Remember that famous xkcd cartoon, suggesting passphrases like “correcthorsebatterystaple” are harder for hackers to crack than the likes of “Tr0ub4dor&3”?
Well, I’m full of admiration for whoever the web developer was at Dropbox who implemented this on their sign-up form…
Turns out if you attempt to register “correcthorsebatterystaple” as your password on Dropbox, the site (quite rightly) objects.
Very droll.
Hat-tip: Reddit.
So is the four word password actually a better choice than the former?
The premise is based on the idea that the only 'true' security in password generation is length, not mixing characters (a-zA-Z) with specials (!@£$%^&*()).
So, based on length alone, it will take longer to brute force.
Not only this, but remembering a phrase such as "correcthorsebatterystaple" is much easier than one of these mixed up passwords. So it reduces the likelihood of a person needing to write it down somewhere (making it more secure, again).
Yes, the longer, memorable password is better, but using a well known example is not. Just like p455w0!’d is a bad password.
Checking a password against a list of well-worn examples and common passwords is a good idea – above and beyond looking for a certain mix of chars or minimum length.
I’m afraid this is not correct. The ‘true’ security in password generation is in the number of _truly random_ symbols which are employed.
So, the trick is that one must be first presented with a truly random sequence of a few words. It most likely would be a complete nonsense, but our psychology will do its magic and we’ll somehow make sense of it so that we’ll be able to remember it more easily.
The mistake is to try to come up with the words oneself: rest assured that there will be very little randomness in them no matter how hard we try.
Yes, it may be comical, but is this in itself a security issue? By alerting the prospective user that they have used this password, they must be sampling each and every password used in the sign-up process, thus they could be recording them. Most systems I use (forums etc.) store passwords hashed with a salt, so even the site administrator does not know what the passwords are that members use. This "validation" must compare the entered password with some form of look-up table to enable it to pop up the silly message.
As a Dropbox user of long standing, I'm now more than a bit concerned…
Probably Javascript, so no need to worry…
I doubt they are sending anything to server; this would be simple enough to implement in JavaScript. You could compare the typed text against a hard-coded string in a conditional. If it matches, show the message. Given how dynamic the site is, this is probably what is going on.
No need to send anything to the server so nothing to worry about.
Um… this is before the password is transmitted (securely, encrypted with HTTPS) to the server… it's a little piece of client-side JavaScript – the web browser *must* know the contents of the password field to transmit it, and the password strength meter uses the contents of the password field to estimate the strength (same with everyone else's password field – Google, Facebook, all of them have the password in plaintext before submission to the server).
There's nothing bad about this in terms of security. At all.
How is Dropbox supposed to do the hashing of the salted password – unless you give them the clear text password?
Client-side.
That’s the most terrible idea ever – the client is always extremely insecure as it can be tampered with by the user.
Almost all web sites do some validation of passwords, so that means they look at what you typed. It doesn’t mean they keep it.
Just because a site stores a hash of your password does not mean they couldn’t save the real password if they wanted to. If you type text into a web form and hit a button, the site has access to that text. They probably hash it on the web server and then (presumably) throw away the original. Every time you login, you send your real password to them so they can hash it and compare it to the hash they have on file. So you give it to them every time you login anyway.
From the animated example in this article, it looks like Dropbox does this check in Javascript in the local browser (before you hit “create account”). Still, that’s only the verification that happens in the browser, the password eventually submitted is probably sent to the site for more verification, hashing, and storage.
This introduces no new access to your password text. Any web site you login on has always had access to your password text, how else could you login? The question is what they do with it and whether they keep it. But they have to look at it for anything to work.
Thanks for allaying my concerns Guys. I should have realised that it was client side scripting that did the checks, I've built enough forms and field validation scripts over the years (in ASP). Duh… :-
For anyone concerned, it *is* implemented in Javascript (as is the password strength meter). It's easy to see by taking a peek at the html code and the "password_strength.js" file that's referenced in there.
BTW, There's also a special note if you use "Tr0ub4dor&3" or "Tr0ub4dour&3".
The processing would be done on the field itself, the content of the object as it was rendered on the page. Because all of that logic happens in real time, nothing is “saved”. Once you hit the Sign Up button, however, that web form data will be captured and posted to their server. It is during this process that you need the encryption and such.
This processing is no different than when the pop-up comes up saying “&,$,%,*,^,@,! not allowed, please choose a new password” or what have you. It would take place at the same time as input bullet-proofing. This is a non-issue.
After all, the most important characteristic that makes passwords stronger is LENGTH!
No. Randomness. “8946380365” would be safer than “9999999999999999”.
"You wascal wabbit!" – more succinct? (But possibly an unknown reference for anyone under 35….)
Sufferin' Succotach. I'm under 35.
…er, it's "succotash". Perhaps it was a typo error, but based on the epidemic of illiteracy that pervades the Internet, one is tempted to infer that people under 35 are less likely to know how to spell.
In Dan's defence, 'succotash' is hardly a commonly-used word. Picking up on that one forgivable typo is a bit below the belt. I also take umbrage at your sweeping statement regarding all U35 year olds being illiterate. It's clearly not the case, unless the only place you frequent is YouTube.
I'm under 35 as well, and I remember Sylvester very well thanks.
Well, he did lisp. So "Thufferin' thuccotash" is more accurate… sorry, just had to clarify! And I'm under 35, but only because I hit that number in about half a year!
😀
I’m 30 and I grew up on Looney Tunes, as did many of my friends around my age. Not only that, but my best friend’s sixth-grader is a big fan. I have a feeling those cartoons are going to be well known for a long time.
Well duh. A password comprised of four dictionary words strung together has got to be secure. It’s the size that counts, right ladies?
I think it is appropriate that passwords be rated on a scale of:
too weak –> strong –> lol
I liked the message, also from Dropbox, when it was estimating how long it would take to upload my husband's files – "This will take a while, so go have a Snickers".
Soon, hackers will do attacks comprised of 4 dictionary words strung together. It's only ^4 brute force attempts.
Unless you're using 3 or 5 words, etc, real or made up words, formal or colloquial, your language or another, so on and so forth.
Yep, to the 4th power is all that it would take. If hackers can brute force 1000 attempts/second, and people limit themselves to the 2000 most common words in the English language, a single dictionary attack with the 2000 most common words takes 2 seconds and 2000^4 attacks take 550 years.
Do you guys really not get that it's correct horse battery staple and not correcthorsebatterystaple?
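As an added example (not Dropbox's code, nor the author's), here is a small JavaScript check in the spirit of this thread: a normalised blocklist of the well-known example passwords mentioned above (covering the comment that a blocklist belongs alongside length and character-mix rules), plus the guess-space arithmetic from the comment above it. The blocklist contents and the 12-character minimum are assumed values, and the dictionary size, word count and guess rate are parameters.

```javascript
// Well-known example passwords from the xkcd cartoon and this discussion
// (constructed blocklist; a real one would be far larger).
const BLOCKLIST = new Set([
  "correcthorsebatterystaple",
  "tr0ub4dor&3",
  "tr0ub4dour&3",
]);

// Lower-case and strip separators, so "Correct Horse Battery Staple" and
// "correct-horse-battery-staple" both match the canonical entry.
function normalise(pw) {
  return pw.toLowerCase().replace(/[\s\-_.]/g, "");
}

// Exact integer power by repeated multiplication (results here stay < 2^53).
function power(base, exp) {
  let n = 1;
  for (let i = 0; i < exp; i++) n *= base;
  return n;
}

// Guesses to exhaust N words drawn from a dictionary of D entries: D^N.
// Only valid when the words are chosen uniformly at random from that list.
function passphraseGuesses(dictSize, words) {
  return power(dictSize, words);
}

// log2 of the guess space, the usual "bits of entropy" figure.
function bitsOfEntropy(guesses) {
  return Math.log2(guesses);
}

// Years to try every guess at `ratePerSecond` guesses per second.
function yearsToExhaust(guesses, ratePerSecond) {
  return guesses / ratePerSecond / (365.25 * 24 * 3600);
}

// A blocklisted password fails regardless of length; the 12-character
// minimum is an assumed policy value, not Dropbox's.
function checkPassword(pw, minLength = 12) {
  if (BLOCKLIST.has(normalise(pw))) {
    return { ok: false, reason: "well-known example password" };
  }
  if (pw.length < minLength) return { ok: false, reason: "too short" };
  return { ok: true, reason: "" };
}
```

With the thread's figures (2000 words, 4 of them, 1000 guesses/second) the single-word space is exhausted in 2 seconds and the four-word space in roughly five centuries, about 44 bits of entropy.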
There's a massive difference, and it isn't length.
You’re wrong.
I mean… I once saw someone actually use correct horse battery staple as their password. Good on Dropbox for preventing that sort of stuff.
“I once saw someone actually use correct horse battery staple as their password.” 🙁
And here we are! Down to the biggest password security problem of all time: You s a w someone else using a password! In an ideal world this is not supposed to happen. As long as we can’t fix problems that are caused by human behaviour, there won’t be such a thing as a secure password. I strongly suggest using a password manager.