The Register® — Biting the hand that feeds IT

Feeds

Short passwords 'hopelessly inadequate', say boffins

The availability of password-cracking tools based on increasingly powerful graphics processors means that even carefully chosen short passwords are liable to crack under a brute-force attack. A password of less than seven characters will soon be "hopelessly inadequate" even if it contains symbols as well as alphanumerical …

This topic is closed for new posts.

Page:

Anonymous Coward
Coat

In other news

Yes 7 is bigger than 3!

I'll get my magical coat of 246 alphanumeric password strings..

Anonymous Coward
FAIL
Reply Icon

and also...

Using a keylogger will defeat even the most complex password (assuming it's 1-factor). Well who knew??

Utterly pointless research. Passwords are good and bad and need to be a strong as the need requires. However you will always get an idiot who believes that the most mundane systems require uber-complex passwords. For example, at my workplace, we now have a new online room booking system for meetings. It's hosted internally, behind the firewalls, and the room bookings are free. The password for the new system requires 8 characters, upper and lower, with at least one digit and one special character and needs to be changed monthly. The AD logins have less complexity, so ironically, it's easier to break into a desktop (which you'd have to in order to get on the network to use the room booking).

AC as I'm sure the sysadmins consider this sharing a security breach...

C Yates
Thumb Up
Reply Icon

Too true!

It's the age-old battle between security and usability, and as ever the best way is a balanced approach.

Not looking forward to the start of a new school term with kiddywinks who STILL use an entire sentence as their password (30chars +), then asking for a reset despite being told to use something sensible.

(Though it is quite amusing to watch their red faces when you delete that extra space they'd added after their username in the login box...)

Anonymous Coward
FAIL
Reply Icon

SSO

Surely they should just use AD authentication, otherwise they're missing half the point of domains?

Anonymous Coward
Unhappy
Reply Icon

re: SSO

If it were in our domain, yes. It's hosted by a third party, seemingly connected via a VPN (given it appears as an external address, which is inaccessible outside). But otherwise, yes, it should be by SSO - but the majority of our new web services are in the same boat, including travel, service management/workflow, billing, procurement & HR systems. Some hosted internally, but off-the-shelf with very little customisation and no integration in the AD SSO.

You, my friend, have just made the mistake of using common sense in your argument. It's not applicable here it seems :-(

MinionZero
Joke

If most people need longer passwords...

The only problem is with everyone asked to have much longer passwords, a lot of non-technical people will keep all their passwords in a root text file called passwords.txt

If you think thats bad, then just add in they will also need to carry their passwords.txt file with them on a USB stick in their pocket.

What could possibly go wrong.

(Sadly I'm only half joking).

o.O

Anonymous Coward
Anonymous Coward
Reply Icon

I know of one site...

...where the password is 16 characters long to get into one system.

Mix of upper case, lower case, numbers and symbols.

And its written on the wall beside the machine.

Eden
Troll

Hmm

"They suggest that some low-security sites (such as newspaper sites) insist on the use of passwords "primarily for psychological reasons ... as a justification for collecting marketing data and as a way to build trusted relationships with customers". ®"

While I understand that sentiment I imagine any online paper that allows comments or submissions also has a more practical reason, after all if you could simply post under anothers name (as with many blogs I read) you inevitably get some twazzock or another hi-jacking another posters name to troll.

Matt 21

Hmmm

Using the phrase "Best practice" often means I want you to accept what I'm about to say without question. In this case I'd question whether longer passwords help as users, in my experience, tend to change them less often and use recurring patterns as they find them just too much work.

I'd also like to point out that if my login mechanism makes you wait a second between each try and several seconds every third try, extra computing power isn't going to help. OK, you could open multiple login sessions but that's going to get you blocked too. If you've also got to guess the login name then you're going to be there even longer.

Yes, Graphic cards abilities are impressive but I'm not sure it's time to sound the alarm yet.

Chris Miller
Reply Icon

Yes, but

The attack isn't based on using your login mechanism, it's assuming access to your hashed password file and then computing power does matter. I agree that recommending (let alone enforcing) very long passwords is unlikely to work well in practice. If you have assets that require strong security protection, passwords alone are unlikely to be adequate - you need multi-factor authentication.

Anonymous Coward
Anonymous Coward
Reply Icon

Agreed

It is not that difficult when presented with an actual computer to reboot it into a CD or USB version of micro-Linux, where you can access the password hash file. You can take this offline and decode it, using the heavy GFX mips mentioned (and an intelligent password guesser), or through rainbow tables.

This will normally then allow you onto the machines company network - with only one password guess...

Most if not all business laptops keep a local copy of the password hash, so you can sign in to your open machine when you're off-network. They don't actually have to do it this way, you could have a different password for local use, and a login screen for the company network. This would not require any storage of the company password or its hash.

Mark 65
Reply Icon

and in other news

When someone has a level of access to your machine in order to obtain your password hash they can then crack it. Hardly a leap of faith. Unless I'm missing something, the only use for this would be to obtain access to stored keychains as you already have a root level access to the system.

How does it go when full drive encryption is used?

Anonymous Coward
Anonymous Coward
Reply Icon

Re : Agreed

"You can take this offline and decode it"

Not sure how you'd do this with a salted hash table on a Linux/Unix system

Chemist
Reply Icon

"when presented with an actual computer to reboot it into a CD or USB..."

Even with booting disabled from CD/USB/SD and the BIOS locked ?

Annihilator
Boffin
Reply Icon

No need

Most BIOS passwords can be circumvented with a CMOS reset. Admittedly not all of them (Thinkpad's survive that method IIRC), but presumably it's possible to swap out the BIOS and CMOS chips from another identical laptop in these extreme cases (think back to the days when you had to recover a motherboard from a BIOS virus).

However none of this is needed. The more trivial method involves taking a screwdriver, removing the boot disk and mounting it in a separate machine. You can even clone it to an image and hack away at the hash files to your hearts content.

Anonymous Coward
FAIL
Reply Icon

BIOS locked?

Usually you just have to disconnect the battery to reset the BIOS. In the worst case, you just move the disc drive into another machine.

Theoretically, the drive could be encrypted with a strong key that only the BIOS, or the drive itself, knows. However, I've not come across that. If the drive is encrypted with a password that the user types in, then that can be cracked using GPUs, etc, just like the password for the company network that is in most cases stored on the disc, as someone else just pointed out.

I wonder if this whole digital security thing will be sorted out before I die of old age. I see little sign of progress. It's still only a tiny minority of people who understand and care about the issue.

Chemist
Reply Icon

Re : No need

Not fast though - esp. with a locked case like I use - serious lock that is.

Wouldn't help with a Linux password anyway. But as others have already said if you have the physical machine you have the contents unless they are also seriously encrypted.

Jerren
Coat
Reply Icon

@chem Serious lock?

Seriously? Most PC case locks take less than 2 minutes to circumvent if your serious about getting in and have a little know how, a bit longer if your trying to not leave any physical evidence of the intrusion. :-)

All kidding aside though, valid point if you have physical access to the box you have the box and by extension possibly the network it's only a matter of time.

I've worked at places that went to great extremes, even to the point of "disabling" all external ports, in all cased if you really want to get in you can get in. Just like cracking a safe it's just a matter of having three things: 1) The time to get the job done, 2) the right tools and 3) the knowledge of how to use them.

What concerns me the most it the tools are more readily available, faster and easier to use than ever...

Mines the one with the lockpics attached to the USB stick.

Chemist
Reply Icon

@Jerren

Yes. My fileserver is in a case I found in a skip. This has welded lugs and a metal bar to take a padlock. so you'd need a hacksaw or crowbar. ( The dual core Atom ITX board and dinky power supply and disks occupy about a quarter of it.)

Security not an issue with this anyway due to no easy access.

GettinSadda

We need a solution

We need a solution to passwords - I have about 500 passwords in use across many systems and perhaps 50 of these get used regularly. About 10 passwords are "vital" ones such as banking or router passwords.

There are a number of so-so solutions that will collect and protect passwords, but I have yet to find one that is painless to use (yes, please take this as in invitation to suggest products!) so I end up with my browser holding most of them (synced across different computers) and my poor brain holding all the ones that security really matters for. Most of the low security ones to end up sharing the same password, but not the vital ones.

Before long we may need to find a better solution than passwords that we can remember - but are strong enough to resist brute-force because there will be an ever decreasing number of people that can remember the ever increasingly complex passwords!

TaabuTheCat
Reply Icon

You asked...

"..yes, please take this as in invitation to suggest products!"

For Windows, Roboform with online sync. I've got hundreds of long, complex passwords stored and it works well. (Recommend you try the beta 7 version - looks like it's close to release.)

a53
Reply Icon

Password solution

I use 1Password and to date am happy with it. My master password for it is long and complicated and not written down anywhere.

adrianrf
Reply Icon

LastPass works pretty well for me

browser add-on in Firefox/Chrome/WebKit, supports OSX *and* that toy OS from Redmond WA.

took a while to get comfortable with their architecture and with them; but it's been working well for a year now.

makes it easy to end the password-reuse trap even the best of us are prone to; its generator supports arbitrary password length and character-set options; system has as export facility for local backups.

what I really want, though, is an end-to-end idiot-proof simplified UI for setting up SSH authentications. the infrastructure mechanism for creating and using great big digital keys obviously works well enough for people with the technical knowledge to configure and maintain their own server accounts, but is nightmarishly incomprehensible for the majority audience. it shouldn't be that way, and it doesn't have to be.

OpenID was/is a well-meaning effort to simplify things, but it of course has its own issues; its adoption ramp also seems to have stalled.

mittfh
Reply Icon

LastPass?

OK, so it stores your passwords on a remote site, which does make a SPOF, but they are stored with 256-bit encryption, which makes it less likely a brute force attack will find them.

It's fairly painless to set up and use on FireFox - it's also available for Chrome but the UI isn't as good, and it successfully detects the majority of username / password fields (although it struggles with Wikia - it detects but won't autofill the login popup). Although you access your passwords with a single password, it you're smart enough to be using the program you'll probably choose a fairly long master password anyway.

The program also has the ability to generate secure passwords - tell it how long you'd like the password and what characters the site allows (many still don't allow non-alphanumerics, and several impose a limit of <12 characters, with some only accepting 8 letter passwords!), and it'll generate a completely random password, which you don't need to remember because it remembers them for you.

Oh, and you can download the (encrypted!) file of passwords, so even if something untoward happens to lastpass.com, as long as you've got the extension you can still access your passwords.

Jason 24
Thumb Up
Reply Icon

Keepass

www.keepass.info 'nuff said.

Daniel B.
Boffin
Reply Icon

two of 'em, actually

There's the one that Bruce Schneier made, but I can't remember what it was called. I have a Blackberry, which has a "Password Locker" app; these are stored under a separate key from the one used for the rest of the BB, so you get a password for the app itself, and the crypto's pretty strong. I put there all my zillion passwords, and it's pretty good to date. Backing up also helps in case my BB ever gets stolen :)

Bill B
Pint
Reply Icon

Password wallets?

Use Ilium's eWallet .. runs on Windows, OSX, iPhone and Android. Has a password generator which I use. They say they use 256 bit AES encryption. Can back up the wallet and save it in multiple places.

Of course if I forget the 12 character password to the wallet I'm stuffed. Not looking forward to the day dementia kicks in.

Beer because my brain cells need it.

Anonymous Coward
Alert

This we know

There's a well-known credit card company of whom I am a patron. Some months ago they shortened the HTML form on their secure log-in area to 8 characters, saying that that was all that was allowed. This, despite my own password somehow managing to have been set substantially longer. I guess the HTML limitation wasn't consistent across the site.

I complained, saying that 8 characters was not enough. They denied that, claiming all was fine. Just last month they extended the password length again.

Well, I suppose it's a bit much to ask for an admission that their security was lacking in the first place!

Anomalous Cowherd
Reply Icon

Can better that

Had a similar one with a large Forex company who shall also remain nameless, but given you'd typically be putting 5 or 6 figure trades through it you would hope for security. Nope.

My favourite issue was the block on too many guessed passwords, which was done with... a cookie. Delete the cookie (or ignore it, as you might if you were an automated scanner) and you could retry at your leisure. Unsurprisingly I still make my forex trades by phone.

a1exh
WTF?

Longer time between password entries

Brute force password cracking is only as good (or as bad?) as the password entry system it is used with.

For example you could not brute force passwords below 12-digits (in a reasonable time frame) if you can only try once every 10 minutes after you've got it wrong 5 times in a row!

Chemist
Reply Icon

Re : Longer time between password entries

In fact you couldn't brute force it in a very long time, on average, even if you could try every MICROSECOND. I estimate ~50 million years to the half-way point.

adamsh
Stop
Reply Icon

Longer .... exponential back off

If you once got access to the encrypted pass phrase ......There are more ways to compromise your pass phrase.

Well known exponential back off might help, if one has to run a dump brute force attack, as those outdated will die it renders this old approach useless (Netware 3.12)....

best regards, HA

Anonymous Coward
Stop
Reply Icon

No million of years ---- some days ......

1) Not one per microsecond, but 256 per nanosecond, about 250.000 times more powerful.

2) Not eight bit, but six bit. Requires a just a billionth the effort to invert a pass phrase with sixteen characters.

3) Pass phrases allow attacks by methods based on statistics.

Everything written down in my own article ;->

best, Hans Adams

Anonymous Coward
Anonymous Coward
Reply Icon

Re : No million of years ---- some days .....

Are you seriously suggesting that a 'good' salted *ix password can be cracked in less than near geological time ?

Bruce Ordway

I'm not sure it's time to sound the alarm yet.... either

Why not spend more time figuring out who needs passwords.

For 90% of what I do I don't want or need a password.

I'd use a common 3 character password if I could, but...

Software and admins increasingly demand longer more complicated passwords AND that I change them regularly.

A big pain in the neck.

Mark Randall

Online Attack

Having things such as increasingly powerful graphics processors you can run CUDA crunching on is all very well and good, but kind of irrelevant in the context of web based attacks.

Consider a password which may be between 1 and 6 characters long, alphanumerics, giving a total of around 2 billion options, lets take another mathematical shortcut and ignore the missing digits from the smaller numbers and lets say that each option tried is 6 digits... so for each check you've got 6 digits, lets add 250 bytes for a decent sized HTTP POST header and presume that you're also going to need to send a 10 character login name and, while were at it, the fields will need to be identified so 'user=' and 'password=' add another 14.

That brings it to about 270,000,000,000 bytes to transfer or about 250 GB of upload to the server.

Lets presume that in order to know if you've succeeded in logging in or not you're going to need to receive the response, and for the sake of argument lets say your average webpage being about 15k totalling an additional 28 TB of bandwidth.

So all told you're talking about 28 TB of bandwidth to check all of the 6 character passwords for one user.

Now the question is, if you maxed out the bandwidth of a moderately sized server of the kind you may wish to attack without alarm bells going off all over the place due to the expensive DDoS and IDS protection you find on larger sites.. so let's say that's 10 mbyte/sec... about 3 million seconds to test them all or 30 days.

Using the assumption that somebody wouldn't noticing you sucking up 100% of their bandwidth for an entire month you then have to consider the poor server trying to check all of these details - running a password attack on an offline is all very well and good... but what is a server going to think when it's having its CPU burnt up by handling billions of extra page generations in ASP or PHP or whatever it may be.

Anyway, in summary, it is true that longer passwords are needed... but when you're dealing with websites, how many you can shove down the pipe to be processed by the server is much more important than how you generate the passwords in the first place.

Bullseyed
Reply Icon

Good Show!

And supposedly we're supposed to change the passwords every 30 days, so it could be that it would get changed before the attack even finished. And that is assuming best case scenario on the web page not noticing the attack.

C Yates
Happy
Reply Icon

You forgot the raptor pit and the crocodile on a rope!

=D

Anonymous Coward
Thumb Down

I'm confused...

Are we talking password encrypted files or online access?

A brute force attack against an online site should either be noticed, or hit the old 'you've exceeded the maxmimum number of logon attempts' threshold long before even the lamest of passwords is 'guessed'.

Now, of some has a copy of your laptop or other external medium, then yeah... make them take the better part of a day to crack in.

Marcus Aurelius
Pirate
Reply Icon

Yes but

...a way round this is to use the same password on every users account instead of going through all the passwords on a single users account.

Tom Chiverton 1

Yawn, wake me up later...

Until banks get a clue, I don't think there is much hope of much changing ...

http://rachaelandtom.info/gallery/v/falken-random/fail/broken8e.png.html

Anonymous Coward
Thumb Down
Reply Icon

So?

It's setting up a memorable word as the 3rd step in the process (if you're so upset, realise that subsequently they only ask you 2 letters from this word at login, even less "secure").

As I recall, Barclays are one of the best in terms of security. Bear in mind they're moving to 2FA with their PINSentry devices, and even before that they required your surname, user ID and password before getting to the "enter 2 letters" stage.

It's very easy to pick holes in a system if you only focus on one aspect.

Nuke
FAIL
Reply Icon

Re : So? (Anon)

"As I recall, Barclays are one of the best in terms of security"

Oh yes, like they sent a replacement bank card for my mother to an address from which she had moved 3 months earlier. They totally ignored her letter telling them the change of address because "anybody could have written it".

Annihilator
FAIL
Reply Icon

@Nuke

"They totally ignored her letter telling them the change of address because anybody could have written it."

Well, yes, you'd have been f***ing furious if they'd changed her address because some nefarious person had written to them. It used to be the most common way of defrauding an account back when I worked in a branch (yeeeaaars ago). Not to mention that relying on a letter sent (presumably) unregistered with no guarantee of delivery and assuming "job done" isn't the best technique for changing your address. I take heart in the fact that my bank (not Barclays) only lets me change my address in person or over the phone subject to the normal ID procedures.

Besides, I'm guessing the statement was about *online* security..

Anonymous Coward
Anonymous Coward

password file cracking

I occasionally have to do this sort of thing for audits / security checks and if you can get hold of the password file itself (from the local computer or from AD) then simple, free tools such as 0phcrack with the large dictionary (about 700MB) will pull out passwords of 12 unconnected characters in a few minutes. If you get hold of AD then you also get the last 5 or so changes so you can see the patterns people use when they have to change their password. I accept getting hold of the files in the first place may not be that easy, but once you have them you don't need a powerful computer or a long time.

Download a password liberator of your choice and and try it on your computer at home, you will be surprised at how easily your secure password can be exposed. Needless to say, don't try it at work unless you have permission to crack passwords or you know you are clever enough never to get caught.

Thad
Reply Icon

In fact,

Just check for obvious passwords.

back in the day when I thought (mad fool that I was, that most of the users in the office took passwords reasonably seriously, I tried a simple Unix password checker... only to be horrified at the freds and the condoms and so on...

Sergie Kaponitovicz

Probably preaching to the converted.....

.... but here goes.

Question:

How do you compose a long, and hard to brute-force, password for a particular website?

The Free Method

Answer:

1. Open up a simple word processor. Enter:

2. User Name: All symbols, e.g. (~(("}` Make this as long as the website allows.

3. Password. Think of something unique that associates you with that website (=memorable). Let's take online banking with Southern Sand Bank plc as an example.

Your own personal memory might be "I opened my account with Southern Sand Bank when we lived in Milton Keynes. It was in 1990; it's now bust". That translates into "IomawSSwwliMK.Iwi1990;i'snb"

Save the text file, then copy and paste the relevant strings into the registration page. Keep the txt file safe - job done.

The paid for, but cheap and convenient method:

Install 1Password (was Mac only, but now also Windows beta). Just use it straight out of the box. It's brilliant, and NO, I do not work for the company, and NO, I am not an affilliate!

RISC OS
Reply Icon

"IomawSSwwliMK.Iwi1990;i'snb"

And that's memorable?

Am I supposed to use this password everywhere or does each one of my 100 passwords have to look something like that?

Personally, I find my collegues passwords memorable: 88888888

even his gmail account uses it.

adrianrf
Reply Icon

Illegal account/password combination.

lol!

according to your mnemonic, you ain't getting in.

would

IomawSSBwwliMK.Iwi1990;i'snb

be what you meant, instead?

Anonymous Coward
Paris Hilton
Reply Icon

Memorable? Convenient?

This method of creating passwords is terrible. I'm probably preaching to the converted here, but obfuscated and complicated passwords are non-portable and unsafe. If you were to lose that file (Hard drive problems, your cat deletes the file, etc) then you've lost access to whatever it is you've password protected. Perhaps worse, if you find yourself on another computer, you're scuppered! I personally believe in a passphrase; several words forming a phrase - easy to remember, portable and can be stored in your head. You could even use several passphrases, based on the website or context in question. "I like to read El Reg!" would be an o.k. example.

Here's a site I stumbled upon earlier saying all this better and in more detail:

http://www.baekdal.com/tips/password-security-usability.

Paris: Because "That's hot" is her passphrase.

Page:

This topic is closed for new posts.