Oh Randall, you do confound me so.
August 10, 2011 1:11 AM Subscribe
Is Randall Munroe right about passwords in today's xkcd? Are very long (all lower case) plain text passwords more secure than short ones using a mix of numerals and upper/lower case text?
Or am I missing the point, and it's just about not using dictionary words, or something else?
Or am I missing the point, and it's just about not using dictionary words, or something else?
Best answer: I don't know about the math, but I think it might be irrelevant, given that many sites demand passwords that include upper and lower-case characters and at least one numeral or symbol. Maybe those sites are dumb, but it's the programmers' world, and we're just living in it.
posted by Gilbert at 1:27 AM on August 10, 2011 [9 favorites]
posted by Gilbert at 1:27 AM on August 10, 2011 [9 favorites]
Best answer: I've been using movie quotes for a while because I ran out of clever ways to rearrange stuff I'd remember.
I have a paragraph long Army of Darkness quote for one system that I've never missed a beat on because it's so intuitive and burned into my brain. Also it makes me feel quite boss everytime I think of the quote.
Been adopting book / movie quotes everywhere now, and it's miles easier to remember.
posted by bbtomo at 1:27 AM on August 10, 2011 [7 favorites]
I have a paragraph long Army of Darkness quote for one system that I've never missed a beat on because it's so intuitive and burned into my brain. Also it makes me feel quite boss everytime I think of the quote.
Been adopting book / movie quotes everywhere now, and it's miles easier to remember.
posted by bbtomo at 1:27 AM on August 10, 2011 [7 favorites]
Best answer: Dictionary attacks can still be a problem - if the attacker suspects passphrases are being used they can try combining entire words rather than trying to guess the entire string letter-by-letter.
If the passphrase is common or well known then it's still easy to guess, so "correct horse battery staple" is no longer a good passphrase.
However, if you tweak the passphrase very slightly (add one symbol, or an extra space, or mis-spell a word) you're safe against this, and they are indeed very secure. Even with simple words they are more secure than short complicated passwords (<8 characters).
posted by BinaryApe at 1:27 AM on August 10, 2011 [2 favorites]
If the passphrase is common or well known then it's still easy to guess, so "correct horse battery staple" is no longer a good passphrase.
However, if you tweak the passphrase very slightly (add one symbol, or an extra space, or mis-spell a word) you're safe against this, and they are indeed very secure. Even with simple words they are more secure than short complicated passwords (<8 characters).
posted by BinaryApe at 1:27 AM on August 10, 2011 [2 favorites]
Best answer: From simple permutations alone, I get:
Example 1, ~70 character combinations, 11 character length: 70^11=1.98x1020
Example 2, 26 character combinations, 25 character length: 26^25=2.37x1035
posted by devnull at 1:30 AM on August 10, 2011 [5 favorites]
Example 1, ~70 character combinations, 11 character length: 70^11=1.98x1020
Example 2, 26 character combinations, 25 character length: 26^25=2.37x1035
posted by devnull at 1:30 AM on August 10, 2011 [5 favorites]
Best answer: If the passphrase is common or well known then it's still easy to guess, so "correct horse battery staple" is no longer a good passphrase.
Nonsense. Do you know how many English words there are? My /usr/share/dict/words is about 100k, and that's a rather low figure. If you choose four of those words at random that's approximately 1000004 (= 1020) combinations to try which is MUCH larger than Randal's stated entropy of 244 (≈1013). Saying that this password is easy to guess just because it uses common English words is saying that you don't know what you're talking about.
BTW rainbow tables are only good to 8 to 10 characters.
posted by Rhomboid at 1:38 AM on August 10, 2011 [11 favorites]
Nonsense. Do you know how many English words there are? My /usr/share/dict/words is about 100k, and that's a rather low figure. If you choose four of those words at random that's approximately 1000004 (= 1020) combinations to try which is MUCH larger than Randal's stated entropy of 244 (≈1013). Saying that this password is easy to guess just because it uses common English words is saying that you don't know what you're talking about.
BTW rainbow tables are only good to 8 to 10 characters.
posted by Rhomboid at 1:38 AM on August 10, 2011 [11 favorites]
Best answer: Are very long (all lower case) plain text passwords more secure than short ones using a mix of numerals and upper/lower case text?
It seems intuitively obvious that they are. The difficulty of brute forcing a password scales non-linearly with length. But it's immaterial. We don't only need to remember one password, we need to remember dozens. Unless you're on the top tail of the memory bell curve you're not going to be able to remember that many passwords no matter what you choose, so you either write them down, use a password manager, use the same password for everything, or develop some sort of system where you generate the password based on the website URL or whatever such that you can derive the password without having to remember it.
All of these things have advantages and disadvantages. But, yes, the password "kf*@2#j" is easier to brute force than "Cake lackey chicken pumpkin".
posted by Justinian at 1:41 AM on August 10, 2011 [4 favorites]
It seems intuitively obvious that they are. The difficulty of brute forcing a password scales non-linearly with length. But it's immaterial. We don't only need to remember one password, we need to remember dozens. Unless you're on the top tail of the memory bell curve you're not going to be able to remember that many passwords no matter what you choose, so you either write them down, use a password manager, use the same password for everything, or develop some sort of system where you generate the password based on the website URL or whatever such that you can derive the password without having to remember it.
All of these things have advantages and disadvantages. But, yes, the password "kf*@2#j" is easier to brute force than "Cake lackey chicken pumpkin".
posted by Justinian at 1:41 AM on August 10, 2011 [4 favorites]
Best answer: Probably inspired by the Daily Mirror scandal, NPR recently had a series of online safety reports, including this one on passwords.
ilovecatstoo
posted by TheSecretDecoderRing at 1:47 AM on August 10, 2011 [1 favorite]
ilovecatstoo
posted by TheSecretDecoderRing at 1:47 AM on August 10, 2011 [1 favorite]
Best answer: I can't say that this is specifically what Randall had in mind, but the general argument is very similar to parts of Thomas Baekdal's Usability of Passwords, which spends a lot more time explaining itself. That may shed some light on the position. Be sure to also read the two updates linked at top.
posted by Su at 1:49 AM on August 10, 2011 [4 favorites]
posted by Su at 1:49 AM on August 10, 2011 [4 favorites]
Best answer: He's not pointing to the length of the password, but to something subtler. He's basically claiming that when asked to create strong passwords (i.e. with numbers, mixed case, and punctuation), people end up following a predictable formula. The formula is explained in the first panel, with an estimate of how much variation there is in each piece, measured in bits. E.g. a number can be stored in just three bits (actually wrong, you need four), while a single bit suffices to indicate whether there's an initial capital or not.
The four-common-words password is also a formula, and his estimate of 11 bits for each one is equivalent to assuming that the words are chosen from a list of 2048 words. (Which is an adequate definition of "common".)
I think he's underestimating the "strong password" variability-- e.g. three bits for "common substitutions" means he thinks there are only 8 possibilities, which is awfully low. It looks like he's just counting the vowels, but there are other easy substitutions.
On the other hand, I think he's underestimating the pool of dictionary words too. No one has the OED memorized, but an educated speaker knows at least ten times that number of words, so his total goes up to 56 bits. And even more if you use a quirky non-dictionary word.
posted by zompist at 1:53 AM on August 10, 2011 [8 favorites]
The four-common-words password is also a formula, and his estimate of 11 bits for each one is equivalent to assuming that the words are chosen from a list of 2048 words. (Which is an adequate definition of "common".)
I think he's underestimating the "strong password" variability-- e.g. three bits for "common substitutions" means he thinks there are only 8 possibilities, which is awfully low. It looks like he's just counting the vowels, but there are other easy substitutions.
On the other hand, I think he's underestimating the pool of dictionary words too. No one has the OED memorized, but an educated speaker knows at least ten times that number of words, so his total goes up to 56 bits. And even more if you use a quirky non-dictionary word.
posted by zompist at 1:53 AM on August 10, 2011 [8 favorites]
Best answer: Even without the mathematics to back it up I intuitively feel that a random string of 4 plain text words is a much better system than than a string of nonsense. Not just because it seems logical that a longer string of characters would be more difficult to crack, but because these kind of passwords really are much more easy to memorise. And I completely disagree with Justinian on this point:
Unless you're on the top tail of the memory bell curve you're not going to be able to remember that many passwords no matter what you choose
If you use something like a mnemonic link system then you can very easily remember dozens of passwords like the one shown in the comic, even if you only have an average memory. The comic even shows a similar technique of using strong images to remember strings of words. I don't need to remember the words, just the image. Which even now I can remember is of a correct horse and a battery with a staple on it.
posted by Spamfactor at 2:03 AM on August 10, 2011 [2 favorites]
Unless you're on the top tail of the memory bell curve you're not going to be able to remember that many passwords no matter what you choose
If you use something like a mnemonic link system then you can very easily remember dozens of passwords like the one shown in the comic, even if you only have an average memory. The comic even shows a similar technique of using strong images to remember strings of words. I don't need to remember the words, just the image. Which even now I can remember is of a correct horse and a battery with a staple on it.
posted by Spamfactor at 2:03 AM on August 10, 2011 [2 favorites]
Best answer: Sorry Rhomboid, I should have been clearer and written "still easy to guess by a computer using a list" - not easy to guess from scratch, and definitely not by a mere human. I was referring to common or known passphrases, not common words.
I build and maintain authentication systems for a living so I hope I know what I'm talking about, and I recommend passphrases whenever possible, so I agree with you on their strength.
Most of the successful attacks I've seen use lists of complete passwords, or mostly-complete base passwords that are varied by adding a few extra characters to the beginning or end. It doesn't matter how long or complicated a password is if it's on a list of common passwords. "correct horse battery staple" will be on a list soon, if not already. The attacking software simply tries the entire known password/passphrase at once.
posted by BinaryApe at 2:04 AM on August 10, 2011 [2 favorites]
I build and maintain authentication systems for a living so I hope I know what I'm talking about, and I recommend passphrases whenever possible, so I agree with you on their strength.
Most of the successful attacks I've seen use lists of complete passwords, or mostly-complete base passwords that are varied by adding a few extra characters to the beginning or end. It doesn't matter how long or complicated a password is if it's on a list of common passwords. "correct horse battery staple" will be on a list soon, if not already. The attacking software simply tries the entire known password/passphrase at once.
posted by BinaryApe at 2:04 AM on August 10, 2011 [2 favorites]
Best answer: As zompist says there are some predicable patterns in the way people harden their passwords:
For my password I will choose the name of my dog:
fido
But wait - I need a capital letter. So I will capitalise the first letter like I was taught in school:
Fido
And I need at least one character which is not alphanumeric. I will choose one that is easy to find and type - and I will put it at the end:
Fido!
That validates OK. But after 3 months I have been asked to change my password to something else. There is no way I am going to start again so I just add a number at the end:
Fido!1
The password policy has been tightened and now I need an expression of at least 10 characters that follow all the above rules. I'm not going to rename Fido so I select "S3mper*F1d3l1s" and write it on a piece of paper in my wallet that says "pw aug11=S3mper*F1d3l1s".
posted by rongorongo at 2:11 AM on August 10, 2011 [5 favorites]
For my password I will choose the name of my dog:
fido
But wait - I need a capital letter. So I will capitalise the first letter like I was taught in school:
Fido
And I need at least one character which is not alphanumeric. I will choose one that is easy to find and type - and I will put it at the end:
Fido!
That validates OK. But after 3 months I have been asked to change my password to something else. There is no way I am going to start again so I just add a number at the end:
Fido!1
The password policy has been tightened and now I need an expression of at least 10 characters that follow all the above rules. I'm not going to rename Fido so I select "S3mper*F1d3l1s" and write it on a piece of paper in my wallet that says "pw aug11=S3mper*F1d3l1s".
posted by rongorongo at 2:11 AM on August 10, 2011 [5 favorites]
Best answer: I just use a little app called 1Password, 40 character mixed case passwords for everything I care about as well as extensions for Chrome/Safari/Firefox and an iPhone app that make it fairly easy to use. I've also heard good things about KeePassX, which is essentially a free alternative. If you keep a lot of precious data online and you're not using at least some form of password manager you should really look into it.
posted by _frog at 2:21 AM on August 10, 2011 [2 favorites]
posted by _frog at 2:21 AM on August 10, 2011 [2 favorites]
Best answer: Yes, the comic is accurate.
The little grey boxes he has drawn represent bits of entropy, and they're pretty accurate (or close enough that his argument is persuasive). More bits of entropy == your password is harder to brute-force (i.e. "better").
posted by richb at 3:06 AM on August 10, 2011 [1 favorite]
The little grey boxes he has drawn represent bits of entropy, and they're pretty accurate (or close enough that his argument is persuasive). More bits of entropy == your password is harder to brute-force (i.e. "better").
posted by richb at 3:06 AM on August 10, 2011 [1 favorite]
Best answer: Everything you need to know about safe passwords as told by The Gibson Research Corporation.
posted by Foci for Analysis at 3:31 AM on August 10, 2011 [4 favorites]
posted by Foci for Analysis at 3:31 AM on August 10, 2011 [4 favorites]
Best answer: I don't think the comic is accurate. If you want to try and reproduce Randall's math, you could take a look at Appendix A of NIST's Special Publication 800-63. Here is a TL;DR version. I did a little back-of-the-napkin math trying to reproduce his numbers and I can't figure out what assumptions he made on either the first or the second example. If you are assuming the passwords are random -- clearly neither one is, but an attacker may or may not make that assumption -- you will get a different answer on entropy than if you assume a password generation scheme. I would have rated both passwords as having a much higher entropy (based on a brute force attack assumption); Randall appears to be assuming an attacker would understand and exploit the "scheme" for generating each password, especially the first one, where he is only assigning 2.5 bits of entropy per symbol.
posted by kovacs at 3:54 AM on August 10, 2011 [1 favorite]
posted by kovacs at 3:54 AM on August 10, 2011 [1 favorite]
Best answer: The point is, the passphrase is longer, and that's all that matters. YOU know the passphrase doesn't have any funny characters in it, but the computer trying to brute force attack the password doesn't know that. The brute force attacker also doesn't usually know the length of the thing, or even that it is words versus random numbers. It can use all the dictionaries it wants, it has to try to get 25 characters in the right order. And before it gets to that, it has to have already tried ALL the 24, 23, 22, 21, ... letter/word combinations.
posted by gjc at 4:16 AM on August 10, 2011 [4 favorites]
posted by gjc at 4:16 AM on August 10, 2011 [4 favorites]
Best answer: Brute force isn't really brute. A password is guessed according to some model and how safe your password is depends on the model used to either measure its safety or to try and crack it. Someone above used the count of 100K for the number of dictionary words. But if the model were using is dictionary word for people with a 5th grade reading level, there are a lot fewer words. If the model is characters at random, then longer is better but if the model is based on some dictionary, longer using words isn't necessarily better.
So, we can choose models based on which cracking programs we know exist, which words we believe are likely to be used, common names for pets, common cultural ways of thinking about passwords, etc.
If I wanted to crack random passwords, I'd probably use lists of previously released passwords (from previous security breaches) since people believe they are more original than they actually are.
I used to choose passwords based on things I'd already had to memorize--e.g. phone numbers, license plates, etc. But someone trying to crack just MY password (rather than cracking a random collection of passwords) who knew me might guess that I was using that model. Especially after reading this answer.
posted by Obscure Reference at 4:39 AM on August 10, 2011 [4 favorites]
So, we can choose models based on which cracking programs we know exist, which words we believe are likely to be used, common names for pets, common cultural ways of thinking about passwords, etc.
If I wanted to crack random passwords, I'd probably use lists of previously released passwords (from previous security breaches) since people believe they are more original than they actually are.
I used to choose passwords based on things I'd already had to memorize--e.g. phone numbers, license plates, etc. But someone trying to crack just MY password (rather than cracking a random collection of passwords) who knew me might guess that I was using that model. Especially after reading this answer.
posted by Obscure Reference at 4:39 AM on August 10, 2011 [4 favorites]
Best answer: That's true- any clue the attacker has about the scheme in place reduces the amount of time/effort required by orders of magnitude. The passphrase works best when it isn't known. The same way funny characters work best when nobody thinks to try them.
posted by gjc at 4:55 AM on August 10, 2011 [1 favorite]
posted by gjc at 4:55 AM on August 10, 2011 [1 favorite]
Best answer: you will get a different answer on entropy than if you assume a password generation scheme.
Precisely. The "raw" entropy is one thing, it's just a certain number of bits per character depending on the size of the character space.
Then there's the sort of partial knowledge entropy where the attacker knows the scheme but not the password. So if you know that the password is a string of English words then your keyspace is constrained by that and you gain fewer bits of effective entropy per character.
In the real world, we've got sort of a hybrid. There's a sort of game theory type situation where the ratio between the raw entropy per bit and the effective entropy per bit depends on how good attackers are at guessing the password generation scheme (probably good) and how good users are at coming up with such schemes (probably bad).
Given that attackers are better at guessing the ways that people come up with passwords than users are at devising those schemes, it's best to take a worst case view and come up with a scheme that is sufficiently strong even if the attacker knows what it is.
posted by atrazine at 5:06 AM on August 10, 2011 [2 favorites]
Precisely. The "raw" entropy is one thing, it's just a certain number of bits per character depending on the size of the character space.
Then there's the sort of partial knowledge entropy where the attacker knows the scheme but not the password. So if you know that the password is a string of English words then your keyspace is constrained by that and you gain fewer bits of effective entropy per character.
In the real world, we've got sort of a hybrid. There's a sort of game theory type situation where the ratio between the raw entropy per bit and the effective entropy per bit depends on how good attackers are at guessing the password generation scheme (probably good) and how good users are at coming up with such schemes (probably bad).
Given that attackers are better at guessing the ways that people come up with passwords than users are at devising those schemes, it's best to take a worst case view and come up with a scheme that is sufficiently strong even if the attacker knows what it is.
posted by atrazine at 5:06 AM on August 10, 2011 [2 favorites]
Best answer: Yes, longer passphrases are better. Tell that to the many (important!) databases which still limit passwords to 12 characters.
posted by muddgirl at 5:32 AM on August 10, 2011 [7 favorites]
posted by muddgirl at 5:32 AM on August 10, 2011 [7 favorites]
Best answer: kovacs: I think he's assuming that the attacker knows the password scheme, and just has to guess your specific password in that scheme. That's a worst case scenario, but not that out-there, as part of his message is that strict pw rules like "your pw must contain a punctuation mark" constrain many people into the scheme used in the first example. I think his maths works out, given that assumption.
posted by richb at 5:40 AM on August 10, 2011 [1 favorite]
posted by richb at 5:40 AM on August 10, 2011 [1 favorite]
Best answer: Heh, longer is better. And the sad truth is that entropy decreases with the mandatory password schemes. If you must have a capital letter, then you're trading one character of Lower/Upper/Space/Digit/Punct for one character of Upper. Even worse is having to have one digit or one punctuation.
posted by zengargoyle at 5:46 AM on August 10, 2011 [2 favorites]
posted by zengargoyle at 5:46 AM on August 10, 2011 [2 favorites]
Best answer: Boing Boing claims that the basis for the comic was this paper.
posted by OmieWise at 6:02 AM on August 10, 2011 [1 favorite]
posted by OmieWise at 6:02 AM on August 10, 2011 [1 favorite]
Best answer: What about sentences? Are those safe?
Example: MetaFilter, a community weblog, is 12 years old.
Password: MF,acw,i12yo.
posted by phunniemee at 6:03 AM on August 10, 2011 [2 favorites]
Example: MetaFilter, a community weblog, is 12 years old.
Password: MF,acw,i12yo.
posted by phunniemee at 6:03 AM on August 10, 2011 [2 favorites]
Best answer: To me, a good password scheme is one that is entered into a login screen that does not allow more than 3 guesses before locking down or introducing other security measures. It's really upon the security provider to recognize hacking attempts. Allowing brute force over a network login is just a bad design decision.
Encryption on the other hand, completely different story. When the hacker has full control of the authentication environment and can act on the password hash without restriction, that's where you should be seeing the real threat of dictionary based or brute force attacks. An example of this was last year's security breach at Gawker, which exposed 1.3 million accounts to potentially exploitable passwords.
The real damage by the breach at Gawker was done to the users who used the same email/password combination for other online services such as facebook, their bank accounts, or even their email itself. This is another equally common mistake users make when choosing a password, regardless of complexity. Once they have one made, complicated or not, they'll use it for other services to cut down on the number of passwords that need to be memorized. The danger is, not all sites treat security equally, and once one site is compromised, and a password hash is decrypted, it's a matter of time before that account becomes part of a login list that's used to log into other major services.
posted by samsara at 6:39 AM on August 10, 2011 [4 favorites]
Encryption on the other hand, completely different story. When the hacker has full control of the authentication environment and can act on the password hash without restriction, that's where you should be seeing the real threat of dictionary based or brute force attacks. An example of this was last year's security breach at Gawker, which exposed 1.3 million accounts to potentially exploitable passwords.
The real damage by the breach at Gawker was done to the users who used the same email/password combination for other online services such as facebook, their bank accounts, or even their email itself. This is another equally common mistake users make when choosing a password, regardless of complexity. Once they have one made, complicated or not, they'll use it for other services to cut down on the number of passwords that need to be memorized. The danger is, not all sites treat security equally, and once one site is compromised, and a password hash is decrypted, it's a matter of time before that account becomes part of a login list that's used to log into other major services.
posted by samsara at 6:39 AM on August 10, 2011 [4 favorites]
Best answer: What about sentences? Are those safe?
Example: "MetaFilter, a community weblog, is 12 years old".
Password: MF,acw,i12yo.
- Feeding these into the The Gibson Research Corporation password checker posted above
The first one needs a search of a space size of 8.62 x 1094combinations.
The second is still a good password - but the space size is a much smaller 5.19 x 1025. The author makes the point that you only really have to add ONE upper case character to ensure that a brute force search which starts (reasonably) with just lower case options does not find it - and just one non alphabet character to ensure you are not caught in the mixed case search either. That small change could keep you safe for another few trillion years.
Finally the site has some great links at the bottom - including the Ten Most Common Passwords and a longer list of 500 bad password choices.
posted by rongorongo at 6:52 AM on August 10, 2011 [2 favorites]
Example: "MetaFilter, a community weblog, is 12 years old".
Password: MF,acw,i12yo.
- Feeding these into the The Gibson Research Corporation password checker posted above
The first one needs a search of a space size of 8.62 x 1094combinations.
The second is still a good password - but the space size is a much smaller 5.19 x 1025. The author makes the point that you only really have to add ONE upper case character to ensure that a brute force search which starts (reasonably) with just lower case options does not find it - and just one non alphabet character to ensure you are not caught in the mixed case search either. That small change could keep you safe for another few trillion years.
Finally the site has some great links at the bottom - including the Ten Most Common Passwords and a longer list of 500 bad password choices.
posted by rongorongo at 6:52 AM on August 10, 2011 [2 favorites]
Best answer: BinaryApe Writes:
Dictionary attacks can still be a problem - if the attacker suspects passphrases are being used they can try combining entire words rather than trying to guess the entire string letter-by-letter.
GJC writes:
YOU know the passphrase doesn't have any funny characters in it, but the computer trying to brute force attack the password doesn't know that.
From what I'm reading into the math, the calculation actually says there are 44 bits of entropy, even if you assume the attacker knows for sure that your password consists of 4 lower-case common words. The implicit math, I'm guessing, is this:
Assume there are 2048 "common words" to chose from. You'd need 11 bits to specify which one (since 2^11=2048). So, to specify 4 words, you'd need 44 bits. You don't have to obscure the fact that your password is 4 words to get that security.
Put differently, even if I tell you that my passwords is 4 common lower case words, chosen at random from the top 2000 common words, that would narrow down my choice of passwords to 2000*2000*2000*2000 possible passwords. That's 16 trillion possible passwords.
(All this math makes a number of assumptions of course, among them the idea that every "common" word is equally likely. I'm not defending the math in the comic, just trying to understand/describe it)
posted by ManInSuit at 7:25 AM on August 10, 2011 [1 favorite]
Dictionary attacks can still be a problem - if the attacker suspects passphrases are being used they can try combining entire words rather than trying to guess the entire string letter-by-letter.
GJC writes:
YOU know the passphrase doesn't have any funny characters in it, but the computer trying to brute force attack the password doesn't know that.
From what I'm reading into the math, the calculation actually says there are 44 bits of entropy, even if you assume the attacker knows for sure that your password consists of 4 lower-case common words. The implicit math, I'm guessing, is this:
Assume there are 2048 "common words" to chose from. You'd need 11 bits to specify which one (since 2^11=2048). So, to specify 4 words, you'd need 44 bits. You don't have to obscure the fact that your password is 4 words to get that security.
Put differently, even if I tell you that my passwords is 4 common lower case words, chosen at random from the top 2000 common words, that would narrow down my choice of passwords to 2000*2000*2000*2000 possible passwords. That's 16 trillion possible passwords.
(All this math makes a number of assumptions of course, among them the idea that every "common" word is equally likely. I'm not defending the math in the comic, just trying to understand/describe it)
posted by ManInSuit at 7:25 AM on August 10, 2011 [1 favorite]
Best answer: Thinking about it in the shower this morning, my issue with this comic is that it seems to be comparing apples to oranges.
Which is stronger, "troubador" or "Tr0ub4doR@"? Which is stronger, "correcthorsebatterystaple" or "coRr3cTHor5eb@T3ry5tAplE"?
Furthermore, it assumes that we can remember a pictoral mneumonic for every single password we have to generate. This may be true for some people, but certainly not for everyone. Personally, I remember passwords based on muscle memory, because 99.99% of the time I am typing them in.
posted by muddgirl at 7:25 AM on August 10, 2011 [1 favorite]
Which is stronger, "troubador" or "Tr0ub4doR@"? Which is stronger, "correcthorsebatterystaple" or "coRr3cTHor5eb@T3ry5tAplE"?
Furthermore, it assumes that we can remember a pictoral mneumonic for every single password we have to generate. This may be true for some people, but certainly not for everyone. Personally, I remember passwords based on muscle memory, because 99.99% of the time I am typing them in.
posted by muddgirl at 7:25 AM on August 10, 2011 [1 favorite]
Best answer: Whoops, I intended my examples to be the exact same length, but then I went back and screwed it up. Please pretend that they're the same length.
posted by muddgirl at 7:45 AM on August 10, 2011 [1 favorite]
posted by muddgirl at 7:45 AM on August 10, 2011 [1 favorite]
Best answer: Yes, the comic is factually correct. What it leaves out is many websites limit the user to 8 character passwords, so it's often impossible to use a passphrase. (Why? Because they are built by incompetent assholes.)
posted by Nelson at 8:00 AM on August 10, 2011 [3 favorites]
posted by Nelson at 8:00 AM on August 10, 2011 [3 favorites]
Best answer: > Which is stronger, "troubador" or "Tr0ub4doR@"? Which is stronger, "correcthorsebatterystaple" or "coRr3cTHor5eb@T3ry5tAplE"?
"Stronger" is a loaded term. In the Upper-lower-num-symbol character space, the first two are equally likely to be chosen at random, and the second two are equally likely to be chosen at random.
Password cracking doesn't proceed randomly, though; there are strategies. troubador will be hit first because the attacker is likely to begin with words from the dictionary. correcthorsebatterystaple will be hit first, if certain rules regarding password construction are known to the attacker.
In most publicized security breaches, the attacker is rarely interested in any specific account. They are interested in getting as many accounts as possible. They're not going to spend much time hammering on an account using Tr0ub4d@R as a password when that time could be spent instead on the thousands of accounts using password, passw0rd,12345678, and so on.
posted by ardgedee at 8:10 AM on August 10, 2011 [1 favorite]
"Stronger" is a loaded term. In the Upper-lower-num-symbol character space, the first two are equally likely to be chosen at random, and the second two are equally likely to be chosen at random.
Password cracking doesn't proceed randomly, though; there are strategies. troubador will be hit first because the attacker is likely to begin with words from the dictionary. correcthorsebatterystaple will be hit first, if certain rules regarding password construction are known to the attacker.
In most publicized security breaches, the attacker is rarely interested in any specific account. They are interested in getting as many accounts as possible. They're not going to spend much time hammering on an account using Tr0ub4d@R as a password when that time could be spent instead on the thousands of accounts using password, passw0rd,12345678, and so on.
posted by ardgedee at 8:10 AM on August 10, 2011 [1 favorite]
Best answer: Which is stronger, "troubador" or "Tr0ub4doR@"? Which is stronger, "correcthorsebatterystaple" or "coRr3cTHor5eb@T3ry5tAplE"?
I think the point was that correcthorsebatterystaple is stronger than Tr0ub4doR@. And also that the former has the benefit of being much easier to remember so people are more likely to use secure passwords if they do that.
posted by Kimberly at 8:19 AM on August 10, 2011 [1 favorite]
I think the point was that correcthorsebatterystaple is stronger than Tr0ub4doR@. And also that the former has the benefit of being much easier to remember so people are more likely to use secure passwords if they do that.
posted by Kimberly at 8:19 AM on August 10, 2011 [1 favorite]
Best answer: I'm less concerned about the strength of any one password and much more concerned about the need to use different passwords for different services.
posted by pollex at 8:33 AM on August 10, 2011 [1 favorite]
posted by pollex at 8:33 AM on August 10, 2011 [1 favorite]
Best answer: Yeah, I got what Munroe's point was, but it's like saying, "Apples are better than oranges because you don't have to peel them." correcthorsebatterystaple is stronger in part because it's longer, and since we still need a different set of 4 words for each service, we're writing them down or using a password manager anyway, at which point we can generate close-to-random strings with any characters we want that are stronger than 4 words in the dictionary.
posted by muddgirl at 8:34 AM on August 10, 2011 [2 favorites]
posted by muddgirl at 8:34 AM on August 10, 2011 [2 favorites]
Best answer: In other words, just make it longer.
posted by muddgirl at 8:38 AM on August 10, 2011 [2 favorites]
posted by muddgirl at 8:38 AM on August 10, 2011 [2 favorites]
Best answer: Nonsense. Do you know how many English words there are? My /usr/share/dict/words is about 100k, and that's a rather low figure. If you choose four of those words at random that's approximately 1000004 (= 1020) combinations to try which is MUCH larger than Randal's stated entropy of 244 (≈1013). Saying that this password is easy to guess just because it uses common English words is saying that you don't know what you're talking about.
I assumed that he meant it was no longer safe because the string "correct horse battery staple" has now been given as a sample password by a popular website. Kind of like why "password" is much less secure than any other eight-letter word.
posted by Holy Zarquon's Singing Fish at 8:43 AM on August 10, 2011 [3 favorites]
I assumed that he meant it was no longer safe because the string "correct horse battery staple" has now been given as a sample password by a popular website. Kind of like why "password" is much less secure than any other eight-letter word.
posted by Holy Zarquon's Singing Fish at 8:43 AM on August 10, 2011 [3 favorites]
Best answer: Yes, he's correct. If you make truly random choices from a known wordlist, it's very easy to calculate the entropy of a given passphrase.
Research has repeatedly shown that human beings are terrible at making random (that is, unpredictable) choices unaided though, so using a phrase that you make up could very well be less secure. It wouldn't be difficult to do a study to determine just how much worse a mentally made up passphrase typically is.
posted by elektrotechnicus at 8:45 AM on August 10, 2011 [1 favorite]
Research has repeatedly shown that human beings are terrible at making random (that is, unpredictable) choices unaided though, so using a phrase that you make up could very well be less secure. It wouldn't be difficult to do a study to determine just how much worse a mentally made up passphrase typically is.
posted by elektrotechnicus at 8:45 AM on August 10, 2011 [1 favorite]
Best answer: a passphrase of a given length
posted by elektrotechnicus at 8:46 AM on August 10, 2011 [1 favorite]
posted by elektrotechnicus at 8:46 AM on August 10, 2011 [1 favorite]
Best answer: Someone should do a post in the Blue about the history of passwords. Can't we really trace the confusion about length vs. complexity to the fact that in primitive (20th century) times, system-level passwords typically had hard limits of, say, 8 characters because storage was more precious and processing was not so fast?
posted by mkultra at 8:48 AM on August 10, 2011 [2 favorites]
posted by mkultra at 8:48 AM on August 10, 2011 [2 favorites]
Best answer: In practicality, does it make a difference? My work password is limited to 12 characters. My banking password is limited to 8. Are there sites that accept 24 character passwords?
posted by desjardins at 9:03 AM on August 10, 2011 [1 favorite]
posted by desjardins at 9:03 AM on August 10, 2011 [1 favorite]
Best answer: The long and short of it is yes.
User chosen passwords have been deeply scruitinized by researchers. The two techniques these people used was very cheap mechanical turk labor, and a mathematical technique to decompose sources of entropy so we don't need millions of hacked password databases created with specific policies to measure how entropy works.
One caveat here is that Randall is also confusing user selection of passwords with random selection. I suspect if you were to generate your own passphrase, the password would be harder to remember and easier to crack. Each box in password panels represents a bit and you can clearly see he's assuming each word contributes 11 bits of entropy. But given what we know about the English language, grammar, and user selection, this is optimistic.
posted by pwnguin at 9:05 AM on August 10, 2011 [1 favorite]
User chosen passwords have been deeply scruitinized by researchers. The two techniques these people used was very cheap mechanical turk labor, and a mathematical technique to decompose sources of entropy so we don't need millions of hacked password databases created with specific policies to measure how entropy works.
One caveat here is that Randall is also confusing user selection of passwords with random selection. I suspect if you were to generate your own passphrase, the password would be harder to remember and easier to crack. Each box in password panels represents a bit and you can clearly see he's assuming each word contributes 11 bits of entropy. But given what we know about the English language, grammar, and user selection, this is optimistic.
posted by pwnguin at 9:05 AM on August 10, 2011 [1 favorite]
Best answer: Sorry I don't have time to dive into this discussion; I knew this one would lead to a lot of arguments :)
But to clear up a point or two, zompist is right—there are some subtle problems here, and I was looking at the math pretty carefully (at least, carefully for a webcomic). Information theory is one of my favorite areas, and I spent a while recently working on practical password cracking, which is what I based a lot of this on. I tried to pack in as much context as I could for the math for people who wanted to follow, but I figured there wass only so much wall-of-text people would read before they get bored and switch over to Garfield :)
aram:~$ cat plaintext_passes.txt | egrep -oi "[0-9]$" | sort | uniq -c
52 0
350 1
63 2
168 3
76 4
62 5
99 6
71 7
60 8
42 9
In practice, I think the ending digit probably has more like 2.5 bits of entropy, if you're looking only at passwords constructed of the form in my comic.
Anyway, I hope that clears a few things up! I'm not sure I got everything right, and there are a lot of fundamentally hazy unknowns that depend on the person and the schema, but I think the assumptions and math are basically solid for what they cover. On the other hand, I'm just a guy with a webcomic, so I'll defer to any actual CS and security experts out there.
Information theory is a really cool field, and if you find these issues at all interesting but don't know a lot about them, I definitely recommend picking up a book that talks about entropy and randomness. It's one of the most interesting things I've ever studied.
posted by xkcd at 9:17 AM on August 10, 2011 [254 favorites]
But to clear up a point or two, zompist is right—there are some subtle problems here, and I was looking at the math pretty carefully (at least, carefully for a webcomic). Information theory is one of my favorite areas, and I spent a while recently working on practical password cracking, which is what I based a lot of this on. I tried to pack in as much context as I could for the math for people who wanted to follow, but I figured there wass only so much wall-of-text people would read before they get bored and switch over to Garfield :)
He's not pointing to the length of the password, but to something subtler. He's basically claiming that when asked to create strong passwords (i.e. with numbers, mixed case, and punctuation), people end up following a predictable formula. The formula is explained in the first panel, with an estimate of how much variation there is in each piece, measured in bits. E.g. a number can be stored in just three bits (actually wrong, you need four),I was rounding to the closest bit, since that gives you a smaller error on the resulting time than rounding up—even though four is the number of bits required (since for storage you obviously have to round up). But there's actually another reason–I don't think all numbers are equally probable, so the entropy is actually less than 3 bits. Here's a table of ending digit frequency from an actual set of decrypted passwords:
aram:~$ cat plaintext_passes.txt | egrep -oi "[0-9]$" | sort | uniq -c
52 0
350 1
63 2
168 3
76 4
62 5
99 6
71 7
60 8
42 9
In practice, I think the ending digit probably has more like 2.5 bits of entropy, if you're looking only at passwords constructed of the form in my comic.
while a single bit suffices to indicate whether there's an initial capital or not.I actually cheated a little on that one, because "staple" isn't actually in the 2048-most-common wordlist I checked, but it sounded funnier to me :P (and it depends on your choice of list anyway.)
The four-common-words password is also a formula, and his estimate of 11 bits for each one is equivalent to assuming that the words are chosen from a list of 2048 words. (Which is an adequate definition of "common".)
I think he's underestimating the "strong password" variability-- e.g. three bits for "common substitutions" means he thinks there are only 8 possibilities, which is awfully low. It looks like he's just counting the vowels, but there are other easy substitutions.There are other easy substitutions, but they're made in a pattern, so the practical entropy is again reduced. People usually either do all the numeral substitutions or none, and the more esoteric ones (like 7 for t) come up a lot less frequently. That aside, you also have to look at how frequently there are opportunities for substitutions in the pool of base words. I came up with my number based on frequencies of common and uncommon substitutable letters in a list of six- to nine-letter words. But my guesses for what substitutions are most common could, of course, be wrong!
On the other hand, I think he's underestimating the pool of dictionary words too. No one has the OED memorized, but an educated speaker knows at least ten times that number of words, so his total goes up to 56 bits. And even more if you use a quirky non-dictionary word.I did random sampling from the default Debian dictionary and from a few other corpuses, and against whatever algorithm they have at http://testyourvocab.com/ and decided that even if people *were* picking randomly, 60,000 was a generously high estimate for the number of base words in their vocabulary. 30,000 is closer to typical based on dictionary words. I suspect including non-dictionary words doesn't expand the list nearly as much as one might think; we spend all our lives reading and learning dictionary words, and comparatively little of the text we write pulls from any larger vocabulary of strings. Now, if I took into account the fact that people are without a doubt not capable of generating anything close to a "random word", my entropy would actually be a serious overestimate, but I decided to be generous with that one to make the comparison more fair—since I was assuming that in the passphrase example, the person had a good method for picking a random word. In practice, I bet if you asked a bunch of people on the street to pick a random word they thought no one else would guess, the result would have 8 or 9 bits of entropy at best; I mean, half of them would say "lol, ok, i'm so random ... penguin!"
Anyway, I hope that clears a few things up! I'm not sure I got everything right, and there are a lot of fundamentally hazy unknowns that depend on the person and the schema, but I think the assumptions and math are basically solid for what they cover. On the other hand, I'm just a guy with a webcomic, so I'll defer to any actual CS and security experts out there.
Information theory is a really cool field, and if you find these issues at all interesting but don't know a lot about them, I definitely recommend picking up a book that talks about entropy and randomness. It's one of the most interesting things I've ever studied.
posted by xkcd at 9:17 AM on August 10, 2011 [254 favorites]
Best answer: To avoid dictionary attacks, use at least one portmanteau word or willful misspelling.
posted by Sticherbeast at 10:34 AM on August 10, 2011 [4 favorites]
cinnamon leopard thunder boycycleA dictionary attack *could* get the first three words, although it would take a mindboggling amount of work to get all three of those in the right order. However, "boycycle" does not exist in the dictionary, so now you just have a very long, secure password.
posted by Sticherbeast at 10:34 AM on August 10, 2011 [4 favorites]
Best answer: cinnamon leopard thunder boycycle
Except I don't think most passwords allow spaces, so it'd really just be "cinnamonleopardthunderboycycle"
I mean, guessing 5 words is hard, but it'd be better if it was 3 words and 1 non-word, I'd imagine.
posted by JauntyFedora at 10:41 AM on August 10, 2011 [3 favorites]
Except I don't think most passwords allow spaces, so it'd really just be "cinnamonleopardthunderboycycle"
I mean, guessing 5 words is hard, but it'd be better if it was 3 words and 1 non-word, I'd imagine.
posted by JauntyFedora at 10:41 AM on August 10, 2011 [3 favorites]
Response by poster: Thanks zarq, too busy chortling my head off and favoriting everything in sight to do the sensible stuff first.
And thank you xkcd!!! That just made my day, my week and my month. It's a wonderfully gracious response, and it more than answers my question. I hope it also answers others that arose in the thread.
Really deep and sincere thanks to everyone else too. The answers, links and discussion here had me trotting off following links all evening and actually learning stuff. I'm pretty sure the entropy side of things is the first new maths I've learned in more than a decade, and that's something truly wonderful and very much appreciated.
posted by Ahab at 10:51 AM on August 10, 2011 [1 favorite]
And thank you xkcd!!! That just made my day, my week and my month. It's a wonderfully gracious response, and it more than answers my question. I hope it also answers others that arose in the thread.
Really deep and sincere thanks to everyone else too. The answers, links and discussion here had me trotting off following links all evening and actually learning stuff. I'm pretty sure the entropy side of things is the first new maths I've learned in more than a decade, and that's something truly wonderful and very much appreciated.
posted by Ahab at 10:51 AM on August 10, 2011 [1 favorite]
Best answer: My next password is going to be "penguin penguin penguin penguin" cause that will be 4 times as random as one random word. No one will ever guess.
posted by cotterpin at 11:33 AM on August 10, 2011 [8 favorites]
posted by cotterpin at 11:33 AM on August 10, 2011 [8 favorites]
Best answer: I'm pretty sure the entropy side of things is the first new maths I've learned in more than a decade, and that's something truly wonderful and very much appreciated.
As part of prep for a still unpublished blog post I went to something close to the original materials from Bell Labs on the subject: "A Mathematical Theory of Communication".
It's quite a long paper, but once you've understood it there's a wide variety of situations where it applies with ease. For example, the canonical paper on password entropy is only one page, because it cites previous findings in otherwise totally unrelated fields of physics. And it only showed up in 1994, even though UNIX gurus (also from Bell Labs) published on the problem like 25 years earlier.
posted by pwnguin at 11:50 AM on August 10, 2011 [2 favorites]
As part of prep for a still unpublished blog post I went to something close to the original materials from Bell Labs on the subject: "A Mathematical Theory of Communication".
It's quite a long paper, but once you've understood it there's a wide variety of situations where it applies with ease. For example, the canonical paper on password entropy is only one page, because it cites previous findings in otherwise totally unrelated fields of physics. And it only showed up in 1994, even though UNIX gurus (also from Bell Labs) published on the problem like 25 years earlier.
posted by pwnguin at 11:50 AM on August 10, 2011 [2 favorites]
Best answer: I think pwnguin's link should have been: http://cm.bell-labs.com/cm/ms/what/shannonday/paper.html
posted by Obscure Reference at 12:06 PM on August 10, 2011 [1 favorite]
posted by Obscure Reference at 12:06 PM on August 10, 2011 [1 favorite]
Best answer: My next password is going to be "pwnguin pwnguin pwnguin pwnguin."
posted by desjardins at 12:12 PM on August 10, 2011 [8 favorites]
posted by desjardins at 12:12 PM on August 10, 2011 [8 favorites]
Best answer: desjardins i writes "Are there sites that accept 24 character passwords?"
Metafilter
posted by Mitheral at 12:29 PM on August 10, 2011 [1 favorite]
Metafilter
posted by Mitheral at 12:29 PM on August 10, 2011 [1 favorite]
Best answer: Schneier argues that a complex password in your wallet is safer than a weak password in your mind. Generally, I agree with him, a person with the contents of my wallet could probably talk their way into resetting many of my passwords anyway. Wallets also have a nice bit of intrusion detection associated with them.
But I've stopped memorizing more than the half-dozen passphrases I can't punt to LastPass.
posted by KirkJobSluder at 12:53 PM on August 10, 2011 [1 favorite]
But I've stopped memorizing more than the half-dozen passphrases I can't punt to LastPass.
posted by KirkJobSluder at 12:53 PM on August 10, 2011 [1 favorite]
Best answer: So for people who advocate having length mnemonic passwords and memorizing them, what happens if you incur brain damage from an accident or stroke?
posted by dgeiser13 at 1:05 PM on August 10, 2011 [1 favorite]
posted by dgeiser13 at 1:05 PM on August 10, 2011 [1 favorite]
Best answer: dgeiser13: So for people who advocate having length mnemonic passwords and memorizing them, what happens if you incur brain damage from an accident or stroke?
For work stuff, my supervisor would contact the system administrator. For personal stuff, the person who has legal power of attorney can request a password reset. For almost everything else, it's probably not worth recovering.
posted by KirkJobSluder at 1:15 PM on August 10, 2011 [2 favorites]
For work stuff, my supervisor would contact the system administrator. For personal stuff, the person who has legal power of attorney can request a password reset. For almost everything else, it's probably not worth recovering.
posted by KirkJobSluder at 1:15 PM on August 10, 2011 [2 favorites]
Best answer: So if I wanted to pick up a book about entropy and randomness, what might this book be titled, or who might the author be?
I have passwords for systems that do not allow any vowels, capital letters, or special characters in the system. This seems like odd security design.
posted by jeather at 1:57 PM on August 10, 2011 [1 favorite]
I have passwords for systems that do not allow any vowels, capital letters, or special characters in the system. This seems like odd security design.
posted by jeather at 1:57 PM on August 10, 2011 [1 favorite]
Best answer: Diceware (FAQ, wikipedia) is a technique to build a passphrase from words chosen from a list based on a throw of 5 dice (65 = 7776 possibilities.)
Each word means 12.9 bits of entropy (log2 of 65), so 5 words is fractionally more than 64 bits of entropy, which is good by password standards, as good as 10 randomly selected characters from among all printable ASCII characters, or 11 from mixed-case alphanumeric. (That doesn't sound that impressive, but the randomly selected part creates a much, much larger pool than real people really choose for a 10 or 11 character password.)
I'd use a larger pool than 2048 words, like, say, the diceware list, but it's a good basic technique. The figures I've usually seen quoted (but I don't have citations and would love 'em if you got 'em) are that about 4000 words make for basic English literacy; educated speakers typically know about 19000. Yes, I know that you know much more than that.
posted by Zed at 2:10 PM on August 10, 2011 [1 favorite]
Each word means 12.9 bits of entropy (log2 of 65), so 5 words is fractionally more than 64 bits of entropy, which is good by password standards, as good as 10 randomly selected characters from among all printable ASCII characters, or 11 from mixed-case alphanumeric. (That doesn't sound that impressive, but the randomly selected part creates a much, much larger pool than real people really choose for a 10 or 11 character password.)
I'd use a larger pool than 2048 words, like, say, the diceware list, but it's a good basic technique. The figures I've usually seen quoted (but I don't have citations and would love 'em if you got 'em) are that about 4000 words make for basic English literacy; educated speakers typically know about 19000. Yes, I know that you know much more than that.
posted by Zed at 2:10 PM on August 10, 2011 [1 favorite]
Best answer: samsara: To me, a good password scheme is one that is entered into a login screen that does not allow more than 3 guesses before locking down or introducing other security measures. It's really upon the security provider to recognize hacking attempts. Allowing brute force over a network login is just a bad design decision.
I think it was urbandead who had what struck me as a really cool system. You had to enter your password correctly as many times as you had entered it incorrectly to enter. So, you typo the first time, you have to enter it correctly twice to get in. Fumble it twice, type it right three times. It may also have just been that you had to answer it twice after each incorrect attempt, I have had some wine, and it's been a few years. I like to think of it as being incremental like that tho.
posted by Iteki at 2:19 PM on August 10, 2011 [3 favorites]
I think it was urbandead who had what struck me as a really cool system. You had to enter your password correctly as many times as you had entered it incorrectly to enter. So, you typo the first time, you have to enter it correctly twice to get in. Fumble it twice, type it right three times. It may also have just been that you had to answer it twice after each incorrect attempt, I have had some wine, and it's been a few years. I like to think of it as being incremental like that tho.
posted by Iteki at 2:19 PM on August 10, 2011 [3 favorites]
Best answer: Munroe is right about the entropy and information theory, and that word combinations are better choices in terms of security.
But my password manager currently has 211 passwords in it, and that's just the important ones I've imported. There are probably over 400 that aren't imported from previous schemes.
There's no way I'm remembering that many passwords, regardless of what mnemonic I use. And since I'm using a password manager anyways, I might as well use a random password as muddgirl points out.
posted by formless at 2:23 PM on August 10, 2011 [1 favorite]
But my password manager currently has 211 passwords in it, and that's just the important ones I've imported. There are probably over 400 that aren't imported from previous schemes.
There's no way I'm remembering that many passwords, regardless of what mnemonic I use. And since I'm using a password manager anyways, I might as well use a random password as muddgirl points out.
posted by formless at 2:23 PM on August 10, 2011 [1 favorite]
Best answer: Also, seconding that Information Theory is cool. There are some fun computer science puzzles that at their heart are about information theory. And when you start analyzing algorithms and sorting methods, at the root it all comes down to IT, and how can we use as much information as possible to reduce the number of choices.
In terms of Information Theory references, Elements of Information Theory is a good book.
posted by formless at 2:30 PM on August 10, 2011 [2 favorites]
In terms of Information Theory references, Elements of Information Theory is a good book.
posted by formless at 2:30 PM on August 10, 2011 [2 favorites]
Best answer: So, in what context is this discussion useful?
If you've got access to the password hash, I'm told that rainbow tables make passwords of any reasonable length mostly useless, unless the password+salt exceeds the size of the rainbow table, which becomes more and more improbable each day.
If you're trying to brute-force a login prompt, the rainbow table won't do you much good, but most decent systems should throttle or lock out accounts after a number of successive failed attempts.
So, where does the highly-entropic password actually still have a use?
posted by schmod at 2:37 PM on August 10, 2011 [1 favorite]
If you've got access to the password hash, I'm told that rainbow tables make passwords of any reasonable length mostly useless, unless the password+salt exceeds the size of the rainbow table, which becomes more and more improbable each day.
If you're trying to brute-force a login prompt, the rainbow table won't do you much good, but most decent systems should throttle or lock out accounts after a number of successive failed attempts.
So, where does the highly-entropic password actually still have a use?
posted by schmod at 2:37 PM on August 10, 2011 [1 favorite]
Best answer: If you've got access to the password hash, I'm told that rainbow tables make passwords of any reasonable length mostly useless, unless the password+salt exceeds the size of the rainbow table, which becomes more and more improbable each day.
Whoever told you that was just plain wrong. Decent use of salt kills rainbow tables deader than it does snails.
most decent systems should throttle or lock out accounts after a number of successive failed attempts
Most decent systems shouldn't subject their users to denial of service due to the actions of others, and bots can just switch tactics to trying lots of different accounts sequentially instead of lots of different attempts on a single account. And going by IP doesn't buy you much 'cause they can look up a list of http proxies. It's an arms race where it's hard to remain sure you're discommoding your attackers more than your users.
posted by Zed at 2:52 PM on August 10, 2011 [2 favorites]
Whoever told you that was just plain wrong. Decent use of salt kills rainbow tables deader than it does snails.
most decent systems should throttle or lock out accounts after a number of successive failed attempts
Most decent systems shouldn't subject their users to denial of service due to the actions of others, and bots can just switch tactics to trying lots of different accounts sequentially instead of lots of different attempts on a single account. And going by IP doesn't buy you much 'cause they can look up a list of http proxies. It's an arms race where it's hard to remain sure you're discommoding your attackers more than your users.
posted by Zed at 2:52 PM on August 10, 2011 [2 favorites]
Best answer: schmod: "If you've got access to the password hash, I'm told that rainbow tables make passwords of any reasonable length mostly useless, unless the password+salt exceeds the size of the rainbow table, which becomes more and more improbable each day.
So, where does the highly-entropic password actually still have a use?"
Well first off, password cracking isn't even near the top of our biggest security problems. Password length won't stop phishing attacks, and a rogue AP in the bar district will probably catch a substantial portion of campus over the weekend. But that said, we do have obligations to protect student data from copying or modification, access to the hash is not impossible.
Windows machines get compromised on occasion. In a non-Kerberos world, the salt can easily be made longer, with little computational expense on your end and a huge one on rainbow table attackers. Every extra salt bit adds one bit per user in your system, but doubles the rainbow table size. In a kerberos world, we make the salt predictable per user but still unique. This is a tradeoff you make to not send passwords or hashes out over the wire in the course of normal operation.
Where I think this cartoon is useful is in IT policy setting. Somewhere deep in the bowls of NIST, a rogue Appendix to a Memo deemed that password composition policies increase entropy. Security teams establish a policy for the organization to follow, and when presented with a trade-off between usability and security, rarely sign off on the "less security" option. Fortunately research is showing that NIST was overly optimistic and there may be ways to have cake and eat it too. Still, it's going to be difficult to propose passphrases and not have security tack on number and symbol requirements.
It also means fewer calls to helpdesk about password resets--in a given day password resets dominate helpdesk calls. It also means far less user frustration; we estimate it takes about 3 attempts to select a good password, although we've fixed up our webUI to improve the process.
posted by pwnguin at 3:10 PM on August 10, 2011 [1 favorite]
So, where does the highly-entropic password actually still have a use?"
Well first off, password cracking isn't even near the top of our biggest security problems. Password length won't stop phishing attacks, and a rogue AP in the bar district will probably catch a substantial portion of campus over the weekend. But that said, we do have obligations to protect student data from copying or modification, access to the hash is not impossible.
Windows machines get compromised on occasion. In a non-Kerberos world, the salt can easily be made longer, with little computational expense on your end and a huge one on rainbow table attackers. Every extra salt bit adds one bit per user in your system, but doubles the rainbow table size. In a kerberos world, we make the salt predictable per user but still unique. This is a tradeoff you make to not send passwords or hashes out over the wire in the course of normal operation.
Where I think this cartoon is useful is in IT policy setting. Somewhere deep in the bowls of NIST, a rogue Appendix to a Memo deemed that password composition policies increase entropy. Security teams establish a policy for the organization to follow, and when presented with a trade-off between usability and security, rarely sign off on the "less security" option. Fortunately research is showing that NIST was overly optimistic and there may be ways to have cake and eat it too. Still, it's going to be difficult to propose passphrases and not have security tack on number and symbol requirements.
It also means fewer calls to helpdesk about password resets--in a given day password resets dominate helpdesk calls. It also means far less user frustration; we estimate it takes about 3 attempts to select a good password, although we've fixed up our webUI to improve the process.
posted by pwnguin at 3:10 PM on August 10, 2011 [1 favorite]
Best answer: I think the figures on the diceware page assume a diceware-specific attack (trying all the word combinations on a given wordlist). I think they're much stronger if you assume an alphanumeric brute-force attack.
I think Munroe is wrong here in that attacks on stolen hash tables appear to be dirt common these days. But ultimately, I think this is like the joke about outrunning the bear. I don't need to be the fastest, I just need to be faster than you. But the argument that you're better with a longer passphrase of randomly chosen words than trying to mangle a single word or trying to memorize a sequence of random characters is generally sound.
Pretty much everything based on a single word, with or without simple padding, with or without common substitutions can be trivially broken.
posted by KirkJobSluder at 3:18 PM on August 10, 2011 [1 favorite]
I think Munroe is wrong here in that attacks on stolen hash tables appear to be dirt common these days. But ultimately, I think this is like the joke about outrunning the bear. I don't need to be the fastest, I just need to be faster than you. But the argument that you're better with a longer passphrase of randomly chosen words than trying to mangle a single word or trying to memorize a sequence of random characters is generally sound.
Pretty much everything based on a single word, with or without simple padding, with or without common substitutions can be trivially broken.
posted by KirkJobSluder at 3:18 PM on August 10, 2011 [1 favorite]
Best answer: One possible problem with his scheme is that some websites and operating systems will silently truncate your password and store that hash instead of hashing your entire password, e.g. "correct horse battery staple" truncates to "correct " because of an 8 character maximum somewhere in the bowels of an old VAX. In this case you think your password is uncrackable, but anyone with access to the hashes and a dictionary attack will get it in a few minutes.
posted by benzenedream at 3:32 PM on August 10, 2011 [3 favorites]
posted by benzenedream at 3:32 PM on August 10, 2011 [3 favorites]
Best answer: So for people who advocate having length mnemonic passwords and memorizing them, what happens if you incur brain damage from an accident or stroke?
Umm...the same thing that happens to a person with a simpler password when they get brain damage?
posted by allkindsoftime at 11:53 PM on August 10, 2011 [3 favorites]
Umm...the same thing that happens to a person with a simpler password when they get brain damage?
posted by allkindsoftime at 11:53 PM on August 10, 2011 [3 favorites]
Best answer: Once passwords become too secure to break the fun will be in getting into the LDAP system, searching for all the usernames on the domain and deliberately using wrong passwords en-masse for all users in the domain to create mass-lockout DOS against the enterprise. (LDOS?)
Imagine the fun of having to unlock 50-100 thousand user accounts? Yeah I suppose you could use a script to undo it, but all you have to have is a smartphone anywhere on-net running the script to re-lock all the accounts every few minutes.
In short, cracking passwords scare me less than draconian lockout policies.
posted by roboton666 at 3:27 AM on August 11, 2011 [2 favorites]
Imagine the fun of having to unlock 50-100 thousand user accounts? Yeah I suppose you could use a script to undo it, but all you have to have is a smartphone anywhere on-net running the script to re-lock all the accounts every few minutes.
In short, cracking passwords scare me less than draconian lockout policies.
posted by roboton666 at 3:27 AM on August 11, 2011 [2 favorites]
Best answer: During his company's periodic password audit, a employee was found to be using this password:
GoofyHueyLouieDeweyDaisyDonaldMickeyMinniePhoenix
When he was asked why he had such a long password, he said, "The boss said that my password had to be at least eight characters long and have at least one capital."
posted by blob at 6:54 AM on August 11, 2011 [6 favorites]
GoofyHueyLouieDeweyDaisyDonaldMickeyMinniePhoenix
When he was asked why he had such a long password, he said, "The boss said that my password had to be at least eight characters long and have at least one capital."
posted by blob at 6:54 AM on August 11, 2011 [6 favorites]
Best answer: IT Stack Exchange on the xkcd comic.
posted by Blazecock Pileon at 6:58 AM on August 11, 2011 [2 favorites]
posted by Blazecock Pileon at 6:58 AM on August 11, 2011 [2 favorites]
Best answer: DIsappointed that Monroe didn't sign that Summer Glau, obviously.
posted by jaduncan at 8:46 AM on August 11, 2011 [1 favorite]
posted by jaduncan at 8:46 AM on August 11, 2011 [1 favorite]
Best answer: Whichever manual password creation scheme you use, making up passwords is a pain in the arse, remembering them is a pain in the arse, and given the existence of KeePassX and similar free tools, both are mostly unnecessary.
The only strong password I need to remember (and it's easy to remember, because I need to use it every time I need a password) is the encryption password for my KeePassX password safe. Every other password I use online was created using KeePassX's inbuilt random password generator. They're all at least 16 characters long (and that one's only short because the website in question wouldn't accept anything longer) and drawn from a large alphabet, and I have only ever actually looked at about three of them; the rest I just blindly copy and paste or autotype.
At present, I use the same strong password for my KeePassX safe as I use for a logon password on most of the computers I use. That's kind of a shame. It would be nice to have a KeePassX-like (preferably KeePassX-compatible!) password safe embodied in a USB hardware device that I could insert between a USB keyboard and a PC; that way I could keep my logon passwords in my pocket, and I wouldn't need to know or remember those either.
If anybody feels like building such a device, the way I would like mine to work is as follows:
It would appear to the computer as a four port USB hub with a standard mass storage device connected to one of the ports and the other three brought out to connectors, into any of which a keyboard could be plugged. There should be a short piece of cable between the body of the device and the USB plug for the PC, to avoid the horrible crowbar effects that happen when you plug a big rigid thing into a helpless little USB socket.
Making it work as a password safe would simply require writing passwords.kdb (a password database in KeePassX format) to the root directory of its FAT32-formatted and otherwise completely general-purpose mass storage section.
Any sequence of typed characters between ` (backtick) and , (comma) would get saved as a decryption key; on seeing the comma, the device would attempt to open passwords.kdb using that key. Subsequent characters before a Tab would be saved as an entry name, and on seeing the Tab the device would attempt to find a credentials entry matching that name. If successful, it would emit enough backspace keystrokes to erase all typing back to and including the backtick, then whatever keystrokes were defined by KeePassX as the auto-type string for that credentials entry. If not, it would just pass through the Tab. So if I had my logon credentials saved in passwords.kdb under "logon", I could type `keepassxpassword,logon and hit Tab, and in an astounding flurry of backspaces and auto-text I'd be logged on.
If I cared about shoulder surfers I could simply set up the auto-type for that KeePassX entry to type only the password, which would let me do the whole `, dance inside a password entry field that doesn't echo stuff. If not, the KeePassX auto-type could have both username and password, and I'd be able to see my KeePassX password while typing it into a username field.
Once opened, the passwords database should stay open for five minutes, much the same way sudo works, and let me enter credentials just with their entry names by typing something like `,email[Tab]. Typing `,[Tab] would close the database.
I would unhesitatingly pay $50 for such a device.
posted by flabdablet at 11:58 AM on August 11, 2011 [1 favorite]
The only strong password I need to remember (and it's easy to remember, because I need to use it every time I need a password) is the encryption password for my KeePassX password safe. Every other password I use online was created using KeePassX's inbuilt random password generator. They're all at least 16 characters long (and that one's only short because the website in question wouldn't accept anything longer) and drawn from a large alphabet, and I have only ever actually looked at about three of them; the rest I just blindly copy and paste or autotype.
At present, I use the same strong password for my KeePassX safe as I use for a logon password on most of the computers I use. That's kind of a shame. It would be nice to have a KeePassX-like (preferably KeePassX-compatible!) password safe embodied in a USB hardware device that I could insert between a USB keyboard and a PC; that way I could keep my logon passwords in my pocket, and I wouldn't need to know or remember those either.
If anybody feels like building such a device, the way I would like mine to work is as follows:
It would appear to the computer as a four port USB hub with a standard mass storage device connected to one of the ports and the other three brought out to connectors, into any of which a keyboard could be plugged. There should be a short piece of cable between the body of the device and the USB plug for the PC, to avoid the horrible crowbar effects that happen when you plug a big rigid thing into a helpless little USB socket.
Making it work as a password safe would simply require writing passwords.kdb (a password database in KeePassX format) to the root directory of its FAT32-formatted and otherwise completely general-purpose mass storage section.
Any sequence of typed characters between ` (backtick) and , (comma) would get saved as a decryption key; on seeing the comma, the device would attempt to open passwords.kdb using that key. Subsequent characters before a Tab would be saved as an entry name, and on seeing the Tab the device would attempt to find a credentials entry matching that name. If successful, it would emit enough backspace keystrokes to erase all typing back to and including the backtick, then whatever keystrokes were defined by KeePassX as the auto-type string for that credentials entry. If not, it would just pass through the Tab. So if I had my logon credentials saved in passwords.kdb under "logon", I could type `keepassxpassword,logon and hit Tab, and in an astounding flurry of backspaces and auto-text I'd be logged on.
If I cared about shoulder surfers I could simply set up the auto-type for that KeePassX entry to type only the password, which would let me do the whole `, dance inside a password entry field that doesn't echo stuff. If not, the KeePassX auto-type could have both username and password, and I'd be able to see my KeePassX password while typing it into a username field.
Once opened, the passwords database should stay open for five minutes, much the same way sudo works, and let me enter credentials just with their entry names by typing something like `,email[Tab]. Typing `,[Tab] would close the database.
I would unhesitatingly pay $50 for such a device.
posted by flabdablet at 11:58 AM on August 11, 2011 [1 favorite]
Best answer: It seems to me to solve the problem of several random words that could still be forgotten or something, you need several words pulled in a structured way from a given place that is easy to refer to. A random shelf-pull and opening reveals the first word on each successive line of page 61 of the hardcover version of P.J. O'Rourke's The Bachelor Home Companion is:
Burgundy
room
Worcestershire
makes
off
sage
Simon
That seems nigh-unbreakable, and requires nothing to remember as long as you still have the book on the shelf (possibly with a bookmark or a star pencilled in the corner of the page).
Am I the only one who ever embedded his gym locker combination in a cell phone as an ersatz phone number under the name "Jim"?
posted by ricochet biscuit at 12:36 PM on August 11, 2011 [3 favorites]
Burgundy
room
Worcestershire
makes
off
sage
Simon
That seems nigh-unbreakable, and requires nothing to remember as long as you still have the book on the shelf (possibly with a bookmark or a star pencilled in the corner of the page).
Am I the only one who ever embedded his gym locker combination in a cell phone as an ersatz phone number under the name "Jim"?
posted by ricochet biscuit at 12:36 PM on August 11, 2011 [3 favorites]
Best answer: Why can't a dictionary attack simply include dictionary words to crack simple passphrases?
posted by Brian B. at 6:38 PM on August 11, 2011 [1 favorite]
posted by Brian B. at 6:38 PM on August 11, 2011 [1 favorite]
Best answer:
Also, if you want to see what kind of passwords can actually get cracked, there was a list of the passwords from 'mtGOX', the bitcoin exchange floating around a while ago. It was interesting to see what got cracked. They all followed simple patterns, but it was interesting to see which stuff that 'looked' strong, but really wasn't.
posted by delmoi at 10:31 PM on August 11, 2011 [1 favorite]
"If you've got access to the password hash, I'm told that rainbow tables make passwords of any reasonable length mostly useless, unless the password+salt exceeds the size of the rainbow table, which becomes more and more improbable each day.Rainbow tables aren't magical. In fact, even without a salt a strong password won't get cracked.
So, where does the highly-entropic password actually still have a use?"
Also, if you want to see what kind of passwords can actually get cracked, there was a list of the passwords from 'mtGOX', the bitcoin exchange floating around a while ago. It was interesting to see what got cracked. They all followed simple patterns, but it was interesting to see which stuff that 'looked' strong, but really wasn't.
posted by delmoi at 10:31 PM on August 11, 2011 [1 favorite]
Best answer: I went looking for that mtGOX list, and while I did not find it, I found this discussion of it on Bitcointalk to be really interesting. The speculation about the seemingly secure passwords that make it on the list of cracked passwords is that they had already been hacked in some other way and were there because they were part of a publicly available password dictionary. This seems plausible given what the passwords look like, and the posts from folks with relatively weak passwords that were not compromised. It's a pretty fascinating thread, and it highlights the notion that the biggest danger with password protection is probably the practicalities of good password hygiene (not reusing it, not writing it down, not making it one of the common 'bad' passwords, being careful about phishing, etc.) rather than brute force attacks.
posted by OmieWise at 6:54 AM on August 12, 2011 [1 favorite]
posted by OmieWise at 6:54 AM on August 12, 2011 [1 favorite]
Best answer: Brian B. Why can't a dictionary attack simply include dictionary words to crack simple passphrases?
A dictionary attack can, but the problem scales exponentially the more words you add to the passphrase. The formula for the number of possible passphrases is (dictionary size)^(tokens in passphrase).
posted by KirkJobSluder at 7:15 AM on August 12, 2011 [2 favorites]
A dictionary attack can, but the problem scales exponentially the more words you add to the passphrase. The formula for the number of possible passphrases is (dictionary size)^(tokens in passphrase).
posted by KirkJobSluder at 7:15 AM on August 12, 2011 [2 favorites]
Best answer: Google search for "rainbow tables".
Passwords are stored encrypted on servers. Hackers - even if they steal the encrypted version - can't go backwards with it, because it's one-way encryption. Your password is safe, even if you use it on multiple sites.
Rainbow tables are people precomputing the one-way encryption for *every* possible password. So an 8-character rainbow table, with both upper and lower case characters, numbers, and symbols, is about 100GB; it's something that someone can have on one computer. With that, any password 8 characters or less is much less secure.
So longer passwords are safer. Every extra character makes the matching rainbow table exponentially bigger. Much bigger. Right now, going over 12 characters in a password - using at least one number and character somewhere - puts it as "significantly unlikely" you'll be attacked in this way, unless the person attacking you was willing to spend some money to do it.
posted by talldean at 8:40 AM on August 12, 2011 [1 favorite]
Passwords are stored encrypted on servers. Hackers - even if they steal the encrypted version - can't go backwards with it, because it's one-way encryption. Your password is safe, even if you use it on multiple sites.
Rainbow tables are people precomputing the one-way encryption for *every* possible password. So an 8-character rainbow table, with both upper and lower case characters, numbers, and symbols, is about 100GB; it's something that someone can have on one computer. With that, any password 8 characters or less is much less secure.
So longer passwords are safer. Every extra character makes the matching rainbow table exponentially bigger. Much bigger. Right now, going over 12 characters in a password - using at least one number and character somewhere - puts it as "significantly unlikely" you'll be attacked in this way, unless the person attacking you was willing to spend some money to do it.
posted by talldean at 8:40 AM on August 12, 2011 [1 favorite]
Best answer: I went looking for that mtGOX list, and while I did not find it...
Check your Mefi mail.
posted by flabdablet at 9:14 AM on August 12, 2011 [1 favorite]
Check your Mefi mail.
posted by flabdablet at 9:14 AM on August 12, 2011 [1 favorite]
Best answer: It would be nice to have a KeePassX-like (preferably KeePassX-compatible!) password safe embodied in a USB hardware device that I could insert between a USB keyboard and a PC; that way I could keep my logon passwords in my pocket...
Or you could just use a password safe for your phone. Alternatively, Google now offers two factor authentication using a phone app.
posted by RikiTikiTavi at 9:20 AM on August 12, 2011 [1 favorite]
Or you could just use a password safe for your phone. Alternatively, Google now offers two factor authentication using a phone app.
posted by RikiTikiTavi at 9:20 AM on August 12, 2011 [1 favorite]
Best answer: It would be nice to have a KeePassX-like (preferably KeePassX-compatible!) password safe embodied in a USB hardware device that I could insert between a USB keyboard and a PC; that way I could keep my logon passwords in my pocket...
I think Yubikey is exactly what you're describing. It's a small USB device you can put on your keychain with a single button. When you hit the button it generates a new, random (but decryptable) password and send it to the PC as keyboard input.
I believe it only works with it's own authentication (Yubico), but it works with LastPass (which seems similar to KeePassX) to store all your other passwords by proxy (though only the pay version of LastPass, I think... maybe). I haven't played around with it myself much yet, so I'm not sure about this part.
My boss has had a Yubikey for a while and is a big fan. One has been ordered for me through work, which we plan to use to setup second-factor authentication for access to sensitive data.
posted by meandthebean at 10:54 AM on August 13, 2011 [1 favorite]
I think Yubikey is exactly what you're describing. It's a small USB device you can put on your keychain with a single button. When you hit the button it generates a new, random (but decryptable) password and send it to the PC as keyboard input.
I believe it only works with it's own authentication (Yubico), but it works with LastPass (which seems similar to KeePassX) to store all your other passwords by proxy (though only the pay version of LastPass, I think... maybe). I haven't played around with it myself much yet, so I'm not sure about this part.
My boss has had a Yubikey for a while and is a big fan. One has been ordered for me through work, which we plan to use to setup second-factor authentication for access to sensitive data.
posted by meandthebean at 10:54 AM on August 13, 2011 [1 favorite]
Best answer: (On second thought, it's not "exactly what you're describing" but does seem to be a means to a similar end.)
posted by meandthebean at 10:57 AM on August 13, 2011 [1 favorite]
posted by meandthebean at 10:57 AM on August 13, 2011 [1 favorite]
Best answer: I don't see how it would help me log on to Windows or Linux or a Mac.
I've been thinking a bit more about how my proposed keyboard interceptor device should work, and I've become unhappy with the idea of passing through the keystrokes for the KeePassX database password before recognising them. Needs a little more design time.
posted by flabdablet at 7:18 PM on August 13, 2011 [1 favorite]
I've been thinking a bit more about how my proposed keyboard interceptor device should work, and I've become unhappy with the idea of passing through the keystrokes for the KeePassX database password before recognising them. Needs a little more design time.
posted by flabdablet at 7:18 PM on August 13, 2011 [1 favorite]
Response by poster: flabdablet, I'm not sure I really understand what you want your device to do, but it sounds like a you might be able to do it with something like a rasberry pi (also here and here) attached to a usb hub. Plug a keyboard into one port and your computer into another, have the pi do whatever encryption/decryption tasks you need it to do via scripts running within or on top of the onboard linux os, then pipe the output to your computer?
This is not at all my thing, but I'm guessing your computer could either be off at the start (in which case the output from the rasperry pi after encryption tasks would need to be structured as something like - "on" command for a usb infrared remote > time to boot through to logon screen > change in how the rasperry pi represents its device status from IR remote to keyboard > enter keystroke > password > enter keystroke > normal keyboard input) or you could just have the computer turned on and booted through to the logon screen (in which case your pi's output after encryption tasks would only need to be something like - enter key > password > enter key > normal keyboard input).
Or something like that.
posted by Ahab at 5:06 AM on August 14, 2011
This is not at all my thing, but I'm guessing your computer could either be off at the start (in which case the output from the rasperry pi after encryption tasks would need to be structured as something like - "on" command for a usb infrared remote > time to boot through to logon screen > change in how the rasperry pi represents its device status from IR remote to keyboard > enter keystroke > password > enter keystroke > normal keyboard input) or you could just have the computer turned on and booted through to the logon screen (in which case your pi's output after encryption tasks would only need to be something like - enter key > password > enter key > normal keyboard input).
Or something like that.
posted by Ahab at 5:06 AM on August 14, 2011
Iteki if you were trying to log into your email and couldn't because last night someone tried to hack your password and this morning you had to type it in correctly a zillion times, how many times would you try before you gave up and called the admin to have her reset it?
People seem to be most worried about someone specifically attacking them in this way which seems silly to me. If you were the attacker, you'd find it much more efficient to simply ask a lot of people for their passwords. A small but significant fraction of them will give it to you. There are a lot of relatively simple things you can do to get that percentage up. There's no formula of password storage or complexity which is safe from this.
If the attacker does wish a password from you, a specific target, again you can expect to be asked for it.
posted by wobh at 8:09 AM on August 14, 2011
People seem to be most worried about someone specifically attacking them in this way which seems silly to me. If you were the attacker, you'd find it much more efficient to simply ask a lot of people for their passwords. A small but significant fraction of them will give it to you. There are a lot of relatively simple things you can do to get that percentage up. There's no formula of password storage or complexity which is safe from this.
If the attacker does wish a password from you, a specific target, again you can expect to be asked for it.
posted by wobh at 8:09 AM on August 14, 2011
That Raspberry Pi does look like an amazingly cool device, and if only it had a device-side USB port as well as a host-side one and could be powered from USB, surely could be scripted into doing what I want. Massive hardware overkill, though.
posted by flabdablet at 9:53 PM on August 14, 2011
posted by flabdablet at 9:53 PM on August 14, 2011
wobh, there are countermeasures to rubber-hose cryptanalysis.
Here's a rejigged UI proposal for the keyboard intercepter that means that the PC it's attached to only ever sees individual passwords, never the KeePassX database master password.
The intercepter normally passes through all keys as they're typed. But waiting at least one second, then typing ``` and waiting one more second, activates the interceptor (this is reminiscent of the +++ escape sequence employed by dial-up modems to get into command mode while online). Normally you'd do this when prompted for a username.
On recognizing the escape sequence, what the interceptor does depends on whether the passwords.kdb database is currently open or not.
If it isn't, the interceptor sends three backspaces to erase the ``` from whatever text entry box they've just been typed into, then sends Key: and waits for keyboard input. Each character of input is collected in a buffer and passed through as * (star); backspaces are allowed, erasing the last character in the buffer and passing through as themselves. Hitting Tab or Enter causes the interceptor to pass through enough backspaces to erase all the accumulated stars and the Key: prompt, then attempt to open passwords.kdb using the collected keystrokes as the master password.
If passwords.kdb was successfully opened, the interceptor would then send Login: and wait for more keys. These it would pass through as typed, as well as collecting internally. On detecting Tab or Enter, the interceptor would send enough backspaces to erase all the displayed characters and the Login: prompt, then look up the KeePassX credentials entry whose name is now in its buffer, then send the Auto-Type sequence defined for that entry (KeePassX allows this to be defined arbitrarily per entry; by default, it's a username, then Tab, then a password, then Enter).
Typing Tab or Enter immediately after the interceptor displays Login: or Key: would send enough backspaces to erase the prompt, and then close the database if it was open. The database would also close automatically, five minutes after the last credentials entry was extracted from it.
If passwords.kdb is already open at the time the ``` escape sequence is detected, the interceptor would send three backspaces and then go straight to the Login: stage without going through Key: first.
So, let's assume I've got credentials for my workplace's Windows login, my Gmail account, and my Internet banking set up in KeePassX (or KeePass - same database format) and saved under Work, Gmail and Bank respectively inside the passwords.kdb file on the interceptor's mass storage device. I'd walk up to my workstation, take my handy interceptor from my pocket and plug it in between the PC and its USB keyboard while the PC is powering up.
On being presented with the Windows login screen, I'd hit Ctrl-Alt-Del to begin, then click around as needed to make a Username box appear. Then I'd type ``` and wait for one second. On seeing Key: appear inside the Windows username box, I'd type my KeePassX master password; while typing it, the Windows username box would contain "Key: ***********". Then I'd hit Tab. I'd see the username box erase itself and then display Login: at which point I'd type Work and hit Enter. I'd see the username box erase itself again, then fill with my work username; I'd briefly see a password box fill itself with •••••••••••• and then I'd be logged on to Windows.
I'd fire up a Web browser, click the Gmail bookmark, then click in the Gmail username box, type ``` and wait one second. On seeing "Login: " appear inside the Gmail username box, I'd type Gmail and hit Enter. "Login: Gmail" would erase itself, the Gmail username and password boxes would fill themselves in and I'd be logged in to Gmail.
Halfway through composing a mail, I'm called away to a meeting. I type ``` and wait one second; the word "Login: " appears at the end of the text I'd been typing. I hit Tab to close the interceptor's passwords.kdb database; "Login: " gets backspaced out, I hit Windows-L to lock the workstatation and walk away.
posted by flabdablet at 6:47 AM on August 15, 2011
Here's a rejigged UI proposal for the keyboard intercepter that means that the PC it's attached to only ever sees individual passwords, never the KeePassX database master password.
The intercepter normally passes through all keys as they're typed. But waiting at least one second, then typing ``` and waiting one more second, activates the interceptor (this is reminiscent of the +++ escape sequence employed by dial-up modems to get into command mode while online). Normally you'd do this when prompted for a username.
On recognizing the escape sequence, what the interceptor does depends on whether the passwords.kdb database is currently open or not.
If it isn't, the interceptor sends three backspaces to erase the ``` from whatever text entry box they've just been typed into, then sends Key: and waits for keyboard input. Each character of input is collected in a buffer and passed through as * (star); backspaces are allowed, erasing the last character in the buffer and passing through as themselves. Hitting Tab or Enter causes the interceptor to pass through enough backspaces to erase all the accumulated stars and the Key: prompt, then attempt to open passwords.kdb using the collected keystrokes as the master password.
If passwords.kdb was successfully opened, the interceptor would then send Login: and wait for more keys. These it would pass through as typed, as well as collecting internally. On detecting Tab or Enter, the interceptor would send enough backspaces to erase all the displayed characters and the Login: prompt, then look up the KeePassX credentials entry whose name is now in its buffer, then send the Auto-Type sequence defined for that entry (KeePassX allows this to be defined arbitrarily per entry; by default, it's a username, then Tab, then a password, then Enter).
Typing Tab or Enter immediately after the interceptor displays Login: or Key: would send enough backspaces to erase the prompt, and then close the database if it was open. The database would also close automatically, five minutes after the last credentials entry was extracted from it.
If passwords.kdb is already open at the time the ``` escape sequence is detected, the interceptor would send three backspaces and then go straight to the Login: stage without going through Key: first.
So, let's assume I've got credentials for my workplace's Windows login, my Gmail account, and my Internet banking set up in KeePassX (or KeePass - same database format) and saved under Work, Gmail and Bank respectively inside the passwords.kdb file on the interceptor's mass storage device. I'd walk up to my workstation, take my handy interceptor from my pocket and plug it in between the PC and its USB keyboard while the PC is powering up.
On being presented with the Windows login screen, I'd hit Ctrl-Alt-Del to begin, then click around as needed to make a Username box appear. Then I'd type ``` and wait for one second. On seeing Key: appear inside the Windows username box, I'd type my KeePassX master password; while typing it, the Windows username box would contain "Key: ***********". Then I'd hit Tab. I'd see the username box erase itself and then display Login: at which point I'd type Work and hit Enter. I'd see the username box erase itself again, then fill with my work username; I'd briefly see a password box fill itself with •••••••••••• and then I'd be logged on to Windows.
I'd fire up a Web browser, click the Gmail bookmark, then click in the Gmail username box, type ``` and wait one second. On seeing "Login: " appear inside the Gmail username box, I'd type Gmail and hit Enter. "Login: Gmail" would erase itself, the Gmail username and password boxes would fill themselves in and I'd be logged in to Gmail.
Halfway through composing a mail, I'm called away to a meeting. I type ``` and wait one second; the word "Login: " appears at the end of the text I'd been typing. I hit Tab to close the interceptor's passwords.kdb database; "Login: " gets backspaced out, I hit Windows-L to lock the workstatation and walk away.
posted by flabdablet at 6:47 AM on August 15, 2011
I had assumed that Randall was pointing out the fact that using random easy to remember words with spaces would create a stronger password than a single word password with capitals and numbers.
posted by Peregrin5 at 9:56 PM on August 15, 2011
posted by Peregrin5 at 9:56 PM on August 15, 2011
OK, let me throw my password technique onto the pile here.
Currently, I use a phrase ("IUseAPhrase"), altered with two initials representing the site, and a digit for my password, everywhere. For instance, my passwords look like:
Metafilter IMF5UseAPhrase
Fark IFA5UseAPhrase
Mellon Bank IMB5UseAPhrase
In this way, my password is not composed strictly of dictionary words, does not (typically) contain leet-style substitutions, and does use Mixed Case and 0-9. It's easy-peasy for me to remember, and almost unique for each website.
Problem: there are stupid, STUPID websites out there that limit my passwords to only 8 characters, and/or only use the first 8 characters, and/or require me to have Mixed Case and a digit in my password. Ergo, a good password scheme should accommodate all those possibilities; mine does:
Dumb Website IDW5UseA
Either the website or I clip the password at 8 chars, which still meet the other criteria.
Let's move to four dice words:
main trump novo dyke
Add a randomly-chosen integer: 8.
Add a randomly-chosen special character, chosen from the keyboard character over a random digit: ^
And, of course, the website initials. Take two, so the frequency of repetition is low, but the certainty is high that you'll grab the right two initials (if I used *3* initials from Mellon Bank, did I use MEL, MBI, or... what?). I don't start with those initials, because if for any reason at all I have to give a single password to a friend, it's not immediately clear what my scheme is.
Metafilter Mainmf8Trump^NovoDyke
Fark Mainfa8Trump^NovoDyke
Mellon Bank Mainmb8Trump^NovoDyke
Dumb Website Maindw8T
OK, that's a lot of typing, but I now have a "single" password that I can use uniquely for every account. If a website is gathering passwords to use maliciously, it's incredibly unlikely they're hand-processing anything at all, and so my 2-initial customization means that a security leak on Metafilter or FB won't jeopardize my Mellon Bank password (and vice versa).
(If you don't have dice handy, you can still generate truly random numbers here.)
posted by IAmBroom at 2:05 PM on August 16, 2011
Currently, I use a phrase ("IUseAPhrase"), altered with two initials representing the site, and a digit for my password, everywhere. For instance, my passwords look like:
Metafilter IMF5UseAPhrase
Fark IFA5UseAPhrase
Mellon Bank IMB5UseAPhrase
In this way, my password is not composed strictly of dictionary words, does not (typically) contain leet-style substitutions, and does use Mixed Case and 0-9. It's easy-peasy for me to remember, and almost unique for each website.
Problem: there are stupid, STUPID websites out there that limit my passwords to only 8 characters, and/or only use the first 8 characters, and/or require me to have Mixed Case and a digit in my password. Ergo, a good password scheme should accommodate all those possibilities; mine does:
Dumb Website IDW5UseA
Either the website or I clip the password at 8 chars, which still meet the other criteria.
Let's move to four dice words:
main trump novo dyke
Add a randomly-chosen integer: 8.
Add a randomly-chosen special character, chosen from the keyboard character over a random digit: ^
And, of course, the website initials. Take two, so the frequency of repetition is low, but the certainty is high that you'll grab the right two initials (if I used *3* initials from Mellon Bank, did I use MEL, MBI, or... what?). I don't start with those initials, because if for any reason at all I have to give a single password to a friend, it's not immediately clear what my scheme is.
Metafilter Mainmf8Trump^NovoDyke
Fark Mainfa8Trump^NovoDyke
Mellon Bank Mainmb8Trump^NovoDyke
Dumb Website Maindw8T
OK, that's a lot of typing, but I now have a "single" password that I can use uniquely for every account. If a website is gathering passwords to use maliciously, it's incredibly unlikely they're hand-processing anything at all, and so my 2-initial customization means that a security leak on Metafilter or FB won't jeopardize my Mellon Bank password (and vice versa).
(If you don't have dice handy, you can still generate truly random numbers here.)
posted by IAmBroom at 2:05 PM on August 16, 2011
Ideas like Keepsafe and keyfob generators bug me, because I simply cannot guarantee web/app/keyfob access every fricking time I need a password.
posted by IAmBroom at 2:07 PM on August 16, 2011
posted by IAmBroom at 2:07 PM on August 16, 2011
If I don't have enough control (or security) to download KeePass and my encrypted password database off of dropbox, then there isn't any way to ensure that my password isn't being keyelogged.
I use "dumb" passwords for sites like Metafilter, that I might access safely on the road. For stuff like banks, my web server, and gmail, I wouldn't want to access those from a public computer in the first place.
posted by muddgirl at 3:03 PM on August 16, 2011
I use "dumb" passwords for sites like Metafilter, that I might access safely on the road. For stuff like banks, my web server, and gmail, I wouldn't want to access those from a public computer in the first place.
posted by muddgirl at 3:03 PM on August 16, 2011
Unplugging a keyboard's USB cable in order to insert the password interceptor would be a natural opportunity to detect at least some hardware keyloggers. It wouldn't help you find a logger embedded in the keyboard itself, or a software one running on the PC. However, any keylogger on the keyboard side of the interceptor would only get access to a KeePassX master password for a database that could easily be made completely inaccessible to the host PC (all that would take is a do-not-mount switch on the interceptor to prevent it exposing its mass storage interface). A logger on the PC side would only get whatever passwords you'd actually used in that session.
It would also be quite easy to stick an entire bootable OS on the interceptor's mass storage side, which could mitigate many of the security problems inherent in using public computers. This would actually be fairly safe if you always made sure to plug the interceptor into one of the on-motherboard USB connectors at the rear of a PC; adding hardware keylogging to one of those involves more soldering than most public computer owners are up for.
posted by flabdablet at 7:15 PM on August 16, 2011
It would also be quite easy to stick an entire bootable OS on the interceptor's mass storage side, which could mitigate many of the security problems inherent in using public computers. This would actually be fairly safe if you always made sure to plug the interceptor into one of the on-motherboard USB connectors at the rear of a PC; adding hardware keylogging to one of those involves more soldering than most public computer owners are up for.
posted by flabdablet at 7:15 PM on August 16, 2011
You could easily use actual randomness when initially generating the passwords. Two examples :
(1) You simply apply Randall's procedure beginning with a couple truly random dictionary words, which you might find using :
(2) Ignore all the silly characters and focus upon making a long but rememberable password by making nonsense words using pronounceable syllables, like say consonant-vowel-consonant combinations. In this next password generator, each consonant adds 4.3 bits of entropy and each vowel maybe 2.3 bits, giving 11 bits per syllable, but again requiring fine tuning to create a memorable password.
posted by jeffburdges at 9:15 AM on August 25, 2011
(1) You simply apply Randall's procedure beginning with a couple truly random dictionary words, which you might find using :
#!/usr/local/bin/perlAs my /usr/share/dict/words has 234936 line, the first n lines of output are a password with n * 17.8 bits of entropy. You should however select more familiar words and conjugate them to obtain something I'll remember, greatly reducing this entropy, but you'll certainly avoid the penguin penguin penguin problem.
use Tie::File;
tie (@D, 'Tie::File', "/usr/share/dict/words", mode => O_RDONLY) or die;
print ($D[rand $#D+1] . "\n") foreach (1..15);
untie @D;
(2) Ignore all the silly characters and focus upon making a long but rememberable password by making nonsense words using pronounceable syllables, like say consonant-vowel-consonant combinations. In this next password generator, each consonant adds 4.3 bits of entropy and each vowel maybe 2.3 bits, giving 11 bits per syllable, but again requiring fine tuning to create a memorable password.
#!/usr/local/bin/perlYou could slightly tweak up the entropy by using a flatter probability distribution on the vowels.
%vowel_freqs = (a => 82, e => 127, i => 70, o => 75, u => 28, y => 20);
while (($c,$f) = each %vowel_freqs) { push(@vowels,$c) foreach (1..$f); }
foreach $i (1..10) {
do { $c = chr(ord('a') + rand 26) } while ( $c =~ /[aeiouy]/ );
print $c;
print $vowels[rand $#vowels+1] if ($i % 2);
}
posted by jeffburdges at 9:15 AM on August 25, 2011
Just fyi, the entropy of a probability distribution is - Σi≤n pi log2 pi, which clearly equals log2 n when pi = 1/n for i ≤ n, i.e. the uniform distribution.
posted by jeffburdges at 9:37 AM on August 25, 2011
posted by jeffburdges at 9:37 AM on August 25, 2011
« Older Let's Make Like a Tree: and Leaf [Leave] hahaha! | Chrome prints image-only PDFs by default Newer »
This thread is closed to new comments.
The Wikipedia article on Passphrases gives a good overview.
posted by Gary at 1:25 AM on August 10, 2011 [1 favorite]