I'm in the wrong job!
Like many will say here, it's stating the bleeding obvious.
Password1! = Great
jodfnbjiobioebvjiowrbvhuirbkomefbjonerinbkowmbvjibefirkobjoernobneriobvjklfnbjonfon = Bad
Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley (@MarkStockley) revisited his examination of …
This post has been deleted by its author
My company's website doesn't have any sort of password meter. I always thought them to be a bit suspect at the best of times.Nor does it limit choice of password characters.
What it does do though, is force a password length of 10 characters or more
It's about time we got rid of annoying character restrictions and focussed more on password length. The number of sites which still accept 6-character passwords is amazing.
perhaps the obvious isn't good enough.
back in the day, CompuServe generated a password for you, consisting of two unrelated words and something from the 'shift number' row on your keyboard. Same basic idea.
besides, abc123-fart would be just fine. It doesn't take much to destroy a dictionary attack. they're not that sophisticated. most of them are probably done by non-native English speakers or script kiddies anyway...
(but don't use 'fart' as it's probably going to go into a dictionary now)
so go ahead and use your easily remembered password, then add something else that's unrelated with a shift-number figure in between.
There are lots of sites out there that seem to be stuck in the 1980's when an 8 character password would have been enough. Times have changed. Storage space is now so cheap we can afford for our users to have passphrases hundreds of characters long.
While correcthorsebatterystaple style passwords have some flaws they are still several orders of magnitude better than Password1. The other "solution" used by US government sites is to force the users to change their password every few weeks - this gives another illusion of security as many users simply increment the number at the end of the password or write it on the monitor - I saw someone enter Password35 a while back.
Personally I always use Passowrd1 ... (OK, I'm kidding).
"The other "solution" used by US government sites is to force the users to change their password every few weeks"
That's mainly to close or detect undetected breaches. Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected as the user is prevented from changing the password (because the crook did it first) and raises the alarm with IT.
@Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected...
It also means, especially since the users cannot use passwords similar to old ones (along the lines of Password34->Password35), that a (more) significant portion of the user population gives up on mnemonics and starts writing passwords down. The overall effect is that the probability of breach increases.
Thumbs up to the initial letters method.
I favour lines, couplets, or even stanzas from poems or Shakespeare plays. You can include punctuation, it's far more memorable than horses, batteries and staples, and it's moderately incomprehensible to anyone who doesn't know the source quotation. If numerics are required, it's easy to add a bit of 1337 substitution.
For example: Nadwh,nafn,4hcttrwh - long and obscure, yet absurdly easy to remember when you know the secret. You can probably guess it, but it may take a while.
"I favour lines, couplets, or even stanzas from poems or Shakespeare plays"
Most people would likely choose one of the most well known quotes, and they are susceptible to dictionary attacks. Great if you have an interest and knowledge of more obscure quotations, but most people don't. One government dept, I did work for assigned passwords to users, non-changable by the users and were invariably the initials from common nursery rhyme lines. Randomly capitalising letters or adding unexpected punctuation would help if it's long enough. A personally memorable phrase that's not a literature quote would be even better.
The company I used to work for had two systems, both of which demanded you changed your password every few weeks- usually at random times during the day when you were in the middle of something more important (like speaking to a customer), and which couldn't be anything you had used before or something similar (So if you had used Password1, then Password<n> was verboten).
Several of us got into the habit of changing the password on the first of the month (which reset the timer) and instead of trying to think of something secure we just used the date. March2015 was sufficiently different from April2015 etc, and of course wouldn't be used again! Since it ended up with half the office using the same password, the system obviously didn't recognise that this was going on!
Why thay did this is unknown, it wasn't an environment where operator security was relevant.
"The funny thing about that xkcd is that instead of encouraging better passwords it has simply lead to 'correcthorsebatterystaple' climbing up the most popular password lists!"
And what about those with terrible memories, who take that and end up instead mixing it up with "enginestapledonkeywrong" and getting all lost?
Passwords always have been difficult for the non-spellers.
I remember a group shared account where the password was set to 'pterodactyl'. The non-spellers were complaining within the hour.
It is better to write it down in e.g. a diary, rather than on a post-it note by the screen.
I thought of a very efficient hashing system. Only store the length of the password. Up to 65,535 character length can be identified in 2 bytes. Oh wait - 32,767 characters; it's signed. And, yes, I'm allowing password length zero; someone's going to want it. Pedants, I expect.
How long ago was XKCD/936?
way back in the dard ages, I used passwords with about 60 bits of entropy, a long time before XKCD suggested that using something with 44 bits of entropy was a good idea, and now I'm happy using passwords with 150 bits of entropy (the XKCD scheme would require a dozen or more English words to match that); I guess our salvations is the good ole password safe.
Actually, given how many passwords I want (and how reluctant I am to use the same one twice) I's probably have to use a password safe even to hold that many passwords with 44 bits each of entropy (even more so with 64 bits of entropy, which I believe is more like the correct number for a sequence of 4 English words than XKCD's underestimate); and once I'm doing that, I can passwords as complex as I like, all I need to remember is a decent pass phrase (decent means more that 500 bits of entropy, and using famous bits of Shakrspeare or Chaucer or the like) in case someone gets access to my safe or its backup.
So I believe that the thing about passwords that needs rethinking isn't a switch from things we can't remember to things we can, but a switch to acceptance that passwords we can't remember are what we have to live with - I'm happy to remember one nice long pass phrase, bu I'm not going to truy to remember a hundred (and anyone who does try is crazy).
I never relied on those strength meters anyway. I use KeePass, and it has a built-in password generator which seems to be pretty good at coming up with complex passwords, and has configurable options as well. And, because KeePass is a password manager I don't have to remember those passwords, just the hellishly long one I use for the master password. I also use a keyfile, so it's not just a case of getting hold of my master password to try and get my online passwords. And, because it's KeePass, it's a local solution with no cloud interaction that means my password database stays out of other people's hands.
@Captain Scarlet
Yes, writing down passwords for online accounts is recommended by no less a provenance than Qi:
http://qi.com/infocloud/passwords
"The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware"
"Dream on."
"Oh? How do they get to it if it never goes online?"
-----
Your machine is compromised by visiting a website with an exploit.
Or is your machine free & your holy Keepass free from all past, present and future vulnerabilities.
Security is about being paranoid all the time, you sound smug and complacent, an accident waiting to happen.
"my password database stays out of other people's hands"
Dream on.
Er, well, short of the NSA or GCHQ breaking in to where I live and cracking the password on my laptop, then cracking the password for my encrypted partition; and bearing in mind I am absolutely not putting my password database file anywhere near a cloud service; and noting that I don't let most javascript run in my browser so there's little hope that a script could get a virus onto my laptop via web browsing; and no-one else has a login to my laptop so they can't get anything on to it; and it runs Linux Mint for general work; I don't quite see how anyone else is going to get hold of the database file. So what is my dream exactly?
This post has been deleted by its author
I was trying to configure our Virgin Superhub* 3 the other day, and I'd got as far as the wireless password, so I put in the one that we'd been using previously, which is eleven characters long, and a mix of upper/lower and numeric (with a token symbol).
Nope, the password strength meter stays on "bad".
OK, I think, maybe they don't allow symbols.
Nope, still no joy. It's only after really carefully reading the password restrictions that I notice "and must contain one or two numbers". The password I was trying to use had three numbers, and thus was deemed to be insecure.
Yup, nice work there Virgin, and by nice I mean crappy.
* (actual hub may be 60% less super than advertised)
My first email password was 'ncc1701' (and here's me thinking I was being clever! <facepalm>) because the email system only allowed a max of eight characters. Even now, the same email system allows a max of 10 characters (although they didn't tell me this until I gave it a 16 char password and it wouldn't let me login afterwards - that when support told me it had only registered the first 10 characters and when I was trying to login with all 16 - it wasn't actually the same password...)
I like long passwords, but ones that make sense to me, but are therefore very easy to remember.
2bOR!2bThatIsThe? is one I used for quite a while (where systems allowed for sufficient length)
But can you do that over and over again, hundreds of times, with different sites with different rules, without getting them mixed up? One or two good passwords can be doable for most, but most people have to manage well over 100, and any breach can result in a cascade as the knowledge gained from weaker sites can be used to break stronger ones.
"Paul C. van Oorschot of Carleton University, Canada, joined the password provocateurs in a paper published months earlier in which they rammed a research rod into best practice security spokes arguing crap passwords should be reused on low risk websites so users can concentrate on recalling a couple of really good passwords for important sites."
The problem here is that weak sites can still be stepping stones to identity theft which can then be used to gain the credentials needed to break the higher-security sites.
"weak sites can still be stepping stones to identity theft"
Only if you're stupid enough to give your real details to sites that don't need them, instead of signing up as Jethro Q. Walrus-Titty, with an address in the Svalbard Archipelago.
But unfortunately, as George Carlin said, “Think of how stupid the average person is, and realize half of them are stupider than that.”
They can still match you by IP and other habits, which can be gleaned no matter how much you try to cover it up
Hell, my IP points back to my domain name (RDNS). Nothing to hide there.
I use a number of throwaway email addresses (no idea how many, they're single use) eg 10minutemail.com for sites I want a quick answer from that I am not likely to visit again where I have to create an account to get the answer (and I can't find it reasonably quickly enough elsewhere). Cracking those sites would give you nothing, you don't have a valid or even existing email address. You might get my external IP (which gives you a few thousand possibilities for internal IPs) but that's about it.
For more secure things (bank, email etc including my spam address) I have unique passwords which hopefully are plenty secure enough, and not stored somewhere obvious (yes all are written or typed but even if you had the list you wouldn't know what belongs where).
Now tell me.. if you have my email address (as many hundreds or thousands of people do) but not my log in details for my email address, what use is that? If you have a couple of hundred of my weak passwords and can deduce what pattern I use, what use is that? So you can log in as me on a few dozen sites I've forgotten about (and probably did not use any identifying info on) - how can you breach anything that matters?
I would honestly like to know if there is some risk I've overlooked.
So what can you do? There seems to be an UNhappy rather than happy medium here. You reach a point where people can't remember their passwords yet they're still too simple to block brute forcing. And people don't have the best of memories nor have any other means of identification. So what do we use?
@AC Password strength meters should work like this:
"Well, your password is WEAK, so we won't allow it until you bring it up to standard."
Instead of:
"Well, your password is WEAK, but okay..."
Since the article points out that password-strength meters are useless, this seems like a pointless suggestion.
Password strength meters should work like this:"Well, your password is WEAK, so we won't allow it until you bring it up to standard."
Maybe not the greatest idea you've had.
Example. A while ago I created a new Skype account. I used a passphrase that was 5 or 6 words with symbols/numbers filling the "spaces". It wasn't based on anything common. MS's password strength tester told me it was too weak.
So I went with a line down and up the keyboard. The password of "3edcVFR$" is considered "secure" by MS's systems (yes, "MS" and "secure" in the same sentence... :) ) but a password like "Shorewall77cleans&*and79protectsmy*)sHiney" (yes, the last word is Shiney! :) ) is insecure.
Try as I might, MS's server would not allow me to use a secure password and insisted on the insecure one that is probably in every password dictionary since the day Noah wrote down the combination to his tool locker. Apparently too much of my password was made up of English words. But they weren't in a common combination (eg a well known quote) and had a considerable amount of other stuff in there as well (even if alternating use of shift over 77 78 79 80).
A common quote with normal spelling etc is quite weak. A common quote with a numbers or special characters replacing the spaces should be enough to get around any reasonable rate-limiting system (my own server has a limit of just 3 tries, then you're blacklisted until I manually remove your IP address from the blacklist; took less than 5 minutes to set up using a couple of standard tools).
The best password security is out of the user's hands; rate-limiting (like a lock out for a few hours on an account after 3 bad tries) and doing a damned good job at protecting your server's files. If you seriously limit number of tries against a password, even "12345" can become relatively secure again - if the baddies only get 3 goes then chances of them breaking even the weakest passwords are greatly limited. And yes, I would rather have to prove my identity after 3 mis-typed passwords then lose access to something that mattered.
I'll accept "we tried our best but they got in anyway" over "they didn't get in but only through their stupidity" any day.
Leave out vowels and you may not hit a block on using real words in a password. However, my method is a handful of random letters... that aren't vowels; when I make a password up, I expect it to be accepted.
Counter example as I've mentioned before: Fiqbly54 apparently contains a real word (I presume "Fiq", either a sort of fig or a mistyped one) and a personal name ("Bly" I suppose exists), so a strict password rejecter may reject it.
I presume you wrote or have seen the spoof password policy which allows at most one actual password to be used, so we will take that as read.
Most websites won't allow me to strengthen my password by lengthening it beyond an arbitrary eight or nine characters, and when they do they won't authenticate me next time because what gets accepted, what gets stored and what gets presented to the client for the login process are not standardized in the organization running the site.
It works as a countermeasure to undetected breaches. When the deadline hits, the password gets changed one way or the other. If the user changes it, the breach gets closed because the stolen password doesn't work anymore. If the intruder changes it, the user gets blocked and informs IT, which then notices the breach.
And yes, some breaches won't get detected because they're either very cleverly disguised or they're inside jobs so are easily masked.
PS. Don't smarter password systems detect the "just append something to the old password" approach?
"PS. Don't smarter password systems detect the "just append something to the old password" approach?"
I remember mentioning this the last time there was an article here about password stupidity. If you are only storing a hash of the previous password, you could maybe check a couple of characters added or subtracted, so see password1 from password or password2, but other than that it would take a very long time to check the hashes. Now, I've never set up a password checking system, but are the passwords hashed on the client side or the server side? If it's the client side, you cannot even do what I said above.
"But any password system that's out to block reuse and common foibles won't keep a hash but the actual password (encrypted if it's smart)."
Good point. It doesn't even need to keep the current password stored at all other than as the normal hash. At the point where the system asks you to change your password, it asks you to enter your existing password first. It can use this to match against the new one, at which point the old one is now forbidden and safe to keep stored and added to the list of n previously used passwords. Still encrypted preferably since if anyone got access to a users previous list of passwords, many will probably demonstrate a pattern of password construction.
"Wouldn't this get noticed the next time the user tried to log in and found their password didn't work any more, regardless of when they last changed it?"
Precisely the point!
If someone else changes a user's password without IT's knowledge (which is what an intruder would be forced to do if he stole account details and hits the forced-change deadline), then the real user would get locked out, find out about it, and inform IT. You WANT IT to be informed since that means a newly-detected breach.
"Wouldn't this get noticed the next time the user tried to log in and found their password didn't work any more, regardless of when they last changed it?"Precisely the point!
If someone else changes a user's password without IT's knowledge (which is what an intruder would be forced to do if he stole account details and hits the forced-change deadline), then the real user would get locked out, find out about it, and inform IT. You WANT IT to be informed since that means a newly-detected breach.
Actually point the AC was making was that changing a hacker changing a users password would make the breach undetected until there was a monthly forced password changed, evidenced by the first line of the paragraph I was replying to :
It works as a countermeasure to undetected breaches.
What you say is logical, but my post was in response to the implied "forced regular password changes mean hacks are detected more quickly" of the original post.
(In reality, I think you'll find most hackers won't change the password as they wish to remain undetected, and will try to find a way to get the new password as soon as it's entered)
"Work insists on a change every two months."
a really good password can be kept for DECADES, so long as it's hard to guess and easy to remember. Changing it more often than your socks can only create confusion and resentment and HORRIBLY insecure passwords like "passwordAugust"
"solutions" that hyperfocus on pathetically insignificant details just irritate me, like the people who think them up AND the people who insist on implementing them. They probably 'feel' everything instead of 'think', too. How predictable, yeah.
"a really good password can be kept for DECADES, so long as it's hard to guess and easy to remember."
No password no matter how long is immune to shoulder-surfing and keyboard sniffing. In which case, the resultant breach could go unnoticed for decades, too.
Which would you rather have? A bunch of weak passwords that at least get changed every two months, closing any holes they might have made or stagnant passwords that in turn get stolen and go unnoticed?
No password no matter how long is immune to shoulder-surfing and keyboard sniffing. In which case, the resultant breach could go unnoticed for decades, too.
At least one of mine is. It's for a secure server so I don't allow anyone in a place where they could see me log in to the account (and no, no way you could install cameras to catch it either), and requires a certain bit of cut'n'paste as well so is immune to hardware loggers (although as the keyboard is plugged into the machine as needed you'd have to doctor the keyboard itself, and as you can't be sure which keyboard would be used...).
With thought and location planning you can make a password completely immune to shoulder surfacing and to all but decently sophisticated software loggers. Which would be flagged up the moment they were installed on the machine as well (unless several systems fail, not realistically likely - but having said that I'll schedule a few checks to make sure all is as it should be over coming months, Murphy 'n'all).
At this point, with the problem of password reuse, why are we even allowing users to pick their own passwords? Unless it's something like a desktop login password, give them a random password of 24 or more characters and tell them to save the damn thing in a password manager.
"Here's your new password, you won't be able to type it, much less remember it. Please save it in your password manager and enter it twice now."
Probably because a business setting is more prone to insider theft and "shoulder-surfing". Most office settings are discouraged from storing anything of security significance, be it the Post-It on the monitor or the text file on the computer. It's something right out of Dilbert: they're required to produce a password too difficult to remember and then be required to remember it anyway.
Here's some needed perspective on passwords and analyzers:
According to https://Passphrase.Life, EVERY 8-character (and under) password will be automatically cracked in under 6 hours, assuming a database breach (offline attack)! It's just simple math. The GPU hardware cracking rigs are only getting cheaper. That means that "abc123", "trustno1" and "ncc1701" aren't worth consideration.
The slightly longer ones, "iloveyou!" and "primetime21" will be cracked in mere seconds, because they are lo-bound human passwords, not randomly created, and have little entropy. Again, Passphrase.Life makes this clear. It's the only analyzer that shows you the difference in strength between a truly random password, and one made the other way.
Since Passphrase.Life snidely rejects connection by Internet Explorer, feel free to tell me how it rates my recently discarded random-ish password: Mtlhrw13
(Mnemonic: "Metal harrow")
I have been sceptical of https://www.my1login.com/resources/password-strength-test/ which says,
"Time to crack your password: 443 years
Review: Fantastic, using that password makes you as secure as Fort Knox."
- but also says "Make your passwords at least 15 characters long": why? 443 years to crack that one, and it expires after about one month.
So... maybe the assumption about how good cracking hardware will be 442 years from now is not up-to-date.