Comments

Andrew Gumbrell July 6, 2012 10:15 AM

… because, after all, when they become porn stars, that will be their professional name.

James Babcock July 6, 2012 10:24 AM

When sites ask me for a secret question, that’s just another 16-character randomly generated string provided by and stored in my password manager. Assuming that sites will treat secret questions as passwords is much easier than figuring out whether they will or not, and password management is an easier problem than figuring out how I answered secret questions in the past.

bcs July 6, 2012 11:12 AM

One option for answering secret questions would be to make the answer a function of the question and your private key. Sign, encrypt, base64, etc.

cassiel July 6, 2012 11:13 AM

In related news, children are being warned that they should make sure they’re born in a town whose name contains at least one punctuation character.

Northern Realist July 6, 2012 11:24 AM

I always tell people in my security presentations to provide any answer they want to the “what was your first pet’s name” / “mother’s maiden name” type questions, as long as they can remember what they answered. It’s funny how many times I’ve had people say “but what if they check to see if that was my pet’s real name?”….

Mel July 6, 2012 11:28 AM

Because, after all, once you’ve given over that security-checking info once or twice, it’s not secure any more, is it?

lazlo July 6, 2012 11:29 AM

Could be worse. With biometrics like facial recognition, your face could be your password, and we will be told that our faces should be like a password: Unique, hard to guess, and changed every 90 days.

Actually, plastic surgery jokes aside, it might be mildly effective, and definitely hilarious, to have a facial recognition system that required you to make a specific derp-face to log in, and perhaps required a periodic change to the derp-face.

Scott H July 6, 2012 11:29 AM

Actual pet names used by my family in the past:

Dammit (for a cat),
Drugs (the other cat),
Pusbucket (pretty sure it was a dog).

Not a lot of entropy there, but I’m sure they’d be a real hoot as the “phone password” for discussing things with a bank or such.

wondering July 6, 2012 11:29 AM

Perhaps just a little OT, but can someone clarify? EFF says 8 digit passwords no good because too short even with mixed random characters. EFF says better long passphrases, alphanumeric based on words and phrases. Question: what’s the status of longer random passwords based on the full keyboard–say 25 characters? Are they also out of security fashion, or do they pass muster? What’s the minimum practical length (assuming you can force yourself to memorize it)?

mcb July 6, 2012 11:33 AM

Glad this advice is only for kids. I’m already using my pet’s first name for my password. Yep, I sure miss Fluffy!@#…

fxl July 6, 2012 12:01 PM

I like the sites that let you define both the question and the answer. Extra points if they use it for talking to phone support.

Question: What are you wearing right now?

Answer: That is very unprofessional, let me speak to your supervisor.

kingsnake July 6, 2012 12:25 PM

I name my pets like I pick passwords: I look around my office, see an object that strikes my fancy, and that is it.

No One July 6, 2012 12:29 PM

Lucky for me very few people know the answer to some of those common security questions and some would even guess wrong despite knowing a fair amount about me.

Unfortunately for me, some of those questions are rather trivial to answer.

Also, some children are advised that their maternal grandparents select a longer family name.

boog July 6, 2012 12:49 PM

What good is having a secure name for your first pet when it’s just written down on the pet’s ID tag and/or headstone?

Figureitout July 6, 2012 1:16 PM

The future’s gonna be a freaky place…

“But daddy, I wanna name my cat Sox. Dammit son, I said 8 characters, at least 1 number!”

@kingsnake

Would you really name your pet “Computerspeaker” or “Secretarycleavage”?

@boog

Exactly, like giving your place of birth or mom or dad’s maiden name. Both of which are secure/nonpublic information…

Isn’t it best to write your own unique question?

boog July 6, 2012 1:38 PM

@Figureitout:

Exactly, like giving your place of birth or mom or dad’s maiden name.

I was going for more of a “hard to remember so written on a post-it” direction with my comment where the post-it is the ID tag and/or headstone, but you are right.

As for my dad’s maiden name, when I asked him what it was he told me I wasn’t funny and thumped me on the head.

Chris W July 6, 2012 2:09 PM

No problem, I’ll name the first pet “bul1seye” and name the second whatever I like, perhaps Katty.

Muffin July 6, 2012 2:49 PM

@cassiel – guess that folks from ‘s-Hertogenbosch (in the Netherlands) got lucky, then! 😉

nonegiven July 6, 2012 5:22 PM

Are we the only family that gives it a little time until the pet finds a way to let us know its true name?

Figureitout July 6, 2012 6:10 PM

@boog

Ha, you know what I mean. Was unable to initially read story, and thought it was real, until I saw a story about dubstep and extraterrestrial communications. Putting the tongue back in the cheek…

pfogg July 6, 2012 7:12 PM

@nonegiven: Yes, it’s just you. But don’t worry, everyone knows who you are, and word has gone around that you should be treated as if you were a normal family. No need to feel self-conscious.

Dixon July 6, 2012 9:26 PM

@wondering

Check out Steve Gibson’s podcast Security Now Episode 303 Password Haystack. In sum, length trumps complexity. E.g., a short 8 character dictionary word with twenty exclamation marks after it would be easy to remember but hard to crack.

bad Jim July 6, 2012 10:27 PM

We had some good pet names: Bark, Brunhilda, Guru, Yeti, Rojo, Perro (un gato, por supuesto). When my brother got his latest dog I suggested “W”, partly as a joke about our previous president, partly because we could call out “Here, WWW”.

As for the joke about not having a known birthplace, the next best choice would be a big city – what better place to hide a leaf than a forest?

Apologies for retelling an old story, but when the Princeton physics department decamped for the Manhattan project, they were cautioned to scatter their points of departure. Feynman cleverly elected to embark at Princeton, where the station personnel asked, “So, is all this equipment we’re shipping to Los Alamos just for you?”

Steven Hoober July 6, 2012 11:53 PM

Related:

Tonight, we retired my wife’s old whitebook (she got a new Macbook Pro) into the service of the kids’ room. Total wipe and clean install, create three new accounts and then the kids come to me in turn to pick passwords.

I want no silly BS about recovery, so I have them type them into a text file I later put into my Fairly Secure Folder of system setup info, so I know it.

Watching them (12 – 15 years old) pick the account passcodes is hilarious. At least one used mostly birthday, etc.

All I can think is: These are digital natives? Decades into the user/pass paradigm being overtly stupid, the kids who see warnings of this with every site they register on pick /terrible/ passcodes.

More on topic: The recovery hint is “See Steven if you forget your password.”

Gary July 7, 2012 4:07 AM

Funny, my dad often referred to our dog as “that f$!^$~# animal”.

There’s one system at work that requires a password of exactly 8 characters, including uppercase, lowercase, digit and punctuation.
It’s a system I use less than once a month. Whenever I need to log in, I use the security question so it sends an email with a ‘reset password’ link. I enter a new password and promptly forget it.

wondering July 7, 2012 6:06 AM

@ Dixon:

(Moderator: previous post garbled, please delete)

Is there a crossover point length CP such that for length less than or equal to CP length trumps complexity but for length greater than CP complexity trumps length? If so where might that CP be?

Zmol July 7, 2012 9:04 PM

It’s not so hard if you adopt the right sort of naming scheme from the outset.

I love puppydog2 just as much as I loved puppydog1.

Perseids July 8, 2012 2:11 PM

@Dixon:
Don’t play practical jokes on people who won’t recognize it.
This “Password Haystack” is security by obscurity at its worst.

@Wondering:
That depends heavily on the use case.
If you’re doing encryption with the password you should choose a password with about 80 bits of entropy (assuming your application is using a weak key derivation function, which is usually the case). That would be 80/log2(25) ≈ 17 characters of your set of 25 characters or 80/log2(6^5) ≈ 6 diceware words.
If you’re only using that password to log in to websites you can use much shorter passwords as the number of login trials is usually very limited. 6 or 8 (really random*) characters should be enough.

* If in doubt use dice. Conveniently 24 (chars) + 10 (numerals) = 6*6 (two dice rolls)

Russell Johnston July 8, 2012 5:48 PM

Related comment. I’m in the UK and use on-line banking with Cahoot, a UK on-line division of Santander. A few years back, my password, which comprised upper and lower case alphabetic characters, numbers and common symbols, stopped working without warning. After a lot of pain talking to their helpline, it transpired that all “difficult” characters had been disallowed, so could I please choose a “simpler” password! So much for security!

Clive Robinson July 8, 2012 6:58 PM

@ Wondering,

Question: what’s the status of longer random passwords based on the full keyboard–say 25 characters? Are they also out of security fashion, or do they pass muster. What’s the minimum practical length (assuming you can force yourself to memorize it)?

The simple answer is nobody knows… but that’s not very helpful as an answer 😉

NIST have a Special Paper (800-63) which is still very much a work in progress and has some serious shortcomings in how it gets its answers.

However they do come up with some conservative advice on what might be deemed a first cut “best practice” for passwords.

The reason for the shortcomings are numerous but the main points to remember on this are that the model they use,

1, It’s based on English language statistics.
2, They argue backwards from effect to cause.
3, There is still insufficient password data to make realistic models.

To see this in action you need to take a look at their “calculator formulae”.

Overly simply (and perhaps unfairly) they give formulae for (96-key keyboard character entry for) password strength on purely random passwords and their statistical model of English passwords.

In the random model each key counts as 6.6 bits of entropy whilst in the other model the first key counts as only 4 bits, the next few as 2 bits and thereafter 1 bit or less.

If you think about it the first key values are at some variance (effectively 96 keys v 16 keys choice) and this is based on the assumptions of English passwords.

Have a look at,

http://lukenotricks.blogspot.co.uk/2008/03/nist-passwords-and-entropy.html

For a more detailed overview.

In it you will find links to the NIST report and importantly other more recent works which show up some of the failings of NIST’s assumptions etc.
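
As an added illustration (my own code, not Clive’s, NIST’s or anything from the thread) of the two models his comment contrasts, the calculator below puts the random model and the user-chosen model side by side and also answers wondering’s 25-character question; the 96-key alphabet and the function names are assumptions, and the per-character credits follow SP 800-63 Appendix A.

```python
import math

# Added example, not from the thread or from NIST: both SP 800-63 Appendix A
# password entropy models, so their divergence can be read off directly.
KEYBOARD_KEYS = 96  # the "96 key" full-keyboard figure used in the thread


def random_bits(length: int, alphabet_size: int = KEYBOARD_KEYS) -> float:
    """Random model: every key is an independent uniform choice, so each one
    contributes log2(alphabet_size) bits (about 6.6 for 96 keys)."""
    return length * math.log2(alphabet_size)


def user_chosen_bits(length: int, composition_rules: bool = False) -> float:
    """User-chosen model from SP 800-63 Appendix A: the first character is
    credited 4 bits, characters 2 to 8 get 2 bits each, 9 to 20 get 1.5 bits
    each and every character beyond 20 gets 1 bit. A 6-bit bonus applies when
    composition rules force upper-case and non-alphabetic characters. The
    separate dictionary-check bonus (up to 6 bits) is not modelled here."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * (min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    if composition_rules:
        bits += 6.0
    return bits


def user_chosen_length_for(target_bits: float, composition_rules: bool = False) -> int:
    """Smallest user-chosen length whose credited entropy reaches target_bits.
    The credit never drops below 1 bit per character, so the loop terminates."""
    n = 1
    while user_chosen_bits(n, composition_rules) < target_bits:
        n += 1
    return n


def compare(length: int) -> dict:
    """Side-by-side figures for one password length under both models."""
    return {
        "length": length,
        "random_bits": round(random_bits(length), 1),
        "user_chosen_bits": user_chosen_bits(length),
        "user_chosen_with_rules": user_chosen_bits(length, True),
    }


if __name__ == "__main__":
    for n in (8, 12, 20, 25):
        print(compare(n))
    # How long a user-chosen password must be to be credited like 8 random keys.
    print(user_chosen_length_for(random_bits(8)))
```

Under this model an 8-key random password (about 52.7 bits) is credited the same as a 37-character user-chosen one, which is the gap Clive’s “96 keys v 16 keys” remark points at.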

wondering July 9, 2012 2:08 AM

@ Clive, Perseids et al

Thanks. First, a clarification. When I said ‘keyboard’ I meant the full keyboard, which is around 96 characters: this is UC & lc letters, numbers and special characters such as #$%^{[?. The reference to 25 characters was to the password length. But rereading your reply, Clive, I see that you understood that.

Next reading the Wikipedia article ‘key size’ (yes, I know, Wikipedia is the font of all truth) I saw that the US Govt has a standard to the effect that the entropy bit measure of a symmetric AES encryption key for Secret must be 112 to 192 bits, for Secret 192 to 256 bits. (For ‘Secret’ I am drawing an inference from the article, which is unclear on this point.)

The Wikipedia article ‘password strength’ has a table which indicates that for the 95 character keyboard (all printable ASCII characters), a truly random selection of characters must be 20 characters long to achieve 128 bits entropy and 30 characters long to achieve 192 bits entropy.

This appears to answer my question as to what length a truly random AES symmetric encryption key has to be to ‘make it’ in the big city.

However, since there are caveats as to how random the pseudo-random number generators are in the available password management packages, anyone have any comment on the quality of the PRNG in TrueCrypt (used to generate the master key for encryption)? Any comment on the quality of the PRNG in the various password management packages such as Password Safe?

Thanks very much.

wondering July 9, 2012 3:56 AM

typo in last post.

the entropy bit measure of a symmetric AES encryption key for Secret must be 112 to 192 bits, for Secret 192 to 256 bits.

S/B

the entropy bit measure of a symmetric AES encryption key for Secret must be 112 to 192 bits, for Top Secret 192 to 256 bits.

Clive Robinson July 9, 2012 6:54 AM

@ wondering,

This appears to answer my question as to what length a truly random AES symmetric encryption key has to be to ‘make it’ in the big city

Err no, it’s a best case baseline as it ignores some points where it can all go horribly wrong.

As noted AES has three basic key sizes 128/192/256 bits; if you actually want entropy to those values then you need to generate it to quite a bit in excess of that if you want it to be not just in any way human memorable but even easily typable from a “wallet cheat sheet” (such are the failings of humans).

So with a choice of 96 keys for each keypress you get in theory 6.6 bits of entropy, so the minimum for 128 bits is 128/6.6 = 19.3939 keys as the minimum. But this is “theoretical” and not “actual”. In many cases theoretical is significantly insufficient due to the way you get from keyboard keys entered to AES key bits and in some cases the annoyance of “line discipline” converting certain combinations of keys into a single key (think HTML %(ascii#) or \ conversion or MS-DOS IBM PC key code conversion). Then there is the issue that the 96 key choices have issues in the probability of each bit being a one or zero in its normal binary representation, that is each bit has bias, generally being worst in the higher bits. Then of course 96 does not map conveniently into 2^n representation as it’s 2^6+2^5 (64+32).

The usual way to do things (please note I’m not advocating this) is to have a “free text entry field” for a pass phrase, that you then hash in some way. So say take the ASCII string and run it through MD5 a number of times using cutting and splicing to try to get the best out of the entropy available.

So generating a “random password” can be seen as a series of transforms,

1, Get required number of bits of entropy.
2, Break into fixed size bit blocks.
3, Map block to one or more of the 96key choices.
4, Fixup any line discipline issues and format for humans.

Stages 3 & 4 waste entropy for a number of reasons so the required bits of entropy in stage 1 can be considerably larger than expected. Roughly 1.5-2 times larger, so for 128 bits of AES key entropy you are looking at 192-256 bits out of your entropy source. And depending on mapping, line discipline, and formatting fix ups you could end up with a “free text” password likewise 1.5-2 times bigger than the theoretical base line.

However there is another group of issues to consider which is how often you are going to change AESkeys and for how many systems and if you are going to use Master Keys, User Keys and Session Keys etc all tied up with two main issues,

1, Preventing “AESkey Re-use”.
2, Secure AESkey distribution.

Which is the “Devil’s Brew” of key management systems. The first has various potential solutions that have been suggested. The second however is a real nightmare and depends on who your adversaries are (see Ross Anderson’s type 1 / 2 / 3 definitions). For instance with a type 3 adversary, getting off an aircraft with KeyMat in printed or recognisable stored form (thumb drive etc) has a very high probability of being copied on your way to clearing air side (even if you have hidden it in your underwear etc). Likewise with post, telegram, or any kind of Internet comms. So you have to consider how to make the capture/copy of KeyMat in transit useless to an adversary.

All of which has a significant effect on how much entropy you are going to need from your generator and just how good it needs to be. In most cases a single generator type is insufficient to fulfil even quite modest KeyMat requirements.

So hybrid systems are currently in vogue where you use the likes of a True Random Number Generator (TRNG) to make Master and User Keys and Seeds for deterministic but Cryptographically Secure Pseudo Random Number Generators (CSPRNG) like AES in CTR mode to limit key re-use.

Having had to go through the design process of TRNGs and getting them “certified” as acceptable for requirement, I’m not that impressed with the majority of “supposed” TRNGs running on PCs. If you want to know why, Bruce and Niels Ferguson have tried to design a couple of acceptable systems (Yarrow and Fortuna) and their published notes on their design and mitigation of issues should give you an idea of what’s involved. There are even “provably secure” CSPRNGs such as Blum Blum Shub.

However they all have disadvantages in that their output rate may be way too low for many systems. So there is the idea of “spreading the goodness” of an entropy source across a deterministic process. One such is to use ARC4 as a rapidly evolving pool of deterministic numbers into which you stir the entropy from your source. There are a number of ways to do it, one being to add the entropy into the swap function (i.e. expand Sary[Iptr + Jptr] to Sary[Iptr + Jptr + ent]) which is the same as the initial ARC4 key loading/update process (except the entropy replaces the stored key).

Back in the 1990s I used a BBS generator to generate the “entropy” into an ARC4 type system where the Sary was actually 1024 values in size not 256, but the output was modded down from 10 bits to 8 after it was post-“whitened” by the output of a digital low pass filter applied to the output of a large Mitchell Moore generator (see Knuth for details on MMG). The result looked like the output of a CS-TRNG [1] under the tests then in use.

Which possibly says more about the state of the then tests than the quality of the generator.

[1] A CS-TRNG is a TRNG with its output modified to make it of use in crypto activities. This is because TRNGs have some decidedly unhelpful output possibilities in that an unbounded string of 1’s, 0’s or repeating pattern is to be expected as part of “normal operation” [2] albeit at a proportionately low probability. That is you don’t need an OTP with excessive runs of 0’s as the plain text comes through. The usual method is to use an “unbiasing” technique such as set some kind of limit and then drop further repeating output and flag an error for each drop [3].

[2] The “normal operation” of excessive run lengths might also be an indicator that there are issues with the generator such that its “noise source” is becoming faulty [4] or under external influence by some form of “fault injection” either directly or from a distance, deliberately or accidentally (i.e. it’s not sufficiently screened to deal with the 1KW HF transmitter in the room next door whose TX antenna is on the roof just above, which can be considered normal in “ship board” usage, or the fact that someone has put it directly on top of an old CRT monitor etc etc).

[3] It’s important to flag errors as close to the noise source as possible and certainly prior to the addition of “magic pixie dust” hashing etc. The errors should be looked at both in real time and statistically over time as the analysis of the “drop” error flag frequency etc may reveal the type of issue if it’s not low probability “normal operation”.

[4] Noise sources used in TRNGs are notoriously fickle and very very susceptible to environmental conditions such as EM fields (E and H components) and even mechanical vibration or acoustic sources affecting components, being picked up by components such as power supply filtering and EMI components such as inductors.
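
An added worked example (my own code, not Clive’s or anything from the thread) of the four-stage transform in his comment: raw entropy is pulled in 7-bit blocks, mapped onto a 95-character printable ASCII alphabet by rejection sampling, and the bits consumed are counted so the 1.5x overhead he mentions, and the bias of the modulo shortcut, can be measured rather than guessed. The alphabet, the `BitSource` class and the function names are assumptions; it also answers wondering’s length question for the 95-character keyboard.

```python
import math
import os
import string

# Constructed alphabet: the 95 printable ASCII characters, the thread's "full
# keyboard" (Clive's 96-key figure rounds this up).
ALPHABET = string.digits + string.ascii_letters + string.punctuation + " "
BLOCK_BITS = 7  # stage-2 block size: smallest power of two covering 95 choices


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Theoretical baseline: shortest uniform-random password whose entropy
    (length * log2(alphabet_size)) reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


class BitSource:
    """Stages 1 and 2: hand out fixed-size bit blocks from an entropy source and
    count every raw bit consumed. Pass a constructed byte string instead of
    using os.urandom to make a run reproducible."""

    def __init__(self, fixed=None):
        self._fixed, self._pos, self._buf, self._buflen = fixed, 0, 0, 0
        self.consumed = 0

    def _byte(self) -> int:
        if self._fixed is None:
            return os.urandom(1)[0]
        if self._pos >= len(self._fixed):
            raise RuntimeError("constructed entropy exhausted")
        self._pos += 1
        return self._fixed[self._pos - 1]

    def block(self, nbits: int) -> int:
        while self._buflen < nbits:  # top up the buffer a byte at a time
            self._buf = (self._buf << 8) | self._byte()
            self._buflen += 8
        self._buflen -= nbits
        value = self._buf >> self._buflen
        self._buf &= (1 << self._buflen) - 1
        self.consumed += nbits
        return value


def generate(length: int, src: BitSource, alphabet: str = ALPHABET) -> str:
    """Stage 3 done right: a 7-bit block outside the alphabet is discarded
    (rejection sampling), so every character stays equiprobable at the price
    of the wasted entropy Clive describes."""
    out = []
    while len(out) < length:
        v = src.block(BLOCK_BITS)
        if v < len(alphabet):
            out.append(alphabet[v])
    return "".join(out)


def expected_bits_consumed(length: int, alphabet_size: int) -> float:
    """Raw entropy that rejection sampling is expected to pull for `length`
    characters: BLOCK_BITS per attempt divided by the acceptance probability."""
    return length * BLOCK_BITS / (alphabet_size / (1 << BLOCK_BITS))


def modulo_mapping_entropy(alphabet_size: int) -> tuple:
    """(Shannon, min-entropy) bits per character if stage 3 instead reduces the
    block modulo alphabet_size: the first 128 % 95 = 33 characters become twice
    as likely, so a 20-character password has only 120 bits of min-entropy."""
    n = 1 << BLOCK_BITS
    probs = [(n // alphabet_size + (1 if i < n % alphabet_size else 0)) / n
             for i in range(alphabet_size)]
    return -sum(p * math.log2(p) for p in probs), -math.log2(max(probs))
```

For the 20 characters that reach 128 bits, rejection sampling is expected to consume about 189 raw bits against a 131-bit baseline, a ratio of roughly 1.4, while the modulo shortcut loses nothing in consumption but drops the per-character min-entropy from 6.57 to 6 bits.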

Coyne Tibbets July 9, 2012 8:56 AM

I get the parody, but seriously: I think banks and other sites should give up asking those stupid security questions.

Really, those questions are an abdication of their security responsibility. They want something quick that you can answer online, so they don’t have to provide a person to vet you over the phone or via mail or some such.

Of course, they want the question to be something you can remember, and the things you are most likely to remember are real-world facts. Which are easily determined by anyone with a little detective work; not to mention the fact that (as someone noted below) after you have given the fact to a couple of dozen sites, it’s not a secret anymore.

We need to find another way…

Thog July 10, 2012 5:48 PM

EFF says 8 digit passwords no good because too short even with mixed random characters.

EFF correct as pertains this issue. Thog not so sure 12 character password good these days. Recommend 20 character, perhaps more.

See here:
http://blog.gerv.net/2012/07/how-to-make-a-decent-password-strength-meter/
Read comment there. Jonadab explain how tell if password strong. Long story short: long password best, even if not random. Random password good, mixed-case password with punctuation okay, but longer password better.

Wael July 10, 2012 6:46 PM

You can name your pet this long, easy to remember, strong string:

, ` & #
$ @ | + . –
8 7 6 5 4
” * _
? ; ! AS;DOFB2

Which is read:

Comma tick ampersand hash,
Dollar at pipe plus dot dash.
Eight sev’n six five four,
Quote star underscore,
Question mark semi-colon bang MASH

I did not compose it, I often screw up the meter. Got it from here: http://pastebin.com/m6e3ae8ae

(I don’t get the “bang MASH” at the end)

You can try to memorize stronger passwords that way.

peter July 11, 2012 4:17 AM

Sorry, but stupid security within the British defence has this story beat. I had a random 12-character, 2-number password, and in addition to that had to choose three challenge questions and responses: first school, pet’s name and so on. Every answer I gave was rejected as it did not conform to the rule of 8 characters, number and special character.

Eric H July 15, 2012 8:50 PM

This explains why my father, who claimed to be a time traveller, thought that it was funny to name our pets Admin, Admin01, Admin02, ….

Neil August 16, 2012 9:27 AM

…and yet every company, including banks and big names let you bypass passwords by asking you what your mother’s maiden name is and what place you were born.

I bet none of these additional security question answers are encrypted. Nor is it easy to change your mother’s maiden name or your dob (yes, you can put a false one in, but that is no different than using the correct one)

You can find out these details in minutes too…..
