DailyDirt: How Many Passwords Do You Know?
from the urls-we-dig-up dept
If you’ve been online for more than a few years, you’ve probably collected a fairly sizable number of logins for various things. When the next cool social network you discover asks you to register with an email and password, a surprisingly large number of people choose “123456”, “p@ssw0rd” or something equally easy to remember (and reuse that same password across multiple services). That’s not a good idea, especially as more services are being broken into because of bad (or no!) password hashing. Password attackers usually aren’t guessing your password by trial and error against the login form; they’re grabbing whole password databases and doing the brute-force cracking offline, helped by every hint that can be gleaned from a huge pool of passwords, which is bound to contain duplicates and entries that fall to dictionary attacks. If you have some time, turn on two-factor authentication and peruse the following links.
- Some password systems conveniently allow variable-length passwords, so users can choose whether they want an 8-character password that requires special characters, numbers and an upper/lowercase mix, or whether they would prefer an all-lowercase 20-character password. Allowing really long passwords makes it possible for people to pick strings like “correct battery horse staple” (which is probably a very insecure password now). [url]
- If you have a gazillion passwords in a plaintext file somewhere, you might want to try a password manager. But if you’re not that paranoid about your passwords, you probably can’t be bothered to set up a password manager, either. [url]
- Ultimately, for the best security, humans probably should not be choosing their own passwords. There really isn’t anything preventing people from choosing bad passwords, and longer passwords don’t necessarily make for better ones (e.g. facebookpasswordmyname). [url]
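The “bad (or no!) password hashing” the post mentions is worth seeing side by side with the fix. The following is an added example, not code from the post or from any service it names: an unsalted fast hash, which exposes every duplicate password in a dumped table (the kind of hint offline crackers lean on), next to a salted, deliberately slow PBKDF2 record that still verifies. The user records and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials: two users happen to share a password,
# the duplicate-password situation the post describes. Not real accounts.
USERS = {
    "alice": "p@ssw0rd",
    "bob": "p@ssw0rd",
    "carol": "correct battery horse staple",
}

# PBKDF2-HMAC-SHA256 work factor; a hypothetical choice for this example.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the 'bad hashing' case.

    Every user with the same password gets the same digest, so cracking one
    entry reveals all its duplicates, and precomputed tables apply directly.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash stored as 'pbkdf2_sha256$iterations$salt$digest' (hex fields)."""
    salt = os.urandom(16)  # fresh per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def distinct_values(records: dict) -> int:
    """Number of distinct stored values; fewer than len(records) means anyone
    who dumps the table can see which users share a password."""
    return len(set(records.values()))


if __name__ == "__main__":
    weak = {u: weak_hash(p) for u, p in USERS.items()}
    strong = {u: make_record(p) for u, p in USERS.items()}
    print("unsalted sha256, distinct values:", distinct_values(weak), "of", len(USERS))
    print("salted pbkdf2,   distinct values:", distinct_values(strong), "of", len(USERS))
    print("alice, right password:", verify_record("p@ssw0rd", strong["alice"]))
    print("alice, wrong password:", verify_record("123456", strong["alice"]))
```

With the weak hash, alice and bob are visibly the same entry; with the salted records all three differ, and verification still works because the salt and work factor travel with the record. The iteration count is what makes offline guessing slow; the salt is what stops the pool of leaked hashes from giving away duplicates.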
If you’d like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.
Filed Under: breach, hashing, login, password manager, passwords, salting, security, two factor authentication
Comments on “DailyDirt: How Many Passwords Do You Know?”
Keepass + BtSync FTW.
Longer Is Better Than More Characters
8 random characters, uppercase only → 37.6 bits of entropy
8 random characters, uppercase + lowercase + digits → 47.6 bits
10 random characters, uppercase only → 47.0 bits
12 random characters, uppercase only → 56.4 bits
In other words, don’t sweat the special characters, go for password length.
Re: Longer Is Better Than More Characters
I don’t understand this rainbow tables and entropy. If I can have a password that’s 8 character mixed case alphanumeric with specials, how is having an 8 character all lowercase password faster to crack?
I really only understand brute force. The only reason lower case is faster to brute force is because lower case is usually tried first.
Re: Re: Longer Is Better Than More Characters
You run the pure wordlist before you add the fuzz
“sex” is a password you check before “s3x”
Re: Re: Re: Longer Is Better Than More Characters
So this rainbow tables and entropy stuff doesn’t mean crap? We just have to social engineer our passwords.
If “sex” is checked first because it’s a real word then “s3x” because it’s a real word with a number replacing a letter, then “kmk” would be more secure because it will be checked last since it’s just random lettering.
Re: Re: Re:2 Longer Is Better Than More Characters
But “kmk” is a keyboard walk, at least on a QWERTY keyboard. The “k” key is diagonally-adjacent to the “m” key. Not good.
On the plus side, you did include a repeated character. I notice that people attempting to create random sequences tend to include fewer repeats than expected from a uniform distribution. That is, they pick some random character, and then feel biased against it. Indeed, I’m always slightly surprised at the number of repeated characters I find in sequences drawn from a flat distribution.
Bits of entropy
but only if your “Entropic” character string isn’t in a dictionary. Twelve characters in a dictionary is not the same as twelve non-word characters — in any language. Dump a dictionary in English and the next four most used languages into your rainbow tables and you’re still more successful than not.
Re: Bits of entropy
I did say “random”, didn’t I?
Less so than you'd think
“correct battery horse staple” (which is probably a very insecure password now)
Amusingly that was supposed to be easy to remember.
2 Factor Authenticate or Bust
Best list I’ve found of sites that support 2-factor authentication. If you aren’t using 2-factor for your sensitive accounts… you’re stupid.
Re: 2 Factor Authenticate or Bust
and for all that you’re worth, do not reinstall the software that controls your second factor. I had to spend half an hour on the phone with Blizzard after I factory wiped my phone thinking that it was all controlled by hardware address, not a random install code.
Re: Re: 2 Factor Authenticate or Bust
If you’re worried about that you can always save a screenshot of the QR code or print it out. As long as you keep it safe (encrypted volume or locked cabinet) the risks to your security are minimal.
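What that QR code carries is the shared TOTP secret, and the codes are a function of that secret and the clock, not of any hardware address. The following is an added example, not code from any commenter or from Google Authenticator: an RFC 6238 TOTP generator and a server-side check, using the RFC’s own published test secret (the base32 encoding of the ASCII string 12345678901234567890) rather than any real account’s seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret: ASCII "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant authenticator apps commonly use.

    The only inputs are the shared secret and the time, so a fresh install
    seeded with the same secret produces exactly the same codes.
    """
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", timestamp // step)  # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift, compared in constant time."""
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + skew * step, step=step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Two "installs" fed the same secret agree, which is why a backed-up copy
    # of the QR code restores the second factor after a wipe.
    now = int(time.time())
    print("install A:", totp(RFC_SECRET, now))
    print("install B:", totp(RFC_SECRET, now))
    print("server accepts:", verify_totp(RFC_SECRET, totp(RFC_SECRET, now), now))
```

The flip side of the same property: the secret needs the same protection as a password, because anyone holding the QR code or the base32 string can mint valid codes, and the service you enrolled with holds a copy too. The `window` parameter is the usual allowance for phone and server clocks disagreeing by a step.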
Re: 2 Factor Authenticate or Bust
The problem with 2 factor authentication is that you need to trust a third party with some sort of sensitive information. That’s a no-go for me.
My preferred method is to use randomly generated passwords that get changed very frequently and to use a password keeper to keep track of them.
Secret decoder ring
Myself, I like passwords from 2000-year-dead languages that are only relevant to myself, unguessable, and seeded with non-alphabetic characters. The chances of them being broken in a period shorter than that via a brute-force attack are low. However, they are easy for me to remember, and the only way that they can be captured is if my system has had a key-logger installed that I don’t know about. Given that all of my systems are not Windows-based, and have serious major anti-malware software and LAN hardware firewalls installed, the chances of that are pretty low…
Re: Secret decoder ring
Since I’m using LastPass, even a keylogger wouldn’t get my passwords. I don’t even know any of them, I just let LastPass generate as long a password as they’ll let me with as many character classes as possible, then I move on with my life knowing I won’t have to remember it.
Re: Re: Secret decoder ring
God bless LastPass indeed. I even log into computers I don’t trust with those one use master passwords! And it has multi-factor authentication too. I’m using Google Authenticator and I’m thinking of getting a Yubikey too. Password issues are a problem of the past.
Re: Secret decoder ring
Either you can calculate a min entropy, or you can’t.
No need to remember anything
Re: No need to remember anything
Did you notice that the card can be “regenerated” from a 16-hexadecimal digit identifier?
Further, the sample card has 8 rows and 29 columns. Then there are four cardinal and four intercardinal directions from any starting position.
Re: No need to remember anything
Good lord, that thing seems like the worst of all worlds.
Re: Re: No need to remember anything
Well, on the surface, the (16*2^4) identifier space indicates that the sequences on the card are generated by some rule.
How would you backdoor the card-generation rule so that the 8 row * 29 column starting position loses some of its surprisal?
Since I always forget my password, I write it in my notepad with date.
with your social security number and signature, too???
hee hee hee
i’ll mention again my ‘system’ for NON-CRITICAL passwords:
make a prefix (say, 3f) make a suffix (say, u9), then take the website ‘name’ (or organization, or whatever) and append those…
so, if this were for techdirt “3ftechdirtu9”…
works for me…
(AGAIN, NON-CRITICAL sites, for ‘real’ important sites, i use the random type stuff that is written down in my little black book…)
I have an index card for each site I have a password for (a real paper one, not digital). I store them in a most unlikely place. Where they’re stored is written in a letter and kept with my will. That’s for my 2 girls (hopefully, long into the future).
Unfortunately, it does mean I have to remember them but then, I don’t have passwords for hundreds of sites either. I have only a dozen sites I use regularly where I need a password.
I don’t sign up for membership and a lot of random sites. If you can’t read or visit a site without signing up, I’ll find somewhere else to get the information I need.
When it gets to the point that I can’t remember a dozen or so passwords, I’ll turn in my computer.
I tend to use a handful for the serious stuff. For banks I use a generated high entropy password of maximum allowable length. Really, I’d prefer it if my bank account could be set to operate on public private key pairs SSH-style.
My bank recently introduced fingerprints for physical use (i.e. ATMs) and it has a Google Auth-style authentication method for online banking. I can use an independent code generator, my phone or receive an SMS with the code. I’m not quite comfortable with fingerprints though; the palm scanner another bank introduced seems much more secure for physical interactions.
Too many sites where security is not necessary
Bank, Professional society, the place I post my original writing: Strong password required.
The huge number of websites where I need a password login to read articles or download a technical manual: Nope.
We talk so frequently about password strength and a requirement for uniqueness. We never seem to address the proliferation of useless security. I really don’t care if someone guesses my password and uses it to download extra copies of a technical manual. Most of those login systems are only in place to ensure the vendor has an email address for solicitation purposes anyway.
Re: Too many sites where security is not necessary
You’re correct that tech manual sites shouldn’t need a name and password, but this is exactly where security fails. Too many people will simply use their usual password so they don’t have to remember yet another password for yet another site.
Then hackers get into the tech manual site because it’s not very secure. Come on, who would want to break into a tech manual site? They don’t even store people’s credit card information.
Yet once the hackers have the password, they can try it against the larger sites like Facebook, Amazon, or iTunes. And if any of the passwords match, the hackers have complete control of the account.
I admit, I do have my passwords in a text document. The document is itself protected by a password and is not stored on my computer. It is instead stored on an old smartphone that is permanently disconnected from Wifi and is charged by a USB cable that plugs only into a charge socket, not into a computing device. The phone itself is encrypted.
that’s pretty damn secure … and not a little paranoid!
Check out Steve Gibson’s article on generating passwords that are memorable and hard to guess: https://www.grc.com/haystack.htm
my password manager password shows the following results for “crackability” using his tool and it’s easy to remember, a pain in the ass to type, but easy to remember.
Couple your approach to storing passwords with his approach to generating memorable passwords and you’re almost unhackable.
Re: Re: Re:
Brute Force Search Space Analysis:
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 26 characters
Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password’s length) 2,663,234,997,260,162,
Search Space Size (as a power of 10): 2.66 x 10^51
Time Required to Exhaustively Search this Password’s Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 8.47 hundred trillion trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 8.47 million trillion trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 8.47 thousand trillion trillion centuries
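To put numbers behind both the entropy table in the “Longer Is Better Than More Characters” comment and the search-space figures pasted above, here is an added calculator, not code from the commenters or from GRC’s haystack page. It reproduces the bit counts quoted in that comment and the 95-symbol, 26-character search space above, and adds a helper that answers how many lowercase letters it takes to match a shorter password drawn from the full printable alphabet. The 365-day century and the passphrase word-list sizes are assumptions made for illustration.

```python
import math

# Assumption for converting seconds to centuries: 365-day years.
CENTURY_SECONDS = 100 * 365 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly at random from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def search_space(alphabet_size: int, max_length: int) -> int:
    """Exact count of every password of length 1..max_length over the alphabet
    (the haystack's 'up to this password's length' convention)."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def centuries_to_search(space: int, guesses_per_second: float) -> float:
    """Time to try the whole space at a fixed guess rate, in centuries."""
    return space / guesses_per_second / CENTURY_SECONDS


def length_to_match(bits: float, alphabet_size: int) -> int:
    """Smallest length over `alphabet_size` that reaches at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # The commenter's four cases, plus 8 characters over all 95 printables.
    for alphabet, n in ((26, 8), (62, 8), (26, 10), (26, 12), (95, 8)):
        print(f"{n:2d} random chars over {alphabet:2d} symbols: {entropy_bits(alphabet, n):.1f} bits")
    print("lowercase length needed to match 8 chars over 95 symbols:",
          length_to_match(entropy_bits(95, 8), 26))
    # Passphrases: 4 words from a 2048-word list and from a 7776-word
    # diceware-style list; both list sizes are assumptions for illustration.
    print(f"4 random words from 2048: {entropy_bits(2048, 4):.1f} bits; "
          f"from 7776: {entropy_bits(7776, 4):.1f} bits")
    # The pasted haystack figures: 95 symbols, up to 26 characters.
    space = search_space(95, 26)
    print(f"95-symbol alphabet, up to 26 chars: {space:,} ({space:.2e}), {math.log2(space):.1f} bits")
    for label, rate in (("online, 1e3/s", 1e3), ("offline fast, 1e11/s", 1e11),
                        ("cracking array, 1e14/s", 1e14)):
        print(f"  {label}: {centuries_to_search(space, rate):.2e} centuries")
```

The bit counts come out as the commenter stated them, the count matches the 2.66 x 10^51 pasted above, and the century figures land within about half a percent of GRC’s (the difference is the century length assumed). Every function here assumes the password was drawn uniformly at random, which is exactly the catch in the follow-up question below: a dictionary word, a keyboard walk or a site-name-plus-suffix scheme has nothing like n·log2(alphabet) bits, however long it is.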
Re: Re: Re: Re:
When is it acceptable to calculate statistics for one distribution—and then to assume that those statistics are meaningful for a different distribution?
Extra credit: When is min entropy less than Shannon entropy?
And make sure that the page you are entering your password on is https. Up until about 3 years ago, Facebook’s login page wasn’t.
And make sure that the TLS certificate that your browser accepts is the expected one—chaining up to a trusted root CA.
Dilbert: Tour of Accounting
xkcd: Random Number