Why Do Login Dialogs Have a "User" Field?

The example you gave was “I live in a house at 123 Maple.”, which is none of these … I’m not saying it’s not better than “password” or even “123Maple” … but to say it is the same as 31^70 is just misinformation.

It just proves there are bad passwords within the 31^70 possibilities. At worst it’s a bad example not misinformation. :slight_smile:

Also, given that I’ve been generating random passwords for web sites for a long time now, I can tell you that there are a significant number that still only allow 8 characters … and probably most only allow 16/32, which cuts down your passphrase a lot

The whole point of this idea is to replace those 8+8 style authentication systems with ones that allow long passphrases.

(plus it sucks to type that much blind anyway).

Very true

Asking “how mathematically likely” a collision will be is the wrong question isn’t it?

Passwords collisions are essentially a social and/or psychological phenomenon. Password choice will be influenced by social context and the way our brains are wired.

So unless you have a mathematical model that takes both these factors into account, it’s not going to make useful predictions concerning the likelihood of password collisions. I’m not sure how practical it would be to create such a model.

Some other authenticators don’t suffer from this problem. E.g. smart cards use machine-generated secrets, so the probability of collision is vanishingly small. So for smartcard authentication, there’s no need to ask for a username. Also, I gather the fingerprint reader on the ThinkPad laptops logs you in. (Not tried it - I installed Vista on my T43p as soon as I got it, and the fingerprint reader isn’t supported on the Vista betas yet…)

scott lewis said:
Now Bob knows someone else on the system has that
password. He can just punch it into the login form
and gain access to that other user’s account.

I suppose the passwords could be generated by the system. This would also mean that the user wouldn’t have to think of a unique password…

As stated earlier, if password was the only criteria, you’d frequently have problems where someone could discover another user’s password when changing her own. Since you only need a password to login, you’ve effectively given users a password sniffing device.

You need to look at the psychology of the situation. Most people use passwords like “password”. Even forcing them to pick a tough one will get you “pa55w0rd”. So accidentally picking someone else’s is fairly easy.

What makes me crazy are the password dialogs that require you to double-enter, not the obfuscated password (which is necessary), but your plain-text email. My guess is that the practice catches only a tiny fraction of errors - and it’s a nuisance for 100% of users. Bad tradeoff.

As Ian pointed out, the probability that two people will choose the same passphrase accidentally is greater than you hope. I imagine a large percentage of people would use quotes from pop culture. (“All your base R belong 2 us!”, “I coulda been a contender!”)

Second, everyone in the system becomes a potential hacker.

Third, just as a passphrase is easy to remember a bad passphrase is easy to guess. If you have a username and that user happens to be ignorant/lazy, you have a reasonably good chance of guessing his password. But what are the odds that out of the entire organization, one person will type “Go Packers” or “All your base R belong 2 us”?

I’m thinking of a passphrase that’s over 150 characters long, contains upper- and lower- case letters, numbers, and other characters. I live in the southeastern United States. I bet on that information alone, you or one of your readers will be able to guess my passphrase.

The username adds security.
It’s much harder to guess a PAIR of values than it is to guess a single value.

Let’s say you had 1,000 users. That means that there are 1,000 CORRECT ANSWERS (to a hacker). With a password-only login process, you are 1,000 times MORE LIKELY to be able to break in with a brute-force attack.
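Two of the objections above can be made concrete in a few lines: the comment that a password-only system hands every user a "password sniffing device" (the rejection you get when you try to set a password someone else already has), and the comment that with N accounts a single guess has N correct answers. The following is an added example written for this page, not code from the thread; the account names, passphrases and the alphabet size are constructed for the demo.

```python
"""Model of a password-only login as discussed in the thread (added example).

It demonstrates:
  * set_password() must refuse a password another account already uses,
    and that refusal is an oracle: it confirms the password opens someone
    else's account;
  * with N accounts and distinct random passwords, one guess succeeds
    against SOME account with probability N / keyspace, versus 1 / keyspace
    when the attacker must also name the account.
"""
import secrets
import string
from fractions import Fraction

# constructed alphabet for the demo; size 94 (printable ASCII minus space)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


class PasswordOnlyLogin:
    """Accounts are identified by password alone, so passwords must be
    unique across the whole user base."""

    def __init__(self):
        self._by_password = {}  # password -> account name

    def set_password(self, account, password):
        """Return True on success, False if another account already has
        this password.  The False tells the caller that `password` is a
        valid login for someone else."""
        owner = self._by_password.get(password)
        if owner is not None and owner != account:
            return False
        # discard the account's previous password, if any
        for pw, acct in list(self._by_password.items()):
            if acct == account:
                del self._by_password[pw]
        self._by_password[password] = account
        return True

    def login(self, password):
        """Return the account that owns `password`, or None."""
        return self._by_password.get(password)

    def probe(self, attacker, candidates):
        """The 'sniffing device': the attacker changes their OWN password to
        each candidate; every rejection is a confirmed password of some
        other account."""
        leaked = []
        for pw in candidates:
            if not self.set_password(attacker, pw):
                leaked.append(pw)
        return leaked


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols over `alphabet_size`."""
    return alphabet_size ** length


def success_per_guess(num_accounts, alphabet_size, length):
    """Chance that one random guess opens SOME account, assuming every
    account has a distinct random password of the given shape.  With a
    username the attacker must hit one specific account (num_accounts=1),
    so password-only login is exactly num_accounts times easier."""
    return Fraction(num_accounts, keyspace(alphabet_size, length))


def demo():
    system = PasswordOnlyLogin()
    # constructed accounts with the kind of passphrases the thread worries about
    system.set_password("alice", "My dog's name is Jake")
    system.set_password("bob", "Go Packers")
    system.set_password("mallory", "".join(secrets.choice(ALPHABET) for _ in range(12)))
    # mallory "tries out" popular phrases as her own new password
    leaked = system.probe(
        "mallory",
        ["Houston, we have a problem!", "Go Packers", "My dog's name is Jake"],
    )
    return [(pw, system.login(pw)) for pw in leaked]
```

In `demo()` the first candidate is accepted (nobody else had it) and the other two are rejected, so `probe()` returns them, and `login()` shows whose accounts they open. Note that the uniqueness check is not optional in a password-only design; it is what makes the oracle unavoidable.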

I like this idea, but I think much more likely would be something that automatically put in our username (based on fingerprint, or proximity sensors, or something else), and we still have to put in the password.

I have to agree with Daniel and Scott Lewis. A passphrase only system would work fine in an environment with 100 users, or even 10,000. But what about Hotmail? You have hundreds of millions of accounts, is it still statistically impossible that a user will choose the same passphrase as someone else?

Users simply will not create random enough passwords, thereby cutting the statistical improbabilities down drastically. If you could force a user to have a 30 character password consisting of “uI987$$%aiAAncca@333ao” that would be secure, but who will remember that without a post-it on their monitor? I’m sure that at least two people would try to use “My dog’s name is Jake” as a passphrase.

Okay Now,

That was good out-of-the-box thinking … but only goes so far as far as practicality is concerned.

I don’t think it’s gonna work.

As somebody said, there’s a trade-off between security and convenience.

The convenience you gain in not having to supply a username, is more than lost when you are required to remember and type in exactly a 30+ character pass-phrase!

May I suggest a better “convenience” workaround … use auto-suggest in the user name field.

Accepting your proposed model for a while …

Picture this… as an Individual, I log in to multiple systems … my webmail, my PC, my online banking etc etc … and all these systems have their own password (rather, pass-phrase) policies. So it’s highly unlikely that you can set the same password for all accounts (Which is not safe anyway), or use a similar punctuation pattern on all of them.

So now I have to remember at least half-a-dozen 30+ character pass-phrases, which are very likely not plain english.

And as a hacker if I try typing in just any phrase I like, say, after every coffee break,… there’s a good chance I will one day log in to a millionaire’s online banking account.

It’s almost like your wife sleeping with anyone who spells her maiden name correctly. She doesn’t care to look at the face to check if it’s you.

Think!

“We broadcast our username in every email we send. There’s no security in a username. It’s public information.”

It’s not totally public information. What if someone steals your laptop? They now have to try just passwords. Making them guess a valid username/pass makes it that much harder.

Hmmm…

I think it has to do with the herd mentality. Imagine a sufficiently large user base (for example MySpace.com).

Now I go login and start using the “hip” pass-phrases of the day…

“Houston, we have a problem!”
“He’s a Family Guy”
“Shut up Beavis”

And perhaps there’s a good chance I’ll actually hit upon someone’s. Doesn’t matter if I know who they are.

Although I am all for the use of pass phrases, I also think in community sites, people tend to use common phrases because they’re easy to remember.

They’re hard to guess if I have to guess one user at a time, but not if I can guess every user at a time.

Of course, by simply adding some punctuation requirements to a pass phrase, this is easily mitigated.

Just a thought, not a defense.

But what about Hotmail? You have hundreds of millions of accounts, is it still statistically impossible that a user will choose the same passphrase as someone else?

In that specific case (many millions of users), I agree. It’s too risky. But it seems safe enough to me for thousands or even hundreds of thousands of users. And that’s a much more common case.

I’m sure that at least two people would try to use “My dog’s name is Jake” as a passphrase

As Ian points out, we can’t mathematically model this. But I think the actual chance of this happening – with 30+ character pass-phrases that have numbers and punctuation – is negligible until you get to the millions of users case.

Bear in mind that a simple pass-phrase like “My dog’s name is Jake”, at 21 characters, would take 21^70 attacks (3.59e+92) to brute force. A typical 8 character password, even a highly secure one using most of the ASCII character set, would take 8^90 attacks (1.89e+81) to brute force. That means the pass phrase is 189,344,110,958 times more secure…

I think it’s easily secure enough to tolerate a couple hundred thousand users, even factoring in human fallibility. Opening up passwords to complete sentences makes it far easier for users to think up unique, easy to remember secure passwords.

I got another reason for you. Hashes and Salts.

“Ideally”, each user record in the database has a unique salt value and passwords are hashed using that salt. That way, if the db is compromised, the passwords are useless in other contexts. (I can’t take it and try a dictionary attack on other sites you may have an account at).

Of course, that’s probably true if using a system salt instead of an individual salt.
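Why per-record salts bear on the username question, spelled out as an added example (not code from the thread): the salt lives in the user's row, so the server can only pick the right salt once it knows which row to look at. Without a username it has to hash the candidate under every user's salt. The user table, passwords and iteration count below are constructed for the demo; the iteration count is deliberately tiny and not a production setting.

```python
"""Per-user salted hashing vs. a username-less login (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 1000  # demo only; real deployments use a far higher work factor


def hash_password(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 over the password with the given per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def same_password_hashes_differ(password):
    """Two records with the same password but different salts store
    different hashes, so a leaked table is useless against another site
    (the point made in the comment above)."""
    return hash_password(password, os.urandom(16)) != hash_password(password, os.urandom(16))


class UserTable:
    def __init__(self):
        self.rows = {}       # username -> (salt, hash)
        self.hash_calls = 0  # instrumented so the cost difference is visible

    def _hash(self, password, salt):
        self.hash_calls += 1
        return hash_password(password, salt)

    def add(self, username, password):
        salt = os.urandom(16)  # unique salt per record
        self.rows[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """The username selects the row, so exactly one hash is computed."""
        row = self.rows.get(username)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(self._hash(password, salt), stored)

    def login_password_only(self, password):
        """No username: the server cannot know which salt applies, so it
        must hash the candidate under every user's salt.  Cost is N hashes
        per attempt, and a match against ANY row counts."""
        for username, (salt, stored) in self.rows.items():
            if hmac.compare_digest(self._hash(password, salt), stored):
                return username
        return None
```

The `hash_calls` counter makes the trade-off visible: `login()` costs one PBKDF2 call regardless of table size, `login_password_only()` costs one per user, and the work factor that makes offline cracking slow now makes every online login slow too.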

The trend I’m seeing with online banking software is to add more authentication input rather than less.

My ING account requires a customer id, a portion of my SSN, my password, and I have to sing the teapot song while jumping on my right foot to authenticate.

Theoretically speaking, you could require that a passphrase contain your username. That would enhance the uniqueness prospect.

So my password would never be “Who let the dogs out?” but would be “Who let the dogs out Mr. Haacked?”

use auto-suggest in the user name field.

Finally, some practical advice :wink:

So now I have to remember at least half-a-dozen 30+ character pass-phrases, which are very likely not plain english.

So you use the same exact password on every site you log in to? How is that any better-- once someone discovers your login name, they have access to every system you ever touched!

if I try typing in just any phrase I like, say, after every coffee break,… there’s a good chance I will one day log in into a millionaire’s online banking account.

You’d have an equal chance of doing this on any website today. Just pick a common 8 character login name, and an 8 character password. That’s only 16 characters, and the list of usernames is typically publicly available… either in email, or user lists. It’s far more constrained than the list of possible passwords!

What’s the difference between a 16 character password and 8 character username + 8 character password?

And how is a 16 character password easier to hack than a 30+ character pass-phrase?

Users are fallible no matter what password approach we choose. The odds of a user picking an easy to remember 8 character password are just as high as them picking an easy to remember 30 character pass-phrase. The human factor is unchanged in either scenario. The main difference is that we have longer and more complex (yet easier to remember) passwords in the pass-phrase case.

you could require that a passphrase contain your username. That would enhance the uniqueness prospect.

This is kinda what I was getting at-- a username/password combination is conceptually the same thing as a password that CONTAINS your username.

Of course then we’re typing our username again, which defeats the original thought question… :wink:

Not possible, at least not in reasonable time. Remember we lock the logins after failure for 2^n seconds, where (n) is the number of consecutive failures in (m) minutes.

Then my distributed attack turns into a denial of service attack. The key point is that you can’t figure out what account is being attacked–any reaction you take will disable all accounts.

You’re right, Jeff. “It’s all about the quality of your password.” I think I see where you’re going with this now.

If we want a better security system what we really need is to change people’s behavior. We need folks to come up with secure passwords and NOT write them on sticky notes.

If you have 100,000 people in your system and drop the username field your system is now 100,000 times less secure. If the story ends there dropping the username is just plain stupid.

But the story doesn’t end there. You have to prevent password collisions. In so doing you eliminate the weakest passwords. As Jeff said, maybe having the password stand on its own will make users take security more seriously. Maybe they’ll choose more elaborate passwords. Maybe they won’t write the password down.

The immediate, obvious effect of dropping the username is your system is less secure. But we must also consider the secondary effects that make the system more secure.

As Jeff said, maybe having the password stand on its own will make users take security more seriously. Maybe they’ll choose more elaborate passwords. Maybe they won’t write the password down.

Eg, maybe we can better educate users about pass phrases.

Then my distributed attack turns into a denial of service attack. The key point is that you can’t figure out what account is being attacked–any reaction you take will disable all accounts.

Hmm, no, I think we’d lock your specific IP address out for 2^n seconds. Someone coming in from another IP address wouldn’t be locked out.
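The lockout rule stated above (2^n seconds after a failure, n being the consecutive failures in the last m minutes, keyed on the source IP rather than the account so that one attacker cannot lock everyone else out) as an added example, not code from the blog or its commenters. The window length and the injectable clock are assumptions made for the demo.

```python
"""Exponential login throttling keyed per source IP (added example).

After each failure the source is locked for 2**n seconds, where n is the
number of failures from that IP within the last `window_minutes`.  A
success clears the counter.  The clock is injectable so the behaviour
can be exercised without sleeping.
"""
import time
from collections import defaultdict


class Throttle:
    def __init__(self, window_minutes=10, clock=time.monotonic):
        self.window = window_minutes * 60
        self.clock = clock
        self.failures = defaultdict(list)  # ip -> failure timestamps
        self.locked_until = {}             # ip -> earliest allowed time

    def _recent_failures(self, ip, now):
        """Drop failures older than the window and return how many remain."""
        cutoff = now - self.window
        recent = [t for t in self.failures[ip] if t >= cutoff]
        self.failures[ip] = recent
        return len(recent)

    def allowed(self, ip):
        """True if this source may attempt a login right now.  Other
        sources are unaffected by this one's lockout."""
        return self.clock() >= self.locked_until.get(ip, 0)

    def record_failure(self, ip):
        """Register a failed attempt and return the lockout in seconds."""
        now = self.clock()
        self.failures[ip].append(now)
        n = self._recent_failures(ip, now)
        delay = 2 ** n
        self.locked_until[ip] = now + delay
        return delay

    def record_success(self, ip):
        self.failures[ip].clear()
        self.locked_until.pop(ip, None)


def attempt(throttle, ip, password, check):
    """One login attempt: refused while locked, otherwise `check(password)`
    decides and the throttle is updated.  Returns "locked", "ok" or "fail"."""
    if not throttle.allowed(ip):
        return "locked"
    if check(password):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip)
    return "fail"


class FakeClock:
    """Controllable clock for tests; call it like time.monotonic()."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t
```

Because the key is the source address, the distributed attacker in the thread gets a separate 2, 4, 8, ... second schedule per IP, while the account being attacked is never disabled. That is the property the comment above asks for; the cost is that an attacker with many addresses has many independent counters, which the thread does not claim to solve.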

“Eg, maybe we can better educate users about pass phrases.”

Well, yes, but we can do that without eliminating the username field.