Schneier on secure password requirements

Discussion in 'privacy technology' started by Gullible Jones, Aug 21, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

    Note though that the assumption here is that the hashes have been stolen, which will make things hugely faster for the attacker.
     
  2. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I've never met anyone in person who understood that computer passwords aren't just for guarding against a living breathing person guessing it. All the attackers really need is a common pet name dictionary.

    "buddy07"

    But I'm glad to see my 08 inkling to set my password manager's master password is still holding up. (the whole "uTVM,TPw55:utvm,tpwstillsecure" type examples)
     
  3. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    @Veeshush

    For any account I value I use the Schneier Password Safe, set parameters to 29 digits with alpha-numeric and symbols turned on. IMO if a password isn't generated and protected by some type of password safe the account in question is vulnerable.
     
  4. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Faster than what?
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It doesn't matter if password crackers are onto this trick if you're using something like Diceware to generate the words.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Trying to crack a login prompt. With the hashes, there is nothing to slow the attacker down.
     
  7. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    40
    I still prefer passwords I can actually remember.
    XKCD advice is good but needs to be taken farther. Use words from specialized areas of study that are familiar to you to expand the pool needed to guess your password.
    For me a possible list would be:
    misspence - A rarely used word
    dacapo - Sometimes found on sheet music
    fugacity - From physical chemistry
    nonce - An element used in cryptography
    zwitterion - Chemistry

    Add some punctuation and misspell at least one word. Not as strong as 29 symbol passwords but strong enough that 99% of hackers will give up long before the guessing software hits it.
     
  8. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Try them on here: https://howsecureismypassword.net/

    Not that that site is perfect, but it'll give you an idea.

    edit

    I thought for a second you meant only using "rare" words. I still think you're better just throwing in some "XHT4vFWH6i+H^S" for good measure regardless.
     
    Last edited: Aug 22, 2014
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I just tested "Fsasyaofbfotcann,cil,adttptamace."

    The site reports:
    If I forgot it, I could just check http://en.wikipedia.org/wiki/Gettysburg_Address ;)
     
  10. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Anyone trying to crack a login prompt is only going to even have a chance of being successful if A) you know something about a specific person/account you're trying to get into and that's the only account you care about, or B) the website itself is still stuck in 1996.

    In other words, no one is trying to break into accounts through a login prompt.


    Of course there is. That's precisely what hashes are for. If the passwords were stored in plaintext (which some sites still idiotically do, unfortunately), then there'd be "nothing to slow the attacker down." They could get into any account.

    Password hashing is specifically implemented to "slow the attacker down." Cryptographic hashes recommended for password storage are engineered specifically to be slow.

    Since you started this with an old Bruce Schneier post, here's a newer one:

    https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html

    Notice the recurring complaint is that the hash is MD5...an algorithm which is not only generally considered not secure, it's not very slow either. So these results are not as impressive as they sound. Any site hashing passwords with MD5 is basically a half step away from storing in plaintext (as this experiment shows.)

    As more than one commenter said: "If the website in the Ars Technica article had used a properly salted bcrypt, scrypt, or PBKDF2, there probably wouldn't have been an article."
     
  11. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
  12. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
  13. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    It says bewaretheidesofmarch will take 9 years.
     
  14. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Yeah there's only so much of a dictionary they can put into a simple javascript app. But the writeup covers it. It's still the most accurate I've seen. If anyone's got a better one I'd definitely love to test it.
     
  15. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I would never recommend people to follow XKCD's so called "advice" on passwords.
    'correcthorsebatterystaple' is as insecure as any 4-5 words strung together. I explained it several months ago in Arch's Forums:

    https://bbs.archlinux.org/viewtopic.php?pid=1375311#p1375311

    Which makes you a vulnerable target.

    No it's not.
    Like ditching it completely? Sure.
    Using words that are not commonly used isn't going to increase the pool size by any significant number. Using only words is the worst you can do to secure your password, especially one single word. Unless the "cracker" is your 8-year-old nephew. Also, adding some numbers and symbols to words won't help you either (like "h0us3ofd3@th", for example) if you keep valuable data on the drive.

    Still doesn't matter in a cracking scenario, they're all just words and all the attacker would have to do is pull off a dictionary attack.

    Words are not safe for passwords, doesn't matter if they're less used than other words.

    Again, not as strong, you just read an article demonstrating how these examples fail and still you're trying to convince yourself that they somehow work? Have you actually read the article?

    The best way to create a secure passphrase is using a large number of ***RANDOM*** characters. NOT words; NOT words with symbols; NOT words less used; NOT 4 words together; NOT anything related to words with modifications.

    I change my cryptographic passwords every 2 or 3 months, so here's a password I used to encrypt my drive:

    davU@krZ2o*lv*Z5DQ-5$z#DsaDZmQYrd;jg2,*[V}iDt#E4b2J}y}({tr7lgS_b

    This password is probably safe enough to guard Government secrets, and since I'm not such a valuable target I decided to reduce its length to 32 random characters, but with an iter time of 5000, meaning an attacker would have to wait 10 seconds between each attempt.

    The command I use to do so on Linux is:

    Code:
    # cryptsetup -c twofish-xts-plain64 -y -s 512 --iter-time 5000 luksFormat /dev/sda2
    This, in combination with a 32 random character password is, to me, enough to keep my data safe from any form of brute-force attack known today. For most people, though, I'd recommend a 16 character long. All this assuming he/she has valuable data that some attacker would be interested in; if that's not the case then drive encryption isn't necessary.

    Keep in mind that I'm talking about offline privacy as I don't see why anyone would store valuable information online, it's a fool's (I'm being polite) practice. For online safety such as online banking there's the password sitting on the same bench as other security measures such as not having any pirated software installed or running, using good antivirus protection, using a good firewall protection, also not having any unknown software (from unknown publishers) installed. Or just simply running Linux with fewer security measures (I'm not getting too deep into that right now).
     
    Last edited: Aug 25, 2014
  16. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    40
    I am glad some people can remember 32 random characters. I have at least 12 accounts and encrypted volumes between work and personal use. I can't remember unique random 16 char passwords for each (making sure they are all changed 3-4 times a year). I could use a password vault but, that adds another layer of complexity. I just don't find vaults sustainable. Where to store backup copies? How to keep backups synchronized, etc. Bottom line is that a password scheme needs to be manageable and adjusted according to threat model.

    The article states that the hackers will feed the guessing algorithm all sorts of personal data to make the guessing pool target specific. Really? They will look up my college transcripts to see what subjects I have studied? Look up my online resumes to see what industries and job roles I have worked in? Maybe the NSA will do all that but they will more likely put a keylogger on my system and bypass the guessing altogether.

    Most likely threat for me is password hash database theft. In this case, the hacker runs the stolen hashes through guessing software until satisfied with the number of found passwords. Password thieves are mostly interested in quick turnaround. Why would they keep running the guessing program for 6 months when they get 90% of the passwords within a couple of weeks?
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    OK, so what's the weakness in my "initial letters of words in sentences" method? There are many sentences in many works. A rainbow table for all 32-character ASCII passwords would be humongous. Limiting that to those generated by my method, based on commonly known literature, would be computationally difficult. And, by combining multiple sentences from different works, I can easily remember many 100-character ASCII passwords.
     
  18. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    To respond to this I would ask you the same question amarildojr did: "you just read an article demonstrating how these examples fail and still you're trying to convince yourself that they somehow work? Have you actually read the article?"

    Have a look again at some of the passwords that were cracked in an hour:

    Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.

    "The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing."

    What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."

    As I mentioned earlier, this is a bit overly generous on the side of the crackers because of the use of MD5, but still. These attacks are there.

    And I forgot where I read about one cracker finding something like a 65 character phrase from the Koran or some other book...because it appeared in a Wikipedia article.

    The moral is, it doesn't matter how "rare" you think your phrase is. If it's actual words (including leetspeak), it's no good. And if it's a phrase that you didn't make up yourself, it's no good.

    If you absolutely cannot remember random strings, Schneier's recommendation seems to be the best: Combine a personally memorable sentence (that you made up), some personal memorable tricks to modify that sentence into a password, and create a long-length password. Like this:

    Iw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
    Wow...doestcst::amazon.cccooommm = Wow, does that couch smell terrible.
    Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
    uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
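Why passwords such as "momof3g8kids" fall to a combinator attack, as an added example that is not part of the original thread: a check a defender could run at password-change time to see whether a candidate splits entirely into dictionary tokens and digit runs. The token list is a small constructed sample, `decompose` and `guess_bounds` are names chosen for this illustration, and 111 million is the dictionary size quoted in the post.

```python
# Constructed sample token list; a real cracking dictionary holds millions of
# words and previously leaked passwords (the article's had 111 million entries).
TOKENS = {"momof3g", "8kids", "mom", "of", "kids", "gone", "fishing", "april",
          "kiara", "johnson", "i", "love", "you", "so", "much"}
# Common leetspeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@!$", "oieastais")

def decompose(password, tokens=TOKENS):
    """Split password into the fewest dictionary tokens and digit runs.

    Returns the list of parts, or None when some stretch of the password is
    covered by neither, which is what forces an attacker back to brute force.
    """
    lowered = password.lower()
    variants = (lowered, lowered.translate(LEET))
    best = {0: []}  # end position -> shortest list of parts reaching it
    for start in range(len(lowered)):
        if start not in best:
            continue
        for end in range(start + 1, len(lowered) + 1):
            known = lowered[start:end].isdigit() or any(
                v[start:end] in tokens for v in variants)
            if known and (end not in best or len(best[start]) + 1 < len(best[end])):
                best[end] = best[start] + [lowered[start:end]]
    return best.get(len(lowered)) or None

def guess_bounds(password, dictionary_size=111_000_000, charset=95):
    """Upper bounds on guesses: (combining dictionary entries, brute force).

    The first value is None when the password does not decompose. Using one
    dictionary size for every part is a simplifying assumption.
    """
    parts = decompose(password)
    combined = dictionary_size ** len(parts) if parts else None
    return combined, charset ** len(password)
```

A Diceware phrase decomposes too; what protects it is that each word is drawn at random, so the first bound grows with every added word.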
     
  19. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    I'm actually not aware of any notable software that would allow 100-character passwords. Even TrueCrypt is limited to 65.

    But anything requiring a password these days should be salting...so you shouldn't have to worry about rainbow tables anyway.

    Even still, anything in a book seems too risky to me.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here is a method for remembering random letter passwords.
     
  21. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    Why?
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I was thinking of LUKS. The maximum passphrase length is 512 characters.
    Speaking as one who has forgotten LUKS passphrases, I like having a backup. For anything important, I combine strings derived from sentences in three books. They're not otherwise recorded anywhere. At most, for ones that I won't use again for months, I keep cryptic reminders.
     
  23. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Clinical paranoia :)
    For the software I use and the measures I take, I don't really need to change them. But try telling that to a crazy man.
     
  24. Dick99999

    Dick99999 Registered Member

    Joined:
    Aug 3, 2012
    Posts:
    14
    Location:
    Netherlands
    That is indeed a very different one. Nice features I think. 2 remarks:
    • zxcvbn knows the plain text and thus can analyze the scheme that is applicable or has been followed. If the attacker does not know the scheme, then you have to add the strength of all the schemes tried before to the strength of the scheme that actually will work. And it's not the average that must be added, but the exhaustive search strength or time.
    • I think my tool SimThrow http://itura.nl/simthrow.html does a better job in estimating actual recovery time. It is dedicated to passphrases though (including generation of a random phrase) with some limited support for testing passwords. The difference is that it does estimate recovery time for various applications, like use as a WiFi key, or Windows password (NTLM), or 7-Zip etc. And it includes in the estimate the use of various recovery hardware options like 'Home' 4 GPUs, 'Professional' 25 GPUs.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA