Who needs hackers? 'Password1' opens a third of all biz doors

Hundreds of thousands of hashed corporate passwords have been cracked within minutes by penetration testers using graphics processing units. The 626,718 passwords were harvested during penetration tests over the last two years conducted across corporate America by Trustwave infosec geeks. The firm's threat intelligence …

  1. Michael H.F. Wilkinson Silver badge
    Facepalm

    No real surprise, really

    Whenever I let my laptop, tablet, or phone look for WIFI networks I am amazed at the sheer number of people who still have Linksys or some similar default as their network name. You just know that the majority of these will still have the default password on them.

    I never try to enter, however tempted I am, not really because I am virtuous (yeah, right), but more because I cannot be bothered, and besides, who knows whether these people have not been infected by some horrible malware which might bite my system.

    1. BenR

      Re: No real surprise, really

      And how much do people want to bet the next most common password is 'Swordfish'?

      1. Triggerfish

        Re: No real surprise, really

        It's always swordfish, works with every secret society as well.

  2. Anonymous Coward
    Anonymous Coward

    Have you got a link for the studies that show regular password resets are a bad idea? It would be very useful.

    1. Anonymous Coward
      Anonymous Coward

      Resets?

      Anecdote: I use relatively weak passwords because I have too many systems which require regular resets.

      The systems which only require a reset every 12 months or so get much better passwords...

      1. Valeyard

        Re: Resets?

        When I worked for a horribly by-the-book corporation that changed passwords every 30 days all that happened after a while was the numbers and symbols at the end of the password got shifted to the right of the keyboard by 1 key...

        At the other end of the scale if I see a website signup page berate me for daring to include a symbol in my password or for exceeding 8 characters I go elsewhere.

        1. Anonymous Coward
          Anonymous Coward

          Re: Resets?

          Yeah, me too more or less, but I would like something that a manager might notice.

        2. J.G.Harston Silver badge

          Re: Resets?

          For ages I was getting thrown off my online debit card payment system for no stated reason, until I realised that it imposed a 12-character limit to the password and never told me that "fredandjimsmith" was not an acceptable password BECAUSE IT WAS TOO STRONG.

          1. A Non e-mouse Silver badge
            Thumb Down

            @ J.G.Harston Re: Resets?

            I use a password manager to generate passwords and I couldn't understand why the Inland Revenue wouldn't accept my new password: It was complaining it was too weak.

            After reducing the length and removing symbols the Inland Revenue finally accepted the password.

            The Inland Revenue was rejecting my passwords because they were too strong, not because it was too weak!

            1. Tim 11

              Re: @ J.G.Harston Resets?

              The worst offender I've found here is fasthosts (this was a few years ago and I wouldn't be surprised if they've fixed it now). The "change password" form allowed me to set a password with punctuation characters, but the login form did not allow me to log in using such a password - D'oh!

              1. breakfast Silver badge

                Re: @ J.G.Harston Resets?

                Twitter was the same when I first signed up...

          2. Chris Miller

            @J.G.Harston

            The reason for the limitation on Visa (and other) operators is that they use the 'verified by Visa' system that asks you for the 2nd, 7th and 10th character of your password, with the actual ordinals changing randomly each time. They go up to a maximum of 12*. It's intended to make life more difficult for key loggers, shoulder surfers etc.

            More generally, the reason for forcing passwords to change regularly is to limit the damage when (not if) one of them 'leaks'.

            * not an unreasonable limit. If you allowed (say) 30 character passwords, the chances of most people being able to correctly identify which is the 23rd character of their password is slim.

            1. Allan George Dyer

              Re: Chris Miller Re: @J.G.Harston

              Which is one more reason why 'verified by Visa' is bad.

              1. mark 63 Silver badge

                Re: Chris Miller @J.G.Harston

                Surely visa could allow longer passwords and then just quiz you on the first 12 characters?

              2. Anonymous Coward
                Anonymous Coward

                Re: Chris Miller @J.G.Harston

                Re: Chris Miller Re: @J.G.Harston

                Which is one more reason why 'verified by Visa' is bad.

                It's not an unreasonable system, because the partial matches also prevent operators from mining your entire password. You could argue about the length, but remember that people generally have to do this off the top of their heads and the potential for user error thus increases, and thus the possibility that users abandon the security measures altogether.

            2. Anonymous Coward
              Anonymous Coward

              Re: @J.G.Harston

              > asks you for the 2nd, 7th and 10th character of your password

              I have to use a system with a similar approach, 3 randomly-selected numbers from a 6-digit PIN. Since I use the system once every few months, and never type the whole PIN, it never "sticks" in my mind. So (you guessed) I keep it on a post-it in my wallet. Not helpful.

              1. Anonymous Coward
                Anonymous Coward

                Re: @J.G.Harston

                > asks you for the 2nd, 7th and 10th character of your password

                The fact that they can validate the individual characters means that they hold the password in a way which is not one-way hashed -- that is pretty bad practice by any standards even if the plain-text password is stored in encrypted form.

                1. Nigel The Pigeon

                  Re: @J.G.Harston

                  "The fact that they can validate the individual characters means that they hold the password in a way which is not oneway hashed"

                  Not necessarily. They could store all combinations of 3 chars of your password pre-hashed.

                  Which on a 12 digit password is.... 12! / (3! (12 - 3)!) ....only 220 hashes!
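Nigel The Pigeon's scheme, worked through as an added example (my code, not anything from Visa, The Register or the commenters): enrol a password by storing one salted, position-bound hash per three-position subset (220 of them for 12 characters), answer a "2nd, 7th and 10th" style challenge against those hashes, and estimate how little each stored hash protects. The 12-character cap, the three-character challenge, the PBKDF2 parameters and the sample password are all assumptions made for the demo.

```python
import hashlib
import hmac
import itertools
import os
import secrets

# Assumed demo parameters (not from the thread or from any card scheme):
PASSWORD_MAX = 12       # the 12-character cap mentioned by Chris Miller
CHALLENGE_LEN = 3       # characters requested per login ("2nd, 7th and 10th")
KDF_ITERATIONS = 2_000  # deliberately low so the demo runs quickly
ALPHABET_SIZE = 95      # printable ASCII, used only for the search-space estimate


def position_subsets(length: int, k: int = CHALLENGE_LEN) -> list[tuple[int, ...]]:
    """All k-subsets of 0-based positions: C(12, 3) == 220 for a 12-character password."""
    return list(itertools.combinations(range(length), k))


def _digest(salt: bytes, positions: tuple[int, ...], chars: str) -> bytes:
    # Bind the hash to the positions so the same three letters at other
    # positions hash differently; the per-user salt separates users' records.
    label = ",".join(map(str, positions)).encode() + b":" + chars.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", label, salt, KDF_ITERATIONS)


def enrol(password: str) -> dict:
    """Store one salted hash per position subset instead of the password itself."""
    if not CHALLENGE_LEN <= len(password) <= PASSWORD_MAX:
        raise ValueError(f"password must be {CHALLENGE_LEN}..{PASSWORD_MAX} characters")
    salt = os.urandom(16)
    hashes = {
        positions: _digest(salt, positions, "".join(password[i] for i in positions))
        for positions in position_subsets(len(password))
    }
    return {"salt": salt, "hashes": hashes}


def challenge(record: dict) -> tuple[int, ...]:
    """Pick the 0-based positions to ask for; a UI would show them 1-based."""
    return secrets.choice(list(record["hashes"]))


def verify(record: dict, positions: tuple[int, ...], answer: str) -> bool:
    """Check the characters supplied for the requested positions, in constant time."""
    expected = record["hashes"].get(tuple(positions))
    if expected is None or len(answer) != len(positions):
        return False
    return hmac.compare_digest(expected, _digest(record["salt"], tuple(positions), answer))


def per_hash_search_space(alphabet_size: int = ALPHABET_SIZE, k: int = CHALLENGE_LEN) -> int:
    """Candidates an attacker holding the record must try per stored hash."""
    return alphabet_size ** k


if __name__ == "__main__":
    record = enrol("fredandjims1")        # constructed 12-character sample
    print(len(record["hashes"]))          # 220
    asked = (1, 6, 9)                     # 0-based for "2nd, 7th and 10th"
    print(verify(record, asked, "rdm"))   # True
    print(per_hash_search_space())        # 857375
```

The stored values are genuinely one-way, which answers the objection above, but each of them commits to only three characters: whoever obtains the record has at most 95^3 = 857,375 candidates to try per hash, whatever the KDF cost, so the protection the hashing adds is modest and the scheme should be judged on that basis.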

            3. AndrueC Silver badge
              Facepalm

              Re: @J.G.Harston

              It's intended to make life more difficult for key loggers, shoulder surfers etc.

              And it fails miserably where I'm concerned. It seems I rely on finger memory for passwords and being asked for characters in random positions just doesn't work. I get round it by firing up Notepad and typing the password with the digits underneath.

              Oh and my VbV password is 14 characters long. I know because after 0 to 9 I have to repeat 1 to 4 :D

            4. J.G.Harston Silver badge

              Re: @J.G.Harston

              My Yorkshire Bank account has an 18-character case insensitive, no forced gobbledegook password, and I can always remember all 18 characters when it asks for a small random subset of them, because I can spell.

              1. Primus Secundus Tertius

                Re: @J.G.Harston and spelling

                I remember a work account used by a small group. After the password was set to 'pterodactyl' the non-spellers objected. These people were graduate engineers.

                1. Alan Brown Silver badge

                  Re: @J.G.Harston and spelling

                  "After the password was set to 'pterodactyl' the non-spellers objected"

                  Just for them I would have set it to "antidisestablishmentarianism"

                2. Irony Deficient

                  pterodactyl

                  Primus Secundus Tertius, of course the graduate engineers objected — they knew perfectly well that a word meaning “1000 gigadactyls” would have a “tera-” prefix.

                3. Number6

                  Re: @J.G.Harston and spelling

                  'Pterodactyl' should have been replaced by 'floccinaucinihilipilification' just to show that the IT department was listening to their complaints. It's what any good BOFH would have done.

              2. AndrueC Silver badge

                Re: @J.G.Harston

                because I can spell.

                But one of the cornerstones of avoiding a dictionary attack is to not spell things correctly. My passwords aren't in any dictionary precisely because they aren't spelt correctly ;)

                1. Anonymous Coward
                  Anonymous Coward

                  Re: @J.G.Harston

                  My passwords aren't in any dictionary precisely because they aren't spelt correctly ;)

                  This is the first time I've seen an inability to spell correctly advertised as a benefit - well done.

                  :)

          3. Roland6 Silver badge

            Re: Resets?

            Re: "12-character limit to the password and never told me that "fredandjimsmith" was not an acceptable password "

            Yep, come across several of these sites over the years, they don't tell you at time of password setting that the password you've chosen is too long, leaving you to pull your hair out guessing what has gone wrong and then trying to rectify the problem...

        3. Tom 35

          Re: Resets?

          You can tell how long a sale person has worked for a company by the size of the number on the end of their password.

    2. David L Webb

      http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

      explains why frequently changing passwords doesn't do much good by showing how useless it is at countering each of the modern threats to passwords. The policy of changing passwords once a month made sense when the main threat was someone stealing the encrypted password file and then spending a month to crack the passwords but it doesn't make sense nowadays.

      1. Chris Miller

        @David L. Webb

        Interesting article, and thanks for the link, but I don't entirely agree. The critical bit is:

        If any of the other attack methods succeed, the password needs to be changed immediately to be protected—a periodic change is likely to be too late to effectively protect the target system.

        There's some truth to this, but the biggest problem with passwords as opposed to more secure (and more expensive) methods of authentication is that you can 'lose' it without knowing that you've lost it. Periodic password changes are a long stop to catch such cases. I would argue that if your security requirements are such that immediate action is vital, passwords alone are the wrong authentication method.

    3. Uffish

      Anecdote

      Not a big sample but where I worked the "obligatory regular password changes" resulted in about a third of the passwords being written on a post-it stuck to the bottom of the keyboard or laptop.

      I couldn't believe it until I checked one evening after working late. The regular change policy didn't last, probably because IT staff got tired of people moaning that they had lost their post-it. Mind you, I checked again later and a lot of the post-its were still there.

      1. Keith Langmead

        Re: Anecdote

        "I couldn't believe it untill I checked one evening after working late. The regular change policy didn't last, probably because IT staff got tired of people moaning that they had lost their post-it. Mind you, I checked again later and a lot of the post-its were still there."

        That's not just with regular changes, I've seen that with users when they only get changed once a year. My solution (after telling them that wallets were fine, just NOT under the keyboard), go round at night, remove the post-its, and reset the password to something longer. Wait a few days and repeat. People eventually got the idea.

      2. Alan Brown Silver badge

        Re: Anecdote

        We tell people that if we find a postit, they'll have to submit a handwritten letter acknowledging breach of company policies in order to regain access - and that letter will be held on file until they leave the outfit.

        Postit sweeps generally come up clean - People are actually pretty good at keeping pieces of paper secure if there's an incentive to do so - look in any wallet for those ones with pictures of the Queen to see what I mean.

        The funny thing is that "goodluckguessingthispassword" is far easier to remember than "5aHB$a%W" as well as being significantly more secure - so encouraging people to use phrase-based passwords is a good policy.

        Having said that, our random phrase generator has come up with "KillAllJews" and such gems as "TennisCorruptionScandal" during Wimbledon week...

      3. ps2os2

        Re: Anecdote

        To keep this short and to the point I have a disability that impairs my short-term memory.

        The hospital where I have all my testing done has now gone to a system which requires a 10 character password and upper/lower case and several numbers. I simply cannot remember this password. I told them so and it bounced off like teflon. I simply asked to have my record deleted and to mail me all information that they wanted me to have. I have not heard from them since (other than my ID being deleted). I hope I am not missing any important information.

        I suspect their system doesn't handle it well to have the ID deleted.

    4. Robert E A Harvey

      Anecdotally

      In my case it has led to me keeping an ascii file of all the business software passwords I use on my phone.

  3. Crisp

    Password fields need to be bigger.

    I have to truncate most of my favourite pass phrases in order to use them as passwords.

    1. Cliff

      Re: Password fields need to be bigger.

      The other problem is the word 'password' - if we IT savvy people start using the word 'passphrase' consistently instead, more people would understand that punctuation and spaces are allowed, and even welcomed, than trying to fit numbers, characters into a 'word' and still remember it.

      1. Fred Flintstone Gold badge

        Re: Password fields need to be bigger.

        The other problem is the word 'password' - if we IT savvy people start using the word 'passphrase' consistently instead, more people would understand that punctuation and spaces are allowed, and even welcomed, than trying to fit numbers, characters into a 'word' and still remember it.

        Yes and no - the problem is that many outfits actually do NOT permit the use of pass phrases, which is IMHO close to idiotic (and/or damn lazy coding). I agree with the use of pass phrases.

        I much prefer pass phrases for users, because you can make dreaming up a good pass phrase fun, which aids memorisation and recall (as it's one of the key techniques for memorising anyway) and thus prevents people writing things down.

        1. Ragarath

          Re: Password fields need to be bigger.

          Passphrases are what I advocate, the annoying thing with Active Directory is that you cannot create your own password requirements without a third party application.

          I want to specify that the users must have at least five unique words separated by spaces and a mix of upper and lower case (Numbers and symbols are allowed but not required). But to allow this you need to turn off the complexity requirements. I have found that people tend to forget if they used a 0 or an o in this word (same with the other common swaps) and so just using letters makes more sense.

          The same is true with a lot of online logins, they need to allow more options.

          1. NogginTheNog

            Re: Password fields need to be bigger.

            Good points, though in defence of AD I do like the fact it allows the space character in passwords. That's something many online systems would throw a hissy fit at!

            1. Alan Brown Silver badge

              Re: Password fields need to be bigger.

              "Good points, though in defence of AD I do like the fact it allows the space character in passwords. "

              Even unix DEScrypt allowed spaces in passwords.

              If online systems are throwing a hissy fit that's a damning indictment on the quality of the person who wrote the module - far too much shite in websites is based on people making assumptions about standards rather than actually reading them.

          2. Alan Brown Silver badge

            Re: Password fields need to be bigger.

            The standard unix PAM complexity checker has a great set of rules which support using long lowercase passphrases and require increasingly Byzantine character combinations if people insist on using short passwords. (Under 10 characters can be tuned to require at least one from each of A-Z a-z 0-9 and symbols WITHOUT the common 37337 letter/number substitutions.)

            It can also suggest random passphrases (the default used to be 3 words, but that's changeable - 3 is no longer "strong enough")

            http://www.openwall.com/passwdqc/

      2. Tim 11

        Re: Password fields need to be bigger.

        One nice trick is to have a space at the end of the password - even if someone finds it written down or sees the plain text on your screen they're unlikely to be able to use it :-D

        1. veti Silver badge

          Re: Password fields need to be bigger.

          And the reason why all these things don't work is nothing to do with lazy coding, or gullible management suits. It's to do with testing.

          The basic exchange goes something like this:

          Tester: "What's the maximum length and character restrictions of a password field?"

          Manager: "From 12 to 4,294,967,295 characters length, 256 valid characters to choose from."

          Tester: "OK, that'll take about... four years to test. Assuming a team of six, with full-time engineering support."

          Manager: "Four YEARS!?"

          Tester: "Well, first we have to generate valid passwords of several different lengths. Then make subtle variations on each one - characters transposed, whole words transposed, upper/lower case, varying amounts and types of whitespace, and about three dozen other variations I haven't even thought of yet. Then we need to enter all of them in several different ways - typing, Swyping, pasting from clipboard, entry from imported file, interface from 'ShIT' portal. Then Sam, she's hot on this sort of thing, will try to generate hash collisions..."

          Manager: "You've got two people, and three weeks to test the whole site from soup to nuts."

          Tester: "OK, then we can test passwords with a range of 8-12 characters, letters and numerals only, case-sensitive. If you'll give us an extra day, we can even let it reject common dictionary words and phrases with one or two added characters and try the hash-collision thing."

          Manager: "No extra day!"

      3. Swarthy
        Thumb Up

        Re: Password fields need to be bigger.

        Obligatory XKCD (We were all thinking it)

        1. badger31

          Re: Password fields need to be bigger.

          <rant>

          I've always had a problem with the maths of that particular cartoon. It treats each word as a series of characters (plus common substitutions), but he actually states that the passphrase be FOUR COMMON WORDS. Even if you tried all combinations of the top 2000 words, that's only 2000^4 = 1.6e+13 combinations. OK, that's only a smidge less than his 2^44 (1.8e+13), but I could easily prune that search tree with simple heuristics and word ordering. (I'm actually tempted to try this!). If the password is 8 random visible characters, that's 95^8 (6.6e+16).

          I type in my login many, many times a day, so it needs to be as quick to type as to remember. No way I'm having a 25 digit password no matter how easy to remember. The only use for this I can think of is that 'verified by visa' bollocks, which won't allow it anyway. Every time I need to use that, I can't remember my password, and every possible variation of my memorable passwords has already been used, apparently, leaving me with no choice but to set a new password every time, with even less likelihood of me remembering it. And all that is needed to change the password is my card details and my DoB, so some thief with my wallet would have no problem.

          Anyway, my main point is that a sufficiently random 8 digit password will be hard to crack, and if you use it enough, your fingers will remember it, even if you don't.

          Oh, and password managers are just a pointless single point of failure (that could go 'tits-up' [http://www.theregister.co.uk/2014/08/12/lastpass_outage/]), and if someone hacks that password, they own you, bitch.

          And besides, who the fuck cares what your facebook or twitter password is? Generally speaking, the login password is not the weak link; unless you're a moron with a password like 'password1'

          I could go on, but ...

          </rant>

          1. AndrueC Silver badge
            Joke

            Re: Password fields need to be bigger.

            Password restrictions.

    2. Alan Brown Silver badge

      Re: Password fields need to be bigger.

      "I have to truncate most of my favourite pass phrases in order to use them as passwords."

      MD5 or SHA(anything) based hashers allow at _least_ 127 characters.

      Anything which is arbitrarily restricting the number of characters to a small number is indicative of a poor hashing algorithm. (14 is an indication of MS LanMan, which has a poor crypting AND is reversible. Good hashing algorithms are one-way operations.)

  4. cracked

    Two factor ...

    The problem is that 18 years will - presumably? - be half that time in 18-months. And then in another year and a half, half that again. Once 8-character passwords were considered more than strong enough ... now it's what, 20+?

    By 2030 everyone will need a chapter from their favourite novel (in reverse) in order to get back to the 18 years crack-time.

    --------------

    A second problem is that it isn't only a password securing an account. But because way too many websites at least imply - if not insist - that an email address is also your username, very many people use the same address across multiple sites.

    In the example in the article, if even the non-phonetic password was coupled with a user-name unique to that site, the time to crack would be much higher (if, in the real world, cracking was attempted at all?).

    1. Allan George Dyer

      Re: Two factor ...

      No, the username is NOT securing anything. It is an identifier, and not secret. It isn't hidden when you type it in, there is no expectation of secrecy.

      Actually, I find it convenient to use an email address as a username. It is guaranteed to be globally unique, and I don't have to remember that I was adyer1234 on site A and adyer4567 on site B. If I'm worried about spam, I use companyname@mydomain.com and I get a clue who resold my address.

      If we want to be secure, we need to insist on using 2048 bit RSA for logins instead of passwords.

      And your title? If you are suggesting that you wrote anything about Two Factor Authentication, you are wrong. A username + a password is a single factor: something you know. Two factor is any two from Something you Know, Something you Have, Something you Are.

      1. DanDanDan

        Re: Two factor ...

        What's the difference between Something you Have and Something you Are? [serious]

        1. breakfast Silver badge

          Re: Two factor ...

          I have soul but I'm not a soldier.

          1. Swarthy

            Re: Two factor ...

            I have soul but I'm not a soldier.

            I was a soldier, but had no soul. Then I quit and got my soul back. I think the Sergeant was holding it for safe keeping.

        2. Swarthy

          Re: Two factor ...

          A token (RSA-type updating code, chipped card, a key, etc) is something you have, a biometric (fingerprint, iris/retina scan, DNA sample) is something you are.

          1. DanDanDan

            Re: Two factor ...

            I have fingers, irises, retinas and DNA in my cells... Looks like something I have rather than something that defines me. I think I'm being overly pedantic here though.

        3. John Robson Silver badge

          Re: Two factor ...

          You can lose something you have (or have it stolen)

          So a thief could steal my RSA token, and maybe beat the PIN out of me. But they'd need to go towards GBH to get my vein patterns (seems to be the in vogue biometric) - or just take me with them.

          Both of those are harder than just nicking a token/swipe card.

          1. Charles 9

            Re: Two factor ...

            So they just develop a portable biometric scanner. They can use a putty or jelly to snag your fingerprint, a syringe to get blood for DNA. Pretty sure they can whip up a vein scanner eventually. Put it this way: something you are may as well be something you have, for anything we can whip up to detect a live presence, someone else can whip up to simulate said presence.

  5. J.G.Harston Silver badge

    Users are failing to meet imposed complexity requirements because those complexity requirements are wrong. I remember my password as (eg) "fred and jim smith". Not capital-eff are three dee ampersand jay exclamation mark em five em one tee aitch but fred smith, and the system should b*****y well accept "fred and jim smith".

    1. monkeyfish

      The other issue is over-zealous password rules for non-important sites. I tried to sign up for electronics stack exchange the other day, and it insisted on 8 unique characters, a mixture of upper and lower case, and numerals. And that's for a bloody forum, not a financial transaction in sight.

      So my normal longish pass phrases were not accepted, but Password1 would be fine. Whoop.

  6. Pete 2 Silver badge

    Choosing better heslos

    > across corporate America

    Where, presumably the passwords are all created on a QWERTY keyboard and use anglicised spellings. (Or should that be anglicized?)

    I wonder how much harder these guys would have found it to crack passwords in the other 95% of the world where words have letters not found in American: for example ñ and "password" might translate as senha or contraseña.

    Maybe the "secret" is to employ multi-lingual systems administrators. Who says off-shoring is always a bad idea?

    1. Alan Brown Silver badge

      Re: Choosing better heslos

      I recall having quite vociferous complaints from certain "non-anglo" users that the password system wouldn't let them set common Arabic or Hebrew words/phrases. They took this as a personal affront.

      This was despite being informed that they weren't allowed to use dictionary words. (Including a science dictionary unearthed several users using pi, E, Avogadro's constant and Prime/Fib sequences)

  7. graham_

    Your password has expired, please change it

    OK.. Password2

    1. Primus Secundus Tertius

      Re: Your password has expired, please change it

      I did that at one place I worked. Not with 'Password', though. More like 'Fred'.

      Why pick on Fred? Look where the letters are on a US/UK keyboard.

  8. Anonymous Coward
    Mushroom

    It's all down to the stupid....

    ...complexity rules.

    Password1 = Strong

    Password1! =Amazing

    bfvjiegh iervieruvierhverv vheriov erohvuioheruiaf hferhjvgfi9erhj vgeiohbvgerh9hbgoeriho rehbverhboisjvonsdonv dosnvo = Fail

    Don't blame the users, blame the stupid policies.

    1. John H Woods Silver badge

      Re: It's all down to the stupid....

      Why not just have this list as part of your complexity rules? In addition to your complexity rules, why not just have a list of (hashes of) forbidden passwords? I reckon the best possible strategy is to allow users to choose anything but to regularly run password crackers on your own user database. Anyone whose password is cracked has to change it.
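A check of the kind John H Woods proposes, as an added example (my code, not the commenters' or The Register's): a hashed list of forbidden passwords consulted before the complexity rule that the post above mocks ("Password1 = Strong"), with the five-unique-words passphrase rule Ragarath described earlier as an alternative route to acceptance. The banned list, the trailing-digit normalisation that maps "Password2" back to "password", and the exact complexity thresholds are my assumptions.

```python
import hashlib
import re

# Constructed sample list; a real deployment would load a large breach-derived list.
BANNED_PASSWORDS = ["password", "swordfish", "letmein", "qwerty", "fred"]


def normalise(password: str) -> str:
    """Fold case and strip trailing digits/symbols, so 'Password2!' maps to 'password'.

    This normalisation is an assumption of the demo; it targets the
    'Password1 -> Password2' habit described further up the thread.
    """
    return re.sub(r"[\d\W_]+$", "", password.casefold())


def banned_hash(value: str) -> str:
    # The list is public words, so an unsalted SHA-256 is enough: the aim is
    # only to avoid keeping a ready-made cleartext wordlist on the server.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_banned_set(words) -> set[str]:
    """Hash the normalised form of every banned word."""
    return {banned_hash(normalise(w)) for w in words}


def is_banned(password: str, banned_set: set[str]) -> bool:
    return banned_hash(normalise(password)) in banned_set


def complexity_ok(password: str) -> bool:
    """The conventional rule the post above mocks: 8+ chars, upper, lower, digit."""
    return len(password) >= 8 and all(
        re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"\d"))


def passphrase_ok(password: str) -> bool:
    """Ragarath's rule: at least five unique words separated by spaces, mixed case."""
    words = password.split()
    return (len({w.casefold() for w in words}) >= 5
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password))


def evaluate(password: str, banned_set: set[str]) -> str:
    """Banned list first, then accept either a complex password or a real passphrase."""
    if is_banned(password, banned_set):
        return "rejected: on the banned list"
    if complexity_ok(password) or passphrase_ok(password):
        return "accepted"
    return "rejected: too simple"


if __name__ == "__main__":
    banned = build_banned_set(BANNED_PASSWORDS)
    for candidate in ("Password1", "Password2!", "correct horse battery staple",
                      "Correct horse battery staple white"):
        print(f"{candidate!r}: {evaluate(candidate, banned)}")
```

"Password1" satisfies the complexity rule and is still rejected, which is the point of the banned list; "correct horse battery staple" fails both the complexity rule and the five-word rule, which is exactly the complaint several posters make about such policies.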

      1. Vic

        Re: It's all down to the stupid....

        regularly run password crackers on your own user database

        I once ran John the Ripper against a machine I looked after.

        I started the app in one terminal, switched to another, and looked at the log. It had already cracked 22 passwords :-(

        I managed to get the IT manager of that organisation to have a mini-rant at his users, but none of them changed their passwords...

        Vic.

        1. Charles 9

          Re: It's all down to the stupid....

          And the boss couldn't threaten to dismiss them?

          1. Vic

            Re: It's all down to the stupid....

            And the boss couldn't threaten to dismiss them?

            What, and create the opportunity for "PHB in gives-a-shit security shocker" tabloid headlines?

            That's not going to happen...

            Vic.

  9. roselan
    Childcatcher

    meanwhile

    Market price for stolen credit cards number, email addresses, and password lists are at an all time low.

    I look forward for the day when I will use such service to retrieve my own forgotten password.

  10. Ashton Black

    Any excuse..

    To post this xkcd toon. http://xkcd.com/936/

  11. Jim 59

    Correct horse battery staple

    Software authors need to update their code to allow passwords of the above variety, and quick. This "R3g1st3r" stuff is no more.

    'N^a&$1nG' could be cracked in approximately 3.75 days using one AMD R290X GPU

    Lol. Security fluffers always quote these times assuming 1000 guesses per second or whatever, without mentioning that 1 guess per second is the internet reality, moreover imposed by the target system. Also, I assume Trustwave are all in jail now? Or did they not really hack 600000 real passwords?

    1. Anonymous Coward
      Anonymous Coward

      Re: Correct horse battery staple

      Agreed, these results are only achievable when a list of passwords has been hacked and can be analysed offline. Websites could easily apply login delays, or timed lockouts to reduce brute-force attacks.

      But when a list of passwords is stolen, the time required to brute-force comes down to the complexity of the hashing algorithm used. So as processing power increases, it's the hashing algorithm which needs to adapt, not the password strength.

      1. Jim 59

        Re: Correct horse battery staple

        Hi AC, agree if the crims manage to steal a list of hashed passwords they can brute force offline. Some posters say that that, combined with Moore's law, will eventually make all passwords risky but it ain't so. The entropy of a CHBS can easily increase faster than CPU speeds.

        For example, if today's GPUs can brute force "correct horse battery staple" in 550 years at 1000 guesses per second, then in 20 years time they will do it roughly 1000 times quicker, reducing the time to 6 months or so. However, just by adding 1 more word - "correct horse battery staple white", you multiply the whole lot again by 2048 (if you are selecting from a list of 2048 words), adding another 11 bits of entropy and extending the compute time again from 6 months to over 1000 years.

        In 100 years you will need 9 words in that CHBS password...
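Jim 59's arithmetic, carried through as an added example (not code from the thread): bits per word from a 2048-word list, worst-case exhaustive-search time at a given guess rate, the "1000 times quicker in 20 years" scaling, and the smallest word count that keeps a target crack time. The 1000 guesses/s figure and the 1000x-per-20-years factor are the commenter's assumptions, reproduced here; the guess rate is a parameter because offline rates against fast unsalted hashes are many orders of magnitude higher, as the article's own cracking results suggest.

```python
import math

WORDLIST_SIZE = 2048      # the commenter's list size: log2(2048) == 11 bits per word
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from the list."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(words: int, guesses_per_second: float,
                     wordlist_size: int = WORDLIST_SIZE) -> float:
    """Worst case: the attacker tries every combination (the average is half this)."""
    return wordlist_size ** words / guesses_per_second / SECONDS_PER_YEAR


def speedup_after(years_elapsed: float, factor_per_20_years: float = 1000.0) -> float:
    """Assumed growth in guess rate, matching the '1000 times quicker in 20 years' figure."""
    return factor_per_20_years ** (years_elapsed / 20.0)


def words_needed(target_years: float, guesses_per_second: float,
                 wordlist_size: int = WORDLIST_SIZE) -> int:
    """Smallest word count whose exhaustive search still takes at least target_years."""
    words = 1
    while years_to_exhaust(words, guesses_per_second, wordlist_size) < target_years:
        words += 1
    return words


if __name__ == "__main__":
    rate_today = 1000.0                                     # the commenter's assumed rate
    print(passphrase_bits(4))                               # 44.0
    print(round(years_to_exhaust(4, rate_today)))           # 557 ("550 years")
    rate_in_20y = rate_today * speedup_after(20)
    print(round(years_to_exhaust(4, rate_in_20y), 2))       # 0.56 (about 6-7 months)
    print(round(years_to_exhaust(5, rate_in_20y)))          # 1142 (one word added)
    print(words_needed(550, rate_today * speedup_after(100)))  # 9
```

Under these assumptions the figures in the post come out as stated: four words at 1000 guesses/s take about 557 years, 1000 times that rate brings it to about half a year, a fifth word pushes it past 1000 years again, and holding the 550-year target for 100 years of the same growth needs 9 words. Whether the hash is slow enough to make any of these rates realistic is the separate question the reply above raises.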

        1. Anonymous Coward
          Anonymous Coward

          Re: Correct horse battery staple

          "another 11 bits of entropy".........nearly but not quite true, remember that we're attacking offline your password hash eg "EB50644BE27DF70B2F11631B6B4E0B6F" and that we don't actually need to find your original password - just something possibly shorter, that gets the same hash.

          passwords are completely blown, passphrases certainly can help - and rather than xkcd I tend to use things like http://ecx.images-amazon.com/images/I/41P-oDmNABL.jpg

    2. brooxta

      Re: Correct horse battery staple

      > 'N^a&$1nG' could be cracked in approximately 3.75 days

      That was the most worrying part of the article!

      1. DanDanDan

        Re: Correct horse battery staple

        >> 'N^a&$1nG' could be cracked in approximately 3.75 days

        >

        >That was the most worrying part of the article!

        Agreed, nearly crapped my pants when I read that. 17 years isn't much better. Time we switched to storing our private keys on a USB stick and using those for authentication. Or something else. I'm getting super paranoid right now!

      2. b166er

        Re: Correct horse battery staple

        <= 8 character passwords have been iffy for a long time now friend. (I'm taking it that the quotes are literal and don't belong to that password)

        Have a quick look at some of the public rainbow tables and then consider what tables people with serious intent must have.

        It's interesting to hear that GoodLuckGuessingThisPassword is that much stronger. I believe a lot of people don't think passphrases are worth their salt (intended, sorry)

        That being so, just make minimum password length = 20 and let users put anything they want as their password.

        But when all is said and done, there needs to be a better way because, as someone pointed out earlier, it will only get easier to crack them as the power to do so increases.

  12. Alan Ferris
    Unhappy

    Policies !

    My (online) bank has never asked for a password change, in about 15 years of use, yet my NHS email account forces a change every 90 days.

    Why does changing my password make the email address more secure? Or is it just a ploy to keep IT staff employed doing exciting things like resetting the account, when I get locked out because one copy of Outlook isn't updated quickly enough?

    1. Anonymous Coward
      Anonymous Coward

      Re: Policies !

      > Why does changing my password make the email address more secure?

      It does not keep it more secure -- it only serves to frustrate. The requirement came from very old-school security, probably dating back to WWII, where the time to steal and use a password was in the manner of weeks or months -- and there it makes sense.

      Today the biggest risk for getting passwords stolen is not from the individuals, but from somebody breaking into the company's database and lifting them all -- having users change passwords for no reason is just a lack of understanding of where the security risk really is.

      So blame it on ignorance & the argument of "we have always done it this way".

    2. Alister

      Re: Policies !

      "Why does changing my password make the email address more secure?"

      It's not so much for your email, but as a general policy for corporate computer accounts. If someone has cracked your password, there is no easy way of knowing this - so long as the miscreant doesn't do anything obvious like send all your mates dirty pictures by email.

      Therefore, changing the password on a regular basis can offer a way to block the use of any compromised account. However, doing it every 90 days means that someone could have up to three months to do nasty things with a compromised account, so a shorter reset period is more secure - although more annoying to users.

      In the case of your bank, if someone has cracked your account then it's probably going to be fairly obvious, as transactions will be made that you didn't know about, and therefore a compromised password is easy to spot.

  13. David Pollard

    Basic honeypots?

    Is there not some fairly simple way to test that repeated attempts are being made to crack the login? And is it not possible to deny 'password1' and similar to users and then route logon requests which use it to fake data, logging all details of the connection and later adding this to a blacklist?

    1. Alan Brown Silver badge

      Re: Basic honeypots?

      "Is there not some fairly simple way to test that repeated attempts are being made to crack the login?"

      Of course there are - it's not at all uncommon to lock out remote addresses for XYZ time after N failed guesses.

      Not that it helps much if there are 200,000 separate zombies connecting in to try and breach ABC's password.

      1. David Pollard

        Re: Basic honeypots?

        Isn't it also fairly easy to recognise the arrival of a swarm of zombies, and in this case to log most of the 200,000 to plot the spread of the farm that's spawning them? The ratio of password rejections to traffic is presumably quite low and fairly constant, so an increase when the plague starts shouldn't be too difficult to recognise. Or is there something else of which I'm unaware?
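        An added example (not the poster's code) of the ratio-based detection described above, run over constructed log lines in a made-up record format: it tracks each minute's failure ratio against the running baseline of earlier minutes and flags a minute where the ratio jumps and the failures come from many distinct addresses. The thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed record format for this example (not any real product's log):
#   2014-08-21T10:02:07 login user=alice src=203.0.113.7 result=fail
LOG_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\d login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def minute_stats(lines):
    """Per-minute attempt count, failure count and distinct failing sources."""
    stats = defaultdict(lambda: {"total": 0, "fail": 0, "sources": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a login record; ignore
        s = stats[m["minute"]]
        s["total"] += 1
        if m["result"] == "fail":
            s["fail"] += 1
            s["sources"].add(m["src"])
    return stats


def detect_swarm(lines, ratio_factor=3.0, min_sources=10):
    """Flag minutes whose failure ratio exceeds ratio_factor times the running
    baseline AND whose failures come from at least min_sources addresses.
    Alerted minutes are kept out of the baseline so a burst cannot hide itself."""
    stats = minute_stats(lines)
    alerts = []
    base_total = base_fail = 0
    for minute in sorted(stats):
        s = stats[minute]
        ratio = s["fail"] / s["total"]
        if base_total:
            baseline = base_fail / base_total
            swarm = ratio > ratio_factor * baseline and len(s["sources"]) >= min_sources
        else:
            swarm = False  # first minute: nothing to compare against yet
        if swarm:
            alerts.append(minute)
        else:
            base_total += s["total"]
            base_fail += s["fail"]
    return alerts


def sample_log():
    """Constructed sample: two ordinary minutes, then a distributed burst
    against one account while normal traffic continues underneath."""
    lines = []
    for minute, fails in (("2014-08-21T10:00", 1), ("2014-08-21T10:01", 2)):
        for i in range(20):
            result = "fail" if i < fails else "ok"
            lines.append(f"{minute}:{i:02d} login user=user{i} "
                         f"src=198.51.100.{i} result={result}")
    for i in range(25):  # 25 different addresses, one failed guess each
        lines.append(f"2014-08-21T10:02:{i:02d} login user=alice "
                     f"src=203.0.113.{i} result=fail")
    for i in range(10):  # legitimate logins during the burst
        lines.append(f"2014-08-21T10:02:{30 + i:02d} login user=user{i} "
                     f"src=198.51.100.{i} result=ok")
    return lines


if __name__ == "__main__":
    for minute, s in sorted(minute_stats(sample_log()).items()):
        print(minute, s["fail"], "/", s["total"], "failed from", len(s["sources"]), "sources")
    print("swarm minutes:", detect_swarm(sample_log()))
```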

  14. David Roberts

    Sad but true

    I just bought a brand new Buffalo home router.

    The administrator user ID seems to be hard wired to "admin" and the maximum password length is eight characters.

    When alligator time reverts to swamp draining it is getting DD-WRT or similar.

    Not the most secure set up I have ever seen.

    1. AndrueC Silver badge
      Meh

      Re: Sad but true

      Not the most secure set up I have ever seen.

      On the plus side one assumes no-one can get to the admin interface from outside your LAN and that anyone actually on your LAN is trusted. Sorta ;)

      1. Anonymous Coward
        Anonymous Coward

        Re: Sad but true

        my router not only has hard wired "admin" but read this and enjoy.....

        Access to your DSL router is controlled through three user accounts: admin, support, and user.

        The user name "admin" has unrestricted access to change and view configuration of your DSL Router.

        The user name "support" is used to allow an ISP technician to access your DSL Router for maintenance and to run diagnostics.

        The user name "user" can access the DSL Router, view configuration settings and statistics, as well as, update the router's software.

        I haven't yet found the hard-wired "support" password in the Flash/ROM - but it's fair to assume that many of these devices are considered Telco property...even though I bought mine!

  15. JimmyPage Silver badge
    FAIL

    STILL no standard ?

    I posted a while ago, to general approval, that there really needs to be an ISO-level standard about how passwords (or more generally identity verification) should be carried out.

    At present, you have no idea what happens to that password, once you press "register", or "Login".

    Is it hashed and compared? Is it stored in plaintext?

    You have no idea.

    If you forget it, can you reset it? Will it be emailed to you, in plain text?

    You have no idea.

    I'm starting to think that usernames and password are starting to become obsolete, although the worry is, there's nothing (yet) to replace them.

    Is there space in the market, for something you can use on a phone ? Something like a virtual RSA keyfob, where it delivers a verification code based upon your credentials, and something unique stored on the phone ?

    1. (AMPC) Anonymous and mostly paranoid coward

      Re: STILL no standard ?

      I am quite fond of two-factor authentication (like that proposed by Google) which sends a 6 digit code to your phone when you try to log in from a different machine. Although that will suck when you don't have your phone handy.

      1. Alan Brown Silver badge

        Re: STILL no standard ?

        "Although that will suck when you don't have your phone handy."

        And suck even more when your phone has been stolen and it's the thief who's gleaned your google details who gets the 6 digit code directly.

        This _HAS_ happened.

        (FWIW, keep your backup stuff WELL AWAY from the computers. Several staff have lost computers AND backups in burglaries.)

    2. DropBear

      Re: STILL no standard ?

      If you forget it, can you reset it? Will it be emailed to you, in plain text? You have no idea.

      Oh, but you do... it's mind-blowing how often I sign up to some new site just to immediately receive a greeting mail, with a cheerful "Welcome to XYZ, your login name is ABC, your password is 123..." - by which point I'm working very hard indeed trying to escape an attack of apoplexy...

      Is there space in the market, for something you can use on a phone ?

      You might want to check out InputStick...

      1. pabc

        Re: STILL no standard ?

        I challenged one small ecommerce website that sent me username/password in plain text after signup - accusing them of not even hashing, let alone salting my password as it should be lost to them after registration.

        I got a reply stating he'd looked at the registration script which did salt and hash prior to storage but used the original input whilst generating the confirmation email. He thanked me for raising the issue as he wasn't aware the script sent the password back out via plain text.

        I created a second account a week later - no password in the confirmation email. So there are some people doing it right.
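        As an added example (not the site's script, which the post does not show) of the mistake described above: both functions salt and hash with PBKDF2 before storing, but the first renders the welcome mail from the plaintext it still holds. The function names, the iteration count and the in-memory `db` dict are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password, salt=None):
    """Return (salt, digest), generating a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def register_leaky(db, username, password):
    """Storage is salted and hashed, yet the welcome mail is rendered from the
    plaintext still in scope: the bug the poster reported."""
    db[username] = hash_password(password)
    return (f"Welcome to the shop! Your login name is {username} "
            f"and your password is {password}")


def register_fixed(db, username, password):
    """Same storage; the plaintext is dropped right after hashing and the
    mail template never receives it."""
    db[username] = hash_password(password)
    del password  # nothing after this line has a legitimate use for it
    return (f"Welcome to the shop! Your login name is {username}. "
            "Sign in with the password you chose at registration.")


def mail_leaks_password(mail_body, password):
    """Check a rendered message for the secret it must not contain."""
    return password in mail_body


if __name__ == "__main__":
    db = {}
    print(register_leaky(db, "bob", "correct horse"))
    print(register_fixed(db, "carol", "correct horse"))
    print("carol verifies:", verify_password("correct horse", *db["carol"]))
```

A one-line check like `mail_leaks_password` belongs in the test suite for every outbound template, since the storage code looked correct in isolation.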

  16. Anonymous Coward 101

    Stupid Password Policies

    I've noticed that some websites - with very high security requirements - often have unstated limits on password length. I created a very large new password using a password manager, it was accepted on the 'New Password' dialogue box, but then when I tried to enter it to log in, it was refused. It was clear that the maximum password length is set at about 15 characters. This is stupid; I don't know what these institutions gain from this policy.

    TSB and Legal & General, I'm looking at you here!

    1. Alan Brown Silver badge

      Re: Stupid Password Policies

      "It was clear that the maximum password length is set at about 15 characters."

      A lot of the time it's limited by the twats who programmed the dialogue box.

      Windows 2000 / XP / Server 2003: Technical limit is 127 characters. Password change dialog limits to 32 characters. If 14 or less characters are used, the old LanMan hash is used. If 15 or more are used, the newer NTLM hash is used.

      https://security.stackexchange.com/questions/22721/password-length-limits-in-history-of-operating-systems-and-popular-web-sites

      Windows 95 / 98 / LANMAN: 14 characters (split into two 7-character hashes)

      Note that this means that the security difficulty is the same as cracking two 7-character passwords.

      Unix BIGCRYPT was 16 = 2 * 8DES and has exactly the same failing.

      Apparently OS/X barfs at 17 characters :(

  17. Tezfair
    FAIL

    BT guilty here..

    Number of new setups I have been to and BTs default password is.... welcome1

    1. Hollerith 1

      Re: BT guilty here..

      Welcome 1 is the standard password given out in my company for a specific system, with the u/n being your email. Fun thing is that users can't change their username or password. So it doesn't take a brainbox to be able to log in as anyone. Financial Services, yay!

  18. roger 8

    A common password I keep coming across is letme1n or their year of birth twice.

  19. Anonymous Coward
    Anonymous Coward

    Has anyone done a study of how many times per day you type a password in? For me it is many. Many.

    More than necessary actually, due to the way things are set up, so I'm not going over 8 chars.

    Lazy day today, only twice so far!

    1. Alan Brown Silver badge

      I enter mine 20-30 times/day and it's more than 21 characters.

      You develop muscle memory after 3 days and it stops shoulder surfers when it's typed in less than 2 seconds.

  20. ZSn

    Your dog is more popular than your daughter

    If you look at the link and read to the bottom it seems that the popularity of names within a password goes in this order: boy's name -> dog's name -> daughter's name .... It seems that people use their dog's name more frequently than their daughter's (unless they've named her Rover, that is!).

    Also not sure about the actual analysis: N^a&$1nG 3+ days yes, GoodLuckGuessingThisPassword 17+ years, not sure. Are they using English dictionary attacks? But if they used a password like N^a&$1nG but 16 characters long I make the password more than 100 bits long. As a key, that's certainly long enough....

    1. Tom 38
      Unhappy

      Re: Your dog is more popular than your daughter

      I think that depends on families, my mum's passwords are all about the dogs not me.

      1. ZSn

        Re: Your dog is more popular than your daughter

        Yes, but it seems that boys are more popular than dogs and girls less popular than dogs. Odd choice.

      2. Anonymous Coward
        Anonymous Coward

        Re: Your dog is more popular than your daughter

        I feel really sorry for your daughter.

    2. Jim 59

      Re: Your dog is more popular than your daughter

      Dog's name is maybe more secure because it is slightly harder to obtain than a son's name. Not sure about the daughter thing.

    3. Hollerith 1

      Re: Your dog is more popular than your daughter

      I'd like to think it's because parents (or dads, at least) instinctively ring-fence their daughters and keep them safe by not using their names. Am I a soft romantic?

    4. Dick99999

      Re: Your dog is more popular than your daughter

      @ ZSn "Not sure", agree.

      How can they crack GoodLuckGuessingThisPassword by brute force? Considering letters only: one has to guess max 52^23=2.8E42 times which takes centuries (or crack a PW of 140 bits entropy).

      Perhaps a Markov chain attack works with these words. Might gain a factor 3(?) up front, but with the same performance for an exhaustive search.

      Even if a combine-words-in-dictionary attack on a passphrase was undertaken with a 7776 word Diceware dictionary: it would take max 7776^5=2.8E19 guesses. Or at ~20 billion/sec (if possible for phrases) some 40 years on average.

      I have not seen math for non-random phrases, that could be attacked by grammar based approaches. Perhaps they know how to do that?

  21. Captain Scarlet Silver badge
    Coat

    I know far too many users who use Password<number>.

    They don't seem to get it that it's a stupid password, as well as they don't understand why I am very annoyed by the cracked screen on their laptop, which magically appeared but also seems to be the same size as the paperwork they have in their other hand.

  22. Len Goddard

    No long passwords

    Since I never access important/secure sites away from home I use a locally based password generator/manager. I set it up to generate 20 printable-character passwords. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long.

    Much as I dislike it, I think 2 factor authentication has to be the way to go for sites requiring genuine security and everyone else should accept at least 32 printable characters.

    Once or twice I have actually sent emails to webmasters at particularly bad sites (max 8 chars etc) saying that I have refrained from registering because the password policy was inherently insecure. I've never had a reply, though.

    1. Ben Tasker

      Re: No long passwords

      I set it up to generate 20 printable-character passwords. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long.

      Yup, but that's still better than the bastards that 'accept' it, silently truncate it down to their max length and leave you wondering why you can't log in.

  23. J.G.Harston Silver badge

    The passwords that really annoy me are on recruitment websites that insist on mindlessly secure password JUST TO APPLY FOR A F****G JOB!!!! The first time I go to the website I use my usual throw-away password, which is rejected, and then have to go through a sequence of trying to get it to accept a password. Some weeks later I follow up another vacancy to the same website and then have to try and remember: was this with a capital letter? a terminal number? a capital letter and two terminal numbers? some crazy punctuation as well? f*** it, if you're going to these lengths to stop people applying for your jobs, you've succeeded.

  24. Yugguy

    Nothing to worry about here!

    We're clever. We use P@ssword1

    Ah goddammit.

    1. Darryl

      Re: Nothing to worry about here!

      You want serious security, try P@$$word1

      1. Alan Brown Silver badge

        Re: Nothing to worry about here!

        "You want serious security, try P@$$word1"

        ASD user complains "You can't use that. It has ASS in it!"

        Seriously. *facepalm

  25. FlossyThePig

    Mobile phone password issue

    So you have a password based on a phrase, using simple number substitution, e.g. s becomes 5.

    On a computer keyboard use Shift+5 for upper case S. Then you get a nice new phone and have to enter the password. What is the character you type for Shift+5?

    Answer: It's % but how many people know the ten characters used on the numeric keys, and some are different depending on language and machine, " and @ are transposed on Macs compared to PCs in the UK

  26. Bronek Kozicki

    what if ...

    ... password replacement policies were based on time needed to brute-force an existing password? Say you are a new employee about to set your network password for the first time (because the one you received on welcome comes with a "must change" setting). You try "Password1" and since this is "cracked" by the validator in real time it is not even accepted, since the check for minimum password complexity can be run synchronously, as soon as you press Enter. So you try something a bit more complex and it is accepted, but within a few hours or a few days you receive an email explaining that you need to change your password again because it has been deemed too weak by automated password complexity assessment (i.e. cracked by the security team). This comes with an obligatory picture borrowed (legally, of course) from xkcd and a longer explanation about how password complexity works. Sounds like pain?

    But here is a good part: if you read the instructions carefully, you will figure out how to set a password that you won't ever have to change (bar emergencies). You simply make it complex enough!

    Now, if only one password was needed at work ...

  27. Rich 30

    At work our main password has to change every 30 days. I just n+1 to the number at the end of my very basic password.

  28. ecofeco Silver badge

    You get what you pay for

    You get what you pay for and if you can't afford decent IT services or staff, too bad for you.

    "Password1" it is then.

  29. Anonymous Coward
    Anonymous Coward

    I use a collection of words associated with my interest. Not all in English. So, for instance, Shimano105crevaisson.

    Good luck breaking that.

  30. Anonymous Coward
    Anonymous Coward

    Don't allow retries

    A password can often be cracked quickly, because the systems allow dozens of attempts per second. Simply don't allow more than one password attempt per 5 seconds, and an 8 character password would take more than a million years to crack.

    1. Charles 9

      Re: Don't allow retries

      One, they can send numerous zombies to simultaneously try the same account, creating a race condition. Two, many brute-force efforts come AFTER they purloin the shadow files (analogue: they take the still-closed safe with them) at which point they can crack at it at their leisure.

  31. Dick Emery

    There is a simple fix for this problem

    Most password hacking relies on having a system that allows continuous retries until a password works. ALL password systems should work on the basis of an incorrect entry equaling a wait time for each retry with the wait time increasing exponentially for each incorrect entry. First incorrect entry: 30 seconds. Second: 5 minutes. Third: 30 minutes and so on.
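    An added Python sketch (not the poster's code) of the escalating wait described above. The 30 s / 5 min / 30 min steps are the post's; the sixfold growth after that, the one-day cap and the injectable clock are assumptions made so the schedule can be exercised without sleeping.

```python
import time


class LoginThrottle:
    """Per-account wait that escalates with consecutive failed attempts."""
    SCHEDULE = (30, 300, 1800)   # 30 s, 5 min, 30 min: the steps from the post
    GROWTH = 6                   # assumed: keep multiplying by 6 beyond the schedule
    CAP = 24 * 3600              # assumed: never impose more than a day

    def __init__(self, clock=time.monotonic):
        self.clock = clock         # injectable so the schedule can be tested
        self.failures = {}         # account -> consecutive failed attempts
        self.locked_until = {}     # account -> clock value

    def delay_after(self, failures):
        """Wait imposed after the n-th consecutive failure, in seconds."""
        if failures <= 0:
            return 0
        if failures <= len(self.SCHEDULE):
            return self.SCHEDULE[failures - 1]
        extra = failures - len(self.SCHEDULE)
        return min(self.SCHEDULE[-1] * self.GROWTH ** extra, self.CAP)

    def attempt(self, account, password, verify):
        """Return ('locked', seconds_left), ('ok', 0) or ('fail', next_wait)."""
        now = self.clock()
        remaining = self.locked_until.get(account, 0) - now
        if remaining > 0:
            # Refuse without evaluating the password at all.
            return ("locked", remaining)
        if verify(account, password):
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return ("ok", 0)
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        wait = self.delay_after(n)
        self.locked_until[account] = now + wait
        return ("fail", wait)


if __name__ == "__main__":
    fake_clock = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_clock[0])
    # Constructed credential store; plaintext only for this stand-alone demo.
    stored = {"alice": "correct horse battery staple"}
    check = lambda user, pw: stored.get(user) == pw
    for pw, t in (("wrong", 0), ("wrong", 0), ("wrong", 31), ("wrong", 400),
                  ("correct horse battery staple", 3000),
                  ("correct horse battery staple", 20000)):
        fake_clock[0] = t
        print(t, pw, throttle.attempt("alice", pw, check))
```

This throttles online guessing only: as noted elsewhere in the thread it does nothing once the hashes are stolen, and a per-account lockout lets anyone who knows a username keep its owner locked out, so pair it with per-source limits and alerting rather than relying on it alone.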

  32. This post has been deleted by its author

  33. Al_21

    Down with the password length limitations

    Should be able to add sentences or phrases.

    Question: Who likes short shorts?

    Password: We like short shorts!

  34. Nanners

    NO REALISTIC

    Who can humanly keep track of all the passwords needed in today's world? It's not realistic to use password security because of ALL the MOUNTAINS of passwords that are needed. Not even the human brain can keep track of it all. I know I use as few passwords as necessary...it's just not realistic to think people are going to create new 8 character obscure passwords for every little task in their lives.

    1. Charles 9

      Re: NO REALISTIC

      So what happened in the Middle Ages when most people were illiterate and STILL had to remember tons of usually-dissimilar things in their day-to-day lives?

  35. Robert E A Harvey

    welcome to the 1970s

    I am amazed that 50 years on we still have no better way of proving who someone is than the name of their first girlfriend. It is bizarre.

  36. ITS Retired
    Boffin

    When I was working..

    I used the names of the towns on Oahu, Hawaii, plus the obligatory number of special characters, tacked on the end, to log on to my computer. Plenty of names longer than 10 characters with the padding.

    Of course, I had a printed cheat sheet with all my many passwords in the drawer with the security files I used.

    No way, with all the various differing password rules for the different log-ins I needed, could I remember them all.

  37. mns688

    No password change advice needs caveat

    It's all well and good to not change passwords as frequently, but in order for it to work you have to enforce a long password length - long enough to be longer than it would take a hacker with full access to your hashes to crack the hashes with a GPU setup similar to what you've outlined in the article. Always ASSUME that your hashes are in the hands of the bad guys, because chances are, they are.

    I guess what I'm saying is, there is no substitute for doing the math. And re-doing the math every few months as the number of hashes that can be checked in a short time increases.

  38. Zane

    Ignorance on all sides

    One of the things that really annoys me about this - of course these stupid rules "upper+lower case, digit, special symbol" do not yield a good password. Not at all. And there are lots of good passwords that are lower case only, eg. wcbhfeae (easy to remember, isn't it?) is not that bad.

    Ranking passwords by these categories is completely senseless.

    /Zane
