What makes a password secure?
This from Bruce Schneier's Crypto-gram discussion of the 100,000 or so passwords harvested in a recent phishing attack on MySpace:
". . . passwords are getting better. I'm impressed that less than 4% were dictionary words and that the great majority were at least alphanumeric. Writing in 1989, Daniel Klein was able to crack 24% of his sample passwords with a small dictionary of just 63,000 words, and found that the average password was 6.4 characters long."
This goes along with the conventional wisdom that longer, harder to guess passwords are more secure. But Schneier admits:
"Of course, this analysis assumes that the attacker can get his hands on the encrypted password file and work on it offline, at his leisure . . ."
How often does that happen, and when it does, will an alpha-numeric password not based on a dictionary word really help you? Does it make any difference to the victim if a computer took 30 minutes or 8 hours to crack his password? Either way, the damage is likely to have been done by the next time he logs in. If an attacker can gain access to the password file, it's because he's already beaten the security. It's too late to hope that whatever you had behind those primitive defenses is still safe simply because you have asterisks and ampersands in your password.
The real security behind a password has nothing to do with how easy it is for a computer to guess. It's secure because its relationship to the account or the account holder can be known only to those acquainted with him and the process he used to arrive at the password he created. The broader the set of possible influences used in its creation, the more secure it is. The key, then, is to keep that set as broad and non-repeating as possible, without compromising your ability to remember what you chose. I propose a truly random seed generation system for coming up with the ideas, i.e., words or small groups of words, which may be used in selecting a strong password for any situation: Life.
Let me explain by way of example: I got my first credit card as a sophomore in college, just before leaving on a trip with some friends. I was a couple of months into my new job, and was thinking more and more about getting a credit card. What finally decided it for me was the trip with my friends, and the convenience it would provide me in arranging travel, etc. That's what I had on my mind when I created my online account. So the password is associated with that trip, in a way that is ridiculously easy for me to remember, but will never be guessed by anyone not familiar with what I was doing or planning those years ago when I got the account. I now have 7 credit cards, all with distinct passwords that have nothing to do with each other, and which I do not use anywhere else. This works well because whether you are creating a MySpace account or aligning yourself with an online stock broker, chances are pretty good that something motivated you to do it then, instead of a year ago, or waiting until next month. From these motivations it is not difficult to choose one that is associated with the account in a way only you will recognize. Such momentary and fleeting associations are a very secure "seed" for your password, because they occur at the rate of several per day and rarely repeat, being as they are, tied both to happenings in your life, and to your quite personal and evolving responses to those happenings.
But now what happens when you are required to change your password, "for security reasons"? Chances are that on the particular day when your password expired your reasons for logging in were quite ordinary; if you were to choose a password in the same way as you had originally, it would be tied to that particular day and circumstance. But would you remember it? Perhaps for a little while. But while it's easy to remember the first time you did something, it's much harder to remember the 20th or 100th time. So the password will come to be associated in your mind with that particular day that you changed it, but NOT with the account. If it's one you log into rarely, you'll soon find that staring at the login screen doesn't help you remember the events, thoughts and feelings associated with the 153rd time you logged in. You've forgotten the password.
There is a characteristic response to this dilemma. After a person forgets a few passwords, his strategy is usually a combination of three things:
- Write the password down
- Use the same password across multiple accounts
- Construct the password from elements that you can remember OUTSIDE the context of the particular account
Worse yet is what happens when he refuses to succumb to the one-size-fits-all solution. He decides that if he cannot tell his passwords apart by context, he must associate them with the account, also in a context-free way. Thus the third most common password harvested in the above-mentioned MySpace attack is 'myspace1'.
Those in favor of such intrusive password policies as mandatory periodic expiration argue that it increases the random nature of the password, since you soon run out of easy-to-remember possibilities. But what is random to an attacker is not necessarily random to me, and what seems random to me may not be to a computer. Using a simple phrase or a pair of words from the ever-changing context of your life and the circumstances surrounding the account you are protecting will not make your password unbreakable. But it will prevent it from being guessed. Let's look at some numbers. Going back to Schneier's article:
"AccessData's Password Recovery Toolkit -- at 200,000 guesses per second -- would have been able to crack 23% of the MySpace passwords in 30 minutes, 55% in 8 hours."
The implication is that if your password was in those first 23%, you are at risk. Is that so? Let's assume the attacker is using a brute-force login attack, whereby his computer attempts to authenticate to, let's say, your bank's secure website. Due to the server-side delay in verifying your credentials and informing your web browser whether you have been recognized, you can only do this every second or so. Let's assume the ideal blackguard's online banking system, where there is no limit to the number of failed logins before lockout, and no indication given to the Administrators or e-mail notification to the customer of an inordinate number of failed logins (a more realistic scenario would allow only a few attempts before the server responded by allowing only one attempt every 3 seconds, then only one attempt every 10 seconds, then every 1 minute, etc.). Let's assume your password is at the tail end of those 23%, i.e., that it could've been cracked in 30 minutes. 200,000 guesses per second by 1800 seconds is 360,000,000 guesses. So at one per second, on our ideal server, it would take more than 11 years to crack. If anyone wants my account information that badly, I say let him have it. Patience is a virtue, they say.
Now let's consider what happens if he can eliminate some possibilities from the get-go. Instead of starting with 63,000 words (modern dictionaries are larger), let's say you narrow it down to those words which are associated with the target. Names and stars of sports teams, movies and actors' names, names and birth-dates of family members, hometowns, hobbies, vacation spots, pets. This will work better on an experienced professional, one who has been forced to change his password(s) so many times that he has long since given up trying to be creative with them.
You now have about 100 words. Of course, the password won't be any of these words. Those who rely on such obvious clues for security do so on the assumption that small changes and/or combinations/mis-spellings will foil an attacker.
It won't. Any password cracker worth the hard-drive space it sits on will mix and match letters with their corresponding numbers and special characters (replacing e's with 3's or #'s, e.g. trying 'l@@k' for the word 'look'), add numbers and random characters at the end ('julie23!' for 'julie'), permute the case ('HOWDY' and 'hOwDy' may be tried for 'howdy') and combine all these tactics.
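A signup form or password audit can make the same point from the defender's side by undoing the mangling instead of generating it. The following is an added example, not part of the original post; `CONTEXT_WORDS`, `UNLEET` and the function names are hypothetical, and the word list is constructed sample data.

```python
import itertools

# Constructed sample: words an acquaintance could list for a hypothetical user.
CONTEXT_WORDS = {"julie", "look", "howdy", "myspace"}

# Symbol -> letter(s) it commonly stands for. '@' can be 'a' or 'o'
# (the post's 'l@@k'), so ambiguous symbols carry every reading.
UNLEET = {"3": "e", "#": "e", "@": "ao", "0": "o", "1": "il",
          "$": "s", "5": "s", "7": "t", "!": "i"}


def readings(core, limit=4096):
    """Yield each plain-letter reading of `core`, capped at `limit`."""
    options = [UNLEET.get(ch, ch) for ch in core]
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)


def derived_from(password, words=CONTEXT_WORDS):
    """Return the context word a password reduces to, or None.

    Case is folded, trailing digits/symbols are peeled off one at a
    time (so 'julie23!' and 'jul13!' are both covered), and symbol
    substitutions are reversed.
    """
    cores = [password.lower()]
    while cores[-1] and not cores[-1][-1].isalpha():
        cores.append(cores[-1][:-1])
    for core in cores:
        for reading in readings(core):
            if reading in words:
                return reading
    return None


if __name__ == "__main__":
    for pw in ["l@@k", "julie23!", "hOwDy", "myspace1", "tallinn ferry"]:
        print(f"{pw!r:16} -> {derived_from(pw)}")
```

Every mangled form in the paragraph above collapses back to its seed word in a handful of steps; only the password drawn from outside the word list survives.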
So the final guess list will not be 100, but as an upper bound, we'll compare it to a small dictionary and say it's 63,000/100 = 630 times smaller than the corresponding list for passwords which are not limited in scope (In reality, it would be smaller than this, because the variations above apply not only to individual words, but to groups of words, which scale exponentially as the word list grows).
With these assumptions, cracking time has gone from 11 years to less than 7 days.
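The arithmetic above, carried one step further with the escalating delays mentioned earlier (1 s, then 3 s, 10 s, 1 minute). This is an added example, not from the original post; the number of attempts allowed in each tier is an assumption, since the post gives only the delays.

```python
OFFLINE_RATE = 200_000      # guesses per second, the figure quoted in the post
OFFLINE_SECONDS = 30 * 60   # "cracked in 30 minutes"
SCOPE_FACTOR = 630          # 63,000 / 100, the post's upper bound

# (attempts allowed, seconds per attempt); None means "all that remain".
NO_THROTTLE = [(None, 1)]
# Assumed tier sizes: the post names the delays but not how many tries each gets.
THROTTLE = [(5, 1), (10, 3), (20, 10), (None, 60)]


def guesses_needed(scoped=False):
    """Guesses to reach the 30-minute password, optionally with the
    word list narrowed to the target's ~100 context words."""
    total = OFFLINE_RATE * OFFLINE_SECONDS
    return -(-total // SCOPE_FACTOR) if scoped else total  # ceiling division


def online_seconds(guesses, tiers):
    """Wall-clock seconds to submit `guesses` logins under `tiers`."""
    elapsed, remaining = 0, guesses
    for count, delay in tiers:
        used = remaining if count is None else min(count, remaining)
        elapsed += used * delay
        remaining -= used
        if remaining == 0:
            return elapsed
    raise ValueError("tiers must end with an unbounded (None, delay) tier")


if __name__ == "__main__":
    day, year = 86_400, 365.25 * 86_400
    full, scoped = guesses_needed(), guesses_needed(scoped=True)
    print(f"unscoped, 1/s : {online_seconds(full, NO_THROTTLE) / year:.1f} years")
    print(f"scoped,   1/s : {online_seconds(scoped, NO_THROTTLE) / day:.1f} days")
    print(f"scoped, tiered: {online_seconds(scoped, THROTTLE) / day:.0f} days")
```

Under the assumed tiers the narrowed list stretches from under a week to over a year of continuous failed logins against one account.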
The vulnerability has nothing to do with how you mangle the word(s), or how random the characters may seem to you. It's a function of your "word space", the set of all possible words you might use in the construction of the password. The larger the word space, the more secure the password.
Now if you're thinking that choosing a few words at random out of a dictionary is a good way to go, you're wrong. It will substantially increase your word space, but at the cost of the password being easy for you to remember. Then you are back to the first two options above, which will more than compensate for the added security of a broader word space.
None of this is new. Credit card companies take security very seriously. They are responsible, by law, for all but the first $50 in losses due to fraud or "identity theft". But they never require you to change your password. They know security and they practice it. Such pseudo-security practices as "password policies" are left for the two-bit IT department at your place of work, or the student Systems Administrator at the local university, or the bureaucracy you must wade through when dealing with the government. In these places, security is measured not by the obstacles it presents to the attacker, but by the inconveniences with which it encumbers the authorized user.
Don't expect things to change anytime soon. TSA will continue to strip-search old ladies at the airport, elections will continue to be decided by voting machines which leave no audit trail, and your local sys-admin will still be deaf to all cries of frustration as he requires you to change your password every 45 days. If you're like me you have 60-70 accounts to keep track of; after a few years of changing all those passwords, the very mention of a password policy will fill you with feelings not spoken of in polite society.
Maybe that explains why the 7th most popular password harvested in the MySpace phishing scandal was "fuckyou".