Working the Help Desk at a huge prestigious university, password resets were frequent, as was the frustration. My two favorite password related jokes (yes, I have so many that I have two favorites):
User, having their fourth new password rejected â Holy s%&t! My bank password isnât this complicated!
Me â shouldnât you be angry at your bank, instead?
User â oh, I just use the same password for everything.
Me â oh totally, what is it??
That second one is hysterical, but dangerous. Best case, they open their mouth, followed by a long pause where their face twists from friendly to horrified. Worst case, instead of a long pause, you hear actual sounds about to emerge that you have to rush to yell âDONOTTELLMENONONOJAYKAYâ because it really is supposed to be a joke, not a social hack attempt.
Iâve been disappointed with progress on this. I first saw the linked page years ago, and apart from a few tweaks to the way the proposed feature will work, nothing has really changed.
Probably the single greatest failing of people that devise their own security scheme are the assumption that it will millions/billions of brute force tries to break it. That isnât how cryptographers work. At the end of the day, any passphrase or more specifically, human devised pattern is breakable. That xkcd post? Silliness. That password along with many, many passphrase combinations are now known. That book you read as a child with a cute phrase? Cracked. l33t the text? Cracked. Add your kids favorite word into it? Cracked (thank you Facebook). The only solution with passwords is to take the human devising the pattern out of the equation. A password manager that generates random passwords is orders of magnitude better than a human devised passphrase or password scheme. Two factor is even better.
I think you have just made an excellent case for the elimination of the password. Giving the level of hacking involved globally its pretty clear that passwords are no longer a solution for securing anything. There is some very good work being done by the FIDO alliance to create standards that will be widely supported. Key FIDO members are: Google, BOA, Discover, Ali Baba, PayPAl,⊠Their standards allow for 2FA or even password elimination using various supporting biometric technologies (fingerprint, voive, etcâŠ)
Hopefully the password will be dead soon and we will all be safer. You can check out the FIDO alliance at: FIDO Alliance
If youâre looking from a purely mathematical analysis perspective, youâre right.
The thing about newer password cracking tools is they have the ability to create heuristic matching rules. Consider for a moment the sheer amount of leaked data available. Then consider that most of the leaked data has already been cracked.
If you process a sufficiently large sample data set (ex millions of leaked passwords) you can discover common patterns relatively quickly. Combine that with frequency analysis to order them by weight and you have a complex â but completely feasible â platform for cracking passwords.
Consider 11111111111111111. The pattern of repeating the same number many times is an easily identifiable and will likely score a high weight in the pattern listing. Therefore, with modern cracking tools it would have a high likelihood of being cracked.
Relying on mathematical complexity alone assumes that password crackers are incapable of developing effective strategies to divide and conquer.
We use machine learning algorithms to do pattern matching on images using large sample sets of images. 2D data is a hell of a lot more complex than string data. Is it really so hard to believe that you can train a computer to pattern match common password patterns when you feed it with a sufficiently large data set?
Thanks so much for this article which is so timely.
It happens Iâm defining a secure password policy for a web application. For instance, I did not think other sites could be our biggest threats if they donât properly protect their password database and, therefore, reveal the password used by our users if leaked and cracked. I was so much worried about protecting our own database.
Regarding
I donât feel like pre-pending the domain name of the web site to your usual password is a great idea. Once one of your password is cracked, the pattern you use can be easily identified and your password on other sites easily generated. Maybe Iâm wrong about the suggestion you made.
How would that happen, though? Weâre talking about (in my case, testing the formula with this site) a 23 character password. It would only be possible
if the password is stored not as a hash, but as plain text
if a keylogger is installed on your system
the login form is not using https
I guess it depends on your level of paranoia. The formula can be adjusted to taste, ultimate is diceware.
My point is that the simple pattern of âuser uses same password on x different sitesâ which is incredibly dangerous is blocked by using the domain as a salt. So no, itâs not perfect ⊠but it is a huge, huge improvement over what most users do, which is reuse identical passwords a bunch of places.
I guess you assume itâs impossible to crack a 20+ characters password stored as a bcrypt/scrypt hash ? And that, whatever is the domain name, the password will be 20+ characters long.
I was taking a different assumption where the âsaltedâ password could be 12 to 15 characters long. Eventually crackable. Once itâs cracked, the pattern can be identified and apply with the same global password on other sites.
I realize that pre-pending or appending the domain name will create a 20+ characters long password most of the time, especially when the global password is 12 characters long (once again I rather assumed 8). And that itâs very difficult to brute force, thus youâre safe.
I wrote a browser add-on for FireFox, which uses your âeverydayâ password and pin-code, along with the base domain name, to generate a password based on SHA512. Completely random-garbage-looking, and absolutely repeatable as long as you donât forget the inputs. Not stored anywhere, so nothing to steal. Password Generator Toolbar for FireFox
Since I no longer know what the passwords are, I also wrote a companion desktop app and even an Android one, so that I can generate them when Iâm away from my home browser.
Iâm not just advertising my product (which is completely free anyhow)⊠Iâm trying to address one aspect of the problem: good passwords are hard to remember and type, and trusting somebody else to curate them brings its own concerns.
This is quite similar to the way I generate passwords for most sites. Without going into to many details I use many iterations of the sha512 hash of a base password + site name + a salt derived from the time/date of sign up + a sha512 hash of a picture of [censored]. Anyone who can brute force that deserves my login credentials.
A salted secure hash function is generally more than enough, but I would also add a two factor authentication subsystem you can get one integrated with Authy very quickly. The other thing I would add is a NoCAPTCHA check on the login button.
The advantage of 2FA is it reduces my concern for a single point of attack, even if the password for the site is âpasswordâ they still need to know that and the actual 2FA value which is less likely.
The NoCAPTCHA check prevents bots from overloading the system.
Whatâs the source for the âMatsano recommendationsâ? The only Google results for âMatsano recommendationsâ are your blog post and mentions of it
We might eventually need to push this up to 12 characters minimum. Also, for the love of {diety}, please never, ever create a numbers-only password.
All this fancy âmake up a long pass phraseâ talk is fine, until you have to start entering passwords on a mobile phone, and realize that mobile phones are probably the dominant form of computing for everyone, statistically speaking, moving forward⊠the Chia project has a neat way of dealing with this, autocomplete for a set of 24 words:
If you have to write down the code anyway, why is that any better than a similar number of bits-of-entropy worth of letters / numbers / symbols / a QR code / etc? I donât really get what problem theyâre trying to solve.
My employer recently implemented a âmust change password every 90 daysâ rule. I argued that NIST, Microsoft and UKâs National Cyber Security Centre (NCSC) recommend against periodic mandatory password changes, and they told me that ISO27001 still requires it