Overzealous password checkers

ArcaneSaint

Da Orky Man said:
- be between 8 and 14 characters long
Okay, this always scares me when I see it. Why would they limit a password to X characters? If they're properly hashing and securing the password before storing it then limiting length doesn't serve any purpose, right? The only reason I can see why they would put a size limit on passwords is if they're storing them in plain text, and have a size limit on the 'password' column in their database. Unless there's some other reason why some sites limit their password lengths to ridiculously short ones like 12 or 16 characters?
 

evilneko

Uncle Nick said:
TechNoFear said:
Wrong/misinformed.

It assumes a particular attack method; brute force using all possible characters (valid ASCII values).

In practice most attacks use a number of methods, first trying to find 'simple' passwords, before resorting to brute force.

These methods (for simple passwords) include 'dictionary' attacks, which is to try a list of words and common passwords (12345 is the most common).

This means that the password in the second example would be found with methods used much earlier in the attack (than the method required to find the password in the first example).
Dictionary attacks use word lists, correct. They do not, however, use multiple words and here's why:

As the OED is cited as containing 171,476 words, a dictionary attack using this list would take a maximum of 171,476 guesses. A two word phrase, using words taken from this list would take a maximum of 171,476^2 guesses. Hmm, that's a lot more.

The CHBS password (indeed, any four word passphrase) would take a maximum of 171,476^4 guesses. 8.645963084×10²⁰, my calculator tells me. Which at the same 1,000 guesses per second rate would take 27,416,169,089 years to exhaust the search space. So the brute force attack would actually be faster than the dictionary attack.
You're assuming an extremely low guess rate and a very basic style of attack. In reality the guess rate would be at least 6-7 orders of magnitude higher, the wordlist would be optimized and the attack more intelligent.

ArcaneSaint said:
Da Orky Man said:
- be between 8 and 14 characters long
Okay, this always scares me when I see it. Why would they limit a password to X characters? If they're properly hashing and securing the password before storing it then limiting length doesn't serve any purpose, right? The only reason I can see why they would put a size limit on passwords is if they're storing them in plain text, and have a size limit on the 'password' column in their database. Unless there's some other reason why some sites limit their password lengths to ridiculously short ones like 12 or 16 characters?
Length limits have multiple causes, from poor application design to stupid decisions on the part of management. It's also pretty common for passwords to be stored as plain, unsalted MD5 hashes, which might as well be plain text with today's cracking capabilities. Your password's essentially only as good as the method used to store it.
 
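The storage point evilneko makes above (unsalted MD5 is close to plaintext, and a length cap has nothing to do with a properly hashed password) in working code. This is an added example, not code from any poster: the wordlist, the 1024-byte cap and the 100,000-iteration PBKDF2 cost are assumptions chosen for the demonstration. The cap exists only to bound how much CPU one login attempt can burn through the slow hash, which is why it is hundreds of bytes rather than 14 characters.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a cracking wordlist; real ones run to millions of entries.
COMMON_PASSWORDS = ["123456", "12345", "password", "qwerty", "letmein", "dragon", "P@ssw0rd"]

# Assumed upper bound on password size. It bounds the cost of the slow hash per login
# attempt; it is not a storage limit, and nothing below truncates the password.
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 100_000   # assumed cost factor for the demonstration


def md5_store(password: str) -> str:
    """The legacy scheme: unsalted MD5, one fast hash, identical for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute digest -> plaintext once. Because there is no salt, the same table
    cracks every user in every dump that uses the scheme, at the cost of a dict lookup."""
    return {md5_store(w): w for w in wordlist}


def crack_md5(digest: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(digest)


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash. The record carries algorithm, cost and salt
    so each can be raised or rotated later without resetting anyone's password."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds the hashing-cost bound")
    if salt is None:
        salt = os.urandom(16)            # fresh per-user salt from the OS CSPRNG
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    for user, pw in [("alice", "password"), ("bob", "password"), ("carol", "dragon")]:
        digest = md5_store(pw)
        print(f"{user:6} md5={digest}  cracked={crack_md5(digest, table)}")
    # Same password, salted: two different records, both verify, neither is in any table.
    rec_a = pbkdf2_store("password")
    rec_b = pbkdf2_store("password")
    print("distinct records:", rec_a != rec_b, "verify:", pbkdf2_verify("password", rec_a))
    # A 200-character password is no problem for the hash; only the cost bound applies.
    print("long password ok:", pbkdf2_verify("x" * 200, pbkdf2_store("x" * 200)))
```

Run it and alice and bob show identical MD5 digests that fall to the precomputed table instantly, while the PBKDF2 records differ per user and cannot be compared across accounts. Note what the cap does and does not do: a 200-character password hashes and verifies fine, and a 2,000-byte one is refused outright rather than silently truncated.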

rdaleric

I was told full stops make a password more secure...

Anyway, OT: at work we have much the same, except we can just add a non-sequential number on the end, which makes remembering it simpler.
 

ForumSafari

Those password restrictions are there to stop you being an idiot, not necessarily to create a strong password. By maximising the number of subsets of characters they make a brute force attack harder, but the real purpose is to make it as hard as possible to use a real-life phrase as your password; in short, they're there to fight your natural inclination to make your password something of emotional significance to you.

Otherwise known as the things you post about on Facebook. That's incidentally how most Facebook profiles get 'hacked'; either by a dictionary attack or by someone that knows the person entering personally significant phrases.

Also remember you can generate random passwords and store them with a keyring so it's not really all that odious.
 

meelooteen

I find http://generator.designeus.net/ helpful in these situations. It generates a password that meets the standards, and makes it "pronounceable".
 

Fdzzaigl

I have no real problem with difficult passwords, however I do have a problem with systems that keep switching around usernames. At my college, to login to the main courses you just use a username, to login to the central digital platform you use your specific college mail address as a username, to login to the mail server you use your username followed by @.......... which is different from your regular mail address and is ridiculously long and tedious to type out (yes it's stupid) whereafter you wait to be redirected.

Furthermore, it is not enough to log into the central platform to access all these functions, instead you need to type those different usernames with your password 3 times for each function, while all three also time out relatively quickly.

To make matters EVEN worse, all these pages take forever to load. On one occasion my session in one of the platforms had timed out while I was waiting for the other two to load.

--

For some absurd reason they decided to put that in this year under the guise of making things clearer and more transparent, with extra functionality like forums to discuss courses etc.

Guess how the previous system worked? Log in once and BLAM, access to everything. They just had to fuck it up.
 

TomWiley

I think what many don't realize is how smart those bots that brute-force passwords are. They will try combinations of words in existing encyclopedias and databases with phrases.

So I wouldn't call that password-checker overzealous. Rather, most password-checkers aren't strict enough.
 

Klaflefalumpf

I used to work for the good 'ole British government and didn't have to go through that much bother for the password.

Not to say it wasn't a fanny on, minimum length and you had to change it every 3 months to something you hadn't used in the last 2 years.

Strangely when I first started we were given a choice of three randomly generated passwords. The one I chose I remember to this day, seven years on.
 

4RM3D

I am far more annoyed by the overzealous username checkers.

- Can't start your name with a number?
- Must have a minimum of 6 characters?

Why? Stupid rules.

It is also the reason why I didn't make an account for Gmail, until I could no longer postpone it. Because Gmail also has a silly e-mail username checker.

Then again The Escapist is the exact opposite. Almost everything is allowed.
 

DrOswald

evilneko said:
Uncle Nick said:
TechNoFear said:
Wrong/misinformed.

It assumes a particular attack method; brute force using all possible characters (valid ASCII values).

In practice most attacks use a number of methods, first trying to find 'simple' passwords, before resorting to brute force.

These methods (for simple passwords) include 'dictionary' attacks, which is to try a list of words and common passwords (12345 is the most common).

This means that the password in the second example would be found with methods used much earlier in the attack (than the method required to find the password in the first example).
Dictionary attacks use word lists, correct. They do not, however, use multiple words and here's why:

As the OED is cited as containing 171,476 words, a dictionary attack using this list would take a maximum of 171,476 guesses. A two word phrase, using words taken from this list would take a maximum of 171,476^2 guesses. Hmm, that's a lot more.

The CHBS password (indeed, any four word passphrase) would take a maximum of 171,476^4 guesses. 8.645963084×10²⁰, my calculator tells me. Which at the same 1,000 guesses per second rate would take 27,416,169,089 years to exhaust the search space. So the brute force attack would actually by faster than the dictionary attack.
You're assuming an extremely low guess rate and a very basic style of attack. In reality the guess rate would be at least 6-7 orders of magnitude higher, the wordlist would be optimized and the attack more intelligent.
But the guess rate would not matter when comparing these two types of passwords. The arbitrarily chosen 1000/second is just there to illustrate a point. If the guess rate is 100000x that number that makes both methods equally less secure. So guess rate has no effect on which is more secure.

The true question here is would 4 random words be less secure than, let's say, 10 random characters? Maybe. But only from the standpoint of a guessing algorithm. It would not be hard to use 4 nearly random words. With just a quick internet search I can find a random word generator (English, with 90,000 entries). The first 4 words I get:

Topographer
Renumerate
Torrid
Botanizer

So my password is topographerrenumeratetorridbotanizer. Despite the length that is a pretty easy password to remember. Which makes it significantly more secure than any randomly generated 10 character string because no one can remember those passwords and they will get written down.

And this is the problem. A decent security system will prevent more than, let's say, 10 guesses per second (if it even allows that.) Which means in an actual secure system both password methods would be equally impossible to guess in a reasonable amount of time. This means the greatest threat to security is the attacker somehow getting the password written down somewhere, such as in a google doc. This is an extremely common practice since no one can remember their passwords because they are so complicated. Even worse, passwords are commonly sent through IM and email because it is very difficult to communicate these random passwords. And don't even get me started on "security questions" which are only needed because we use such hard to remember passwords. Could anything be less secure than having all your bank information locked behind your mother's maiden name?

By making the password a complicated random mess of characters we are virtually guaranteeing that our users will break all the really big security rules. They will write it down. They will send it through IM. Or they will use a stupid and insecure password because they don't want to deal with the shit of a random character string. When you create a security system you have to design it with how people will use it in mind.
 

evilneko

DrOswald said:
But the guess rate would not matter when comparing these two types of passwords. The arbitrarily chosen 1000/second is just there to illustrate a point. If the guess rate is 100000x that number that makes both methods equally less secure. So guess rate has no effect on which is more secure.
I didn't want anyone thinking they'd be safe with a simple string of dictionary words. Given a list of passwords, it really depends on just what the attacker does first which ones will fall first.

The true question here is would 4 random words be less secure than, let's say, 10 random characters? Maybe. But only from the standpoint of a guessing algorithm. It would not be hard to use 4 nearly random words. With just a quick internet search I can find a random word generator (English, with 90,000 entries). The first 4 words I get:

Topographer
Renumerate
Torrid
Botanizer

So my password is topographerrenumeratetorridbotanizer. Despite the length that is a pretty easy password to remember. Which makes it significantly more secure than any randomly generated 10 character string because no one can remember those passwords and they will get written down.
I suppose you could say it depends on the order in which the attacker applies his attacks, and which ones he uses. Bottom line, a given password's real-world strength depends more on the attacker than the user. Your diceware passphrase could be one of the first to fall, or it could be the last, but if an attacker gets hold of that database, it's practically a foregone conclusion that it will.

Also, people won't even use simple tools like PasswordSafe or KeePass. Are they really going to use a random word generator? :p

And this is the problem. A decent security system will prevent more than, let's say, 10 guesses per second (if it even allows that.) Which means in an actual secure system both password methods would be equally impossible to guess in a reasonable amount of time.
As if anyone did online attacks. :p Even a legacy standard like 8 alphanumeric characters is fine so long as no attacker ever swipes your database and you have a reasonable lockout policy.

This means the greatest threat to security is the attacker somehow getting the password written down somewhere, such as in a google doc.
I donno, I don't think anyone's ever managed to nick Google's db. A Google Doc might not be such a bad thing. A local document would be better. A piece of paper in your wallet, or at home, better still, especially if it doesn't have any context as to what it's for, and I say this as someone who's had their home broken into. Now, sticky-note on the monitor saying "My GMail Password," yeah that's bad, but some random shit on an index card? Better than an unencrypted file, at least.


This is an extremely common practice since no one can remember their passwords because they are so complicated. Even worse, passwords are commonly sent through IM and email because it is very difficult to communicate these random passwords.
Well, the idea is for the user to change these passwords after receiving them via email... >.>

And don't even get me started on "security questions" which are only needed because we use such hard to remember passwords. Could anything be less secure than having all your bank information locked behind your mother's maiden name?
Agreed. This is why I've got the answers to my security questions stored in KeePass: I made shit up on them.
 
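Both sides of the exchange above lean on the same assumption: that an online attack is bounded by the server's lockout policy (DrOswald's "prevent more than 10 guesses per second", evilneko's "reasonable lockout policy"). Here is an added example, not code from either poster, of what such a policy looks like and what it buys: a per-account throttle with exponential backoff, plus a simulation of an attacker hammering one account for a day. The attempt limits, delays, account name and the target password are all assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class AccountThrottle:
    """Per-account failure counter with exponential backoff.

    After `free_attempts` consecutive failures the account refuses further
    attempts for base_delay * 2**k seconds (capped at max_delay), where k is the
    number of failures beyond the free ones. A successful login resets everything.
    Keying on the account rather than the source IP is what stops a botnet from
    sidestepping the limit by spreading guesses across many addresses.
    """
    free_attempts: int = 5
    base_delay: float = 1.0
    max_delay: float = 3600.0
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, password: str, now: float,
                verify: Callable[[str, str], bool]) -> str:
        """Returns 'throttled' (guess not even evaluated), 'denied' or 'ok'."""
        if now < self.locked_until.get(user, 0.0):
            return "throttled"
        if verify(user, password):
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.free_attempts:
            delay = min(self.base_delay * 2 ** (n - self.free_attempts), self.max_delay)
            self.locked_until[user] = now + delay
        return "denied"


def simulate_online_attack(throttle: AccountThrottle, window_seconds: float = 86400.0,
                           attacker_rate: float = 100.0) -> int:
    """Attacker sends wrong guesses at `attacker_rate` per second for `window_seconds`,
    waiting out each lock as soon as it expires (the best case for the attacker).
    Returns how many guesses the server actually evaluated."""
    def verify(user: str, password: str) -> bool:
        return password == "correct-horse-battery-staple"   # constructed target; never guessed

    now, evaluated = 0.0, 0
    while now < window_seconds:
        result = throttle.attempt("alice", f"guess{evaluated}", now, verify)
        if result == "throttled":
            now = throttle.locked_until["alice"]
            continue
        evaluated += 1
        now += 1.0 / attacker_rate
    return evaluated


def unthrottled_guesses(window_seconds: float = 86400.0, attacker_rate: float = 100.0) -> int:
    """What the same attacker gets against a server with no lockout at all."""
    return int(window_seconds * attacker_rate)


if __name__ == "__main__":
    evaluated = simulate_online_attack(AccountThrottle())
    print(f"guesses evaluated in 24h with throttle: {evaluated}")
    print(f"guesses evaluated in 24h without throttle: {unthrottled_guesses()}")
```

With the assumed parameters the attacker gets a few dozen evaluated guesses per day against one account instead of millions, which is why an 8-character alphanumeric password survives an online attack and why the database dump, not the login form, is where passwords actually fall. The backoff is per account, so a legitimate user who mistypes twice is never inconvenienced, and the lock expires on its own rather than requiring a helpdesk call.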

DrOswald

evilneko said:
DrOswald said:
But the guess rate would not matter when comparing these two types of passwords. The arbitrarily chosen 1000/second is just there to illustrate a point. If the guess rate is 100000x that number that makes both methods equally less secure. So guess rate has no effect on which is more secure.
I didn't want anyone thinking they'd be safe with a simple string of dictionary words. Given a list of passwords, it really depends on just what the attacker does first which ones will fall first.
But in almost all the ways that count it is no less secure for the average individual to use a random word string than a random character string.

The true question here is would 4 random words be less secure than, let's say, 10 random characters? Maybe. But only from the standpoint of a guessing algorithm. It would not be hard to use 4 nearly random words. With just a quick internet search I can find a random word generator (English, with 90,000 entries). The first 4 words I get:

Topographer
Renumerate
Torrid
Botanizer

So my password is topographerrenumeratetorridbotanizer. Despite the length that is a pretty easy password to remember. Which makes it significantly more secure than any randomly generated 10 character string because no one can remember those passwords and they will get written down.
I suppose you could say it depends on the order in which the attacker applies his attacks, and which ones he uses. Bottom line, a given password's real-world strength depends more on the attacker than the user. Your diceware passphrase could be one of the first to fall, or it could be the last, but if an attacker gets hold of that database, it's practically a foregone conclusion that it will.

Also, people won't even use simple tools like PasswordSafe or KeePass. Are they really going to use a random word generator? :p
I don't see why not. It can't be harder than convincing everyone that using leet speak makes a secure password, which is all we have managed so far.

The random English word password is easily as secure as a random string password. The math puts a 4 word random at about the same difficulty as a 10 character random string. Adding a single word (bringing it up to 5 words) would be similar to a 12 character string. 6 words is a 14 or 15 character string. And a 6 word password is a whole lot easier to remember than the 14-15 character password. We could even make the password more secure by including proper nouns and slang in the list.

If it is a foregone conclusion that the random word password will be broken, then it is also foregone that the random character password will be broken. Unless you use passwords so long that no person can remember them. Which means they must be written down. Which is a huge security problem.

And this is the problem. A decent security system will prevent more than, let's say, 10 guesses per second (if it even allows that.) Which means in an actual secure system both password methods would be equally impossible to guess in a reasonable amount of time.
As if anyone did online attacks. :p Even a legacy standard like 8 alphanumeric characters is fine so long as no attacker ever swipes your database and you have a reasonable lockout policy.
Actually, online attacks are common. No one brute forces over the internet. They take advantage of bad password practices (like insecure passwords, rummaging through trash to find disposed-of password lists, etc) to gain initial access. Once they are in they can then do a ton of damage. The greatest threats to security are not hackers with highly sophisticated tools, they are people who compromise their own system with poor security practices. Which is why the random character passwords are so bad. Because it encourages poor security practices.

This means the greatest threat to security is the attacker somehow getting the password written down somewhere, such as in a google doc.
I donno, I don't think anyone's ever managed to nick Google's db. A Google Doc might not be such a bad thing. A local document would be better. A piece of paper in your wallet, or at home, better still, especially if it doesn't have any context as to what it's for, and I say this as someone who's had their home broken into. Now, sticky-note on the monitor saying "My GMail Password," yeah that's bad, but some random shit on an index card? Better than an unencrypted file, at least.
People don't need to get Google's database. All they need is your email password and they are into your google doc with all the passwords listed.

And physical, zero-context lists can be just as bad, especially in a corporate setting.

This is an extremely common practice since no one can remember their passwords because they are so complicated. Even worse, passwords are commonly sent through IM and email because it is very difficult to communicate these random passwords.
Well, the idea is for the user to change these passwords after receiving them via email... >.>
You do not understand. People are sending these passwords not for authentication but because they need the info to do something. For example, a person might send the 10 character random string through IM so someone else can use the password. I have 5 years experience trying to keep a medium scale organization secure (just under 100 individuals.) People do this kind of thing all the time. People make lists that they leave on their desk. People do all kinds of stupid things and can we blame them when we have implemented a system that makes it literally impossible to remember everything?

Basically, if you do everything right then yes, random characters are better than random words. But 99% of the people out there are not going to do that. Better to promote a system that will discourage poor practices that is just as secure if not more so than what people are doing anyway.
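The arithmetic that runs through this thread (evilneko's 171,476^4 guesses at 1,000 per second, DrOswald's claim that 4 random words from a 90,000-word list match about 10 random characters, 5 words about 12, 6 words 14 or 15, and his point that the guess rate cancels out when comparing two schemes) carried through in code. This is an added example, not anything posted in the thread. It assumes the word-list sizes the posters quote, a 95-symbol printable-ASCII alphabet for "random characters", a 365-day year (which reproduces evilneko's figure), and a constructed twelve-word list that stands in for a real generator's list; the strength of a passphrase depends only on the list's size and on each word being drawn independently and uniformly, never on which words they are.

```python
import math
import secrets
from typing import List

PRINTABLE_ASCII = 95        # printable ASCII, space through '~'
ALPHANUMERIC = 62           # [A-Za-z0-9]
OED_WORDS = 171_476         # OED headword count quoted in the thread
GENERATOR_WORDS = 90_000    # size of the random word generator's list quoted in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct secrets of `length` symbols drawn uniformly from `alphabet_size` symbols.
    A word from a list is one symbol here, just like one character from a charset."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker; on average a uniform secret falls at half this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def equivalent_chars(words: int, wordlist_size: int,
                     alphabet_size: int = PRINTABLE_ASCII) -> float:
    """How many uniformly random characters carry the same entropy as `words` random words."""
    return entropy_bits(wordlist_size, words) / math.log2(alphabet_size)


# Constructed toy list. Only its length enters the arithmetic above.
TOY_WORDLIST = ["topographer", "renumerate", "torrid", "botanizer", "lantern", "quartz",
                "meadow", "saddle", "ember", "vortex", "glacier", "pistachio"]


def passphrase_words(n_words: int, wordlist: List[str]) -> List[str]:
    """Draw with the OS CSPRNG. Independent uniform draws are what make the search-space
    arithmetic valid; a human picking 'memorable' words, or random.choice(), does not qualify."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def passphrase(n_words: int, wordlist: List[str], sep: str = "") -> str:
    return sep.join(passphrase_words(n_words, wordlist))


if __name__ == "__main__":
    four_words = search_space(OED_WORDS, 4)
    print(f"4 OED words: {four_words:.3e} guesses")
    for rate in (1e3, 1e10):   # throttled-online-ish vs. the offline rates evilneko alludes to
        print(f"  at {rate:.0e}/s: {years_to_exhaust(four_words, rate):,.0f} years")
    for n in (4, 5, 6):
        print(f"{n} words from {GENERATOR_WORDS:,}: {entropy_bits(GENERATOR_WORDS, n):.1f} bits "
              f"~ {equivalent_chars(n, GENERATOR_WORDS):.1f} random printable characters")
    eight_alnum = search_space(ALPHANUMERIC, 8)
    print(f"8 alphanumeric at 10/s online: {years_to_exhaust(eight_alnum, 10):,.0f} years; "
          f"at 1e10/s offline: {years_to_exhaust(eight_alnum, 1e10) * SECONDS_PER_YEAR / 3600:.1f} hours")
    print("sample passphrase (toy list):", passphrase(4, TOY_WORDLIST, "-"))
```

Running it reproduces the thread's numbers: four OED words come to about 27.4 billion years at 1,000 guesses per second and under three thousand years at 10^10 per second; four, five and six words from the 90,000-entry list land at roughly 10, 12.5 and 15 printable characters. The last line of output is the other half of the thread's argument in one place: an 8-character alphanumeric password is unreachable through a throttled login form and a few hours' work against a dumped fast hash, so the guess rate, set by where the attacker is, decides far more than the shape of the password does.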