This excellent talk by Hoyt Kesterson at the RSA 2013 conference deserves a lot more views than it has received.
ArsTechnical looked at why there are all of those stupid limits on password length and, sometimes, what characters cannot be used. There is some good information there, but both the author of the piece and some of the folks interviewed seem to misunderstand one of the bigger problems with these artificial limits.
For example, here’s Microsoft’s Eric Doerr on Microsoft’s 16 character limit,
Microsoft imposes a length limit on the passwords its customers create: passwords can include a mix of upper and lower case letters, numbers, and symbols, but they can be no longer than 16 and no shorter than eight characters. Microsoft says that most attacks on accounts cannot be defended by password length, and the company adds that password cracking is hardly its biggest problem.
“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars.
Toward the end, ArsTechnica writer Casey Johnson adds, perhaps a bit whimsically,
If nothing else, the varying password restrictions keep us from being lazy and using the same password for everything, which is itself good practice.
I suspect it’s the opposite–to the extent these arbitrary limits have any effect on overall security, it is to drive people toward reusing the same short passwords on multiple sites.
If the lowest common denominator is 8 characters with no percentage sign allowed, then many people will just make a single password that most of the services they use daily will accept and reuse that.
I prefer to use 20+ character passphrases. For the sites I use on a daily basis, its fairly easy to remember the passphrase outright. For sites I don’t use regularly, I let LastPass keep track of them and then at least when I have to manually type them in they are things that human beings can easily type rather than 7a6waz(4.
But so many sites won’t allow me to use long passphrases and it is tempting to just recycle a number of 8 character passwords I’ve used over the years.
So Doerr is right that securing passwords is hardly on the top rung of security threats, but not allowing longer passwords encourages habits that make the other attacks he’s more worried about even more likely.
The other day I came across a blog post by someone lamenting a common problem we all have these days–password management. The blog linked to an article extolling the virtues of using biometrics either as a complete substitute for passwords altogether, or as part of a two-factor authentication system.
It sounds like an awesome, appropriately futuristic idea–instead of having to remember some long password, I’ll just look into my webcam and use a retinal scan instead of a password to prove I am really who I say I am. In fact, this would be a disaster.
Consider how passwords work today. A system asks you to create a password and you dutifully tell it to use “password”. The system on the other end then creates a hash of that password. A cryptographic hash is a one-way function that transforms “password” into “7!aceldfg”. Because it is a one-way function even if I have the hash, I cannot easily determine that “7!aceldfg” is the has for “password.”
In reality, hashing is vulnerable to some attacks and so a smart website will salt the password hash. All this means is that when you type in “password” when creating an account, the website adds additional pseudo-random data to your password. So a website might convert “password” to “password12345” and then hash that. The website then stores both the hash and the salt value.
The benefit of doing this is that it increases the amount of work that an attacker is going to need to do if they compromise the website and gain access to the password file.
So imagine you create a username and password for your bank account, and the attackers gain access to the files containing the usernames and passwords of all the bank’s customers. Maybe the bank had very good security and they encrypted the password files in addition to hashing and salting the passwords.
You know what, though…just to be on the safe side the bank is going to ask you to change your password anyway. And you are once again reminded why you should never use the same password on multiple sites. Maybe you were reusing the same passwords and now you go and finally fix that so you’ve got different, secure passwords on all your accounts.
Now imagine the bank instead uses a retina or fingerprint scan. You swipe your finger or stare into a webcam, and data gets sent back to the bank which compares it to the hashed, salted version of the data it has on file for your eye or finger and then you get access to your account.
Until today when hackers managed to penetrate the bank’s security and access the user and authentication data. Now, your fingerprint or retinal scan data has been compromised. How do you propose to alter those?
As one biometrics news site sums it up,
Paradoxically, the greatest strength of biometrics is at the same time its greatest liability. It is the fact that an individual’s biometric data does not change over time: the pattern in your iris, retina or palm vein remain the same throughout your life. Unfortunately, this means that should a set of biometric data be compromised, it is compromised forever. The user only has a limited number of biometric features (one face, two hands, ten fingers, two eyes). For authentication systems based on physical tokens such as keys and badges, a compromised token can be easily canceled and the user can be assigned a new token. Similarly, user IDs and passwords can be changed as often as required. But if the biometric data are compromised, the user may quickly run out of biometric features to be used for authentication.
Bruce Schneier looks at password cracking on his blog and he and his commenters have some interesting insights into password cracking and how to minimize the odds of getting cracked and hacked.
The post is in reference to an Ars Technica’s experiment where they gave three “cracking experts” a list of 16,449 passwords hashed using MD5. The least successful cracker was able to figure out 62 percent of the passwords and one of the crackers was able to obtain 90 percent of the passwords.
Essentially all three were doing sophisticated dictionary attacks to get at obvious passwords, but also to crack passwords that people think are secure for some reason, such as “k1araj0hns0n”. From my experience, the practice of sites requiring people to use at least one number or at least one special character, etc., is counterproductive in that it leads people to think that “Pass$1w0rd” becomes magically secure with the addition of the special characters, capitalization and numbers.
Schneier still endorses his scheme of using the first letters from uncommon sentences to create passwords that are secure but easy to remember,
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.
That would certainly work, but I have about 90 accounts I access regularly which would mean remembering 90 sentences or variants therein. And at this point you really do want to ensure every account you use has a different password. Given the rash of hacks of prominent web sites, you just need to assume that at some point a) one of the sites you use regularly is going to get hacked, b) they’re not going to have implemented effective security to protect your password, and c) hackers are quickly going to distribute your password and attempt to use it to access other accounts you control.
I prefer the following method which I think strikes a nice balance of protecting my logins while at the same time recognizing I have a life to live and want to spend as little time as possible managing passwords:
1. Use a password manager. I use LastPass, but I’ve also used other password managers. Whatever password manager you use, do make sure to read reviews to ascertain that its security is acceptable. Personally, I’m satisfied that while LastPass’s security isn’t impregnable, it is good enough and effectively balances my security and usability concerns.
2. Generate passwords with DiceWare. It sounds a bit goofy, but essentially you’re using dice as random number generators to create a list of words that you string together into a longer passphrase. A DiceWare-generated passphrase might look like “cleftcamsynodlacyyr”.
There are two advantages to using DiceWare rather than using something like LastPass to autogenerate random passwords. First, the passwords generated with DiceWare have a great deal of entropy and are not going to fall to a dictionary attack even if the attacker knows you used DiceWare to create them. Second, DiceWare passwords are much easier to type or memorize than typical randomly generated passwords in those situations where you need to manually enter the password.
3. Generate a separate password per account. I generally create a few dozen DiceWare passwords at a time and securely store the list, then grab one of the passwords as I create a new account.
Hash It! is an Android app that replicates — and is compatible with — the Password Hasher extensions for Google Chrome and Firefox. Create a master password key, and Hash It! generates a password for each site you visit based on the master password and the URL of the site.
An interesting approach to password management, though I’m sticking with Diceware plus KeePass.
KeeFox is an add-on in development for Firefox that uses the open source KeePass password manager to manage website passwords in Firefox. That’s just several shades of awesome — can’t wait for the 1.0 release. of this.