Your "Strong" Password May Be Weaker Than You Think

Discussion in 'privacy technology' started by ronjor, Mar 28, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    http://readwrite.com/2015/03/27/password-strength-weaker-than-you-think
     
  2. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Good to know that the KeePass meter works well. It's the one I use for benchmarking my passwords.
     
  3. legolard

    legolard Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    10
    Location:
    Toronto
    Disappointed to read this news. Might have to rethink my choice of opting for 1Password over KeePass.
     
  4. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    password: WhtttbsetamacettaebtCwcuRtataLLatpoH
    entropy: 130.064
    crack time (seconds): 7.113331373418745e+34
    crack time (display): centuries
    score from 0 to 4: 4
    calculation time (ms): 2

    But then, this tool isn't smart enough to know all published text, or even the US Declaration of Independence ;)
     
  6. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    KeePass's behavior is normal, because as far as I know they compute the actual entropy (using the definition). They do not try to measure how easy or hard it is to actually crack a password.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    And worse, password crackers can be fed all the personal information on your drive as seed data if a weak client's been compromised.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Well, I'm hosed anyway if that's accessible via FDE OPSEC failure ;)

    Also, "WhtttbsetamacettaebtCwcuRtataLLatpoH" is just one of the words in my scheme, not the whole password.
     
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Well this is really interesting. We have two threads going covering the same topic. I'm really impressed with the system and math Yuki2718 uses. I use math too but it is far simpler. It is obscure math but not too difficult to do mental calculations in. About the same as adding up a grocery bill.

    Long obscure phrases from obscure literature in obscure languages can make a good password by themselves but they would be much better used as keys in a cryptographic system so the resulting password would be a randomized hash with extreme entropy that could be easily reconstructed if the key, seed and algorithm were known.

    I have a lot of passwords and some are much better than others but none to the point of Mirimir's example. Reading all of this makes me realize I could do much better without too much work.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Just so it doesn't get lost, the point of my example is that I don't need to remember the string, just that it's constructed from the second sentence of the US Declaration of Independence, and how (preserving case, but not punctuation or spaces). If used frequently, I'll remember it, and will learn to type it very quickly. But it's not problematic if I forget.
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Another approach I use is for throwaway accounts on sites that I want to access but I want to remain completely anonymous on and don't care if the account credentials are lost. I always use a VPN for such sites and first create a user name based on a disposable email account's random letters. Then I just bang keys randomly to create a password. Both user name and password have lots of entropy, but they are used on accounts that don't need it in any way. No need to remember anything, because these are not accounts I intend to maintain long. Sometimes just one browser session, sometimes a few days or weeks. I use a browser's built-in password manager for longer stays, which is something I would never do for any accounts that were important to me.
     
  12. Kiebler

    Kiebler Registered Member

    Joined:
    Feb 3, 2015
    Posts:
    15
    As for keeping passwords I normally use NoteCipher from the Guardian Project. It seems pretty safe but I may be wrong.

    https://github.com/guardianproject/notecipher


    OT: I have been lurking this place from my job for 3 months now, but now their IT dept. deems this site "Suspicious". So freaking mad right now..
     
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Although I'm a mathematics guy, strictly speaking I don't use math for my password; it's rather a word game. :D
    But some people may use math for their password (don't know an actual case though), or I know a person who hashes his password (is it math... maybe not).
     
  14. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    With a little bit of math, you can note down a short number and do a few processes on it and have a much longer number. When you enter the password, you use the full number, when you write it down, you use the short one. That way you can keep a written copy that isn't the actual password. Just one example. I use language and linguistics more than math for passwords too but both can be combined. The same sort of transformations can be applied to words using grammatical rules. Grammatical and mathematical processes can be combined.

    Here's a real world example. I file an annual report online for a small organization with an agency of the federal government. This year, when I filed, I was greeted with a message that the agency's database had been compromised and a new password was required. I came up with a long secure password, but it was rejected because passwords were limited to 14 characters. I did the best I could, but I couldn't do the sort of password I normally do for such a site. No wonder they were hacked.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    The combinations of strings that I use as passwords, or rather the underlying words, are in fact incantations. Each one helps to put me in the mindspace for the persona at hand. It's also a mnemonic device.
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Of course, what we are doing when attempting to accommodate the deficiencies of website passwords, having to remember strong ones at all, is making up for their terribly weak security and lack of TFA. There is no reason at all we should be wasting remembered strong passwords when we are using a machine to authenticate to another machine. To the extent you can trust the client (not much), you should be able to trust it to manage some TFA with the destination.

    But the reality is that commercial sites get away with terribly weak security.
     
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks for the valuable example and suggestion. That's feasible! I may consider employing some math in my next scheme, but probably I won't use a text note.
    I can relate to it, but in my case incantation is user name and/or email address.
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Put a punctuation symbol somewhere in that and a number and you increase the strength exponentially. Or alternatively, a much shorter password with just a single number and punctuation symbol in it would be equally as strong and much easier to type in.
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I could include punctuation, but that makes the method more obvious. I don't substitute any characters, because then I'd need to remember that.
     
  20. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    The diceware scheme sounds good, but in practice it falls down a lot of the time because there is no standard for password length or what chars it may contain.
    The result is password chaos where some sites/apps have a 16 char limit, some even have an 8 char limit. Some insist you use at least one number, some insist on at least one number and one symbol. This really makes it difficult to come up with a universal password scheme that will work everywhere.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I was thinking of LUKS passphrases. Doh :oops:

    For accounts, I generate random strings with ...
    Code:
    tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1
    ... or ...
    Code:
    tr -cd '[:print:]' < /dev/urandom | fold -w30 | head -n1
    ... adjusting length as needed. And I use KeePass for storing them.
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    The diceware scheme uses all lower-case characters, no special characters, which is a big advantage when it comes to keyboard variants/cultures. There are quite reasonable discussions for entropy and the number of words that should be used, for example, for good assurance with at-rest encryption (where you need very strong passwords), 7 words will do the trick. I really like that the entropy is predictably calculable, it's not a guesstimate. I personally find the absence of special tweaks (uppercase and special characters) blissful, because I got confused with my own clever tweaks before, and couldn't remember which version I was using. I also find it faster to type, even though it's longer, because it's regular.

    It's also the case that password crackers already "know" some of the standard tweaks such as putting caps or { or something to start every other word, all that kind of rule.

    I have no intention whatsoever of "wasting" those strong remembered passwords on websites (they are only for FDE, account passwords, sensitive data). As you point out, some sites have restrictions on password length, or demand what they deem to be password complexity. But that's why I've got LastPass and Password Safe (both with TFA) - they can remember the rubbish for the rubbishy websites which I don't trust anyway, so there is NO password chaos for me, I don't have to remember that many. What I want from the websites is decent TFA, which even appears beyond the scope of most banking and huge e-commerce sites. Pathetic.
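    The arithmetic behind several posts in this thread (Nebulus' point that a meter can compute entropy "using the definition", deBoetie's figure of 7 diceware words for at-rest encryption, and MisterB's site that capped passwords at 14 characters) can be made concrete. The following is an added worked example written for this page, not code from the thread, from KeePass or from the zxcvbn tool mirimir quoted. It assumes a simple four-class character model and the standard 7776-word (five-dice) Diceware list; the sample string is mirimir's from post 5, the other inputs are constructed.

```python
"""Password-strength arithmetic: naive meter vs. generation-process entropy.

Added example for this thread (not KeePass's or zxcvbn's code). It shows why a
string derived from a sentence scores high on a charset-based meter, how a
Diceware passphrase's entropy is known exactly from how it was generated, and
how a site's length cap bounds the best achievable entropy.
"""
import math
import secrets
import string
from collections import Counter

# Character classes a simple strength meter recognises (assumed model).
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]
FULL_CHARSET = sum(n for _, n in CLASSES)  # 94 printable ASCII, no space


def charset_size(pw: str) -> int:
    """Size of the union of classes that contain at least one character of pw."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in pw))


def naive_charset_bits(pw: str) -> float:
    """length * log2(charset): assumes every position is uniformly random.

    This is what a meter reports when it knows nothing about how the string
    was produced, which is why a first-letters-of-a-sentence string looks
    far stronger than its real generation process justifies.
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def shannon_bits(pw: str) -> float:
    """Shannon entropy of the string's own character frequencies, times length.

    Never exceeds the naive figure; repeated characters pull it down, so it
    exposes some structure the charset model ignores.
    """
    if not pw:
        return 0.0
    n = len(pw)
    per_char = -sum((k / n) * math.log2(k / n) for k in Counter(pw).values())
    return per_char * n


def diceware_bits(n_words: int, list_size: int = 7776) -> float:
    """Entropy of n_words drawn uniformly from a list of list_size words.

    Known exactly from the generation process, independent of which words
    came up: 7 words from the 7776-word list is about 90 bits.
    """
    return n_words * math.log2(list_size)


def max_bits_under_limit(max_len: int, charset: int = FULL_CHARSET) -> float:
    """Upper bound on entropy any password can have under a length cap."""
    return max_len * math.log2(charset)


def random_password(length: int = 30,
                    alphabet: str = string.ascii_letters + string.digits) -> str:
    """Uniform random string from a CSPRNG; the Python analogue of
    tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    pw = "WhtttbsetamacettaebtCwcuRtataLLatpoH"  # mirimir's sample from post 5
    print(f"naive charset model : {naive_charset_bits(pw):6.1f} bits")
    print(f"shannon (own freqs) : {shannon_bits(pw):6.1f} bits")
    print(f"diceware, 7 words   : {diceware_bits(7):6.1f} bits")
    print(f"cap at 14 chars     : {max_bits_under_limit(14):6.1f} bits")
    rnd = random_password()
    print(f"random 30 alnum     : {naive_charset_bits(rnd):6.1f} bits  {rnd}")
```

    The naive model credits the 36-letter sentence-derived string with about 205 bits, yet zxcvbn in post 5 gave 130 and an attacker who knows the source text would do far better still; the meter measures the alphabet, not the generation process. A Diceware passphrase has the opposite property: its entropy is fixed by the dice and the list size, so the figure is exact rather than an estimate. The length-cap function shows that even perfectly random 14-character passwords top out near 92 bits, which is what the 14-character limit in post 14 costs.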
     
  23. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I know what you mean about clever tweaks; I have shot myself in the foot by doing that too.
     