Your Password is Too Damn Short

Working the Help Desk at a huge prestigious university, password resets were frequent, as was the frustration. My two favorite password related jokes (yes, I have so many that I have two favorites):

  1. User, having their fourth new password rejected – Holy s%&t! My bank password isn’t this complicated!

Me – shouldn’t you be angry at your bank, instead?

  1. User – oh, I just use the same password for everything.

Me – oh totally, what is it??

That second one is hysterical, but dangerous. Best case, they open their mouth, followed by a long pause where their face twists from friendly to horrified. Worst case, instead of a long pause, you hear actual sounds about to emerge that you have to rush to yell “DONOTTELLMENONONOJAYKAY” because it really is supposed to be a joke, not a social hack attempt.

Three levels of authentication security :

  1. Something you know (passwords),
  2. Something you hold (USB key),
  3. Something you are (biometrics).

Or

  1. Something you forget,
  2. Something you lose,
  3. Something you cease to be.
1 Like

Chrome, at least, is moving in this direction.

I’ve been disappointed with progress on this. I first saw the linked page years ago, and apart from a few tweaks to the way the proposed feature will work, nothing has really changed.

Probably the single greatest failing of people that devise their own security scheme are the assumption that it will millions/billions of brute force tries to break it. That isn’t how cryptographers work. At the end of the day, any passphrase or more specifically, human devised pattern is breakable. That xkcd post? Silliness. That password along with many, many passphrase combinations are now known. That book you read as a child with a cute phrase? Cracked. l33t the text? Cracked. Add your kids favorite word into it? Cracked (thank you Facebook). The only solution with passwords is to take the human devising the pattern out of the equation. A password manager that generates random passwords is orders of magnitude better than a human devised passphrase or password scheme. Two factor is even better.

I think you have just made an excellent case for the elimination of the password. Giving the level of hacking involved globally its pretty clear that passwords are no longer a solution for securing anything. There is some very good work being done by the FIDO alliance to create standards that will be widely supported. Key FIDO members are: Google, BOA, Discover, Ali Baba, PayPAl,
 Their standards allow for 2FA or even password elimination using various supporting biometric technologies (fingerprint, voive, etc
)

Hopefully the password will be dead soon and we will all be safer. You can check out the FIDO alliance at:
FIDO Alliance

If you’re looking from a purely mathematical analysis perspective, you’re right.

The thing about newer password cracking tools is they have the ability to create heuristic matching rules. Consider for a moment the sheer amount of leaked data available. Then consider that most of the leaked data has already been cracked.

If you process a sufficiently large sample data set (ex millions of leaked passwords) you can discover common patterns relatively quickly. Combine that with frequency analysis to order them by weight and you have a complex – but completely feasible – platform for cracking passwords.

Check this out:

DEFCON 17: Cracking 400,000 Passwords, or How to Explain to Your Roommate why Power Bill is a High

Consider 11111111111111111. The pattern of repeating the same number many times is an easily identifiable and will likely score a high weight in the pattern listing. Therefore, with modern cracking tools it would have a high likelihood of being cracked.

Relying on mathematical complexity alone assumes that password crackers are incapable of developing effective strategies to divide and conquer.

We use machine learning algorithms to do pattern matching on images using large sample sets of images. 2D data is a hell of a lot more complex than string data. Is it really so hard to believe that you can train a computer to pattern match common password patterns when you feed it with a sufficiently large data set?

1 Like

Thanks so much for this article which is so timely.

It happens I’m defining a secure password policy for a web application. For instance, I did not think other sites could be our biggest threats if they don’t properly protect their password database and, therefore, reveal the password used by our users if leaked and cracked. I was so much worried about protecting our own database.

Regarding

I don’t feel like pre-pending the domain name of the web site to your usual password is a great idea. Once one of your password is cracked, the pattern you use can be easily identified and your password on other sites easily generated. Maybe I’m wrong about the suggestion you made.

How would that happen, though? We’re talking about (in my case, testing the formula with this site) a 23 character password. It would only be possible

  • if the password is stored not as a hash, but as plain text
  • if a keylogger is installed on your system
  • the login form is not using https

I guess it depends on your level of paranoia. The formula can be adjusted to taste, ultimate is diceware.

My point is that the simple pattern of “user uses same password on x different sites” which is incredibly dangerous is blocked by using the domain as a salt. So no, it’s not perfect 
 but it is a huge, huge improvement over what most users do, which is reuse identical passwords a bunch of places.

I guess you assume it’s impossible to crack a 20+ characters password stored as a bcrypt/scrypt hash ? And that, whatever is the domain name, the password will be 20+ characters long.

I was taking a different assumption where the “salted” password could be 12 to 15 characters long. Eventually crackable. Once it’s cracked, the pattern can be identified and apply with the same global password on other sites.

I realize that pre-pending or appending the domain name will create a 20+ characters long password most of the time, especially when the global password is 12 characters long (once again I rather assumed 8). And that it’s very difficult to brute force, thus you’re safe.

I totally agree with that.

1 Like

I wrote a browser add-on for FireFox, which uses your “everyday” password and pin-code, along with the base domain name, to generate a password based on SHA512. Completely random-garbage-looking, and absolutely repeatable as long as you don’t forget the inputs. Not stored anywhere, so nothing to steal. Password Generator Toolbar for FireFox

Since I no longer know what the passwords are, I also wrote a companion desktop app and even an Android one, so that I can generate them when I’m away from my home browser.

I’m not just advertising my product (which is completely free anyhow)
 I’m trying to address one aspect of the problem: good passwords are hard to remember and type, and trusting somebody else to curate them brings its own concerns.

1 Like

This is quite similar to the way I generate passwords for most sites. Without going into to many details I use many iterations of the sha512 hash of a base password + site name + a salt derived from the time/date of sign up + a sha512 hash of a picture of [censored]. Anyone who can brute force that deserves my login credentials.

A salted secure hash function is generally more than enough, but I would also add a two factor authentication subsystem you can get one integrated with Authy very quickly. The other thing I would add is a NoCAPTCHA check on the login button.

The advantage of 2FA is it reduces my concern for a single point of attack, even if the password for the site is “password” they still need to know that and the actual 2FA value which is less likely.

The NoCAPTCHA check prevents bots from overloading the system.

A few years ago I wrote up a related idea in https://tools.ietf.org/html/draft-kistel-encrypted-password-storage-00. It seemed like a good idea at the time, but it didn’t get traction.

What’s the source for the “Matsano recommendations”? The only Google results for “Matsano recommendations” are your blog post and mentions of it :slight_smile:

Nice chart illustrating length benefits

1 Like

And my bank wants me to change my 16-character password every 90 days
 and this is in the last column. :roll_eyes:

2 Likes

:newspaper: BREAKING NEWS :newspaper: GPU hardware has gotten faster since 2015!

We might eventually need to push this up to 12 characters minimum. Also, for the love of {diety}, please never, ever create a numbers-only password. :scream:

All this fancy “make up a long pass phrase” talk is fine, until you have to start entering passwords on a mobile phone, and realize that mobile phones are probably the dominant form of computing for everyone, statistically speaking, moving forward
 the Chia project has a neat way of dealing with this, autocomplete for a set of 24 words:

and here’s a random new one I generated

As you type, it autocompletes from the available words, so you only have to type a few characters from each word


that’s really clever!

3 Likes

If you have to write down the code anyway, why is that any better than a similar number of bits-of-entropy worth of letters / numbers / symbols / a QR code / etc? I don’t really get what problem they’re trying to solve.

2 Likes

@matasano says

We changed our twitter name to @NCCsecurityUS

Which means I kinda typo’ed the name in there, my apologies. I’ll fix.

1 Like

That’s probably due to ISO27001 legacy shit.

My employer recently implemented a “must change password every 90 days” rule. I argued that NIST, Microsoft and UK’s National Cyber Security Centre (NCSC) recommend against periodic mandatory password changes, and they told me that ISO27001 still requires it :man_shrugging:

2 Likes

Fascinating: password strength measured in dollars. :dollar:

a 15-alphanum password will plausibly cost at least $330M to crack in 2030 (and an acceptable $59M in 2035)

The recently released RTX 4090 doubled hash rate.

1 Like