The availability of password-cracking tools based on increasingly powerful graphics processors means that even carefully chosen short passwords are liable to crack under a brute-force attack. A password of less than seven characters will soon be "hopelessly inadequate" even if it contains symbols as well as alphanumerical …
In other news
Yes 7 is bigger than 3!
I'll get my magical coat of 246 alphanumeric password strings..
Using a keylogger will defeat even the most complex password (assuming it's 1-factor). Well who knew??
Utterly pointless research. Passwords are good and bad and need to be a strong as the need requires. However you will always get an idiot who believes that the most mundane systems require uber-complex passwords. For example, at my workplace, we now have a new online room booking system for meetings. It's hosted internally, behind the firewalls, and the room bookings are free. The password for the new system requires 8 characters, upper and lower, with at least one digit and one special character and needs to be changed monthly. The AD logins have less complexity, so ironically, it's easier to break into a desktop (which you'd have to in order to get on the network to use the room booking).
AC as I'm sure the sysadmins consider this sharing a security breach...
It's the age-old battle between security and usability, and as ever the best way is a balanced approach.
Not looking forward to the start of a new school term with kiddywinks who STILL use an entire sentence as their password (30chars +), then asking for a reset despite being told to use something sensible.
(Though it is quite amusing to watch their red faces when you delete that extra space they'd added after their username in the login box...)
Surely they should just use AD authentication, otherwise they're missing half the point of domains?
If it were in our domain, yes. It's hosted by a third party, seemingly connected via a VPN (given it appears as an external address, which is inaccessible outside). But otherwise, yes, it should be by SSO - but the majority of our new web services are in the same boat, including travel, service management/workflow, billing, procurement & HR systems. Some hosted internally, but off-the-shelf with very little customisation and no integration in the AD SSO.
You, my friend, have just made the mistake of using common sense in your argument. It's not applicable here it seems :-(
If most people need longer passwords...
The only problem is with everyone asked to have much longer passwords, a lot of non-technical people will keep all their passwords in a root text file called passwords.txt
If you think thats bad, then just add in they will also need to carry their passwords.txt file with them on a USB stick in their pocket.
What could possibly go wrong.
(Sadly I'm only half joking).
I know of one site...
...where the password is 16 characters long to get into one system.
Mix of upper case, lower case, numbers and symbols.
And its written on the wall beside the machine.
"They suggest that some low-security sites (such as newspaper sites) insist on the use of passwords "primarily for psychological reasons ... as a justification for collecting marketing data and as a way to build trusted relationships with customers". ®"
While I understand that sentiment I imagine any online paper that allows comments or submissions also has a more practical reason, after all if you could simply post under anothers name (as with many blogs I read) you inevitably get some twazzock or another hi-jacking another posters name to troll.
Using the phrase "Best practice" often means I want you to accept what I'm about to say without question. In this case I'd question whether longer passwords help as users, in my experience, tend to change them less often and use recurring patterns as they find them just too much work.
I'd also like to point out that if my login mechanism makes you wait a second between each try and several seconds every third try, extra computing power isn't going to help. OK, you could open multiple login sessions but that's going to get you blocked too. If you've also got to guess the login name then you're going to be there even longer.
Yes, Graphic cards abilities are impressive but I'm not sure it's time to sound the alarm yet.
The attack isn't based on using your login mechanism, it's assuming access to your hashed password file and then computing power does matter. I agree that recommending (let alone enforcing) very long passwords is unlikely to work well in practice. If you have assets that require strong security protection, passwords alone are unlikely to be adequate - you need multi-factor authentication.
It is not that difficult when presented with an actual computer to reboot it into a CD or USB version of micro-Linux, where you can access the password hash file. You can take this offline and decode it, using the heavy GFX mips mentioned (and an intelligent password guesser), or through rainbow tables.
This will normally then allow you onto the machines company network - with only one password guess...
Most if not all business laptops keep a local copy of the password hash, so you can sign in to your open machine when you're off-network. They don't actually have to do it this way, you could have a different password for local use, and a login screen for the company network. This would not require any storage of the company password or its hash.
and in other news
When someone has a level of access to your machine in order to obtain your password hash they can then crack it. Hardly a leap of faith. Unless I'm missing something, the only use for this would be to obtain access to stored keychains as you already have a root level access to the system.
How does it go when full drive encryption is used?
Re : Agreed
"You can take this offline and decode it"
Not sure how you'd do this with a salted hash table on a Linux/Unix system
"when presented with an actual computer to reboot it into a CD or USB..."
Even with booting disabled from CD/USB/SD and the BIOS locked ?
Most BIOS passwords can be circumvented with a CMOS reset. Admittedly not all of them (Thinkpad's survive that method IIRC), but presumably it's possible to swap out the BIOS and CMOS chips from another identical laptop in these extreme cases (think back to the days when you had to recover a motherboard from a BIOS virus).
However none of this is needed. The more trivial method involves taking a screwdriver, removing the boot disk and mounting it in a separate machine. You can even clone it to an image and hack away at the hash files to your hearts content.
Usually you just have to disconnect the battery to reset the BIOS. In the worst case, you just move the disc drive into another machine.
Theoretically, the drive could be encrypted with a strong key that only the BIOS, or the drive itself, knows. However, I've not come across that. If the drive is encrypted with a password that the user types in, then that can be cracked using GPUs, etc, just like the password for the company network that is in most cases stored on the disc, as someone else just pointed out.
I wonder if this whole digital security thing will be sorted out before I die of old age. I see little sign of progress. It's still only a tiny minority of people who understand and care about the issue.
Re : No need
Not fast though - esp. with a locked case like I use - serious lock that is.
Wouldn't help with a Linux password anyway. But as others have already said if you have the physical machine you have the contents unless they are also seriously encrypted.
@chem Serious lock?
Seriously? Most PC case locks take less than 2 minutes to circumvent if your serious about getting in and have a little know how, a bit longer if your trying to not leave any physical evidence of the intrusion. :-)
All kidding aside though, valid point if you have physical access to the box you have the box and by extension possibly the network it's only a matter of time.
I've worked at places that went to great extremes, even to the point of "disabling" all external ports, in all cased if you really want to get in you can get in. Just like cracking a safe it's just a matter of having three things: 1) The time to get the job done, 2) the right tools and 3) the knowledge of how to use them.
What concerns me the most it the tools are more readily available, faster and easier to use than ever...
Mines the one with the lockpics attached to the USB stick.
Yes. My fileserver is in a case I found in a skip. This has welded lugs and a metal bar to take a padlock. so you'd need a hacksaw or crowbar. ( The dual core Atom ITX board and dinky power supply and disks occupy about a quarter of it.)
Security not an issue with this anyway due to no easy access.
We need a solution
We need a solution to passwords - I have about 500 passwords in use across many systems and perhaps 50 of these get used regularly. About 10 passwords are "vital" ones such as banking or router passwords.
There are a number of so-so solutions that will collect and protect passwords, but I have yet to find one that is painless to use (yes, please take this as in invitation to suggest products!) so I end up with my browser holding most of them (synced across different computers) and my poor brain holding all the ones that security really matters for. Most of the low security ones to end up sharing the same password, but not the vital ones.
Before long we may need to find a better solution than passwords that we can remember - but are strong enough to resist brute-force because there will be an ever decreasing number of people that can remember the ever increasingly complex passwords!
"..yes, please take this as in invitation to suggest products!"
For Windows, Roboform with online sync. I've got hundreds of long, complex passwords stored and it works well. (Recommend you try the beta 7 version - looks like it's close to release.)
I use 1Password and to date am happy with it. My master password for it is long and complicated and not written down anywhere.
LastPass works pretty well for me
browser add-on in Firefox/Chrome/WebKit, supports OSX *and* that toy OS from Redmond WA.
took a while to get comfortable with their architecture and with them; but it's been working well for a year now.
makes it easy to end the password-reuse trap even the best of us are prone to; its generator supports arbitrary password length and character-set options; system has as export facility for local backups.
what I really want, though, is an end-to-end idiot-proof simplified UI for setting up SSH authentications. the infrastructure mechanism for creating and using great big digital keys obviously works well enough for people with the technical knowledge to configure and maintain their own server accounts, but is nightmarishly incomprehensible for the majority audience. it shouldn't be that way, and it doesn't have to be.
OpenID was/is a well-meaning effort to simplify things, but it of course has its own issues; its adoption ramp also seems to have stalled.
OK, so it stores your passwords on a remote site, which does make a SPOF, but they are stored with 256-bit encryption, which makes it less likely a brute force attack will find them.
It's fairly painless to set up and use on FireFox - it's also available for Chrome but the UI isn't as good, and it successfully detects the majority of username / password fields (although it struggles with Wikia - it detects but won't autofill the login popup). Although you access your passwords with a single password, it you're smart enough to be using the program you'll probably choose a fairly long master password anyway.
The program also has the ability to generate secure passwords - tell it how long you'd like the password and what characters the site allows (many still don't allow non-alphanumerics, and several impose a limit of <12 characters, with some only accepting 8 letter passwords!), and it'll generate a completely random password, which you don't need to remember because it remembers them for you.
Oh, and you can download the (encrypted!) file of passwords, so even if something untoward happens to lastpass.com, as long as you've got the extension you can still access your passwords.
www.keepass.info 'nuff said.
two of 'em, actually
There's the one that Bruce Schneier made, but I can't remember what it was called. I have a Blackberry, which has a "Password Locker" app; these are stored under a separate key from the one used for the rest of the BB, so you get a password for the app itself, and the crypto's pretty strong. I put there all my zillion passwords, and it's pretty good to date. Backing up also helps in case my BB ever gets stolen :)
Use Ilium's eWallet .. runs on Windows, OSX, iPhone and Android. Has a password generator which I use. They say they use 256 bit AES encryption. Can back up the wallet and save it in multiple places.
Of course if I forget the 12 character password to the wallet I'm stuffed. Not looking forward to the day dementia kicks in.
Beer because my brain cells need it.
This we know
There's a well-known credit card company of whom I am a patron. Some months ago they shortened the HTML form on their secure log-in area to 8 characters, saying that that was all that was allowed. This, despite my own password somehow managing to have been set substantially longer. I guess the HTML limitation wasn't consistent across the site.
I complained, saying that 8 characters was not enough. They denied that, claiming all was fine. Just last month they extended the password length again.
Well, I suppose it's a bit much to ask for an admission that their security was lacking in the first place!
Can better that
Had a similar one with a large Forex company who shall also remain nameless, but given you'd typically be putting 5 or 6 figure trades through it you would hope for security. Nope.
My favourite issue was the block on too many guessed passwords, which was done with... a cookie. Delete the cookie (or ignore it, as you might if you were an automated scanner) and you could retry at your leisure. Unsurprisingly I still make my forex trades by phone.
Longer time between password entries
Brute force password cracking is only as good (or as bad?) as the password entry system it is used with.
For example you could not brute force passwords below 12-digits (in a reasonable time frame) if you can only try once every 10 minutes after you've got it wrong 5 times in a row!
Re : Longer time between password entries
In fact you couldn't brute force it in a very long time, on average, even if you could try every MICROSECOND. I estimate ~50 million years to the half-way point.
Longer .... exponential back off
If you once got access to the encrypted pass phrase ......There are more ways to compromise your pass phrase.
Well known exponential back off might help, if one has to run a dump brute force attack, as those outdated will die it renders this old approach useless (Netware 3.12)....
best regards, HA
No million of years ---- some days ......
1) Not one per microsecond, but 256 per nanosecond, about 250.000 times more powerful.
2) Not eight bit, but six bit. Requires a just a billionth the effort to invert a pass phrase with sixteen characters.
3) Pass phrases allow attacks by methods based on statistics.
Everything written down in my own article ;->
best, Hans Adams
Re : No million of years ---- some days .....
Are you seriously suggesting that a 'good' salted *ix password can be cracked in less than near geological time ?
I'm not sure it's time to sound the alarm yet.... either
Why not spend more time figuring out who needs passwords.
For 90% of what I do I don't want or need a password.
I'd use a common 3 character password if I could, but...
Software and admins increasingly demand longer more complicated passwords AND that I change them regularly.
A big pain in the neck.
Having things such as increasingly powerful graphics processors you can run CUDA crunching on is all very well and good, but kind of irrelevant in the context of web based attacks.
Consider a password which may be between 1 and 6 characters long, alphanumerics, giving a total of around 2 billion options, lets take another mathematical shortcut and ignore the missing digits from the smaller numbers and lets say that each option tried is 6 digits... so for each check you've got 6 digits, lets add 250 bytes for a decent sized HTTP POST header and presume that you're also going to need to send a 10 character login name and, while were at it, the fields will need to be identified so 'user=' and 'password=' add another 14.
That brings it to about 270,000,000,000 bytes to transfer or about 250 GB of upload to the server.
Lets presume that in order to know if you've succeeded in logging in or not you're going to need to receive the response, and for the sake of argument lets say your average webpage being about 15k totalling an additional 28 TB of bandwidth.
So all told you're talking about 28 TB of bandwidth to check all of the 6 character passwords for one user.
Now the question is, if you maxed out the bandwidth of a moderately sized server of the kind you may wish to attack without alarm bells going off all over the place due to the expensive DDoS and IDS protection you find on larger sites.. so let's say that's 10 mbyte/sec... about 3 million seconds to test them all or 30 days.
Using the assumption that somebody wouldn't noticing you sucking up 100% of their bandwidth for an entire month you then have to consider the poor server trying to check all of these details - running a password attack on an offline is all very well and good... but what is a server going to think when it's having its CPU burnt up by handling billions of extra page generations in ASP or PHP or whatever it may be.
Anyway, in summary, it is true that longer passwords are needed... but when you're dealing with websites, how many you can shove down the pipe to be processed by the server is much more important than how you generate the passwords in the first place.
And supposedly we're supposed to change the passwords every 30 days, so it could be that it would get changed before the attack even finished. And that is assuming best case scenario on the web page not noticing the attack.
You forgot the raptor pit and the crocodile on a rope!
Are we talking password encrypted files or online access?
A brute force attack against an online site should either be noticed, or hit the old 'you've exceeded the maxmimum number of logon attempts' threshold long before even the lamest of passwords is 'guessed'.
Now, of some has a copy of your laptop or other external medium, then yeah... make them take the better part of a day to crack in.
...a way round this is to use the same password on every users account instead of going through all the passwords on a single users account.
Yawn, wake me up later...
Until banks get a clue, I don't think there is much hope of much changing ...
It's setting up a memorable word as the 3rd step in the process (if you're so upset, realise that subsequently they only ask you 2 letters from this word at login, even less "secure").
As I recall, Barclays are one of the best in terms of security. Bear in mind they're moving to 2FA with their PINSentry devices, and even before that they required your surname, user ID and password before getting to the "enter 2 letters" stage.
It's very easy to pick holes in a system if you only focus on one aspect.
Re : So? (Anon)
"As I recall, Barclays are one of the best in terms of security"
Oh yes, like they sent a replacement bank card for my mother to an address from which she had moved 3 months earlier. They totally ignored her letter telling them the change of address because "anybody could have written it".
"They totally ignored her letter telling them the change of address because anybody could have written it."
Well, yes, you'd have been f***ing furious if they'd changed her address because some nefarious person had written to them. It used to be the most common way of defrauding an account back when I worked in a branch (yeeeaaars ago). Not to mention that relying on a letter sent (presumably) unregistered with no guarantee of delivery and assuming "job done" isn't the best technique for changing your address. I take heart in the fact that my bank (not Barclays) only lets me change my address in person or over the phone subject to the normal ID procedures.
Besides, I'm guessing the statement was about *online* security..
password file cracking
I occasionally have to do this sort of thing for audits / security checks and if you can get hold of the password file itself (from the local computer or from AD) then simple, free tools such as 0phcrack with the large dictionary (about 700MB) will pull out passwords of 12 unconnected characters in a few minutes. If you get hold of AD then you also get the last 5 or so changes so you can see the patterns people use when they have to change their password. I accept getting hold of the files in the first place may not be that easy, but once you have them you don't need a powerful computer or a long time.
Download a password liberator of your choice and and try it on your computer at home, you will be surprised at how easily your secure password can be exposed. Needless to say, don't try it at work unless you have permission to crack passwords or you know you are clever enough never to get caught.
Just check for obvious passwords.
back in the day when I thought (mad fool that I was, that most of the users in the office took passwords reasonably seriously, I tried a simple Unix password checker... only to be horrified at the freds and the condoms and so on...
Probably preaching to the converted.....
.... but here goes.
How do you compose a long, and hard to brute-force, password for a particular website?
The Free Method
1. Open up a simple word processor. Enter:
2. User Name: All symbols, e.g. (~(("}` Make this as long as the website allows.
3. Password. Think of something unique that associates you with that website (=memorable). Let's take online banking with Southern Sand Bank plc as an example.
Your own personal memory might be "I opened my account with Southern Sand Bank when we lived in Milton Keynes. It was in 1990; it's now bust". That translates into "IomawSSwwliMK.Iwi1990;i'snb"
Save the text file, then copy and paste the relevant strings into the registration page. Keep the txt file safe - job done.
The paid for, but cheap and convenient method:
Install 1Password (was Mac only, but now also Windows beta). Just use it straight out of the box. It's brilliant, and NO, I do not work for the company, and NO, I am not an affilliate!
And that's memorable?
Am I supposed to use this password everywhere or does each one of my 100 passwords have to look something like that?
Personally, I find my collegues passwords memorable: 88888888
even his gmail account uses it.
Illegal account/password combination.
according to your mnemonic, you ain't getting in.
be what you meant, instead?
This method of creating passwords is terrible. I'm probably preaching to the converted here, but obfuscated and complicated passwords are non-portable and unsafe. If you were to lose that file (Hard drive problems, your cat deletes the file, etc) then you've lost access to whatever it is you've password protected. Perhaps worse, if you find yourself on another computer, you're scuppered! I personally believe in a passphrase; several words forming a phrase - easy to remember, portable and can be stored in your head. You could even use several passphrases, based on the website or context in question. "I like to read El Reg!" would be an o.k. example.
Here's a site I stumbled upon earlier saying all this better and in more detail:
Paris: Because "That's hot" is her passphrase.
- Review Apple iPhone 6: Looking good, slim. How about... oh, your battery died
- Review + Vid Apple iPhone 6 Plus: What a waste of gorgeous pixel density
- +Comment EMC, HP blockbuster 'merger' shocker comes a cropper
- Moon landing was real and WE CAN PROVE IT, says Nvidia
- 46% of iThings slurp iOS 8: What part of this batt-draining update didn't you like?