Password Strength

Started by deanwebb, March 10, 2015, 09:11:43 AM


deanwebb

Prompted by the recent episode of CSI: Cyber...

When the hacker portrayed by the actor formerly known as Lil' BowWow has his big scene where he figures out a password, he puts it together by reading numbers on a guy's tattoos. That's essentially reading through all the post-it notes nearby, with the difference being one cannot crumple up one's skin and/or toss it in a shredder. All I can say is, worst. cybercriminals. ever.

Also, they somehow had a password screen that specified an exact number of characters to use in the password. Another key ingredient of weak sauce.

So, what could have made the password stuff better?

Password strength can be measured by a formula X^Y, where X=number of characters possibly used in a character slot and Y=number of characters in the password.

So, if one uses only numbers 0-9 and the password is 20 characters long, the strength is 10^20, which is really not a lot. A brute force hack can run through that pretty quickly.

Now, if the baddies had used letters and uppercase letters, X in this case goes up from 10 to 36. Nice. Add in lowercase letters and X is 62. 62^20 is not fun for a brute force attack.

Now, if the baddies used phrases, a dictionary attack might get some headway in figuring out part of the password, but not get a complete view. Those dictionary attacks can be thrown off with deliberate misspellings and/or the inclusion of what I call the "uppercase numbers", or what you get when you hit SHIFT and a number. X is now 72 and rising... rising because there's also -, _, +, =, {, }, [, ], \, |, :, ;, ", ', <, >, ?, /, ., ,, and [space]. If you can use these characters, you can really go to town. X is now 93 with those characters in the mix.

Should we go all the way and use the ALT characters? Well, I can't type them from this laptop, so I'll say no now, but when I get to a proper keyboard, I will say yes. Windows allows those characters, and that can add another 200 or so to the mix. With X now close to 300, raising it to the 20th power gives a very, very strong password, indeed.

But in order to get the benefits of a high X value, one has to use elements that get into those higher ranges. If I don't use a ( in my password, I don't have an X of 72. If I don't use a {, X is not 93. No ALT character, and X remains out of the low hundreds.

This also shows the benefits of a long password. My current password is well over 12 characters long. It's a pain to type in, but that's the point. High security should NOT be easy to use. The difficulty *is* part of the security. If one had to eat a roach to use my computer, I could leave my password set on "password" and there would still be a lot of people unwilling to hack my box. Sure, there's that one guy who will eat a bug for a dollar, but you get the picture.

Knowing how some dictionary attacks work, I like to open up with a non-alphanumeric character. So, how's this for a strong password:

<_<I_am_\/3ryP4r4noid!>_>

25 characters, easy to remember, hard to type every time, and X at 93. 93^25 is just shy of 1.63e+49, or 1.63e+29 times more difficult than that 20-character password with all numbers. While a team trying to break the password can try to run a computer to crack it, that team will also likely find other means of cracking it, like rounding up my family members to threaten their lives if I don't type it in... or offering me $10 million in my bank account... Very un-cyber way of cracking a password, but if it works, it gets results in less than a gazillion years.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
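
The X^Y arithmetic above, as an added worked example that is not part of the original post: the script below uses the character classes and class sizes exactly as the post lays them out (10 digits, 26 uppercase, 26 lowercase, the 10 shifted digits, and the 21 other punctuation characters listed, so ` and ~ are not counted), and it only credits a class once the password actually contains one of its characters, which is the point made about ( and {. The two sample passwords are the 20-digit one and the 25-character `<_<I_am_\/3ryP4r4noid!>_>` from the post.

```python
import math
import string

# Character classes with the sizes used in the post above. The "other punctuation"
# set is exactly the 21 characters the post lists (so ` and ~ are deliberately absent).
CLASSES = {
    "digits": string.digits,                          # 10  -> X = 10
    "upper": string.ascii_uppercase,                  # +26 -> 36
    "lower": string.ascii_lowercase,                  # +26 -> 62
    "shifted digits": "!@#$%^&*()",                   # +10 -> 72 ("uppercase numbers")
    "other punctuation": "-_+={}[]\\|:;\"'<>?/., ",   # +21 -> 93
}


def classes_used(password: str) -> list:
    """Names of the classes the password actually draws at least one character from."""
    unknown = set(password) - set("".join(CLASSES.values()))
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {sorted(unknown)!r}")
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def alphabet_size(password: str) -> int:
    """X: a class only counts once the password contains one of its characters."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(password: str) -> int:
    """X^Y with Y = password length: the candidates a brute-force search must cover."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """The same quantity on a log scale, which is how policies are usually compared."""
    return len(password) * math.log2(alphabet_size(password))


def times_harder(password: str, baseline: str) -> float:
    """How many times larger one password's keyspace is than another's."""
    return keyspace(password) / keyspace(baseline)


if __name__ == "__main__":
    digits_only = "0" * 20                      # stands in for any 20-digit password
    paranoid = "<_<I_am_\\/3ryP4r4noid!>_>"     # the 25-character example from the post
    for pw in (digits_only, paranoid):
        print(f"{pw!r}: X={alphabet_size(pw)} Y={len(pw)} "
              f"X^Y={keyspace(pw):.3e} ({entropy_bits(pw):.1f} bits)")
    print(f"ratio: {times_harder(paranoid, digits_only):.3e}")
```

Swapping in a different CLASSES table (for example only the characters a given site permits) reproduces the same calculation for any policy; the exact integer from keyspace() is what the 1.63e+49 and 1.63e+29 figures above round to.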

Otanx

First off, how dare you make a password post without the appropriate XKCD.

http://xkcd.com/936/

Funny you should mention this today. My wife and I just had this discussion last night. I am not a fan of the special character stuff. Going longer is more important than special characters. A higher Y increases entropy faster than a higher X. Using your example, let's limit passwords to upper, lower, numbers and space. This gives me 63 possible characters. However, instead of the 25 characters used in your password, I make my password "I am very paranoid about passwords"; I have 33 characters. This is 2.39e+59. In my opinion this is easier to remember than using special characters. I don't have to remember I used underscores instead of spaces, or that I left the space/underscore out between very and paranoid, or the whole did-I-use-a-4-or-an-a, o or 0, 3 or e, etc. I can even add normal punctuation: period, comma, question mark, exclamation point. This brings me up to 67^33 or 1.82e60.

A dictionary attack is more possible against my password than yours, but it is still not easy. I would stay away from common phrases, or opening sentences from books as those could be easy to dictionary attack. The XKCD is four random words, but I still would have problems remembering the words. Using a phrase that means something to me, but not to others is the way to go. "Her mask filled with water while scuba diving" would be easy to remember as it happened to my wife on vacation last week, but is not a common sentence.

The big problem with passwords is how much information a site gives unauthenticated users about its password rules. As an example, if you go to my bank and ask to set up an account, it will tell you the password must be at least 8 characters but no longer than 15, must contain one upper, lower, number, and special character, and the special characters can only be one of this set (about 10). As an attacker I can now limit my brute force attack to only passwords that meet these requirements. This reduces the entropy by a lot. So I know I can start with 8 characters and stop once I get to 15, there are 72 possible characters, and I can skip any passwords that don't conform to the complexity requirements. This drops the number of possible passwords by a lot.

I will get off my soap box now as I have a meeting. Of course this is all a non-issue if people would just do two-factor, and do it correctly (two one-factor authentications does not equal two-factor).

-Otanx
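
The shrinkage described above can be put into numbers. The following Python is an added example, not part of the thread: it counts, by inclusion-exclusion, how many strings of each permitted length use every one of the four required classes at least once, and compares that with the unconstrained count over the same 72-character alphabet and the same length range. The "about 10" specials is taken as exactly 10 here, which is an assumption.

```python
from itertools import combinations
from math import log2

# The disclosed rules as described above: length 8..15, at least one character from
# each of four classes, specials limited to a set of "about 10" (assumed to be 10).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 10}
MIN_LEN, MAX_LEN = 8, 15


def conforming_count(class_sizes: dict, length: int) -> int:
    """Strings of `length` over the union of the classes that use every class at
    least once. Inclusion-exclusion: for each subset of classes left out, add or
    subtract the strings drawn only from the remaining classes."""
    sizes = list(class_sizes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(sizes, k):
            count += (-1) ** k * (total - sum(omitted)) ** length
    return count


def policy_keyspace(class_sizes: dict, min_len: int, max_len: int) -> int:
    """Candidates a search that knows the rules still has to cover."""
    return sum(conforming_count(class_sizes, n) for n in range(min_len, max_len + 1))


def unconstrained_keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Same lengths and alphabet, but without the composition rule."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def report(class_sizes: dict = CLASS_SIZES, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> dict:
    """Summarise how much of the search space the published rules leave standing."""
    alphabet = sum(class_sizes.values())
    allowed = policy_keyspace(class_sizes, min_len, max_len)
    free = unconstrained_keyspace(alphabet, min_len, max_len)
    return {
        "alphabet": alphabet,
        "policy_candidates": allowed,
        "policy_bits": log2(allowed),
        "unconstrained_candidates": free,
        "fraction_kept_by_rule": allowed / free,
        "fraction_kept_at_min_len": conforming_count(class_sizes, min_len) / alphabet ** min_len,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>26}: {value:.4g}")
```

Running it shows that at the shortest length the composition rule discards more than half of the candidates, while at 15 characters most of them still qualify; the 15-character cap and the 72-character alphabet are what put a hard ceiling on the count, which is why a published maximum length costs more than a published complexity rule.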

Fred

I'm a fan of the passphrase, dictionary words be damned.  Even if you use a phrase from the beginning of a book, or a lyric from a song, you're still pretty golden if you vary it just slightly.

"It was the best of times" might not be a good choice, but "It was the best of times!" or "It was the best of times?" makes that a lot harder. Or how about "'Twas the best of times!". Using phrases has a weak spot, so this advice will probably change eventually, but for now, phrases are super powerful.

One other reason I really like passphrases: I can type them damn fast. I can't tell you how many passwords I've inadvertently learned key parameters for just by watching users type them. Watching users type an 8-character passphrase followed by 4 numbers that they type on the keypad gives me enough information to reduce that entropy down to 52^8+10^4, which is a huge reduction over the original 62^12. And they'd be in much worse shape if I was trying to find out their password. But watch me touch-type "A man, a plan, a canal, Panama!" at 80WPM, and you know almost nothing about my password.

icecream-guy

Quote from: Fred on March 12, 2015, 09:08:15 PM
  I can't tell you how many passwords I've inadvertently learned key parameters for just by watching users type them. Watching users type an 8-character passphrase followed by 4 numbers that they type on the keypad gives me enough information to reduce .......

You just shot down my setting passwords using keyboard patterns method.  I guess it's off to set some pass phrases now.....
:professorcat:

My Moral Fibers have been cut.

deanwebb

Move your fingers by one key in a particular direction, then touch-type in the phrase.

ThisIsASecurePassword becomes %y8w*wQW3d743)qww294e

Total gibberish, but very easy to remember.


Ctrl Z

Quote from: deanwebb on March 16, 2015, 10:40:42 AM
Move your fingers by one key in a particular direction, then touch-type in the phrase.

ThisIsASecurePassword becomes %y8w*wQW3d743)qww294e

Total gibberish, but very easy to remember.

This works well until you find yourself needing to type in the password on some odd device, like a phone perhaps.

I've got this crazy random string of characters I've seemed to memorize by muscle memory. I'll be darned if I can remember the password when I find myself needing to type it into my phone.

deanwebb

One idea for a password:

???????????????

Hacker will crack it, but never know because the cracked password looks like what the cracking program displays when it's still uncracked.


dlots


deanwebb

Quote from: dlots on May 22, 2015, 08:53:12 AM
Quote from: deanwebb on March 16, 2015, 10:40:42 AM
%y8w*wQW3d743)qww294e

how did you ever guess my password for thisaccountisajoke@gmail.com?!?!

:matrix: :professorcat: <- I had these guys working for me. They're not just cute icons. The code in the animated GIF is actually part of my botnet.

Dieselboy

So I did a forum search (go me!) and found this old thread about password strength. Some valid information is contained herein. It's now 2020 - what's the consensus today? I've been advised to enforce 20-char passwords.

I'm looking at my active directory policy to tweak this config and there is another setting to enforce "password must meet complexity requirements". I have this turned off at the moment but the description reads:
Quote
If this policy is enabled, passwords must meet the following minimum requirements:

  Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  Be at least six characters in length
  Contain characters from three of the following four categories:
    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

I mention this here because 1) I'm OK with a number but most people just put '1' at the end of their password; so it's not really providing any more security. And having non-alphabetic chars just makes it harder for a normal person to remember their password.

I'm leaning much more to Fred's comments where you can get a few words and put them together, like "monkeytrouble99disco" -> which is 20 chars, lower case and numbers. Missing upper case and special chars.

A few years ago, when I last looked into this, I found a few online sites suggesting that very complex passwords are not great because 1) it's really difficult for the normal person to remember and 2) it's not any harder for machines to brute force, especially if the password is shorter because of the complexities.
The better alternative at the time was to use a longer password like the "monkey" example above. It's easier for a human to remember and more difficult for a computer to brute force. But the monkey example is a dictionary password. There are 3 words straight from the dictionary there.

So, it seems complex to decide on a password policy :)
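
As an added example, not part of the post and not Microsoft's code, here is a small Python checker that applies the quoted policy text as written (account name not contained, full-name parts longer than two characters not contained, at least six characters, three of the four listed categories) and explains which rules a candidate breaks. Two readings are assumptions and are marked in the code: the name checks are case-insensitive, and "non-alphabetic" is taken as any character that is not an English letter or digit. The sample run tests the "monkeytrouble99disco" example above.

```python
import re
import string


def category_of(c: str) -> str:
    """Map a character to one of the four categories the policy text lists.
    Assumption: anything that is not an English letter or digit is 'non-alphabetic'."""
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.digits:
        return "digit"
    return "non-alphabetic"


def name_fragments(full_name: str) -> list:
    """Parts of the full name longer than two characters. Assumption: parts are
    delimited by whitespace and common punctuation."""
    return [p for p in re.split(r"[\s,.\-_#]+", full_name) if len(p) > 2]


def complexity_failures(password: str, account_name: str, full_name: str) -> list:
    """Return the rules from the policy text that the password breaks
    (an empty list means the password meets the complexity requirements)."""
    failures = []
    lowered = password.lower()            # assumption: name checks ignore case
    if account_name and account_name.lower() in lowered:
        failures.append("contains account name")
    for part in name_fragments(full_name):
        if part.lower() in lowered:
            failures.append(f"contains part of full name: {part!r}")
    if len(password) < 6:
        failures.append("shorter than six characters")
    cats = {category_of(c) for c in password}
    if len(cats) < 3:
        failures.append(f"only {len(cats)} of 4 character categories: {sorted(cats)}")
    return failures


def meets_complexity(password: str, account_name: str, full_name: str) -> bool:
    return not complexity_failures(password, account_name, full_name)


if __name__ == "__main__":
    # Constructed sample user; the account name and display name are made up.
    for candidate in ("monkeytrouble99disco", "Monkeytrouble99disco", "Diesel99trouble"):
        problems = complexity_failures(candidate, "dieselboy", "Diesel Boy")
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

The run shows why "monkeytrouble99disco" is rejected once the setting is on (two categories, not three) while simply capitalising the first letter satisfies it, and why a passphrase built from the user's own name fails regardless of length; the failure list is the part worth surfacing to users, since a bare "password does not meet requirements" message is what pushes people toward appending a 1.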

deanwebb

I'd recommend what I call "uppercase numbers" for special characters. Memorize a number, but type it out holding down the SHIFT key. So a birthday on 01-01-1980 would be )!-)!-!(*) . Dashes are optional, of course, but add characters and complexity. But that's 10 non-alphanumeric characters that are very easy to remember.

More advanced would be memorizing something like the years of a monarch's reign or something like that and incorporating into a password. Like the years Jimmy Carter served: 1977 to 1981. Using my uppercase numbers, I get !(&&!(*!Jimmy1977Carter1981. 27 characters, loads of complexity, skip the brute force on THIS password, gents!

I have a deep background in History and Economics, so I have loads of crazy stuff to pull out of those areas. I have my own algorithm for generating complex passwords that frequently involves misspelling foreign words, so I'm good to go here.

icecream-guy

Certificates on encrypted devices, or 2-factor, is the only hope.
Password generation sites are bunk; I assume they log generated passwords and the requester's IP, then they have the company name. A couple of phishing emails to get the company username format, etc. etc. etc.

Dieselboy

I agree with you mostly but I'm just against having things like %^&*( as a password :) I do like your idea though but if you move to a different device or a different keyboard then are you a bit screwed?

Quote from: ristau5741 on August 04, 2020, 03:07:54 PM
Certificates on encrypted devices, or 2-factor, is the only hope.
Password generation sites are bunk; I assume they log generated passwords and the requester's IP, then they have the company name. A couple of phishing emails to get the company username format, etc. etc. etc.


I'm thinking cert auth. and 2-factor. I read that the cert is not 1 factor ..


I want to propose my own solution - Gait password. It encompasses "something you are" as well as "something you have", so it should be good. To make it work, when you try to log in, you need to do your action in front of your computer's camera. You can pick any action; you just have to repeat it each time you log on. You may pick a handstand or a breakdance or one of those hopscotch things you did back in school. You can even just walk around, since no two people have the same gait.

... you may laugh now, but give it 15-20 years  :XD: :mrgreen:

icecream-guy

Quote from: Dieselboy on August 05, 2020, 01:57:56 AM
I agree with you mostly but I'm just against having things like %^&*( as a password :) I do like your idea though but if you move to a different device or a different keyboard then are you a bit screwed?

Quote from: ristau5741 on August 04, 2020, 03:07:54 PM
Certificates on encrypted devices, or 2-factor, is the only hope.
Password generation sites are bunk; I assume they log generated passwords and the requester's IP, then they have the company name. A couple of phishing emails to get the company username format, etc. etc. etc.



I'm thinking cert auth. and 2-factor. I read that the cert is not 1 factor ..


I want to propose my own solution - Gait password. It encompasses "something you are" as well as "something you have", so it should be good. To make it work, when you try to log in, you need to do your action in front of your computer's camera. You can pick any action; you just have to repeat it each time you log on. You may pick a handstand or a breakdance or one of those hopscotch things you did back in school. You can even just walk around, since no two people have the same gait.

... you may laugh now, but give it 15-20 years  :XD: :mrgreen:

Flipping the bird, it's going to be the most popular.. Double bird flip. awesome.....

deanwebb

And then double bird flip plus the number 1, once that code gets broken...