Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Sysadmins trying to harden user passwords against brute force attacks, or everyday folk trying to make sure their passwords don't lead to nude selfie leaks may not need to bother, according to the latest research from Microsoft mavericks. Redmond password provocateurs Dinei Florencio and Cormac Herley say password hardening …

  1. jake Silver badge

    So basically, MS says ...

    ... clueless idiots running MS products are clueless? I can live with that. I won't work on it, mind, but I can live without it.

    1. Sir Runcible Spoon

      Re: So basically, MS says ...

      Or M$ are admitting they are clueless.

      "For reversibly-encrypted codes that use strong algorithms, crackers would need the relevant decryption key. Without it, they would have no effective means of offline attack even if the users' password was 123456," the duo wrote.

      Ok, so technically accurate, but misleading. Even if I couldn't crack the password offline, there's no reason I couldn't just 'have a go' at entering 123456 as a password, which would obviously work.

      Having a gnarly password doesn't just make it harder to crack, it makes it hard to guess, and if you re-use passwords from other sites, it only takes one of them to leak the password in a weak manner and all of your accounts are screwed.

      Have M$ got a product launch relating to passwords coming up soon or something?

      1. dogged

        Re: So basically, MS says ...

        Having a gnarly password makes it harder to remember and relying on a gnarly password is nearly as dumb as... well... jake.

        1. Dave 126 Silver badge

          Re: So basically, MS says ...

          >if you re-use passwords from other sites, it only takes one of them to leak the password in a weak manner and all of your accounts are screwed.

          In the article in which they discuss that, their advice is to reuse passwords across low-value sites - such as forums - and to reserve dedicated passwords for important sites, such as your email, shopping and banking services.

          In addition, attackers have to know which email address you have used as your username for each site in order to use a compromised password - if you use you+ebay7antelope@gmail.com for eBay and you+amazon4mountain@gmail.com for those respective sites, a compromise of one site's system won't reveal your username for another.

          1. This post has been deleted by its author

            1. Anonymous Coward

              Re: So basically, MS says ...

              > My online reputations have great value (built up over years)

              Erm... Judging by the voting tally of your post...

          2. JeffyPoooh
            Pint

            Re: So basically, MS says ...

            Dave proposed: "you+ebay7antelope@gmail.com"

            Hmmm. What if the hackers have heard about the gmail "+" trick? If they had, then they'd be able to write a script to defeat your countermeasure.

            1. Dave 126 Silver badge

              Re: So basically, MS says ...

              >What if the hackers have heard about the gmail "+" trick? If they had, then they'd be able to write a script to defeat your countermeasure.

              How?

              They would have to brute force your username at the same time as trying to brute force your password. And as we know: lots x lots = shitloads.

              1. JeffyPoooh
                Pint

                Re: So basically, MS says ...

                I see. The users' email addresses have been hashed too; not just the passwords.

                Right you are then. Here, have a beer. Thanks.

      2. James Delaney

        Re: So basically, MS says ...

        They're saying complexity isn't the answer. A memorable password might be the answer as long as it's only memorable to you i.e. not common.

      3. Anonymous Coward

        Re: So basically, MS says ...

        Why are they even suggesting two way encrypted passwords??

        We've been trying hard to convince people it's a bad thing, and Microsoft go and praise it.

    2. Adam 1

      Re: So basically, MS says ...

      >... clueless idiots running MS products are clueless?

      That statement may be true *cough* TIFKAM *cough*, sorry had to clear my throat.

      What was I saying? That's right, I think you missed the point. If say A! Company! Whose! Name! I! Will! Redact! So! As! Not! To! Embarrass! Them! stores your super duper unbreakable "wrong unicorn paperclip capacitor" password in clear text then it is compromised.

      BTW, congratulations reg; nice click bait :)

  2. AbortRetryFail

    Interesting

    So I guess what they're saying is that, if the thieves have your safe in a secluded lockup and have a range of power tools, plasma cutters, explosives, etc, it doesn't matter how good the locks are on the safe. Whereas if you have armed guards standing over your safe 24/7 then it's less important how good the lock is.

    Hmmmm.

    1. Anonymous Coward

      Re: Interesting

      I read it more as "there is no point investing in really expensive locks (long passwords) if everyone makes the safe out of paper (i.e. the other security is implemented wrong)".

      That said, their approach is a race to the bottom - let's make everything as weak as the weakest part - rather than trying to improve industry best practice to reduce the number of "implemented wrong" instances in the wild.

      1. Tom 13

        Re: their approach is a race to the bottom

        I don't read it as a race to the bottom. I read it as trust your users to know how important the information they are putting on your website is and fix the things you've frelled up instead.

    2. Tom Wood

      Re: Interesting

      You're right. If they can steal the safe then it doesn't matter whether it's made from cardboard or plywood or hardened steel, they will find a way to attack it.

      The problem consumers have is that they are trusting their passwords to a safe of unknown quality surrounded by an unknown number of guards who may or may not be unfit and unable to run very fast and prone to fall asleep on the job.

      Security is only as strong as its weakest link, so given that we don't know how careful websites are with their password security (recent incidents would suggest: not very) we should still follow all the usual rules (long complex passwords, don't reuse them, etc).

      1. dogged

        Re: Interesting

        As an interesting aside, Apple are saying the iCloud attacks aren't their fault because the attacks were online.

        And apparently they don't lock you out after three (or even three hundred) failed login attempts.

        The users are apparently securing it wrong. Not Apple. Apple are infallible.

        1. Steve Todd

          Re: Interesting

          No, they are saying that their host systems weren't compromised, only individual user accounts due to weak passwords and security questions (there does seem to have been an issue where there was no rate limiting on guesses). If the host systems had been compromised then ALL users would have been at risk.

          1. dogged

            Re: Interesting

            That's exactly what I said, except for your pro-Apple spin.

            Failure to enforce lockout after multiple failed login attempts is pathetic and there's no excuse for it.

            Frankly, I hope Jennifer Lawrence sues.

            1. Steve Todd

              Re: Interesting @dogged

              No, they didn't say that it wasn't their fault, they have placed rate limiting code on the affected systems now. IMHO the best way to do this is to get exponentially slower returning a response after each failed logon. Humans will just go through the "forgot my password" procedure, machines will get only a couple of chances at guessing before things become too slow to use.

              What Apple did say is that it's not an issue for the vast majority of their users as the attacks were only on specific accounts and wouldn't have succeeded against harder passwords.

              The Apple hating community (of which I'm assuming you're a member) seem to overlook flaws in their own chosen platform and leap on the slightest error by Apple. Yes, it was a flaw. No, Apple don't create flawless code, nor have they ever made this claim.

              1. Fehu
                Paris Hilton

                Re: Interesting @dogged

                And to extend the safe analogy, guessing the combination of the safe if it is someone's birthday is low tech; actually drilling through a wall and cutting the safe away from the bolts that hold it to the floor takes a much higher level of criminal sophistication and commitment of resources. Lots of people can take wild guesses or less wild guesses if they know you have a habit of using your own birthday as your passcode; very few people have the expertise to actually steal the entire safe. But, to make it easy for every Tom, Dick and whoever to guess your easy password because someone might actually steal the safe? That's a very large logic fail. Make the easy stuff hard and the hard stuff close to impossible, then you can sleep at night.

                Paris, 'cause like M$ she has lots of money, but not much idea of how she got it or what to do with it.

            2. chr0m4t1c

              Re: Interesting

              >That's exactly what I said, except for your pro-Apple spin.

              My reading of your post was that it implied that Apple were lying. The iCloud servers were not breached, but individual accounts were hacked, pointing out the facts is not pro-Apple spin.

              >Failure to enforce lockout after multiple failed login attempts is pathetic and there's no excuse for it.

              Apple lock out accounts for eight hours after 12 failed attempts.

              Apple's reset process involves providing email address, date of birth and the answer to any one of a number of security questions (e.g. the name of your first pet). Unfortunately for people in the public eye most of that information is likely to be easily available from a number of sources and like most people they wouldn't think of just making up an answer, so a quick trip to Google will almost certainly allow you to gain illicit access to the account of pretty well anyone famous.

              Is this Apple's /fault/? Debatable. There are more things they could do, but then there are already additional security features available for Apple accounts that do not appear to have been turned on in this case (e.g. if you have 2FA turned on, then the password reset process will also require you to go through that).

              So we're back to square one, is it the fault of any company if users who do not use the security features provided then have their accounts breached?

              No. It's the fault of the people who gained access, in the same way that if you forgot to lock your front door it's not your fault if someone steals your TV. What you did might have inadvertently made it easy for them, but make no mistake that the person at fault is the thief.

              1. Tom 13

                Re: it implied that Apple were lying.

                They are. They said they have NO responsibility for the breach. Then go on to admit they didn't have rate limits on an obvious brute force attack path.

                They may not be SOLELY responsible for the breach, but they share in the blame. Yes it is good that plebs weren't hacked because they weren't targeted. But that didn't mean the plebs were any safer than the celebs from the standpoint of a technical analysis.

            3. Anonymous Coward

              Re: Interesting

              @ Dogged.

              Whom?????

          2. This post has been deleted by its author

        2. mark 63 Silver badge

          Re: Interesting

          "And apparently they don't lock you out after three (or even three hundred) failed login attempts."

          That right there has got to be the simplest and most obvious of 'online' security features. Rate limiting, lockouts, and email alerts of failed attempts.

          1. mark 63 Silver badge

            Re: Interesting

            Saying "only as secure as the weakest link" - I disagree. If someone talks the guards into handing over the safe (loving these analogies btw), and the safe is made of unbreakableium, then the contents are still secure.

            The phrase "Two Factor Authentication", which seems to be heralded as the latest, greatest and safest, would be redundant if "only as secure as the weakest link" were true.

      2. James Micallef Silver badge

        Re: Interesting

        Problem is, how do I as a user know what security a site is using? Some of them actually do front up and say "we use salted hashed tables" (usually after a breach has occurred), most sites are mum on the issue (citing security concerns, but most likely these are the ones with rubbish security, and attempting security through obscurity).

        What I do is pretty close to MS recommendation - use 1 common password for all unimportant sites / forums etc, and different passwords for important sites. I *hope* that email, bank, e-commerce sites DO have the requisite security to prevent user info being stolen in the first place, and I also *hope* that in that eventuality the passwords at least are secure.

        The 1 site that I know (rather than hope) I can trust is my bank's e-banking site, because in the T&C's they explicitly say that THEY are responsible for security breaches of "their side" of the site.

    3. Anonymous Coward

      Re: Interesting

      > Whereas if you have armed guards standing over your safe 24/7 then it's less important how good the lock is.

      Depends on whether your guards are armed with AK47s or harsh words.

  3. hammarbtyp

    One password to rule them all

    There was a parody some time ago, where IT policy produced so many rules on acceptable passwords that in the end there was only one combination of characters that would meet the requirement, which of course all users then were required to use.

    Sometimes it feels like that when you register for a new website, forcing you to be even more imaginative on your password. Unfortunately you are then forced to write it down somewhere just so you can remember it next time you log on.

    Of course by adding weak/strong password dialogs, the website owners look like they are being secure. Not a lot of use however if they store them in some text file on a server.

    1. AndrueC Silver badge
      Facepalm

      Re: One password to rule them all

      Of course by adding weak/strong password dialogs, the website owners look like they are being secure. Not a lot of use however if they store them in some text file on a server.

      I find it ironic that after being chastised for sending passwords in the clear and/or not encrypting them my Tesco groceries password is now one of the strongest I've got. At least I can rest assured that no-one is going to be ordering groceries for me I suppose :-/

      1. ByeLaw101

        Re: One password to rule them all

        I think you under-estimate the risk here AndrueC. Tesco has to be secure, what happens if someone orders you Marmite!

        You didn't think of THAT did you !?

        ;)

        1. adam 40 Silver badge

          Re: One password to rule them all

          I see your point - Tesco would probably substitute Vegemite, which is totally disgusting...

          1. Anonymous Coward

            Re: One password to rule them all

            Tesco's own brand marmite was subject to a recall a year or two ago as it contained something which "caused skin sensitisation" in "susceptible" people.

            What the fuck they added to salt and yeast shit to cause urticaria I dread to think.

            Ensured I only ever bought Marmite after that...

      2. Lyndon Hills 1

        Re: One password to rule them all - tesco

        Have you read this?

        Tesco and SSL

        1. AndrueC Silver badge
          Meh

          Re: One password to rule them all - tesco

          Have you read this?

          I hadn't but that pre-dates their change to more-strict passwords (they invalidated existing accounts so you had to create a new password) and it pre-dates their recent facelift (I still prefer the old look). On a practical level I've had an account with them almost since they started home deliveries and they are one of the few etailers that has never sent spam nor leaked my (Tesco specific) email address.

          I'm not saying that security doesn't matter nor that they are doing it right but my experience is that Tesco is more secure than most of the etailers I've dealt with over the years. So strictly from my personal POV they are very secure.

    2. Joe 48

      Re: One password to rule them all

      A trick I used a while back was to never know my passwords. Every time I needed access I simply did a reset forgotten password. Added to 2FA on my google mail account and it suited my needs. I've since changed this as I figured my passwords bouncing around the net in plain text wasn't the best either. But for low risk websites I used at the time it did the trick.

      1. Mike Flugennock

        Re: One password to rule them all

        "A trick I used a while back was to never know my passwords. Every time I needed access I simply did a reset forgotten password..."

        Damn. I've had to do a few forgotten password resets, but I'd never thought of that.

        Fiendishly clever.

  4. John Tserkezis

    "Strength meters - the small bars that tell you if your password is weak or strong - are useless, the pair argue"

    I can attest to that. I had an application that had a three-stage password strength meter, and you could only get to that elusive third band if you used non-alphanumeric characters.

    Great I thought - till I found out I can't use ()*&% and some others. They were even quite helpful in letting me know what characters I can't use, to save time on brute forcing. Must have been some division of Microsoft...

  5. jason 7

    I just use...

    approx 30 digit passwords made from 5 or 6 random words.

    If it limits me to 8 or 16 then I move on.

    1. frank ly

      Re: I just use...

      "whatthef**kismypassword"

      1. Tom 13

        Re: I just use...

        I knew an email admin who used "Iamamoron!" whenever a user forgot his password and needed a reset. When somebody complained about it he changed it to "Iamamaroon!"

        1. Darryl

          Re: I just use...

          I used to always give forgetful users "Blondemoment!"

    2. Anonymous Coward 101

      Re: I just use...

      I found that TSB and Legal & General do not limit the length of the password one may choose, but limit the length of the password one may type in to access the website. Note that this is highly stupid, particularly as these websites need to be highly secure.

      1. depicus

        Re: I just use...

        Not as bad as 3DSecure passwords which have to be alphanumeric and (if I remember correctly) no longer than 12 characters long.

        1. Anonymous Coward
          Unhappy

          Re: I just use...

          re: 3DSecure

          That's because you're entering a 12 character password absolves them of responsibility for the transaction.

        2. Anonymous Coward

          Re: I just use...

          "Verified By Visa", another Pandora's box.

          It doesn't differentiate between upper and lower case.

          So if you use Tz123456Q, it will ask for 3 characters, and it doesn't matter if you input tZq for the requested digits, it will still work. It's a sack of shit designed so the banks can pass on blame to you for "fraudulent" use.

          "But you enrolled on VBV, you MUST have given them access to your account. No compensation for you, me laddo"....

    3. Anonymous Coward

      Re: I just use...

      I wish it were that simple. My company has moved to office365...and my email password is now 50+ characters less than it was on the system(s) we had before.

      On the other hand, I'd bet real money that this report was commissioned and published to bolster Microsoft's position regarding the use of 8-16 character passwords in Outlook Online.

  6. DrXym

    Some truth to some of what they say

    I've had occasions where I click on the "I've forgotten my password" link and it's sent me back my PLAINTEXT password. In other words they never hashed it in the first place. This is indicative of a site which doesn't know what it is doing and is therefore likely to be hacked.

    Using a strong password on such a site is an utter waste of time and exposes other sites which take more care to salt and hash their passwords.

    These days I tend to rate sites in tiers - throwaway forums, one shot things, semi-frequent forums, online shopping / gaming stores, payment systems, banks & utilities. As I go up the tiers I become more stringent about security - the bottom tier may all share the same throwaway password. A tier up I might use a stronger password, with some uniqueness. Above that the passwords are all unique. By the time I get to banks / utilities it's usually augmented by whatever hard tokens, pins etc. that they issue. I also use different email addresses for most forum activity than I do for real life activity - I even use the likes of mailinator on the bottom tier. Everything is stuffed into Password Safe.

    Nothing can stop a site being hacked, but hopefully it minimizes the damage. If a site is compromised I review which sites share the same email/password and change them.

    1. Rich 11

      Re: Some truth to some of what they say

      In other words they never hashed it in the first place.

      Or it was reversibly encrypted.

      1. DrXym

        Re: Some truth to some of what they say

        "Or it was reversibly encrypted."

        Encryption or not is largely irrelevant. Industry practice is to salt and hash because a thief could steal the key while they're stealing the database.

        1. Anonymous Coward

          Re: Some truth to some of what they say

          "Encryption or not is largely irrelevant. Industry practice is to salt and hash because a thief could steal the key while they're stealing the database."

          Except for Microsoft who hash but don't salt

          http://security.stackexchange.com/questions/30654/why-doesnt-microsoft-implement-salt-on-users-passwords-in-windows

          1. dogged
            Stop

            Re: Some truth to some of what they say

            Disingenuous. They hash AND salt with online services, simply not with local OS level passwords (largely for historic/compatibility reasons).

    2. Anonymous Coward

      Re: Some truth to some of what they say

      There's a site for that: http://plaintextoffenders.com

    3. Anonymous Coward

      Re: Some truth to some of what they say

      My only addition is my crypto containers which have nightmare passwords, well beyond anything else. Otherwise, I follow your approach. My only concerns are keyboard-loggers and how secure are my pwsafe containers.

    4. Mark 65

      Re: Some truth to some of what they say

      Whilst it is true that server side implementation of security measures such as encryption, salting, hashing, plain text storage, password resets may be shoddily done, that just does not in any way justify their end hypothesis. I'll happily go on using different passwords for every site set up to the limit of what they allow, generated, encrypted locally (maybe poorly) and stored by LastPass or KeePass. Sure if I get hacked/key-logged they get all my passwords but I figure that happens regardless of whether they're stored mentally or locally. At that point I'd have more serious issues anyhow but using shit passwords shared across multiple sites and thinking "ahh fuckit" isn't a good attitude. What if somebody posts something illegal and I have to prove (in this modern oppressive democracy concept) I didn't do it?

  7. Jonathan 29

    Password harvesting

    There must be hundreds of websites that are set up purely for the means of attracting users and harvesting passwords. It is such an obvious scam. A completely different password for each site is a minimum in my book.

  8. MacroRodent

    SOME password strength validation still useful

    I mean, if you don't stop people from using reportedly common choices like "123456", "password" or "qwerty" as their password, even the online attacks have a good chance of success. But I agree torturing people with rules like "must contain uppercase, lowercase, numbers and punctuation" should be stopped.

    1. monkeyfish

      Re: SOME password strength validation still useful

      Especially since most people comply by putting the capital at the front of a single word, then a dot, then a one or two digit number. Completely compliant (and scores maximum in the helpful security bar!) while still being completely crap.

      1. Will Godfrey Silver badge
        Facepalm

        Re: SOME password strength validation still useful

        Not sure if I mentioned this before but...

        Allowing unlimited printable ASCII (including spaces) -> 95 possibilities

        Insisting on a capital -> 26 possibilities

        Insisting on a digit -> 10 possibilities ... utter lunacy!

        So, they are already trying to weaken passwords as much as possible.

    2. Andy A

      Re: SOME password strength validation still useful

      ... must contain uppercase, lowercase, digits and punctuation and NO PART OF IT MAY APPEAR IN ITS DICTIONARY... says one system I am forced to use.

      Considering the number of systems hiding behind this particular login, having the appearance of security is essential.

  9. John H Woods Silver badge

    Some valid points ...

    ... but I really cannot see the rationale for reuse. They seem to suggest that it reduces cognitive load, but you could just use different high-entropy strings for each website and just store the password in your browser. As long as you can remember your email password, you'll be able to reset any as required.

    1. MacroRodent

      Re: Some valid points ...

      "different high-entropy strings for each website and just store the password in your browser"

      Who in this day and age uses the net from just one device? Granted, some browsers have "cloud sync" features, but that opens its own can of worms...

      1. John H Woods Silver badge

        Re: Some valid points ...

        "Who uses just one device?" Well, a lot of people who don't read El Reg, and that (use random strings and rely on email reset if the browser forgets) is the advice I give them. What I use myself is this:

        echo -n 'PASS SITE USER' | sha256sum - | base64 | tr 'a-m' '!--' | cut -c -16 | head -1

        where PASS is my own secret password; SITE is the URL of the login page; and USER is the userid for that site. That gives me a unique password with 96 bits of entropy for every site (the tr allows me to pass arbitrary rules about including punctuation), and I can calculate it on any device with a terminal (including my Android phone). *Then* I use browser caching.

        1. Jan 0 Silver badge

          Re: Some valid points ...

          You have a nice strategy there, but your advice isn't helpful. I suspect that you haven't done many password resets if you think they're going to get a new password in a few seconds. Many sites take several hours to return a new password. (I've never had to wait more than a day, but maybe I've been lucky).

        2. Anonymous Coward

          Re: Some valid points ...

          @John H Woods

          Actually I think your method gives only 48 bits of entropy:

          The output of sha256sum(random) has 4 bits of entropy per output byte (it's hexadecimal digits) and base64 expands by a factor of 4/3 (as 4*log(64) = 3*log(256)), thus your 16 bytes of output only have 16/(4/3)*4 = 48 bits.
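The pipeline posted above and the entropy accounting in this reply, as an added Python example (not code from either poster): it reproduces the shell pipeline step by step, shows the bit-counting that gives 48 bits for the hex-text version, and contrasts a variant that base64-encodes the raw digest so the same 16 characters carry 96 bits. The master password, site URL and userid are constructed sample values.

```python
import base64
import hashlib

# Constructed sample inputs standing in for the poster's PASS, SITE and USER.
MASTER = "correct horse battery staple"   # the secret master password (constructed)
SITE = "https://example.com/login"        # URL of the login page (constructed)
USER = "alice"                            # userid for that site (constructed)

# tr 'a-m' '!--' maps the 13 letters a..m onto the 13 ASCII characters '!'..'-'
# (codes 33..45); it is a bijection on those letters, so it neither adds nor
# removes entropy, it only satisfies "must contain punctuation" rules.
_TR_TABLE = str.maketrans(
    "".join(chr(c) for c in range(ord("a"), ord("m") + 1)),
    "".join(chr(c) for c in range(ord("!"), ord("-") + 1)),
)


def tr_a_m(s):
    """Apply the same substitution as `tr 'a-m' '!--'`."""
    return s.translate(_TR_TABLE)


def derive_password_hex(master, site, user, length=16):
    """Reproduce the posted pipeline:
        echo -n 'PASS SITE USER' | sha256sum - | base64 | tr 'a-m' '!--' | cut -c -16 | head -1
    sha256sum prints '<64 hex digits>  -\\n' for stdin and base64 encodes that TEXT,
    so the first 16 base64 characters carry only the first 12 hex digits.
    (GNU base64 wraps at 76 columns; cut/head only ever see the first line, whose
    first 16 characters are identical to the unwrapped encoding used here.)
    """
    msg = f"{master} {site} {user}".encode()
    sha_text = hashlib.sha256(msg).hexdigest().encode() + b"  -\n"
    b64 = base64.b64encode(sha_text).decode()
    return tr_a_m(b64)[:length]


def derive_password_raw(master, site, user, length=16):
    """Variant that encodes the raw 32-byte digest instead of its hex text: the same
    16 output characters then carry 12 full-entropy bytes (96 bits)."""
    msg = f"{master} {site} {user}".encode()
    b64 = base64.b64encode(hashlib.sha256(msg).digest()).decode()
    return tr_a_m(b64)[:length]


def entropy_bits(output_chars, bits_per_input_byte):
    """Bits of entropy in the first `output_chars` base64 characters when each
    encoded input byte carries `bits_per_input_byte` bits of entropy.
    Each base64 character encodes 6 bits, i.e. 3/4 of an input byte; tr is a
    bijection and cut only truncates, so neither changes the count.
    Hex digits as bytes carry 4 bits each (-> 48), raw digest bytes 8 (-> 96)."""
    input_bytes = output_chars * 6 // 8
    return input_bytes * bits_per_input_byte


if __name__ == "__main__":
    print("hex-text pipeline :", derive_password_hex(MASTER, SITE, USER),
          entropy_bits(16, 4), "bits")
    print("raw-digest variant:", derive_password_raw(MASTER, SITE, USER),
          entropy_bits(16, 8), "bits")
```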

    2. Brenda McViking

      Re: Some valid points ...

      Because if you reuse a slightly stronger password than remembering 18 simpler ones, your overall security is often still better. And be honest - what is easier? Everything needs a login nowadays. If recall is more than 1 second for the user then you're wasting more time and raising their stress level unnecessarily.

      This is actually one of the few research papers that "get it" - realising that whilst the theory of entropy theoretically makes security stronger, adding in the meatbag actually MASSIVELY reduces entropy. If you're demanding a 6 character password with 4 types of characters, the entropy is orders of magnitude lower than a 6 character lowercase password, but the majority of people do not know that.

      That and security is often completely unnecessary - who needs a password taking 550 years to brute force protecting the corporate "how to sit at your desk without becoming a paraplegic" Health and Safety intranet portal? Even nuclear launch codes only really need a few months of brute force protection. (And indeed, 0000 0000 was the launch code for some types of nuclear weapons during the cold war. For 20 years. Why? Because psychology trumps security where humans are involved.)

  10. a53

    For me

    The safest protection is still by increasing time delay on repeated attempts.
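The "increasing time delay on repeated attempts" above, and the exponentially slower response plus the 12-attempt/8-hour lockout discussed earlier in the thread, as an added Python example (not code from any poster or vendor): a per-account throttle whose delay doubles after each consecutive failure, switches to a fixed lockout after a threshold, and resets on success. The base delay, threshold and lockout length are constructed parameters, and the guessing scenario is a constructed simulation.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logons
    not_before: float = 0.0    # time before which attempts are not even evaluated


class LoginThrottle:
    """Per-account throttling: the delay before the next attempt is evaluated
    doubles after every consecutive failure (base_delay * 2**(n-1)); once
    `lockout_after` consecutive failures are reached it becomes a fixed lockout.
    Parameters are constructed for illustration (1 s base, 12 attempts, 8 h).
    Trade-off worth noting: keying purely on the account name means anyone who
    knows a username can keep its owner waiting, so real deployments combine
    this with per-source limits and a recovery path for the legitimate user."""

    def __init__(self, base_delay=1.0, lockout_after=12, lockout_seconds=8 * 3600):
        self.base_delay = base_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.accounts = {}

    def delay_after(self, failures):
        """Seconds to wait after `failures` consecutive failed logons."""
        if failures <= 0:
            return 0.0
        if failures >= self.lockout_after:
            return float(self.lockout_seconds)
        return self.base_delay * 2 ** (failures - 1)

    def attempt(self, user, now, credential_ok):
        """Process one logon attempt at time `now` (seconds).
        Returns 'throttled' (not evaluated), 'denied' (evaluated, wrong) or 'ok'."""
        state = self.accounts.setdefault(user, AccountState())
        if now < state.not_before:
            return "throttled"           # refuse without checking the credential
        if credential_ok:
            self.accounts.pop(user, None)  # success resets the failure counter
            return "ok"
        state.failures += 1
        state.not_before = now + self.delay_after(state.failures)
        return "denied"


def simulate_guessing(throttle, user, attempts, interval=1.0):
    """Constructed scenario: a script fires one wrong guess every `interval`
    seconds. Returns how many guesses the server actually evaluated; with
    doubling delays only a handful get through before the wait dominates."""
    evaluated = 0
    for i in range(attempts):
        if throttle.attempt(user, now=i * interval, credential_ok=False) == "denied":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    t = LoginThrottle()
    print("guesses evaluated out of 20 at 1/s:", simulate_guessing(t, "alice", 20))
    print("delay after 12 failures (s):", t.delay_after(12))
```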

    1. adam 40 Silver badge

      Re: For me

      And that the site/computer tells you when you last logged in (e.g. UNIX has done this for 30 years and the HMRC website does too.) That way you can self-monitor for breaches.

  11. Anonymous Coward

    bah passwords

    I must have at least 100 different logins which require passwords. Of all those logins only 3 would impact me if they were hacked. Therefore I have 1 difficult password and 1 simple password(*). Hackers can knock themselves out hacking my account for some obscure forum that no-one cares about.

    (*) actually several all on a theme, as each account has slightly different password requirements.

  12. Anonymous Coward

    Watts up.

    “Listen guys we need to look at the electricity usage for the crypto lab. Since not everyone is using government approved algorithms we are still spending a bunch of holiday cash on decryption runs. Does anyone have any ideas on this?”

    “Ban other algorithms?”

    “OK Good, we are working on that, anything else?”

    “Force 2 character passwords?” (much laughter)

    “Nice, anything else?”

    “Tell the average user simpler passwords are better?”

    “OK I'll bite, how?”

    “Tell them all they need is a simple word as we will protect them with very clever use of padlocks and magic” (more laughter)

    “No wait guys, he might have a point, if we can take away that drudgery of remembering passwords and get people to believe that simple is good enough we could save a crypto rig or two, we'd probably want to pick a fairly IT illiterate crowd though” (laughter).

    “[REDACTED] users?” (much laughter)

    “You might just be on to something...”

  13. Hilmi Al-kindy

    I have maintained for years that complicating passwords beyond a certain point has no value in terms of security. Almost every instance of a compromised password I have run across is a result of:

    1) Social engineering

    2) Key loggers

    3) Compromised server

    4) Use of stupidly predictable passwords like 1122334455

    So if you look at the above, forcing me to use passwords with complicated rules does not address any of the above except no. 4, which can be addressed more simply by banning certain straightforward passwords.

    I like the way my bank does it, I can do any transaction between my own accounts with the password only, but as soon as the transaction involves a third party such as transferring money to my wife or paying my phone bill, I am required to use a code that gets sent to me by SMS and is only valid for that session. So in order to do anything useful with my bank account, a hacker would need both my password and access to my mobile phone. Far better than forcing me to use ridiculously difficult to remember passwords.

    1. Anonymous Coward
      Anonymous Coward

      um... no

      Actually, all they'd need is access to your bank login and your email account that you associated with it, and depending on the bank, they'd then be able to change your phone number, reply to the change email (log in to complete, etc) and then they'd be able to empty your account before you check that SMS when you wake up the next morning.

      Face it, we're never going to win (those of us who play by the rules)

      1. Roland6 Silver badge

        Re: um... no

        @theodore - depends upon the bank!

        I could publish my online bank account details: bank, username and password and you still wouldn't be able to access my account!

        That is because you also need my debit card, PIN and the code generator gismo.

        But yes the big weakness with respect to banking is all the mobile phone apps.

        1. Anonymous Coward
          Anonymous Coward

          Re: um... no

          Then they clone your card, skim your pin, and hack the gismo maker so as to replicate the code generator (Remember the RSA break-in?).

          1. dajames

            Re: um... no

            "Then they clone your card ..."

            While it's easy enough to clone a magstripe card, a chip card is another matter.

            1. Anonymous Coward
              Coat

              Re: um... no

              ...not really, you only need the right kit and that is... obtainable

        2. Mark 65

          Re: um... no

          @Roland6: You might want to do a little rethink on that statement. Jeremy Clarkson thought the same way but it turns out it isn't quite true.

          1. Roland6 Silver badge

            Re: um... no

            @Mark 65 - I said "online bank account details" (ie. name of bank, username and "my super secure password") not my "bank account details" (ie. branch code and account number).

            Although yes, with my online account details a third party could effectively deny me access to the online account due to their repeated authentication failures.

  14. Joe 35

    The flaw with the "it doesn't matter" theory is that with a list of email addresses I can then do a brute force attack against those addresses and some are bound to be hits. E.g. if I try "pa$$word" on a list of a million hotmail accounts, each only one try, I am probably going to get tens of thousands of hits. Now do it for the top 10 or 20 passwords, and I'd probably get 10% of the database. At least part of the iCloud attack is reputed to have used the top 500 passwords.

    So I suggest the first thing you need is a username that maps to an email address, and the username is used to log in, not the email. Now to even start an attack I first need to know your username for this account, and that's not something that's going to be bandied around as much as your email.

  15. Hilmi Al-kindy

    Putting rules in just means that people will take a common password and append a number and exclamation mark at the end. For example, Password!123: how is that more difficult to guess than password? Or Pa$$word? All you have achieved is made it more difficult for the user to remember. It is no more difficult to guess because you already know the rules, and you know that users are likely to use ! or ? for special characters and replace S with $.

    So I once again stress my point, complicating passwords has no genuine security value.
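The point made in comments 13 and 15 above, that the useful part of a complexity rule is a ban on predictable passwords, is what a blocklist check with normalisation does. The following is an added example, not code from the article or from the commenters; the blocklist, the leetspeak map and the list of "decoration" characters are constructed for illustration, and a real deployment would load a large breached-password list instead.

```python
import re

# Constructed sample blocklist; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "monkey", "1122334455", "iloveyou",
}

# Undo the substitutions users reach for to satisfy "special character" rules
# (illustrative map, not exhaustive).
LEET_MAP = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
})

# Digits and punctuation that get bolted onto the ends of a dictionary word.
DECORATION = r"[\d!?.@#$%^&*_+=-]+"


def normalize(candidate: str) -> str:
    """Canonical form used for the blocklist comparison: lower-case, strip the
    digit/punctuation decoration at either end, then reverse leetspeak."""
    s = candidate.lower()
    s = re.sub(DECORATION + r"$", "", s)   # "password!123" -> "password"
    s = re.sub(r"^" + DECORATION, "", s)   # "!!letmein"    -> "letmein"
    return s.translate(LEET_MAP)           # "pa$$w0rd"     -> "password"


def check_password(candidate: str, min_length: int = 8) -> list:
    """Return a list of rejection reasons; an empty list means the candidate
    passed the blocklist and length checks."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too short")
    lowered = candidate.lower()
    norm = normalize(candidate)
    # Compare both the raw lower-cased form and the normalised form, so that
    # "Password!123" and "Pa$$w0rd" are rejected exactly like "password".
    if lowered in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("common password (after normalisation)")
    elif len(norm) < 4:
        reasons.append("nothing but digits/punctuation once decoration is removed")
    return reasons


if __name__ == "__main__":
    for pw in ["Password!123", "Pa$$w0rd", "1122334455", "Kv3T!Qr%@?",
               "correct horse battery staple"]:
        print(repr(pw), check_password(pw) or "accepted")
```

The normalisation is deliberately aggressive: it only affects what is compared against the blocklist, so a user who picks a long phrase that happens to contain digits is not penalised, while the standard "capitalise, append !123, swap s for $" variants of a banned word are caught.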

  16. Anonymous Coward
    Anonymous Coward

    As a non-security industry person

    My understanding is that in light of modern offline brute force capabilities the best way to ensure an offline attack is more trouble than it's worth is to make your password very long and not so generic as to be part of some possible predefined table (eg. the alphabet).

    Have things evolved from this, or is 'my cat is named John and he is 9' still more secure than Kv3T!Qr%@?

  17. William Donelson

    This is CRAP. Any programmer with half a brain knows that any good password system should allow only one attempt every 1-2 seconds at most, and only 3-4 attempts before requiring more information from the account trying to log in.

    1. monkeyfish

      Except that's a PITA when I have to guess which password I've used for your account and have to try more than 3 times and get locked out myself. When that happens, if the site is not important, I just don't bother logging in at all. Which is detrimental to the site.

    2. Charles 9

      The thing is that the article notes that the trend is more towards either offline attacks where gatekeeping is useless or with distributed attacks where the site is swarmed with a million attempts from a million IPs, each trying to crack a different user just once or twice. You can't filter by username because each individual user is only attempted once or twice, and you can't filter by IP because of the sheer number of IPs being used in the attack. It's basically indistinguishable from the legitimate use case of a million actual users actually logging in all at once.
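Comment 14 and the two comments just above (William Donelson's proposal of a delay after a few failures, and Charles 9's objection that a distributed spray tries each account only once or twice and so never trips a per-account or per-IP limit) describe two different signals. The following added example, which is not code from the article or from any commenter, puts both in one class: per-account exponential back-off, plus a site-wide detector that looks at the failure ratio and the attempts-per-failing-account over a sliding window, which is the shape a spray has even when no single account or IP is noisy. All thresholds and the `FakeClock` used for the simulation are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Per-account throttling plus a site-wide password-spray indicator.
    Hypothetical design; every parameter value here is illustrative."""

    def __init__(self, min_interval=1.0, free_attempts=3, max_delay=300.0,
                 window=60.0, min_volume=100, baseline_fail_ratio=0.05,
                 spray_multiplier=5.0, clock=time.monotonic):
        self.min_interval = min_interval          # seconds between attempts, always
        self.free_attempts = free_attempts        # failures before back-off starts
        self.max_delay = max_delay                # cap on the back-off delay
        self.window = window                      # sliding window for the spray check
        self.min_volume = min_volume              # events needed before judging
        self.baseline_fail_ratio = baseline_fail_ratio  # normal failed/total ratio
        self.spray_multiplier = spray_multiplier
        self.clock = clock
        self.failures = defaultdict(int)          # consecutive failures per account
        self.last_attempt = {}                    # last evaluated attempt per account
        self.events = deque()                     # (timestamp, username, success)

    def delay_for(self, username):
        """Seconds that must pass before the next attempt on this account is evaluated."""
        n = self.failures[username]
        if n < self.free_attempts:
            return self.min_interval
        # exponential back-off once the free attempts are used up, capped
        return min(self.max_delay, self.min_interval * 2 ** (n - self.free_attempts + 1))

    def attempt(self, username, verify):
        """verify() performs the real credential check.
        Returns 'throttled', 'ok' or 'failed'."""
        now = self.clock()
        last = self.last_attempt.get(username)
        if last is not None and now - last < self.delay_for(username):
            return "throttled"                    # not evaluated, not counted
        self.last_attempt[username] = now
        ok = verify()
        self.events.append((now, username, ok))
        self._expire(now)
        if ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "failed"

    def _expire(self, now):
        while self.events and now - self.events[0][0] > self.window:
            self.events.popleft()

    def spray_suspected(self):
        """True when the window shows a spray signature: failure ratio well above
        baseline while each failing account has been tried only once or twice."""
        now = self.clock()
        self._expire(now)
        total = len(self.events)
        if total < self.min_volume:
            return False
        failed = [u for _, u, ok in self.events if not ok]
        if not failed:
            return False
        fail_ratio = len(failed) / total
        per_failed_account = len(failed) / len(set(failed))
        return (fail_ratio > self.spray_multiplier * self.baseline_fail_ratio
                and per_failed_account <= 2.0)


class FakeClock:
    """Constructed clock so the simulation runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def simulate_backoff():
    """Five failed attempts on one account, one second apart."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    results = []
    for _ in range(5):
        results.append(guard.attempt("alice", lambda: False))
        clock.advance(1.0)
    return results, guard.delay_for("alice")


def simulate_spray():
    """50 legitimate logins, then 200 distinct accounts each tried once."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    for i in range(50):
        clock.advance(0.1)
        guard.attempt("user%d" % i, lambda: True)
    before = guard.spray_suspected()
    for i in range(200):
        clock.advance(0.1)
        guard.attempt("victim%d" % i, lambda: False)
    return before, guard.spray_suspected()


if __name__ == "__main__":
    print(simulate_backoff())   # fourth attempt is throttled, delay has grown to 4s
    print(simulate_spray())     # (False, True)
```

In `simulate_backoff` the fourth attempt is throttled because the back-off has doubled to two seconds, and no attempt on "alice" ever reaches the verifier faster than that. The spray simulation shows the other half: every victim account saw exactly one failure, so no per-account rule fires, yet the window-level ratio is unmistakable. The sensible response to `spray_suspected()` is a site-wide step-up (a challenge or second factor on every login for a while), not lockouts, which would hand the attacker the denial-of-service that Roland6 mentions above.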

  18. Eric Olson

    I feel like I've read these comments before...

    Every time a new study, database theft, or webcomic comes up regarding passwords, everyone has an oar to stick in. On one side, you have hardened IT security and ops bods; the folks who have been assaulted from both sides over the years and want nothing more than to tell the users and hackers to fvck off and die. On the other side, you have IT professionals and other super-users who come here who want nothing more than to access their bank accounts, email, forums, etc. without having to worry about complex password requirements or resetting those same passwords because someone made a hash (no pun intended) of database security and now a table dump of plaintext passwords with usernames is floating around out there.

    I'm more of the latter group, though I did work in IT ops long enough to have developed a certain amount of contempt for users who think "letters and numbers, 6-12 character long" is an onerous password requirement. However, with my hundred or so logins between work, play, and educational pursuits, it's hit a point where every time a breach occurs, I'm likely impacted, meaning I have to go out again and change my passwords that might be related to the email address or username I used for the compromised site.

    Because of that, I've developed a certain amount of cynicism over the years about the value of coming up with a 16 to 20 character password (assuming it's accepted by the site) that uses numbers, letters, special characters, etc. As amusingly debated above about the safe, the problem is that we don't know where the safe is, how it's protected, and how hard it is to penetrate. And that's assuming that you aren't being spear-phished or compromised by a man-in-the-middle attack that doesn't even care about best practices being used by both your safe-keeper and yourself (spear-phishing is getting better and better and even the smartest person can be hoodwinked by a well-crafted attack, or be surrounded by people who can be).

    So for those most important sites, accounts, etc., assume the worst and make a unique password that is complex, enable two-factor authentication if possible, device-logging and notification, and even treat the security questions and answer routine as password-esque, keeping a hard copy of the questions and answers offline and in your possession. That's about all you can do, unless you have the money and resources to create a dedicated link to the site, get biometric verification implemented, and require some kind of at-login phone-call to a randomly generated number that always goes to your secured and special built phone.

    Everything else is a crap-shoot and should be treated as such.

    1. Tom 13

      Re: I feel like I've read these comments before...

      I agree.

      First order of business is deciding how critically important a given site is. Appropriate levels of complexity depending on need. If it's one of those damn "give us your email name to download our trial software" sites, yeah, you're gonna get my spam account and probably "password" or the nearest hash of it for the account. If you're a site where I have a reasonably established identity I'll probably set a decent password. If you're my bank I've got a complex password and recorded it someplace safe.

      Let's face it, unless you have government size resources, you can't make something nobody can get into except others with government size resources. The bad news is, those bot armies controlled by the bad guys now constitute government sized resources and lots of people can rent them.

    2. Anonymous Coward
      Anonymous Coward

      Re: I feel like I've read these comments before...

      Amen! I've always worked both sides of the street, so when they invented DevOps, I've been there, done that for decades in addition to my irregularly scheduled duties. There's what should be and there's what works. And when someone mangles their password, and it's 2 A.M. I still don't give someone a hard time 'cause there will come a time when we are breached and I want to know right away that "Houston, We have a Problem."

  19. Ben Tasker

    Twats

    What an absolute shower of idiots.

    If you're storing credentials, assume whatever #defences you have in place will be breached at some point and an attacker will walk off with your database.

    Doesn't mean you shouldn't have other defences in place, but having other defences is never a suitable excuse for not doing your best to ensure those credentials can't be calculated if stolen - requiring strong passwords is just one part of that. Using a good hashing mechanism is another part.

    Advising against re-use is more about protecting your users - if the worst does happen, it's one (hopefully irrelevant) account, rather than every account they have on every service.

    <sarcasm>

    I mean, if we're working on the assumption that our defences are good enough, why even bother using salted hashes? An attacker's never going to get to the database, so plaintext passwords are fine, just like they have been for years

    </sarcasm>

    1. Eric Olson

      Re: Twats

      It's called picking your battles. If you know or expect that a site or account is going to be well-built and administered and it's of high-value to you, then by all means take the time and effort on your end to not be that weakest link. That means hardening the password reset system by using fake questions and answers, for example, making hideously complex passwords that either can only be remembered through obscure and personal mnemonic devices and hashes or writing them down in a secured environment (so your home, not your wallet), and turning on two-factor authentication and keeping that 2nd factor on a device or account that is also protected in a similar manner.

      But if it's high-value but associated with dodgy security practices, there is no reason to carry out the above, as it will just be compromised the next time the sys admin decides to install a turnkey device as a gateway to everything that has known unpatched vulnerabilities and keeps the install vanilla and default. Or they encrypt everything in plaintext and never bother to test for SQL Injections. Or has a hash table that is kept in the same vulnerable database as the username and password table.

      In those cases, your best bet is to take simple steps (which vary person to person) to secure yourself, turn on all the possible alerts and notifications about changes or modifications, and then sit back and pray. It's not if, it's when. It might even make sense to change the password on a monthly basis, just so that when it is compromised, you limit the window of vulnerability. Or just stop doing business with such miserable failures and find a new provider for your high-value services.

      1. Anonymous Coward
        Anonymous Coward

        Re: Twats

        And I'd hate to think what would happen if you had NO CHOICE but to use an insecure site (either because it's required for the one and only job you can take or because ALL the sites for a particular sector are equally bad). Meaning you can't trust it yet you can't walk away, either.

      2. Mark 65

        Re: Twats

        "It's called picking your battles. If you know or expect that a site or account is going to be well-built and administered and it's of high-value to you, then by all means take the time and effort on your end to not be that weakest link."

        Using a password generator and a storage mechanism such as a password manager isn't really time or effort.

  20. Roland6 Silver badge

    Website Builders...

    Has anyone done a security evaluation of the various off-the-shelf website builder packages and cloud services with respect to their out-of-the-box security credentials?

    It's just that it seems that the security problems that have been reported are for bespoke websites that have been 'professionally' developed.

    I ask as it would seem that we've yet to create and promulgate good practice security patterns.

    1. Anonymous Coward
      Anonymous Coward

      Re: Website Builders...

      Go open source as there is an increased likely chance of detection and that the someone who finds it will also know what needs to be fixed. I see those kinds of reports every day.

  21. Anonymous Coward
    Anonymous Coward

    Should have spoken to ebay

    they know all about strong passwords...

    #Not...

  22. MrDamage Silver badge

    Translation

    We've never taken security seriously. Why should you?

  23. Dodgy Dave

    The First Blast Against The Monstrous Regiment Of Passwords?

    If there's one thing I applaud the authors for, it's the epiphany (in corporate IT-space, at least) that HUMANS CAN'T DO PASSWORDS BETTER THAN MACHINES.

    It's 2014, I'm using a browser comprising 150,000,000 bytes of code, on a chip with 1,000,000,000 transistors, on a machine with 1,000,000,000,000 bytes of disk storage. Are we really saying that there is no technology we can deploy which will authenticate me to an (even more powerful) remote server that works better than me having to remember and type in 'Ding0E5Kidn3ys' every single friggin' time?

    Come on The Internet. Get your ass in gear - we're not the problem, you are.

  24. Jin

    Nice logic!

    "They found that requiring strong passwords is a waste of time when other security mechanisms, such as encryption and hashing, are absent or badly implemented." Then requiring safer automobile mechanisms and better traffic regulations would be a waste of time when there are people who drive cars drunk. What a nice logic!!

    1. Roland6 Silver badge

      Re: Nice logic!

      Not quite. The logic is basically saying that requiring people to wear seat belts is largely a waste of time when the people who design and build the roads can't agree on which side of the road people should drive, get traffic lights to operate in phase, correctly label lanes etc. etc.

  25. Crisp

    It's a bit much when the obligatory XKCD is in the article.

    What's a commentard to post now?

  26. Dragonii

    Why use passwords ?

    What surprises me still is why are we still using passwords for authentication purposes.

    Focusing only on server-side attacks (i.e. SAM hash dumps), why not use certificates to ensure *very* strong and random passwords a 4-digit PIN access away? Agreed, probably the solution is more enterprise oriented, but aren't those targets the more attractive today?

    Why rely on humans to come up with a good password? Just let the machine do its thing and relieve the burden from the user. Yes, its individual password is still vulnerable to local attacks, but if the password hash DB is leaked, the contents are well protected.

    I'd have liked the paper to mention some words on this...

  27. Anonymous Coward
    Anonymous Coward

    XKDC?

    s/xkdc/xkcd/g

    FTFY

  28. Jes.e

    That reminds me..

    Speaking of Web site best practices..

    When I first signed up for the forums here several years ago, I noticed that The Register was not using SSL in any part of the transaction and my password was being transmitted in the clear.

    Is this still the case? (I'm on my phone right now..)

  29. Bob Carter

    Waste of Time

    Whilst the sites allow you to reset the password based on some spurious question such as your mother's maiden name or your date of birth or some other fact that can be researched, then just how strong the original password was simply does not matter..

    from personal experience.....

  30. Adam Inistrator

    solution is lateral thinking

    I think that people should not be able to issue their own password but be able to receive randomish but memorablish passwords without great entropy to their email address on request. Three password or other failures would cause account lockout until some procedure is followed - possibly as simple as requesting a new password to their email address. This will solve a massive range of problems but introduce other problems which I think might be lesser.

  31. Jin

    A way to safely manage hard-to-break passwords

    Sufficiently strong passwords are the key. Generally speaking, hard-to-break passwords are hard to remember. But it is not the fate. It would be easily possible to safely manage many such high-entropy passwords with the Expanded Password System that handles images as well as characters.

    Each image/character is identified by the image identifier data, which can be of any length. Assume that your password is “ABC123” and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break “ABC123”, but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

    When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “ABC123” and the different servers will receive all different high-entropy authentication data. Brute-force attacking of “ABC123” and other similarly silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

    Incidentally, ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important.
