Schneier on Security
A blog covering security and security technology.
December 14, 2006
How good are the passwords people are choosing to protect their computers and online accounts?
It's a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.
The attack was pretty basic. The attackers created a fake MySpace login page, and collected login information when users thought they were accessing their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later.
MySpace estimates that more than 100,000 people fell for the attack before it was shut down. The data I have is from two different collection points, and was cleaned of the small percentage of people who realized they were responding to a phishing attack. I analyzed the data, and this is what I learned.
Password Length: While 65 percent of passwords contain eight characters or less, 17 percent are made up of six characters or less. The average password is eight characters long.
Specifically, the length distribution looks like this:
Yes, there's a 32-character password: "1ancheste23nite41ancheste23nite4." Other long passwords are "fool2thinkfool2thinkol2think" and "dokitty17darling7g7darling7."
Character Mix: While 81 percent of passwords are alphanumeric, 28 percent are just lowercase letters plus a single final digit -- and two-thirds of those have the single digit 1. Only 3.8 percent of passwords are a single dictionary word, and another 12 percent are a single dictionary word plus a final digit -- once again, two-thirds of the time that digit is 1.
| Character mix | Share of passwords |
|---|---|
| numbers only | 1.3 percent |
| letters only | 9.6 percent |
Only 0.34 percent of users have the user name portion of their e-mail address as their password.
Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey. (Different analysis here.)
The most common password, "password1," was used in 0.22 percent of all accounts. The frequency drops off pretty fast after that: "abc123" and "myspace1" were only used in 0.11 percent of all accounts, "soccer" in 0.04 percent and "monkey" in 0.02 percent.
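The headline figures above (length distribution, character mix, "lowercase word plus a trailing 1", single dictionary word with or without a final digit, and the most frequent passwords) are exactly the statistics a defender can compute over any leaked or internally audited password set. The following Python script is an added example, not the essay's own tooling and not the MySpace data; the password list and the tiny dictionary set are constructed for the demonstration and their percentages are illustrative only.

```python
import re
from collections import Counter

# Constructed sample corpus for demonstration; it is NOT the phished MySpace
# data (that set is not published) and its percentages are illustrative only.
SAMPLE_PASSWORDS = [
    "password1", "abc123", "myspace1", "password", "blink182",
    "qwerty1", "soccer", "monkey1", "jordan23", "baseball1",
    "Tr0ub4dor&3", "1ancheste23nite41ancheste23nite4", "123456", "monkey", "iloveyou1",
    "football1", "letmein2", "abcdef", "password1", "monkey",
]

# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "soccer", "monkey", "baseball", "football",
              "princess", "superman", "qwerty"}

LOWER_PLUS_ONE_DIGIT = re.compile(r"^[a-z]+[0-9]$")


def length_distribution(pws):
    """Map password length -> number of passwords of that length."""
    return Counter(len(p) for p in pws)


def character_mix(pws):
    """Bucket passwords into the four character-class categories used in the essay."""
    mix = Counter()
    for p in pws:
        if p.isdigit():
            mix["numbers only"] += 1
        elif p.isalpha():
            mix["letters only"] += 1
        elif p.isalnum():                # letters and digits, nothing else
            mix["alphanumeric"] += 1
        else:                            # at least one symbol / punctuation mark
            mix["non-alphanumeric"] += 1
    return mix


def lowercase_plus_final_digit(pws):
    """Return (count of 'lowercase letters + exactly one trailing digit', how many end in '1')."""
    hits = [p for p in pws if LOWER_PLUS_ONE_DIGIT.match(p)]
    return len(hits), sum(1 for p in hits if p.endswith("1"))


def dictionary_word_stats(pws, dictionary):
    """Return (single dictionary word, single dictionary word + one trailing digit)."""
    single = sum(1 for p in pws if p.lower() in dictionary)
    word_digit = sum(1 for p in pws
                     if len(p) > 1 and p[-1].isdigit() and p[:-1].lower() in dictionary)
    return single, word_digit


def top_passwords(pws, n=20):
    """Most frequent passwords, most common first (ties keep first-seen order)."""
    return Counter(pws).most_common(n)


def report(pws, dictionary=DICTIONARY):
    """Summarise a password list with the same headline figures as the essay."""
    total = len(pws)
    lengths = length_distribution(pws)
    mix = character_mix(pws)
    lower_digit, lower_digit_1 = lowercase_plus_final_digit(pws)
    single, word_digit = dictionary_word_stats(pws, dictionary)

    def pct(n):
        return round(100.0 * n / total, 1)

    return {
        "total": total,
        "avg_length": sum(len(p) for p in pws) / total,
        "pct_8_or_less": pct(sum(c for l, c in lengths.items() if l <= 8)),
        "pct_6_or_less": pct(sum(c for l, c in lengths.items() if l <= 6)),
        "mix_pct": {k: pct(v) for k, v in mix.items()},
        "pct_lower_plus_digit": pct(lower_digit),
        "share_of_those_ending_in_1": round(lower_digit_1 / lower_digit, 2) if lower_digit else 0.0,
        "pct_single_dictionary_word": pct(single),
        "pct_dictionary_word_plus_digit": pct(word_digit),
        "top": top_passwords(pws, 5),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Run against a real audit set, the interesting numbers are the "word plus trailing digit" and "ending in 1" shares: they reveal how much of the apparent complexity is just users satisfying a "must contain a digit" rule with the least effort.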
For those who don't know, Blink 182 is a band. Presumably lots of people use the band's name because it has numbers in its name, and therefore it seems like a good password. The band Slipknot doesn't have any numbers in its name, which explains the 1. The password "jordan23" refers to basketball player Michael Jordan and his number. And, of course, "myspace" and "myspace1" are easy-to-remember passwords for a MySpace account. I don't know what the deal is with monkeys.
We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?
But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack (.gz) 24 percent of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long.
And in 1992 Gene Spafford cracked (.pdf) 20 percent of passwords with his dictionary, and found an average password length of 6.8 characters. (Both studied Unix passwords, with a maximum length at the time of 8 characters.) And they both reported a much greater percentage of all lowercase, and only upper- and lowercase, passwords than emerged in the MySpace data. The concept of choosing good passwords is getting through, at least a little.
On the other hand, the MySpace demographic is pretty young. Another password study (.pdf) in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.
None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize (.pdf). Those lines crossed years ago, and typical real-world passwords are now software-guessable. AccessData's Password Recovery Toolkit -- at 200,000 guesses per second -- would have been able to crack 23 percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours.
Of course, this analysis assumes that the attacker can get his hands on the encrypted password file and work on it offline, at his leisure; i.e., that the same password was used to encrypt an e-mail, file or hard drive. Passwords can still work if you can prevent offline password-guessing attacks, and watch for online guessing. They're also fine in low-value security situations, or if you choose really complicated passwords and use something like Password Safe to store them. But otherwise, security by password alone is pretty risky.
This essay originally appeared on Wired.com.
Posted on December 14, 2006 at 7:39 AM
On the other hand, passwords are nowadays required everywhere. Having such weak passwords might also give you deniability. "I didn't do it, your honour. This is my username and my password, but obviously someone else did it in my name. Obviously my password was too weak and easy to crack. At least that's what Mr. Schneier told me, and who am I to argue with him?!"
I use a random password generator and have encountered the problem on some web sites of their accepting only alphanumeric characters with a password length of 8 characters or less.
It's difficult to set stronger passwords when the sites you visit don't have the capability of accepting them.
On the other hand, knowingly using a weak password might be construed as (gross) negligence under some circumstances.
So be careful with that. It might not get you out of trouble (or, rather, into another kind of trouble).
Interesting analysis. I'd be curious to know if these password statistics are skewed in any way since all members of the sample pool are people who actually fell for a phishing attack.
It's also worth considering that users may not consider a MySpace profile to be worth high security... I use much better passwords for things like internet banking and Amazon than for posting through Google Groups. Then again, I don't use my real name for that, either - so if someone did guess my password and use my name, it wouldn't hurt me or my reputation; presumably that wouldn't be true for MySpace.
Bruce Schneier can crack your 64-character password in under 0.0043 seconds using only the fingers of one hand!
When I first signed up for MySpace, I'm pretty sure that I was forced to use a password that was 8 characters or less.
Also my ability to remember passwords decreases as I age. Or rather remember which of 10,000 I have used in the last 2 years is the one CURRENTLY active (if any) on the screen facing me at the time.
I don't even know my own passwords! All I need remember is the master PW set for AI Roboform (yes, I have its files well backed up...). My PWs are generally 12 characters or longer, with punctuation whenever permitted. A side note: my main bank has a max. of 8 characters and no punctuation - not a very wise policy for a financial institution!
"Better than 15 years ago, but not as good as MySpace users. Kids really are the future."
Yes, but the context is different. What passwords do MySpace "kids" use at work? And do we know for sure that the corporate employees were all older than the MySpace crowd - or rather that their mean, or median, age was higher, or significantly higher. Not all people in the workplace are old. Similarly, many MySpace users are said to be older than people assume MySpace users would be.
All of which is to say, this _might_ be down to age, but I can't see that that has been shown. It might be also be down to context. People may have more regard for their personal data's security than for their company's data. From what I've seen and heard I'd say that where companies have password policies they tend to be seen by employees as a nuisance. People like things to be easy, don't actually believe threats are tangible, and don't, in any case, care very deeply about corporate data.
CJ: exactly what I was going to say. I do have a myspace account, and because I don't think it represents a valuable object worth serious protection, I haven't bothered with a beefy password.
Also, who doesn't like monkeys?
'Monkeys' is probably a reference to 'Arctic Monkeys' one of the first bands to use MySpace and make it really big via 'word of mouth' without having a record label at the time.
@Nothing, spot on. I would agree that those that are duped by a phishing scam are more likely to choose a weaker password.
Possibly the numbers are worse than they really are. Users who fall for a phishing site are arguably less versed in security matters and might have worse than average passwords. Hard to tell without a control sample.
Time to once again plug Password Safe and its various multi-platform clones. They all come with random password generators.
(Although I'm sometimes frustrated when a service does not let me use a randomly generated password, just because the random blob happens to not contain a digit.)
Yeah, but when your password is 123456 and the judge is thinking to himself, "hey, that's the same combination as on my luggage," then he can't really say you're negligent when he knows that he is just as negligent in every password he uses too, which is likely.
As far as corporate user passwords are concerned, the weakness of the distribution confirms anecdotal evidence of attitudes in one corporate IS shop that I'm aware of.
Many employees feel that the corporate firewall supplies all the necessary security, and that inside the fence strong passwords are a superfluous nuisance.
In this view they are bolstered by the necessity of configuring and cross-connecting third-party software that -- according to vendors -- can only operate correctly with elevated privileges, and which is incapable of secure authentication. The necessity (and convenience) of placing passwords for critical accounts in clear text in custom scripts encourages the attitude that security is a perimeter issue, and the responsibility of firewall admins. Hence the carefree choices of passwords.
MySpace requires a password of at least 6 characters, including at least a number or punctuation character.
I guess that the people who entered passwords shorter than 6 digits or not including numbers/punctuation were either trying to use their "standard" password (that does not meet MySpace's requirements) or had a typo.
I guess "password" is the most common (non-MySpace) password even among savvy kids...
This sample is representative of users *who fell for a phishing attack*; their passwords are likely to be weaker than more savvy users who avoided that trap.
The numerous passwords with a "1" tacked at the end is typical of a website that requires alphanumeric passwords. The user first tried to register with his favorite password, and at his second try, he tacked a "1" at the end, therefore fulfilling the requirements.
Personally, I've found that password change policies have had a detrimental effect on the passwords I use at work. I used to use md5 segments of different lengths as passwords for everything. Now that I'm subjected to changing passwords on 10+ systems independently every 30-45 days, I've taken to using worse passwords, patterns, and writing down parts to help me remember the passwords.
I still have no problem remembering the random passwords I use on my home machines. Remembering a few 8+ character random strings for several months at a time is reasonable. Trying to keep track of several such passwords that will change regularly is hopeless.
It's unfortunate that we have no real choice on the security we take part in everyday. Username/password is always going to degrade when each person has to have hundreds of accounts. Whether they take to having them stored in one place (single point of failure/attack) or using the same ones over and over, the outcome is less security.
OK, the big question I have: The data "was cleaned of the small percentage of people who realized they were responding to a phishing attack."
Exactly how the heck was this done? Did someone actually log in to all 100K accounts to make sure the password worked?
I was somewhat amused: I recently created a myspace account, after which they helpfully sent me an e-mail of my account details, including my password in cleartext. That just strikes me as horribly wrong...
People just plain like monkeys. And I think monkey is a common affectionate nickname. I call my son "monkey" all the time.
Hmmm..... I wonder how crackable are passphrases that are (honestly) Diceware generated? Say 4- to 7-word phrases with a $RANDOM number of random characters substituted. (Where random means truly random. And where Diceware means: based on the Diceware wordlists, but with some words randomly substituted.)
Glad to see the kids are learning, though!
While Slipknot doesn't contain any numbers in its name, the official band website is www.slipknot1.com so that makes it even easier to remember.
"sent me an e-mail of my account details, including my password in cleartext."
Perhaps that's not ideal but for a new account you wouldn't really be risking much with a new account and you can change the password as soon as you get it (I presume).
I have my own little story which is much worse, in my opinion. While moving address, I had to get my ISP to reconfigure my mail account. I'm not sure why, but after the move, my email account needed updating in some way to get back in. I was amazed when the helpdesk staff told me my email account password! It must be stored in plain text somewhere in their system.
I can set my password as strong as I like but I know there are people who can get to it.
Changing passwords ONLY because they are old is a bad idea. (If they're known to someone who has left the company that's a different case and less likely to apply to your individual passwords.)
I had a user once who, when I told him he had a weak password (because I'd cracked it), told me his password was not weak.
Well it's "1", and if the password was strong I wouldn't know what it was.
But it's not weak - it's not a word!
Users are a disgrace - I laugh at them failing their SOX audits. (Hi David, Amit, Andrew!)
When I am confronted with 13 different logins and passwords, and the logins are all variations of my name (first.last, first.MI.last, lastfirstletter....) and passwords which are irrascable combinations like @F*&l89Qw, it's simply impossible to remember them. And when the system demands that I change them every so often, like every 90 days, I am forced to start writing them down. This defeats the whole purpose in a corporate environment.
I worked really hard to come up with such a kick ass 32 character password and you have to be such a h4t3r and post it to the whole world? Thanks a lot...
I read an article (maybe by you Bruce?) where basically the author suggested that a user picks a good strong password and DOES write it down...and keeps it in his/her wallet/purse. People protect their personal belongings and identity much better than company information and so it stands to reason that the wallet is one of the safest places to keep a password. (not as safe as one's brain obviously!) but it can encourage strong passwords...which are reasonably safe.
I once worked at a NASA facility where the sysadmins rigorously policed password selection and forced password changing quarterly, but at the same time limited us to length 8 and a restricted character set so that every system would be compatible with the weakest system.
I suspect that institutional IT security will always be as dumb as its dumbest chief officer because budget decisions come down from the top.
People often post statistics like these, but what I'd be really interested in is the effective number of bits that passwords provide and the pdf and cdf of that information. For example a 6 character, all lower case password has about 28.2 bits worth of security. A six character password with upper case, lower case, and numbers has about 35.7 bits worth of security. This assumes that the data in each position is in fact random. Intelligent analysis that does what password cracking/checking software does to detect dictionary words and the instance of just one number mixed in the password would be nice. Doing some rough calculations, one of the more secure passwords I use is around 52 bits. A common password I use on the web is about 33. Maybe this isn't a great way to score passwords, but I can think in terms of bits since I have an idea of how much compute power it takes to brute force a given number of bits. Any takers? Bruce?
ObSpaceballs: 1-2-3-4-5-6? That's the same combination as my luggage!
I would guess that the passwords that are an obscenity listed under "most frequent" were not real passwords at all, but rather entries by people who knew this was a phishing attack.
> I don't know what the deal is with monkeys.
The password is a key, mon!
Bah! Why go through all the trouble of buying a fast computer and writing software to figure out maybe 55% of passwords (if you can get the file)?
Just look under keyboards (or on monitors) for the sticky notes. If you feel you must actually spend money, hand out pens for a 90% success rate:
You should also consider that this is myspace. It likely has a significant percentage of users who don't care much about their account and aren't very interested in preventing others from breaking into it, so they pick minimally secure passwords that the system will accept, and just consider it an inconvenience.
It could be interesting to compare myspace stats with, say, ebay bid passwords, adjusting for age. If you could get such a large database of ebay bid passwords :)
I would surmise that the "fuckyou" passwords are ones that recognized they were inputting into a phishing web site.
Your data is skewed. Anyone who would fall for a phishing attack in the first place is not a savvy user.
I understand why you might want to give me multiple shots at getting it right. I understand strong passwords and dictionary attacks and what not.
What I question is whether my password is really the weak link in a system where you are allowed to throw endless attempts at the system before some piece of code calls the "this clown is not even trying" function and locks the account down in one way or another depending on the level of attack and the importance of security.
Considering most people use the same user name and password pair almost everywhere, I wonder how many other websites you could access if you made a dictionary out of those user names and passwords and started doing a dictionary attack on every web site you could find? I think that would be an interesting and frightening statistic.
My wife fell for the scam, even though she knew it was happening and had fed in her username with false passwords to several phishers.
There was a problem with users being used to having to put their passwords in at random times while surfing myspace before the scam started.
Regarding obscene passwords, and the frequency of simple passwords:
I worked at a major internet retailer, and one of our security tools was to watch for repeat passwords, especially on successive accounts. It ended up that I and two other investigators had access to cleartext passwords to assist in our fraud prevention efforts. All other internal users never saw passwords.
A significant number of customers, probably higher than in the sample above, used "password1" as their password. An observable number of customers used obscenities or objectionable terms as their passwords.
Fraudsters rarely used such common words as passwords (in fact, I never saw a fraud account use password1). However, they had a very high tendency to reuse a particular password for all of their accounts. (This is what made having viewable passwords valuable as a fraud prevention tool.) Even a fraudster creating a "fire and forget" account to place fraudulent orders will wish to log back in to check order status; because they create a high number of accounts (to continue fraud as previous accounts become identified and shut down) they must use either repeated or easily recreatable passwords to maintain their staggering number of accounts. (Also, most of this fraud was coming from fraud "boiler rooms" where individuals were paid to place fraudulent orders; just like the lowest rung at most corporations, password scrutiny is weakest among such individuals). Even fraudsters using randomizers for their passwords were identifiable, if only because they were predominant among the few users who did not use regular names/phrases/words in their passwords; less than 1% of customers used passwords such as 25jrt7x6, and about 90% of such passwords came from fraudsters.
Ha. Must be a Manchester United fan.
I guess I don't understand why everyone doesn't move over to passphrases. A lowercase only 20+ char password is still impervious to bruteforce, and is easily remember-able.
>And when the system demands that I change them every so often, like every 90 days, I am forced to start writing them down. This defeats the whole purpose in a corporate environment.
Oh, man, tell me about it. The last place I worked had about 6 different systems, each with its own password requirements. (One you had to change every 30/31 days!) Most people either wrote down their passwords or just used a stable of 3 passwords they'd alternate between (for all the security, none of the systems remembered more than your last password).
I took to just writing them down and keeping the paper on my person at all times. Had to.
My favorite failed password was something like "f31bu9it1g4", which it told me was "vulnerable to dictionary attacks". Some experimentation revealed that "f31bu9iz1g4" didn't trip the warning, which is when I realized what it was: It saw the "it" in the middle of the password and assumed that since there was one dictionary word present in the password, the entire password was therefore flawed. I wound up having to resort to letter-number-letter-number passwords soon after because it was too easy to trip over "be" or "an" or "of" or any other two letter word.
Using a tool like ROBOFORM (unfortunately it's not free, but $30 won't break anyone) allows me to give everything (i.e., site passwords, email accounts, some file names) a unique random string of alphameric characters that's as long as I like. I've even started using it on some email accounts to prevent alpha spammers from guessing my email id. Redirectors and such make it human friendly. There's no excuse for being lazy. I've even used it to generate a one time pad of passwords for the luddites in my family. ;-) Figure they'll just call me for support when their bad habits get them into trouble. So, I'll save myself some work.
> wonder how crackable are passphrases that are (honestly) Diceware generated?
Each Diceware word adds ~13 bits of entropy. So a 4-word Diceware phrase has ~52 bits of entropy. With 5 Diceware words, brute-forcing your password would be harder than brute-forcing the original DES encryption algorithm.
I would suggest a 5-word Diceware passphrase, with each word separated by a non-alpha character. But that's a pain in the ass to type.
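The "bits of security" framing in the earlier comment (6 lowercase characters, about 28.2 bits; 6 mixed alphanumeric characters, about 35.7 bits), the ~13 bits per Diceware word in this reply, and the essay's 200,000 guesses per second figure all fit one small calculator. The Python below is an added example, not code from the essay or from any commenter; it assumes the standard Diceware list size of 7776 (6^5) words, treats 33 printable ASCII punctuation characters as the symbol class, and, like the comment it illustrates, assumes every position is chosen uniformly at random, so its per-password estimate is an upper bound rather than a measurement of real strength.

```python
import math

# Assumptions for the calculator (constructed for this example):
# - Diceware draws each word from a list of 6^5 = 7776 words.
# - The guess rate is the 200,000 guesses/second quoted in the essay for PRTK.
DICEWARE_WORDS = 7776
ESSAY_GUESS_RATE = 200_000
DES_KEY_BITS = 56


def entropy_bits(alphabet_size, length):
    """Bits of a password of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def diceware_bits(num_words, wordlist_size=DICEWARE_WORDS):
    """Bits of a Diceware passphrase: each word is one uniform draw from the list."""
    return num_words * math.log2(wordlist_size)


def naive_bits(password):
    """Upper-bound estimate from the character classes a password actually uses.

    This is the 'assume every position is random' model from the comment; real
    passwords (dictionary word + '1') are far weaker than this number suggests.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33          # printable ASCII punctuation (assumed symbol class)
    return entropy_bits(size, len(password)) if size else 0.0


def exhaustive_seconds(bits, guesses_per_second):
    """Seconds to try the entire keyspace of `bits` at the given guess rate."""
    return 2 ** bits / guesses_per_second


def bits_to_resist(guesses_per_second, seconds):
    """Minimum entropy so that an exhaustive search takes at least `seconds`."""
    return math.log2(guesses_per_second * seconds)


def stronger_than_des(num_words):
    """True when a Diceware phrase of `num_words` words exceeds a 56-bit DES key."""
    return diceware_bits(num_words) > DES_KEY_BITS


if __name__ == "__main__":
    print(f"6 lowercase chars:      {entropy_bits(26, 6):.1f} bits")
    print(f"6 mixed alnum chars:    {entropy_bits(62, 6):.1f} bits")
    print(f"4 Diceware words:       {diceware_bits(4):.1f} bits")
    print(f"5 Diceware words > DES: {stronger_than_des(5)}")
    print(f"'password1' naive:      {naive_bits('password1'):.1f} bits")
    secs = exhaustive_seconds(entropy_bits(26, 6), ESSAY_GUESS_RATE)
    print(f"6 lowercase @200k/s:    {secs / 60:.1f} minutes to exhaust")
    print(f"bits needed for 8 h:    {bits_to_resist(ESSAY_GUESS_RATE, 8 * 3600):.1f}")
```

The instructive output is the last line: at 200,000 guesses per second, anything under roughly 32.4 bits is exhausted within the essay's 8-hour window, and a 6-character lowercase password (28.2 bits) falls inside that even before dictionary tricks are applied. The naive per-password score is deliberately an upper bound; a cracker that tries dictionary words plus a digit first makes "password1" fall long before its nominal 46.5 bits would suggest.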
The best password is definitely AARDVARK. No one could possibly try that one.. I could barely spell it right without looking it up in my dictionary. Good thing it's the first word on the first page.
English isn't the only language with password problems. Years ago a system administrator told me that the most common password in France was "bonjour".
@the person who said that those who had f-you as their password probably recognized the phishing site:
The vulnerability probably used for the phishing page allowed your password to be obtained without user interaction. See http://it.slashdot.org/article.pl?sid=06/11/21/... . If the phishing page was well-designed, which I have no doubt it was, the usernames and passwords would be automatically captured without the users even having a chance to recognize it as a phishing page. Unless those users weren't using IE or Firefox...
It looks like the old "Sex, God, Love" legend about passwords is not even close to the reality nowadays.
Internal company policies are one thing. The important point being missed here is that this was an attack on a typical B2C application. Doesn't matter if every user had picked a 55 character password, they were just as compromised as the 8 character password. Doesn't matter if they picked and typed it themselves or used an automated client. The point is that passwords alone are DEAD as a security mechanism. Want to delude yourself that user education will solve it? How can you stick with that argument in light of this type of attack? Only a system that prevents a user from exposing all of their credential to an attacker is worth considering going forward for internet application access.
I'd noticed for the past several weeks that whenever I tried to log on to americanexpress.com to check my charge card balance, the website would give me an "Our system is not responding" message.
After a few weeks of this I broke down and called their support department. My call was escalated to second tier where I was asked, "does your password contain any special characters?"
Well, my password included a punctuation symbol, which I suppose is a 'special character' so I said yes. I was then instructed to log on using my password, but *don't type the special character*.
I re-entered my username and password, omitting the punctuation symbol, and was allowed to log on to my account!
I am in shock over this. It clearly demonstrates that American Express stores user passwords in cleartext in their database, for one thing.
If anyone here has an AmEx card you might even be able to test this yourself: try changing your password so it has punctuation in it, then logging on.
Yeah...I agree, but people are actually too lazy to type lengthy passwords. Saving them in the browser (Remember password option) is not a good thing to do. Certain scripts can take the password from the browser. So gotta be careful.
I just did a quick check of user passwords at my site, and it's pretty bad. For the 172k user accounts there are only 132k unique passwords. In at #10 is "monkey" with 120, with the name of my site barely beating it with 125. The average length is 8.3 chars.
I just changed my bank password as it was listed here!
They force you to use at least 8 characters but then limit you to no punctuation/special characters. I've got no money anyway, so it probably wasn't worth the effort.
Are the habits of users really changing when they are choosing their passwords, or are they just "forced to" in a way, because it is naturally evolving with their habits regarding login names? As time goes by, more and more people are using the internet, registering on different websites, and they become used to the fact that "simple" login names (like a common word or a word without a digit) aren't available anymore, most of the time… so in the web environment they are naturally going to longer and more complex login names, including digits (just like "superguy178"). I think that this habit just carries over to the way people instinctively choose their passwords. It doesn't mean they are making this choice for security reasons… Forgive my weird English, I am French…
The only reason why there's a lot of "something" then 1 is the stupid password policies enforced by stupid admins which is "users must have at least one non-letter symbol in the password". Users respond completely logically: "you want darned non-letter, here it is, 1". The guilt remains on all the "experts" who all around teach people that "password with a non-letter is much safer".
Instead, people should actually learn to make "diceware" passwords. They are easier to type and handle.
For some purposes, passwords are still the only possible authentication method. I wouldn't like to have some different device for every site I use.
Of course people should not try to remember every password. There are so many places where SOME password is needed. Each stupid web site demands that the user "log in" (some pointy haired director, boss or programmer sells it as if logging in "gives" something to users!).
For "unimportant" things passwords must not be made to sustain any other than online attack.
Some unix systems that are STILL in use have a "maximum 8-character for password" limit. They are broken, but only for such broken systems should users be taught to make "complicated" passwords. Unfortunately exactly these rules then propagate through different texts and programs.
In my family, we write down long, important passwords, but we have a little "trick" that we use to keep the actual password safe. If someone finds the password in the wallet without knowing how to visually decode it, it wouldn't work for them.
That gives us the best of both worlds. A long, strong password that is difficult (even for us) to remember. And a written down password that still requires "cracking."
It's still possible to break, but if somebody is targeting you specifically, and really, really wants your password ... there's not much you can do.
Commenting on the passwords for online banking -- I am amazed how much of the US based banks are still password based (as opposed to having two-factor authentication).
"I guess I don't understand why everyone doesn't move over to passphrases. A lowercase only 20+ char password is still impervious to bruteforce, and is easily remember-able."
Because a lot of sites spit back passwords over 16 characters.
Like "nosotrosbailamos", which was identified with "passwords must be at least 8 characters long".
And "lekvarospalacsintaporcukorral" is an absolutely hopeless case :D
I just think that a unified password interface might still be the way to go. The problem being everyone will want to monetize it and so no websites sign up for it. I get sick of creating accounts everywhere I go. Plus, it is myspace, so is it worth me coming up with something as hard to crack as my bank password? I imagine that a lot of these people don't use "password1" on their investment account page...
It doesn't help that most password generators aren't seamless (i.e. just right-click in the password field to create a password), and, even if they were, too many websites forbid you from saving them automatically, which means that for all the sites I might frequent, I would need to keep a list of passwords.
The problem is solvable, and it is not a technical challenge, rather it is political.
When I read your distribution of MySpace password lengths I went to MySpace to change my own password to a 32 character password (since it was a short 10 characters). What I found was that MySpace doesn't permit anyone to set a password longer than 10 characters.
Given that 11-32 character MySpace passwords are not permitted, how do you think that changes your analysis?
If you want a compromise between passphrase and password, one starting point might be pick a medium-length sentence and use a letter from each word. Results probably look random enough. A seasonal example: Uheoea4eho. ;)
I'm also fond of keyboard patterns - my first ever login password on a BBC B at school involved similar key-presses to ()9! (note the shift/unshift in left hand while the right did things - I did have a classroom of other kids likely to look over a shoulder at the time).
And yes, ecommerce and bank websites that don't permit punctuation suck.
From what I've heard, it's the length of the password and not the complexity that protects it from brute force hacking. Of course, having a long password that's easily guessable isn't smart. I am continually amazed that people can't string 2 or more words together with a couple of numbers to create a password. I even had one user write his username down (composed of his first initial and last name) on the same piece of paper as his password and stick it in his laptop case with his laptop.
From practical experience with similar data from captured phishing servers, we know that a reasonable number of people are pretty aware that the site is bogus.
A couple of those people are entering empty, trivial or complicated passwords, very often also "dirty words".
(Your hit list of passwords including trivia and "fuckyou" fits well with these observations.)
Without positive proof of indeed correct passwords, there is no way to do something like "was cleaned of the small percentage of people who realized they were responding to a phishing attack".
And I cannot imagine that you have done this positive check on all accounts ;-)
Sorry, but this study is more or less worthless for results of real password quality.
Whilst it might be true that obscene passwords were from people who recognised what was going on, it's not a safe assumption. I find that so many places want passwords and, except for the places where a password is pointless, I do use different passwords for each. Given that I might be three months (or even almost a year for a conference submission engine) between logins I can't rely upon repeated usage to improve my recall of them, so I need something I'll remember. Basically because they tend to be scurrilous and because of the emotional charge associated with them, I tend to be better at remembering obscenities _exactly_ than other things. (The problem with something like "keyboard" is that I tend to remember the concept but fuzz the actual word: was it "keyboard", "keyboards", or maybe "piano"?)
Besides, the fact that it's an obscenity should be hashed before it leaves my machine makes it questionable whether it counts as obscene: if I don't mind and no-one else can possibly see it, then does it count as obscene any more? (Yeah, I know lots of places do actually store passwords somewhere.)
cheers, dave tweed
A typically entertaining article but it asks the wrong question. Security is a risk/cost trade off. Instead of asking "how good are passwords?" we should be asking "are passwords good enough?".
An attacker will always choose the easiest attack vector (e.g. the data here came from phishing). If an attacker has the shadow password file, then:
a) the attacker already has significant access.
b) password length is irrelevant (one of the thrusts of your argument).
A password is 'good enough' if its strength is tuned to the number of guesses possible without such access (e.g. the 3 attempts before account lockout).
As you say passwords are fine in certain situations, but let's keep them user-friendly. This means getting rid of complicated rules that irritate users while doing nothing to enhance security.
Interesting to see such a high percentage of alphanumeric passwords. I wonder how many of them are "133t-speak" that could easily be attacked with a slightly hipper dictionary.
So I must say, is it really some shmuck's fault for not using a really hard to remember PW? I mean, think about it, we have enough crap to remember already.
OK, now that that is out.
Password depth can be enforced by business, they just choose not to. So when they get hacked, is it the hackers fault, or GROSS negligence on the part of the company in question?
Someone above stated his bank required an 8-digit alphanumeric PW. So when money comes up missing, shouldn't the bank be held responsible? YES!!!!
As far as PW's go, it's not that difficult to create truly secure PW's. I'd share my method, but then that would put me at risk. However, it's not my password I'm giving, it's a method. So here goes.
Think of a phrase that you can easily remember, but that no one would ever associate with you. I used a petname for a car I owned way back when. Then I spelled out the petname on my ubiquitous cell phone. I now have a number that I can easily remember, just by repeating the petname. Ok, a gimme.
When you develop software security methods, how about this:
If the first digit of the password is not correct, the second digit cannot be entered. Three strikes and you have to have a sysadmin unlock the account. Who cares if your employees don't like it. They can find another job. I've got a business to run, it takes precedence over ALL!!!
BTW, don't try to patent this method, as I've just shared it with everyone, and therefore give all rights to this patentable technology to all. Any attempts to patent this will surely result in your own fraud suit.
"Interesting to see such a high percentage of alphanumeric passwords. I wonder how many of them are "133t-speak" that could easily be attacked with a slightly hipper dictionary."
A bunch of them have that form. The Password Recovery Toolkit finds them eventually, because the substitutions are standard.
"From what I've heard, it's the length of the password and not the complexity that protects it from brute force hacking."
It's both. I think I'm going to write my next Wired column on this question.
"Given that 11-32 character MySpace passwords are not permitted, how do you think that changes your analysis?"
Near as I can tell, MySpace has had a bunch of different rules over the years, and old passwords are grandfathered. That would explain why there are so many letters-only passwords when the current rules don't allow them. And why there are so many longer-than-10-character passwords.
"it's the length of the password and not the complexity that protects it from brute force hacking"
interesting to see such a phrase. i would have expected that "complexity" and "brute force" would be self-evident if not common-sense opposites. after all length is an obvious form of complexity, no?
"'133t-speak' that could easily be attacked with a slightly hipper dictionary."
right. amazing how many people think that a system with keys, however obscure, will be less prone to abuse. replacing letters with numbers is, as bruce mentioned, "standard". mnemonics are a bit more sophisticated, especially when mixed with symbols, but still somewhat prone to standardization. for example:
on the flip side, the increased numbers of mobile devices with highly constrained keypads is putting a lot of pressure on logins to reduce complexity. so while the need for post-password solutions is clearly upon us, the call for simpler/easier password entry is also more present than ever.
@Mg$: "If the first digit of the password is not correct, the second digit cannot be entered. Three strikes and you have to have a sysadmin unlock the account. Who cares if your employees don't like it. They can find another job. I've got a business to run, it takes precedence over ALL!!!"
This technique actually makes it much easier to guess a password - you have immediate feedback about "success so far". Sure, the "three strikes" rule slows things down - but you just switch to a broadband attack: make two tries on everybody's passwords, record results, wait long enough for a reset, and try again. I don't even have to guess the password length, because this mechanism will automatically tell me when I'm done.
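The point made in the reply above, as an added example that is not code from the thread: a toy verifier that stops at the first wrong character is contrasted with an all-or-nothing check, so the difference in guess counts can be seen directly. The secret and alphabet below are constructed sample values.

```python
"""Why per-character password feedback breaks an authentication check.

Added example, not code from the thread. It models the "stop at the
first wrong character" scheme proposed above as a toy local oracle and
contrasts it with an all-or-nothing check. Secret and alphabet are
constructed sample values.
"""

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


class PrefixLeakOracle:
    """Toy verifier that rejects at the first wrong character and so
    reveals how many leading characters of an attempt were right."""

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0

    def check(self, attempt):
        """Return (matching_prefix_length, fully_correct)."""
        self.queries += 1
        matched = 0
        for a, s in zip(attempt, self._secret):
            if a != s:
                break
            matched += 1
        return matched, attempt == self._secret


class AllOrNothingOracle:
    """Verifier that answers only accept/reject for the whole secret,
    which is what a correctly designed login check must do."""

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0

    def check(self, attempt):
        self.queries += 1
        return attempt == self._secret


def recover_from_prefix_leak(oracle, max_len=64):
    """Rebuild the secret one character at a time using only the prefix
    feedback. Needs at most len(secret) * len(ALPHABET) queries, instead
    of up to len(ALPHABET) ** len(secret) against an all-or-nothing check."""
    found = ""
    while len(found) < max_len:
        for ch in ALPHABET:
            matched, correct = oracle.check(found + ch)
            if correct:
                return found + ch
            if matched == len(found) + 1:
                found += ch      # one more leading character confirmed
                break
        else:
            return None          # secret uses a character outside ALPHABET
    return None


def worst_case_guesses(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guesses: (leaky scheme, all-or-nothing check)."""
    return length * alphabet_size, alphabet_size ** length


def demo(secret="monkey1"):
    """Return (recovered_secret, queries_used, worst_case_pair)."""
    leaky = PrefixLeakOracle(secret)
    recovered = recover_from_prefix_leak(leaky)
    return recovered, leaky.queries, worst_case_guesses(len(secret))


if __name__ == "__main__":
    print(demo())
```

The lockout rule only changes how long the queries take; the leak itself is what removes the exponent, so a verifier must compare the whole secret before answering.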
And there is such an easy solution to this. Teach people to use a pass"phrase". Something they can remember, that has different words (either with or without a space), and by preference has something random thrown in. This really works, that is until the password crackers catch up. But even then, even if the password crackers get more intelligent about sentences, the complexity goes up a notch or two.
Obviously, this assumes that people can use long passwords. I'm pretty frustrated with systems that allow passwords limited to 8 characters. Recent example: use 6 to 8 characters, must contain at least two non-alphas, must start with an alpha. Just asking for martijn1, martijn2, martijn3. I'm pretty good at generating passwords that are virtually unguessable, but I need some length here!
Passphrases do work. Even an "I love (insert kid's name)" is hard to guess for a password cracker and not too obvious for someone who knows all spouses' names. Make that "1lovebarry23112002" and things get pretty bad for both the bruteforce attacker and the inside attacker.
I do agree that other security measures should be looked at, but often those are protected by a pin or a password. I don't agree that passwords have outlived their usefulness, we just need to educate the users better. And the best results are combining better passwords with better measures.
We are now in a password-governed sort of life. We use computers to do the work for us. I could not possibly run a sensible password scheme (different good-ish to good passwords for different sites) as my brain couldn't store that many.
I let the situation slide a bit until I found a piece of software called 1Passwd that runs beautifully with Firefox, Safari and lots of other browsers. It generates passwords to the max length of the slot when you first access and thereafter presents you with it whenever required (http://1passwd.com/). Data is stored securely in Apple's keychain.
I understand there is something similar called, I believe, Roboform, for users of obsolescent OSs.
Personally I think that a password management program such as 1Passwd should be a built-in part of every OS as it is honestly impossible to maintain a good password policy without computer assistance.
It seems MySpace users are far better educated about passwords than some large corporations. One company I know of handles benefits management through a web site on the public internet. When it came time for the annual benefits selections, they decided to simplify things for everybody by resetting all passwords - to the last four digits of the social security number. The login is the social security number itself.
The password reflects the fact that most users come from the English world. Every nation has its habit of choosing passwords. It's interesting.
"The password reflects the fact that most users come from the English world. Every nation has its habit of choosing passwords."
The AccessData software has language-specific dictionaries and phoneme generators.
> Personally I think that a password management program such as 1Passwd should be a built-in part of every OS as it is honestly impossible to maintain a good password policy without computer assistance.
Well, a pen, some sheets of paper and a dice can do it too ;-)
While it's true that it is not sufficient to let others but a cryptographically secure random number generator choose passwords, it doesn't solve all of the problems on its own. Some of these problems have been solved already, like:
- memorizing odd passwords: write them down and guard those notes like gold (for example with some help from a tool like "Password Safe" offered here)
- one broken password is able to compromise the whole system: get rid of "root" (askemos, plan-9) or reduce its influence (Trusted-Solaris, SE-Linux etc.)
Some are still problematic, like the problem of how to distribute the carefully chosen passwords to the recipients, especially if you can't trust the client system (you never can in praxi), the connections to the recipients are not constantly on (how do you make sure that a certain username/password combination doesn't already exist somewhere else? You can't, so you have to handle it in some way or another) and a lot of other smaller but nevertheless annoying little issues like:
- check the generated password against a dictionary (the dictionary must be encrypted because every password in use has to be added),
- a PRNG with a finite sequence (a truly random number generator has an infinite sequence, thus it will put an infinite sequence of the same elements out infinite times) and good uniformity (or you might get too long sequences of the same elements)
No, the whole password huddle is a big mess but as long as nobody invents something better ...
PS: the "check against dictionary" is the question "not in dictionary?" so it can be implemented with a Bloom filter and a cryptographically secure hash function. This could be used for parts of the distribution problem too, like the "not always connected" one, if the hashes are keyed, but I don't know if it's worth the hassle.
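The keyed Bloom filter check described in the PS above, written out as an added example (not the commenter's code): positions come from HMAC-SHA256 under a secret key, so the filter bits alone do not reveal the word list, and a lookup answers "definitely not banned" or "probably banned". The key, the false-positive target and the sample word list (the post's top-20) are constructed here; keeping the filter to a banned-word list rather than passwords in use is this example's choice.

```python
"""Banned-password check with a Bloom filter over a keyed cryptographic hash.

Added example, not the commenter's code. A Bloom filter has no false
negatives and a tunable false-positive rate, so "not in dictionary?"
is answered exactly when the filter says no. Bit positions are derived
with HMAC-SHA256 under a secret key, so the stored bits are useless
without it. Key and word list below are constructed sample values.
"""
import hashlib
import hmac
import math


class KeyedBloomFilter:
    def __init__(self, key: bytes, n_bits: int, n_hashes: int) -> None:
        self._key = key
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self._bits = bytearray((n_bits + 7) // 8)

    @classmethod
    def sized_for(cls, key: bytes, expected_items: int, fp_rate: float):
        """Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes."""
        m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        k = max(1, round((m / expected_items) * math.log(2)))
        return cls(key, m, k)

    def _positions(self, item: str):
        """Derive n_hashes positions from HMAC-SHA256(key, item || counter),
        eight 32-bit words per digest, rehashing with a counter if more are needed."""
        data = item.encode("utf-8")
        positions = []
        counter = 0
        while len(positions) < self.n_hashes:
            digest = hmac.new(self._key, data + counter.to_bytes(4, "big"),
                              hashlib.sha256).digest()
            for i in range(0, len(digest), 4):
                positions.append(int.from_bytes(digest[i:i + 4], "big") % self.n_bits)
                if len(positions) == self.n_hashes:
                    break
            counter += 1
        return positions

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self._bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        """False means definitely absent; True means present or a false positive."""
        return all(self._bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(item))


# Constructed sample list: the top-20 quoted in the post, lowercased.
BANNED_SAMPLE = [
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "fuckyou", "123abc", "baseball1", "football1", "123456", "soccer",
    "monkey1", "liverpool1", "princess1", "jordan23", "slipknot1",
    "superman1", "iloveyou1", "monkey",
]


def build_banned_filter(key: bytes, words=BANNED_SAMPLE, fp_rate=1e-6):
    """Size the filter for at least 1000 entries so a real list fits later."""
    bf = KeyedBloomFilter.sized_for(key, max(len(words), 1000), fp_rate)
    for w in words:
        bf.add(w.lower())
    return bf


def is_acceptable(bf: KeyedBloomFilter, candidate: str) -> bool:
    """Reject a candidate that is probably on the banned list; lowercasing
    means 'Password1' is caught along with 'password1'."""
    return not bf.might_contain(candidate.lower())


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-real-secret"   # placeholder key
    banned = build_banned_filter(demo_key)
    print(is_acceptable(banned, "Password1"),
          is_acceptable(banned, "correct horse battery staple"))
```

A false positive only means an occasional harmless password is refused, so fp_rate is a usability knob, not a security one; the HMAC key must be protected like any other verifier secret.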
So this data is skewed by the fact that everyone who gave this password up fell for a phishing attack. Let's even it out by putting a backdoor into Password Safe and getting all of those passwords and take an average? ;)
Adding a few (system-assigned) Passfaces to the above user-chosen passwords would increase the cracking times significantly. For example, adding four Passfaces would increase the number of guesses required by a factor of 6,561 (9^4) - so it would take 136 days to crack 23% of the passwords above (rather than 30 minutes) and about 6 years to crack 55%. And, because Passfaces do not require memorization*, the extra password complexity does not require any special effort or skill on the part of the user.
Try Passfaces for yourself at www.passfaces.com/demo.
[*Passfaces is based on familiarization with, and recognition of, faces. These two skills are completely intuitive and universal. Everyone can do Passfaces - independent of age, language, culture or education.]
BTW: Passfaces are not susceptible to most types of phishing attack - including the one employed to gather these password statistics from MySpace users.
Hey, passwords can be too good at times. I forget if it was Thompson or Ritchie who nuked the Unix VAX each time they logged onto the system console. Logging on at any other terminal was fine. From what I hear it took a long time to figure out that the control-P in the password took out the console...
> They're also fine in low-value security situations, or if you choose really complicated passwords and use something like Password Safe to store them.
Adding to the problem, each website has its own standards for what characters and string lengths are permitted, standards not always stated before choosing a password. The end result is to train people not to bother trying, say, 30 character random passwords using upper, lower, digits, and punctuation, because the chances of the password being accepted are small.
X the Unknown:
OK, you called me there. However, I still think that some form of this could work. In order to reset the lockout, PW would have to change. Therefore, all your efforts would then be meaningless. And a random number of tries could obfuscate things a little more as well.
As far as entering the first to get to the second, well, if the first isn't correct, forcing them to start over completely, by reloading all underlying code, forcing new connections, something, anything.
But again, as I said at the beginning of the post, the responsibility lies SQUARELY with the sysadmin. If password strength is not required, then the sysadmin should be held negligent. Just as if you knew a car was defective, and sold it anyway, and then someone dies because of the defect, you are held legally responsible. Well, fine, when hackers break in and steal my info from your company, you should also be held legally responsible for your negligence.
We have become a nation of excuse-making, blame-laying, suit-happy morons.
There is NO excuse for being lazy. There is even LESS of an excuse for being STUPID!
Those who've had to endure hacks, spam, viruses, spyware, and other crap are just as responsible for the consequences of their actions, or lack thereof.
Who's really to blame for the thief that walks into your unlocked house and robs you blind? The thief, of course, took advantage of the situation and committed a crime of opportunity. However, you also commit the crime of ignorance. It is not an excuse in a court of law, it is not an excuse anywhere else.
"I didn't know."
"WHY THE HELL NOT!?!"
I have become less and less accommodating of ignorant users. After the third time of reformatting someone's hard drive because they couldn't leave the PORN alone, I've decided to hell with them. I've got better things to do. Or better yet, I really bump up the price of repair. I like to teach users how to prevent this kind of junk, but if THEY persist, they don't deserve the break I've given them previously. They DO deserve the hassles of dealing with whatever crap they allowed onto their PCs. They DO deserve to be gouged out of their life savings to pay me to fix the problem. They DO deserve to have their identity stolen.
I know all this sounds really harsh. It is.
But sometimes, you just gotta get brutal with people, to make them understand the implications of their lack of action.
X the Unknown:
Enforcing a one-strike-you're-out policy, and forcing a new password on account reset.
Enter the PW right the first time, OR ELSE.
I know it is more than most want, but again, I have a business to run. Adapt, or be left behind.
In the words of Darwin:
"Only the fittest survive."
I wonder if you are a troll...
Your support people are going to spend a tremendous amount of time fielding password reset calls. Your staff is going to spend a tremendous amount of time waiting for the password to be reset.
Bruce- What else can we do to enhance security (for web sites)? What can I do to identify a phishing screen? I noticed that yahoo lets you setup a "sign-in seal". What other techniques are available?
I use the following scheme to generate passwords:
I take a song lyric I know well, and use the first letter of each word in that lyric. For example, "oh say can you see" becomes "oscys" which is easy to remember but isn't a dictionary word.
If I need numbers or punctuation I just append something like "oscys1776" etc.
Does that kind of password seem strong? I've read someone else come up with a similar scheme.
I've got a 500-random character password on a CD. I go through a simple "authentication" step to change this into the "real" (509 character) password, which I then use to unlock my password manager. I don't know or care what my current password is, and I can change it as often as I like.
Whoops. Dedupe the data and you get different results. Two login attempts by same person are not two different passwords.
Thanks for the info - will print and post this information in our research group, so that members will pick *better* passwords.
I don't get it... do you guess off the top of your heads, or do you use some sort of cracking program to get you the password...?
I want to log on with my previous password.
I have used the same one-letter, multi-number password for all my accounts for the past two years. Is that bad?
I forgot my computer login password. The hint the computer gives me is an old band but I don't remember what it is. Can anyone help?
Should we really be scared of software that can make 200,000 guesses per second? Try asking myspace to serve you 200,000 login pages per second to see why I think not.
In the real world, any decently maintained server would baulk at the number of guesses needed to fall foul of a dictionary attack, and the ones that are not decently maintained would fall over under the strain.
I am very confused about the monkey password. I have used that password for several sites over the past few years. However, if you asked me why I chose it, I couldn't tell you. I don't particularly like monkeys, I don't really ever think about monkeys, I've never heard of the band on MySpace referred to earlier in the article, etc. What gives? Is there something in our collective conscience that causes people to use this word? I am confused and surprised. Incidentally, on my site, the dozen users we have have used the majority of those top 10 passwords. Strange.
Y'all need to unblock school computers and all private websites please and thank you.
Mr. Schneier, if someone has a 20,000 character password, how long would it take for the fastest computer on the planet today to crack it, assuming computer power increases by 100 billion? How many variations does a 20,000 character password have?
The password can be thought of as:
French 'mon' = 'my'
English 'key' = 'key'
It comes from the days when passwords were not cracked by machines very often.
This is Shelby. My brother needs your help. Someone hacked his MySpace, I think it is Tom, and he is saying all the wrong things to his girlfriend. He's telling her that he is getting married, so please help us.
Interesting blog but, for me, loses a bit of credibility by talking about 2.1% of 200 passwords having a particular property.
your described situation in *NO* way indicates that Amex are storing passwords in plain text.
In fact, it might just indicate that the data-flow in their HTML forms is flawed (e.g. not properly url-encoding the stuff). Although you'd think the password would not be part of the request url, it is very common for a Web Application to treat the superset of form fields, query parameters and cookie-values (among others) the same. Also, even if the password would be 'encoded' in plain-text this would not constitute a privacy concern as long as the connection is properly encrypted (SSL).
So what you may gather is that perhaps they have had a number of people mention the same problems, and resolved it by having their password reset to some known value. (No need to know the prior password.) If the logon problems disappear, this would trigger perhaps the support personnel or even the client to think of the special character and discover the 'bug' in the handling of the password input.
If this goes on for some time, it makes a lot of sense that the question "Sir(Ma'am), do you perhaps use any funny characters in your password" will be put on the short checklist for common login problems.
I trust Amex with my details. Besides, I left them because I'm cheap. Besides, they have insurance
So... how do you know for certain that the "f---you" entries were actually passwords and not people who realized they were on a phishing site?
Bear in mind, these are MySpace passwords. The world does not exactly hang in the balance if they are compromised.
I'm a network administrator, so I've got about seventy passwords in my head, at least twenty of which were designed to be fairly strong (20+ characters including punctuation; they're not random, because that would be too hard to remember, but they invariably include nonsense that you won't find in any dictionary, however exhaustive it might be).
However, if I had a MySpace account, I would probably protect it with the same eight-character lowercase password I use on slashdot and about six dozen other unimportant websites. My Twitter password is a lowercase dictionary word with a single digit appended. Because it just doesn't matter that much.
The root password on the cgi server at work, though? Yeah, that one's more than twenty characters and includes something besides letters and numbers. Because I do not want to have to clean up an intrusion there if I can avoid it with the small hassle of a complex password.
In my experience, the vast majority of normal people have no conception of the importance of choosing a strong password - let alone knowing how to do it. Nor do they understand the risk of letting their computer remember their password(s) for them.
In my opinion if a site provider (phpbb, bank, myspace, whoever) wants their users to be safe, then it is for the site to impose strong password constraints. 99.9% of users will never do this on their own.
Personally I have a different password for every single site I visit. Each password changes frequently, is at least 16 characters long, and contains numbers, upper and lower case alpha, and special characters. Not one of my passwords is vulnerable to dictionary attack.
My passwords require no memorization or documentation. I use a mental algorithm to establish the password in the first place, and to renew each password on a frequent basis. I also use the same algorithm to "remember" what the current password is for a given site.
When a site limits my password length or character set, I have a second algorithm to calculate a shorter, weaker password.
Periodically I modify my algorithm, but the underlying principle has not changed since 1995 or earlier when I first started doing this. I have never used the same password for more than 3 months, or on two different sites. Yet I have never forgotten a single password...
It's now 2009, and many online retailers pop up a dialog from "RBS Secure" to help me keep my money safe. Except RBS Secure does not allow you to enter a strong password.
It would be nice to revisit this article Mr Schneier.
Quote: "AccessData's Password Recovery Toolkit -- at 200,000 guesses per second -- would have been able to crack 23 percent of the MySpace passwords in 30 minutes, 55 percent in 8 hours."
I have AccessData's PRTK (version 6.4.2 build 289) running on my machine: Windows 7 Ultimate 64-bit, Intel(R) Core(TM)2 Duo CPU T6400 @ 2.00GHz, 4.00GB installed memory.
Currently it states (while it is running) it is doing around 590,000 passwords a second. The lowest the counter went was to about 490,000 and the highest I saw was about 608,000.
Typing in your password every single time you log into something can be less secure than having a browser remember the password for you. Unless the hacker is physically at your location the easiest way for them to get your password is to either phish or trick you into installing a keylogger. If the hacker is in my house I think he can find more valuable things than are accessible on my computer, and if he's online, then I'd rather not be potentially sending him my password every time I type it.
Why would anyone take the time to try and hack your password when it's obvious from this data that the complexity of your password is irrelevant if you can just fool them into giving it to you?
Looking back at this months later after someone mentioned another study of passwords.
Because of its connection to password hashing, brute-forcing, and entropy, I nominate "For Bruce Schneier, SHA-1 is merely a compression algorithm" as the official Bruce Schneier Quote of this thread.
I'm surprised nobody mentioned that blowfish, used to encrypt passwords, adds significant security over other hashes against password brute-forcing attacks. Written by Schneier himself, no less.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.