Monday, April 14, 2014

Password strength

I disagree with a lot of "password strength" measures.  Most measures want you to include upper and lower case, digits, special characters, etc.  I don't feel they are necessary, and they don't give you as much "security" as you might think: substituting a zero for the letter "o" is exactly the kind of swap a cracker's rule set tries first.

Then along came Randall Munroe with an XKCD cartoon which does a much better job of explaining it than I ever could:

[XKCD cartoon: "Password Strength"]

Most of the password strength "meters" that you see on sites are based on the idea that digits, special characters, and mixed-case are the magic elixir for strong passwords.  I was quite dismayed to discover that most of them consider "P@ssw0rd" to be very secure, which is absurd.  Then I found zxcvbn:

Finally, a password strength meter which knows that "P@ssw0rd" is low security (score=0 of 4, crack time 0 seconds)!  Whereas "correcthorsebatterystaple" is very secure (score=4 of 4, crack time 65 years).

Another password method that I've heard hyped which I disagree with is the haystack approach.  According to its author, the password "D0g....................." (21 dots) is very strong.  This is ONLY true against pure brute-force password cracking, which is NOT how serious crackers work.  They run dictionary attacks with substitution rules and look for repeated characters and other patterns, so "D0g" plus a run of dots is a couple of cheap guesses, not a 24-character search.  According to zxcvbn, "D0g....................." is weak (score=0, crack time 84 seconds).  YES!

One fly in all this ointment: many systems limit your password length, sometimes to as few as 8 characters.  This makes it very hard to use 4 random words, meaning that you probably need to go the random route.  For the 8 random character password "0ZhyUQ63", zxcvbn rates it 4 of 4, with centuries required to crack it.  Whereas "saytroll" is weak, with a 22-second crack time.  (Note that "S@yTr0ll" is still weak, with a 7-minute crack time - so much for magic elixirs.)  Keep in mind that zxcvbn's crack times assume a fixed guess rate, so treat them as a ranking rather than a promise: the same password falls much faster to an offline attack against a fast, unsalted hash than to a rate-limited login form.
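The kind of analysis zxcvbn does can be sketched in a few dozen lines.  The following is an added example written for this page, not zxcvbn's code: a toy estimator that un-l33ts and looks up dictionary words, treats a run of repeated characters as one cheap pattern, and falls back to brute force only for whatever is left, then puts the result next to the naive "alphabet size to the power of length" figure that the usual meters report.  The word ranks, the symbol-class size, the score thresholds and the guess rate are constructed assumptions chosen to show the ordering discussed above; they will not reproduce zxcvbn's exact scores or times.

```python
"""Toy pattern-aware password strength estimator, in the spirit of zxcvbn.

Added example, not zxcvbn's code.  Word ranks, the symbol-class size and the
guess rate are constructed assumptions, chosen to illustrate the ordering the
post describes rather than to reproduce zxcvbn's numbers.
"""
import re

# Constructed stand-in for a frequency-ranked cracking dictionary:
# rank = how many guesses an attacker makes before reaching this word.
WORD_RANK = {
    "password": 1, "dog": 100, "say": 200, "troll": 3000,
    "correct": 1500, "horse": 2000, "battery": 4000, "staple": 9000,
}

# l33t substitutions that cracking rule sets routinely undo before lookup.
L33T = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}

SYMBOL_CLASS_SIZE = 33            # assumed number of keyboard symbols incl. space
GUESSES_PER_SECOND = 10_000       # assumed offline rate against a slow, salted hash
SCORE_THRESHOLDS = (10**3, 10**6, 10**8, 10**10)   # zxcvbn-style 0..4 buckets


def _unleet(s):
    """Undo l33t substitutions and case-fold, as a cracker's rules would."""
    return "".join(L33T.get(c, c) for c in s).lower()


def charset_size(s):
    """Size of the alphabet a naive brute-force meter assumes for s."""
    size = 0
    if any(c.islower() for c in s): size += 26
    if any(c.isupper() for c in s): size += 26
    if any(c.isdigit() for c in s): size += 10
    if any(not c.isalnum() for c in s): size += SYMBOL_CLASS_SIZE
    return size


def segment(password):
    """Greedy left-to-right split into ('word'|'repeat'|'brute', text) pieces."""
    pieces, i, n = [], 0, len(password)
    while i < n:
        # Longest dictionary word (after un-l33ting) that starts at position i.
        for j in range(n, i, -1):
            if _unleet(password[i:j]) in WORD_RANK:
                pieces.append(("word", password[i:j]))
                i = j
                break
        else:
            m = re.match(r"(.)\1{2,}", password[i:])   # same char repeated 3+ times
            if m:
                pieces.append(("repeat", m.group(0)))
                i += len(m.group(0))
            elif pieces and pieces[-1][0] == "brute":
                pieces[-1] = ("brute", pieces[-1][1] + password[i])   # extend run
                i += 1
            else:
                pieces.append(("brute", password[i]))
                i += 1
    return pieces


def piece_guesses(kind, text):
    """Guesses an attacker needs for this piece using the matching strategy."""
    if kind == "word":
        guesses = WORD_RANK[_unleet(text)]
        if any(c.isupper() for c in text):
            guesses *= 2                      # also try capitalised variants
        if _unleet(text) != text.lower():
            guesses *= 2                      # also try l33t variants
        return guesses
    if kind == "repeat":
        return charset_size(text[0]) * len(text)   # pick the char, then the length
    return charset_size(text) ** len(text)         # genuine brute force


def estimate(password):
    """Pattern-aware guess count next to the naive charset**length figure."""
    pieces = segment(password)
    guesses = 1
    for kind, text in pieces:
        guesses *= piece_guesses(kind, text)
    return {
        "pieces": pieces,
        "guesses": guesses,
        "naive_guesses": charset_size(password) ** len(password),
        "score": sum(guesses >= t for t in SCORE_THRESHOLDS),
        "seconds": guesses / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "D0g" + "." * 21, "correcthorsebatterystaple",
               "0ZhyUQ63", "saytroll", "S@yTr0ll"]:
        r = estimate(pw)
        print(f"{pw:26} score={r['score']} guesses={r['guesses']:.1e} "
              f"naive={r['naive_guesses']:.1e} ~{r['seconds'] / 31_536_000:.1e} years")
```

Run it and "P@ssw0rd" comes out at 4 guesses while the naive column gives it 95^8, which is the gap between a meter that sees "one dictionary word with two rule variations" and one that sees "eight characters from four classes".  The haystack password collapses the same way: "D0g" is a word lookup and the 21 dots are a single repeat pattern, so the toy scores it below the four-word passphrase and the 8-character random string, both of which land in the top bucket under these assumptions.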

BTW, my wiki has a somewhat longer article on password strength.


ericb said...

Whether or not a password is "strong enough" depends an awful lot on who the supposed attacker is, what their motivations are, how valuable the thing being protected by the password is, how the password is stored, etc. There are many such factors, some of which are under your control (the choice of password to some extent, and the choice of which services to use) and some of which are not (does a web app store your password as a hash with no salt, making it easy pickings for offline rainbow table-based tools like l0phtcrack, or does it use a modern key stretching tool like scrypt?).

Unless an attacker is interested in you, personally (and if they are, remember that keyloggers are largely indifferent to your choice of password), you're probably fine with pragmatic password strength: come up with a password, give l0phtcrack five minutes on a single modern Intel desktop machine to guess it, and if it doesn't guess it in five minutes, you're fine. If you're a criminal, there are plenty of other phish in the sea and unlocked houses to burgle.
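The storage question ericb raises is easy to see in code.  The following is an added example for this page, not part of the comment: two users who share a password are stored once with an unsalted fast hash and once with a per-user salt plus a stretched hash, and a constructed attacker wordlist is run against both.  The user rows and the wordlist are made up for the demonstration; scrypt is used where this Python build provides hashlib.scrypt, with PBKDF2 standing in for the stretching step otherwise.

```python
"""Unsalted fast hash vs salted, stretched hash.  Added example, not ericb's.

The leaked rows and the attacker's wordlist below are constructed.  scrypt is
used when hashlib.scrypt is available; otherwise pbkdf2_hmac stands in as the
key-stretching step so the example still runs.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "saytroll", "P@ssw0rd", "letmein"]  # constructed


def store_unsalted(pw):
    """What a weak web app does: one fast hash, no salt."""
    return hashlib.sha1(pw.encode()).hexdigest()


def store_stretched(pw, salt=None):
    """Per-user random salt plus a deliberately slow, memory-hard hash."""
    if salt is None:
        salt = os.urandom(16)
    if hasattr(hashlib, "scrypt"):
        dk = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)
    else:
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_stretched(pw, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(store_stretched(pw, bytes.fromhex(salt_hex)), stored)


def precomputed_table(hash_fn):
    """One table, built once, serves every user of an unsalted scheme."""
    return {hash_fn(w): w for w in WORDLIST}


def crack_unsalted(rows):
    """Lookup only: cost is the table build, independent of the user count."""
    table = precomputed_table(store_unsalted)
    return {user: table[h] for user, h in rows.items() if h in table}


def crack_stretched(rows):
    """No reusable table: every (user, candidate) pair costs a full slow hash."""
    cracked, work = {}, 0
    for user, stored in rows.items():
        for w in WORDLIST:
            work += 1
            if verify_stretched(w, stored):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = {u: store_unsalted("saytroll") for u in ("alice", "bob")}
    print("identical unsalted hashes:", unsalted["alice"] == unsalted["bob"])
    print("cracked via lookup:", crack_unsalted(unsalted))
    stretched = {u: store_stretched("saytroll") for u in ("alice", "bob")}
    print("identical stretched hashes:", stretched["alice"] == stretched["bob"])
    print("cracked via slow hashing:", crack_stretched(stretched))
```

With the unsalted scheme the two identical passwords produce identical rows, so one precomputed table (or one cracked user) exposes everyone who chose that password.  With a salt the rows differ and the table is useless; the attacker pays one stretched hash per candidate per user, which is exactly the cost that makes a weak password survive a five-minute budget and a strong one outlast it.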

Steve Ford said...

Very true.

The bigger danger is in using the same password across many web sites. Maybe nobody cares about being able to hack my blog. But if I accidentally give that password to a phisher, and I use the same password for Amazon, it could be easy pickings.

Not long ago, my sister was caught by a phisher (a fake Google Doc), and she re-used that password. And she is among the more computer-savvy civilians. It can happen. (Fortunately, she did NOT use that password for any financially-sensitive accounts.)