Size does matter: Outlook.com punters want meatier passwords

Microsoft has come in for a bit of stick in security circles for only allowing a 16-character password for sign-ups to Outlook.com, Redmond's newly launched Gmail rival. The service – which has already attracted more than a million sign-ups – has a maximum password length of 16 characters, the same as Hotmail.com and Windows …

COMMENTS

This topic is closed for new posts.

  1. tom dial Silver badge

    The security of long or complex passwords is overrated. Even for short passwords the probability of guessing a password randomly is low if only a few failed tries are allowed before the account is locked (source IP should be ignored for this). The guessing process becomes costly per account if a delay of several seconds is enforced after an unsuccessful attempt, especially if the few seconds occurs between the attempt and the failure notification and the notification provides no information to distinguish between failure to match an account at all and failure to give the correct password for an existing account. My previous employer required, at one time, 8 character passwords with a 62 character alphabet (UC, LC, Numeric, Special, two from each group), changed at least every 60 days. The account was locked on the third consecutive fail, requiring administrator intervention to unlock the account, and a new password was required at that time. The new password could not be any of the most recent 10 or have been valid during the previous 365 days and was failed if found in a password dictionary. By my reckoning, the probability of randomly guessing the password of a known account under these conditions is in the order of 1 in 10^13. The actual probability likely is several orders of magnitude larger, but still small enough to be ignored for many purposes.

    The risk that concerns me is that the provider might store the password hashes insecurely or worse store them reversibly encrypted or not encrypted at all, and that the file would fall into the hands of someone with technical skills and nasty intentions. For plain text or reversibly encrypted passwords, password length has no benefit in this case. For hashed passwords, and only those, is length of significance, and should be enough to make finding any account/password combination economically unfeasible.

    So I am leery of, and within reason avoid, services that

    (1) can tell me my forgotten password (and think twice about those who can tell me my forgotten userid);

    (2) respond in under several seconds if I make a mistake or respond to an error faster than a good login;

    (3) allow more than a small number of failed attempts;

    (4) do not require a new password after administrative action to unlock the account.

    I am much less concerned with required length or complexity, but do use more of each for such critical accounts as those with banks or credit card issuers.

    Am I wrong here?

  2. BristolBachelor Gold badge

    Sounds familiar

    A very long time ago, I had to have a MS account for access to some dev resources (I think it was for Wince). So I created the account fine, using a fairly long but not excessively so password, and then found that the website, ftp, dev program would only allow something like 8 chars, so I couldn't type it.

    At the end of the day though, history has shown that you just need to say you've lost your password and type in what you find looking on Google (ask Sarah Palin)

  3. Anonymous Coward

    Microsoft Procedure

    1. Release product

    2. Tack on security.

    3. Get people to say that, actually, this product can be very secure if it is configured properly.

  4. Neil Barnes Silver badge

    But the problem is probably not passwords

    but with a specific target, social engineering.

    I speak from experience: this last week, my octogenarian and infirm, though mentally alert, father was relieved of over fifty grand from his bank account... having been persuaded by the black hats to hand over sufficient information that they could extract the loot.

    Although he was bright enough to insist on calling the bank, the black hats hung across the line and he believed them when they said things were OK. They then managed to redirect his phone (I haven't worked out how they did that yet) so no-one, in particular the bank, could contact him until we arranged a neighbour to wander round.

    Irrespective of the complexity of his password, it wouldn't have stopped the attack.

    (He has the money back now, thanks to the bank, and some improved protocols which require him to call someone whose voice he recognises before calling the bank (or other alleged agency)).

  5. Smithson

    Wingdings?

    @Nomnomnom

    I have come to the conclusion that if you're "Head of Security for a medium sized firm", then I'm Head of Security for the Queen of Sheba.

    1. kissingthecarpet

      Re: Wingdings?

      He's got form - I think every post by him that I've seen has been a troll.

  6. Anonymous Coward

    "The length of a password is less important than its strength"

    This advice is just sooooo utterly wrong, but for some reason perpetuated by even corporate IT departments. What do you think takes longer to brute force hack?

    1"3$5Az@

    or

    thisisareallylongpasswordthatIcanremembereasilybecauseitsjustanormalphrase

    Hint: work out the number of unique combinations of upper/lower case letters, digits, and symbols in each case. Let this be n, in case 1 the answer is n^8 ... in step 2 it's n^75 (unless the attacker knows that it doesn't contain any symbols or numbers, but he'd have to know the password to know that, so that argument's FUD).

    This is also why people generally "salt" the stored versions of passwords ... to make them longer, not more complex.

    1. Annihilator

      Re: "The length of a password is less important than its strength"

      All of the above is true, if and only if the attacker was using a brute force using all ASCII characters, instead of a dictionary attack (with some combinations in your case) or rainbow tables which are much more common attacks.

      Plus you've also selectively picked your quote and ignored where the article points out that length is a factor of strength anyway.

      1. Anonymous Coward

        Re: "The length of a password is less important than its strength"

        Ok, so I can put a deliberate typo in somewhere and presumably thwart the dictionary attack.

        As for the rainbow table, the example I gave was 75 characters, including at least one upper case, so the rainbow table would have to cover at least 32 (26 lower case and 26 upper case) characters.

        Now let's forget about the fact that any sensible security scheme would have the passwords salted, so it's going to be even bigger than that. Also leave out character encoding complexities, and assume 1 character = 1 byte. Even in this very trivialised case, your rainbow table is going to take up 7.6957043352332967211482500195593e+100 terabytes, which seems to me to be a bit of a case of "good luck with that"*.

        Have I missed something?

        *Someone with more energy than me can feel free to correct me on that calculation!

        1. Annihilator

          Re: "The length of a password is less important than its strength"

          And you've posted an extreme example. "D£1A$?" would generally be seen as stronger than "twowords" despite the latter being longer.

  7. Oldfogey

    So who needs security?

    Over the last few days I have opened a number of accounts on Outlook.com.

    They all have the same simple password.

    This is because they are intended to be disposable accounts for websites that insist I join with an email ac in order to use their facilities or download something or buy something - you know the sort of thing.

    There is no link back to me, and as soon as one account starts getting too much spam or junk I will dump it. Who cares if it gets hacked?

  8. upsidedowncreature

    Passwords, hashing, salting...

    This talk of password hashing, salting etc has made me realise...when I log on to my bank's website, I'm asked for (say) the first, third and sixth letters of my password. This must mean they're storing the passwords in either plain text, or hashed in a reversible manner (is this the same thing as unsalted?). I'm no security expert so: is my conclusion correct and should I be concerned?

    1. JimmyPage Silver badge

      Re: Passwords, hashing, salting...

      It depends ...

      done *properly*, when the password is created, the app also creates a hashed code for each letter in the password. When you are prompted - it compares your input with the hash. Systems like this should be more secure, because even if you speak to an agent - you never give them your whole password (so they can't hightail it out back and hijack your account).

      However, you highlight one thing: once you have entered your password, and pressed "return" you have absolutely no idea what happens to it. Which is why you should NEVER reuse passwords.

      1. stanimir

        Re: Passwords, hashing, salting...

        @JimmyPage

        the app also creates a hashed code for each letter in the password

        That's absolutely useless - generating all the letters to match the hash probably takes one microsecond (incl. adding the salt, if present).

        1. Anonymous Coward

          Re: Passwords, hashing, salting...

          "generating all the letters to match the hash probably takes one microsecond (incl. adding the salt, if present)."

          So?

          My bank's attempt at this kind of thing locks you out after three or so consecutive failed attempts.

          In this set of circumstances, surely it's not the time it takes to generate the hash that matters, it's the chances of being right first time?

          1. Anonymous Coward

            Re: In this set of circumstances

            The secondary password fragments are just a fallback measure

            - to avoid keyboard sniffing by entering from a drop-down list, so if some automated attack has already uncovered your ID and password it still doesn't have access

            - to provide an extra variable, so some chancer looking over your shoulder (or watching a spycam) is left guessing.

            At least that's how my bank does it.

          2. Anonymous Coward

            locks "you" out after three or so consecutive failed attempts

            So anyone who can guess your user name can have you locked out, right?

            1. Anonymous Coward

              Re: locks "you" out after three or so consecutive failed attempts

              "anyone who can guess your user name can have you locked out, right?"

              Correct, but irrelevant in these particular circumstances.

              It's not an internet-only bank, it's a telephone and online bank. Their telephone service is open 24x7 (x365), and the telephone folk can quickly remove the lockout using a *different* set of security questions. I know, I've used the facility several times (usually a little while after routinely changing the password and then forgetting the new one).

              In a case where such independent re-authentication was not provided, an option might be to have a limited lifetime block of an hour or three. It'll sort itself out after a while, whilst still providing adequate security and adequate deterrent for most folk.

              Other more creative alternatives are possible, especially in an era where cellphones (and, increasingly, smartphones) are near ubiquitous.

              Now, where were we?

    2. stanimir

      Re: Passwords, hashing, salting...

      They can store multiple hashes on a randomly picked parts of the password. However if they ask just a few letters - it's all bad, there is some non-trivial chance to guess it.

    3. kissingthecarpet

      Re: Passwords, hashing, salting...

      That's that V by V shite. Here's a short explanation of why it's crap.

      http://www.links.org/?p=591
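The "hash each letter separately" scheme JimmyPage describes, and stanimir's two objections to it (a microsecond per letter offline, and a non-trivial guess rate online), worked through as an added example that is not from any poster or bank. The per-position SHA-256 store, the printable alphabet and the three-strikes lockout are assumptions made to illustrate the thread, not a description of any real system.

```python
import hashlib
import os
import string

# Assumed alphabet a customer could type into a "letter 1, 3 and 6" prompt: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _h(salt: bytes, pos: int, ch: str) -> str:
    """One salted SHA-256 over a single character and its position (hypothetical scheme)."""
    return hashlib.sha256(salt + pos.to_bytes(2, "big") + ch.encode()).hexdigest()


def store_per_position(password: str) -> list[tuple[bytes, str]]:
    """Per-letter hash store: a fresh 16-byte salt and one digest for each character."""
    stored = []
    for pos, ch in enumerate(password):
        salt = os.urandom(16)
        stored.append((salt, _h(salt, pos, ch)))
    return stored


def check_positions(stored, positions, answers) -> bool:
    """Bank-style challenge: verify only the requested 1-based positions, nothing else."""
    return all(_h(stored[p - 1][0], p - 1, a) == stored[p - 1][1]
               for p, a in zip(positions, answers))


def recover_offline(stored) -> tuple[str, int]:
    """Cost to anyone holding the store: at most len(ALPHABET) hashes per position,
    because each digest commits to a single character. Returns (password, hashes tried)."""
    out, tries = [], 0
    for pos, (salt, digest) in enumerate(stored):
        for ch in ALPHABET:
            tries += 1
            if _h(salt, pos, ch) == digest:
                out.append(ch)
                break
        else:
            out.append("?")  # character outside the assumed alphabet
    return "".join(out), tries


def online_guess_odds(n_positions: int, alphabet_size: int = 26, tries: int = 3) -> float:
    """Chance a guesser limited by a three-strikes lockout answers an n-letter prompt,
    assuming uniformly random lower-case letters (real passwords do worse)."""
    return tries / alphabet_size ** n_positions


if __name__ == "__main__":
    store = store_per_position("correcthorse")  # constructed sample password
    print(check_positions(store, [1, 3, 6], ["c", "r", "c"]))  # True
    print(recover_offline(store))  # full password back after a few hundred hashes
    print(f"3-letter prompt, 3 tries: 1 in {1 / online_guess_odds(3):.0f}")
```

The whole-password hash is only as good as the weakest thing the store commits to; a per-character digest is a 94-way multiple-choice question, and the salt only stops precomputation, not enumeration.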

  9. PaulR79

    Lots of sites add to the problem

    I have a random selection of passwords I use when joining sites and I sigh heavily when I enter a password only to be told that my password must "contain numbers and letter only". If you ignore that you then run into some stupidly short 'maximum' length at around 16 characters. Remembering different passwords over numerous sites is hard enough without having to shorten what you might use on some sites.

    1. Anonymous Coward

      Lastpass ?

      Generates passwords for you and you can set rules ... minimum length, no repeated characters, must include upper case, number, lower case, punctuation, etc

      and it's free.

      1. PaulR79

        Re: Lastpass ?

        I do use Lastpass. There are a few sites you will never want to allow it remember though such as banking, credit card verification etc. I'm also a bit wary of trusting something completely when all passwords are stored in one place like Lastpass.

  10. Anonymous Coward

    nsandi.com

    What about silly places that require the password to be between 6 and 8 characters long?

    Talk about limiting the range of required tests for password guessing.
