
The Worst Password Tips

23 points | gnosis | 13 years ago | xato.net

78 comments

[+] jere|13 years ago|reply
>Better advice: Use a long password rather than a random password.

facepalm. You can't use both? I do. This is horrible advice if taken on face value. To be fair, the author mentions things like KeePass. Use that. Make very long, random passwords.

>See, when it comes to a brute force attack, entropy makes no difference at all, because a brute force attack is a sequential attempt at every possible password, starting with the shortest first.

I think this is the biggest misconception regarding passwords. If we're using the phrase "brute force" literally, then yes. But if I were to write a cracker, I wouldn't be limited to that. The first thing it would do is grab the low hanging fruit. Examples:

1. Regarding the post, check all variations of a single digit repeating (say up to 100 times) in 1000 attempts. That's faster than I could check all variations of 2 character alphabetic passwords.

2. Check the same thing, but with all common keys on a keyboard layout (e.g. $$$$$$): < 10,000 attempts

3. Check common words in english dictionary: ~100,000 attempts

4. Check 10,000 most commonly used passwords: 10,000 attempts

Let me stop here and say that I can check ALL of the above in less time than it would take to check all variations of 3 characters using alpha, numeric, and common special characters. To put it another way, I could grab all that low hanging fruit in a billionth the time it would take to grab all the passwords in the "weak" format (8 random characters) given by the author.

What I have come up with above is my armchair ramblings. For some people, it is THEIR JOB to break your password. Please don't think you're going to create a good password by being clever. And please stop dismissing the issue by repeating the words "brute force"

[+] grysh|13 years ago|reply
The way I see it, the author oversimplified the password examples to make a point. When it comes to the password length he first made the assumption that your password wasn't in the dictionary. Then he gives us two password examples, the first one is predictable but long, the other one is unpredictable but short, and then he goes on to tell us that the first one is safer which, assuming you are up against a brute force attack, is true.

But the examples are oversimplified and might lead to worse password if a certain group of people come across the post.

P.S. My favourite tip for passwords is not to only have a password that is as random as you can memorize and never, ever, no matter what happens, write it down anywhere.

[+] m8urn|13 years ago|reply
> facepalm. You can't use both? I do. This is horrible advice if taken on face value.

Of course you can!

I think you are taking many of my statements much too literally and misinterpreting the perspective of this article. Of course a long, completely random password made up of multiple character sets will always be the strongest password, but that really isn't the point of this article and it really isn't the most practical advice for most users.

There is a big difference between addressing where we need to be and moving away from where we actually are. Short passwords are not strong enough no matter how random they are. Therefore, I personally would rather see users out there focus on making longer passwords rather than focusing on random passwords. The typical user is much more likely to memorize a less random but longer password than trying to memorize an 8-character random password. I didn't mean to imply that randomness is bad, and I thought that most people got that from my article.

> Let me stop here and say that I can check ALL of the above in less time than it would take to check all variations of 3 characters using alpha, numeric, and common special characters.

These are all valid points and I could have gone into great detail on all the different ways our passwords could be cracked, but that just isn't the point of the article. I also didn't cover other things such as avoiding password reuse, regularly changing passwords, etc., but that doesn't make them any less valid and I cover them regularly through my other blog posts.

> And please stop dismissing the issue by repeating the words "brute force"

Not really sure what you mean by this or what issue you think I have dismissed by mentioning brute force. Brute force attacks are by no means dismissing anything as they have become increasingly effective with ever-increasing computing power. Nevertheless, if an attacker has to assume that you will be using all character sets, the effort to crack your password grows exponentially with the length of your password.

[+] NateDad|13 years ago|reply
Yes, thank you. Exactly what I was thinking. Anything you can think of as an algorithm, someone else can think of too, and then they can test that instead of going through billions of combinations.

There's only two good pieces of password advice:

Use long, randomly generated passwords (16+ characters). Don't use the same password on more than one site.

This can be accomplished with KeePass, LastPass, and other such utilities.

[+] jiggy2011|13 years ago|reply
Not so sure about #3 (random password generator). This might be true in the case of a true brute force where each attempt is almost free, such as somebody getting your password from a database secured by a single round of md5.

In reality, most brute force attacks are attempted remotely where there is a bottleneck in terms of bandwidth and many services are rate limited. In such a case it would always make sense to try the most common passwords first.

The problem with letting people choose their own passwords is that most people just aren't that good at it and will choose stuff like p4ssw0rd1982; because people's minds are somewhat similar, they will tend to converge on similar "good" passwords.

I ran an IMAP service for a time. We would constantly get bots attempting to brute force email accounts, we had fail2ban set to ban them after 5 attempts but they could get more guesses simply by having a lot of IP addresses.

When I looked at the sort of passwords they would try they didn't start with aaaa and move on from there, they would start with stuff that looked like it had been pulled from a common password list.

About once every 3 months we got a call from somebody whose email had been hacked. They all insisted that they were using strong passwords that nobody could have possibly guessed, however when I enforced a strong password policy on the server and offered a random password generator these problems went away.
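The bots jiggy2011 describes dodge a per-IP fail2ban rule by spreading their guesses across many addresses; the complementary defender check is to count failures per account across distinct IPs. This is an added example, not code from the thread or from fail2ban; the log line format and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) in an assumed, simplified IMAP auth-failure format.
SAMPLE_LOG = """\
2013-04-15T10:00:01 imap-login: auth failed user=<alice> rip=203.0.113.10
2013-04-15T10:00:02 imap-login: auth failed user=<alice> rip=203.0.113.11
2013-04-15T10:00:03 imap-login: auth failed user=<alice> rip=203.0.113.12
2013-04-15T10:00:04 imap-login: auth failed user=<alice> rip=203.0.113.13
2013-04-15T10:00:05 imap-login: auth failed user=<alice> rip=203.0.113.14
2013-04-15T10:00:06 imap-login: auth failed user=<alice> rip=203.0.113.15
2013-04-15T10:00:07 imap-login: auth failed user=<bob> rip=198.51.100.7
2013-04-15T10:00:08 imap-login: auth failed user=<bob> rip=198.51.100.7
2013-04-15T10:00:09 imap-login: auth failed user=<bob> rip=198.51.100.7
2013-04-15T10:00:10 imap-login: auth failed user=<bob> rip=198.51.100.7
2013-04-15T10:00:11 imap-login: auth failed user=<bob> rip=198.51.100.7
2013-04-15T10:09:00 imap-login: auth failed user=<carol> rip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) imap-login: auth failed user=<([^>]+)> rip=(\S+)$")

def parse(log):
    """Yield (timestamp, user, source_ip) for every failed-auth line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def per_ip_bans(log, threshold=5):
    """What a fail2ban-style rule sees: source IPs with >= threshold failures."""
    counts = defaultdict(int)
    for _, _, ip in parse(log):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def per_account_alerts(log, threshold=5, window=timedelta(minutes=10)):
    """Accounts hit from >= threshold distinct IPs inside one sliding window.
    This catches the distributed guessing that a per-IP ban never triggers on."""
    events = defaultdict(list)
    for ts, user, ip in parse(log):
        events[user].append((ts, ip))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ips = {ip for t, ip in evs[i:] if t - start <= window}
            if len(ips) >= threshold:
                alerts[user] = len(ips)  # distinct IPs seen in the window
                break
    return alerts
```

On the sample, the per-IP rule bans only bob's single noisy source, while the per-account rule flags alice, who was probed once from each of six addresses.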

[+] rquantz|13 years ago|reply
Correct me if I'm wrong, but aren't you describing a dictionary attack, not brute force?

[+] ams6110|13 years ago|reply
When I looked at the sort of passwords they would try they didn't start with aaaa and move on from there, they would start with stuff that looked like it had been pulled from a common password list.

That's because they were. I'm sure that in the "underground" community of crackers there circulate lists of passwords that have been successfully cracked, because a) people tend to use the same passwords for everything, so if it worked for one account it will probably work for others, and b) the point you made in your third paragraph.

These lists are continually updated and used as input to the "brute force" cracking tools.

[+] casca|13 years ago|reply
TL;DR:

* Simple Substitution < Add a whole word

* First Letters from a Phrase < Take the 3-4 words from a common phrase, add some punctuation

* Random Password Generators < longer password

* Personal Algorithms < longer passwords

[+] aetherson|13 years ago|reply
There is certainly some truth to this post, especially right at this moment in time. But it's the most exuberant example I've yet seen in a new category of bad password advice, to ignore everything but length.

A truly random eight character password containing upper and lowercase letters and digits is a keyspace of size 2x10^14. A four word passphrase containing random words selected from a 5000 word dictionary is a keyspace of size 6x10^14. They are comparable.

Right now, since almost everyone uses short passwords, length gives you amazing protection, because attacks are geared to find the common short password. But to the extent that the tech elite convinces the world to move to longer passphrases, that will quickly stop being true. It's no harder to program a brute force attack to try phrases of very common words, or very long, very low entropy phrases of other sorts (to be or not to be), than it is to try variations of dictionary words.

To the extent that we are giving people advice on security, it should be advice that is robust against the possibility of its own success.
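A small strength estimator, added here and not part of the thread, that models the guess ordering jere lays out (repeated keys, then a common-password list, then a dictionary, then an exhaustive search) and reproduces aetherson's keyspace comparison of a random 8-character password against a 4-word passphrase. The word lists are tiny constructed stand-ins; the list sizes are the ones the commenters quote.

```python
import math
import string

# Constructed stand-ins for the lists the thread mentions; real lists are far larger.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p4ssw0rd1982"}
DICTIONARY_WORDS = {"kitten", "summer", "dragon", "monkey", "purple", "correct"}
# Sizes quoted in the thread: 10,000 common passwords, ~100,000 dictionary
# words, and a 5,000-word vocabulary for random passphrases.
COMMON_LIST_SIZE, DICT_SIZE, PHRASE_VOCAB = 10_000, 100_000, 5_000
KEYBOARD_CHARS = 95  # printable ASCII: "all common keys on a keyboard layout"

def charset_size(pw):
    """Size of the smallest standard character set that contains pw."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def naive_keyspace(pw):
    """Guesses a literal, exhaustive brute force of this charset/length needs."""
    return charset_size(pw) ** len(pw)

def estimated_guesses(pw):
    """Cheapest attack tier that covers pw, checked from cheapest to dearest."""
    lower = pw.lower()
    if len(set(pw)) == 1 and len(pw) <= 100:
        # one key repeated up to 100 times: 95 * 100 < 10,000 attempts
        return KEYBOARD_CHARS * 100, "one key repeated (tiers 1-2)"
    if lower in COMMON_PASSWORDS:
        return COMMON_LIST_SIZE, "common-password list (tier 4)"
    if lower in DICTIONARY_WORDS:
        return DICT_SIZE, "dictionary word (tier 3)"
    words = lower.split()
    if len(words) > 1 and all(w in DICTIONARY_WORDS for w in words):
        # random words from a 5,000-word vocabulary: 5000^n
        return PHRASE_VOCAB ** len(words), f"{len(words)}-word passphrase"
    return naive_keyspace(pw), "exhaustive search"

def strength_bits(pw):
    """log2 of the cheapest covering attack, i.e. effective entropy in bits."""
    return math.log2(estimated_guesses(pw)[0])
```

The gap between naive_keyspace and estimated_guesses is jere's point: p4ssw0rd1982 has a 36^12 keyspace on paper but sits in the 10,000-entry list, while the two cases aetherson compares come out within a factor of three of each other (about 47.6 and 49.2 bits).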

[+] casca|13 years ago|reply
While this list is not unhelpful, the most likely risk is that your password will be captured when a single site that you've signed up to is compromised.

This means that the most important password choice you can make is to have a completely different password on every site.

[+] undantag|13 years ago|reply
I usually recommend supergenpass to friends for this particular reason.

Some prefer stuff like keepass that lets them store everything - I'm happier to rely on an algorithm.

Key point is to make using different passwords in different places really simple, so that people do it.

[+] jiggy2011|13 years ago|reply
Or, of course, a keylogger which can just sit on your PC until it's got them all.

[+] Bloodwine|13 years ago|reply
I disagree with his "First Letters from a Phrase" point. I find mnemonic passwords very useful, and they keep me from having to open up KeePass every time I want to log in to a system because I can't remember the random password.

I agree that longer passwords are better, which is why I use very long phrases to generate my mnemonic passwords (typically 20-26 characters in length).

[+] dllthomas|13 years ago|reply
I find "first letters from a phrase" harder to type than the phrase itself, because it doesn't behave like the rest of the typing I do. Given that it also has less entropy (necessarily, because of collisions), why not just type the whole phrase?

[+] drucken|13 years ago|reply
Not good advice.

1. Use a different password for every application, especially every site.

2. Use a strong random password generator, typically software, to generate your passwords.

The first tip, which is not mentioned at all by the article, is particularly critical.

[+] olivier1664|13 years ago|reply
I'm a human: I'm too dumb to remember more than some passwords (even worse if they must be 16 letters long). And I'm too lazy to use a software to manage my passwords. And worst of all, now, I've my bad habits with passwords.

The password problem is here to stay...

[+] pbreit|13 years ago|reply
I've used the same 6/8 char passwords (no symbols or caps) where possible for the past 20 years or so with no discernible problems. I'm not sure what to make of this post beyond relief that I don't make myself miserable trying to follow such guidance.

[+] freditup|13 years ago|reply
And sure, let's say in 90% of cases using the same 6 char password for everything is okay. But let's take a not unlikely scenario - one website that you frequent is compromised and an attacker gets an unsalted hash of your password. Because your password is so commonplace, they can easily get it as well as a lot of other users' passwords.

Now for every password and email combo they have, they try to log onto a google account or bank account with the same information. Since you use the same password everywhere, they succeed. You're essentially now screwed and the attackers could do all kinds of devastating things.

Perhaps you say the scenario is unlikely - I'd say it happens more often than you would think. And this is the case where you're not even being individually targeted.

Overall - a little preventative action is hardly a burden and goes a long way to securing yourself online.

[+] Samuel_Michon|13 years ago|reply
Relevant XKCD: http://xkcd.com/936/

[+] laumars|13 years ago|reply
That's another common misconception as that advice is only true for brute force attacks, which are usually only the last resort for password crackers. Dictionary attacks are pretty sophisticated these days so I really wouldn't gamble on a short list of common words being secure these days.

[+] kingkawn|13 years ago|reply
It's a subjective impression, but it seems that most password compromise comes from phishing not brute force cracking. Maybe those are just the ones that make it into the media.

[+] guard-of-terra|13 years ago|reply
The worst password tip is using a password-protected system in the first place.

Passwords are neither theoretically nor practically reliable. They off-load security to the user, who is the weakest part of the whole scheme obviously. Who is obviously incapable of remembering by heart dozens of long passwords of random gibberish.

We should know better than to use passwords.

[+] simonbrown|13 years ago|reply
What should we use instead?

[+] bizarref00l|13 years ago|reply
echo "mykitten name"|sha1sum. Will that get me a very good password?

[+] dllthomas|13 years ago|reply
Not if anyone knows that's what you're doing (or can guess because others are doing similar). It would be slightly better than the bare string in terms of crackability, because running the hash would take some time if they're doing it live, but only slightly.