Security

The great debate on strong passwords: xkcd weighs in

The xkcd web comic offers a humorous snapshot of the value of security advice about password strength over the years. This might be a good one to pin up in your office.

Getting users to use strong passwords or password managers is like pulling teeth, and then as security admins, you have to deal with the other side, which is users wanting to write their passwords down and store them insecurely or forget them and request resets continually.

The arguments about how best to deal with password selection have been debated thoroughly in these forums, with Chad Perrin insisting on the need for strong, unique passwords despite some calls from other security researchers who take the counter-intuitive stand that since users often reject burdensome security advice, it will only weaken security -- as in a report described by Michael Kassner.

This cartoon from xkcd really does a good job of illustrating the conundrum:

Debating password strength

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

42 comments
oldbaritone
oldbaritone

How about "Mr. John Doe, Executive VP, The ABC Company Inc., 123 Main St., Anytown, AK, 99876, U.S.A. (800) 555-1212" Guessable is only so-so, because of the combinations of punctuation, special characters and spaces, and includes consecutive punctuation characters. Easy to remember? Shouldn't be a problem. It's a 125-character string. Have a ball trying to crack that, and a dictionary attack won't help.

dave the IT guy
dave the IT guy

We are all geeks sitting around talking about algorithms and rainbow tables while the users that we all support have not even the slightest clue what we are talking about. Most of the users that most of us spend time supporting could NOT CARE LESS about creating 16 character mixed-cased alphanumeric passwords that include special characters. The point of the cartoon is that we (sys admins) are constantly pushing people to use more complex and difficult passwords that are harder and harder for people to use. It forces people to write their passwords down on sticky notes that the put under their keyboards or worse - attach to the frames of their monitors. We need to find a way to secure our systems without alienating our users. I think that the best option like uaamf@... said is a fixed number time out. Once a password has been tried X number of times, the account becomes locked and even the correct password will no longer work. Most places do this with corporate domain accounts anyway.

uaamf
uaamf

So if the passwords are so easily cracked, then why not have 6 failure time out? A simple math problem before each log in would also make the cracking process take too long to bother with. How am I wrong about this?

Dr_Zinj
Dr_Zinj

those who have been hacked, and those who are going to be hacked. Back up your data, frequently and regularly. Test your restores. Make workable plans for when, not if, you are hacked. And do a live test of those plans once a year minimum.

BandwidthBandit
BandwidthBandit

We are evaluating a password system that is being used by several banks now. It presents you with a grid of different types of pictures. You choose your password as four different types of pictures (space, dogs, food, etc.) Each time you login it presents different pictures in these categories with a different corresponding letter each time you login. The password letters you enter change each time you login, as do the pictures that are presented. It is not possible to keylog or shoulder surf. Check http://www.supersatellite.com/2008/01/30/secure-openid-with-myvidoop/ for a better description of how it works. Because it is picture based, people don't forget their passwords, which is the main reason we are looking into it. Dealing with forgotten passwords costs a lot of money.

acmp
acmp

Is the threat to you domain admin password the people in your organisation who want to mess with their computer and gain extra access? In this case you are vulnerable to 'shoulder surfing' where they simply watch you type in your password. Any real word, even with a bit of substitution is easy to remember, even if it isn't seen in it's entirety. In this situation it may be best to use psudo pronounceable non words, almost random collections of letters, with substitutions that can be spoken but aren't words. Bat1po!e for example. Because of how we see words it is easy to say and remember this password, but if you see it typed your brain will look for the pattern match to a word it already knows, and there isn't one so you can't remember it. There are plenty of code examples on how to generate these, I have a web page on my intranet that genrates them of varying lengths as required.

Vitreketren
Vitreketren

While I agree that length does add to complexity, it is still capable of being brute-forced. Rainbow tables are your friends, as are dictionary programs. This also applies to other languages. I think that the better method may come from using an easy to remember set of words, that include special characters and upper and lower case words. For example the phrase QuietlyPack5BatteriesLeftoverature! complies to the password requirements and also is simple to remember and harder for an attacker to gain access to.

paul
paul

Steve Gibson, the writer of 'SpinRite' has a comprehensive article on passwords posted on the Gibson Research Corporation website at https://www.grc.com/haystack.htm This totally changed my password generation methodology and I now use strong passwords that are different for every site visited, totally different each time, and EASY to remember!

mhaley1156
mhaley1156

Who needs to remember anything. Set 'em up and let Keypass knock 'em down. Free, easy to use and highly secure.

bboyd
bboyd

Even with dictionary tuning brute force is not your worry. First running overnight on a single PC CPU randomly guessing is not how its done except by the most rudimentary attackers. Using parallel optimized graphics card processing and precomputed rainbow tables is several orders of magnitude faster and unless you generate long and complex passwords they will fail if the attacker can get access via a method that allows remote extraction. The next step up uses distributed processing to share out the attack load on many computers, all still using method far better than simple CPU driven brute force. This can also be used to mitigate the limited attempts defense especially if the attacker does not care which account he compromises. I'll quote a security company... "password auditing tool includes pre-computed password tables containing trillions of password hashes that have been computed in advance of the password auditing and recovery process. Trillions. Thats right, Trillions. A strong, humanly generated 8 character password consisting of a few upper and lower case letters, a couple of numbers and a special character or two approaches approximately only 100 billion combinations. Simply put, running a password auditing tool to decode a humanly generated passwords hash is as fast and automated an exercise as spell checking an email."

Murfski-19971052791951115876031193613182
Murfski-19971052791951115876031193613182

One that works for me is a password based on a vulgarism in either German, Spanish, or Russian. This gets rid of the dictionary approach, or at least increases the difficulty level. Then I'll substitute characters, like "5" for "S", and vary the capitalization. This gives me pretty strong passwords, which are also easy to remember -- at least for me.

PurpleSkys
PurpleSkys

where i work, we have to change our passwords every 3 months. I stick the same rule of thumb that my sys.admin. husband taught me...a combination of letters, capital letter, numbers and special characters. One day, just to test our passwords, he "aquired" a password crack program and ran it on our machines...he let it run over night and into the next day before he just gave up and turned it off. Needless to say, it didn't break our passwords.

AmandaJCorbett
AmandaJCorbett

We and some of our clients are using 2FA to access remote systems, which almost makes this argument moot, because it contains a password that is easy to remember for a user, followed by a string of 7 random characters which changes at each log on.

dragon1947
dragon1947

I use 10 numbers and letters mix, some sites you are limited to what you can use. I use a pas work keeper which is a life saver, I have see people use pets names childrens names, and so on. hard to get people to us a good strong password.

Animal13
Animal13

I've had my password hacked a couple of times but it has not been because someone guessed it but more likely that I entered it into a phishing site. The difficulty I run into is that everyone from the government to my supermarket requires a password. I figure I have on the order of 150 places I visit from the apple store to my ISP that have a username that's my email address and a password. Although I have a fairly strong password, I enter it dozens of times a day so am very susceptible to key loggers, etc. The first sign that there is a problem is that my friends get emails pointing them to porn sites. Then I rush out and change my password everywhere. I think the whole system is suspect untill someone invents a pocket biometric device that I can plug into any computer I use that verifies my identity and logs me in to wherever.

Spitfire_Sysop
Spitfire_Sysop

First I want to point out that you are sometimes limited by the system you type this password in to and you may not be readily aware of it's limitation due to different possible configurations. You may be limited to 8 characters so you type in "correct horse battery staple" but the password is actually saved as "correct ". Some systems are limited to 12, 14, 26, 28 or 32. Using a 28 character password is great but I have been told not to use dictionary words like this. The calculation for entropy here is should be based on the number of possibilities for one character times 28 and a computer character has an entropy of about 6+/-. So the entropy of a 28 character password should be 168. If the cracker throws the dictionary at you then we are talking about the number of english word combinations that fit within 28 characters which would be harder to calculate but let's say it's much less, maybe 44? Except the cracker doesn't know how long your password is, unless there is a known limit to your system. Ex: every password under 32 characters. In the end, we should stop having this discussion and use more secure systems. A maximum number of attempts makes this agrument null. If the cracker gets your hash then he can run it through a super computer equipped with rainbow tables and it doesn't really matter what your password is. Pick something strange. Change it often. You only have control over certain things. Try not to worry so much.

Spitfire_Sysop
Spitfire_Sysop

It's a good idea if: A) You aren't actually using your own address and B) That the application can accept a password that long.

Neon Samurai
Neon Samurai

Since this is a password that could be in use anywhere, we can say that limited attempt policies are already in place. Your work machine should lock you out after so many failed attempts until you call your IT support folks. Another method is to insert a delay on a wrong password; an extra ten seconds per failed password makes brute force take much longer (more time to recognize it in the system logs). They problem comes up when systems don't provide a limit or when the authentication system is cercomvented. If you've enough users, you'll have user lockouts and will now spend time resetting accounts. For a big business, this can be costly. For a popular website, the number of visitors may dwarf the staff headcount in a big business. Worse still, what do you do when the authentication isn't in the mix; nothing limiting the password attempts. It's not just about what an attacker guesses at the login prompt but what they can get out of the password file once back in there own lab. Sadly, the real problem is the password itself. It remains the most flexible, affordable and accurate authentication method even with all it's other short-comings. We may well be stuck until we replace it with a different one or two part method that doesn't involve human known passwords at all. Until then.. the password manager is really what most people should be looking at.

Spitfire_Sysop
Spitfire_Sysop

but not the end. You certainly need to limit input. However, if I capture some packets of you logging on to something (say, over wifi) then I have the hash of your password. Unless the hash itself is encrypted further I could potentially perform an offline brute-force attack. I calculate hashes until the outcome matches your communication. This is where things like IPSEC, SSL and salt come in. Certainly we want to avoid the possiblity of an offline attack so that we can effectively limit the number of guesses.

Neon Samurai
Neon Samurai

Those who understand binary and those who don't.

Neon Samurai
Neon Samurai

I like to check the currently available rainbow table sets for available lenth/complexity. if I can download or buy my complexity and length, one of those variables needs to increase. Last I looked, rainbow tables in upper/lower/num/sym are in the 1-8 character length but it's almost about time to look again. Remember if it's a salted password, our attacker is going to have to generate custom rainbow tables agains the correct salt value. "Administrator" is out there already but non-standard user names should be good. Thankfully, generating rainbow tables is not simply a "select the pulldown option you want and press the start button".

DT2
DT2

How does a password management system work when you access systems using multiple client devices, ie., PC, laptop, iPad, iPhone, Android?

Spitfire_Sysop
Spitfire_Sysop

This was my point. When using English words the time it takes to crack could be significantly faster than the theoretical math most people use to describe security. Even if it was random characters it could be cracked. This is why we must protect the hash and limit input. Once the hash is out you must change your password while they are cracking it. One-time passwords are good in this respect.

Neon Samurai
Neon Samurai

You may want to reconsider your letter/number substitutions. All the common one's are known and will be tried in a cracking attempt. S/5, 0/O, 1/l/I, 3/e.. a hybrid attack will test them. the character substatution does help though if you can come up with memorable uncommon substitutions.

Neon Samurai
Neon Samurai

There are lots of lagitimate reasons to use password cracking software especially testing one's own owned systems so no worries about "obtaining" from unknown sources.. er.. unless it was something that interesting.. :D 90 days seems to be the standard when finding balance between memorizing new passwords and when they change. Personally I prefer to use cracking speeds as a basis; if takes 30 days to crack my current min password policy then the "time to change" becomes 30 rather than 90 days. But, try telling an office full of users to choose and remember a new password every month.. not going to happen though it's probably a better method than the "best practice" agreement of 90 days. In either case.. good on you.. one can't know what to improve if they don't break into there own system to test.

NZJester
NZJester

@PurpleSkys As computer are getting faster and faster it is getting easier and easier to crack passwords. They need to add more two step login processes to most sites to help protect you. There are apparently password crackers that take advantage of the power of the new more powerful GPU chips in most computer to crack in a few hours what would take a few days on a CPU.

learn4ever
learn4ever

You work in IT and you were hoaxed into entering a password into a phishing site? I've been using computers since 1987 and have NEVER had a password hacked. I'm no brainiak, just cautious. And I do have about a dozen passwords I use regularly.

spdragoo
spdragoo

Take, for example, the password combination used in the cartoon. Assuming the hacker manages to figure out which 4 words make up the password, he still has to try 24 separate combinations, since "correcthorsebatterystaple" is *not* the same as "horsebatterycorrectstaple"; the same 4 words are used in the password, but changing their order produces a new, unique combination. And again, the 24 attempts requires the hacker to know the exact words involved *and* the number of words that were combined into the password. Even if the hacker knew that some users created passwords by combining dictionary words, he'd have to: 1) Determine if the passworld field has a minimum & maximum, or is of a fixed length; 2) Generate a list of the thousands, if not millions, of words in the dictionary that eliminates words longer than the maximum password field length; 3) *Guess* at how many separate words were combined into the password, and determine the minimum and maximum word sizes that will fit the criteria. For example, if the password field has a maximum size of 28 characters, then you can eliminate any words longer than 26 characters (since the 2nd word can have no more than 2 characters in it)... at least for 2-word combinations. For 3-word combinations, however, the maximum size per word may decrease to 24 characters, but the possible order placement for each word increased from 2 to 3 spots. From a sample perspective, ignoring any limitations on field size, & assuming that each list of potential word candidates from the dictionary was limited to 100 words, the total possible combinations for all permutations of 1-word to 14-word combinations comes to just over 1.0101e28 combinations. At xkcd's estimate of 1,000 attempts per second, that would take 320,081.695 trillion years to run through all of them... or a whole lot more time than we have before the Sun will die.

wendygoerl
wendygoerl

OK, so you may blunder once or twice stumbling around the keyboard before you get your password right. Some people will try a password five or even ten times before considering they might have the wrong one. I doubt anyone will sit and try, say, 100 times before asking somebody why they can't get in. Given that they've probably slowed down after the first five attempts and are now typing k.e.y..b.y..k.e.y, 100 attempts would be 10-30 minutes. A user's probably going to ask for help before that, and probably not even realize a time-out exists. It's a ridiculously large number for legitimate user attempts, but challengingly small for a brute force attempt.

Neon Samurai
Neon Samurai

.. so that's one person that doesn't understand binary. :D

Neon Samurai
Neon Samurai

I'm simply suggesting one not put too much faith in password strength because they've used four words instead of four characters. If running bruteforce by character, "ABCD" is a four character password. If running bruteforce by word, "thebrowndog" is a three character password. This is a method that feels more safe than the actual safety it provides. I think this is a much more interesting aproach which remains memorable while increasing length while remaining completely customized to the user: https://www.grc.com/haystack.htm Though, I'd be interested in the other infosec nerd's peer review of haystacks.

Murfski-19971052791951115876031193613182
Murfski-19971052791951115876031193613182

I do avoid the common substitutions, at least most of the time. I've found that my mind links things in odd ways, so what seems a logical link or substitution to me is out in left field to others. The big problem with using Russian is that most password functions won't let you use Cyrillic characters.

PurpleSkys
PurpleSkys

on our home computers..believe me, these are not your average computers. The ones we have at home out-weigh the one either of us has at work. He keeps on top of whats new in the world of pc security, I have faith. :)

Neon Samurai
Neon Samurai

ABCY, correcthorsebatterystaple; both are four character passwords. In the first case, you are trying by character. In the second case, the word is the character. You ened an alphabet in the first case and a word dictionary file in the second. Otherwise, not really any difference. But, the comic does a fantastic job of illustrating how we've over-comlpicated passwords to the point that they can actually detract from the effectiveness of password authentication. It's not meant to be accurate in every technical detail but accurate in it's social commentary.

jos.paglia
jos.paglia

...there are 10 types of people in the word. ;)

Neon Samurai
Neon Samurai

Banks. If you really want me to follow you down this unrelated tangent. They limit password length to foolishly short (mitigated only through attempt limit lockouts). But.. that's not the point. I'm not saying Bob down the street uses a five character password. I'm saying that brute force of a five letter password by character is not significantly different from brute force of a five word password by word. The comic's example of "correcthorsebatterystaple". To go right back to the beginning of the topic; "ABCD", a four character password (1 "character" = 1 letter), is not significantly different than "correcthorsebatterystaple", a four character password (1 "character" = 1 word). My post was focusing on the "character" length of the password and suggestion that one not put too much trust in what is essentailly a limited "character" unmixed case password. It was simply this; five characters and five words are the same length when compared to a character and word based dictionary. If you go back to the beggining, I start from the commic's suggestion that "correcthorsestaplebattery" is any more complex than "chsb". If the hash can be obtained than login atempt limits become irrelevant so I'd absolutely agree that attempt limits are required as is focus on protecting the hash values. However, these both fall outside the user's control; as a customer, I can't go re-code my bank's website for them. Password selection is within the control of the end user though. With how hosted services have been shown to store passwords and managing authentication. It really is up to the user to become responsible about password selection; what if login limits are negated and hash values are publicly accessible.. what does the user do? Oh.. I know.. pick something stronger than a four word-character password or better yet, use a password manager so they can remember one good strong password accessing multiple good strong and unmemorable pass-codes. (I'd love to see the rainbow table with 95 character set by 1-20 character length sets generated.) Offhand, what are your thoughts on the password haystack method I dropped links for twice above? Increased entropy with minimized complexity still achieving high strenght far as I can tell but I'm curious if other's see weaknesses in the aproach.

Spitfire_Sysop
Spitfire_Sysop

Who uses a five character password besides your straw man? I don't remember that ever coming up in this discussion. Your reply also has nothing to do with my post which was about protecting the hash, limiting input and one-time passwords. If you put these things together then password strength becomes largely irrelevant.

AnsuGisalas
AnsuGisalas

"suckonthisscriptkiddies" is a bad password too? How about "4dumbl1ttl3scr1ptk1dd13sw3ntt0m4rk3t"?

seanferd
seanferd

consider the givens of the post to which Neon is replying. Assuming the hacker manages to figure out which 4 words make up the password, he still has to try 24 separate combinations, since "correcthorsebatterystaple" is *not* the same as "horsebatterycorrectstaple"; the same 4 words are used in the password, but changing their order produces a new, unique combination.

bboyd
bboyd

Yes its more complex than ABCD but in an algorithmic sense the computation is not nearly as deep. 4 uppercase letters 26^4 = 4.6E+05 12 uppercase letters 26^12 =9.5E+16 Dictionary 30,000^4 = 1.6E+17

Spitfire_Sysop
Spitfire_Sysop

There are 26 possibilities for a letter and less than 128 possible characters that most systems will accept as input. You are comparing four characters to the number of words in a dictionary that fit within 28 characters? Perhaps I misunderstood you because this makes no sense at all.