This excellent talk by Hoyt Kesterson at the RSA 2013 conference deserves a lot more views than it has received.
Ars Technica looked at why there are all of those stupid limits on password length and, sometimes, on which characters cannot be used. There is some good information there, but both the author of the piece and some of the people interviewed seem to misunderstand one of the bigger problems with these artificial limits.
For example, here’s Microsoft’s Eric Doerr on Microsoft’s 16-character limit:
Microsoft imposes a length limit on the passwords its customers create: passwords can include a mix of upper and lower case letters, numbers, and symbols, but they can be no longer than 16 and no shorter than eight characters. Microsoft says that most attacks on accounts cannot be defended by password length, and the company adds that password cracking is hardly its biggest problem.
“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars.
Toward the end, Ars Technica writer Casey Johnston adds, perhaps a bit whimsically,
If nothing else, the varying password restrictions keep us from being lazy and using the same password for everything, which is itself good practice.
I suspect it’s the opposite: to the extent these arbitrary limits have any effect on overall security, it is to drive people toward reusing the same short passwords on multiple sites.
If the lowest common denominator is 8 characters with no percentage sign allowed, then many people will just make a single password that most of the services they use daily will accept and reuse that.
I prefer to use 20+ character passphrases. For the sites I use on a daily basis, it’s fairly easy to remember the passphrase outright. For sites I don’t use regularly, I let LastPass keep track of them, and then at least when I have to manually type them in they are things that human beings can easily type rather than 7a6waz(4.
But so many sites won’t allow me to use long passphrases and it is tempting to just recycle a number of 8 character passwords I’ve used over the years.
So Doerr is right that securing passwords is hardly on the top rung of security threats, but not allowing longer passwords encourages habits that make the other attacks he’s more worried about even more likely.
Bruce Schneier looks at password cracking on his blog, and he and his commenters have some interesting insights into how crackers work and how to minimize the odds of getting cracked and hacked.
The post is in reference to an Ars Technica experiment in which they gave three “cracking experts” a list of 16,449 passwords hashed using MD5. The least successful cracker was able to recover 62 percent of the passwords, and one of the crackers obtained 90 percent. MD5 is a fast hash, which is part of why this works: a cracker can test enormous numbers of guesses per second against the leaked list, whereas a deliberately slow password hash such as bcrypt cuts that rate by orders of magnitude.
Essentially all three were doing sophisticated dictionary attacks to get at obvious passwords, but also to crack passwords that people think are secure for some reason, such as “k1araj0hns0n”. From my experience, the practice of sites requiring people to use at least one number or at least one special character, etc., is counterproductive in that it leads people to think that “Pass$1w0rd” becomes magically secure with the addition of the special characters, capitalization and numbers.
Schneier still endorses his scheme of using the first letters from uncommon sentences to create passwords that are secure but easy to remember,
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.
That would certainly work, but I have about 90 accounts I access regularly, which would mean remembering 90 sentences or variants thereof. And at this point you really do want to ensure every account you use has a different password. Given the rash of hacks of prominent web sites, you just need to assume that at some point a) one of the sites you use regularly is going to get hacked, b) they’re not going to have implemented effective security to protect your password, and c) hackers are quickly going to distribute your password and attempt to use it to access other accounts you control.
I prefer the following method which I think strikes a nice balance of protecting my logins while at the same time recognizing I have a life to live and want to spend as little time as possible managing passwords:
1. Use a password manager. I use LastPass, but I’ve also used other password managers. Whatever password manager you use, do make sure to read reviews to ascertain that its security is acceptable. Personally, I’m satisfied that while LastPass’s security isn’t impregnable, it is good enough and effectively balances my security and usability concerns.
2. Generate passwords with DiceWare. It sounds a bit goofy, but essentially you’re using dice as random number generators to create a list of words that you string together into a longer passphrase: each throw of five dice selects one word from a list of 7,776 (6^5) words. A DiceWare-generated passphrase might look like “cleftcamsynodlacyyr”.
There are two advantages to using DiceWare rather than something like LastPass to autogenerate random passwords. First, DiceWare passphrases have a great deal of entropy (about 12.9 bits per word, so five words give roughly 65 bits) and are not going to fall to a dictionary attack even if the attacker knows you used DiceWare to create them, because the only secret is which words the dice picked. Second, DiceWare passphrases are much easier to type or memorize than typical randomly generated passwords in those situations where you need to manually enter the password.
3. Generate a separate password per account. I generally create a few dozen DiceWare passwords at a time and securely store the list, then grab one of the passwords as I create a new account.
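The three steps above, as an added example that is not the author's own tooling: it rolls the dice, maps the faces to a word, strings the words together, and does the entropy arithmetic behind the claim that knowing the method does not help the attacker. Physical dice are replaced by the operating system's CSPRNG (`secrets.randbelow`), which is an assumption made so the script runs unattended; the 36-word `WORDLIST` is a constructed list indexed by two dice so the example is self-contained, and the real 7,776-word Diceware list indexed by five dice works with the same code.

```python
"""Diceware-style passphrase generation and the entropy arithmetic behind it.

Added example, not the author's own tooling. Physical dice are replaced by the
operating system's CSPRNG (secrets.randbelow), an assumption that keeps the same
uniform 1..6 outcome per die. WORDLIST is a constructed 36-word list indexed by
two dice so the example runs stand-alone; the real Diceware list has 7776 words
indexed by five dice and works with the same functions.
"""
import math
import secrets

WORDLIST = [
    "acid", "barn", "cleft", "cam", "drum", "elk", "fern", "gull", "hatch",
    "iron", "jolt", "kelp", "lacy", "moss", "nook", "oak", "pine", "quill",
    "rook", "synod", "tusk", "urn", "vane", "wisp", "yarn", "zinc", "ash",
    "bolt", "cove", "dune", "echo", "flax", "glen", "husk", "ink", "jade",
]
assert len(WORDLIST) == 36  # 6**2: two dice index the whole constructed list


def dice_needed(wordlist):
    """Smallest n with 6**n >= len(wordlist); five for the 7776-word Diceware list."""
    n = 0
    while 6 ** n < len(wordlist):
        n += 1
    return n


def roll_die(rng=secrets.randbelow):
    """One fair d6. rng(n) must return a uniform integer in [0, n)."""
    return rng(6) + 1


def rolls_to_index(rolls):
    """Read die faces most-significant first as a base-6 number: 11111 -> 0, 66666 -> 7775."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("die face out of range: %r" % face)
        index = index * 6 + (face - 1)
    return index


def pick_word(wordlist, rng=secrets.randbelow):
    """Roll enough dice for the list and look the word up. If the list is shorter
    than 6**n the overflow rolls are thrown away and re-rolled, so every word
    stays equally likely instead of the first words being favoured."""
    n = dice_needed(wordlist)
    while True:
        rolls = [roll_die(rng) for _ in range(n)]
        index = rolls_to_index(rolls)
        if index < len(wordlist):
            return wordlist[index], rolls


def generate_passphrase(wordlist, n_words, rng=secrets.randbelow, sep=""):
    """Join n_words independently chosen words; sep="" gives the cleftcamsynodlacyyr style."""
    return sep.join(pick_word(wordlist, rng)[0] for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy when the attacker knows the list, the word count and the method:
    only the dice outcomes are secret, so it is n_words * log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(alphabet_size, length):
    """The same arithmetic for a uniformly random character password."""
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(wordlist_size, n_words):
    """Candidates an attacker who knows the scheme must try in the worst case."""
    return wordlist_size ** n_words


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDLIST, 4))
    print("36-word list, 4 words: %.1f bits" % passphrase_entropy_bits(36, 4))
    print("real Diceware, 5 words: %.1f bits, %d candidates"
          % (passphrase_entropy_bits(7776, 5), guesses_to_exhaust(7776, 5)))
    print("8 random printable ASCII characters: %.1f bits"
          % random_password_entropy_bits(95, 8))
```

The constructed 36-word list is only good for about 5.2 bits per word, which is why the real list is 7,776 words: five words from it give about 64.6 bits, while eight uniformly random printable ASCII characters give about 52.6 bits. The entropy functions deliberately take only the list size and word count, because that is all an attacker who knows you used Diceware is missing.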
For the most part, I think criticisms of WordPress security are largely overblown. When you look at some of the more prominent hacks against WordPress-powered blogs, they tend to be due to common security problems, such as poor security models on virtual hosting servers or people who do not keep their WordPress install and plugins updated.
But occasionally I do shake my head at some WordPress practices. Take, for example, the Limit Login Attempts plugin that I use on this site. The plugin is straightforward: if someone tries to log in to an account and gets the password wrong four times in a row, that account will be locked for 20 minutes.
It is probably overkill for me because no one’s going to brute-force my admin account password; it is far too long and random to guess even with days’ worth of trying. Still, it’s just a good idea, if only to shoo away potential hackers.
What pisses me off, though, is that I have to go download a plugin in order to accomplish this. For the love of all that is nerdy, why the hell is rate limiting of login attempts not a feature in the WordPress core already (and one that should be turned on by default, IMO)? That is an elementary security tool, and it is mind-boggling that this is something a vanilla WordPress install lacks.
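The lockout rule described above, as an added example that is not the Limit Login Attempts plugin's own PHP: four consecutive wrong passwords lock the account for 20 minutes, a correct password is refused while the lock is active, and a successful login resets the failure count. It is written in Python to show the mechanism; the in-memory dictionaries and the injectable clock are assumptions so it runs stand-alone.

```python
"""Consecutive-failure login lockout of the kind the text describes: four wrong
passwords in a row lock the account for 20 minutes.

Added example, not the Limit Login Attempts plugin's own PHP. The 4-failure /
20-minute numbers come from the text; the in-memory dictionaries and the
injectable clock are assumptions so it runs stand-alone (a real deployment keeps
this state in a store that every web worker shares).
"""
import time


class LoginThrottle:
    def __init__(self, max_failures=4, lockout_seconds=20 * 60, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # key -> consecutive failures since the last success
        self._locked_until = {}  # key -> time at which the lock expires

    def is_locked(self, key):
        """True while a lock is active; an expired lock is cleared on first sight."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)  # the next window starts with a fresh count
            return False
        return True

    def seconds_remaining(self, key):
        if not self.is_locked(key):
            return 0
        return int(self._locked_until[key] - self.clock())

    def login(self, key, verify):
        """Attempt a login. verify() does the real credential check and is only
        called when the key is not locked, so a locked account rejects even the
        right password and the attacker gets no password-hash work out of us."""
        if self.is_locked(key):
            return False
        if verify():
            self._failures.pop(key, None)  # a success resets the consecutive counter
            return True
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= self.max_failures:
            self._locked_until[key] = self.clock() + self.lockout_seconds
        return False


class FakeClock:
    """Constructed stand-in for time.time so the lockout window can be stepped by hand."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenario():
    """Four failures lock 'admin'; the right password is refused while locked;
    one second before expiry it is still locked; at expiry the right password
    gets in. Returns the sequence of outcomes."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    wrong, right = (lambda: False), (lambda: True)
    outcomes = [throttle.login("admin", wrong) for _ in range(4)]
    outcomes.append(throttle.is_locked("admin"))
    outcomes.append(throttle.login("admin", right))
    clock.advance(20 * 60 - 1)
    outcomes.append(throttle.is_locked("admin"))
    clock.advance(1)
    outcomes.append(throttle.login("admin", right))
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

Keying the lock on the account name, as the text describes, means anyone who can reach the login page can lock the real administrator out by typing four wrong passwords; keying on the source address, or on the pair of address and account, limits that denial-of-service at the cost of letting a distributed attacker spread guesses across addresses. Whichever key is used, the lock check has to run before the password hash is computed, which is why `verify` is passed in as a callable rather than as a result.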
I’ve been using AirVPN for a couple years now, and there are two basic forms of privacy I’m trying to achieve.
First, I do not want people who have access to the networks I’m using to have the capability of monitoring what I am doing. For example, I regularly connect my laptop to WiFi networks that I do not control, and I want to ensure that no other users (including the operators of those networks) are able to see or record my activity.
Second, I do not want entities on the other end able to directly track my activity back to my actual IP address.
So for my case the most important thing was finding a VPN that doesn’t do any logging. As Pearson points out, a number of popular VPNs based in the United States — VyprVPN, HideMyNet, StrongVPN, etc. — actually keep logs of all activity through their systems so they can respond to DMCA requests. Pearson makes the case that not only is this the height of stupidity for a VPN, but that it is not even remotely required by US law.
The next most important thing, in my opinion, is to avoid any VPN based in the United States. With a lot of services, that option just isn’t there. With VPNs, many of them are based outside of the US and Europe, and the more obscure the jurisdiction the better.
Pearson raises a third use case for VPNs — avoiding monitoring by law enforcement.
So what happens if a law enforcement agency approaches a VPN, serves a subpoena, and demands the company trace an individual, based on the timestamp and the IP address of one of their servers? VPN services, like all businesses, are compelled to abide by the law. However, there is no way of complying with the authorities if the data they require does not exist.
One of the few ways law enforcement could identify an individual using a privacy service, without logs, is if they served the owners a gag order and demanded they start logging the traffic on a particular server they know their suspect is using. We would shut down our business before co-operating with such an order and any VPN serious about privacy would do the same. So unless law enforcement were to arrest the VPN owners on the spot, and recover their keys and password before they could react, your privacy would be protected.
While I appreciate Pearson’s activism, I wouldn’t count on that sort of activist mentality to shield me from law enforcement. If law enforcement monitoring were a serious concern, I’d use multiple VPNs, switch servers within those VPNs regularly, and cycle through the VPNs I was using on a regular basis (as well as use Tor and other anti-monitoring countermeasures).
Even then, there are ways beyond direct logging for a persistent-enough law enforcement agency to track Internet activity back to specific users given enough time.
Nice talk from 28C3 on the methods used in the arms race between governments and Tor developers.