usage crash headlong into security needs, be sure that security needs are the first thing that will be tossed over the side... 100% of the time. That reality is one of the essential engines that propel the entire world of spook-dom.

sivran to jaykaykay
What dave said. Why invoke KeePass just to log into my youtube account, which only ever does youtube and nothing else, or random forum accounts, none of which share any commonalities with my truly sensitive accounts?
drjenkins to antdude
This is the random password generator I use:
»www.tmcm.com/tmcm/wp-con ··· 2181.jpg

Chubbzie to antdude
Passwords are sometimes on the agenda of a targeted attack with specific purposes. Honestly though, what's the point of brute forcing a password if you can simply dump some malware & capture the user's keystrokes, MiTM, phish, social engineer, etc.

NOYB
said by Chubbzie:

Passwords are sometimes on the agenda of a targeted attack with specific purposes. Honestly though, what's the point of brute forcing a password if you can simply dump some malware & capture the user's keystrokes, MiTM, phish, social engineer, etc.


But how are you going to capture the associated user id that is encrypted in a cookie that is never locally decrypted?

sivran
Any number of other channels where the username might be exposed.

NOYB
said by sivran:

Any number of other channels where the username might be exposed.


And if it is not?
TheMG to antdude
I suppose the password strength meters could be made "smarter" by detecting or blocking easily guessed and common passwords, but anything more than that wouldn't be that useful.

For most online accounts, the most important considerations are using a password that is not easily guessable, and not re-using the same password between websites.

Using lengthy purely random passwords is not practical for such accounts, and doesn't really add much security, since password attacks on a website front-end are quite ineffective even on short passwords.

Where lengthy random passwords are important is where the password is used as an encryption key to protect data. If an attacker gets a copy of the encrypted data, they can put as much resources as they have available toward cracking that key, so it is important to make sure the password is complex enough that no amount of processing power available now or in the near future can crack it in a practical amount of time (ie: it should be long enough so it takes at least 100 years to crack given access to huge cloud computing resources).

But going through a website front-end, things are sloooooooooow and even a structured dictionary attack can be a slow painful process that may never succeed.

The reality is that aside from easily guessed commonly used passwords, most attacks and data breaches occur through means that do not involve cracking a user's password. Finding and exploiting website vulnerabilities to gain back-end access, social-engineering (phishing), and keyloggers are much more effective techniques and are how the great majority of security breaches happen these days.

My bank uses 5 digit numerical pins to sign in to online banking. I don't feel insecure because of it. Why? You only get 4 tries and you're locked out. What are the chances an attacker is going to guess a 5-digit pin correctly if they have only 4 shots at getting it right? Unless I use an easily guessed pin, such as 12345, 00000, 11111, etc, the chances of anyone getting it right are slim to none.
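A meter of the kind TheMG suggests, as an added example (not from the thread, and not the code of any vendor named in the article): naive_meter counts character classes and length the way many meters do and rates Password1234! as strong; smarter_meter first strips the usual digit/symbol tail, lowercases, and checks the remaining base word against a blocklist of common passwords before falling back to the class count. The blocklist and the suffix pattern are small constructed assumptions; a real deployment would load a large breached-password list. The online lockout TheMG's bank relies on is a server-side control and is not modelled here.

```python
"""A naive class-counting meter beside a 'smarter' one that screens out common
passwords and common-word-plus-suffix patterns before scoring.

Added example, not from the thread. The blocklist and the suffix regex are
constructed and deliberately tiny."""
import re
import string

# Constructed blocklist: the sort of entries at the top of any leaked-password list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty",
                    "letmein", "welcome", "monkey", "dragon"}

# Assumption: up to six trailing digits/symbols are 'meter padding' on a base word.
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*.]{0,6}$")

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def naive_meter(pw: str) -> str:
    """What many meters do: count character classes and length, nothing else."""
    classes = sum(bool(set(pw) & set(cs)) for cs in CLASSES)
    if len(pw) >= 12 and classes == 4:
        return "strong"
    if len(pw) >= 8 and classes >= 3:
        return "medium"
    return "weak"


def base_word(pw: str) -> str:
    """Undo the usual mangling: drop the trailing digit/symbol tail, lowercase."""
    return SUFFIX_RE.sub("", pw).lower()


def smarter_meter(pw: str, blocklist=COMMON_PASSWORDS) -> str:
    """Reject the guessable shapes first; only then fall back to the class count."""
    if pw.lower() in blocklist:
        return "reject: common password"
    if base_word(pw) in blocklist:
        return "reject: common word with predictable suffix"
    if len(pw) < 8:
        return "reject: too short"
    return "accept (" + naive_meter(pw) + ")"


if __name__ == "__main__":
    for pw in ["Password1234!", "qwerty", "12345", "g7#Qv9!pLz2&Rk"]:
        print(f"{pw:16} naive={naive_meter(pw):8} smarter={smarter_meter(pw)}")
```

The two meters agree on a random string and disagree exactly on the case the article is about: a base word everyone uses, dressed up to satisfy the class rules.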
Shady Bimmer
said by TheMG:

Using lengthy purely random passwords is not practical for such accounts, and doesn't really add much security, since password attacks on a website front-end are quite ineffective even on short passwords.

Unfortunately that is one of the lingering misconceptions. A far greater concern is over offline attacks once (hopefully hashed or at least encrypted) password stores are breached.

Most sites have protections against repeated failed attempts through customer-facing interfaces. Apple had demonstrated not too long ago what happens when such protections are not put in place.

However if we look back at how many sites had breaches where password stores were "leaked"/"stolen" the concern over offline attacks becomes much more clear.

Over 2 years ago, an under-$25K gpu-based hashcat+ implementation broke world records by reconstructing almost 350 billion (that's a 'B') NTLM hashes per second. Every 8-character (or less) password was discovered in a matter of only hours. This has now been eclipsed.

Yes, there are newer stronger hashing algorithms available, but remember that customers don't have any control over how their passwords are actually protected (or even whether they are protected). We've seen, even recently, that there are very large enterprises that do not even encrypt, let alone hash, sensitive data including passwords - in those cases whether we used a 300-character password or a 1-character password would make no difference. However for those sites where static credentials are indeed protected we can only expect that protection to be viable for a short time once the stores are leaked or stolen. Choosing strong passwords helps maximize that time.

Hashcat has many modes, including pure brute-force, dictionary, combinator, and rule-based (among others). Cloud services now offer GPU computing at competitive cost. This is where the concern continues to increase (not online "front-end" attacks).

For what it is worth, in a pure "brute-force" attack, length is the primary factor. However since brute-force loses feasibility as length increases it is not the only method used. Dictionary, table, combinator, and other rule-based attacks are used as well which reduces the effectiveness of using length as the primary strength and is where randomness and using multiple character classes comes into play.

said by TheMG:

The reality is that aside from easily guessed commonly used passwords, most attacks and data breaches occur through means that do not involve cracking a user's password.

Actually, many breaches seek to obtain, among other data, user logins and passwords. Once those are captured, the attackers have all the time in the world to harvest those and either sell the list or use them to expand their attacks further.

Strong passwords are chosen to avoid being discovered in such offline attacks, or at least not discovered for long enough to allow passwords to be changed by the owner before they are discovered.
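Shady Bimmer's offline-attack arithmetic carried through, as an added example (not from the thread): at the 350 billion guesses per second quoted above, every printable-ASCII password of 8 characters or fewer is exhausted in about five hours, which matches the "matter of only hours" in the post, and the same functions show how a deliberately slow, salted hash (PBKDF2-HMAC-SHA256 from Python's hashlib) divides the attacker's guess rate by its iteration count. The 95-character alphabet, the 600,000-iteration work factor and the iterations$salt$hash record format are assumptions of this example, not anything the posts specify.

```python
"""Offline-attack arithmetic for a leaked password store, and the slow, salted
hashing that stretches the attacker's time.

Added example, not from the thread. The guess rate is the figure quoted in the
post; the alphabet size, PBKDF2 work factor and storage format are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

PRINTABLE_ALPHABET = 95          # assumption: ASCII printable, space excluded
NTLM_RATE_QUOTED = 350e9         # guesses/s for NTLM quoted in the post (GPU hashcat)
PBKDF2_ITERATIONS = 600_000      # assumption: a present-day PBKDF2-HMAC-SHA256 work factor


def keyspace_up_to(max_len: int, alphabet: int = PRINTABLE_ALPHABET) -> int:
    """Every password of length 1..max_len over the alphabet ('8 characters or less')."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def hours_to_exhaust(max_len: int, rate: float, alphabet: int = PRINTABLE_ALPHABET) -> float:
    """Worst-case wall-clock hours for a pure brute force at `rate` guesses/s."""
    return keyspace_up_to(max_len, alphabet) / rate / 3600


def slowed_rate(fast_rate: float, iterations: int = PBKDF2_ITERATIONS) -> float:
    """PBKDF2 costs about `iterations` underlying hashes per guess, so the
    attacker's rate drops by roughly that factor (the speed difference between
    NTLM's MD4 and SHA-256 is ignored for this estimate)."""
    return fast_rate / iterations


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt; parameters travel with the record as iterations$salt$hash
    so the work factor can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(f"<=8 chars, fast NTLM hash:  {hours_to_exhaust(8, NTLM_RATE_QUOTED):.1f} hours")
    print(f"<=8 chars, PBKDF2 slowed:   {hours_to_exhaust(8, slowed_rate(NTLM_RATE_QUOTED)):.3e} hours")
    print(f"<=12 chars, fast NTLM hash: {hours_to_exhaust(12, NTLM_RATE_QUOTED):.3e} hours")
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

As the post says, the user controls only the password half of this: length and randomness buy time against the brute-force and rule-based modes, while the hashing choice that decides the guess rate is entirely the site's.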

Chubbzie to NOYB
said by NOYB:

But how are you going to capture the associated user id that is encrypted in a cookie that is never locally decrypted?

If you've already gained access to the machine, via X subversion method, the cookie(s) are now yours to utilize however you see fit (even through impersonation). Also, it's against standard security practices to store any server-based auth mechanisms or credentials on the client's end, whether encrypted or not. Any information provided by the client is suspected of having been tampered with.

NOYB
said by Chubbzie:

If you've already gained access to the machine, via X subversion method, the cookie(s) are now yours to utilize however you see fit (even through impersonation).


Except that the contents, a user id being discussed in this case, is encrypted. And it may not even be the actual user id but rather a cross reference that the backend uses and only accepts if provided via the cookie. Furthermore the cookie can be constructed to prevent it from being accepted from any other machine. Thus protecting it from external use if transferred to another machine.

So it has to be used on the current machine. If the machine is compromised to that extent then typed and other forms of input are also compromised and those can easily be used externally on other machines.
said by Chubbzie:

Also, its against standard security practices to store any server based auth mechanisms or credentials on the client's end whether encrypted or not.


Not being a standard security practice does not necessarily make a method less secure. It may in fact even exceed the security of standard practices and be more secure.
said by Chubbzie:

Any information provided by the client is suspect to having been tampered with.


Including keyboard, or other entry method, user id.

Given the choice of an encrypted user id, or cross reference, being provided via cookie, or a totally unprotected keyboard or other entry method, I'll take the cookie, standard security practice or not, thank you very much. It offers far more protection than keyboard and other entry methods. Can it be compromised? Probably so. But not nearly as easily as capturing credentials via key-logger, and not as transportable for use from another machine of the hacker's convenience. The hacker only has access while the machine is online.

Chubbzie
Blathering blatherskite... machine already owned.