0936: "Password Strength"

This forum is for the individual discussion thread that goes with each new comic.

Moderators: Moderators General, Prelates, Magistrates

rewolff
Posts: 5
Joined: Wed Aug 10, 2011 6:19 am UTC

Re: 0936: "Password Strength"

Postby rewolff » Thu Aug 11, 2011 7:57 am UTC

jonadab wrote:Even if you know my methodology for generating these passwords, they remain strong if the passages are chosen arbitrarily.
Now that's where you're wrong. The strings look random and hard-to-remember, but once you know the methodology, they are "easy".

Let us consider "take a passage from the bible and use the first letters". There are some 66 books. Logical places to start the "passage". 6 bits. Weak to the extreme. You can start somewhere "important" in each book. Maybe 8 bits extra. 14 bits. Very, very weak. Maybe you might use a different translation of the bible. There are 100 common translations (biblegateway.com), 7 more bits. But with three more bits you can cover the about 1000 translations that exist. Now we're at 24 bits. That's 4 hours at 1000 guesses per second. Still way too weak.

This method is great at generating passwords that are long and look random to someone who doesn't know how they are generated, but do not have a whole lot of entropy once you know the trick.

If you have a room of 100 people (7 bits) and tell them this trick, I expect that you will find one account opens up within say 7+6 bits of effort. (One of the people used the bible and the start of a book.) I'm pretty sure you will break 50% of the passwords with less than 27 bits of effort (i.e. some 20 bits of effort per account).

rewolff
Posts: 5
Joined: Wed Aug 10, 2011 6:19 am UTC

Re: 0936: "Password Strength"

Postby rewolff » Thu Aug 11, 2011 8:05 am UTC

FishStik wrote:Can anybody see any drawbacks in using the same 'base' password and just adding an account- or site-specific string to the end? For example:
Account: Facebook
Password: hunter2facebook

Account: Gmail
Password: hunter2gmail
Yes... Suppose through a snafu at Facebook a hacker has captured your password at Facebook. How many tries (on average) do you think he'll need to guess your password? I'd say the number is "less than two".

Plasma Mongoose
Posts: 213
Joined: Tue Feb 01, 2011 1:09 am UTC

Re: 0936: "Password Strength"

Postby Plasma Mongoose » Thu Aug 11, 2011 9:50 am UTC

sotanaht wrote:I don't get why people bother to use strong passwords, or even variable or different passwords for unimportant sites like 90% of all web forums. I could use "Bob" for my password here and on every other webcomic forum and a number of other things, and it wouldn't matter. As long as I am not using that for my email (and then only the ones attached to the other things mentioned), bank account, any site that involves my credit card information at any time, and any site or game involving anything I would care to lose.

People who use strong passwords on frivolous things are just wasting their time. Worse are people who make requirements for strong passwords for frivolous things, as they are wasting not only MY time and energy, but possibly risking the security of whatever I would choose to use strong passwords for.


Agreed, while the password I use for the 'frivolous' sites is fairly simple, I doubt that anyone can just guess what it is even if they knew who I am and other personal details; they would still need to use one of those fancy password crackers to do it.

I doubt anyone would even bother trying as I am not exactly a major commenter in this forum.

In short, cracking my passwords is more trouble than it's worth for most people and beneath any true code cracker's interest to even bother with.
A virus walks into a bar, the bartender says "We don't serve viruses in here".
The virus replaces the bartender and says "Now we do!"

rikkus
Posts: 3
Joined: Wed May 25, 2011 7:31 am UTC

Re: 0936: "Password Strength"

Postby rikkus » Thu Aug 11, 2011 10:18 am UTC

Code:

grep -E '^\w+$' /usr/share/dict/words | tr 'A-Z' 'a-z' | shuf -n 4 | paste -sd ' '


Just need a more simple list of words. This gives silly stuff like:

turnipwise infratrochanteric upflung hobnobbers


I'm ok with upflung and hobnobbers, but turnipwise and infratrochanteric aren't words I use often.

dropshots cutuno knowingest unknightliness


etc.

Anyone have a word list designed for 5 year olds?
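
A word-list filter and generator along the lines rikkus is after, written as an added example for this thread (not rikkus's one-liner and not FoolishOwl's script). It keeps only short, plain, lowercase words, drops possessives and proper nouns, draws words with the `secrets` module rather than a plain PRNG, and reports how many bits a four-word phrase from the filtered list carries. The embedded `SAMPLE_WORDS` list is constructed so the code runs offline; `load_words` reads `/usr/share/dict/words` when it exists. The length bounds are an assumption, not a standard.

```python
"""Filtered passphrase generator (added example, not code from the thread).
Draws words with a CSPRNG and filters the dictionary down to short, plain
words so the phrase is easier to remember than shuf's raw output."""
import math
import os
import re
import secrets

# Constructed sample dictionary standing in for /usr/share/dict/words so the
# example runs offline; a real run reads the system file via load_words().
SAMPLE_WORDS = """
Apple apple apple's battery correct horse staple infratrochanteric
turnipwise upflung hobnobbers zebra ox quiet table garden
""".split()

WORD_RE = re.compile(r"^[a-z]+$")  # lowercase letters only: no "'s", no caps

def filter_words(words, min_len=3, max_len=7):
    """Keep plain lowercase alphabetic words within the length bounds.
    Possessives ("apple's"), capitalised proper nouns and long obscure words
    are dropped; duplicates are removed so every entry is equally likely."""
    seen = set()
    kept = []
    for w in words:
        w = w.strip()
        if WORD_RE.match(w) and min_len <= len(w) <= max_len and w not in seen:
            seen.add(w)
            kept.append(w)
    return kept

def load_words(path="/usr/share/dict/words", **bounds):
    """Read the system dictionary if present, otherwise use the sample list."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return filter_words(fh, **bounds)
    return filter_words(SAMPLE_WORDS, **bounds)

def entropy_bits(list_size, n_words):
    """Entropy of n words drawn independently (with replacement) from the list."""
    return n_words * math.log2(list_size)

def passphrase(words, n_words=4, sep=" "):
    """Draw n words with secrets.choice. Drawing with replacement keeps the
    entropy figure exact: list_size ** n_words equally likely phrases."""
    if not words:
        raise ValueError("empty word list")
    return sep.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    words = load_words()
    print(f"{len(words)} usable words -> "
          f"{entropy_bits(len(words), 4):.1f} bits for a 4-word phrase")
    print(passphrase(words))
```

Note that filtering the list shrinks it, and the entropy figure shrinks with it: a 4096-word list gives 48 bits for four words, a 2048-word list 44, so the tighter the filter the more words the phrase needs.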

tahrey
Posts: 94
Joined: Tue Nov 25, 2008 9:48 am UTC

Re: 0936: "Password Strength"

Postby tahrey » Thu Aug 11, 2011 10:40 am UTC

I take issue with this comic I'm afraid.... hopefully the points have been raised already but I've had this tab open 2 hours without having chance to log in, so not really the time to read 7+ pages

1/ pretty vulnerable to dictionary attacks. OK, they have to stack multiple words, but that still makes the attempts far more trivial. a dictionary with 262144 words represents 18 bits of entropy - or maybe 3 characters in a gobbledegook password that includes upper/lower case, numbers, and a small selection of punctuation characters. So your 4 words come out to the same as a 12-character "normal" one. Merely more memorable... possibly. But a hell of a lot harder to reliably type quickly, especially if you're trying to log into something with a smartphone. I've got my muscle memory down pat for the 10 or so passwords (aka 6 main ones with some having variants) that I use, even the longer ones take little longer than a second to input.

2/ Who, in this day and age, implements a log-in system that can check 1000 user/pass combinations a second - and will happily do so for the same account - and has unlimited logins without so much as a captcha, prompt to send a reset email, or just locking it out for a certain amount of time / until the PW is reset after a certain number of attempts? Most of my logins take several seconds, and I'm limited into how many attempts I can make and even how quickly I can submit repeats (assuming the server even responds fast enough for that).
????

Oh and you don't know how many substitutions there may be for a particular word, and are missing 2-4 anyway in Troubadour - "b" for "8" or "6" or "B", "T" for "7" (or just "t"), "r" for "2" (or "R"), etc. The actual number of entropy bits is significantly higher, probably beyond 32, and attempts per second hopefully quite a bit lower than 1000. I should think a cracking attempt along those lines, rather than doing something simpler e.g. trying to keylog, phish, or otherwise get hold of details directly, may take the better part of a year, by which point a corporate network will have already prompted the user to implement another regular PW change.

Also, what of the mileage in using foreign words, things from fantasy novels, or unusual proper nouns, etc? I have various combinations of those, along with the substitutions, inserts, etc in my own PWs. Never had any trouble; they're practically unguessable / unhackable unless someone keylogs me (but easy to remember as they were things that either meant something to me - privately - at one point, or were nicked off someone else (then modified) because it was an interesting/unusual pass and they let it slip in plaintext, or was some snatch of random and rather bizarre text I saw on a poster... plus there's the whole muscle memory thing).

Apart from that time Gawker was hacked and their stupidly unencrypted PW database stolen, of course...

(I work at a college, in the IT dept, and even the root users don't have access to the PW database. Only the server's internal processes have access to the unencrypted data of submitted user info and the stored passwords. If someone forgets theirs, or mistypes it enough times (5, in our case, with the third one implementing a 30-second delay before the entry boxes become available again) that their account is locked out, the only option is for them to come to the office along with their campus photo ID card, answer a couple security questions, and have it reset to a random string which they then have to change - to something other than their last 6 passwords - at first login, before they can get access. All this is standard MS Active Directory stuff. The better online services operate similar schemes. The worse ones have unlimited attempts and will send you your forgotten password in plaintext ... but still don't seem to be even CAPABLE of allowing more than one login attempt every couple of seconds, let alone specifically made to allow such obvious attacks)

Jan_d
Posts: 2
Joined: Fri Feb 04, 2011 12:59 pm UTC

Re: 0936: "Password Strength"

Postby Jan_d » Thu Aug 11, 2011 11:29 am UTC

I feel a bit embarrassed now, because I have given lots of people the advice to make a secure password by using the first letters of a memorizable sentence.
Reading this thread it seems everyone is using quotes from star wars for this.
A list with the most popular quotes from movies, popsongs or novels would not be that long, would it?
Besides, if I would try to guess the passphrase for a user account called "Jedimaster", I would know which list to choose :)

jonadab
Posts: 79
Joined: Fri Oct 08, 2010 11:31 am UTC
Location: Ohio

Re: 0936: "Password Strength"

Postby jonadab » Thu Aug 11, 2011 11:54 am UTC

The calculation in the comic assumes that you already know the "recipe" used to build the password you want to brute force.


It is safest to assume that the attacker has this information. Even though they don't (usually) actually know which specific recipe you use, they don't have to if they're at all clever about the order in which they try different things. As a general rule, attackers try to use the lowest-complexity recipes first (once they resort to brute-forcing; FIRST, of course, they run through a very short list of extraordinarily popular passwords, and then if they know who you are they try obvious demographic data like your graduation year, phone number, mother's maiden name, and any hobbies you frequently write about on your blog; THEN they get around to brute-force attacks), but patterns that are fairly similar in complexity level aren't always tried in exactly the same order, since not every attacker is using exactly the same software. The take-home point from all this is that whatever pattern you use, the attacker will get around to trying that pattern in an amount of time that is in keeping with the complexity of your own password's format. Thus, if you assume the attacker does know your password-generating template (and can correctly calculate how much actual complexity said template contains), you will have a fairly realistic idea of how secure your password is. On the other hand, if you assume that your uber-unique idea of starting with the name of your favorite sport and *prepending* a numeric digit (instead of tagging it on the end like everyone else) is the most awesomely radically secret trick ever and they'll never figure it out, you will have a rather unrealistic notion of how secure your password is.

jc
Posts: 356
Joined: Fri May 04, 2007 5:48 pm UTC
Location: Waltham, Massachusetts, USA, Earth, Solar System, Milky Way Galaxy

Letters? Who needs letters?

Postby jc » Thu Aug 11, 2011 12:20 pm UTC

To put it in some sort of perspective, we might consider that our money is now mostly in the form of bits inside computers that are owned and operated by organizations run by people who think that 4 digits is a good password.

Actually, I have a debit card with one that has strengthened their scheme to a 6-to-8-digit PIN. Woohoo!

Oracle
Posts: 25
Joined: Tue Sep 05, 2006 6:22 am UTC
Location: N. America

Re: 0936: "Password Strength"

Postby Oracle » Thu Aug 11, 2011 12:57 pm UTC

So why are so many posts about single word passwords when we just learned that aBc@r9U3% is not nearly as strong as "correct horse battery staple"?
"Get the facts first. You can distort them later."
-Mark Twain

darthmark
Posts: 5
Joined: Wed May 26, 2010 4:52 pm UTC

Re: 0936: "Password Strength"

Postby darthmark » Thu Aug 11, 2011 1:16 pm UTC

this has been on my mind recently because one of my passwords got hacked recently. get out of my head, randall.

Andrusi
Posts: 52
Joined: Wed Mar 28, 2007 9:43 pm UTC
Location: YES TOWN

Re: 0936: "Password Strength"

Postby Andrusi » Thu Aug 11, 2011 1:19 pm UTC

MrSnowman wrote:Isn't 4 common words extremely easy to crack? I always start with a wordlist.

The idea of passwords that are "easy" or "difficult" to crack is misleading. There is only "amount of time needed," which translates directly into "number of possible passwords that fit this pattern." If you can put enough common words together that going through the wordlist to guess them takes as long as or longer than it would take to bruteforce a more traditionally "secure" password, then you're good.
Not named Dennis Miller.

raymcgill
Posts: 1
Joined: Thu Aug 11, 2011 12:57 pm UTC

Re: 0936: "Password Strength"

Postby raymcgill » Thu Aug 11, 2011 1:28 pm UTC

Yes, we've all heard this before. Two major changes for the modern world....

1. Like the previous poster said, LASTPASS is required. It's truly secure and can manage your 400 passwords with ease.
2. Steve Gibson (Spinrite/Security Now) had a great revelation. Length counts, and entropy doesn't.

https://www.grc.com/haystack.htm and SecurityNow! episode 303 https://www.grc.com/securitynow.htm

so, Xk5!!!!!!!!!!!!!!!!!!!!! is much, much more secure! (all four character sets. same 24 character length as xkcd example)
and why go to such password lengths? use grc's tool and you can see that 10-12 characters is enough.

R

Autocracy
Posts: 11
Joined: Tue Sep 25, 2007 2:16 am UTC
Location: Portland, Maine

Re: 0936: "Password Strength"

Postby Autocracy » Thu Aug 11, 2011 1:38 pm UTC

For those who are interested, we had some lively discussion about it at a security specialist site: http://security.stackexchange.com/q/6095/836 (actually, it's the most-viewed question we've ever had).
SIG: HUP

Svafa
Posts: 2
Joined: Thu Aug 11, 2011 1:43 pm UTC

Re: 0936: "Password Strength"

Postby Svafa » Thu Aug 11, 2011 2:24 pm UTC

In addition to tahrey's complaints, the comic's claim concerning memorization is wrong in at least some cases. Perhaps that's part of the point of being "trained", but I memorized the first password on sight, while I still can't recall anything but that the second had to do with a horse. This morning one of my cousins commented to me that when she read my complaints on this she instantly recalled the first password but could not remember the second at all. Even having just reread the second password a minute ago I still struggle to recall it ("correct horse... something"), while I retain perfect clarity as to the first password a day later ("Tr0ub4dor&3"). Not everyone's memory works the same and mnemonic devices, especially images, have always been a hindrance, rather than a help, to my ability to memorize; I hardly think I'm unique in that aspect.

To that end, the vast majority of my passwords belong to the first category, as they take little effort on my part to memorize, but have ample complexity to prevent brute-force attempts. If someone spends 3 days at 1000 attempts/sec trying to brute-force one of my passwords, then there are far bigger issues at hand than the level of complexity I impose.

gmalivuk
GNU Terry Pratchett
Posts: 26819
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Thu Aug 11, 2011 2:26 pm UTC

MrSnowman wrote:Isn't 4 common words extremely easy to crack? I always start with a wordlist.
Right, but your wordlist doesn't tell you the order of the words being used. If my password is a random sequence of 4 words out of a list of 4096, that's 48 bits of security. The same as an upper-lower-number password that's completely random and 8 characters long. Each additional word on my password is an additional two completely random characters on yours. And the contention is that another common word tends to be easier for most people to remember than a pair of truly random alphanumeric characters.

tahrey wrote:I take issue with this comic i'm afraid.... hopefully the points have been raised already but i've had this tab open 2 hours without having chance to log in, so not really the time to read 7+ pages
You probably should have, since all your points have indeed been made several times before, by people who like you seem to have missed the point of the comic.

a dictionary with 262144 words represents 18 bits of entropy - or maybe 3 characters in a gobbledegook passwords that includes upper/lower case, numbers, and a small selection of punctuation characters.
True, but the point Randall was making is that people very rarely make truly gobbledygook passwords, instead altering single words as in the comic.

Who, in this day and age, implements a log-in system that can check 1000 user/pass combinations a second
The problem isn't someone trying to log into your facebook account manually, but rather someone who for example has a database of what a site's passwords get stored as (because hopefully they're not stored in plaintext), and knows the algorithm used to store them thusly. Then it's a matter of using their own processing time and attempting to get matches as fast as they like.
Unless stated otherwise, I do not care whether a statement, by itself, constitutes a persuasive political argument. I care whether it's true.
---
If this post has math that doesn't work for you, use TeX the World for Firefox or Chrome

(he/him/his)
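
The bookkeeping behind gmalivuk's figures (four words from 4096 equals 48 bits, one word equals two random alphanumeric characters) and his point about offline cracking, as an added example for this thread rather than code by any poster. It converts word-list and character-set sizes into bits and turns bits into worst-case exhaustion time at two guess rates: the comic's 1000 guesses per second for an online form, and an assumed 10^9 per second for an attacker running a leaked database of fast, unsalted hashes through their own hardware. The 28-bit figure for the Tr0ub4dor&3 style is the comic's own estimate, included for comparison.

```python
"""Words versus characters, and online versus offline guessing (added example,
not code from the thread). Guess rates are assumptions for illustration."""
import math

def bits_for_charset(charset_size, length):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(charset_size)

def bits_for_words(list_size, n_words):
    """Entropy of n_words chosen uniformly and independently from a list."""
    return n_words * math.log2(list_size)

def words_to_chars(list_size, charset_size):
    """How many random characters one random word from the list is worth."""
    return math.log2(list_size) / math.log2(charset_size)

def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case: the attacker tries every candidate in the space."""
    return 2.0 ** bits / guesses_per_second

def human_duration(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Constructed comparison: (label, bits). The 2048-word list and the 28-bit
# substituted-word figure are the comic's own estimates.
SCHEMES = [
    ("4 words from a 4096-word list", bits_for_words(4096, 4)),
    ("4 words from a 2048-word list (comic)", bits_for_words(2048, 4)),
    ("8 random chars, upper+lower+digits", bits_for_charset(62, 8)),
    ("one word with substitutions, Tr0ub4dor&3 style (comic)", 28.0),
]

# Assumed rates: the comic's online figure, and a hypothetical offline rate
# against a leaked database of fast unsalted hashes.
RATES = {"online form (1e3/s)": 1e3, "offline fast hash (1e9/s)": 1e9}

def report(schemes=SCHEMES, rates=RATES):
    """Return (label, bits, {rate name: duration}) rows for every scheme."""
    rows = []
    for label, bits in schemes:
        times = {name: human_duration(seconds_to_exhaust(bits, rate))
                 for name, rate in rates.items()}
        rows.append((label, round(bits, 1), times))
    return rows

if __name__ == "__main__":
    for label, bits, times in report():
        print(f"{bits:5.1f} bits  {label}")
        for name, duration in times.items():
            print(f"             {name}: {duration}")
```

The same 44 bits that hold up for hundreds of years against a throttled web form fall in hours once the guessing moves offline, which is why the storage side (a slow, salted password hash) matters as much as the user's choice of password.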

N_8_
Posts: 7
Joined: Thu Aug 11, 2011 2:32 pm UTC

Re: 0936: "Password Strength"

Postby N_8_ » Thu Aug 11, 2011 2:44 pm UTC

Just created an account to state that I did this about two years back... but instead of concatenating words, I concatenated my hard to remember passwords.

On the other hand, after the PSN breach, I now generate a different email address selected from one of 4 of my domains as my registration email which then forwards to a gmail account using 2 step verification that calls my skype phone.

I know I'm paranoid...

(not exaggerating unfortunately, just waiting for our culture to find something more secure than ascii chars to verify identity)

Carlington
Posts: 1588
Joined: Sun Mar 22, 2009 8:46 am UTC
Location: Sydney, Australia.

Re: 0936: "Password Strength"

Postby Carlington » Thu Aug 11, 2011 2:49 pm UTC

I know a person who uses a [pseudo-]random number generator to generate 16-digit sequences of numbers. He has a unique sequence for each of his passwords, and he changes all of them every two weeks. Never writes any of them down. I've no idea how he does it. It's terrifying, frankly.
Kewangji: Posdy zwei tosdy osdy oady. Bork bork bork, hoppity syphilis bork.

Eebster the Great: What specifically is moving faster than light in these examples?
doogly: Hands waving furiously.

Please use he/him/his pronouns when referring to me.

McClow
Posts: 30
Joined: Wed Jul 27, 2011 4:12 pm UTC
Location: Massachusetts, USA

Re: 0936: "Password Strength"

Postby McClow » Thu Aug 11, 2011 2:50 pm UTC

Cloudchaser wrote:Careful about biometrics, though. Mythbusters defeated a fingerprint scanner with a wet piece of paper.

That episode was pretty eye-opening.

(retinal scanner joke! HA!)


Why did I laugh at that? It must be way too early.

Ragnavald
Posts: 1
Joined: Thu Aug 11, 2011 2:40 pm UTC

Re: 0936: "Password Strength"

Postby Ragnavald » Thu Aug 11, 2011 2:52 pm UTC

The problem with everyone suggesting lastpass etc is that there are times you're going to need to have remembered the site-specific password, away from lastpass.

I surf a lot from my android phone, and as yet, something like lastpass wouldn't help me remember what my password was for the couple of forums I surf from it. This goes as well if you have to log in from a friend's machine for whatever reason (the debate about whether you should be logging into anything from a computer you don't control is for another day.)

heck, I must admit to falling for the macho nerd thing and setting up a wireless key that's completely random and long enough to be unmemorisable (much longer than it needs to be, in fact.) Which causes me great consternation every time I reinstall/reflash my phone (custom rom user, happens more often than you'd think.)

I must admit, so far, for actual secure passwords, I've been a fan of the "random string mixed character set" with larger password lengths, and relying on muscle memory. The problem with this whole business is there's still this trade off between difficulty to break through brute force (and rainbow tables) and memorability.

AvatarIII
Posts: 2098
Joined: Fri Apr 08, 2011 12:28 pm UTC
Location: W.Sussex, UK

Re: 0936: "Password Strength"

Postby AvatarIII » Thu Aug 11, 2011 3:14 pm UTC

I use made up portmanteaus for my passwords, plus a small handful of numbers. Both easy to remember and difficult to guess.

adriankemp
Posts: 5
Joined: Thu Aug 11, 2011 3:09 pm UTC

Re: 0936: "Password Strength"

Postby adriankemp » Thu Aug 11, 2011 3:29 pm UTC

Okay look, first of all everyone saying that passphrases are weak clearly doesn't *actually* know anything about security. But we'll ignore that; here is a password scheme that should be common place:

thisisareasonablylongbuteasilyrememberedpasswordspecifictoxkcd.com$J@

that little $J@ (changed for each person) can be put anywhere in your password string and can remain constant over every password you ever use. It takes the search out of the dictionary realm, and even if someone eventually does grab your "token" they still have an unbelievably challenging password to crack that is unique to each site you use. Obviously you can further tailor passwords by having two small tokens, one for secure things like banking and one for forums, you can add punctuation, you can toss in fake words like "cromulant" (thanks, Simpsons).

i.e. Holyc%S^rapifyouactuallymanagedtograbthispassword,youdeserveadundieaward!
(this person places their secure token after the first letter of the second word in the phrase, further destroying any possible word lookups)

Bottom line, anyone using passwords of that kind of complexity is not going to be the subject of a brute force attack, because it takes enough resources that no attacker is going to bank on a specific attack scheme. When you're complex enough to prevent the use of a specific attack scheme, you're in the realm of brute forcing every character.

Of course, that does require that said site doesn't limit passwords to 30 characters. WTF?

P.S. you'll note that knowing this password scheme really doesn't meaningfully reduce the complexity of solving it; one of the many things that make it robust.

mikey_p
Posts: 2
Joined: Wed Aug 10, 2011 5:47 pm UTC

Re: 0936: "Password Strength"

Postby mikey_p » Thu Aug 11, 2011 3:43 pm UTC

Munksgaard_ wrote:If you like password security across websites, check out this browser add-on my friend made:

https://github.com/brinchj/RndPhrase/wiki

A little writing about it:
http://brinchj.blogspot.com/


I didn't get time to fully read through how this works, but if it's anything like SuperGenPass (http://supergenpass.com/) then there is a major vulnerability in the concept, namely that a non-trustworthy site could steal your 'master' password with some malicious javascript. This is especially critical since folks may be lured into using the same master password across multiple sites since you're using the site's domain to generate a custom hash for each site.

I'm pretty sure the only way around this is to have some non-JS code that allows you to popup a dialog box that is not part of the DOM and enter your password there, hash it, and then it pastes that into the password field for the site.

Maxpm
Posts: 34
Joined: Fri Mar 11, 2011 2:01 pm UTC

Re: 0936: "Password Strength"

Postby Maxpm » Thu Aug 11, 2011 4:55 pm UTC

I'd say the "dictionary words" passwords are harder to remember.

"Now, was it 'horse battery correct staple?' No, it had to be 'stable,' because of the horse. So 'correct horse stable battery...?'"

zumboorukchee
Posts: 4
Joined: Sat May 08, 2010 3:10 pm UTC

Re: 0936: "Password Strength"

Postby zumboorukchee » Thu Aug 11, 2011 4:59 pm UTC

I think people are really missing the point of this comic when they apply it to themselves as an individual. The point is not what you as an individual can do to protect your account but rather what recommended scheme would best protect the general population of users from a brute force attack.

I think the best scheme for an individual concerned about their security thus far is the guy who generates random 16 character passwords, memorizes them, and then changes them every two weeks. However, end user resistance would be tremendous if you tried to actually enforce such a scheme to a general user base.

Most people don't care deeply about security. Most people only care about the feeling of security and do not concern themselves with ensuring that their security protocols are robust.

Another way to look at it: If you tell a room full of real people (representative sample of the population) to use a particular scheme (e.g. must be between 6 and 14 characters, must include a number, symbol, and capital OR must be long, suggest that you can concatenate four words to make something simple), what percentage of passwords of the people in that room would be hacked within a week? Within a month? Within a year?

gmalivuk
GNU Terry Pratchett
Posts: 26819
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Thu Aug 11, 2011 5:01 pm UTC

mikey_p wrote:if it's anything like SuperGenPass (http://supergenpass.com/) then there is a major vulnerability in the concept, namely that a non-trustworthy site could steal your 'master' password with some malicious javascript.
Yeah, I don't trust browser addons for this purpose. If I want to use a hash as my password, I do it with passhash, but have saved that html file locally and manually copy and paste my passwords into the relevant fields.

SRC
Posts: 3
Joined: Wed Aug 10, 2011 7:14 pm UTC

Re: 0936: "Password Strength"

Postby SRC » Thu Aug 11, 2011 5:10 pm UTC

raymcgill wrote:Yes, we've all heard this before. Two major changes for the modern world....

1. Like the previous poster said, LASTPASS is required. It's truly secure and can manage your 400 passwords with ease.
2. Steve Gibson (Spinrite/Security Now) had a great revelation. Length counts, and entropy doesn't.

https://www.grc.com/haystack.htm and SecurityNow! episode 303 https://www.grc.com/securitynow.htm

so, Xk5!!!!!!!!!!!!!!!!!!!!! is much, much more secure! (all four character sets. same 24 character length as xkcd example)
and why go to such password lengths? use grc's tool and you can see that 10-12 characters is enough.

R


Of course, when password crackers start to check short dictionary words and/or 5-character arbitrary strings, followed by repeated special characters of various lengths, this approach becomes less attractive. It would take very little time for a brute forcer to append from 1 to N exclamation points (and then cycle through other possible repeated characters) to a given short password. If one is restricting a search to short passwords with N repeated chars appended, then the actual number of bits of entropy added is fairly low. So you are banking on the fact that they don't know your algorithm (which may be reasonable), and that it won't become so popular that it turns into an algorithm that a cracker will check before proceeding to systematic cycling through all possible character permutations.
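
SRC's objection, worked through in numbers: this is an added example for this thread, not code from any poster and not GRC's haystack calculator. It splits a password like the Xk5!!!!!!!!!!!!!!!!!!!!! example above into its short base and its trailing run of one repeated character, then counts how many candidates an attacker who knows that recipe has to try (every base of up to `max_base_len` characters, every pad length up to `max_pad_len`, every pad character) and compares that with the figure a length-only "haystack" calculation reports. The 94-character set and the bounds on base and pad length are assumptions; the four-common-words figure uses the comic's 2048-word list.

```python
"""Search space of a 'short base + repeated padding' password when the
attacker knows the pattern (added example; not code from the thread or GRC).
Character-set size and the base/pad bounds are assumptions."""
import math

PRINTABLE = 94  # assumed: printable ASCII without space, i.e. "all four sets"

def structure(password):
    """Split a password into (base, pad_char, pad_len) on its trailing run."""
    if not password:
        return "", "", 0
    pad_char = password[-1]
    base = password.rstrip(pad_char)
    return base, pad_char, len(password) - len(base)

def naive_bits(length, charset=PRINTABLE):
    """What a length-only 'haystack' estimate reports: every position random."""
    return length * math.log2(charset)

def padded_scheme_bits(max_base_len, max_pad_len,
                       charset=PRINTABLE, pad_charset=PRINTABLE):
    """log2 of the candidates an attacker who knows the recipe must try:
    every base of 1..max_base_len chars, times every pad length
    1..max_pad_len, times every possible pad character."""
    bases = sum(charset ** n for n in range(1, max_base_len + 1))
    return math.log2(bases * max_pad_len * pad_charset)

def comparison(password, max_base_len=5, max_pad_len=30):
    """Side-by-side figures for one password under both attacker models."""
    base, pad_char, pad_len = structure(password)
    return {
        "length": len(password),
        "base": base,
        "pad": f"{pad_char!r} x {pad_len}",
        "haystack_bits": round(naive_bits(len(password)), 1),
        "pattern_aware_bits": round(padded_scheme_bits(max_base_len, max_pad_len), 1),
        "four_common_words_bits": round(4 * math.log2(2048), 1),  # comic's list
    }

if __name__ == "__main__":
    # Constructed input matching the shape of the example above: 3-char base,
    # 21 exclamation marks, 24 characters in total.
    for key, value in comparison("Xk5" + "!" * 21).items():
        print(f"{key:>24}: {value}")
```

Against an attacker who enumerates the pattern, a 24-character padded password with a five-character base sits at roughly the same 44 bits as four common words, not the 150-plus bits a haystack calculation suggests; the extra length buys nothing once the recipe is popular enough to be on the attacker's list of things to try first.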

im3w1l
Posts: 11
Joined: Mon Nov 24, 2008 12:41 am UTC

Re: 0936: "Password Strength"

Postby im3w1l » Thu Aug 11, 2011 5:23 pm UTC

protip: if you have a super ultimate way of creating a password, don't tell anyone about it

gmalivuk
GNU Terry Pratchett
Posts: 26819
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here and There

Re: 0936: "Password Strength"

Postby gmalivuk » Thu Aug 11, 2011 5:41 pm UTC

im3w1l wrote:protip: if you have a super ultimate way of creating a password, don't tell anyone about it
Not necessarily, because as already mentioned, if it's actually a good algorithm, it won't matter if people know about it. And if it isn't, it's best you are told by someone more knowledgeable than you, rather than finding out after your account gets hacked.

SmoothBlade
Posts: 28
Joined: Sun Apr 03, 2011 4:44 am UTC

Re: 0936: "Password Strength"

Postby SmoothBlade » Thu Aug 11, 2011 5:44 pm UTC

Now I wonder if Randall's password really is correcthorsebatterystaple
Otherwise known as Cheesy or Machete

A conservative furry! What a rarity!

FoolishOwl
Posts: 52
Joined: Mon Jun 29, 2009 8:36 pm UTC
Location: San Francisco, California

Re: 0936: "Password Strength"

Postby FoolishOwl » Thu Aug 11, 2011 5:55 pm UTC

The goal isn't perfect security, which is impossible. It's more like harm reduction -- or vulnerability reduction, to be more accurate. Lots of people use ridiculously obvious passwords -- look at an analysis of hacked password databases. I've read several, and they're all similar. You could just create a list of the most common few passwords, and try every known user name with that short list until you found one user whose password is "123456" or "password". It wouldn't take long.

The point of this comic is, if you're giving advice to someone who is "not a computer person" about choosing a password, suggesting Randall's passphrase method, and assuring them that the math behind it is good, is good advice that's likely to be accepted. I may use 'tr -dc "[:alnum:]" < /dev/urandom | fold -b15 | head' to generate a password for the root account on a server (thanks for that suggestion, by the way), but someone who is "not a computer person" is not going to do that, and will instead use "mynameYYYY" on every message board and email account they use. And, I think Randall's passphrase method may work well for me in most cases that don't have strict rules about case, symbols, etc.

Oh, incidentally, someone mentioned four digit bank PIN codes. Those have bothered me, but I've noticed banks have started allowing longer PIN codes. More importantly, the PIN is used together with a bank card -- that's two-factor authentication, so it's more secure than just a password.

Here's my shell script, by the way. Tested on Ubuntu 11.04.

Code:

#! /bin/bash

# RandomWord
# Randomly select words from the system spelling dictionary. Possessive nouns,
# i.e., words ending with "'s", are culled. If an integer is supplied as an
# argument, that number of random words will be selected; the default is to
# select one random word.
#
# FoolishOwl
# 2011 August 11

if echo "$1" | /bin/grep -Eq '^[[:digit:]]+$' ; then
   COUNT="$1"
else
   COUNT=1
fi

while [[ COUNT -gt 0 ]] ; do
   if /usr/bin/shuf -n 1 /usr/share/dict/words | /bin/grep -v "'s$" ; then
      (( --COUNT ))
   fi
done

Joep
Posts: 5
Joined: Thu Aug 11, 2011 5:42 pm UTC

Please make a comic about for C/Java and VB/Delphi!

Postby Joep » Thu Aug 11, 2011 5:57 pm UTC

Now that the highest authority officially judged that I had been right all the time (thanks Randall!), I can't wait for a comic that ends with "Through 30 years of effort, we've successfully trained all programmers to think that case sensitivity in programming languages adds actual meaning to the code while it was only meant for lazy compiler builders".

Anonymously Famous
Posts: 242
Joined: Thu Nov 18, 2010 4:01 am UTC

Re: 0936: "Password Strength"

Postby Anonymously Famous » Thu Aug 11, 2011 6:00 pm UTC

SmoothBlade wrote:Now I wonder if Randall's password really is correcthorsebatterystaple

I'm betting he did a simple "give me four random words" script, then generated strings until he found one that he thought would be funny.

laddiebuck
Posts: 2
Joined: Thu Aug 11, 2011 6:25 pm UTC

Re: 0936: "Password Strength"

Postby laddiebuck » Thu Aug 11, 2011 6:28 pm UTC

jpk wrote:Oh, no... now we're going to have a bunch of people resorting to easily guessed passwords because [they think?]* Randall said so...

(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

*edited this in and out about four times... if this is a troll on his part, I give him great props for his deadpan... )


So my initial reaction was one of disbelief too, so I whipped out bc and calculated it. Assuming just 2000 English words to be in the base set, that's 2000^4 possible passwords, which is (rounding to the nearest integer) indeed 44 bits of entropy.

By the way, I always use normal-sounding passphrases for my SSH keys, but unfortunately most websites force you to use the kind of gibberish he was railing against.

joggle
Posts: 1
Joined: Thu Aug 11, 2011 7:05 pm UTC

Re: 0936: "Password Strength"

Postby joggle » Thu Aug 11, 2011 7:10 pm UTC

I've used a mixture of names and words from foreign languages with punctuation for years. So something like (some name from China) + (word from Arabic) + (some punctuation). It may be difficult to memorize, but is also hard to guess. The only advantage over the easy-to-memorize one in the strip is that I can still keep the password reasonably short but still very random.

jpgoldberg
Posts: 5
Joined: Wed Aug 10, 2011 11:19 pm UTC

Re: 0936: "Password Strength"

Postby jpgoldberg » Thu Aug 11, 2011 7:19 pm UTC

Briantho2010 wrote:Having done some brute force password cracking this comic isn't truthful to real life from my experience.

May I ask what tools you used? My understanding is that John the Ripper has a system of plug-in rule sets, including those that look for exactly the same kind described in the first panel.

When brute forcing a password you can do various types of attacks but the larger the pool of characters for each character of a password, the higher total # of password possibilities.

Of course, but your calculations assume that any string of characters using a particular alphabet are equally likely. We know from analyzing passwords (or even looking at the advice people give for generating them) that this assumption isn't at all true.

The crucial thing to keep in mind is that the strength of a password isn't a function of its length and character set, it is a function of the system used to generate it.

Cheers,

-j

soy.lor.n
Posts: 1
Joined: Thu Aug 11, 2011 7:39 pm UTC

Re: 0936: "Password Strength"

Postby soy.lor.n » Thu Aug 11, 2011 7:45 pm UTC

Just had to register for a comcast account. They said that my password was required to be 8-12 characters, at least 1 number, at least one capital and one lowercase letter, and a special character.

However, when I put in a password meeting all these requirements, they wouldn't accept it and kept repeating all the rules to me. Finally, I got rid of my special characters, and they were happy with it.

Their rule is that you have to have a special character, but they don't allow special characters. Brilliant. Made me think of this comic :-)

bigjeff5
Posts: 127
Joined: Tue Nov 10, 2009 3:59 am UTC

Re: 0936: "Password Strength"

Postby bigjeff5 » Thu Aug 11, 2011 8:09 pm UTC

Maxpm wrote:I'd say the "dictionary words" passwords are harder to remember.

"Now, was it 'horse battery correct staple?' No, it had to be 'stable,' because of the horse. So 'correct horse stable battery...?'"


You just need a little practice with this type of mnemonic tool, that's all.

The important thing is to come up with the picture and dialogue/story of the mnemonic yourself. That way it is meaningful to you, and you will get it correct just about every time. It is a little more difficult to remember someone else's mnemonic, but even so it should be very clear how powerful the method is. For practice just grab a random list of items and try to create a silly visual dialogue between each item. Chances are you'll amaze yourself, as it's a pretty potent technique that is effective the first time you try it (though it does take a little creative effort).

Compare the slight difficulty you had with the word order with remembering Tr0ub4dor&3 and I'd be shocked if you didn't find the passphrase easier, and it is 20 orders of magnitude more secure to boot. I think you'll find occasionally forgetting the exact order and having to enter the phrase twice much preferable to having to keep the password written down somewhere because it doesn't make a lick of sense.

jpgoldberg
Posts: 5
Joined: Wed Aug 10, 2011 11:19 pm UTC

Re: 0936: "Password Strength"

Postby jpgoldberg » Thu Aug 11, 2011 8:29 pm UTC

rednebmas wrote:Can someone explain why Wolfram|Alpha says that is going to take a billion years to crack and the comic says 3 days?


Alpha, along with every other password strength checker, is forced to assume that the strength is a function of the length and character set used. But that is an incorrect assumption. Instead it is a function of the system by which the password was created.

I described this for a general, non-techie audience, here:

http://blog.agilebits.com/2011/06/toward-better-master-passwords/

And as a follow-up to that, I've "explained" this comic.

http://blog.agilebits.com/2011/08/better-master-passwords-the-geek-edition/

In both cases, the point I elaborate on is
The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.


Cheers,

-j
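To make the point about generation systems concrete, here is an added example (not code from the thread or from AgileBits) that scores a passphrase by the number of outcomes its generating system can produce, and sets that beside the length-times-charset figure a checker like Alpha reports. The word list is a constructed sample; the 1000 guesses/second rate and the 28-bit tally for "Tr0ub4dor&3" are the comic's figures.

```python
"""Added example: password strength as a property of the generation system.

Not code from the thread. The word list is a constructed sample (a real run
would read something like /usr/share/dict/words); the guess rate of 1000/s
and the 28-bit tally for "Tr0ub4dor&3" are the figures from the comic.
"""
import math
import secrets
import string

# Constructed stand-in for a real word list; the comic assumes ~2048 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anchor", "window", "planet", "sugar"]

# The comic's tally of the first panel's scheme: an uncommon base word plus
# the usual capitalisation, substitutions, appended digit and symbol.
TROUBADOR_SYSTEM_BITS = {"base word": 16, "caps": 1, "substitutions": 3,
                         "digit": 3, "punctuation": 4, "order": 1}

def generate_passphrase(words, count=4, rng=None):
    """Draw `count` words uniformly (with replacement) using a CSPRNG."""
    rng = rng or secrets.SystemRandom()
    return [rng.choice(words) for _ in range(count)]

def system_entropy_bits(dictionary_size, count):
    """log2 of the number of distinct outputs the word-draw system can produce."""
    return count * math.log2(dictionary_size)

def scheme_entropy_bits(components):
    """Sum the per-choice bits of a hand-made scheme such as the comic's."""
    return sum(components.values())

def naive_charset_entropy_bits(password):
    """What a strength checker reports: length * log2(pool of classes used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool)

def crack_time_days(bits, guesses_per_second=1000):
    """Days to exhaust 2**bits guesses at the comic's 1000 guesses/second."""
    return 2 ** bits / guesses_per_second / 86400

if __name__ == "__main__":  # quick demonstration run
    phrase = "".join(generate_passphrase(SAMPLE_WORDS))
    print(phrase, system_entropy_bits(2048, 4), naive_charset_entropy_bits(phrase))
    print("Tr0ub4dor&3", scheme_entropy_bits(TROUBADOR_SYSTEM_BITS), crack_time_days(28))
```

Run against a 2048-word list the word-draw system gives 44 bits (about 550 years at 1000 guesses/s) while the checker credits "Tr0ub4dor&3" with over 70 bits for a scheme whose real tally is 28 bits, or about 3 days.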

aaronb1138
Posts: 5
Joined: Thu Aug 11, 2011 8:13 pm UTC

Re: 0936: "Password Strength"

Postby aaronb1138 » Thu Aug 11, 2011 8:49 pm UTC

I don't understand all this talk of various automated and computerized password attacks. If we're talking about corporate America as a target, the policies are based upon a relatively standardized ruleset based on a person's position and department. More common policies of which to be aware are as follows:

Accounting Dept Drone:
Password will be a single word with extra characters added to meet password requirements. This will be found on the post-it note on the monitor frame and commonly includes one of the following words: "jesus, god, love"

Finance Dept VIP, most other employees addressed by a 3 or less-letter acronym (CEO, CIO, VP):
Password will be the name of their significant other or first born child along with their birthdate to increase security. The full password will be found on a page labeled "Personal Information" inside a Franklin Covey product.

IT Personnel:
Personal passwords will have lots of 1337-speak. Generic passwords for multiple admins / support personnel will have hardware vendor names and typically the year the password was implemented somewhere in the equipment. It is quickest to get these passwords off the easiest to hack hardware. They use the same one on all the heavier duty equipment (i.e. attack the linksys router a customer uses or a consumer grade NAS box used for backups). Also, just look for a file, "Passwords.doc" or "Passwords.xls" which is usually not password protected itself.

Operations Personnel:
Their password will either be their first name, or the business's name. This can be deduced by an estimation of their ego vs. loyalty quotients. Capitalize the first letter and add the numeral "1" and punctuation "!" to the end as complexity requires.

Secretaries / Administrative Assistants:
2 Categories here: Competent - Password will be unbreakable. Incompetent - See "Operations Personnel" above.

Design / Marketing / Artistic:
Find out the name of their favorite band, director, actor etc... use the formula under "Operations Personnel."

Any personnel with an MBA:
Call their extension, tell them you are tech support and fixing their e-mail account. They will give you the password over the phone without hesitation, often before you ask.

Svafa
Posts: 2
Joined: Thu Aug 11, 2011 1:43 pm UTC

Re: 0936: "Password Strength"

Postby Svafa » Thu Aug 11, 2011 9:43 pm UTC

bigjeff5 wrote:You just need a little practice with this type of mnemonic tool, that's all.

The important thing is to come up with the picture and dialogue/story of the mnemonic yourself. That way it is meaningful to you, and you will get it correct just about every time. It is a little more difficult to remember someone else's mnemonic, but even so it should be very clear how powerful the method is. For practice just grab a random list of items and try to create a silly visual dialogue between each item. Chances are you'll amaze yourself, as it's a pretty potent technique that is effective the first time you try it (though it does take a little creative effort).

Compare the slight difficulty you had with the word order with remembering Tr0ub4dor&3 and I'd be shocked if you didn't find the passphrase easier, and it is 20 orders of magnitude more secure to boot. I think you'll find occasionally forgetting the exact order and having to enter the phrase twice much preferable to having to keep the password written down somewhere because it doesn't make a lick of sense.
That might work well enough for you, but as I pointed out in my previous post, not everyone's memory works in the same manner. I personally find mnemonic devices to hinder my ability to memorize a list of random items and am much better at simply remembering the list for what it is: a list. Visual methods are the worst in my experience, because I do not visually represent things in my mind. I cannot visualize a horse without physically being in the presence of a horse, so attempting to create a visual mnemonic is impossible.

Instead, my own memorization relies heavily on text and concepts. Memorizing the first password took no effort on my part and was easily filed away for later use. Simply reading the password was enough to memorize it and recall it a day later. The second passphrase took a great deal more effort and was quickly forgotten as the concepts have no logical relation. Without the ability to visually represent the passphrase in my mind, it's much more difficult to commit to memory than the first password. In fact, it's easier for me to memorize lists if I remember that the items have no relation to one another. For others I'm sure the passphrase is much easier to recall than the password. I doubt I'm alone in the way I think and relate things mentally though, and for those like me, the passphrase is more difficult.

And I've had people telling me I just needed a little more practice with these sorts of mnemonic devices for a quarter of a century now. If practice and their insistence hasn't proven any more effective in that amount of time, I highly doubt it ever will.

