
Passwords: Before I write my article about this, can someone explain its "logic"?

Thanks! I think I'm gonna try that. Though I wouldn't be surprised if the *********** site still didn't accept it. I tell you, it just makes no sense. I'm doing exactly everything they require and they still don't accept my passwords. I seriously think their system is broken.

The site is not going to check your password against all the criteria it lists! It will check a handful of them, such as length and does it include a special character.
 
...snip...

And so on. We end up exchanging one set of psychological determinates for a likely password with another set. If we continue to attempt to eliminate every possible likely password, we’ll end up with only a few possible permitted passwords left!

...snip...

This is part of the reason why NIST suggestions for passwords have changed.
 
I think that is what NIST is getting at. Without restrictions, I could have a password like "gold ponydog" that would be easy to remember and type but would be pretty hard to hack given that I could have chosen anything. But with the restrictions in the OP, I would probably have to go with something like D3vil17! that looks like a "strong" password but that could actually be rather easy to guess.

Good sites/services, fortunately, have long ago done away with the arbitrary password requirements. Unfortunately, in my job I access up to 10 hospital systems a day, and I expect it to be many years more of changing my short, confusing passwords every 3-6 months. Such a bummer.
 
I need to access a dozen or so sites regularly for work. I got so fed up with them needing to change all the time (with regular emails from IT about keeping **** safe, including how to use some sort of online 'password safe') that I have a little notebook on my desk that I update them in.

I've written, in big letters on the cover, 'PASSWORD SAFE - KEEP OUT'.

Might not be the most secure system (although I have asked people to KEEP OUT) but it does come in handy so colleagues can access things when I'm away.

For my personal stuff I just use the Google remember this password thingy.
 
Aren't password crackers aware of that by now? I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.

Yes they are, I can't find the article now but this year a security company published a paper showing how they succeeded in cracking very long passphrases rapidly using a new algorithm.

It was done in response to this,

xkcd has this covered :)

(I once did something similar to generate passwords in Unix systems - take the first 4 letters from each of a pair of random words of > 4 letters, and plug them together. So green light would become the password greeligh. All the user had to do was remember "green light" and the way the system worked)

(image: https://imgs.xkcd.com/comics/password_strength.png)

and pointed out that basing your password on words in the English language dictionary is no longer safe due to advanced password cracking algorithms and cheap high performance computing (IIRC, the researcher used relatively cheap GPU clusters). Responding to the article, Randall Munroe pointed out that he is absolutely not a cryptography expert and his XKCD strip was only meant to illustrate a mathematical property that proves that no matter how random looking the password is, if it is short it can be cracked quickly.

If you want the passwords to be very secure you should use a password vault program and generate a unique very long random sequence password for every login you have.
 
But why???

A lot of "rules" about passwords are ridiculous. As a computer programmer I think that the most important things about a password is:

1) That no one can guess the password just by knowing you.
2) That you can easily remember it, especially considering how many passwords we need nowadays.
3) That the system locks the account after a set number of attempts, avoiding brute force attacks.

So "Banana" would probably be a pretty great password, first because it won't be within people's first few attempts, and because it has nothing to do with you unless you work in the banana industry, in which case it's stupid. In addition, it's easy for you to remember, so you don't have to write it down, potentially helping people to find it.
 
I read some time ago that a random sentence from a book is a better password than all that rule stuff.

It is. At least, with the current way hackers try to hack passwords: For short-ish passwords the crack programs that are commonly used try to use dictionary approaches, standard character replacements (! instead of 1, 4 instead of A, etc.) and such, but with longer passwords, somewhere longer than 12 or 16 characters, they default to brute force. An easy to remember and to type long password is a random sentence. Even if they try to add dictionary approaches, you can throw obstacles by using nonsense sentences with words that are not usually combined. Last, the space character is treated as a special character by most password checkers and crackers... but since people assume a password to be a single word, it's one of the seldom used special characters. Another thing is that hackers often use just the user names and hash tag lists obtained from some service sites (not containing the actual passwords, just their hash tag) and then try to guess a password that fits the hash. Any user in there with a long password is essentially shielded by the mass of other sucker users that use short passwords that are easier to crack by hash.

So yes, a very good and safe approach to password security would be to simply allow people long passwords that do not follow easy to guess rules (such as strings of the same letter or series like abcd or 1234). Random sentences would work for that, unless everyone does that, and always uses the same popular sentences (but that should be easy to defeat, with the mentioned recommendations of using nonsense sentences or character replacements, but keeping those as RECOMMENDATIONS, not REQUIREMENTS; leave the complexity of the whole set of passwords with the users).

Doesn't help if you get a site like the OP describes. Which essentially tries to do the right thing, but frustrates the user so much that they resort to unsafe practices. What really grinds my gears are sites that use such a complex set of rules ... AND LIMITS THE LENGTH... AAARGH...
 
I used to think I was clever using vertical runs down the keyboard as passwords. Fits the rules, looks random, super easy to remember.

But then I read an article about the top 10 most commonly used passwords and right there was "1qaz2wsx". D'oh.
 
A lot of "rules" about passwords are ridiculous. As a computer programmer I think that the most important things about a password is:

1) That no one can guess the password just by knowing you.
2) That you can easily remember it, especially considering how many passwords we need nowadays.
3) That the system locks the account after a set number of attempts, avoiding brute force attacks.

So "Banana" would probably be a pretty great password, first because it won't be within people's first few attempts, and because it has nothing to do with you unless you work in the banana industry, in which case it's stupid. In addition, it's easy for you to remember, so you don't have to write it down, potentially helping people to find it.

Re. (3): As I understand, the primary way to hack passwords (say, for web services) is not via the normal login process. It's getting a list of user names and the password hash numbers, and then try to find passwords fitting the hash number. That can be done at your leisure. It's just running using data on the hacker/cracker's own machine. After that, the hacker/cracker has only a very limited set of passwords to try in the login, assuming the login process DOES actually use the full passwords. Some services just use the hash numbers alone.

Another really problematic practice some services use is allowing long passwords with little requirements ... but not actually using the full password, but cutting it off at 12 characters or so. So a user thinks he's using a safe long password but in fact is not.
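The truncation flaw described in that last paragraph is easy to reproduce and easy to test for. The following is an added example, not code from the thread: two tiny password stores built on the standard library's salted PBKDF2-HMAC (Argon2 or scrypt would be the modern choice; PBKDF2 is used only because it needs no extra package). One store models the flawed service by hashing only the first 12 characters, the other hashes the whole string, and `truncates()` is the self-check an operator can run against a test account they control. The user name, passphrase and the 12-character limit are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 rounds; kept modest so the example runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow key derivation; the output is what gets stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=32)


class PasswordStore:
    """Keeps (salt, derived key) per user. `max_chars` models the flaw from the
    post: when set, only that many characters reach the hash, so every password
    sharing that prefix verifies as correct."""

    def __init__(self, max_chars=None):
        self.max_chars = max_chars
        self._records = {}

    def _effective(self, password: str) -> str:
        return password if self.max_chars is None else password[:self.max_chars]

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _derive(self._effective(password), salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self._records:
            return False
        salt, stored = self._records[user]
        # constant-time comparison of the stored and freshly derived keys
        return hmac.compare_digest(stored, _derive(self._effective(password), salt))


def truncates(store: PasswordStore, user: str, password: str) -> bool:
    """Operator self-test: a correct verifier must reject the password with an
    extra character appended. Run it against a throwaway account only."""
    store.register(user, password)
    return store.verify(user, password + "X")


def demo() -> dict:
    """Register one long passphrase in both stores and try a 13-character
    prefix of it against each (constructed values)."""
    passphrase = "correct horse battery staple"
    prefix = "correct horse"          # first 12 chars match the passphrase
    truncating = PasswordStore(max_chars=12)
    full = PasswordStore()
    for store in (truncating, full):
        store.register("alice", passphrase)
    return {
        "truncating_accepts_prefix": truncating.verify("alice", prefix),
        "full_accepts_prefix": full.verify("alice", prefix),
        "full_accepts_real": full.verify("alice", passphrase),
        "unknown_user_rejected": full.verify("bob", passphrase),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("12-char store truncates:",
          truncates(PasswordStore(max_chars=12), "probe", "sixteen-chars-pw"))
```

The "append one character and retry" probe is worth knowing about even for sound implementations: some real hash functions impose their own input limit (bcrypt stops reading after 72 bytes), so a very long passphrase may be silently shortened by the algorithm rather than by sloppy application code.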
 
Re. (3): As I understand, the primary way to hack passwords (say, for web services) is not via the normal login process. It's getting a list of user names and the password hash numbers, and then try to find passwords fitting the hash number. That can be done at your leisure. It's just running using data on the hacker/cracker's own machine.

Yeah but that's a security problem with the server, not the password or its handling. And they're going to get the PWs this way at some point regardless of what they are.
 
Maybe. Or maybe not. Mathematically, all those restrictions limit the number of possible permutations. Just cycling through all possible permutations, a great many could be eliminated without testing because they don’t meet the password criteria. There would still be a lot, though.

On the other hand, if there are no restrictions it may be easy to guess the password. The restrictions eliminate many passwords that would be easy to guess.

On yet the other hand, the restrictions can make the password somewhat easier to guess. Because it restricts what the user can choose for a password, it can become easier to make certain assumptions about likely passwords.

For example, the password is likely to be based on a set of alphabetic characters. That series of letters is probably 5-7 (or maybe 8) characters so that it is long enough to meet the password length requirement but not too long to be cumbersome. The letters may be based on the first letters of a common phrase (as is commonly suggested). That can narrow down the possible base of the password quite a bit. Or the letters may be a word. If dictionary words are not allowed, it probably has a l33t transformation.

Because many passwords require a capital letter, it is likely that the first letter in the alphabetic series is upper case and the rest of the letters are lower case.

The special character is probably the last character, unless a special character is used in the l33t transformation. If it is at the end, it is probably ! or $ because those are easy to remember and are almost always allowed (in passwords that specify specific special characters that must be used) so it makes it convenient when using the same password for multiple sites.

The number requirement may be fulfilled by a l33t transformation if the base word is toward the longer side. Otherwise, the numbers are probably 1 or 2 numbers following the base word, or at the very end or very beginning of the password. If two numbers are likely, a good guess would be the current year (17) or the person’s birth year or other significant number. Repeated numbers are likely when they are filler to meet the number and length requirements, or if repeated characters are not allowed then they are probably consecutive numbers like 12 or 56.

And so on. We end up exchanging one set of psychological determinates for a likely password with another set. If we continue to attempt to eliminate every possible likely password, we’ll end up with only a few possible permitted passwords left!

Of course there is a benefit in having a minimum password length and not allowing things like “password” or “1234”. But increasing those restrictions has diminishing returns, and can eventually even turn back and become less beneficial.

Spoken like a true Devil's Advocate :)
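The argument above (and the earlier "gold ponydog" versus "D3vil17!" comparison) can be made concrete with a small strength estimator in the spirit of zxcvbn. This is an added example, not code from the thread or from any strength-meter project: it recognises the template the post describes (capitalised, possibly l33t dictionary word, one or two digits, trailing ! or $) and scores such a password by the size of that template rather than by the naive "character classes to the power of length" figure a typical meter reports. `WORDLIST_SIZE`, `LEET_VARIANTS`, `DIGIT_OPTIONS` and `SPECIAL_OPTIONS` are assumed figures, and `SAMPLE_WORDS` is a constructed stand-in for a real word list so the example runs offline.

```python
import math

# Assumed parameters (constructed for this example). Real estimators ship word
# lists of tens of thousands of entries; SAMPLE_WORDS is a tiny stand-in.
WORDLIST_SIZE = 50_000
SAMPLE_WORDS = {"devil", "gold", "pony", "dog", "banana", "steve", "eats",
                "candy", "often", "green", "light", "password", "hello"}
LEET_VARIANTS = 4       # l33t spellings tried per base word
DIGIT_OPTIONS = 110     # one digit (10 ways) or two digits (100 ways)
SPECIAL_OPTIONS = 3     # nothing, '!' or '$' at the end
UNLEET = str.maketrans("013457@$", "oleastas")


def _deleet(text: str) -> str:
    """Undo the common l33t substitutions so 'D3vil' compares as 'devil'."""
    return text.lower().translate(UNLEET)


def template_base(pw: str):
    """Return the dictionary word behind a 'Capitalised word (maybe l33t) +
    0-2 digits + optional ! or $' password, or None if it does not fit."""
    body = pw[:-1] if pw and pw[-1] in "!$" else pw
    if not body or not body[0].isupper():
        return None
    for ndigits in (2, 1, 0):   # try the longest digit tail first
        base, tail = body[:len(body) - ndigits], body[len(body) - ndigits:]
        if tail and not tail.isdigit():
            continue
        if len(base) >= 4 and _deleet(base) in SAMPLE_WORDS:
            return _deleet(base)
    return None


def nominal_space(pw: str) -> int:
    """Guess space a naive 'character classes ^ length' meter would report."""
    classes = 0
    if any(c.islower() for c in pw):
        classes += 26
    if any(c.isupper() for c in pw):
        classes += 26
    if any(c.isdigit() for c in pw):
        classes += 10
    if any(not c.isalnum() for c in pw):
        classes += 33
    return classes ** len(pw)


def estimate_guesses(pw: str) -> int:
    """Guess count for a cracker who knows the habits the policy induces."""
    if template_base(pw) is not None:
        # the whole template is a single mask run, whatever the exact word
        return WORDLIST_SIZE * LEET_VARIANTS * DIGIT_OPTIONS * SPECIAL_OPTIONS
    if " " in pw.strip():
        # space-separated phrase: word-list size per dictionary word,
        # nominal space for tokens that are not words
        total = 1
        for token in pw.split():
            total *= WORDLIST_SIZE if token.lower() in SAMPLE_WORDS else nominal_space(token)
        return total
    return nominal_space(pw)


def bits(pw: str) -> float:
    return round(math.log2(estimate_guesses(pw)), 1)


if __name__ == "__main__":
    for pw in ("D3vil17!", "gold ponydog", "Steve eats candy often", "kX9#qL2z"):
        print(f"{pw!r:26} nominal {math.log2(nominal_space(pw)):5.1f} bits, "
              f"realistic {bits(pw):5.1f} bits")
```

With these assumptions "D3vil17!" looks like a 52-bit password to a naive meter but is about 26 bits once the template is known, while the two-word phrase lands near 48 bits and the four-word one far above; the numbers are only as good as the assumed word-list and variant counts, which is exactly why real estimators ship large lists instead of constants.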
 
ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.


Oooh, so if I was a fan of the new Wonder Woman, Gal Gadot, would Iw2hswgg! work? Or maybe Allison Brie from GLOW, Iw2fthsooab! ?
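The conversion rule quoted above (first letter of each word, case and punctuation kept, to/two/too written as 2 and for as 4) is mechanical enough to write down. This is an added example, not code from the thread; the substitution table holds only the four words the post names, and the tokeniser treats apostrophes as part of a word.

```python
import re

# Substitutions the post describes (only these four words).
WORD_SUBS = {"to": "2", "two": "2", "too": "2", "for": "4"}

# A word starts with a letter and may contain apostrophes; anything else that is
# not whitespace is punctuation and is carried through unchanged.
TOKEN = re.compile(r"[A-Za-z][A-Za-z']*|[^A-Za-z\s]")


def phrase_to_password(phrase: str) -> str:
    """First letter of each word (original case), numeral substitutions for
    to/two/too/for, punctuation kept in place, whitespace dropped."""
    pieces = []
    for token in TOKEN.findall(phrase):
        if token[0].isalpha():
            pieces.append(WORD_SUBS.get(token.lower(), token[0]))
        else:
            pieces.append(token)
    return "".join(pieces)


if __name__ == "__main__":
    for phrase in ("I have not yet begun to fight!",
                   "Too many cooks, two for one?",
                   "Don't stop, you're too good"):
        print(f"{phrase!r} -> {phrase_to_password(phrase)!r}")
```

The result for the post's own example is `Ihnyb2f!`. As the earlier "Devil's Advocate" post points out, a first-letters-of-a-phrase password is one of the patterns a cracker who knows the convention can target, so the output of this rule should not be mistaken for a random string of the same length.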
 
Yes they are, I can't find the articel now but this year a security company published a paper showing how they succeeded in cracking very long passphrases rapidly using a new algorithm.

It was done in response to this,



and pointed out that basing your password on words in the English language dictionary is no longer safe due to advanced password cracking algorithms and cheap high performance computing (IIRC, the researcher used relatively cheap GPU clusters). Responding to the article, Randall Munroe pointed out that he is absolutely not a cryptography expert and his XKCD strip was only meant to illustrate a mathematical property that proves that no matter how random looking the password is, if it is short it can be cracked quickly.

If you want the passwords to be very secure you should use a password vault program and generate a unique very long random sequence password for every login you have.

Not knowing the actual paper, I'm somewhat sceptical. Because, how can the cracker know that dictionary words are used, how they are separated, and does he need to know that certain words follow each other (as they do in actual sentences) etc.?

Just by combining words one can add a huge amount of complexity. And one can add additional complexity by intentionally NOT following rules of actual language. Such as using nonsense sentences, made-up words, not using space as word separator between every word...

A lot of papers I know differentiate between "passwords" and "pass phrases". And actually following these names gives information about the pass information. If you say "pass phrase", and actually use a pass phrase, you tell the cracker that he's looking at a series of words...

As I was saying: "Password" implies using a single word. And people actually use only a single word. They do not use space, because that's the usual character used to separate words. So a great deal of online password strength checkers indicate a stronger password just by using space. I don't know if this actually increases the strength against currently used techniques. It could be, because, why try to use space if you know that the vast majority of users don't use it? Of course, that might change once everyone tries to use sentences as passwords. But, would this ever happen, given how prevalent unsafe passwords like "password", "12345678", "qwerty" still are?

(One online password strength checker I tried, which does indicate problems if you use common words, conks out noticeably if you use four common words. "Steve eats candy" was only a medium safe password, "Steve eats candy often" a super safe one.)
 
The site is not going to check your password against all the criteria it lists! It will check a handful of them, such as length and does it include a special character.

So you're saying they bothered to create a whole Bible of criteria, and they don't even check to see if my password meets all of them? If this is true, the level of nonsensical ridiculousness has really transcended. Why would they create a list of requirements if they're not gonna check to see if you meet all of them? This sounds more and more like whoever creates these requirements just made them up out of boredom.

I imagine some stupid code programmer sitting at his desk going like:

"Let's see..... Password must not rhyme with the word Red!

Hmmm.... oh, Password must not remind me of my grandma

Yeah. That should do. That's enough requirem..... Oh wait! Let's also add: Password must not be an anagram of the word Elevator!"
 
Yeah but that's a security problem with the server, not the password or its handling. And they're going to get the PWs this way at some point regardless of what they are.

That's kinda the whole point, isn't it? The security of the data on the server is only as good as the weakest element.
 
Not sure exactly what the battle they're trying to fight is. The days when you could pepper a login process over and over, not worrying about a multiple-failure lockout, are long gone.

Getting a hold of a big list of login IDs and trying each one 3 times then moving on to the next one and hoping for the inevitable success? (Assuming this doesn't also have failure lockouts looking for this sort of thing from a single internet address.)

Getting the encrypted password file and trying to decrypt it using intelligent guesses as to things that are probably in it?
 
Not sure exactly what the battle they're trying to fight is. The days when you could pepper a login process over and over, not worrying about a multiple-failure lockout, are long gone.

Getting a hold of a big list of login IDs and trying each one 3 times then moving on to the next one and hoping for the inevitable success? (Assuming this doesn't also have failure lockouts looking for this sort of thing from a single internet address.)

Getting the encrypted password file and trying to decrypt it using intelligent guesses as to things that are probably in it?

Primarily the last one. Getting as many passwords as quickly as possible from the encrypted data.
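The three attack models listed in the quoted post map to different defences. Offline cracking of a stolen hash set is fought with slow, salted hashing; the online "three tries per account, then move on" pattern is what the parenthetical hints at and is invisible to a plain per-account lockout, because no single account ever reaches the threshold. The following is an added example, not code from the thread: a detector run over a constructed authentication log that flags both per-account hammering (the case a lockout handles) and low-and-slow spraying across many accounts from one source address. The log format, the IP addresses (documentation ranges) and the thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from any real system). 203.0.113.7 tries six
# accounts twice each and eventually gets one; 198.51.100.9 hammers one account.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z auth FAIL user=alice src=203.0.113.7
2017-08-01T10:00:02Z auth FAIL user=alice src=203.0.113.7
2017-08-01T10:00:03Z auth FAIL user=bob src=203.0.113.7
2017-08-01T10:00:04Z auth FAIL user=bob src=203.0.113.7
2017-08-01T10:00:05Z auth FAIL user=carol src=203.0.113.7
2017-08-01T10:00:06Z auth FAIL user=carol src=203.0.113.7
2017-08-01T10:00:07Z auth FAIL user=dave src=203.0.113.7
2017-08-01T10:00:08Z auth FAIL user=dave src=203.0.113.7
2017-08-01T10:00:09Z auth FAIL user=erin src=203.0.113.7
2017-08-01T10:00:10Z auth FAIL user=erin src=203.0.113.7
2017-08-01T10:00:11Z auth FAIL user=frank src=203.0.113.7
2017-08-01T10:00:12Z auth OK user=frank src=203.0.113.7
2017-08-01T10:01:00Z auth FAIL user=alice src=198.51.100.9
2017-08-01T10:01:01Z auth FAIL user=alice src=198.51.100.9
2017-08-01T10:01:02Z auth FAIL user=alice src=198.51.100.9
2017-08-01T10:01:03Z auth FAIL user=alice src=198.51.100.9
2017-08-01T10:01:04Z auth FAIL user=alice src=198.51.100.9
2017-08-01T10:01:05Z auth FAIL user=alice src=198.51.100.9
2017-08-01T10:02:00Z auth OK user=carol src=192.0.2.44
"""

LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log: str):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:  # lines that do not fit the format are skipped, not guessed at
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def classify(log: str, lockout_threshold=5, spray_min_users=5, spray_max_per_user=3):
    """Return accounts that hit the per-account lockout threshold and source
    addresses whose failures are spread thinly over many accounts."""
    fails_per_user = Counter()
    fails_per_src = defaultdict(Counter)   # src -> user -> failure count
    success_after_fail = []
    for _ts, result, user, src in parse(log):
        if result == "FAIL":
            fails_per_user[user] += 1
            fails_per_src[src][user] += 1
        elif fails_per_src[src][user]:
            # a success from a source that had already failed on that account
            success_after_fail.append((src, user))
    lockout = sorted(u for u, n in fails_per_user.items() if n >= lockout_threshold)
    spray = sorted(src for src, users in fails_per_src.items()
                   if len(users) >= spray_min_users
                   and max(users.values()) <= spray_max_per_user)
    return {"lockout": lockout, "spray": spray,
            "success_after_fail": sorted(success_after_fail)}


if __name__ == "__main__":
    for kind, hits in classify(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The per-source view is the one a per-account lockout lacks: the spraying address never exceeds two failures on any account, yet it touched six accounts and finally succeeded on one, which is the event worth paging on. In practice the source key would be broadened (a /24, an ASN, a device fingerprint) since sprayers rotate addresses.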
 
How in blazes do people get their hands on the hash data, anyway?

A lot of successful cracks actually seem to be social engineering based anyway. Call up several employees of the organization you're trying to hack, say, "This is Ralph from IT. We're updating the turbo-ecabulation database, and we need your user ID and password." If that doesn't work, there's always bribery, or holding their cat hostage.
 
So, basically, I am unable to access my existing account at Copyright.gov, nor to create a new account, due to its insufferable, extreme list of requirements for password creation:



Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players" Could this be more random? First of all, why sports teams/ players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?

Some are, simply absurd: "A password must not include your social security number or any subset of your social security number that is more than a single number." First of all: If I'm a completely new user who's opening their account for the first time, then that means I haven't even entered such information as my Social Security Number. How in the Blue Hell then do you even know if any of the numbers I'm entering in my new password are found in my Social Security Number??

Finally, they completely destroy any possibility for you to create a password that you would remember and that would make sense to you by dictating that "A password must not include words that can be found in any dictionary, whether English or any language." This means you are left with nothing but strings of random letters, meaning this will be something you will need to write down on a piece of paper and save so you can remember it.


But aside from the fact that this one site is being a real bitch with the whole password creation, most of the sites where you create accounts have a list of requirements for your password.

But why???

The way I see it: it's my account, my responsibility. If I decide to create a password that's just "1234", and that means it has an extreme risk of being deciphered by others, that's MY PROBLEM. Some services such as gmail allow (at least for now) for you to create whatever the hell you wanna create as a password, so we know this is not universal to all sites/services.

Second of all, as I mentioned earlier, by introducing such a large list of demands, you make it so that I have to create a password that I wouldn't remember, because it ends up being something crafted to the site's individual desires. So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords. So, the rationale that this makes your password more secure, isn't precisely true.


Since recently I was looking for ideas to write a new article on my blog, it goes without saying that this subject has infuriated me so much, and for such a long time, that I'm gonna make this my new subject. However, before I start writing an article complaining about this, I would like to hear the opinions of some tech-savvy people (preferably people who are code programmers, and who have hands-on experience with this stuff) to patiently explain to me, as concisely as possible, why this **** makes sense at all.

Most of those criteria are trying to eliminate passwords that can be guessed from personal information. I'm not a security expert by any means, but I have been able to guess my friends' bank card PINs pretty reliably.

In this world of Facebook disclosures, I know a lot of people's unlock information as well. Mother's maiden names. City they were born. Favourite pet name.

They're also trying to create unique criteria that other sites don't use, which protects the user in a different way, by preventing the user from having one password for a hundred sites. Once crackers find your favourite password they can log in everywhere. It's a disaster.

So, I don't blame companies for trying to coach users on how to reduce their exposure, but I also don't like the idea of passphrases.

I use a password generator (a unix crypt based app on my mac) and a vault (a text file on same mac). It reliably follows any site's rules by virtue of being totally random characters. The one exception is the password for the computer itself, where the vault is stored, which has a passphrase that I rotate monthly. The Mac's drive is encrypted, so if it's stolen, there's no way for anybody to read the password vault file.


ETA: on the topic of card PINs... "Well the year was 1690..."
 