The other option for users when faced with a security overload on an application is that they will simply stop using it. If it's not necessary for work and it's too much hassle, forget it!
I like the idea of using an app as a second authenticating factor if it is offered as an alternative to a token. Cheaper to administer and one less thing to carry around for the customer, a win-win if ever there was one.
Given the choice of a seven-character case-sensitive or an eight-character case-less password (which I assume would be roughly the same security level), I would go for the eight-character every time. One character extra is no great hardship on a standard keyboard but the case-insensitivity is a huge convenience on a smartphone touch screen.
Do I need a 16 character, upper, lower, number special character password to play a game? If my credit card number is attached, probably. If the biggest thing I would lose is my collection of weapons, probably not.

I have dropped online services because the password requirements were, in my mind, excessive.

Now, I really do have a problem with sites/services that have complex password requirements but don't tell you about them until the error message pops up. Some then pop a second one because the first error was "passwords must have at least one upper and one lower case letter" and the second error is "passwords must include a number." Dude, tell me ahead of time, your competitor does.
All external passwords can be crazy long/complex. My Steam account.. crazy long and complex while completely convenient once installed. I assume WoW's client also stores credentials locally (let's hope in a hashed form though).

In my case, I've considered dropping services that imposed too weak a password: limited to eight or fewer characters, no symbols.. bah..

With a good password manager, you can have the best of both; convenience and security.
... since the "correct horse battery staple" comic was posted on xkcd.com. While I agree with the basic premise - a 25 character all-lowercase password is more resistant to attack than an 8 character "fully complex" password - there is a flaw in the logic.

As in the xkcd example, humans tend to choose whole words instead of just random alpha characters. That significantly reduces the complexity. There are about 600,000 English words, but the typical native English speaker only learns about 20,000 (there are a lot of words like syzygy and medical terms). We only use about 2,000 unique words in the typical week. So...
1. Assume attacker suspects an all lowercase password may be in use.
2. Assume attacker has access to unsalted hash of the password (such as recent breaches at LinkedIn, eHarmony, Last.FM, etc) for offline attack.
3. Assume user selected 4 words, all lowercase.
4. Number of likely passwords = 2,000^4 = 16,000,000,000,000. At first glance, that looks suitably complex.
5. A password cracker like oclHashcat-Plus can run through over 3,263,000,000 SHA1 hashes per second on a PC with a single AMD hd6990 videocard.
6. That single PC could calculate every possible 4-word combination (assuming 2k different words) in about an hour and 22 minutes. Even if the list is expanded out to 20,000 words instead of 2,000, an attack is still possible because of...
7. Distributed computing. An attacker can split that workload over something like an EC2 cloud (using stolen credit cards to pay for it, no doubt) or a botnet. Let's assume a botnet of 40,000 computers (fairly small by botnet standards) that are on only 6 hours/day and have GPUs that on average are only 1/4 as efficient at cracking as the hd6990 (it may be a year and a half old, but the hd6990 is still a high-end card).
8. Check my math, but I'm calculating the hypothetical botnet could smash a SHA1 hash created from 4 common lowercase words picked from a 20,000 word dictionary in about 5hrs 30min. Those using just the most common 2k words would fall in under 2 seconds (not accounting for network latency, etc).

What am I trying to get at? Users should definitely increase password length, but patterns - ANY PREDICTABLE PATTERN - significantly decrease password entropy. If you're going to have patterns in there, compensate by making it long as hell. I understand I'm a paranoid bastard, but my domain admin passphrase is 30+ characters with some unlikely capitalization and numbers/symbols. You can't Google for it, it isn't grammatically correct, and it changes to something completely unrelated on a regular basis. I will admit to using some full words in it; I fully understand that entropy isn't ideal due to various tendencies (in English a "t" has a high probability of being followed by an "h", nouns commonly come before verbs) but with 30+ characters plus "some" complexity insertion brute force is no longer a viable tactic. The passphrase is mostly comprehensible, so I can type it pretty quickly - definitely faster than an 8-character randomly generated password. An attacker is much more likely to gain access from a keystroke logger, software vulnerability... or just whacking me repeatedly with a $5 wrench until I tell them the password. http://xkcd.com/538/
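The keyspace and time-to-exhaust arithmetic in the comment above, as an added example (not part of the thread): it takes the commenter's figures (2,000 or 20,000 word dictionaries, four words, 3,263,000,000 SHA1/s on one HD 6990, a 40,000-node botnet at 1/4 efficiency online 6 hours a day) as constructed inputs, converts each keyspace to bits of guessing entropy, and compares it against an 8-character random password over the 95 printable ASCII characters. The botnet sizing and the 95-character alphabet are assumptions, not something the page measures.

```python
import math

# Figures quoted in the comment above (single AMD HD 6990 running oclHashcat-Plus);
# the botnet sizing is the commenter's hypothetical, restated here as constructed inputs.
GPU_SHA1_RATE = 3_263_000_000          # unsalted SHA1 candidates per second
BOTNET_NODES = 40_000
BOTNET_NODE_EFFICIENCY = 0.25          # each bot averages 1/4 of an HD 6990
BOTNET_UPTIME = 6 / 24                 # bots are online 6 hours per day


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Candidates when each word is drawn uniformly from a fixed dictionary."""
    return dictionary_size ** words


def charset_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a random password over a fixed character set."""
    return alphabet_size ** length


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy in bits, assuming uniform choice within the keyspace."""
    return math.log2(keyspace)


def botnet_rate(nodes: int, node_efficiency: float, single_gpu_rate: float) -> float:
    """Aggregate hash rate of a botnet whose bots are slower than the reference GPU."""
    return nodes * node_efficiency * single_gpu_rate


def wall_clock_seconds(keyspace: int, rate: float, uptime_fraction: float = 1.0) -> float:
    """Elapsed time to exhaust the keyspace when the attacker's hardware is only
    available a fraction of the day (pure compute time divided by availability)."""
    return keyspace / rate / uptime_fraction


def fmt_duration(seconds: float) -> str:
    """Human-readable h/m/s string for a duration."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h}h {m}m {s}s"


if __name__ == "__main__":
    net = botnet_rate(BOTNET_NODES, BOTNET_NODE_EFFICIENCY, GPU_SHA1_RATE)
    for label, space in [("4 words / 2,000-word list", passphrase_keyspace(2_000, 4)),
                         ("4 words / 20,000-word list", passphrase_keyspace(20_000, 4)),
                         ("8 random printable ASCII chars", charset_keyspace(95, 8))]:
        print(f"{label}: {entropy_bits(space):.1f} bits; one HD 6990: "
              f"{fmt_duration(wall_clock_seconds(space, GPU_SHA1_RATE))}; "
              f"botnet: {fmt_duration(wall_clock_seconds(space, net, BOTNET_UPTIME))}")
```

The 20,000-word case lands at about 57 bits, above the 8-character random password's roughly 52.6 bits, while the 2,000-word case is under 44 bits; the entire difference is the dictionary the user actually draws from, which is the comment's point.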