Passwords should not be random characters and numbers.
|
Author | Content |
---|---|
dotmatrix Apr 19, 2016 9:18 AM EDT |
Passwords should be sentences... like this one: Once_upon_a_time_I_ate_5_hotdogs! You can test the entropy of your password here: http://rumkin.com/tools/password/passchk.php My example sentence scores well:
However, it's well past time to retire passwords altogether and start using cryptographic keys instead. Again... there's a cartoon for this one: https://xkcd.com/936/ |
vainrveenr Apr 19, 2016 12:02 PM EDT |
Quoting: Passwords should be sentences...

On the other hand, it is security technologist Bruce Schneier's contention in the piece 'Choosing Secure Passwords' found at https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html that passwords rather SHOULD BE random characters and numbers. As Schneier specifically writes:

Quoting: Pretty much anything that can be remembered can be cracked.

Quoting: Again... there's a cartoon for this one:

But in the same piece as above Schneier specifically addresses that cartoon:

Quoting: Modern password crackers combine different words from their dictionaries:

Perhaps the thread title of "Passwords should not be random characters and numbers" is rather poor advice to give for the more security-conscious, i.e., poor advice for those requiring heightened security for their more sensitive, confidential programs & data. |
dotmatrix Apr 19, 2016 1:17 PM EDT |
I've only had one of my passwords get broken. It was a length twelve alpha-numeric with special characters. I use a throw away password on this site, because all passwords and usernames are transmitted in plain text... for reasons unknown to me. However, at any given moment, some random attacker capturing clear text traffic could log on to LXer as me and post stuff... All other places I use sentences which include at least one number and three special characters. My typical password entropy is around 180 bits, and none of those have been broken.

In general, most passwords are at least as safe as the website's security. And it is much more likely that the website's database will be cracked rather than a given user's password... and then the web site owner has a problem because he/she failed to salt properly. In most other cases, social engineering is quicker and has a higher success rate in compromising accounts than brute forcing passwords.

Bruce Schneier has some really good advice, but the password stuff... no. It's much better if you can remember your password. It's even better when you don't have one.

***

In the context of the posted article: If you can't remember your password, then you must change the password. |
jdixon Apr 19, 2016 1:23 PM EDT |
> Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them. I use KeepassX for that purpose. |
dotmatrix Apr 19, 2016 1:33 PM EDT |
If you use a password safe for passwords, you are trusting the security of the passwords to the password safe. If there is a remote exploit for the given password safe, you are sunk. I'm sure passwords generated and secured via most password safes are probably fine. But, in effect, all your passwords have been written down -- on the computer. As I've posted before, I lament the basic failure of web developers in creating an authentication path for PGP keys. If such a thing existed and was in wide use, smart cards could be purchased for a few dollars like this one: https://www.sigilance.com/store/ If a user generates the keys on the card, the secret key is never exposed beyond the card boundary. And then, passwords would be entirely unneeded and so would the discussion about password entropy. |
jdixon Apr 19, 2016 1:59 PM EDT |
> If there is a remote exploit for the given password safe, you are sunk. Yep. But an analysis of the alternatives indicates that it's probably the best solution for most people. They only need to remember one good password (well, two if they have a logon password). |
jdixon Apr 19, 2016 2:00 PM EDT |
> ... smart cards could be purchased for a few dollars like this one: 25 is not "a few". :) |
NoDough Apr 19, 2016 2:19 PM EDT |
To assure ultimate security, I insist that web site operators deny access to my account unless I show up at the hosting location with government issued photo ID and log on to a locally connected workstation. This post alone cost me 8 hours of driving. Please don't ask me any questions. By the time you read this I will have already left and the answer would require another 8 hour drive. Signed, No (security by insanity) Dough |
dotmatrix Apr 19, 2016 2:35 PM EDT |
Keepass in 2012: http://www.cvedetails.com/product/23054/Keepass-Keepass.html?vendor_id=12214 http://www.vulnerability-lab.com/get_content.php?id=615

Passwordsafe in 2006: http://www.securiteam.com/windowsntfocus/5NP0Q20I0E.html

Of course these are old and patched... but it shows that 'password keepers' are not necessarily to be blindly trusted, even ones written by Schneier himself.

> They only need to remember one good password.

If there is one good password and malware has been installed on the system... your good password is no longer a problem for the attacker.

> (well, two if they have a logon password).

Login password is immaterial, since once one is logged in to a system -- that user is logged in... and presumably the logged in user is the user using the password keeper.

> indicates that it's probably the best solution for most people.

I won't argue that point. Simply that most worthwhile account compromises are probably not the result of brute forced passwords -- regardless of entropy. The big money is in social engineering aka spear phishing, not brute force. http://www.infosecurity-magazine.com/news/average-cost-of-a-spear-phishing/

> 25 is not "a few". :)

$25.00 is less than a Raspberry Pi. And that particular card has NFC... which means you can put it in your pocket-protector shirt pocket [like all us nerds have] and just swipe your phone over the card to access your authentication key. My authentication security is worth a $25.00 one time fee. |
jdixon Apr 19, 2016 2:44 PM EDT |
> If there is one good password and malware has been installed on the system What makes you think I'm using Windows? :) Well, I am at work, but that's not my choice. > $25.00 is less than a Raspberry Pi. ... My authentication security is worth a $25.00 one time fee. I have no doubt that it's worth the money. That still does not make 25 "a few". |
mbaehrlxer Apr 19, 2016 3:15 PM EDT |
I am sorry, but can someone explain why, if "tlpWENT2m" is a good password, "This little piggy went to market" should be a worse one? If the cracker can guess the written-out sentence, it is just a few permutations to generate and guess the shorter version. greetings, eMBee. |
jdixon Apr 19, 2016 3:45 PM EDT |
> i am sorry, but can someone explain why, if "tlpWENT2m" is a good password, should "This little piggy went to market" be a worse one? The first requires a brute force attack, since it (in theory) wasn't in a dictionary. The second only requires a dictionary attack. |
dotmatrix Apr 19, 2016 4:08 PM EDT |
@jdixon: That's why the sentence needs to use underscores for spaces, include the punctuation, and throw in a number. My given example, in the first post, is also not in anyone's dictionary.

The Schneier example is a strawman argument based on an xkcd comic about the inanity of using passwords that are compact and secure versus passwords that are sparse but longer and easier for humans to remember.

Example: iloveyou changes to: I_love_you_2!

The memorability of each of these is about the same. But... The first version is 28 bits and weak. The second version is 62 bits and "Strong - This password is typically good enough to safely guard sensitive information like financial records." However, I wouldn't recommend either since the general phrase "I love you" is common enough to be discovered in either case.

But... a good password sentence is something interesting like: The_black_phone_on_my_desk_rings_40_times_a_day!

I don't know about most people, but I have no problem remembering something like that for a few months or so... and that sentence is very very unlikely to be discovered via a dictionary attack and has... 243 bits of entropy. |
patrokov Apr 19, 2016 4:15 PM EDT |
I used to let KeepassX generate my passwords for me until I had to enter my password into a computer that didn't have Keepass on it. Looking at my phone and trying to type sF34;'22#@(')FJej2l,m] is REALLY hard, and even harder when the password is obscured. I think the xkcd style passwords can still be effective if you're using different symbols between letters and possibly include punctuation and numbers like dotmatrix says. But then again, I'm not a cracker. On the other hand, I've only had one password cracked in 20 years of using the interwebs. |
BernardSwiss Apr 19, 2016 7:12 PM EDT |
OK... I'm not an expert, and security is notoriously tricky even for experts, but as I understand the matter...

The XKCD style passwords are in fact generally more secure -- but only IF

1) you are using a "password" that is at least six words long (i.e. ~30 characters, not a mere dozen characters). An eight or twelve character "not really random" password including one or maybe two dictionary words (even if obfuscated by "a -> @, r -> 4, o -> 0, before -> B4" style transliterations) is not terribly secure against modern cracking methods. In fact, the crackers likely won't even bother turning to their dictionaries for such short passwords. (Note: I respect and admire Bruce Schneier -- but those weren't actually xkcd-style passwords.) But a string of more than half a dozen randomly selected words (from a list of several thousand 5+ character long words) is still a big problem for even modern methods. (Otoh, cloud computing is redefining "too big" at a scary rate.)

2) the "password" isn't being silently truncated to some more "reasonable" length. That apparently is (was?) a fairly significant problem on many websites (including some banks), and in situations where the password setting routine and the password checking routine had different assumptions about how long a password could be, and a problem with many "single sign-in/log-in" situations, where one's signed-in status/credentials are shared among several related sites.

Here are some interesting links:

Anatomy of a hack: How crackers ransack passwords like "qeadzcwrsfxv1331" http://arstechnica.com/security/2013/05/how-crackers-make-mi...

Diceware passwords now need six random words to thwart hackers http://arstechnica.com/information-technology/2014/03/dicewa...

Why your password can’t have symbols—or be longer than 16 characters http://arstechnica.com/security/2013/04/why-your-password-ca... |
dotmatrix Apr 19, 2016 9:06 PM EDT |
OK... just do this and be done with it:

$ uuidgen -r | sha512sum | awk '{print $1}'

****

It's unclear to me how choosing 6 words from a 'special' list of exactly 7776 words is going to result in a password that is easier to remember or more secure than thinking of a few random sentences on your own like these:

Did_the_red_spider_have_7_flies_in_its_web?
I_drove_over_the_gray_mouse_last_night_at_8_o'clock.
All_your_hair_fell_out_because_you_drank_3_extra_beers.

****

Oh well. I suppose it's off to play with gpg authentication or off to the funny farm for us all. |
BernardSwiss Apr 19, 2016 10:42 PM EDT |
Straightforward math:

(7776)^6 = 2.210739197×10²³ * (possible combinations of 6 words -- all lower case, no spaces) from the dice-words list
(7776)^7 = 1.7190708×10²⁷ (possible combinations of 7 words -- all lower case, no spaces)

(*) (technically, only 2.206477761×10²³, :-) because you won't use a word twice)

- - - - - - - - - - -

(62)^12 = 3.226266762×10²¹ (possible combinations of 12 alphanumeric characters)
(62)^13 = 2.000285393×10²³ (possible combinations of 13 alphanumeric characters)
(80)^12 = 6.871947674×10²² (possible combinations of 12 alphanumeric characters plus special characters)

- - - - - - - - - - -

Of course, both probabilities can be expanded by padding with special characters.

So a long string (30+ characters) of a half-dozen easily remembered words beats out a short string (10-14 characters?) of random characters.

The difference between 6 random words and a sentence is that sentences aren't random -- so a sentence is going to be much more vulnerable to a sophisticated (non brute force) attack. |
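To put BernardSwiss's figures and dotmatrix's uuidgen pipeline side by side, here is an added Python example (not code from this thread) that expresses the same search-space sizes as bits of entropy, estimates worst-case exhaustive-search time at an assumed guess rate, and draws a Diceware-style passphrase with the `secrets` module rather than `random`. The eight-word list and the 1e11 guesses/second rate are constructed stand-ins for illustration; a real Diceware list has 7776 entries.

```python
"""Diceware-style passphrase generation and the search-space arithmetic from
the thread (7776-word list versus 62- and 80-symbol random strings).
Added example; not code from the original discussion."""
import math
import secrets

DICEWARE_LIST_SIZE = 7776  # 6^5 words, one per five dice rolls

# Constructed stand-in for the real Diceware list (which has 7776 entries);
# this short list only exists so the example runs offline.
SAMPLE_WORDS = ["acid", "bison", "cobalt", "dune", "ember", "flint", "gorge", "hazel"]


def bits_for_random_string(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def bits_for_diceware(words: int, list_size: int = DICEWARE_LIST_SIZE,
                      allow_repeats: bool = True) -> float:
    """Entropy of `words` words drawn uniformly from a list of `list_size`.

    With allow_repeats=False the count is the falling factorial
    list_size * (list_size - 1) * ..., i.e. the "technically only" figure
    for never reusing a word."""
    if allow_repeats:
        return words * math.log2(list_size)
    total = 1
    for i in range(words):
        total *= list_size - i
    return math.log2(total)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "_") -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e11  # assumed offline attack rate for a fast hash; illustrative only
    rows = [
        ("6 Diceware words", bits_for_diceware(6)),
        ("6 Diceware words, no repeats", bits_for_diceware(6, allow_repeats=False)),
        ("7 Diceware words", bits_for_diceware(7)),
        ("12 alphanumeric chars", bits_for_random_string(62, 12)),
        ("13 alphanumeric chars", bits_for_random_string(62, 13)),
        ("12 chars from 80 symbols", bits_for_random_string(80, 12)),
    ]
    for label, bits in rows:
        print(f"{label:30s} {bits:6.2f} bits  ~{years_to_exhaust(bits, rate):.2e} years at 1e11/s")
    print("sample passphrase from the tiny demo list (NOT secure):", diceware_passphrase(6))
```

The entropy figures only hold when the words really are drawn uniformly at random from the list, which is the point BernardSwiss makes about sentences: a self-composed phrase has whatever structure the author's language habits give it, and that is not measured by list size to the power of word count.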
mbaehrlxer Apr 20, 2016 4:58 AM EDT |
"tlpWENT2m" is not in the dictionary, but it can be generated with a few transformations. Let's assume that "This little piggy went to market" is in the cracker's dictionary. The cracking code will use it to generate a few likely passwords:

This_little_piggy_went_to_market
Thislittlepiggywenttomarket
Thislittlepiggywent2market
Tlpwtm
Tlpm2m
Thislpw2m
Tlittlepw2m
Tlpiggyw2m
Tlpwent2m
Tlpw2market

These are all straightforward transformations. Add a few more with variations using upper and lower case and tlpWENT2m is found. greetings, eMBee. |
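The mangling eMBee describes is exactly what rule-based crackers do. Here is an added Python example (not code from this thread) that applies a small, assumed rule set to the one dictionary phrase, "initial or full word, a leet substitute for 'to', three casings, four separators", and checks each candidate against a leaked hash. The hash is a constructed SHA-256 of the target so the example runs offline; a real password store should be using bcrypt, scrypt or Argon2, which only slows this loop down, it does not change the arithmetic.

```python
"""Rule-based ("mangling") dictionary attack over one phrase, in the style of
hashcat/John rules. Added example; not code from the original thread.
The target hash is constructed for the demo (SHA-256, unsalted)."""
import hashlib
from itertools import product
from typing import Iterator, Optional

# Assumed, deliberately small rule set; real rule files are far larger.
LEET = {"to": "2", "too": "2", "for": "4"}
SEPARATORS = ("", "_", " ", "-")
CASES = (str.lower, str.upper, str.capitalize)


def word_forms(word: str) -> set:
    """All forms one word can take: full word, initial letter, leet substitute,
    each in lower / UPPER / Capitalized."""
    base = {word, word[0]}
    if word.lower() in LEET:
        base.add(LEET[word.lower()])
    return {case(form) for form in base for case in CASES}


def candidates(phrase: str) -> Iterator[str]:
    """Yield every combination of per-word forms joined by each separator.
    For a six-word phrase this is about 75k candidates: a few bits on top of
    the single dictionary entry, nowhere near the entropy of the full length."""
    per_word = [sorted(word_forms(w)) for w in phrase.split()]
    for sep in SEPARATORS:
        for combo in product(*per_word):
            yield sep.join(combo)


def sha256_hex(s: str) -> str:
    """Stand-in for the leaked hash format."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def crack(target_hex: str, phrase: str) -> Optional[str]:
    """Return the candidate derived from `phrase` whose hash matches, or None."""
    for cand in candidates(phrase):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


if __name__ == "__main__":
    phrase = "This little piggy went to market"
    leaked = sha256_hex("tlpWENT2m")          # constructed "dump" entry
    print("candidates tried:", sum(1 for _ in candidates(phrase)))
    print("recovered:", crack(leaked, phrase))
```

The takeaway matches both sides of the thread: once the sentence is in the attacker's phrase list, the abbreviated form costs only the handful of bits the rules add, so "tlpWENT2m" is no stronger than the sentence it came from; and a sentence that is not in any list (dotmatrix's point) is not reached by this loop at all.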
dotmatrix Apr 20, 2016 8:42 AM EDT |
@BernardSwiss: I understand the math and the probabilities... but I have yet to see proof, mathematical or philosophical, that the 5 sentences I wrote are somehow 'not as good as' using 6 words from the 'magic' list of 7776 words. I was curious -- and looking through the list, I see I generally hit many of the words anyway. There shouldn't be anything special about the choice of words nor the 'randomness' of choosing the words - remember the list is a dictionary and the 'strength' of the password sentence is only good within a certain amount of available attacker computing power. It's simply the predictability of certain word combinations.

So, I suppose if most human password creators are not creative enough with the password sentence, there may be a problem. Perhaps, there may be 200 "I_Love_You_2!" sentences in a long list of user passwords... However, I strongly refute the need for choosing 6 random words from the special list... and challenge anyone to retrieve my particular password sentences from a list of hashes.

Bad password sentences would be:

How are you doing today?
Thank goodness it's Friday.

*** And so on...

It should be very easy for people to understand that:

I_like_the_2_yellow_dresses_you_bought!

is a better choice than:

letsgopatriots

even though both are easy to create and remember. |
mbaehrlxer Apr 21, 2016 11:18 AM EDT |
Maybe counting the hits of a phrase on a search engine might give a hint on how likely it is that such a phrase appears in an attacker's phrase list. greetings, eMBee. |
flufferbeer Apr 21, 2016 4:05 PM EDT |
@vainrveenr and other "pro-randomizers",

>> Perhaps the thread title of "Passwords should not be random characters and numbers" is rather poor advice to give for the more security-conscious, i.e., poor advice for those requiring heightened security for their more sensitive, confidential programs & data.

Great link to that Schneier suggestion on random passwds https://www.schneier.com/blog/archives/2014/03/choosing_secu... . Already bookmarked this. 2c |
dotmatrix Apr 21, 2016 9:10 PM EDT |
@flufferbeer: How to use ssh keys with a DD-WRT router: http://linuxneophyte.com/dd-wrt-ssh-remote-management-with-public-key-authentication/ I have a DD-WRT router... but I have become disenchanted with the limited capability to do certain things... and, speaking of passwords, I think the passwords are hashed with MD5 -- not great. My router is definitely the weakest security link... and that should just not be the case. I think the following is going to be my next router in a little while because many things are just so much easier when you build it yourself. http://www.newegg.com/Product/Product.aspx?Item=N82E16856173128 with this: http://www.newegg.com/Product/Product.aspx?Item=N82E16820191523 and this: http://www.newegg.com/Product/Product.aspx?Item=N82E16820016001 |
flufferbeer Apr 24, 2016 11:12 AM EDT |
> Seems that those better randomized and shorter 10 to 14 mixed character+symbol ones --- as maximally acceptable --- are absolutely EXCELLENT for changing away from those default router passwords that too many rushed admins use!

BTW, that's likely for WE rushed admins..... mostly any of us using your basic home routers like Linksys/Cisco's with firmware variants DD-WRT or Tomato variations or OpenWRT.

On the one hand seems to me that word-delimiters in sentences of ANY sort --- standard single blankspaces, underlines, dashes, commas, whatever --- will SOONER rather than later get figured out. OTOH, while it's not great security-wise in terms of password-selection, K.I.S.S. really helps in memorization. 2more c's |
dotmatrix Apr 24, 2016 11:46 AM EDT |
> word-delimiters in sentences of ANY sort

There is a 72 character limit on bcrypt password hashes using PHP's password_hash()... That's this long:

123456789012345678901234567890123456789012345678901234567890123456789012

Even if an attacker can guess that the beginning of the sentence is a capital letter and the end of the sentence is some punctuation... that doesn't change the entropy that much... |
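The 72-byte limit matters for exactly the long passphrases this thread recommends: bcrypt silently ignores everything after byte 72, so two sentences that share their first 72 bytes verify as the same password, and multi-byte UTF-8 characters hit the limit sooner than 72 characters. Here is an added Python example (not code from this thread) that simulates that truncation without a bcrypt library, and shows the usual workaround of pre-hashing the passphrase to a fixed-length, NUL-free input before bcrypt. The 72-character line is dotmatrix's; the `_A`/`_B` suffixes and the umlaut string are constructed.

```python
"""The bcrypt 72-byte input limit, simulated, and the pre-hash workaround.
Added example; not code from the original thread. bcrypt_effective_input()
models the truncation only; it is not a bcrypt implementation."""
import base64
import hashlib

BCRYPT_MAX_BYTES = 72  # bcrypt keys on at most this many input bytes


def bcrypt_effective_input(password: str) -> bytes:
    """The bytes bcrypt actually uses: UTF-8 encoding cut at 72 bytes.
    (Simulation of the documented truncation.)"""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def exceeds_bcrypt_limit(password: str) -> bool:
    """Check to run at registration time; note it counts bytes, not characters."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


def prehash_for_bcrypt(password: str) -> bytes:
    """Reduce any passphrase to a fixed 44-byte bcrypt input.

    SHA-256 first, then base64: the digest alone may contain 0x00, and some
    bcrypt implementations treat NUL as end of string, which would silently
    shorten the effective input again. Base64 output never contains NUL."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)  # 44 bytes, always under the 72-byte limit


if __name__ == "__main__":
    prefix = "123456789012345678901234567890123456789012345678901234567890123456789012"
    a, b = prefix + "_A", prefix + "_B"   # constructed: differ only after byte 72
    print("same bcrypt input?  ", bcrypt_effective_input(a) == bcrypt_effective_input(b))
    print("same pre-hashed?    ", prehash_for_bcrypt(a) == prehash_for_bcrypt(b))
    print("40 umlauts over 72? ", exceeds_bcrypt_limit("ä" * 40))  # 80 bytes
```

If the `bcrypt` package is installed, the value returned by `prehash_for_bcrypt()` is what you pass to `bcrypt.hashpw()` at registration and to `bcrypt.checkpw()` at login; the pre-hash must be applied identically on both paths, which is the mismatch BernardSwiss describes between setting and checking routines.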
flufferbeer May 11, 2016 10:07 AM EDT |
@jdixon

>> Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them.

> I use KeepassX for that purpose.

Now there's this that bob just submitted..... https://www.linux.com/learn/two-best-password-manager-gui-ap... both KeepassX AND Password Gorilla look interesting 'nuf -fb |
jdixon May 11, 2016 7:15 PM EDT |
> both KeepassX AND Password Gorilla look interesting 'nuf I've used both. I have a slight preference for KeepassX, but either will do the job. |