Interesting stuff, thanks! I bet you could raise it to many more tries and still not particularly compromise the system's overall security.

My company recently set up some kind of password-reset application in order to reduce support calls due to locked accounts. After you opt in (I didn't), you can use some kind of identifying information (like the last 4 of your SSN) to unlock your account and reset your password. I'm curious what this system cost, when raising 3-strikes to 10-strikes would cost only a few minutes of one person's time and achieve the same reduction in support calls without undermining the company's security.

wg

Frankly, I don't think it's a big risk to use the same password across multiple consumer throw-away sites that I don't care about (e.g. Pandora), as long as you keep your email, work, banking, etc passwords totally distinctly different. I suppose if I thought the threat model for that contained significant risks, I might use PasswordSafe or something similar, but I am a bit distrustful of adding "one ring to rule them all" for my main passwords.

I thought someone was going to object that 8 characters were pretty vulnerable to rainbow tables and that's generally true, but that is why I put in the caveat "+odd char".

Just because we're talking about securing services that look after one's password properly doesn't mean that all of them do. Every week, another service is found to be storing passwords as plaintext (this week it's Pandora).

Yeah, but it gets cited all over the place in discussions about password creation.

So I'm glad the comic is cited in discussions about password creation. Hopefully the folks who invent goofy password policies will read it and realize all their silly rules don't actually help the situation.

Yes, you'll change the password, assuming you know the database is exposed before any damage is done.

@boog
Yeah, but it gets cited all over the place in discussions about password creation.

Generate them via an admittedly pseudorandom mechanism of your choosing, but permute/tweak that output in a way that varies each time by whim so that anyone intercepting or predicting the generator results can't use them against you.

Write your new odd password down (further encoded if paranoia dictates) and stick it in your wallet/purse and pull it out when you forget it during the first week... but you'll know it a week or even a few days later enough you can even (securely) discard or put your copy in a safer offline place.

You're not accounting for capitalization, punctuation, etc. For example:

• correcthorsebatterystaple
• correct;horse;battery;staple
• CoRrEcThOrSeBaTtErYsTaPlE
• cOrReCtHoRsEbAtTeRyStApLe
• CorrectHorseBatteryStaple
• correct,horse,battery,staple
• correct.horse.battery.staple
• ...and so forth

"Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it's not what the average user should worry about."

1. The part you quoted above.
2. Nobody claimed the scheme was bulletproof; Randall just used it to refute the idea that the password-guessing ability of computers correlates with complexity as perceived by humans, a common assumption as shown by many corporate password policies.
3. It's a freaking comic.

The comic does specifically address that first point:

"Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it's not what the average user should worry about."

You secure yourself against the first threat. The website secures itself against the second threat. If a password database is exposed, you don't think "Oh it's cool, my password has 160 bits of security, it'll never be cracked." You change your damn password.

Adding to your comments on the XKCD scheme:

1. The XKCD scheme assumes a really slow guessing rate of 1000 guesses/sec. Real world guessing rates are usually much faster (and getting faster):
http://hashcat.net/oclhashcat-plus/

2. The scheme doesn't provide a method for random generation of words. And are random words really as easy to remember as is suggested? It is maybe no surprise that people often use non-random phrases which are easily recovered e.g. http://securitynirvana.blogspot.co.uk/2012/06/...

3. Diceware does provide a method for random generation but their base entropy recommendations start at around 65 bits or a minimum of 5 of their dictionary words (and that part of their FAQ maybe needs updating...). For anything worth protecting a minimum of 6 or 7 words is more reasonable. So at best a user will end up with something 'memorable' like: algerklmcurryblondpuck or herasteamslopaimjoindel
http://world.std.com/~reinhold/...

If you assume a dictionary of 60000 words instead, you're still talking about less than 64 bits of entropy, which is better than most 8-12 character passwords but still well within the realm of brute force.

Maybe if you choose six to eight words instead, if would be decent, but if they are *random* words thats a lot of weird crap to remember. Any phrases with English-language correlation in them will have significantly less entropy.

I ordered a Yubikey a couple of months ago. I'm still experimenting with it but definitely worth the $25.

Google Authenticator is another cheap way to get password + OTP on Google and other services, like LastPass.

"You can compile Keepass yourself... BUT then you have to trust your compiler"

Well first I have to trust the source code.. Or have the ability & time to read thru the entire source for bugs/ trapdoors...

If you have a set of 1000 common words (he assumes 2000, but it sounds too high for me), using 4 of them would mean 100^4=10^12 options, that would give you 40 bits of entropy (44 according to Randy).

If you have a set of 10.000 uncommon words, and 8 common variations to it, plus two truly random characters, you'll have 8x10.000x64^2=327.680.000 options (about 28 bits of entropy).

@boog
Looks like yet another Rule-Of-Three example

@Bruce Clement
From my personal experience (with Chinese and other people) they tend to use standard character set (not every system can handle non-ASCII symbols correctly), however dictionary is somewhat larger due to romanization and "wrong keyboard layout" technique

@AC2
You can compile Keepass yourself... BUT then you have to trust your compiler.

What about this scheme (a bit like salting), you have just one strong password, say 'abcdefg' (NOT real example!)

And then for each site you set your password as follows (say for Gmail):

3rdTo13thChar(sha1('abcdefg@gmail.com'));

I'm a bit paranoid I guess as I don't trust Passwd Safe/ Keepass/ Lastpass etc.

People still use Crypt? Are there really that many Solaris 7 boxes still around?

If nothing else, it extends the time between DB compromise and attacks using cracked passwords, at least for users who made adequate password choices.

Owing to the conviction power of graphs and metaphors, it is XKCD's receipt that got my vote, but I am attracted by the elegance of yours just as much.

Thanks for your time and explanations!

Was wondering what you thought about LastPass. I like it since my passwords sync to all of my devices (they send everything in encrypted format and hash with a strong algorithm as well), but I know that this poses risks.

Still, I think that the security gained by having a different randomized long password for every web service that I use outweighs the risks of my hashed passwords being stored on LastPass' servers.

I'm not sure if you've looked at them carefully or not, but really want to know what you think.

Thanks,

Alex

With each character being a word, I would imagine that something akin to the XKCD password algorithm would work well for them, but would also be less secure if the most common characters are constantly chosen.

I'm guessing here, but wouldn't deliberate misspellings be very difficult to achieve?

What effects would all this have on password cracking?

Or D2uUPEhNPEUHQ>H_%X.TM#Wg6txQb}\S.

The simplest way to guarantee that passwords can't be cracked is to generate them randomly. Granted, this doesn't help when the back end quietly truncates to eight characters without notice, but there's nothing one can do about that aspect of things.

And no, I don't remember all these passwords. My password manager does that for me. I have to remember only one of them.

The big advantage to this, as opposed to an algorithm relating to site information, is that recovering from a compromised password is "easy". Generate new password, update password, done. Using an algorithm by site, on the other hand, is equivalent to building a new cipher for each message.

Obviously Moore's (misstated) Law will soon catch up even with 32-character passwords, but for the next few years at least it SHOULD be enough.

Sadly, my experience indicates otherwise, at least for things that matter (banks, credit cards, student loans, utilities, etc.). At my job, even Active Directory will lock me out after 3 failed attempts.

@Figureitout

I like to secure my accounts from myself. Otherwise I might successfully log in and be forced to engage in such excruciating activities as paying bills or doing work.

The "Schneier scheme" is incredibly useful, however, in providing answers to security questions that couldn't be found with a quick 10-minute search and look at my Facebook page. Something like "What was your first car?" could result in an answer of mFcWaC1995hA - "my first car was a crappy 1995 Honda Accord".

Note that neither of these are the exact scheme that I use, as it would be silly to give that away.

Ha, you know your pw is good when you lock yourself out of your acct.

Never underestimate the power of 3. :)

The thing that puzzles me: why 3? Seems like such an arbitrary number. Statistically-speaking, a password-guesser doesn't have that much better chance of guessing my password in 100 guesses than it does in 3. If it locked me out after 100 failed attempts, it wouldn't be any less secure. So how was 3 originally determined to be enough tries for a person to get their password right? Was it even devised intelligently, or was it selected because it "just seemed natural?" Like 3 wishes? 3 blind mice? 3 strikes and you're out? This isn't baseball.

One major insecurity occurs when a hacker gets access to the back end infrastructure at a site where all tyhepasswords can be pilfered from one place, even though they are hashed. An intruder can work offline to break the password and match the hash, and then gain authenticated access to the account, OR log into the users account at other sites because the user reused their password elsewhere.

Full reference:
R. Shay, P. Kelley, S. Komanduri, M. Mazurek, B. Ur, T. Vidas, L. Bauer, N. Christin and L. Cranor. Correct horse battery staple: Exploring the usability of system-assigned passphrases. In Proc. of the 8th Symposium on Usable Privacy and Security (SOUPS'12). Washington, DC. July 2012.

Paper: http://www.andrew.cmu.edu/user/nicolasc/...

This implementation uses a pool of 1949 words. Since there are four words, and they're chosen independently from each other, there are 1949⁴ = 14,429,369,557,201 possible passwords, which is slightly over 43 bits of security. (To get 44 bits you'd need to bump up to a 2048-word pool.) A computer brute-forcing at 100,000 passwords per second would take 4.5 years to crack this, which is more than secure enough for most users' needs.

If it's not secure enough for you, you can add a digit to the end (adds about 3.3 bits of security), randomly capitalize the first letters of the words (adds 4 bits), or just add a fifth word (adds almost 11 bits). Of course, you actually do have to have random words, generated by a computer. The first four words that pop into your head are very low entropy.

The best option, of course, is to use a program like Password Safe or KeePass to generate and store truly random passwords, and secure that with an XKCD-style password; that way you only have to remember one password while still using a different password for every site.

In these cases the attacker can mount an offline brute-force attack against those credentials to try to decrypt them at his leisure, bringing to bear all the computing power at his disposal.

It doesn't matter how fast the has function is, since you can make the actual algorithm as slow as you want by iterating it until you have achieved the desired duration.

If they need a rate-limiting feature, they would rather design that in as a sleep, during which they could serve other web pages rather than expensively hashing 'password1'

If the password or password hash database is stolen, it isn't the strength of the user's passwords that is the issue.

Good question. Web sites should be using key derivation functions or some type of strengthening that dramatically slows down the speed of an attack on a stolen password database. But most don't because most of the the people that build web sites understand design and not security. It's actually a wonder that they even bother to hash them.

Using HashCat and GPU to crack Sony salted SHA1 hashed password database:
http://www.troyhunt.com/2012/06/...

Whitepixel 8 GPU hash cracking machine:
http://blog.zorinaq.com/?e=42