About three years ago, developer Cameron Morris had a personal epiphany about passwords, he recently told ZDNet’s John Fontana: The time it takes to crack a password is the only true measure of its worth.
Not whether it has a minimum of x or a maximum of y characters, not whether it’s got blah-blah amount of numbers, not whether it includes your frou-frou leetspeak ch@r@ct3rs, not whether it contains the verboten from lists of taboo words.
Syntax rules like those make up the typical password-creation policies that most organizations use and that many security practitioners preach.
But if you religiously follow such policies, Morris notes, you get situations like this: Facebook graded as “weak” a password he made up of 35 characters using the first letters of a random phrase, while it deemed a password “strong” when it matched the social network’s creation policies, which allow for use of common words.
Morris’s Facebook-appeasing password?
"cracked1!"
The time it would take to crack that supposedly strong password, according to tools that Morris has created to estimate password strength: less than one day.
Morris, a developer at defense contractor Partnet, told reporters that he came to his realization after a half hour spent creating a tough-to-crack password.
That 30 minutes of password creation labor was followed by the realization that he’d have to go through the whole rigmarole again when he had to change it in a month’s time.
Stop right there. That has the aroma of a password myth.
As Paul Ducklin and Chester Wisniewski discussed in a Sophos Techknow podcast, “Busting Password Myths”, the idea that regular password changes lead to better security dates back to the days when passwords were stored in plain text files on Unix systems.
Regular password changes actually decrease security, for a few reasons: 1) your poor users are going to start using sucky passwords because they’re easy to remember and to increment, and 2) doing something security-related on a regular, predictable schedule (quarterly? monthly?) is a gift to hackers.
This regular password change-out distracts the IT department for a predictable chunk of time on a predictable schedule. Predictability is a gift you don’t really want to hand to attackers.
At any rate, influenced by the myth that regular password changes equate to good security, Morris thought it would be neat to set password expiration based on the strength of a password. He couldn’t find a way to measure password strength, though.
Hence, he started building a collection of tools to do just that.
Those open-source tools are out now. Morris handed them over to the Open Web Application Security Project (OWASP) in January.
Morris is inviting people to give them a try. One tool, called Passfault Analyzer, predicts how long it will take to crack a given password.
He also created a Password Creation Slide-Tool that lets administrators configure password policy based on the time to crack, the technology an attacker might be using (from an everyday computer on up to a $180,000 password-cracking machine), and the password protection technology in use (from Microsoft Windows system security on up to 100,000 rounds of the cryptographic hash function SHA-1).
The tool lets users move a slider bar to increase or decrease the amount of time passwords should take to crack.
All good, yes? But then came the next step in what came to be a password kerfuffle: Morris’s premise and tools quickly lit a fire under SecurEnvoy, maker of two-factor authentication technology.
SecurEnvoy blogged that, basically, Morris was right about password creation policies, but he didn’t take it far enough, because, in fact, conventional ID/password security is toast.
The company’s blog quoted co-founder Steve Watt as putting it this way:
"This isn’t to say that Cameron is wrong - far from it - it’s just that the reasons why passwords are coming to the end of the line in today’s online environment are multi-faceted, with company password policies being only one issue of concern."
"One of the other major issues we have observed is that people have great difficulty remembering more complex passwords than the six or eight alphabetic strings that most Internet users rely on. Because of this, they fall back on an eight digit passphrase that is usually a family member’s name or place of birth, and which—unfortunately—are all too easy to hack using brute force password attacks."
It will not shock many readers to find that Watt proposes that the answer is what his company sells: i.e., tokenless two-factor authentication.
Watt does have good points about corporate password policies: they spawn mutant, impossible to remember passwords. Users wind up storing them on their mobile phones or, worse, writing them on sticky notes or on the undersides of their keyboards.
This is, in fact, the heart of the matter that Morris got right, SecurEnvoy says: overly complex passwords prompt users to find easy ways to remember them.
Yes. But the idea that passwords are going away is nuts.
The reasons for this were well laid out by ZDNet’s Manek Dubash.
Dubash suggests that two-factor authentication isn’t going to save us, given that we’re all bringing our smartphones to work and logging on to Facebook in the enterprise:
"The reality today is that the division between enterprise and personal environments has all but evaporated."
"In the course of their jobs, people increasingly access their personal services at work using their personal devices. And enterprises cannot mandate two-factor authentication for access to Facebook, for example, which might well be the chosen method of communication of a key supplier, or a way of communicating with potential customers."
"All FB wants is a password, and it's not alone."
So if two-factor authentication isn’t going to save us, what’s the answer?
I rely on password generation using the scheme that Sophos’s Graham Cluley teaches in this video.
So I put one of my Graham-inspired passwords – containing seven characters – through Morris’s Analyzer and found that it would take approximately one day to crack it.
I would prefer that it get up into the range of a year, at least, if not a few centuries, and that is exactly what happened when I appended a range of characters from the keyboard, left to right and then the same string right to left.
Presto! Up in the centuries range.
That points not to a flaw in Graham’s technique, of course, but rather to a confirmation of Carnegie Mellon’s 2011 study (PDF), which concluded that length was the only thing that really influences password strength.
ZDNet’s Dubash, for his part, writes that he uses a “tiny portable password generator,” as well as KeePass, an open-source password manager that can even be bolstered with two-factor authentication.
It’s all good. We have a technique from Graham that shows us how to create easily remembered passwords. We have password managers. We have a bunch of busted security myths from Chet. We have the Carnegie Mellon study that shows that making them long makes them strong.
And now we have a tool to analyze that strength in terms of how long it takes to crack a given password.
0nw@rd&upwrd!
Cracked safe image courtesy of Shutterstock.
This is exactly what Steve Gibson said when he introduced the term 'Password haystack'.
See https://www.grc.com/haystack.htm or listen to episode 303 of "Security Now" http://www.grc.com/securitynow.htm
I'm not sure I agree with the Password Analyzer. I follow Steve Gibson's Haystack logic more, so take the two examples from the Haystack page and paste them into the Password Analyzer … Yikes
D0g…………………
PrXyc.N(n4k77#L!eVdAfp9
Haystack is talking about cracking the HASH. The Password Analyzer is looking at the plain text before it is hashed. That's very much comparing apples to oranges
I love Steve Gibsons Password Haystacks. I've referenced him several times in my presentations on passfault. I'm glad someone mentioned it. Comparing the two tools, I'd say that passfault goes a lot farther. If you remove all the password pattern finders, except for random, passfault would provide similar results as password haystacks.
Hi, guys,
If you're interested in password strength checkers, you may also be interested in the one from Dropbox http://tech.dropbox.com/?p=165
The app described in this article can be easily downloaded from github: https://github.com/lowe/zxcvbn
Does a password become less secure the more locations it's used ?
i.e can I use the same difficult to crack/easy to remember password for every login
You've asked two separate questions. I'll take them one at a time:
1. It depends on what you mean by "less secure". The password itself takes the same amount of time to break regardless of whether you use it in one place or a hundred places. So in that sense, it doesn't become decreasingly secure with increasing frequency of usage.
2. Yes, you "can" use the same password for every login, but that POLICY (not the password itself) is less secure than using different passwords for each login. Why? Because you cannot necessarily control security on the other end…that is, your password is only as secure as the site where you use it.
I'll give you an example. I recently changed my password at a site I use. As it turns out, they had just completely rebuilt their website from the ground up. In the rebuild process, they somehow managed to configure the site to send an email confirming that I had changed my password, but…AAACCCKKK!!! …the email (unencrypted, of course) contained my new password. %$#@&?! WTF? How intensely stupid is that? Grrrrrr…
That's one example of things you can't control that compromise the security of your password. Passfault calculates that one of my typical passwords takes 56,345 centuries to crack, but if some bozo website gets hacked and my password falls into the wrong hands, I'm toast if I've used the same password for my bank, my credit card accounts, my PayPal account,…and everywhere else.
So the important thing to remember is that a good password is only part of good security. You need good security practices as well.
I don't think it's less secure in and of itself. But if your password is cracked, you've provided access to every account you use it with.
You've only missed one thing – xkcd's cartoon about the same issue! http://xkcd.com/936/
I was thinking of including that great cartoon! I included it the last time I wrote about passwords, though, so I decided to not be redundant…
Also my first thought – and entering "correct horse battery staple" into Morris's Passfault Analyser gives: 13819626 centuries. Unmangled plaintext (if you *actually* choose pretty random words) is the Way To Go.
Currently it says “Time To Crack: 1 year, 11 months”.
.. Not too fast on the last lines, Lisa: I do agree that we as knowledgeable IT people can hack our way through a portable app for generating passwords, then storing them in KeePass, but what about your ordinary admin who's on top of most of the corporate sensitive docs?
Not convinced yet, and still think we're doomed in the end …
Ah, well spotted. See, now, I was waiting for somebody to call me out on the atypical use of optimism with regards to password security. You're probably right: we're all doomed. If it isn't ordinary admins who do us in, it will be either capitalism or the Tea Party (speaking as a US citizen).
It is also worth taking a look at GRC's password haystack site, as well as listening to the podcast on this site: https://www.grc.com/haystack.htm
Lots of good advice on passwords.
Great post. I tested the password tool and found that the sort of passwords I use would take "268 centuries, Total Passwords in Pattern: 812 Quadrillion"
Sweet! Admittedly, I used one of my shortest/feeblest Graham-inspired passwords. And on the subject of submitting precious passwords to a site, I must admit, I tested one I've only used once for a site I haven't been back to since. If somebody wants to go crack my Hoover's access, go have a ball. I should have addressed this question in the post: how safe is it to go submitting your passwords to sites such as this? I derive assurance from the fact that it's under OWASP, but I'm going to shoot Cameron a note and ask him for feedback on this.
I tend to follow Steve Gibson’s “Trust No One” motto.
me too which is why I wouldn't try an actual password on that website 😉 who knows what they are doing with it (I tried some similar though, and found i need to lengthen almost all of my supposedly 'strong' passwords)
I always thought that was from Special Agent Fox Mulder.
Following Graham's "how to create a strong password" video, I went to https://passfault.appspot.com/password_strength.h…
and tried the password "F+Wsd4adoH&E".
1903 centuries
Total Passwords in Pattern:
6 Quintillion
Fair enough.
But… trying the phrase "FredAndWilmaSatDownForADinnerOfHamAndEggs"
Time To Crack:
5.834579934027189e+30 centuries
Total Passwords in Pattern:
18,000,000,000,000 Decillion
So.. the plain dictionary words version is much better than the codified mnemonic version because of its length?
That's correct. The longer the password, the more secure it is…er, sort of. It depends on how hard it is to guess the password. There isn't much difference between a 4-character password and a 32-character password if both passwords consist only of the letter "a".
But assuming the password isn't so trivial, the math is straightforward. Just take all 26 alphabetical letter keys, add the 10 numeric keys, and that's 36 possible characters in each position. If the password is case-sensitive, double that…72 characters. (I'm excluding other keys for simplicity.)
With a fixed rate of computation in guessing the characters in each position, the time it takes to crack the password depends only on the number of positions. A password consisting of 1 position takes only as long as it takes to try all 72 characters. A password with two positions has 72 x 72 possible combinations; 3 positions has 72 x 72 x 72 combinations…so we can generalize: the total number of possible combinations is 72^n (72 to the nth power), where n is the number of positions in the password.
Now, what those characters are and how they're arranged can affect the strength of the password. A password containing 13 ones ("1111111111111") can be broken in less than a day, but a password containing 13 random characters will take 654,637,370 centuries to crack, according to Passfault.
So, assuming a non-trivial combination of characters, yes…the longer a password is, the longer it takes to crack it.
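The 72^n arithmetic in the comment above, and the slider in Morris's tool that trades attacker hardware off against hash cost, can be carried through in a few lines. The following is an added example written for this page, not code from Passfault or from any commenter; the guess rates (a desktop at one billion guesses per second, a dedicated rig at one hundred billion) and the hash-round counts are constructed assumptions chosen only to show the shape of the curve.

```python
# Added example for this page (not Passfault code): brute-force time-to-crack
# as a function of alphabet size, length, attacker guess rate and hash cost.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_CENTURY = 100 * SECONDS_PER_YEAR

# Constructed attacker scenarios: guesses per second against a single,
# fast hash. These numbers are assumptions for illustration only.
ATTACKERS = {
    "desktop": 1e9,
    "cracking rig": 1e11,
}

# Constructed defender scenarios: how many hash iterations the verifier
# performs per guess (the "password protection technology" slider).
HASH_COSTS = {
    "single fast hash": 1,
    "100,000 rounds": 100_000,
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` symbols drawn from an alphabet
    of `alphabet_size` symbols: the 72**n of the comment above."""
    return alphabet_size ** length


def time_to_crack_seconds(alphabet_size: int, length: int,
                          guesses_per_second: float, hash_rounds: int = 1) -> float:
    """Worst-case seconds to exhaust the space. Every extra hash round costs
    the attacker one more hash per guess, so it divides the effective rate."""
    effective_rate = guesses_per_second / hash_rounds
    return search_space(alphabet_size, length) / effective_rate


def describe(seconds: float) -> str:
    """Human-readable duration in the units Passfault reports."""
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    if seconds < SECONDS_PER_CENTURY:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    return f"{seconds / SECONDS_PER_CENTURY:.3g} centuries"


def crack_table(alphabet_size: int = 72, lengths=(8, 12, 16)) -> dict:
    """Time-to-crack for every (attacker, hash cost, length) combination."""
    table = {}
    for attacker, rate in ATTACKERS.items():
        for cost_name, rounds in HASH_COSTS.items():
            for n in lengths:
                table[(attacker, cost_name, n)] = time_to_crack_seconds(
                    alphabet_size, n, rate, rounds)
    return table


if __name__ == "__main__":
    for (attacker, cost, n), secs in crack_table().items():
        print(f"{attacker:13} {cost:17} length {n:2}: {describe(secs)}")
    # Doubling the length beats doubling the alphabet: 16 symbols from a
    # 36-symbol alphabet give far more candidates than 8 symbols from 72.
    print(search_space(36, 16) > search_space(72, 8))
```

Two things fall out of the table. An 8-character password over 72 symbols falls to the desktop in about a week when the verifier uses a single fast hash, but the same password behind 100,000 rounds is pushed out by five orders of magnitude, which is exactly what the "password protection technology" slider models. And length dominates alphabet size: 16 characters drawn only from letters and digits outnumber 8 characters drawn from the full 72-symbol set by a factor of roughly ten billion.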
But the attacker doesn't know how long the password is, right? So there is a huge difference between a^4 and a^32.
The problem with long passwords with mixed case isn't remembering them – if you have a mnemonic then you'll remember it.
Try and input that example at normal typing speed, and you will mistype it moderately often (many people frequently fail to find shift when typing fast, or fail to type one character, if there is a bit of dirt that makes that key slightly harder than normal to be responsive). So you retype it more slowly, and a shoulder surfer (who wouldn't have got the passphrase at normal speed), can now get your passphrase.
And then there are all the other sites you have that have passwords…
@Angie – On a whim I decided to take your above "strong" password (the first one) and put it through JohntheRipper. It took 15 hrs 49 min 26 sec to break using the basic brute force method on my rather modest desktop.
So while *in theory* it may take 1903 centuries, in reality, against a computer with barely enough RAM to run Windows 7 well, it doesn't take long at all. The truth is, if your password for a Windows system is less than 15 characters, it's relatively trivial to crack. And if someone has physical access to the system, they don't even need that long to reset it.
I use the Cisco Complex Password Specification to create ones like this and do not change them unless they are suspected of being or have been breached.
It is a random string of upper/lower case, numerics, and at least 4 special symbols or characters, at least a field of 15 long. Unfortunately some websites will not allow some of these conditions for password creation, and over time I've found them decrease the complexity of passwords allowed, by not allowing special symbols or characters anymore and/or shortening the length to as little as 8 characters.
Example: Ga#7c5*Dr$A&zY9
I maintain a password list using a typewriter, on no computer, with no password management programs on any system. Believe it or not, using them almost daily I remember them consistently on sites used most. They are all unique and completely random for every website and network device.
I advise everyone to do the same, and administrators to do away with the 3 month myth of changing passwords. There is no need to follow this Cisco Specification unless a password has been compromised somehow, online or not.
This kind of ignores the fact that a lot of attackers don’t even bother trying to crack some average person’s password.
They spearphish access to web sites and forums, steal the whole database, and then build login password combos from that data.
Password re-use isn’t going away till tools that let people store cryptographic keys easily and manage them take off. Computational power is rising far faster than our brains can deal with storing complex passwords. It can’t all be stuck in our heads.
And as benign as it may seem or come from, I am NOT typing any of my passwords into a “Password Checker”.
haha I said the same re the 'checker', suspicious is my middle name. 😉
I just used passwords that follow the same pattern as some of my passwords. I was pleased that my method works pretty well. 🙂
Length is really the one factor that matters regarding password strength : see more about entropy.
Lisa, please give out sound advice.
A. Password length is not the *only* measure of strength, it is merely the most significant. ZHg7!$3d5; is less likely to be broken than qwertyasdf. You have to recognize how the tools work. I don't need every password. I need any password. As soon as I have the easiest one, I'm done, which is why dictionary attacks are the first method used. I'm always going to guess admin:admin long before I guess jsmith215:I like my pancakes hot!
B. Rotating passwords is not worthless, nor does it lower security.
1. Users can’t use “sucky” passwords if you enforce a password policy. Preach security in depth.
2. Doing something on a “regular basis” is only true if you force every user to rotate their password at the exact same time.
3. If you rotate passwords, if a password is broken, it is broken for a finite amount of time before it has to be recracked.
You're right, password length is not the only measure of strength. I was referring to the Carnegie Mellon study's conclusion, which was that length was the most important factor. But as others have mentioned, a long, simple to crack password, such as one character repeated a great many times, does not equate to strength.
1. I guess that depends on the policy, but yes, of course teaching security in depth is better than just inflicting rules that force users to keep changing passwords and thereby coming up with security-weakening ways to remember them.
2. Good point.
3. True.
I believe the authors miss a key point; password changing is not primarily designed to shorten the opportunity to crack it, it is a preventative and corrective control to reduce the likelihood of password sharing.
Time To Crack:
503866 centuries
Total Passwords in Pattern:
2 Sextillion
That was for a passphrase, but not one I have ever used before. Also, don't forget things like dashes, quote marks, other punctuation and spaces. Here's one you can try:
O'er the land of the free and the home of the brave?
1.6477554781643315e+32 centuries
Total Passwords in Pattern:
499,000,000,000,000 Decillion
My time at a large financial institute has shown this is correct. I used to complain about them but management didn't agree. We had to change monthly, so when bob (Robert) had to change he use bobmay for May and bobdecember for December and continued like that for the year. The system stored a full year of used password to compare and enforce the changing of no duplicate for a year. As you can tell, security was daft, no problem getting into most accounts.
I've worked in places like that. Frequent password changes (with complicated rules about capitalisation other symbols) and re-use forbidden. So, what happened? Everyone used Month and year. Resulting security? Nil.
If a pass phrase is secure, it doesn't _need_ to be changed.
Great article, Lisa! Thanks for that. I'm sending links to all my associates…and several bonebrains who are "too busy" to read NakedSecurity.
Thanks, Nigel, and thanks to all you Naked readers who make such excellent points on these matters.
There was a project that used a PS3 running Linux to crack passwords some time ago which had great success. The PS3 managed to conduct over 1.4 billion MD5 calculations a second.
No matter the decillion count, if someone tells someone else their password the security has been compromised. Does the use of one password for multiple accounts example: yahoo, facebook, hotmail, financial, gmail, etc. decrease its strength? If someones gmail account is hacked, does the person/ program that hacked it search the world for that password or is it the other way around in that the guessed password is revealed in on list of accounts? Thank you ahead of time. See now I don't even want to put anything that related to me fearing that the hack monster will nail me. AHHH!
The Hack Monster (AAAHHHHHH!!!) is repelled by garlic and by not using the same password in multiple places—not because the hack monster has an easier time cracking passwords used in multiple places (as a reader previously commented, the password that's hard or easy to crack is hard or easy to crack regardless of how many places it's used), but the hack monster does appreciate the thrifty savings of cracking energy when it only has to crack one account and zingo bango gets into all your goodies with just that one password.
I don't quite understand the gmail account question. I would welcome input from other readers or Sophos security people on that one.
It's 17 years since I retired and we were saying then that 2 part security was dead! It's still with us and it will be in another 17 years.
I use a coded system that enables me to record a few digits and reconstruct the full password instantly. Password lengths are from 8 to 15 or so depending on sensitivity of application. You need a system when you have 81 different passwords, as I have (NOT character substitution, nor any serialization). I tested several and they would all take over 1 year, many over thousands of years to break.
Though years ago I advocated regular changes (with no repeats for 13 months – spoils annual recycling!) I have long since concluded that it wasn't necessary and now only change key passwords randomly. Of course if there is any breakin all passwords should be changed and employ a changed coding system as well. Interestingly I can change every password and the coding system without having to change any of the short codes in my password book. Possession of the book would, of course, get you absolutely nowhere. Its loss would be inconvenient but these days there are password recovery capabilities on the vast majority of systems. Perhaps that's where the weakness in all our systems really lies?
Using passphrases vs passwords seems to ramp up the difficulty pretty quickly.
My PGP passphrase (actually, a slight variation of it — I don't trust that he isn't adding everything that gets entered into a new dictionary file), came up with
Time To Crack:
3.1262184477004073e+25 centuries
Total Passwords in Pattern:
95,000,000 Decillion
Even though there are obvious English and Spanish words in it. It's a phrase and it's almost 40 characters long including spaces and punctuation.
I knew it would be extremely difficult to change my PGP passphrase once my key was out and about, so I made sure it would be a phrase I could remember but made sure it was a relatively long one.
Interesting: I punched in an almost-random 8 character password, and it said it would crack it in 4 days. I punched in another one and it said 1 week, and said that the phrase "swordfish" was decryptable from a substitution cipher — good to know, considering the actual characters entered were pretty much random.
Then I typed in "the password is crack3d"
Time To Crack:
31112 centuries
Total Passwords in Pattern:
94 Quintillion
SUBSTITUTE (Common): 33% of total strength
WORD (Common): 1% of total strength
SUBSTITUTE (Common): 66% of total strength
RANDOM CHARACTERS [Latin, Numbers]: 0% of total strength
Seems to me that this tool relies overly on password length and not enough on actual complexity; of course, it depends on what sort of attack against the password is being attempted, as a brute force method with a randomly generated dictionary would indeed pick up the random passwords much faster due to the length, and the one that just happens to hash to the same value as swordfish would fall immediately (thus it is always good to validate new passwords against common password hashes, as you wouldn't want to pick a colliding hash).
From personal experience over the years, I've found that using a variant of Graham's method, never using the same password twice, and picking secure password storage where possible is almost always enough. Because it doesn't matter how strong your password is if it's hashed into a 8 character hash which also hashes against common passwords.
Wait just a minute … what password protected site gives any user, whether friend or foe, more than three consecutive failed attempts per hour to get into any given account, or six, max, per day? What's a hacker going to achieve when restricted to ~2,000 attempts per year on any given account? And then what's so critical about lengthening your choice of pass-string?
Isn’t password strength only an issue if the hashed password file is stolen? That’s got to be a rare event. So long as a site blocks the account after 3 failed login attempts, then even a pathetically weak password is ok.
In an ideal world, yes. In ours, hash files are stolen surprisingly often, and it only takes one to screw you up if you're only using one password. For example, a friend I work with had his website's forum logins compromised, with about 5000 users' passwords and usernames. The passwords were in salted hashes, so it wasn't terrible, but easier passwords could still have been easily cracked.
The killer part is that he works in the security field and had properly locked down his server for the most part, but was planning on installing an update on weekend when he had time (and got owned as a result).
My credentials were on there 🙁
Lists of the most commonly used pass words are available at many security and hacker sites. A brute-force attack will almost always work simply because:
4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Length and entropy are the most important factors to consider, along with ease of recollection.
A simple password phrase such as – Dancing the Homestretch – would take 317 Quadrillion years to break using a desktop computer according to the Passfault Analyser, and about 480 septillion years using http://howsecureismypassword.net/.
When considering the NAS super code-breaking computer facility being currently built in Utah, that discrepancy becomes a factor also. As in “Who really has the Goods?”
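If most users draw from a few hundred well-known strings, as the statistics above claim, the cheapest defence is to reject those strings at creation time, including the mangled forms users reach for to satisfy complexity rules. The following is an added example written for this page, not code from any product or commenter; the blocklist is a constructed stub standing in for a real list of leaked passwords, and the reverse-leet substitution table and 12-character minimum are assumptions.

```python
import re

# Added example for this page. Constructed stub of a common-password
# blocklist; a real deployment would load thousands of entries from a
# breach-derived list (assumption).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "football",
}

# Assumed reverse "leet" map: undo the substitutions users make so that
# "P@ssw0rd" is compared against "password".
UNLEET = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed policy minimum


def normalize_variants(password: str) -> set:
    """All the forms a candidate is checked under: lowercase, with trailing
    digits/punctuation removed ("Monkey2012!" -> "monkey"), and with leet
    substitutions undone. The original lowercase form is always kept so an
    all-digit entry such as "123456" still matches."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered) or lowered
    return {
        lowered,
        stripped,
        lowered.translate(UNLEET),
        stripped.translate(UNLEET),
    }


def is_common(password: str) -> bool:
    """True if any normalized form of the candidate is on the blocklist."""
    return any(v in COMMON_PASSWORDS for v in normalize_variants(password))


def check_password(password: str) -> tuple:
    """Creation-time policy: reject blocklisted strings and their mangled
    forms, strings made of one or two repeated characters (the "aaaa" case),
    and anything shorter than MIN_LENGTH. Returns (accepted, reason)."""
    if is_common(password):
        return (False, "matches a common password after normalization")
    if len(set(password)) <= 2:
        return (False, "too few distinct characters")
    if len(password) < MIN_LENGTH:
        return (False, f"shorter than {MIN_LENGTH} characters")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd", "aaaaaaaaaaaaaaaa",
                      "ZHg7!$3d5;", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

The order of the checks matters: the blocklist runs first so that "Password1!" is refused as a common password rather than merely as a short one, which tells the user what actually went wrong. Normalizing before lookup is what turns a list of a thousand plain entries into coverage of the far larger family of "Password123" and "p@ssw0rd" variants that a character-class policy would happily accept.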
I am a systems admin and I always have to think about the users remembering passwords so I just made a tool that generates passwords with the following algorithm.
"word 2digits word" (baboon84insanity)
The great thing about this is you pick funny passwords and by doing this the user is more likely to remember them.
about10seconds
How long it would take to crack one of those with a dictionary attack, where a whole word is equivalent to one token. This would be a three-token password at best, given that low numbers would be in a dictionary.
This is another site that is quite cool! http://howsecureismypassword.net/
Author,
You arrive at this point: “So if two-factor authentication isn’t going to save us, what’s the answer?” based on a statement from Manek Dubash
“And enterprises cannot mandate two-factor authentication for access to Facebook, for example, which might well be the chosen method of communication of a key supplier”
But I really have to wonder about the enterprise which communicates critical, private information via Facebook. Does that really happen? Sure there are a few consumer transactions accessible via “F-commerce” but I don’t imagine it is a channel a company like Caterpillar corporation interacts with the sheet metal fabricator who makes their fuel tanks (to make up a random example).
It may be that two factor auth is not the best solution, but coupling it with reasonable and enforced enterprise security policies makes it a leap ahead of any password policy regardless of length or complexity.
You can throw a spanner in the works by including dictionary words as tokens when brute-forcing… taking the famed CorrectHorseBatteryStaple from 25 characters to 4.
Is FiveFourThreeTwoOne really that much stronger than 54321?
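Both the sysadmin's "word 2digits word" generator above and the point about brute-forcing with dictionary words as tokens come down to the same question: how many guesses does a password cost an attacker who tries whole words rather than single characters? The following is an added example written for this page, not code from Passfault, zxcvbn or any commenter; the word list is a constructed stub, the 20,000-word dictionary size and three case variants per word are assumptions, and the greedy longest-match tokenizer is a deliberately simple stand-in for the pattern finders a real analyzer uses.

```python
import re
from math import prod

# Added example for this page. Constructed stub word list; a real cracking
# wordlist is far larger, so the assumed DICT_SIZE stands in for the
# attacker's list when counting guesses.
WORDS = {
    "correct", "horse", "battery", "staple", "baboon", "insanity",
    "five", "four", "three", "two", "one", "the", "password", "crack",
    "dog", "fred", "wilma", "sat", "down", "for", "dinner", "ham", "eggs",
}
DICT_SIZE = 20_000   # assumption: size of the attacker's word list
CASE_VARIANTS = 3    # assumption: lower, Capitalized, UPPER tried per word
PRINTABLE = 95       # printable ASCII, for the per-character fallback
MIN_WORD = 3         # shortest run of letters treated as a word token


def tokenize(password: str) -> list:
    """Greedy longest-match split into ('word', s), ('digits', s) or ('char', s)."""
    tokens, i, n = [], 0, len(password)
    low = password.lower()
    while i < n:
        # Longest dictionary word starting at i, case-insensitively.
        end = next((j for j in range(n, i + MIN_WORD - 1, -1)
                    if low[i:j] in WORDS), None)
        if end is not None:
            tokens.append(("word", password[i:end]))
            i = end
            continue
        m = re.match(r"\d+", password[i:])
        if m:
            tokens.append(("digits", m.group()))
            i += len(m.group())
            continue
        tokens.append(("char", password[i]))  # unrecognised: one random char
        i += 1
    return tokens


def token_guesses(password: str) -> int:
    """Guesses for an attacker who tries whole words and digit runs as units."""
    cost = {
        "word": lambda s: DICT_SIZE * CASE_VARIANTS,
        "digits": lambda s: 10 ** len(s),
        "char": lambda s: PRINTABLE,
    }
    return prod(cost[kind](text) for kind, text in tokenize(password))


def naive_guesses(password: str) -> int:
    """Guesses for an attacker who treats every position as an unknown character."""
    return PRINTABLE ** len(password)


def compare(password: str) -> dict:
    """Both estimates side by side, with the token split that produced them."""
    return {
        "tokens": tokenize(password),
        "token_guesses": token_guesses(password),
        "naive_guesses": naive_guesses(password),
    }


if __name__ == "__main__":
    for pw in ["baboon84insanity", "CorrectHorseBatteryStaple",
               "FiveFourThreeTwoOne", "54321", "F+Wsd4adoH&E"]:
        r = compare(pw)
        print(f"{pw}: {len(r['tokens'])} tokens, "
              f"{r['token_guesses']:.2e} token guesses vs "
              f"{r['naive_guesses']:.2e} naive")
```

Under this model "baboon84insanity" is three tokens, as the earlier reply predicted, and costs about 3.6e11 guesses rather than the 4.4e31 a per-character count suggests. The word-token estimate also answers the FiveFourThreeTwoOne question in the attacker's own terms: five words from a 20,000-entry list still cost far more guesses than five digits, but the gap is measured in word-list size, not in character count, and a shorter list or a phrase the attacker already has on file collapses it entirely.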
This needs to be available as a standalone tool… I am not going to enter my password into some random website thank-you-very-much.
Of course I didn't enter real used passwords into the tool. I'd take a guess no-one else has.
But I did test various formats; the 8 digit format required by work vs using the first line of a poem. The results were clear; whatever option I put in that would meet the requirements at work was more easily cracked than the single line of poetry. As a bonus I already know loads of poems so I don't have to learn anything new.
If poetry isn't your thing how about children's songs? tw*nkletw*nklestar would take 315 centuries to crack.
Just tried the Password Evaluation on my work password and got 8878 centuries to crack.
I go by the "the longer the password" principle. Password is 14 characters/numbers long.
Keep up the good work Sophos.
Cheers
Our systems admin forces regular changes, every month, on every system. Just for fun it's not synched, so those changes are made on different days.
Thanks for this article – I am forwarding it to my risk colleagues.
Was shocked yesterday by BT's approach to password security (BT is a major telecomms company in the UK).
Just signed up for an account as part of setting up a new phone line. It then asked for an 8 character password made from numbers and letters, and after a bit of fiddling I came up with one that I could remember but the website said was "Strong".
Some minutes later, I get an unencrypted plain text email with the password prominently displayed!!!!!!!
This is shockingly bad, and I have no clue who thought this was a good idea. Seriously, if anyone wants to hack BT accounts, they just need to watch internet traffic for these confirmation emails, and they can harvest the passwords as easy as pie.
Well looks like I am secure. I still think the password is very easy, but it has no relation to me, it's just complete randomness.
Time To Crack:
2273 centuries
Total Passwords in Pattern:
7 Quintillion
Personal Password security check:
Time To Crack:
3 years, 5 months
Total Passwords in Pattern:
102 Trillion
I do agree on having the policies updated across the board. In other words, it shouldn't be just "3 failed attempts and I can make another attempt in 10min". It should be "I failed to login 3 times in 6 seconds AND I can't make another attempt at all until something else releases the restriction to allow me to attempt to login again."
Summary: Password security needs just as much attention and improvement as anti-virus security gets.
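The two lockout rules contrasted in the comment above differ in how the lock is lifted: one expires on a timer, the other stays until something else releases it. The following is an added example (not code from the article or from Passfault) that models both rules with the same small class and runs a constructed sequence of login attempts through each. The account name, timestamps and the 3-failure threshold are constructed inputs; the 10-minute and 6-second figures come from the comment.

```python
from collections import deque


class AccountLockout:
    """Tracks failed logins per account and decides whether a new attempt may be checked.

    lockout_seconds=None models the commenter's proposal: once locked, the account stays
    locked until release() is called. A number models the conventional rule where the
    lock expires on its own (e.g. "try again in 10 minutes").
    """

    def __init__(self, max_failures=3, window_seconds=6, lockout_seconds=None):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = {}    # account -> deque of failure timestamps inside the window
        self.locked_at = {}   # account -> time the lock was applied

    def is_locked(self, account, now):
        if account not in self.locked_at:
            return False
        if self.lockout_seconds is None:          # hard lock: only release() clears it
            return True
        if now - self.locked_at[account] >= self.lockout_seconds:
            del self.locked_at[account]           # timed lock has expired
            self.failures.pop(account, None)
            return False
        return True

    def attempt(self, account, now, success):
        """Return 'locked' (refused without checking), 'ok' or 'failed' (checked and wrong)."""
        if self.is_locked(account, now):
            return "locked"
        if success:
            self.failures.pop(account, None)      # a good login resets the failure count
            return "ok"
        recent = self.failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                      # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_at[account] = now         # lock engages after this failure
        return "failed"

    def release(self, account):
        """Explicit release, e.g. by a help desk or an out-of-band verification step."""
        self.locked_at.pop(account, None)
        self.failures.pop(account, None)


def simulate(policy, events):
    """Run (account, timestamp, success) events through a policy, returning each outcome."""
    return [policy.attempt(account, t, ok) for account, t, ok in events]


def max_guesses_per_day(max_failures, lockout_seconds):
    """Upper bound on online guesses per account per day under a timed lockout."""
    return max_failures * 86400 // lockout_seconds


# Constructed scenario: five rapid wrong guesses against 'alice', then one more wrong
# guess about 11.5 minutes later, then the real user logging in correctly.
ATTACK_THEN_USER = [
    ("alice", 0, False), ("alice", 1, False), ("alice", 2, False),
    ("alice", 3, False), ("alice", 4, False),
    ("alice", 700, False), ("alice", 701, True),
]

if __name__ == "__main__":
    timed = AccountLockout(max_failures=3, window_seconds=600, lockout_seconds=600)
    print("timed 10-minute lockout:", simulate(timed, ATTACK_THEN_USER))
    hard = AccountLockout(max_failures=3, window_seconds=6, lockout_seconds=None)
    print("lock until released:   ", simulate(hard, ATTACK_THEN_USER))
    print("guesses/day under 3-per-10-minutes:", max_guesses_per_day(3, 600))
```

Under the timed rule the attacker's sixth guess at t=700 is checked again because the lock has expired; under the hard rule both it and the legitimate login at t=701 are refused until `release()` is called. The last line makes the quantitative point behind any lockout: it caps online guessing at a few hundred tries per account per day, independent of how strong the password itself is.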
How long does the tool take to answer?
Tried a password three times, but got no results.
So. I talked to Cameron about how dangerous it is to input passwords into a random site online, and he said that this was absolutely a concern from the get-go. At first, he addressed the issue by writing the code in Java, since, he said, Java applets will run fine and won't leave your browser. But it didn't work on iPhones or anything else that doesn't run Java applets, and besides, he wanted a back-end service that you could send the password to and that would send analysis back.
He didn't opt for an SSL server, given the high cost. But he did wind up putting it on the Google App engine, to piggyback off of Google's SSL, which sends the password analysis request off to a separate site, as you can see. He made sure Passfault won't accept passwords over Git—a distributed revision control and source code management system—which ensures that password submissions won't wind up in URL history (BTW, I'm not a coder, so assume that any errors in this interpretation are mine, not Cameron's).
That, at least, will protect password submissions from passive attackers, Cameron says. But you still have to trust that what he put up in the tools is safe, and you have to trust Google (stop laughing, Google h8rs!).
If you don't trust his code, you can download it and try it on your own instead of trusting his service.
As far as trusting Google goes, Cameron thinks they'd have to go out of their way to get the passwords out. Google would have to write special code for that. He made sure the password submissions aren't getting sent to any logs, and he made sure that memory gets zeroed out so passwords aren't hanging around.
In sum, it's easy enough to test out Cameron's code and see what it's up to, given that it's open source. So the real rub is how paranoid you are about Google not only keeping track of everything (which, OK, they pretty much do), but how much of a special project you think the company would want to make out of digging the passwords free of his carefully engineered analysis tools.
So what is to be surmised from this article? There are some good tools presented and it's driving thought about passwords (which have been the bane of many security practitioners for years and many more to come). However, there are some flaws in some of the things mentioned. Lisa, you need to summarize the point you were trying to drive home. To this point I don't know what that is.
I have the following comments.
1. Password expiration is to ensure passwords are not shared and, in the event one has been compromised, it will be changed, thus needing it to be compromised again (probably not a lot of work if it was done once, but work nonetheless).
2. password strength has and always will be a combination of length and complexity. To lean one way more than another is personal preference, but both have a level of importance.
You're forgetting how little time it would take using rubber hose cryptanalysis.
There is something not quite right about the algorithm used by the author of Passfault Analyzer. The program is clearly using what it ALREADY KNOWS about the password entered in order to make its calculation. Try this… enter a one character password. If it is a number, you are told there are 10 combinations… an alpha character and it comes back with 26. In actual fact, a 1 character password can be any numeric, alpha or special character. This indicates to me that any password entered in the calculator is actually stronger than stated.
a1qs2wd3ef4rg5t
(that’s a, then jump up to the number, then the row below the number and continue with s and keep doing that until you hit the G)
result?
Time To Crack:
25215 centuries
Total Passwords in Pattern:
76 Quintillion
I work as a DOD contractor on classified systems, and as you can imagine, we have some pretty anal password creation and changing rules. I tend to bound around with different patterns based on my mood the day I'm forced to change one. Sometimes a passphrase, sometimes a password built on a song lyric, etc. Not long ago, I used a sentence with spaces, common words and only two special characters. For grins, I altered it a little and tossed it to the analyzer:
Password:
This Fender Strat cost $250.
The results were…interesting:
212262264052761730 centuries
Total Passwords in Pattern:
643 Nonillion
But what I found odd was the analyzer's claim of 84% strength from "substitute Spanish". I tried to find the word "Strat" in a Spanish dictionary online, and came up empty. The other 16% was 12% from special characters (yes, I included the period in the password), and 4% from "substitute common." I would have thought that "Word Common" would have been included in there somewhere, considering the two very common words ("this" and "cost"), but that analysis came up 0%.
Too bad I can't use it now since everyone's seen it. 😉
I always advise the use of "pass phrases" whenever possible. I entered a pass phrase that I've used in the past into the tool and it came back with
Time To Crack:
1.0486570436840951e+32 centuries
I find that a pass phrase is an easy way to encourage users to use a long password and they can use something that is reasonably easy to remember. I just warn them to not choose something they use as a security question, so no "My mother's maiden name is X." or anything of the sort.
According to Morris, my everyday passwords are ridiculously strong, while all the passwords my boss comes up with can be brute-force cracked in no more than a week. His passwords are old school gibberish, hard for people, easy on machine. My passwords are hard for people and machine. My general purpose for work password would take 812 trillion years to break with a $180,000 hacking machine. It's surprisingly easy to remember. Even if I didn't throw all that leet-speak in it should still take about a billion years.
Is it possible to tie a password to a “clock” so that a password would have at least a one second gap of passing time somewhere in the middle of the password; the computer would not receive the rest of the password until that time gap was finished. A brute force attack would have to wait impractically long, it would seem.
I have a password encrypted folder on my desktop with 32 digit randomly selected passwords in it which I copy and paste. Simple huh! And I don’t worry about anyone cracking them.
Much like attacking passwords, the analogies with breaking ciphers, private keys and the like with brute force is similar and reminds me that one would do well to heed Gordon Welchman’s wise words in “The Hut 6 Story”; this advice even applies to Hellman-Diffie which implies “these new ciphers can be broken, but only by programs that have to run an [unfeasible] amount of time…”. The vast combination of stecker combinations on the military Enigmas examined one-by-one would preclude the breaking of a daily key; or so the Germans believed. However the reality was that around 150 trillion stecker combinations were instantaneously eliminated from the equation even before the Bombe was designed when Welchman hunted out the females in the message indicator; this left around 26x26x26x60 (around a million) possible settings and then with the manual Jefferies sheet stacking (basically a load of giant cards with holes punched, stacked, then a torch shone through them), one could test all 676 ring settings in one fell swoop! (parallel processing in 1940). The Bombe, when it got going, was a reductio ad absurdum machine, able to examine all 150 trillion stecker combinations in a millisecond.
I guess what I’m saying is that just because a password is strong enough to only be cracked in a few hundred centuries or so via brute force, dictionary, etc, don’t assume it will take that long, especially if Welchman, Turing, et al get on the case…
I tested my password, I had no plans to have a super secure password, but apparently my easily memorized password would take a couple quintillion years to crack. I guess I did a good job.
Good job. Now a note of caution… what service gave you that estimate? Did it calculate your password’s strength based on its entropy? Testing entropy is easy but it doesn’t reflect how password cracking works. Using entropy as a measure of password strength assumes your password will be attacked using brute force (random guesses) but it probably won’t be. Password cracking tools order their guesses based on an understanding of human behaviour, habits and biases.
For example, password crackers know that when we include uppercase characters in our passwords we tend to use just one and we tend to put it at the beginning or the end of the password.
A system measuring entropy doesn’t care where you put your uppercase character but a system that measures a password’s ability to withstand attack absolutely does.
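The reply above draws a line between entropy-style strength estimates and estimates that model how cracking tools actually order their guesses, and an earlier comment noticed that Passfault uses what it already knows about a password's character classes. The following is an added example (not code from the article, from Passfault, or from any commenter) that puts the two approaches side by side in a toy form: a brute-force estimate that raises the observed alphabet size to the password length, and a structure-aware estimate that tokenises the password into words, digit runs and symbol runs and charges each token only for the choices a cracker would actually have to make. The wordlist size, the 33-symbol alphabet, the 10^10 guesses/second rate and the small embedded word set are all assumptions; the password "cracked1!" is the one from the article.

```python
import re

# Constructed stand-in for a cracking dictionary; real lists run to 10^5..10^7 entries.
WORDLIST = {"password", "cracked", "monkey", "dragon", "letmein", "welcome",
            "football", "bengal", "hourglass", "tiger", "fender", "strat"}
WORDLIST_SIZE = 100_000       # assumed size of the dictionary an attacker would draw from
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
GUESSES_PER_SECOND = 1e10     # assumed offline rate against a fast, unsalted hash

def brute_force_guesses(pw: str) -> int:
    """Entropy-style estimate: every position may be any character of the classes present."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += LOWER
    if re.search(r"[A-Z]", pw):
        alphabet += UPPER
    if re.search(r"[0-9]", pw):
        alphabet += DIGITS
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += SYMBOLS
    return alphabet ** len(pw)

TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")

def _habitual_casing(tok: str) -> bool:
    """The three case patterns people actually use: all lower, ALL UPPER, Capitalised."""
    return tok.islower() or tok.isupper() or (tok[0].isupper() and tok[1:].islower())

def pattern_guesses(pw: str) -> int:
    """Structure-aware estimate: multiply the choices a cracker needs per token.

    A dictionary word costs one wordlist lookup times a handful of case rules, not
    26^len; only unusual capitalisation (a capital in the middle) forces per-letter
    toggling. Digit and symbol runs are charged their full alphabet per character.
    """
    total = 1
    for tok in TOKEN_RE.findall(pw):
        if tok.isdigit():
            total *= DIGITS ** len(tok)
        elif not tok.isalpha():
            total *= SYMBOLS ** len(tok)
        elif tok.lower() in WORDLIST:
            total *= WORDLIST_SIZE * (3 if _habitual_casing(tok) else 2 ** len(tok))
        elif _habitual_casing(tok):
            total *= LOWER ** len(tok) * 3
        else:
            total *= (LOWER + UPPER) ** len(tok)
    return total

def seconds_to_crack(guesses: int) -> float:
    """Worst case: the whole space is searched at the assumed rate."""
    return guesses / GUESSES_PER_SECOND

def describe(seconds: float) -> str:
    for unit, size in (("centuries", 3.1536e9), ("years", 3.1536e7),
                       ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"

if __name__ == "__main__":
    for pw in ("cracked1!", "Cracked1!", "cRacKed1!", "x7#Qp2Lz!"):
        bf, pat = brute_force_guesses(pw), pattern_guesses(pw)
        print(f"{pw:12} entropy-style: {describe(seconds_to_crack(bf)):>22}"
              f"   pattern-aware: {describe(seconds_to_crack(pat)):>22}")
```

The contrast shows the reply's point: an entropy estimate rewards "Cracked1!" over "cracked1!" because a new character class appeared, while the pattern-aware estimate gives both the same cost, since a leading capital is one of the few case rules every cracker tries first. Only "cRacKed1!" with its mid-word capital is charged more, and the random string is the only one where the two estimates come close to agreeing.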
One idea to make a stronger password is think of two specific types of animals, such as Bengal tigers and Hourglass dolphins, your favorite number (maybe like 125) and a favorite symbol (!)
Then just have BengalHourglass!125. Super complicated but easy to remember password.