How to Harvest Passwords

Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

For the record, here's how to choose a secure password:

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.

Even something lower down on PRTK's dictionary list -- the seven-character phonetic pattern dictionary -- together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix. And yes, these passwords are going to be hard to remember, which is why you should use a program like the free and open-source Password Safe to store them all in.

EDITED TO ADD (12/5): Note that I am not actually accusing them of harvesting passwords, only pointing out that you could harvest passwords that way.

Posted on November 29, 2007 at 7:03 AM • 105 Comments

Comments

Clive RobinsonNovember 29, 2007 7:29 AM

When you follow the link and read some of the info about strong passwords virtualy the first thing that hit my eye was...

"It contains both small case and upper case characters. This doubles brute force attack time, because it needs to check both cases."

Oh dear Oh dear Oh dear,

It doubles for every character in a pure alpha password so for a ten character password it would increase the "Brute Force" time by a little over a thousand (2^10 = 1024).

Ho humm....

jananthaNovember 29, 2007 8:03 AM

Another really good way to create a pretty strong password is to make use of your first or secondary language. For e.g. sinhala,tamil,urdu.. and type it in english. I guess that will stay strong as english dictionary wont have it!

Angel oneNovember 29, 2007 8:09 AM

On the subject of substitution, I noticed a while ago that to make passwords "stronger" everyone simply did basic substitution - e turned to 3, o to 0, etc. While this may look stronger, what it means practically is that people have dropped letters like o, e, a, and l from their passwords and just replaced them with numbers. It would be wise when brute forcing passwords to start doing the same thing.

MichaelNovember 29, 2007 8:13 AM

And make sure, that you have another copy of your passwordsafe database in a secure place.

PatrickNovember 29, 2007 8:21 AM

Diceware is an excellent way to generate strong and truly random passphrases:

http://world.std.com/~reinhold/diceware.html

Simply choose 5 words at random from their list of 7776 words. To choose each word, you roll 5 dice (six-sided).

The resulting passphrase is very easy to remember, yet very strong. Guessing a 5-word passphrase is about like winning the lottery a million million times in a row.

Here is an automated demo:

https://loom.cc/?function=folder&new_folder=1

(Press the Random Passphrase button to try it.)

Here is a Perl script which does the job:

https://loom.cc/?function=view&hash=2bf1b7d8790e77b25da29b40a4165e4f708e211524c61f5f1edfa99be7ef454e

However, I recommend using real physical dice when security is paramount.

Some web sites do not accept these passphrases because they are too long or they don't have enough "special" characters. For cases like that, diceware does have a special page on how to create conforming passwords.


JohnNovember 29, 2007 8:48 AM

I distinguish between passwords that are nuisances and those that should provide security. For nuisance passwords I use simple words.

For secure passwords, I roll the dice. I have a plastic jar containing a number of dice. I also use a 6x6 table of 26 letters and the 10 digits. Each pair of dice give me row and column coordinates to select a character.

If upper and lower case is desired, I then flip a coin for each letter.

The common objection to my method is that random passwords are too hard to remember. I have not found that to be the case, and I've been using random generated passwords for years. It takes several uses, but after that my fingers remember which keys to strike even if I don't. I suppose it is because I used to play the flute.

NevoNovember 29, 2007 8:59 AM

My Windows password is an English sentence. No substitutions, easy to remember, and at 20+ characters, I'm fairly confident it will never be guessed.

GarickNovember 29, 2007 9:01 AM


I've always liked the diceware approach.

For systems where a password protects important data, I often use 64-128 bits of base85 encoded random data and pgp it for reference.

128 bits in base85 works out to 17 characters which is not bad for typing.


JohnNovember 29, 2007 9:03 AM

I've cracked many networks in my years as an auditor, and I must say that the easiest way has always been just to ask users for what you want. Someone usually trips up.

Passwords also need to be changed frequently enough that if they are compromised, their useful life is short.

GonoroNovember 29, 2007 9:22 AM

Substitution can be effective. Watch the transformation of this passphrase into line noise:

"i like cheese"
"I like cheese!"
"I l1k3 Ch3£Se!"

Easy-to-remember, there's a little rhythm in the shift key, it's statistically fairly tough to brute-force, and even if someone sees you typing it they're not likely to figure it out.

AGNovember 29, 2007 9:22 AM

I have to second Nevo's comment. As long as the application allows spaces, a full sentence with capitalization and punctuation is just as good against common brute force as randomly generated words. I tend to combine this with janantha's suggestion - the only problem (in remembering the passphrase) comes with transliteration inconsistencies. Of course I assume that, say, ISI agents trying to crack RAW systems use massive word lists of common variations of transliterated Indian-language words and phrases first.

timNovember 29, 2007 9:26 AM

@john
"Passwords also need to be changed frequently enough that if they are compromised"

You contradict your own statement. You say if you want a password ask for it. Therefor changing passwords frequently doesn't work.

Forcing people to change passwords frequently forces them to use passwords that are next to useless.

BrianNovember 29, 2007 9:39 AM

To bad it´s pretty easy to recover a Windows password ;)
@Thomas_P

And too bad it's pretty easy to get root access into a Mac.


RCNovember 29, 2007 9:43 AM

An easy way to choose a secure password is with password cards you print yourself.
http://www.webplaces.org/passwords/
Deal a password of whatever length you like. The cards include upper and lower case letters and numbers.

Make sure the cards do not spell out a word. If necessary, rearrange the cards.

JohnNovember 29, 2007 9:44 AM

@Tim: "You contradict your own statement. You say if you want a password ask for it. Therefor changing passwords frequently doesn't work."

Not really a contradiction. I understand your point, and I agree with most of it. If users freely give up their passwords, changes aren't effective.

The flip side is it increases the effort required to retain access by an unauthorized person. If the change interval is 30 days, on average a compromised password will be useful for 15 days. Then the unauthorized person must go through the motions again to regain access. This also increases the odds they will be caught if they have to call and BS people every month.

As with everything, it is a trade off.

Rich WilsonNovember 29, 2007 9:45 AM

I 2nd tim, frequent password changing has a very high cost that many 'experts' ignore. Another thing to be considered is that if you are assuming your passwords are being compromised and are mitigating that by making their lifetime 'short', how short is short enough? I've never met anyone who implemented a frequent password change policy who actually put real thought into the password period.

I like American Express's password policy. Your password must be at least 8, but no more than 10 letters or numbers. Case insensitive.

What's even better- if you try to create a longer password, it will accept it but silently chop it.

Anyone know the crack time of 36^10?

JohnNovember 29, 2007 9:50 AM

@Rich Wilson: "Anyone know the crack time of 36^10?"

Lots.

On the flip side, an unauthorized person would have to be very unfortunate to have to guess every single password.

I agree with you--we should not change passwords under the assumption of compromise. However, I do believe forcing unauthorized people to work more frequently to retain access increases the odds they will get caught.

John RidleyNovember 29, 2007 10:01 AM

One of my pet peeves is systems that put serious limits on password strength. I've seen many systems that only allow letters, or only letters and numbers, no spaces, no punctuation. Combine that with systems that limit you to something absurdly short like 8 or 10 chars and I usually just take my business elsewhere.

For most things, I use Password Safe to generate a random password. I usually use 16 chars; if it's random, there's no reason not to use lots of chars since I have to cut/paste it anyway.

For things I need to personally remember (like the password safe combination) I use acronyms of sentences with L337 substitutions in some places.

Erik NNovember 29, 2007 10:09 AM

My rule one is unfortunately not password strengthening: Use the character subset located equally on US and your native keyboard. It is so common that in single user mode keyboard is set to US and you have no idea where the characters are.

My rule two is better: Choose a pattern. I don't know what my password is, I just know how to type it - which is why I need rule one.

John WNovember 29, 2007 10:13 AM

I use password safe myself. I have an insane password for it, and I use the max length for everything else.

Ed HurstNovember 29, 2007 10:16 AM

Taking advantage of some limited musical talent, I don't find it hard to remember the key passphrase when using initial letters. I pick a song I know well and love, use the initial letters with sensible capitalization, keep the punctuation, and substitute a few numbers when it's too simple, and similar tricks. An old one: "Giictrl!" from the first line of a gospel song "God is in control!" In that case, I used the abbreviation for the CTRL key to replace the word.

Colin MNovember 29, 2007 10:24 AM

I know it's best to use punctuation and other funky characters in passwords, but I never use them for website logins. I've been bitten too many times by poorly programmed sites that do wrong things with escaping special characters (particularly +, ?, or %) and end up breaking in subtle ways or preventing me from logging in, sometimes months after I set the password.

J.D. AbolinsNovember 29, 2007 10:33 AM

@janantha's suggestion for using one's second language as a source for passwords.

Although using, say, Urdu or Tamil could hamper a dictionary attack using English, there are pw cracking dictionaries for other languages, jargon, fan interest terms (e.g.; Star Trek), and so on.

If the attacker knows a bit about the password user's background, he could avail of dictionaries for the second language.

Also if the non-English word is used solely with letters and numbers, a brute force attack may come across the non-English word.

Using "chat alphabets" for certain non-Latin character sets may not be all that helpful. (For an example of a chat alphabet, see http://en.wikipedia.org/wiki/...

Using other languages as *a part* of the password generation process can be helpful. Using single words or common phrases, even with some modification such as "l33ting", is not helpful.

NickNovember 29, 2007 10:34 AM

PasswordSafe is certainly an interesting app but it, like many other password storage apps has my "warning Will Robinson" alarm bells ringing. They idea of using a password to store a listing of passwords screams problems to me. Now an intruder only needs to crack a single password to access all server/services passwords. That is scary! I still like the, locked in safe technique. That way it introduces two fold security: Physical access to safe and safe combination.

BMurrayNovember 29, 2007 10:45 AM

If you're using something like Password Safe to store your passwords, doesn't it make a lot more sense to simply make them random? Why a clever password scheme to make a password you can't remember to store in a tool so you don't have to?

AnonymousNovember 29, 2007 11:02 AM

Why come up with your own passwords at all? If you use Password Safe or a similar tool, just use that one to generate passwords for you.

TomKNovember 29, 2007 11:18 AM

I play piano, so I just tap out a piano tune on the keyboard. On my (Dvorak) keyboard, the first 9 notes of fur Elise can be:

wtwtwxmbk
slslshntd

All you gotta do is remember a tune and where you started and it is pretty good. Then I sub a couple of the notes with punctuation or numbers:

wtwt4xmb&

Easy and secure.

canonbkrNovember 29, 2007 11:18 AM

Passwords... We don't need no stinking passwords...

... Remember, they can't hack me.

Besides No Guts, No Glory....

a Non e MouseNovember 29, 2007 11:25 AM

# Found on slashdot.org 3/26/1999
# Generates a random mixed password
#
dd if=/dev/random bs=6 count=1 2> /dev/null | uuencode -m - | head -2 | tail -1

wiredogNovember 29, 2007 11:32 AM

@john
"Passwords also need to be changed frequently enough that if they are compromised, their useful life is short. "

Which is why, on a piece of paper in my desk, I have the "base" password, plus modifications, written down. Becasue I can't remember a password that is at least 8 characters, uppercase and lowercase and numbers and special characters.

Sure, it's strong.

Until someone opens the desk drawer.

marcNovember 29, 2007 11:43 AM

"Anyone know the crack time of 36^10?"

The rule as posted was 8 Doesn't that make the needed crack time 36^10 - 36^8?

Another reason why I hate the "echo the number of characters in the password as stars when entered" that is so common.

Clive RobinsonNovember 29, 2007 11:47 AM

@wiredog

"Which is why, on a piece of paper in my desk, I have the "base" password, plus modifications, written down."

Put it in your wallet 8)

But seriously that is the problem with all passwords the more secure they are the more "management" is required to handle them, which opens up new avenues of attack.

For instance Password Safe is a good idea unless the user can only remember their bank card Pin number and they use that as the pass phrase. Even if they do use a better pass phrase if the attacker can copy your Safe then they can attack at their leisure and get all your passwords in one go. Do they care if some have change in the mean time one is usually all it requires.

An attacker will always find and go for the weakest link in the chain.

And these days the weakest link might just be the hard disk in your computer due to paging of memory...

Fred PNovember 29, 2007 11:54 AM

I flip coins.

I determine the space I want to use for each character, find the next greater power of two, and flip that many coins for each character. I translate the coin flips into binary, and discard any characters outside of the space I plan to use. As I deliberately try to produce more characters than needed, I rarely need to change this procedure due to length, but when I do, I just generate more characters through the same method.

pixelNovember 29, 2007 12:04 PM

I have a website that I created and I host that uses the domain name of the site I want to access (excluding A-records for sites that have register. and login.) and a constant 8-digit number of my choice. It uses these to generate a 20 character phrase that I use as the password.

It is highly unlikely that the person trying to hack into my bank/paypal/whatever account knows which site I use to generate the password, or my personal code. Plus, as it's online, it's always available. Obviously it's susceptible to key-loggers and viruses, but I run linux and physical security against key-loggers is a whole different ball-game.

EliNovember 29, 2007 12:11 PM

Simply typing:

echo "(secret phrase) websiteX.com" | md5sum | cut -c1-8

at my bash prompt gives me a unique 8 digit password for each web site without any need to remember what it is or use special password storage software.

PaulNovember 29, 2007 12:12 PM

Clive makes a good point that is too often forgotten when it comes to choosing passwords:

"An attacker will always find and go for the weakest link in the chain."

Picking strong strong passwords is a good idea because it protects you from untargeted, brute force attacks. But by no means does it mean that you are immune from attack! A general strengthening of passwords will only cause attackers to find another way. Personally I am not worried about my passwords falling under brute force attack, but a well chosen password does nothing against a keylogger or an effective phishing attack. People are usually the weakest link.

SparkyNovember 29, 2007 12:23 PM

@Marc: I think you are almost correct; it should ofcourse be 36^10 - 36^7, because the password length is 8-10 inclusive.Not that it really makes a difference:

36^10 ~= 3.6 * 10^15
36^7 ~= 78 * 10^9
36^8 ~= 2.8 * 10^12

It's just a rounding error...

DaleNovember 29, 2007 12:42 PM

I use long phrases from poems, songs, drinking ditties etc. My current password is approximately 24 chars long and I change it once a month.

Good luck cracking that, let alone in a timely fashion.

JackNovember 29, 2007 12:54 PM

@Brian:
And too bad it's pretty easy to get root access into a Mac.

Same with any machine, once you have physical access, right?

DanielNovember 29, 2007 1:56 PM

I have to agree with the other posters on using a sentence. Just pick something that's easy to remember in the context of where the password is being used. For example here:

IlikeBruceSchneier!

Who would guess that one? Upper case, lower case, punctuation, and it's long. Use spaces or don't, just always use a sentence.

John WNovember 29, 2007 1:59 PM

@Alan

Thank you for that link. Good food for thought.

I want to be clear that I do agree that password changes alone are not adequate to address the array of risks facing passwords.

I do believe a reasonable change interval helps for some reasons beyond merely protecting the password and limiting the useful timeframe of a password.

One reason is simple detection. If a password never changes, once someone has a password, they have it. But if they have to work to get it more often, there is more of a change they will get caught. You may dupe a few people into giving a password over the phone, but the more often you have to call people, and the more people you have to call, the greater the odds one will get caught. Same with crackers.

But I agree, there is a much wider array of risks that must be considered.

PashaNovember 29, 2007 2:14 PM

A friend of mine worked for NASA/Ames for a while, and described the password scheme there, which I rather liked. They print out a card, once a month, with the new, randomly generated passwords, and hand them out to everyone.

So, your password card looks like "x#v*Yu7" on the card, which you can keep in your wallet.

And they also tell you, "this months conversion is: Subtract 2 modulo 10 from all digits, add a $ after all capital digits."

So, your password is actually "x#v*Y$u5", and all you have to remember is this months simple algorithm, and if your wallet is stolen, your passwords are still secure.

I've been trying to figure out how to implement this in an automated fashion for things like my banking, etc. Even if they were all the same password, or a couple of different ones (Banks, Credit Cards, Insurance, VPN, Personal) I could do it monthly with minor problem. Right now, I just have to do it manually every few months, but it's rather a pain in the butt.

Blaise PascalNovember 29, 2007 2:20 PM

I came up with a great way to get my random but easy-to-remember passphrase: I decided to run 'head -20' on a text file on my system and use the initial letter on each line. All I have to remember is the text file I used, and I can recreate it anytime. For convenience, I decided to use a file common on lots of Unix systems -- /usr/dict/words.

Seriously, 25 years ago I ran into a BBS which assigned passwords (and wouldn't let you change it). The password it assigned me is between 6 and 10 characters long, consists of both letters and digits, and does not resemble a word in any language. It is still one of the principle passwords I've used, and has never failed a decent test for a "strong" password.

When I needed another "strong" password, I wanted something easy to remember, yet hard to guess. My monitor at the time had printed on it a model number consisting of a string of letters, numbers, and punctuation between 6 and 10 characters long. Not only was it strong, it was "hidden in plain sight" making it easy to remember. The monitor in question is probably in a landfill somewhere, so even the written-down form of it is no longer associated with me.

RandallNovember 29, 2007 2:36 PM

Some themes in the comments:

1) Generated passwords are good.

2) There's lots of bad advice out there about how to choose passwords.

3) The typical scheme of short unpronounceable passwords doesn't line up with what people are good at remembering. For example, you can probably memorize more entropy in the form of a phrase or pronounceable gibberish than as random letters and numbers.

4) Passwords are inherently easy to lose control of.

Earl MardleNovember 29, 2007 2:57 PM

On a lighter note, and writing as a non-techie, this paragraph is either very funny or not at all.

"So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle."

Which tells us a lot about how our minds work.

OK, so I laughed.

AnonymousNovember 29, 2007 3:30 PM

I make some of mine using two or more dialects, of different languages even, with odd spelling, and adding in the middle random things that have a meaning in any sense only for me... the words in dialects aren't in hte dictionary. Even when there is a dictionary for one of these dialects...

andyinsdcaNovember 29, 2007 3:56 PM

Passwords: Just one more easy way to get into a system. Can we PLEASE, for the love of the FSM get past memorized passwords, especially for normal users? The more complex the password, the more likely it is a normal user will simply write it down on a piece of paper and stick it under their keyboard. More passwords=more likely they'll write them down. At my last job, I had no less than 20 different passwords I needed (corp travel, corp expense, customer systems, ticketing, production & testing SAP, the domain, bla bla bla) and even *I* kept a password database. This is not practical for a normal user.

There are much better authentication systems out there that do not require memorization (either on a piece of paper, a database or in the brain) for a brazillion passwords.

andyinsdcaNovember 29, 2007 3:59 PM

I forgot to add in password rotation- one password changes every 30, another every 60, another every 90, one says no repeated characters, another says at least 2 characters must be different, one retains the last 10, another the last 3, etc. etc. etc.

Add in that complexity and you wind up with password.txt.

AnonymousNovember 29, 2007 4:03 PM

Anon - No, it's stars here, it's just not starred out 'cause it's *YOUR* password...

michaelNovember 29, 2007 4:22 PM

I haven't read all the comments but just in case no one noticed before ... the form has no action atribute set ... so the data entered is sent no where ...

a lot of fuss here about a simple example of javascript ...

Terry ClothNovember 29, 2007 5:04 PM

I always thought displaying an asterisk for each character of a password was a weakness. Any shoulder-surfer now knows the length of your password. (It's a lot easier than counting keyclicks.)

I pine for the days of Unix command-line passwords. No echo, and the only forbidden characters were, roughly, ^H (backspace), ^U (kill the entry and start over), and ^M (end of password entry). A judiciously-placed control character or two always gave me a warm feeling.

Now I'm using some memorable phrase, and stick a few digits from a PRNG into the middle somewhere. It doesn't take long for the digits to become habit.

mozNovember 29, 2007 5:49 PM

@Non e Mouse

I think using uuencode will introduce bias. I use a more wasteful form

dd if=/dev/random bs=100 count=1 | tr -cd 'A-Za-z1-9!@#%^&&'

This is neat because you can simply tune the character set to match the password system you are using and, given that /dev/random is meant to give an even output distribution, it should have an even chance of choosing each possible characater. If you want a fixed length you can use something like

dd if=/dev/random bs=100 count=1 | tr -cd 'A-Za-z1-9!@#%^&' | head -c 8

comments?

AnonymousNovember 29, 2007 10:37 PM

I'd never trust any program to save a password for me, no matter what it's called, be it open source or closed source.

AnonymousNovember 30, 2007 12:29 AM

@Clive, @BMurray:

PasswordSafe isn't the weak link in the chain. Yes, if someone had physical access to your PC, and could guess your PasswordSafe password, they could get all your other passwords. But if they have physical access to your PC, you're probably screwed anyway.

For your average home user, using random passwords stored in PasswordSafe is still safer than trying to create and remember random passwords.

What bothers me more is how many websites (online shops, particularly) who store your password and email it to you on request! Not only does it show that they can access it, it's also been exposed by having been emailed. I wish developers would stop thinking of encrypting passwords and start hashing them instead.

CodeAssemblyNovember 30, 2007 1:42 AM

Please verify your accusations before posting your opinions.

I removed the submit button because of the accusation that I harvest passwords and emails using this example
http://codeassembly.com/examples/...

I wonder why should I do that ? for spam ?
I think there are better ways to do that, not by waisting time for writing an entire post on how to do a password strength meter and waiting for some people to hit submit on the example page. Disclaimer: I don't gather any personal information on my blog, except email addresses when adding a comment on a post. Thank you.

XokeNovember 30, 2007 1:47 AM

@eli: so your passwords are always 8 digits? Sounds pretty easy to brute force that.

@Bruce (and anyone else interested): Steve Gibson recently spoke and released his 'Perfect Paper Passwords' which he (and other people who have checked) believe is a perfect system. One time use password, four characters that are hashed up to a huge actual password. Info here: https://www.grc.com/ppp.htm
He also mentions it in a few podcasts of his own. Which reminds me - when are you going to do a podcast Bruce?

King Diamond And The Fires of HellNovember 30, 2007 2:03 AM

"I wish developers would stop thinking of encrypting passwords and start hashing them instead."

I wish people would stop storing passwords on their computers unencrypted, really it's a stupid practice. Storing passwords at all in/on any medium is stupid, encrypted or not, electronic or not.

GusNovember 30, 2007 2:18 AM

PasswordSafe provides some security by locking all passwords behind a master password.

So, the fear is that someone will find that password and then have access to them all.

Well, PasswordSafe requires something that "I know". The master password.

If I now store the PasswordSafe 'database' on my USB key, then I have also met the "something I have". Cause I bring the USB key with me when leaving work, etc.

Using a PC, Mac or most 'ordinary' computer systems, there's still no way to provide "something I am", but two out of three isn't that bad while using a computer interface.

Gus

CJNovember 30, 2007 2:34 AM

@Gus:

True, but by putting PasswordSafe on a usb drive, you're putting it somewhere that can be lost. That 'something I have' becomes 'something I don't have', and then all anyone needs to access your passwords is the 'something I know', which brings us back to where you started.

Still, I think it's better than the alternatives.

PranavNovember 30, 2007 4:08 AM

Password safe or Key pass also allows for using long keys. I will need to check if they can be stored on removal media but they seem to be preferable to using passwords.

Mr KiplingNovember 30, 2007 11:02 AM

@Eli

> echo "(secret phrase) websiteX.com" | md5sum | cut -c1-8

Indeed. Given the sort of people who read this blog, you would’ve thought that more people would’ve cottoned onto the fact that *long* hexadecimals make exceedingly good passwords.

AlbatrossNovember 30, 2007 12:53 PM

Oh yeah!? Well YOUR password schemes STINK! Here's how I make up MY password! First I...

Wait a minute... wait JUST a minute here...

gloNovember 30, 2007 1:54 PM

Password generator.
Copy a suitably sized string from the generated results. Paste it in to your password vault, then into where ever it's going.

BTW: this is my own work. I release it to the public domain. Do with it what you will.


#!/bin/bash
#
# pwgen.sh -- generate a passphrase
#
# summary: pwgen
#
# pwgen.sh writes to stdout a string of 64 random characters.
#
# $Id: pwgen.sh 188 2007-11-17 22:27:44Z larry $
# --------------------------------------------
#
outstring=""
charstring="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
stringlen=${#charstring}
randstring=`dd if=/dev/urandom bs=1 count=64 2>/dev/null | od -t u1 -w1024 -v`
#
# remove front and last displacement tokens, an artifact of od
# Note! if you change the count argument to dd, you'll have to change
# the second displacement token
#
randstring=${randstring/"0000000"/""}
randstring=${randstring/"0000100"/""}
#
# emit random string
#
for rindex in $randstring
do
((stringindex=rindex%stringlen))
outstring+=${charstring:((stringindex)):1}
done
echo ${outstring}

John WNovember 30, 2007 2:32 PM

@CJ: "True, but by putting PasswordSafe on a usb drive, you're putting it somewhere that can be lost. That 'something I have' becomes 'something I don't have', and then all anyone needs to access your passwords is the 'something I know', which brings us back to where you started."

Good point. But my solution is this--Insane password, USB key in my possession at all times, and a backup locked up in a safe location. If my key was lost, I would use my backup and immediately change every password, hopefully completing before they cracked password safe (unlikely they can crack my password any time soon).

Not perfect. But nothing is. If it were for a more critical function, more would need to be done. It works well for my purposes when balance the burden and overhead with the threats.

andyinsdcaNovember 30, 2007 2:48 PM

I keep seeing posting about the best way to generate a password, where it should be stored, etc. without anyone (besides me!) asking whether or not we should still be using passwords.

The short answer is NO.

John WNovember 30, 2007 3:06 PM

@andyinsda: I keep seeing posting about the best way to generate a password, where it should be stored, etc. without anyone (besides me!) asking whether or not we should still be using passwords.

The short answer is NO.
_______________

I'll say it. Particularly for very sensitive or critical systems, passwords have outlived their useful life as an authentication tool.

Having said they, they will likely persist for a number of reasons:
* people understand them, even if they don't know how to best use them.
* perception of cost-effectiveness (try convincing management to change to something else in most circumstances)
* Simple economics. How much business would an electronic commerce site generate if they required something besides passwords for their customers? They would be likely to take their business elsewhere.
* Legacy. Unfortunately, passwords have become such a part of the infrastructure that migration is no small feat.

I agree with you that passwords are not the best means. However, realistically, we're going to be stuck with them for a while, so we should encourage the best usage possible.

Best regards,
John

andyinsdcaNovember 30, 2007 3:19 PM

Best usage doesn't force people to keep a metric assload of passwords that change on a (seemingly) random schedule, with a bunch of different passwords for different systems. See my first post/rant about this. In a large/corp environment, it's easy to wind up with way too many passwords for a normal user to remember. And having all sorts of gizmos and doohickeys like USB drives, password keepers, and whatnot are beyond the skillset of the average user. Do you really expect the average user to know how to handle basic software like that when they can barely turn on the monitor without killing themselves? And many places specifically disable the use of the USB ports for anything other than a keyboard/mouse as a security precaution.

It's time to END it. Not MEND it.

Observer EffectNovember 30, 2007 8:17 PM

This is pretty funny IMO:

The form obviously had a 'submit' button, but the author of the tutorial is taking Bruce's post personally. Whether it was intended that way or not. So now he has this text at the bottom of the demo form, with a link pointing back to Bruce's post:

There is no submit button, just fill in a password to check it's strength. I removed the submit button because of the accusation that I harvest passwords and emails.
I wonder why should I do that ? for spam ? I think there are better ways to do that, not by waisting time for writing an entire post on how to do a password strength meter and waiting for some people to hit submit on the example page. Disclaimer: I don't gather any personal information on this website, except email addresses when adding a comment on a post. Thank you.

Interesting how content evolves over the network, no?

JackG'tNovember 30, 2007 10:16 PM

There should be laws prohibiting public libraries and other public agencies from limiting a PIN to four digits. It should be even be illegal for librarians or other public employees to advise anyone to use a four-digit password in systems that allow passwords stronger than four-digit PINs.

I read somewhere on the web that “PIN��? was introduced because “password��? taken literally would not allow numeric characters. Semantics, semantics. Conveniently, not admitting that a PIN is a password allows administrators to pretend that all the cautionary literature concerning passwords does not apply to PINs. And there's the hope that library patrons will think of library account PINs as being no more of a security problem than are ATM PINs.

I admit I'm no security expert, but it seems to me that, if in possession of a patron's library card number, a mischievious person could conceivably blunt force a four-digit PIN quickly. With there being only 10,000 possible solutions, and with some numeric ranges more likely than others to contain a PIN, it might not take all that long to crack a four-digit PIN even by simple trial and error. Moreover, if library card numbers run sequentially, perhaps it would be possible to start with one library card number and proceed to crack the PINs of all the patrons in a library system.

FutilityDecember 1, 2007 12:00 AM

My preferred method of generating passwords (that I need to remember, like the password for Password Safe or my computer login, for everything else I use random passwords of length > 12 generated with Password Safe) is to take a poem and use the first letter of every word to make up the password. They are easy to remember and can be quite long. For extra security one can combine them to form even longer passwords and do the usual special character transformations.

Some other remark: Really annoying are web sites that restrict the length of passwords, especially online banking services that limit it to 6 characters! Incredibly stupid.

TuxGirlDecember 1, 2007 10:06 AM

just making people register for something is a much better way to get a collection of user-names and passwords. Most people only have one username/password set that they use everywhere. Given that, you've now got a username and password that you know go together.

JackG'tDecember 1, 2007 1:02 PM

In my comment above, using “blunt force��? for “brute force��? must have come from my hearing and reading “blunt force trauma.��? Both are bad if you're on the receiving end.

Speaking of brute force attacks, I have no idea how attackers deal with site restrictions of log-in attempts to three or so per session.

Christoph ZurniedenDecember 1, 2007 2:13 PM

@Xoke Steve Gibson recently spoke and released his 'Perfect Paper Passwords' which he (and other people who have checked) believe is a perfect system. One time use password, four characters that are hashed up to a huge actual password. Info here: https://www.grc.com/ppp.htm

That's a typical implementation of a TAN-system (_T_rans_a_ction_n_umber) with all its pros and cons, only the description differs. Nothing new here.
Some of the wording at the site seem to try to hide that fact, but I don't think it would qualify for the doghouse: it actually works and gives an extra level of security, even if it is not very much.
I would say: not worth the hassle.
It's also a solution for a different set of problems; there's a good reason that it's called "transaction-number" and not "login-number"! You can restrict some database-commands for example. It is probably a good idea to secure the deleting of tables or even whole databases with an extra lock, especially one with a limited number of key turns (no fear of shoulder surfing while the DBA types in a TAN instead of the admin-password).
OK, not a very good example but I hope at least somebody gets the point ;-)

CZ

BTW: both C-Implementations I checked (SHA1(ppp-c.zip)= 265b0a04e2bae78a33e6973c7410a507e9f64335
SHA1(ppp_source.zip)= 4ab6b7954deab9aadae6538d0edf8778496333d5
RIPEMD160(ppp-c.zip)= c9baf84629016386e1eb5fe54e34ad8ec4daada6
RIPEMD160(ppp_source.zip)= fe195253076b2b496b098dfff8105569ccc8f1f0) have a needlesly restricted entropy gathering. The code quality is average at best and thus insufficient for a cryptographic tool.

PatrickDecember 2, 2007 1:01 PM

andyinsdca wrote:

@It's time to END it. Not MEND it.

What are you proposing? A PGP-signature gadget you carry around? Something like the "Perfect Paper Passwords":

http://www.grc.com/ppp/design.htm

What?

I am wary of gadget-based solutions because it leaves me with NO low-tech method of access if the gadget is lost, broken, or just too expensive or complicated to use.

PPP is a promising approach because you could use a single string to identify yourself on all web sites you use, but your one-time password on each site would vary.

If you used a lot of sites it would mean carrying a lot of cards though.

I am technically competent to handle a PGP challenge from a web site after entering a personal identification string. But how do you propose to bring that sort of authentication within reach of the masses?

You'd need some kind of built-in software accessory for Windows that could auto-sign a challenge from a web site, yadda yadda.

What sort of thing do you propose?

I use ssh all the time, and I really love the public/private key method it uses. Plus I can add my private key one time with ssh-add, and then log into a variety of different servers with NO further action on my part. You can even chain authentication from one server to the next.

But how those ssh concepts translate into web browsing by ordinary users is another story altogether.

For my purposes, I developed a content management system where you can kind of "log into anything", e.g. you can establish any kind of web object floating in space (static, dynamic, or whatever), and then do authentication to that object as a complete after-thought, without the object itself supporting authentication or knowing anything about it.

The session cookie is used as a key to decrypt a single encrypted leg of the full path to that object.

That session cookie value is normally _established_ through a log-in screen asking for a simple password, but that need not be the only way or even the preferred way.

If the session cookie could be established by other more universal means, not involving a password, I would welcome the change. None of my existing content management plug-ins would need to change at all.

Pat CahalanDecember 2, 2007 2:07 PM

My first password snafu was as a sophomore in college; back then the rule was, "Passwords are only reset at the systems administrator's office between 1:00pm and 3:00pm on Friday" - tough on you if your assignment is due on Tuesday.

The first time you get a zero on an assignment that drops your highest possible grade to a B+, you by God will establish a good personal password policy. Nowadays there are very few actual consequences to bad personal password policies, so people don't take care of them. Why should they? For the last 10 years, they've been provided "click here to reset your password" buttons - industry has quite simply *trained* people to be horrible password managers.

Lots of people have commented that passwords "aren't good enough", but outside of context this isn't a complete answer.

Identifying and authenticating people authoritatively is hard, period. Using strong auth has management implications. Using biometrics has not only management implications, but revocation problems and privacy implications. Identity management costs money and time, whatever solution you use. None of these problems are going to go away, and making a system more complex without taking into account all of the implications simply for the sake of "passwords aren't good enough" isn't good security practice.

I had a grad student once ask me why I didn't provide smart card access for login, so that we wouldn't have to worry so much about the problem of compromised passwords. Egads, I know a guy who has a *full-time job* maintaining RSA tokens for one organization (largely because the sole consequence for "losing your RSA token" is "call this guy").

If you are lacking a well-thought out security policy, which takes into account the structure of your organization (and all the political and legal ramifications thereof), you're just taking a huge money sink onto your IT budget for very little actual real security advantage.

matt21811December 2, 2007 7:10 PM

As a hacker, I especially like it when organisations have a requirement to change passwords often. That way, if my dictionary attack of common passwords doesnt work this month I get another shot at it next month.

NTKDecember 2, 2007 8:24 PM

matt21811: "As a hacker, I especially like it when organisations have a requirement to change passwords often. That way, if my dictionary attack of common passwords doesnt work this month I get another shot at it next month."

Haha! Where I work, a "security audit" was recently completed. This resulted in a "password policy" that demanded frequent changes, minimal requirements, and a suggestion that good passwords can be formed by keyboard patterns like "zse4rfv".

I tried to explain to the person who drafted the policy the problem with the latter suggestion, but it was clear this was somewhat beyond his ken. Most of the other requirements are just feel-good crap that force people to add "!"'s and ","'s to there otherwise normal passwords. Big f-in' deal.

Pat Cahalan: "I had a grad student once ask me why I didn't provide smart card access for login, so that we wouldn't have to worry so much about the problem of compromised passwords. Egads, I know a guy who has a *full-time job* maintaining RSA tokens for one organization (largely because the sole consequence for "losing your RSA token" is "call this guy")."

Huh? I can't imagine it taking more than a few minutes to initialize one of these tokens. Let's say 10/hour -- gotta web-surf and pee every now and then -- and we hit on the order of 100/day. Now maybe I'm weird, but I've lost my wallet twice in my entire life. Let's say once every 10 years, or 3650 days. At this rate of loss, this organization would need some 365,000 people to fully employ one person in this job as token-rebinder. According to Wikipedia, Citigroup is the largest company in the world, and has 332,000 people working for it.

Have I blown his cover? ;-)

Probably not. I would guess that if he is being hassled alot for loss of token, he is hassled even more for revocation (people quiting/fired) and initial binding (people hired), which would be much more frequent events. (This reduces the population he is managing by a factor of, say, 10.)

But would not most large organizations divvy the work up at a fairly low level in the corporate hierarchy? A tree-of-trust instead of that radical, anarchic web/graph-of-trust stuff. It seems natural and easy to do. Could even be automated to a large degree.

Christoph ZurniedenDecember 2, 2007 8:48 PM

@NTK
> I can't imagine it taking more than a few minutes to initialize one of these tokens.

Let me make a wild guess: every "lost" token results in at least 3 different forms to fill out, each with three carbon copies, several signatures from several different people who are scattered all over the building/town/state/globe, a sacrifice of a live chicken (must be black without one white feather!) and the initialization of the new token too.
Let me make another wild guess: you never worked in a very large company?

CZ

NTKDecember 2, 2007 9:07 PM

CZ: "you never worked in a very large company?"

I will neither confirm or deny. Nyah!

However, I can say that the last time I lost my wallet, it took about five minutes -- once I had presented myself to the teller -- to obtain a new, working, access token. Ditto for the "driving access token" (although they only gave me a paper one - the real one came in the mail a few days later). In both cases I recall forms, and even carbon copies. If there was a black chicken, I unfortunately missed it.

CodeAssembly AttorneyDecember 3, 2007 12:28 AM

If I were CodeAssembly, I would sue you for this, Bruce. You at least owe them an apology. Or are you big enough for that?

Bruce's LawyerDecember 3, 2007 3:20 PM

If I were Bruce, I would sue CodeAssembly and their lawyer for libel libel.

Anyone think of a recursive acronym for libel^n?

David ADecember 3, 2007 3:44 PM

@CodeAssambly
I understand it feels bad to be unfairly accused, and I think you have no bad intentions.

However, as a rule, people must learn not to type their password nowhere else than the app it was intended for. No exceptions! (Someone said he typed his password into google. Bad idea!) No matter how good you are, you must accept users are discouraged from using any online password meter, including yours.

Futher more, I don't think Bruce was accusing you directly, but pointed at the page as an example of what a villain *could* do. (The villain's page could in fact look exactly like that page, same disclaimers and all.)

It's not you, it's me.

CJ CaseyDecember 5, 2007 9:24 AM

I've heard of the password strength meter con before, which works like the 'Captcha' con (set up a porn site with a captcha linked from a site you want to hack... client resolves captcha, and your bot runs with it.) Personally, I always just play keyboard games for my passwords... one that I used last year was "a's;dlfk &*(" which may look unintelligible until you type it out. They're pretty easy to lengthen (and remember) as well.

Annie MussDecember 6, 2007 5:40 AM

A good password is one you don't forget, and one I can't crack. So, as sysadmin, you get to keep your password till I crack it - running the usual suspects. As Mary Poppins says, "In ev'ry job that must be done
There is an element of fun -
you find the fun and snap!
The job's a game"

lucaDecember 21, 2007 8:13 PM

Great, I just found out that the passwords for logging in to my bank's website are NOT case-sensitive.

Never thought that that was even possible in 2007. I found out by chance, trying to change the pwd and getting an error message claiming that you can't have the new pwd be the same as the old one (they were not).

Mind you, this is a major North-American bank, not a mom-and-pa operation...
What would you do? For now I wrote to them asking whether they're pwd are case-sensitive. :-)

PratheepAugust 2, 2008 8:35 PM

A six-character password consisting only of lowercase letters?

A six-character password consisting of only upper- and lowercase letters?

An eight-character password consisting only of lowercase letters?

An eight-character password consisting of only upper- and lowercase letters?

An eight-character password consisting of upper- and lowercase letters and at least one numeric digit (0–9)?

A ten-character password consisting of upper- and lowercase letters and at least one numeric digit (0–9)?

AnonDecember 16, 2009 12:49 PM

Wow... You don't have to hit submit. WIth a little javascript magick, I can recover any of your passwords that are saved in your browser and unlocked...

*sigh* Like the man mentioned, there are much easier ways to farm usernames/passwords then devoting the time to a long post about the subject.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..