Announcement

Collapse
No announcement yet.

Conventional wisdom on password security is wrong.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Conventional wisdom on password security is wrong.

    I'm sure you've all heard it, and even get tired of hearing it: Password needs to be at least 8 characters, must have at least one number, mixed case, and a symbol.

    This isn't a bad practice, but isn't a good one either. If you're like me, you get annoyed with hearing this, and in fact want simpler passwords for convenience (it's a pain to use the shift key and numbers in such short sequence repeatedly each day, isn't it?)

    Well you can have your cake and eat it too. Some say passwords shouldn't be easy to memorize, but they're wrong. There is a better way. First, let me point you to this:

    xkcd: Password Strength

    Now I'm going to elaborate on why.

    I've heard an argument that all one has to do is throw dictionary words at it. Well, some estimates put the English language at 1 million words. (Source: Number of Words in the English Language: 1,013,913 | The Global Language Monitor ) But, let's say you reduced that down to the 10,000 most common words, and you used four of them. That is 10,000^4, or 100 pentillion. Let's put that into perspective:

    I did a test on my machine using my GPU (Radeon 7850 OC) to crack AES128 keys. It was able to go through roughly 5,000 iterations per second. Let's suppose that the NSA had some super advanced computer that could do 10,000 times what mine can do (a compute cluster of that capability doesn't exist to my knowledge, but let's suppose it does anyways) so say 50 million passwords per second.

    100 pentillion divided by 50 million is 200 million seconds. Divide that by 60, by 60 again, then by 24, then by 365. That means it would take 6 years to break your password with a compute cluster that at this point is only theoretical. By the time 6 years passes by, the information they wanted to glean from you could very well be useless, meanwhile that compute cluster could have gone towards something more important.

    Now that is a very optimistic number, by the way. What if you used a less common word? Or used deliberate bad grammar or bad spelling? Or used a fifth word? That suddenly goes from 6 years to potentially billions of years. If the latest theory about the higgs boson is correct, the universe would end before the US department of homeland security, with its vast resources, would be able to crack your password.

    Then of course, there's always brute forcing your way by iterating through the letters of the alphabet in sequence. Well, assuming you used at least say 15 letters or so, that would take a lot longer. When I was testing this password cracking tool, I looked at the readme and one of the first things it said was that if the password has more than 7 or 8 unknown characters, you may as well forget about it unless you've got some serious money and time on your hands. Set it to 20 characters (my everyday use passwords are longer than that) and there's basically no chance.

    Just keep this in mind, and then at least your password won't be the weakest link:

    xkcd: Security
    Last edited by Cavalry; March 20, 2013, 07:01 PM.

  • #2
    Excellent analysis; since a lot of people speak at least two languages what about when you combine them??? something to take in consideration

    Comment


    • #3
      Exactly. There are a lot of things you can do that can make a password easy to memorize, easy to type, yet harder to crack.

      My hope is that one day more people will learn this, and web admins will start requiring longer passwords rather than complex ones. Length is by far the most important factor that you need to determine when it comes to password cracking.

      If you ever do end up becoming a site admin, keep these in mind: RSA1024 assymetric cipher, AES128 block cipher, SHA256 hash with a good salt. These are all proven industry standards. It shouldn't need to be said, but I've seen very high profile sites omit these, and when they are broken into the results are disastrous. Linkedin used unsalted SHA-1 for its password database, so hundreds of thousands of their users had their passwords exposed. Had they at least salted them, or had their users used longer passwords, there wouldn't be much cause for concern.
      Last edited by Cavalry; March 20, 2013, 07:08 PM.

      Comment


      • #4
        How to choose a strong password - simple tips for better security - YouTube

        Comment


        • #5
          The DHS would just request whatever they wanted from the service provider on which your account is located. Subpeona, court order, etc. In some cases they don't even need that to get the information.
          I find the password requirements have made things way more insecure. Because 1) I can't remember what I choose, and 2) I cannot type that shit easily on an iPhone.

          I use lastpass which is great, but doesn't work too well on iPhone (I tried the amazon kindle version and it sucked royally. Could not get it to work).
          I usually setup all my iPhone passwords when I'm on my laptop and can see in LastPass what I used. Hopefully I won't have to be required to type them again away from my laptop.

          I also keep a password list on my local harddrive for critical stuff. This is the insecure part that is an unintended consequence of sites requiring complex passwords.

          Comment


          • #6
            Having different passwords for every place is a good idea too. If one place gets compromised the others still remain secure.

            Comment


            • #7
              I love posts like this. Great info. I personally use an 18 character password that modifies based on a simple mathematical equation I run in my head based off the name of the site.

              So every website has a unique password, but I'm not forced to remember 100 different passes. I just know my base password and the equation to get the rest.

              As long as you set your process up right you'll en d up with a long password, with numbers and symbols, caps and lowercase and enough characters to ensure it will work everywhere and be very secure.

              Comment


              • #8
                nice post
                i use software to randomly generate and save a password for me, then i can have a different password for each site while only having to remember 1 password for the software. so far its done me good except when my database corrupt and was left not knowing a single password....it took ages backtracking trying to find out each password one by one:-S now i always back it up just in case it happens again!

                Comment


                • #9
                  2 words: Kee Pass. A program where you can save all your passwords (it's risky, yeah, I know, but to open your database you'll need a password, a file and/or a Windows account). You can create random passkeys with several numbers, symbols and letters, and when you want to log in a site, you just have to copy the password you saved and it's done!

                  I use it, because it's really easy to manage it. But if you accidentally delete it, you're going to have a bad time =P

                  Comment


                  • #10
                    A nice and relatively useless article.

                    When people have their online [whatever] hacked, it's rarely due to brute force cracking. Your password is more likely to be sniffed, whether it be local or on some router somewhere in cyberspace, or you're more likely to fall victim to a security hole of the site in question, or some related service provider to that site. Of course if you have an admin level account, that's a different ballpark all together.

                    When dealing with password security, the basics are:

                    #1: Avoid the most common passwords. Eg. password, 1234 and so on.
                    #2: Avoid words that are found in hacker dictionaries (most commonly used words in passwords)
                    #3 Use more than just words. Add numbers and characters if you insist on using a short password
                    #4 Use a long password. If you're worried about brute force hacking, just use a long, long, long password. That way it'll take more time for the massive collection of hacked zombie computers to brute force your password.

                    Comment


                    • #11
                      I use Last Pass for this. You can have a password for your chosen length (default is 12), use letters, numbers and symbols (you have to select this option in advanced settings) generated and saved with your user ID. On most occasions it will enter your ID and pass automatically, there are times it won't do this but they're few and far between. You even have the ability to order your sites into categories in your "vault". Not necessary to do this but it may come in handy.

                      Comment


                      • #12
                        Originally posted by utuxia View Post
                        The DHS would just request whatever they wanted from the service provider on which your account is located. Subpeona, court order, etc. In some cases they don't even need that to get the information.
                        I find the password requirements have made things way more insecure. Because 1) I can't remember what I choose, and 2) I cannot type that shit easily on an iPhone.

                        I use lastpass which is great, but doesn't work too well on iPhone (I tried the amazon kindle version and it sucked royally. Could not get it to work).
                        I usually setup all my iPhone passwords when I'm on my laptop and can see in LastPass what I used. Hopefully I won't have to be required to type them again away from my laptop.

                        I also keep a password list on my local harddrive for critical stuff. This is the insecure part that is an unintended consequence of sites requiring complex passwords.
                        I have to say that Lastpass is the best out there in my opinion, but I know it can get clingy on the Iphone, another option for IOS is KeyGrinder; is a free app that you can use to grind your password so lets say your usual password is pass123, if you put that in keygrinder and create the new password, you will get nrH9ZcVvG and is always going to be that pass when you put pass123 on the app. Just another option

                        Comment


                        • #13
                          Originally posted by utuxia View Post
                          The DHS would just request whatever they wanted from the service provider on which your account is located. Subpeona, court order, etc. In some cases they don't even need that to get the information.
                          This is absolutely true. There are a few ways to mitigate if not eliminate that entirely though. Take cloud storage for example; you can encrypt that data prior to it ever arriving on the cloud servers. Mega.co.nz does this in the most seamless way possible, namely because the ecmascript code that runs in your browser encrypts prior to sending to them. They never at any point ever have your password.

                          Also, certain US based VPN providers take advantage of the fact that in the US, there are no data retention laws, and I don't believe there ever will be any time soon because it would conflict with the constitution, unlike say Europe where data retention laws are common. One of these VPN providers is privateinternetaccess.

                          ---------- Post added at 04:59 PM ---------- Previous post was at 04:33 PM ----------

                          Originally posted by Wonder56901 View Post
                          A nice and relatively useless article.

                          When people have their online [whatever] hacked, it's rarely due to brute force cracking. Your password is more likely to be sniffed, whether it be local or on some router somewhere in
                          That would only happen if you fail to use SSL or use a dated application like telnet instead of SSH, ftp instead of sftp, etc. These use industry standard asymmetric encryption algorithms which are not vulnerable to man in the middle attacks.

                          However, if brute force attacks were never used, then there would be no purpose in using MD5/SHA1, AES, or 3DES. We may as well just stick to old school DES and CRC32.

                          Originally posted by Wonder56901 View Post
                          cyberspace, or you're more likely to fall victim to a security hole of the site in question, or some related service provider to that site. Of course if you have an admin level account, that's a different ballpark all together.
                          A breach of the service provider won't effect anything if you are using end to end encryption as I described above. This is the intent of asymmetric cryptography; we work under the assumption that anybody is able to monitor our traffic, and them being able to do so doesn't help them in any way. Now if they use an older style asymmetric encryption, say diffie hellman, that is susceptible to man in the middle, but not sniffing. However RSA and PGP are not susceptible to either of these attacks.

                          Now as far as a breach in the database, longer passwords will indeed go a long ways towards protecting you. If you recall when linkedin was broken into a few months ago, the database of all user credentials was leaked. Those credentials included usernames and SHA1 hashes of the passwords. Those who used weak passwords had their accounts exposed entirely, mainly through the use of rainbow tables. However those who used longer style passwords were completely immune to rainbow tables.

                          If you aren't familiar with the term, a rainbow table is a list of SHA1 hashes and their brute force generated source passwords. Rainbow tables are only going to be so large though due to the cost involved in storing them, so most rainbow tables won't hold any passwords longer than say 10 characters or so. If you use a 20 character password, chances are no rainbow table will ever hold it. There just aren't enough hard disks in the world to store that much data (the amount of data would be 26^20(160/8) or almost 300 trillion terabytes.) Naturally, those with longer passwords weren't susceptible to the linkedin breach. Still, linkedin could have done better by salting the passwords.

                          Originally posted by Wonder56901 View Post
                          When dealing with password security, the basics are:

                          #1: Avoid the most common passwords. Eg. password, 1234 and so on.
                          #2: Avoid words that are found in hacker dictionaries (most commonly used words in passwords)
                          #3 Use more than just words. Add numbers and characters if you insist on using a short password
                          A short password with numbers, cases, and symbols mixed in won't help much, if at all (in the case where a rainbow table is used, it offers zero protection.) As I said, password length is THE HIGHEST consideration in password cracking. Refer to the example I gave above. If I dedicated a month to brute force attacks against either an AES128 block or a SHA1 hash, I would be able to find your password. Sniffing your traffic would be sufficient to capturing AES encrypted data for use in doing a brute force attack against your password if you used symmetric cryptography.

                          DHS can and DOES get warrants to wiretap your internet connection, and it takes them much less time to crack passwords than it takes me. ICE therefore has that capability as well, and if you were a high profile target, they would do exactly that. NEVER assume that your traffic isn't sniffed. The assumption you are making above that you are only vulnerable if your traffic is sniffed is a very bad one to make. This is especially true if you are using wifi, public or not. Wifi is promiscuous in all modes. Even if you are on secure wifi, if somebody else is on the same network or vwlan as you, they can see anything you send across the network.

                          Originally posted by Wonder56901 View Post
                          #4 Use a long password. If you're worried about brute force hacking, just use a long, long, long password. That way it'll take more time for the massive collection of hacked zombie computers to brute force your password.
                          This is pretty much what I said, except I'm saying ONLY use long passwords.

                          In any scenario imaginable, your privacy protection is only as strong as its weakest link. What I'm explaining to you here is how to prevent your password from being that weakest link. Yes, there are always ways other than keys to break into things. However, I don't think a bank would have much credibility if it locked its vault with a piece of gum and said the security was good enough because they have an armed guard standing outside.
                          Last edited by Cavalry; March 21, 2013, 10:57 PM.

                          Comment


                          • #14
                            Avast has a program that creates passwords and secure them for you
                            sigpic

                            Raum shadowbuild extJSDB(For VIP) Copper TankGirl IguessNot KevinTrevor
                            Cafe gblaze ghost6945
                            Hyoksang
                            pejiotoPatriotlion GPaX HunTer666 MadafakinBATMAN
                            WhiteLie (For signature) MichaelJenkinsSportsFan23
                            and all the other members and friends (omg too many to add to list)

                            Comment


                            • #15
                              That would only happen if you fail to use SSL or use a dated application like telnet instead of SSH, ftp instead of sftp, etc. These use industry standard asymmetric encryption algorithms which are not vulnerable to man in the middle attacks.
                              In a perfect world, that may be true, however it's not always that simple. First, your computer may be the source of the problem, with having a virus or a trojan installed. Encryption isn't going to help you in this case. Second, with load balancing used more and more frequently in websites these days, and websites spanning larger areas, you can be vulnerable within the websites own infrastructure for man in the middle attacks. You don't have control over the destinations security.

                              However, if brute force attacks were never used, then there would be no purpose in using MD5/SHA1, AES, or 3DES. We may as well just stick to old school DES and CRC32.
                              I'm not saying they're not used, I'm saying that's the minority of breaches.

                              In any scenario imaginable, your privacy protection is only as strong as its weakest link.
                              Maybe I didn't explain it well enough. Passwords and your encryption is only part of the solution. Unfortunately, you don't have that much control to ensure you're protected.

                              I'll try to be clear here: Most security breaches aren't due to poor password choices. Most are due to other factors. Lacking protection on your local machine is how most bank accounts are cracked wide open. The passwords are obtained through nefarious programs sniffing on the local machine. Not through brute force cracking. In that situation, no amount of password length or complexity is going to help you. The other type of breach is at the server end, through hackers finding security breaches in web sites, protocols or associated services.

                              Keeping secure passwords is more for the false sense of security that you've done whatever you can do yourself.

                              That all said, I applaud you for writing this guide for password security.

                              Comment

                              Working...
                              X