Most of the effort spent on making passwords stronger is wasted, according to a trio of researchers from Microsoft in the USA and Carleton University in Ottawa, Canada.
The researchers, Dinei Florêncio, Cormac Herley and Paul C. van Oorschot, said in a recent paper that there are two vast “don’t care” regions where energy spent on strengthening passwords is simply wasted.
The chasm
The first “don’t care” region is an online-offline chasm. The chasm represents the gap between the number of guesses a password might have to withstand in an online attack and how many it might face in an offline attack (you can read more about it in my article Do we really need strong passwords?).
To withstand a determined online attack using a website’s login screen your password might have to withstand 1 million guesses. To survive an offline attack by an attacker with specialist hardware, direct access to the password database and plenty of time the figure is eight orders of magnitude greater: 100 trillion guesses.
If passwords sit between these two thresholds then they’re more than good enough to withstand an online attack, but not good enough to handle an offline attack.
Any effort to strengthen passwords in the chasm that falls short of pushing them out of it is therefore wasted.
The saturation threshold
The second “don’t care” region is the threshold at which an attacker stops trying to crack passwords because they’ve already thoroughly compromised the system they’re attacking.
…for an enterprise network a compromised account almost certainly has snowballing effects … The first credential gives initial access to the network, the second, third and fourth solidify the beachhead, but the benefit brought by each additional credential decreases steadily.
So an attacker doesn’t need to crack all of a system’s passwords: in fact they can probably leave most of them untouched.
The point of saturation varies from one network or system to another but the researchers set themselves an upper bound for the saturation point at just 10% of passwords, with the caveat that “saturation likely occurs at much lower values”.
Efforts to strengthen the passwords above the saturation point yield little if any additional security.
Focusing where it matters
On any given system a huge number of passwords are likely to sit in one of the two “don’t care” regions.
If you’re an end user you’ll never know how your passwords are stored or which side of the saturation point they sit, so you should shoot for the strongest passwords you can muster.
If you’re a system administrator charged with keeping your network safe and you don’t have infinite time and resources, the “don’t care” regions can help shape your approach to passwords.
…many policy and education mechanisms are unfocused, in the sense that they cannot be targeted at the specific part of the cumulative distribution where they make most difference (and away from the “don’t care” region where they make none).
How then should you make sure that your efforts to strengthen users’ passwords actually make a difference?
Don’t waste time on composition policies
Perhaps the least popular approach is password composition policies.
These are sets of rules such as “your password should be at least eight characters long and contain at least one uppercase letter, one number and one special character”. They’re popular because the rules are easy to check and they increase the entropy of your password (which can be important but isn’t the same thing as password strength).
However, the case against these rules is compelling: they’re annoying (to everyone, even people choosing really strong passwords); they measure something that isn’t password strength and they restricting the pool of possible passwords (the “password space”), which is a helping hand to password crackers.
Microsoft Research has come up with another reason to ditch those policies, which is that even if they do help to make passwords stronger, they fall into the “don’t care” region where it makes no difference:
…the evidence strongly suggests that none of the password composition policies in common use or seriously proposed can help … enterprises that impose stringent password composition policies on their users suffer the same fate as those that do not
Do block common passwords
Instead of using password composition policies organisations should simply stop users from choosing anything that might appear on SplashData’s annual worst password lists.
Attackers know what the most popular passwords are and any attacker worth their salt will be sure to try them first.
Password blocklists work just where you want them to: below the saturation point for online guessing. Sure, blocklists can be annoying, but they only annoy people choosing poor passwords.
Microsoft and Twitter are both mentioned as sites that use blocklists of hundreds of passwords, but the authors suggest going much further and blocking not just the worst few hundred, but the worst million passwords.
They also suggest that you might use zxcvbn on your website, a password strength meter that actually tries to measure password strength.
Throttle passwords
Limiting the number of times a user can try a wrong password can reduce the vulnerability of passwords below the saturation threshold. Attacks against rate-limited interfaces take a long time and attackers have to be far more circumspect about the guesses they make.
If you’re in any doubt about just how inconvenient rate-limiting can be, just ask the FBI.
The best bang-for-buck guesses for attackers are the the most common passwords, so password blocklists and throttling make a potent combination:
Together with password blocklisting … throttling may almost completely shut down generic online guessing attacks.
NIST (the National Institute of Standards and Technology) now recommends that users be allowed no more than 100 consecutive incorrect guesses in any 30-day period.
Note that whilst sysadmins looking to shepherd flocks of dodgy passwords can feel good about blocklists and throttling, it’s not an excuse for individuals to back off on their password discipline. Recent research showed that if attackers (or more likely their software) target you personally then even the NIST limit of 100 guesses might not be enough to keep you safe.
Enforce two-factor authentication
The paper is tightly focused on passwords and doesn’t cover things like 2FA (two-factor authentication) so I’m going to give it an honorable mention.
Two-factor authentication forces users to provide two pieces of information – typically their password and a code provided by a token, an SMS message or an app.
It protects systems from attackers with stolen passwords, because passwords aren’t enough by themselves to gain access, and it makes guessing passwords online very hard indeed.
Store passwords correctly
Throttling and blocklists are great for fending off online attacks but if a hacker makes off with your password database they can’t help. After a password database has been stolen the password hashes stored inside it are at the mercy of whatever time and hardware the attacker can afford.
How the stolen passwords have been stored makes a huge difference to how big the chasm is.
Passwords should be stored as hashes that have been salted and stretched (for an exhaustive examination of why read How to store your users’ passwords safely).
“Stretching” means repeating the salting and hashing process over and over, typically thousands and thousands of times, in an effort to make password hashing much more computationally expensive.
Moore’s law sees to it that the hardware used for password cracking is always getting faster. Stretching gives system administrators an easy way to keep up – as computers get faster they can simply increase the number of salting and hashing iterations passwords are passed through before being stored.
The upper limit on the number of iterations is determined by what users will stand because they have to wait for their passwords to pass through the salt, hash, stretch process to be authenticated.
The slower the hash the longer that both users and password crackers have to wait:
If 10ms is a tolerable delay an attacker with access to 1000 GPUs can compute a total of … 1012 guesses in four months. Directing this effort at 100 accounts would mean that each would have to withstand a minimum of T1 = 1010 guesses. Since these are conservative assumptions, it appears challenging to decrease [the chasm] below this point.
1010 guesses reduces the online-offline “don’t care” region considerably but it still leaves us four orders of magnitude adrift of the chasm’s leading edge. But what about other ways of storing passwords?
Administrators can eliminate the online-offline chasm completely by removing the possibility of stolen hash databases, and one way to do that is by using an HSM (Hardware Security Module). An attacker who steals the password database without the HSM has nothing more than a useless list of Message Authentication Codes.
What it all means
The conclusions of the research have the world’s sysadmins in mind. If your job involves looking after users’ passwords and your time is limited then its conclusions can help you focus your energy where it matters – on actually improving security.
If you’re an end-user however, you can’t relax. You’ll never know how your passwords are stored or whether yours sits above or below the saturation point. The measures that sites use to defeat online guessing may be more obvious to you but you’ll still have no control over them, aside from adopting 2FA if it’s available.
Make sure that every password you choose is unique and strong enough to withstand an offline guessing attack. Make each password a random collection of at least 14 letters, numbers and wacky characters and (if you don’t have a photographic memory) use a password manager to keep them safe.
Even folks with photographic memory should use a password vault, if only for the vault’s ability to quickly auto-generate random passwords for you. After all, you want a different password for every site, in case one of those sites leaks your password or a very easy way to calculate it, such as Adobe’s infamous plain-text password hint (plus simple block cipher) leak..
It’s easy to see why users are suffering from “security fatigue”. It’s important to use the available tools to keep up with the workload. The average person can’t afford to spend the effort of a full-time job on their internet security. Automate that noise.
Having never used a password manager I can’t comment on why some folks favor them, however, they’re better than leaving post-it notes stuck on a monitor. But if the password manager system is cracked, surely all stored accounts are vulnerable. Given I don’t have an eidetic memory, I prefer to use a sentence mnemonic to generate a password that I can recall.
You had me right up to “password manager”. I hate the idea.
I agree. I hate the idea because malware will get through your defences eventually, before Sophos has detected it and defended it, and then all your pass words are out there. Besides, if your iMac crashes, it may take months to restore everything from Time Machine or your back-up program to get your password vault working correctly again. After all it is secured. I speak from personal experience (twice) this past year. So what do I do? I keep an address book on my desk with all my passwords written in in the old-fashioned way. What’s the chance of someone getting my password address book? Only if someone breaks in, ransacks my house and steals it. Chances are they will go after the 65 inch TV and all region DVD player first, then leave. And if they do, I can call all my credit card companies and report a theft, most likely before the vandals think of looking at the book and what it means, even if they did take it. P.S. When I go away for a vacation I put the book in my safe where I have my rare stamp and coin collection. It’s too heavy to snatch and grab.
I’ve nothing against notebooks, I even recommended them in an article a couple of years ago, but the picture isn’t as black and white as you make out.
If malware gets on to your computer then you have to assume you’ll be subject to keylogging and your passwords will be stolen as you type them regardless of how they’re stored.
If your home is broken into and your password book and computer are stolen then an attacker can retrieve your passwords from the notebook but, assuming you’ve chosen a strong password, will find it incredibly difficult to crack your password manager’s master password. And that’s without full disk encryption.
Your solution is one way, but for those of us with laptops who move between work, home and other places of business, it doesn’t work – you have to carry the password notebook around with you, which is kind of risky, not to mention incovenient and hard to back up safely.
Also, part of your objection to pasword managers is that it might take “months to restore everything […] to get your password vault working correctly again.” if that’s true, then as far as backup is concerned, you’re doing something wrong.
Lastly, another part of your objection is that “malware will get you in the end anyway”. If that’s the case, then your solution is no better than a password manager. The malware will steal your passwords when you type them in from your notebook, just the same as it would when you typed or pasted them in from your password manager.
It also makes little difference how your password is created or stored when it can be access by simply using a spoofed authentication call.
Would it be too much to ask to give credit to the authors, who you cite abundantly, by naming them?
Done.
I also clarified their affiliations: two are from Microsoft and the third is from Carlton University in Canada.
(If there are multiple authors it can look a bit weird to include all their names, so we don’t always do it. We do link to the paper, where all the details can be found.)
One thing I think you left out is asking “What happens if this password is compromised?”. Passwords to The Weather Channel, AARP, CA Lottery site are hardy at risk of anything. They are merely tracking ID/Password uses. Who cares?
Even if you don’t reuse your passwords from one site to another just knowing about other passwords you’ve chosen can help attackers. You can read more about so-called ‘sister passwords’ here: https://nakedsecurity.sophos.com/2016/11/09/would-your-password-withstand-100-guesses-from-a-hacker/
The authors of the paper cited in the article wrote another one a few years ago in which they said much the same as you are – all accounts are not equally valuable so focus your efforts on the ones that are. I respectfully disagree with them on two counts:
1) It’s impossible to know how valuable a password is. The recommendation to focus on important accounts was made before the research into sister passwords I mentioned above was published. It shows that your passwords and PII can be used to seed attacks on more valuable accounts with surprising success. Since we don’t know what we’ll discover in six months or a year it’s better to assume your passwords are more valuable than you think IMO.
2) Password managers make the process of creating and remembering truly random passwords trivial so you have the option to create bomb-proof passwords for every account for no extra effort. It’s for each individual to decide if the trade-offs inherent in password managers are worth it but we think they are and we’re happy to recommend them.
I use and teach the following: I only access accounts from one (1) computer/device. In my case my home desktop. I know this inconvenient, and I do have a work e-mail account that I access from work. I don’t shop at work. I use a password manager to create passwords that I store on my home desktop and on a USB drive that remains at home. Finally, before I click on a URL link I look at the preview bar to see where it will take me.
Interesting to note, though, that even zxcvbn doesn’t have the kind of dictionaries you remind us that criminals can use. In particular it reports that ifyouarethedealerimoutofthegame will take centuries to crack at 10B/second.
Not if you know you’re hacking a Leonard Cohen fan it won’t.
regarding “Do block common passwords” isn’t that what composition policies address? Wo why “Don’t waste time on composition policies”. None of the bad passwords would have passed a composition policy (not that I like them or anything, I just think the statements are contradictory).
Composition policies don’t block the worst passwords specifically, they attempt to do so by identifying characteristics found in poor passwords. In reality password policies are an example of doing something because it’s easy to measure and placing the burden of work on the user. In the words of the research itself: “enterprises that impose stringent password composition policies on their users suffer the same fate as those that do not”.
If your intention is, specifically, to stop people choosing passwords from a list of passwords you know that an attacker will try first then policies are an unnecessary abstraction, just block the list.
Password policy rules can also help attackers – if you know that the passwords you’re trying to crack have to include at least one uppercase letter then you can rule out a lot of guesses you’d otherwise have had to make.
Password crackers also understand human nature and they know that if you tell somebody to add numbers to their passwords they’ll likely add them at the end. Likewise if you tell people to use uppercase letters they tend to add just one and it’s normally at the beginning or the end. The order of password guesses in an attack will reflect that.
P@55w0rd uses upper-case, lower-case letters, plus numbers and special characters. It’s an awful password though 😛
One of the biggest restrictions with online password security is the one(s) set by vendors. Many limit passwords to a minimally secure character length and they and others often restrict some, if not all of the extended characters, limiting to upper/lower case and numbers. They need to take a greater responsibility for password security also.