Schneier on Security
A blog covering security and security technology.
February 20, 2009
Another Password Analysis
Here's an analysis of 30,000 passwords from phpbb.com, similar to my analysis of 34,000 MySpace passwords:
The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to the ends of their passwords. The phpbb site has no such restrictions—the passwords are shorter and rarely contain anything more than a dictionary word.
Seems like we still can't choose good passwords. Conficker.B exploits this, trying about 200 common passwords to help spread itself.
Posted on February 20, 2009 at 7:31 AM
• 60 Comments
Who uses their real password for a web-based BBS? I don't care about security on a chat system, so I deliberately use an old, irrelevant, easily remembered and very weak password. I do it partly for convenience, and partly to remind myself that phpBB is an insecure system to start with, at least in most implementations it is. Why bother with a strong password on something that's easily hacked?
I'd agree with Brad. A good proof of this is the choice of "dontcare" or such passwords in the list. Really, if I choose not to input any private or valuable information, my account is merely a convenience, which I could not care less if somebody grabbed. Not until I believe I have something to lose will I start thinking of harder passwords.
I have a "don't care" password that isn't a dictionary word (but doesn't involve numbers or punctuation). I use this for pretty much everything I do online socially. The worst someone could do is impersonate me on a few blogs for a few hours.
I have a few other passwords I use for stronger things.
Then there's this one web forum... Apparently sick of accounts getting compromised, they instituted the most draconian password policy I've ever dealt with. I can't even tell you what it is, but it's the longest, most complex password I've ever used, and none of my other passwords, even the most secure one I normally use, actually passes validation.
And you know what? I have no idea what my password is. I can only log into that forum from home because my browser remembers the password; I do not. And, of course, their password reset system is equally difficult and complex.
I don't store valuables in my toolshed, but it still has a decent lock.
Even if you don't care about others hacking your BBS account it's a fallacy to say "I don't care, so I'll choose a password that's easy to crack". That may sound like a valid defense, but it makes no sense, because 'not caring' is not a reason to make yourself vulnerable to attack. Hard to crack passwords are not at all harder to remember if you use mnemonics or an MPF.
Better safe than sorry.
That brings another interesting tidbit. Web browsers remember your passwords. Some (Firefox) will let you recover it, while others (IE) will not. Of course, you /can/ recover them... after all IE can. But this is not part of the interface, and forces you to install a password recovery tool (and I am not sure I can trust any freeware developer that would provide such a feature).
You presumably still store tools in your toolshed, those have some value. I would be willing to bet you have a lower limit under which you would stop protecting "things", whatever that means. I typically use trivial passwords on things where I would not want to open an account in the first place if I were given the opportunity to browse without (I would, e.g. do that here if I could not post without an account).
More importantly, I do not believe that hard to crack passwords are not at all harder to remember. I would love to see anything proving that point.
Just out of curiosity, would it be worthwhile to obtain one of these lists of 30,000 common passwords and blacklist them? It would probably help against the most basic of dictionary attacks and may even educate a user or two.
One thought: there are passwords in that list like 'test'. Consider how many times you've maybe been browsing a forum, wanted to download a file attached to a post and had to quickly sign up to download it - you're never going to use the account again, so any password will do.
I'd be more curious as to the correlation between often used accounts and bad passwords instead - could be an interesting study.
Now that I am in the habit of using PasswordSafe, all of my passwords are strong and unique, whether they protect my bank accounts or some silly social networking account (or a toolshed, for that matter).
I think that's a key point... stop using "favorite" or "don't care" passwords depending on the value of the site. Just keep 'em in the safe and let it remember them for you.
And then give your PasswordSafe passphrase to your wife (or store it some place safe), in case you get hit by a bus.
Yes, there is a limit, but considering that in my opinion the costs for 'simple' and 'hard' passwords are equal I'd rather not think about where that threshold lies.
Moreover, especially in the case of internet sites and social media, your evaluation of where a certain account lies relative to this hypothetical limit may change (from 'nobody talks to me on this forum anyway' to 'all my friends are there') over the course of use. Do you switch at some point? Where is that limit? How do you keep track of all these shifting evaluations?
Choose the easy way out: use better passwords all of the time.
I long ago stopped trying to remember passwords I give to web sites, accounts, encryption systems, etc.
I generate a random unique password each time I need a new one and store them in encrypted files which are accessed using a strong but unique password. That and a practical search system within the file is all I need. Add automatic off-site backup and synchronization of the file, complete with version history and I'm good.
@Lukas, I think you missed my point (I did not clearly make it either): I use weak passwords when I refuse to burn my memory. Yes, I heard Alan and Bruce, PasswordSafe is probably a better answer.
I also refuse to expose how I build passwords to websites I do not trust (e.g. a website that can email my own password in cleartext). What's the point of using a password construction mechanism that can be reverse engineered if the password itself is compromised?
I understand that you may think you do not need a strong password for that particular service now, but what if you change your mind?
"What's the point of using a password construction mechanism that can be reverse engineered if the password itself is compromised?"
Of course the same can be said of using the same password twice, ever. If your MPF can be reverse engineered so easily from one single exposure you're doin' it wrong.
Lukas, thanks for posting that link. I've been pretty lax with passwords of late so will try the formula method from now on. Looks like a winner.
I always wonder how long it'll be till my old employer gets their client accounts hacked. Password security was truly non-existent and as far as I've heard they haven't changed since I left. Just as well they're under pretty much anyone's radar.
All systems should have protection against multiple tries with false passwords. That protects against attacks from the outside. If an attacker can only try 3 passwords a day without a lockout, why do you need a strong password that protects against gazillions of attempts?
That leaves attacks from someone who has access to the system's password database itself. Frankly, if someone gets access to Facebook's password database and starts using it to discover passwords, there are bigger problems than having your account hacked.
Why were there passwords stored to begin with? Why did they just recently upgrade to "newer salted passwords"? I thought everyone knew by now 1) Take a password. 2) Generate a salt. 3) Hash them and store the salt and hash. No need to store the password in any form, clear text or encrypted. Of course if your password is "P@ssw0rd" it still wouldn't take long to figure it out if you have the hash/salt files. I know most of these passwords were weak, but so was the security at this site apparently.
Julian, it would be a mistake to assume that your biggest threats always come from outside. That said, limiting the number of failed attempts is just adding another layer, but if that layer fails, you don't want to have a weak password as your remaining layer of security.
My experience with phpBB is that it can be described as a cluster of security holes, hacks, kludges and insecurities in close formation which as a minor sideline also masquerades as a bulletin board at times. Quite frankly it is a security nightmare, not helped by the developers pulling such wonderful stunts like releasing a security fix a few days before Christmas (meaning that on a large university website you spend most of the festive season expecting some bored kid to hack the thing out of boredom).
The versioning system it uses is frankly rubbish; the version is a single line in the back-end database (I cobbled together a perl-based identification system which guesses the version based on the internal version numbers in the phpBB files) which can be easily faked by devious users, and overall the whole thing is little better.
I use the same user ID and password on many sites - facebook, myspace, google, yahoo, etc. My User ID is always dMan (or dMan83 if I need 6 characters) and my password is !DC-1983#. (Pretty strong, so I am not concerned.)
I don't understand how people can pick easy passwords and feel safe about it.
"And then give your PasswordSafe passphrase to your wife"
But my encrypted collection of porn is about the only thing I want to keep secret. And my wife is the only person I want to keep it secret from.
It amazes me every time I hear of web sites storing plaintext passwords. Or for that matter using MD5 hashes of passwords as security tokens/cookies.
But what amazes me more is that on the "web" we still have "fixed text" passwords at all...
It's nearly 20 years since a picture/photo based system was first suggested and there are fairly simple and secure ways to implement them without the need for SSH or other crypto system.
Most phpBB sites let anyone sign up for free, so the value of guessing my password for such a site is fairly low. Unless I'm an admin on such a site (in which I'd choose a better password), the worst the person could do is make a bunch of posts claiming to be me. Since this is easy enough in SMTP and the damage level is low (a "oops, someone guessed my password" apology post), I don't really care for a strong password in such a case.
@Dr Dan H:
That's because it's written in php, which can be described as a cluster of security holes, hacks, kludges and insecurities in close formation which as a minor sideline also masquerades as a programming language at times.
Julian, I don't like lockouts. Why not? Because sometimes I forget a password, and need to try more than 3 times to remember it. A better system than the "lock-out-for-5 minutes after 5 tries" type thing is to simply make each attempt take a minute. Even a few seconds is enough.
KeePass Password safe does this. The database (actually the master key that your password unlocks to decrypt the database...) is encrypted multiple times with AES. Since you can't precompute the effects of multiple encryptions it takes a bit more time to try each password. Make the number a few thousand or million (or more) times, and the difficulty of brute-forcing the password goes up without increasing user annoyance much. Waiting one minute is much easier than waiting 5 or ten because of a typo.
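The salt-and-hash steps listed in an earlier comment and the "make each guess slow" idea in this one fit together in one routine. The following is an added example, not code from phpBB or KeePass: it uses PBKDF2-HMAC-SHA256 from Python's standard library in place of KeePass's repeated AES, and the record layout, the `ITERATIONS` value and the function names are assumptions made for illustration. It also upgrades a legacy unsalted MD5 record the first time its owner logs in.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Take a password, generate a salt, keep only salt + stretched hash."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "salt": salt,
            "iterations": iterations, "hash": digest}


def login(password: str, record: dict):
    """Check a login attempt. Returns (ok, record_to_store)."""
    if record["scheme"] == "md5":
        # Legacy record: unsalted MD5 hex digest, as described for phpBB 2.
        legacy = hashlib.md5(password.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(legacy, record["hash"]):
            return False, record
        # The plaintext is only available now, so upgrade the record here.
        return True, hash_password(password)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return False, record
    if record["iterations"] < ITERATIONS:
        return True, hash_password(password)  # work factor was raised since
    return True, record


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Average cost of one guess; it is paid by the site and by a cracker alike."""
    salt = bytes(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    a, b = hash_password("P@ssw0rd"), hash_password("P@ssw0rd")
    print("same password, different records:", a["hash"] != b["hash"])
    old = {"scheme": "md5", "hash": hashlib.md5(b"dragon").hexdigest()}
    ok, new = login("dragon", old)
    print("legacy login ok:", ok, "-> stored as", new["scheme"])
    for n in (1_000, ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Stretching raises the cost of every guess against a stolen database, but a password that sits near the top of a common-password list still falls in the first few tries.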
@Julian: "If an attacker can only try 3 passwords a day without a lockout, why do you need a strong password that protects against gazillions of attempts?"
An individual account may not be at a significant risk, which is why users aren't as concerned, but an organization will be at a greater risk, which is why management should be concerned.
I've broken many networks with 3-5 guess lockouts. I may not get the account I want, but if you have, say 1,000 users, that is 3,000 - 5,000 guesses per day. The odds of "password1" "secret1" and another common password working for at least 1 of those guesses is in a hacker's favor.
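Per-account lockout counters never see the pattern described in this comment, because no single account collects enough failures; it only shows up when failures are grouped by source. The sketch below is an added example, not part of the original comment: the log format, the addresses (documentation ranges), the account names and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

# Constructed sample log: one source makes two guesses against each of six
# accounts (one guess finally works), and one user mistypes a password twice.
SAMPLE = (
    [f"2009-02-20T03:{m:02d}:00 FAIL user=user{m % 6} src=203.0.113.7"
     for m in range(12)]
    + ["2009-02-20T03:12:00 OK user=user4 src=203.0.113.7",
       "2009-02-20T09:00:00 FAIL user=bob src=198.51.100.4",
       "2009-02-20T09:00:20 FAIL user=bob src=198.51.100.4",
       "2009-02-20T09:00:41 OK user=bob src=198.51.100.4"]
)


def parse(lines):
    """Turn log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)


def locked_accounts(events, limit=3):
    """What a classic lockout sees: consecutive failures per account."""
    fails, locked = defaultdict(int), set()
    for _, result, user, _ in events:
        if result == "OK":
            fails[user] = 0
        else:
            fails[user] += 1
            if fails[user] >= limit:
                locked.add(user)
    return locked


def spray_sources(events, min_accounts=5, window=timedelta(hours=24)):
    """Flag sources whose failures span many distinct accounts within a window."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            wins[src].add(user)
    report = {}
    for src, attempts in fails.items():
        widest = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            widest = max(widest, len(users))
        if widest >= min_accounts:
            # Accounts this source also logged in to need a password reset.
            report[src] = {"accounts": widest, "logged_in": sorted(wins[src])}
    return report


if __name__ == "__main__":
    events = parse(SAMPLE)
    print("accounts locked out:", locked_accounts(events) or "none")
    for src, info in spray_sources(events).items():
        print(f"{src}: failures on {info['accounts']} accounts, "
              f"then logged in as {info['logged_in']}")
```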
I have a variety of passwords. Length is usually the biggest factor, and increases with the increased security need. My forum passwords are the smallest.
Roboticus and Clive are on the ball here. What was taken were hashed passwords. Apparently version 2 of phpBB just used MD5, while version 3 uses something stronger.
Therefore, it should be obvious (and the Dark Reading article should have stated so) that the list of recovered passwords will all be on dictionary lists or simple variations thereof. The stronger passwords couldn't be recovered from their hashes!
To quantify, phpBB currently claims 342,000 users. If only 20,000 passwords were recovered, that's only 6%. Still far higher than it should be, but we need to recognize that the population analyzed in this article is not representative of the full population of passwords in use.
The whole idea of people thinking up passwords themselves is flawed, I think - you'll always end up using just a tiny fraction of the password space that way.
If you're an individual user, the best *and* only way to solve this problem is to use autogenerated passwords, as produced by e.g. PasswordSafe. If you're a site trying to ensure that users won't have weak passwords... then I'm honestly not sure what can be done, other than running cracking tools like John the Ripper to catch weak ones (but for sites with millions of users, this would probably be too expensive in terms of CPU time etc. required).
It's not necessarily too expensive; after all, the people running the site have one piece of information the crackers don't have, which is when the user is attempting to change their password. For the most part, the cracking tools only need to be run on the new passwords to verify that they're good enough.
That does, of course, assume that the checking tools were put into place before most of the millions of people signed on, and that the cracking tools don't change their lists too often. The first requires implementing security at the beginning, which isn't always an option for already-existing sites.
The second I believe to be mostly valid: most of the changes I've seen to password cracking databases involve adding new languages, though some involve new construction methods, such as how password suffixes are added. Also the fact that the 200 common passwords listed above still work suggests you don't need all that big of a database to protect from many attacks...
If a digit is *required*, that actually makes the password easier to guess and less secure. Consider case-sensitive passwords and disregard punctuation for the moment to simplify the argument. (Although it applies for *required* punctuation as well.)
One character password:
No digit required: 62 possibilities
Digit required: 10 possibilities
Two character password:
No digit required: 62*62 = 62^2 possibilities
Digit required: (10*62)+(10*62) = (20*62^1) possibilities
Three character password:
No digit required: 62*62*62 = 62^3 possibilities
Digit required: 30*(62^2) possibilities
*Requiring* a digit reduces the number of possible passwords.
And does MySpace limit passwords to ten characters (or less)? Tsk, tsk! Longer passwords should be permitted.
Again, this is a great place to use the technique of delaying an invalid login for a few seconds to slow down guess-the-password
There is no valid reason to use weak passwords anywhere for any reason.
It is very easy to think of a "password creation algorithm/template" which you use to generate easily remembered, strong passwords for any login you need to create. Get creative in thinking of your own particular algorithm and have fun with easily remembered strong passwords!
@Anon Y. Mouse:
Yes, if you truly use random letters, a password of only letters will be stronger than a same length password requiring a number.
However, people don't use random letters, they do things that make sense to them. Wikipedia lists the entropy of the English language at 1.5bits/letter tops. While a password choice will be, in general, much better than that, it is still going to top out pretty fast unless you rely on tricks like mnemonics.
A digit is virtually guaranteed to have about 3.5bits/digit, as long as it's not 1 (which is just used so often I wouldn't trust it).
One problem I have had with strong passwords is weak ass systems that won't let you use the full keyboard. My "safe" password generator includes a symbol... often that's against the rules. I've also had to manipulate it to deal with stupid things such as "must be EXACTLY 8 characters" remembering which variant the site demanded is a pain.
Ten characters all upper case letters, random, from a one time pad. There's really no need to ever use a weak password. Need a number? Add 1 to the end.
There are plenty of valid reasons for weak passwords. For instance: Weak passwords are faster and less trouble to type.
If that doesn't work for you, consider this analogy: my apartment would be more physically secure if the front door had five deadbolt locks each made by a different manufacturer. But in fact, I don't even use the one deadbolt I have and often I deliberately leave the door entirely unlocked when I go down the hall to the laundry or the garbage chute or know that I'll be back soon. Why? Partly because it's faster and more convenient to open the door when it's unlocked but mostly because the risk times the expected cost of accidentally locking myself out of my apartment far exceeds the risk times the expected cost of somebody breaking in.
If I use a password like "123456" for 90% of the sites I'm on, I have a much lower risk of accidentally locking myself out of those sites than if I use a stronger site-specific password.
I have been using computers with login IDs for over 20 years. In all that time, I have never lost even a single dollar or a single minute of my time as a result of somebody *else* stealing my (often pretty weak) password. But if you add it all up I've definitely lost multiple hours of my life trying to remember or recover lost passwords, creating new accounts because I couldn't log into the old one, or trying to find workarounds when security restrictions prevented me from using the account I want or the password I want.
The cost of a "weak" password is for most people most of the time entirely hypothetical while the benefit of it is tangible and pays regular dividends.
In my workplace we need to deal with several passworded systems (sound familiar?) all restricted in some form or fashion by S-OX. And heaven help you if you misremembered the password (resetting PW not easy).
Since changing these PW often was a given, it was helpful that most of the time you could give these systems a more-or-less common password.
Except that each system had its own, mutually incompatible rule system, and if the word doesn't work change it to one that does NOW ( or be late signing on on the clock ). The best way to make sure these passwords get remembered is to quickly write them down, so you don't forget what it was after a hectic day, and possibly a weekend.
Hey, I'm not telling you anything you don't already know.
Password Safe would not be allowed since we were (still are) not allowed to place anything on our workstation PC.
A LOT of slips of paper with PW on them roam the carrels.
@MKotS: password safe is a small executable that does not require installation. You could do what I do and keep the executable database on a portable thumb drive. As a bonus, you can encrypt the thumb-drive with TrueCrypt (which can also operate directly from the USB drive) to add an extra layer of security should you ever lose it.
I had the students in my cryptology course program a dictionary attack this semester. Each one had to encrypt a phrase with just a dictionary word, and then one with a number on front, behind, or replacing a letter.
Lazy students used a list for the dictionary and needed 40 minutes to crack the single word ones, didn't make any of the "harder" ones.
Smart students used a hash table and then swallowed hard - in about 20 seconds they could crack each of the dictionary password encryptions, with about an hour they even got some of the ones with numbers in them. (We agreed on an encryption method so everyone was using the same one.)
Many reported changing their passwords after this exercise, especially on MySpace.....
We should be promoting the use of cross-platform cross-browser tools like LastPass which can generate hard passwords and then remember the passwords for the users.
TrueCrypt needs admin rights if it isn't already installed.
Some organizations "monitor" USB Mass storage devices (USB drives/flash/sticks), so plugging one into the computer would be grounds for dismissal.
I acknowledge that it's a valuable resource for such analyses, but I wonder why the passwords are stored in plaintext in these websites in the first place!
I've been thinking about using Password Safe... but am actually quite glad that I haven't gotten around to setting it up.
My house was robbed last week and I lost my computer *and* my backup device. Yes, it's stupid keeping the backup device and the computer in the same place, but I'm a slow learner... and if I was using a USB key to store the safe that wouldn't have been very far away, either.
As it is, I can remember (and change, if I care) my weak-ish passwords on various sites, and I can change the passwords that have value to me... which strangely enough doesn't include any forums. If anyone posts something as me, then that's their problem. If I was relying on some external system, then I would be locked out of everything for an unknown period of time.
What worked for the WANK worm still works today. Amazing.
Over years I have developed my own system of making new passwords that is easy to remember and I can use different passes for different sites. Complex but easy to remember system of letters, numbers and special characters.
Single factor authentication must go the way of the dodo! Across the board!!!
It is the biggest joke of all jokes and the 900 pound gorilla standing on the huge Indian elephant in the room!!
I agree with some of the others above. When it comes to forum passwords, I don't care at all about how secure they are. If someone were to crack my forum password, so what? They can post as me for a day, big whoop. I always assume that forum administrators are not honest and forums are easy to hack and that any password I use there might be revealed and give clues about my stronger, more important passwords. Thus, I'm better off using a simple throwaway password.
From the referenced article:
"I'm interested why "dragon," "master," and "killer" made the list. They appear prominently in other password lists, too. I have no explanation for their popularity."
From the above, we learn that Robert Graham doesn't play MMORPGs, CRPGs, RPGs or similar games :-)
I find some of the comments above on passwords interesting. My weak passwords are the nth (usually first or last) letters of each word in a fairly long passphrase (often with punctuation, numbers, etc). My strong ones are as random as I can make them (hand-flipped coins, converted into binary numbers into an Ascii chart, invalid values eliminated).
The main reason I use "weak" passwords at all is that the strong passwords take more time to create. I don't note any difference in how easy they are to memorize - that seems to have to do with the length and the alphabet size.
As a side-comment on alphabet size, I wish that more password entries allowed unicode. I could make some really neat passwords using logographs and syllabaries.
I mean, just think of the possibilities of using a kanji dictionary alone. With a 20-sided die, 12 rolls, and about 6 characters, you could create a very easily-memorized password (assuming that you can read kanji) randomly selected from over 4 quadrillion possibilities. With 18 rolls, keeping with a minimal kanji dictionary size (say 2,000 characters), you can get 64 quintillion - still at 6 characters. You could do even better in 6 characters with a full hanzi dictionary (over 4 hexillion, assuming a large, 40,000 character dictionary).
@Anon Y. Mouse: I am a webmaster and while I stipulate that your arithmetic is correct and requiring numbers or special characters (I require both with a minimum length of 10 chars) decreases the THEORETICAL security of the system, in actuality it INCREASES security for >90% of users because it prevents them from using a simple bare dictionary word; this in turn increases the average password security of the site.
Bob: sites that require me to use a "strong" password for purposes I don't regard as sensitive tend to lose my business. The problem with having such severe and unique constraints that I need to construct a special password variant JUST FOR YOUR SITE is that I'm more likely to forget it. I might have to write it down or store it in a text file or make heavy use of your "reset password" feature. If your site isn't of especially high value to me, I'm likely to decide it's just not worth dealing with.
If you want to prohibit a "simple bare dictionary word", then run a check for that explicitly; what you're demanding sounds like serious overkill for most purposes. Heck, my *banks* are less strict than that...
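An explicit check of the kind suggested here, run only when a password is set or changed as proposed earlier in the thread, can be small. This is an added example rather than any site's actual policy code: the word list is just the handful of passwords quoted on this page, and the substitution table and function names are assumptions. A real deployment would load a much larger list of common passwords.

```python
import re

# Constructed list: common passwords quoted in the post and comments above.
COMMON = {"password", "secret", "dragon", "master", "killer",
          "test", "dontcare", "123456"}

# Assumed table of common character substitutions, undone before lookup.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})

EDGE_JUNK = r"[\d\W_]+"  # digits and punctuation stuck on either end


def candidate_forms(password: str) -> set:
    """The simple variations of a base word that a cracking tool tries first."""
    base = password.lower()
    forms = {
        base,
        re.sub(EDGE_JUNK + "$", "", base),                     # "secret1" -> "secret"
        re.sub("^" + EDGE_JUNK, "", base),                     # "1secret" -> "secret"
        re.sub("^" + EDGE_JUNK + "|" + EDGE_JUNK + "$", "", base),
    }
    forms |= {f.translate(LEET) for f in forms}                # "p@ssw0rd" -> "password"
    forms.discard("")                                          # all-digit input strips to nothing
    return forms


def blocked_base(password: str):
    """Return the common password this one is built on, or None if it passes."""
    hits = candidate_forms(password) & COMMON
    return sorted(hits)[0] if hits else None


def screen(new_passwords):
    """Run the check over a batch of proposed passwords; return the rejected ones."""
    return {p: blocked_base(p) for p in new_passwords if blocked_base(p)}


if __name__ == "__main__":
    proposed = ["password1", "P@ssw0rd", "Dragon!", "123456", "tq7#Vm2pXz"]
    rejected = screen(proposed)
    for p in proposed:
        verdict = f"rejected (based on '{rejected[p]}')" if p in rejected else "accepted"
        print(f"{p:<12} {verdict}")
```

Because the check targets base words instead of demanding character classes, it rejects "password1" while leaving the user free to pick any password that is not on the list.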
People not using a secure password on a random BB is comparable to this blog, where you can't even prove you are you, because there are no passwords at all. A bunch of us post here repeatedly using the same thing in the "name" field, but there's no guarantee I'm the same "Nick S." that has posted previously or may post in the future. This site would be in the doghouse more than phpBB if we really cared.
-----BEGIN PGP SIGNED MESSAGE-----
More likely is that if Bruce cared, the site would not use the current system and therefore still wouldn't be in the doghouse.
If you want to prove that you're the same Nick S each time, you can do it without help from Bruce or the site software.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
In my experience, the vast majority of normal people have no conception of the importance of choosing a strong password - let alone knowing how to do it. Nor do they understand the risk of letting their computer remember their password(s) for them.
In my opinion if a site provider (phpbb, bank, myspace, whoever) wants their users to be safe, then it is for the site to impose strong password constraints. 99.9% of users will never do this on their own.
Personally I have a different password for every single site I visit. Each password changes frequently, is at least 16 characters long, and contains numbers, upper and lower case alpha, and special characters. Not one of my passwords is vulnerable to dictionary attack.
My passwords require no memorization or documentation. I use a mental algorithm to establish the password in the first place, and to renew each password on a frequent basis. I also use the same algorithm to "remember" what the current password is for a given site.
When a site limits my password length or character set, I have a second algorithm to calculate a shorter, weaker password.
Periodically I modify my algorithm, but the underlying principle has not changed since 1995 or earlier when I first started doing this. I have never used the same password for more than 3 months, or on two different sites. Yet I have never forgotten a single password...
An alternative to weak passwords could be this password manager, which we developed with focus on visual password recognition - www.passwordstar.com
I use just https://www.pwdhash.com with a version downloaded on my PC. What has always been a puzzle to me in discussions on Passwords, is that they can only work if the user/account name is also known, so why does no one ever discuss the need to choose a user/account name with just as much care as a password?
Most online services also use a person's email address as the user/account name, so if the email address is used for general communication and therefore widely known, this could be a key weakness. If the email account itself, is only protected by a weak password, then this could give indirect access to lots more passwords, as they often contain passwords for lots more services or act as the mechanism to receive passwords via lost password functions on websites, which are usually based on entering an email address...and the website often confirms it 'knows' of the email address inputted, thereby giving away information.
I therefore always use a unique email address, that I don't share or use other than for a particular online service.
I also use email services that allow for Alias email addresses to be forwarded to my main account. I then never share the actual 'real' email address to anyone.
In short a password always needs to be combined with other user data to gain access to something (online) so I would like to hear any thoughts on how to protect the other data akin to the ways of creating passwords.
I tried reading all the threads here but I have an auditor on my back asking me about passwords. Question for you?
I maintain that a password with a minimum length of between 6 to 8 characters is MORE secure than a password where the minimum and maximum is 8. Is there any validity in this? (assuming alphanumeric complexity). This is for an old RACF mainframe site.
"I maintain that a password with a minimum length of between 6 to 8 characters is MORE secure than a password where the minimum and maximum is 8. Is there any validity in this? "
At best, the increase in the password search space is not enough to worry about. In practice, users will choose six-character passwords and the security will be significantly less.