Also: quit the "security questions" thing. I can't count the number of times I've been locked out of my account because I couldn't remember the precise answer I gave to a security question.
I bought a house last month, and the biggest thorn in my side throughout all of the financial arrangements was security questions (I'm not even joking). Here's a Facebook status update I posted (I had already been complaining about security questions a bunch):
"Just got challenged with a security question, which was "Thank you for your loan application." Wtf, that is not a question. And I've never filled out any security questions for this website, so I have no idea what it's expecting me to enter.
Plus, you should never answer security questions honestly. Your favorite pet or the street you grew up on or your mother's maiden name are all not secret information. Many of my friends and family know the answers to all of these. So, when faced with a security question, I try to pick a random (but false) security answer, which I then write down in an encrypted file. This is a terrible solution, but it feels foolish to answer the questions honestly.
Why would that be the case? It just seems stupid to do so. A security answer is pretty much functionally identical to a password. Doesn't make sense not to hash it (there are no uses of the answer where you would need it in non-hashed form).
They're often used by support agents as a workaround for giving them your password (which the entire world has been diligently trained not to do, right?). They're also often case-insensitive and ignore punctuation, and while it's quite easy to handle that in a hashed scenario, they're usually implemented by programmers that don't get security.
Of course, the same apps with security questions are probably the ones not hashing your actual password in the first place.
Yeah it is stupid, probably because security answers are needed to trigger some system on the server side (not to decrypt anything) and if an attacker has access to the DB, probably can already trigger the process. But actually they are even more sensible to reuse than passwords, so they should be hashed.
I'm not sure about all security questions, but I have noticed many credit card support lines ask me for my mother's maiden name, and the answer I give is long and not easily spelled but they always confirm -- instantly -- "that's it" and proceed.
Think about last names, as well... there's huge variety in length, spelling, etc. -- it's poor customer service to force the customer to spell it out letter by letter -- so it's necessarily just displayed there on their screen.
Yep, I always simply generate another random password and save it in my KeePass along with the actual password, together with the question (custom or whatever was choosable).
I make up additional weird randomness (but stuff which would be hilarious but not incredibly offensive to say to a CSR) and save it in my password manager for each account.
I use it as password hint if I can (e.g. make it show the first character of my password, I'll remember it then). As answer I enter like 50 random characters which I don't write down or remember or anything, since I should simply know the password or use my recovery e-mail.
The problem is that most sites won't let you set your own question. More about my idea on security questions: http://lucb1e.com/!65
Security questions are usually just used to decide whether to send you an email with a password reset link (or more annoyingly, a new password), aren't they? I've never seen a system where being able to answer the security question(s) is equivalent to knowing your password. Anyone who knows my mother's maiden name probably also knows my email address and could more easily spam me directly than using a website to send me password reset links.
Paypal's two-factor authentication, a hardware token in my case, has a screen to enter the security code but a link that says 'I don't have my token with me'. Clicking on that link prompts for the answers to two 'security questions'. Answer them correctly and you're in!
Gmail, at least as of two years ago, let you choose a new password after correctly answering the security question. I once tried to answer the security questions to all of my close friends' accounts. I then sent the ones that I succeeded on (and was presented with a choose-your-new-password screen, which I then closed) an email suggesting that they change their security questions to something more secure.
I don't worry too much about someone trying to know the name of my first pet (I'm pretty sure anyone who knows what my answer would be to this question is dead). I do worry that there are a bunch of other organizations that I have told that information. If someone hacks one of those they can get access to my other accounts.
One of the worst sites I saw demanded that I select my security question from a list. Sweet gosh, I have absolutely no idea which of your brain-addled security choices I selected.
A long time ago I was unable to answer the security question for my AOL account. The account had been hacked and used for mass spamming. AOL would not close the account, or help me change the password (or stop the spamming) until I answered the question.
"...but the account is being used for malicious purposes." - me
"Sorry, sir but until you tell me what you named your first dog I cannot stop it." - AOL
I use pwdhash for all my primary web passwords, but I have a secondary password that I use as my response to all security questions. I think this is a decent solution, but some services (I believe Apple is one example) requires multiple security questions and requires the responses to all be distinct.
Ashamed to admit but I used to "hack" my classmates' (girls') Hotmail accounts like that when I was young. I tried to recover their password and if I didn't know the answer to their security question (I often did) I just asked... I was curious if they wrote something about me in their emails, never did...
Depending on the jurisdiction, it's entirely possible that a statute of limitations makes this irrelevant (in a legal sense). Obviously you still don't want future employers etc. to find this post.
Go ahead... Hotmail by the way still lets you take over someone's account by only knowing the email address and the answer to the security question, which is often maiden name, middle name, name of first pet, best childhood friend etc... you can find that information freely from Facebook, for example. Or just ask :)
Forward all your "friends" one of those "50 Things You Didn't Know About Me: Fill In Your Answers and Forward!" question lists that includes the security questions you're targeting.
> You should submit this together with a security issue report to Facebook and Hotmail and whoever else uses security questions.
Google, too. I suggest you run through the recovery process yourself (on a dummy account, or your own) to see the kinds of questions asked. Questions like "when did you last access the account?" are easily answered; as is "name 5 regular contacts"; and so on. I could (but would not) perform the recovery process (and gain access to) acquaintances' accounts, given how simple the questions are.
The key is just knowing "enough" in aggregate to pass their bar.
This may not have helped your specific case, but I recently bought 1Password, and updated all my security questions with randomly generated 16 character string answers, and just put those strings in the "notes" section of a website. So when they do challenge me I can just copy/paste them in. It's been awesome!
I've used 1Password generated passwords for years. You're right, it is awesome, but only until you have to relay one of those generated strings to a support person over the phone:
"...left curly brace. No, it's like the parenthesis, but squiggly. Are you using a regular keyboard? Hold shift and type the left square bracket. The square one. It's to the right of the P..."
I can't imagine the horror of having to recite any password to an actual human being. What kind of company asks you to tell them your password by phone?
"No, the backslash. The one that leans backwards, no, I mean, to the left. Above the Enter key." Surprise, the backslash is not above the Enter key on Canadian bilingual keyboards.
1Password gladly generates "pronounceable" passwords (e.g. "thax-lers-ponc-werv"). I usually think a bit about whether digits or symbols are required (some services and websites - Skype notably - don't like them).
A 20-char passphrase with spaces, dashes, or character-based (e.g. "S") word-boundary delimiter is often good enough to provide excellent (80+ bits) entropy.
Or how about everybody that uses these fucking inane rules just do something sensible - like lock an account out if there are more than 5 failed logins in a row. Using a setup like that even "4321" is probably secure enough. Obviously use a secure hash on the backend as well.
That's the trouble... the "sensible" options aren't so sensible when you really sit down and think about how they can be dodged, broken or abused.
Imagine I'm trying to crack into your site, and you lock any account after 5 failed logins in a row.
If I have access to (or can guess) a few thousand usernames, I can try the 4 most common passwords on all of those with no problems. I'll probably get some hits, no?
Or heck, I can try the 5 most common passwords, and not only will I have a few hits, I'll also have plenty of time to dig around without any attention from you, because you'll be struggling with a massive customer service nightmare, as thousands of your customers find themselves all locked out the same morning.
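The objection above (per-account lockout after five failures does nothing against a few guesses spread over thousands of accounts) is easy to see in authentication logs once you count from the source's side as well as the account's side. The following is an added example, not code from the thread: it runs both counts over a handful of constructed log lines in an assumed `auth=... user=... src=...` format. The lockout rule only ever flags the one account that was hammered; the per-source view flags the address that touched many accounts once each.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread). The first source tries one
# guess against six different accounts; the second hammers a single account.
SAMPLE_LOG = """\
2012-11-03T08:00:01 auth=FAIL user=alice src=203.0.113.7
2012-11-03T08:00:02 auth=FAIL user=bob src=203.0.113.7
2012-11-03T08:00:02 auth=FAIL user=carol src=203.0.113.7
2012-11-03T08:00:03 auth=FAIL user=dave src=203.0.113.7
2012-11-03T08:00:03 auth=FAIL user=erin src=203.0.113.7
2012-11-03T08:00:04 auth=FAIL user=frank src=203.0.113.7
2012-11-03T08:00:05 auth=OK   user=grace src=203.0.113.7
2012-11-03T08:01:10 auth=FAIL user=alice src=198.51.100.9
2012-11-03T08:01:11 auth=FAIL user=alice src=198.51.100.9
2012-11-03T08:01:12 auth=FAIL user=alice src=198.51.100.9
2012-11-03T08:01:13 auth=FAIL user=alice src=198.51.100.9
2012-11-03T08:01:14 auth=FAIL user=alice src=198.51.100.9
2012-11-03T08:01:15 auth=FAIL user=alice src=198.51.100.9
"""

# Assumed log format; adapt the pattern to whatever your auth server actually emits.
LINE_RE = re.compile(r"auth=(?P<result>\w+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def parse(log_text):
    """Yield (result, user, src) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def per_account_lockouts(log_text, threshold=5):
    """The 'lock after 5 failures in a row' rule from the thread, as a per-account count."""
    fails = defaultdict(int)
    for result, user, _ in parse(log_text):
        if result == "FAIL":
            fails[user] += 1
    return sorted(user for user, n in fails.items() if n >= threshold)


def spray_sources(log_text, min_accounts=5, max_per_account=2):
    """Sources that fail against many distinct accounts while staying under the
    per-account lockout threshold. Returns {src: number_of_accounts_touched}."""
    per_src = defaultdict(lambda: defaultdict(int))
    for result, user, src in parse(log_text):
        if result == "FAIL":
            per_src[src][user] += 1
    flagged = {}
    for src, users in per_src.items():
        low_and_wide = [u for u, n in users.items() if n <= max_per_account]
        if len(low_and_wide) >= min_accounts:
            flagged[src] = len(low_and_wide)
    return flagged


if __name__ == "__main__":
    print("locked accounts:", per_account_lockouts(SAMPLE_LOG))
    print("spraying sources:", spray_sources(SAMPLE_LOG))
```

The per-source rule is what a lockout policy needs alongside it: throttle or alert on the source rather than locking every account it brushed against, which is exactly the mass-lockout scenario the comment describes.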
Even better is to generate real words. I took a "1000 most common english words" list and reduced it manually to 256 that don't rhyme with other common words and now use that to generate pass-phrases. It's my best solution for English since phonetic spelling isn't a feature of English.
Heh, yeah luckily I haven't had to do that, but I have chosen some obscene answers to them, and then later had to recite, and spell them out to a horrified Indian call center worker.
Well, the implied ethnicity of the poster is non-Indian, so in addition to the embarrassment of having to spell out obscene words, there's the cultural gap as well. The poster can't judge how offended the call center worker was, and probably feels like he's poorly representing his culture. I've had many similar experiences, especially since I've been living in Korea recently, and it's very uncomfortable not knowing exactly how big of a faux pas you committed.
Well he was, and that's part of the story. I wasn't passing judgement on him as a person, or stating that because of that one characteristic he was Evil.
Edit: see my response to shard. No offense intended, and I hope none was taken :)
I use LastPass, but also use generated passwords to answer security questions. For these questions, one can enable the options for only using alphanumeric, unambiguous characters.
Agreed. Shame to see so many reputable companies not give a rat's ass about security when they seriously prompt for security questions like "Where was your honeymoon?" or "What was your first car?" -- I've even seen "Where did you graduate High School?"
My favorite thing is when the answer to the security question is allowed to be remembered by the browser, meaning anyone who gets my password can saunter up to any computer I've used in the past and bypass the stupid security question.
Yes, but security questions are designed to protect against untargeted phishing. There is little that can be done to automatically help protect against targeted spearphishing attacks against a particular person.
Of those ten rules, nearly half of them hurt password strength. The others make it harder for users to remember their passwords which will lead them to frustration and, ultimately, bad passwords.
Austin#1 is a perfectly valid password according to those rules. zxcvbn says it'd take 2.508 seconds to crack that.
WOW. I was expecting something dumb but this is next level dumb. You're basically forcing a 7 character password since I already know one of them is one of those three special characters. Then you've just given me like 5 more rules that limit what the password can be.
Any password cracking service would crack this in hours. IT people should understand the basics about security before they are allowed to set policy.
> You're basically forcing a 7 character password since I already know one of them is one of those three special characters.
Not exactly, because you don't know where the special character is. If the allowed characters are k, the number of 8-character passwords would be k^8. With this rule, even assuming that only one special character is used the number becomes 7^k * (3 * 8) = 7^k * 24, so if k ~= 60 the entropy is reduced by roughly 1 bit.
Yeah, it's equivalent to reducing k to 24 for a specific character, not reducing it to 1. For k=65 it reduces the search space by about 64%, or 1.43 bits entropy (ln (65/24)/ ln 2).
Though we know the first and last characters aren't special, so it's actually equivalent to reducing k to 18 for a single character, or 1.85 bits entropy lost by this rule and its interactions with the other rules.
... then the rule that the first and last characters can't be special reduces k from 65 to 62 for them, and the rule that no sets are allowed reduces k by 1 for every character after the first, and so on.
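The back-and-forth above over how many bits the "one of three special characters" rule costs comes down to which model you count under. The following is an added example, not from the thread: it reproduces the single-position model the replies use (one slot reduced from k choices to 24 or 18) and, as my own stricter model, counts the exact set of 8-character strings with exactly one special character that is neither first nor last, then subtracts from the unconstrained 8*log2(k). The alphabet size k=65 and the three special characters are taken from the comments above.

```python
import math


def bits_unconstrained(k, length=8):
    """Entropy of a uniformly chosen password of the given length over k symbols."""
    return length * math.log2(k)


def bits_lost_single_position(k, allowed):
    """Model used in the replies above: one position effectively has `allowed`
    choices instead of k, every other position keeps all k. Loss is log2(k/allowed)."""
    return math.log2(k / allowed)


def bits_lost_exact_one_special(k, n_special=3, length=8):
    """My stricter model (an assumption, not the thread's): exactly one special
    character, it cannot sit in the first or last position, and all other
    positions are drawn from the k - n_special non-special symbols."""
    non_special = k - n_special
    inner_positions = length - 2                      # positions 2..length-1
    count = inner_positions * n_special * non_special ** (length - 1)
    return bits_unconstrained(k, length) - math.log2(count)


def summarize(k=65):
    """Return the three figures discussed above, rounded to two decimals."""
    return {
        "unconstrained_bits": round(bits_unconstrained(k), 2),
        "one_slot_24_choices": round(bits_lost_single_position(k, 24), 2),
        "one_slot_18_choices": round(bits_lost_single_position(k, 18), 2),
        "exactly_one_special": round(bits_lost_exact_one_special(k), 2),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

Either way the loss is a couple of bits out of roughly 48, which is why the thread's real complaint is the fixed 8-character length, not this particular rule.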
But really, I think the bigger concern is that all of these rules mean the password will end up on a post-it note stuck to the monitor.
I don't know whether this is cool or sad. Fallout 3 passwords were trivially easy to infer from a single guess. They took extra time to reduce the ambiguity and make it easy once you understood the principle.
I think it's probably more on the side of "sad", considering the way I did it. No mods. I wrote a little android app that you could put the words and number of correct letters each try into and it would shorten the list each time you did.
After a while I figured out "the trick" and could do them in my head and didn't need the program anymore. It was a fun little programming exercise, though.
Everyone's making fun of this, and it is dumb. But really this is just an example about how passwords are a stupid form of authentication. Not just this site, all passworded sites. We really need something better.
I favor OpenID or something like it. Single strong form of authentication, delegate login authority from that to non-critical sites like Hacker News. OpenID has enough of a bad reputation now it's probably a non-starter. BrowserID has some promise: https://browserid.org/
The last time I changed a password for a service I set it to a phrase that I can easily remember but which no human or current machine will easily guess. I'd say that the only good rule is "Make it at least 9 characters" (which is at least long enough to disallow "password").
Not really. If X is the number of characters your password can be made up of, there are 8^X possible passwords that are 8 characters long, and 8^X-1 possible passwords that are less than 8 characters long. Even here, right on the border, you've only lost 1 bit of entropy (half banned, half allowed), and you win big the moment someone makes it even one character longer than the minimum who wouldn't have otherwise.
I wrote a small script to generate passwords after reading that comic [1]. Using a good wordlist one can easily produce memorable and secure passwords.
Unfortunately, many sites enforce rules that preclude this password style (e.g., must contain a number).
> Single strong form of authentication, delegate login authority from that to non-critical sites
How does that solve the problem of internet banking passwords? Banks are not "non-critical sites", so whatever form of authentication I use for my Reddit account is unlikely to be suitable for my bank. As a matter of fact, I don't trust LastPass with my banking passwords.
This reminds me of an anecdote from "The Code Book" by Simon Singh (highly recommended book btw.).
One of the reasons why the British could crack the Enigma code was that German officers introduced rules on how to use the system. For the Enigma machines they had to choose three out of five cylinders in different positions. The officers thought it would be more secure if they imposed a rule "never use the same cylinder in the same position the next day".
Yeah. As someone who prefers passwords in the 12-24 character length I get really annoyed when a site comes back and tells me my password isn't good enough because it doesn't follow various rules. Oh you really think someone is going to brute force $MILKAndDailyCheeseRe because it doesn't have a number in it?
Even worse is when they limit to 12 characters, but don't enforce it in the UI. I couldn't login once because the bank website truncated my password silently to 12 characters. On a whim, I tried the first 12 characters and I was able to login.
Ironically, each of these restrictions reduces the space of possible passwords for a brute-force attack, which is already pretty small given the inane 8-characters-exactly requirement.
I have pointed this out to people before too. It doesn't seem to deter their slavish adherence to what they declare to be "best practices", which seems to correspond to something they read in some magazine or blog.
Or the digital (secure) equivalent: a password manager.
Seriously, any decently sized organization should strongly recommend or mandate usage of such - they are also great when a transition needs to be made - known external credentials can be exported or passed during knowledge transfer and passwords reset.
I've worked with rules like this, and it's even worse when it's some domain password used across multiple crappy systems. Often a 3rd party system that has integrated with this password doesn't accept the $, or has to be 7 characters or something. So the IT folks tell you to follow the rules, but if you use the accounting system, make sure not to put $ in there. #facepalm
The sub-password "similarity" rules (#8) mean that it is incredibly unlikely that the system is storing the password history hashed, and basically impossible that they're storing it salted. What could possibly go wrong?
You don't need unhashed password storage to enforce similarity rules. Presumably, the user has to type in their current password when they set a new password. When processing that request, you have all the information you need to do the similarity check.
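Two points in this thread rest on the same observation: storing only salted hashes does not prevent lenient matching of security answers (the case-insensitive, punctuation-ignoring behaviour mentioned earlier) nor similarity rules at password-change time, because in both cases the plaintext you need is in the request. The following is an added example, not code from the thread: answers are normalized before hashing, and a password change checks similarity against the current password the user just typed and exact reuse against the hashed history. The PBKDF2 work factor and the 0.8 similarity threshold are assumptions.

```python
import difflib
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your hardware


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns salt || digest so one blob is all that is stored."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def verify_secret(secret, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def normalize_answer(answer):
    """Case-, punctuation- and whitespace-insensitive form of a security answer.
    Normalizing before hashing gives the lenient matching support desks want
    without keeping the answer in the clear."""
    return re.sub(r"[^0-9a-z]", "", answer.lower())


def store_answer(answer):
    return hash_secret(normalize_answer(answer))


def check_answer(answer, stored):
    return verify_secret(normalize_answer(answer), stored)


def too_similar(old, new, threshold=0.8):
    """Similarity rule computed on the two plaintexts the change request contains."""
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


class Account:
    def __init__(self, password):
        self.current = hash_secret(password)
        self.history = []   # salted hashes of previous passwords, nothing else

    def change_password(self, current_plain, new_plain, history_depth=3):
        if not verify_secret(current_plain, self.current):
            return "wrong current password"
        if too_similar(current_plain, new_plain):
            return "too similar to current password"
        # Against history only exact reuse is detectable, since only hashes are kept.
        if any(verify_secret(new_plain, old) for old in self.history[-history_depth:]):
            return "reused from history"
        self.history.append(self.current)
        self.current = hash_secret(new_plain)
        return "ok"


if __name__ == "__main__":
    blob = store_answer("O'Brien-Smith")
    print("lenient match:", check_answer("obrien smith", blob))
    acct = Account("correct horse")
    print(acct.change_password("correct horse", "correct horse1"))
    print(acct.change_password("correct horse", "battery staple 42"))
```

The one thing hashes genuinely rule out is a similarity check against older passwords; a system that rejects "similar to any of your last 10" is, as the comment above suspects, very likely holding those in a recoverable form.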
I get annoyed when I can't use spaces, because my general password strategy is to click my link bar shortcut to Random Wikipedia Page, pick five or six words and use that as my password. Easy to remember, hard to guess, even harder to brute force. Thanks XKCD!
I use Keepass to store passwords for the various things I use, and even though my hive is stored on a web server (uses SSL and requires a password, of course) for convenience, it has a well chosen, rotated password and a key file that I carry on a USB stick with my keys. I keep a backup of the key file in a safe physical location.
No two passwords are the same and none is less than 16 characters. One nice thing about Keepass is that you can also store URLs and other arbitrary information in the hive. Should anything ever happen to me, my wife will automatically receive instructions on how to locate and access the hive. (automatic email, dead man switch) Keepass also lets you set reminders so you can regularly change passwords.
This is a terrible way to choose passwords, and in no way equivalent to the XKCD method. It's not equivalent because additional length in your password is very predictable rather than random.
To brute force your password, all somebody has to do is choose a starting word in Wikipedia and some number of consecutive words. This is log2(size of Wikipedia) + log2(entropy of your "5 or 6" distribution). This is less than 32 bits of entropy, or about a six character password in a 64 character alphabet, i.e. it's trivial to brute force this password if you have the hash.
If you had to create a list (or non-list) of requirements a password must pass, what would it be? (Ex. case sensitivity, length, cannot be the same as username etc etc) The bare minimum with the least frustration for the user? I was very surprised by the news piece that Blizzard was using case-insensitive passwords and that got me thinking...
What if we started saying 'passphrase' instead of 'password' and made the minimum be 4 words and 18+ characters.
It wouldn't be overwhelming to new users if they had examples of what a memorable passphrase is. You'd likely need to disallow specifically using the example passphrase but other than that, I'd be curious to see how well non-technical users respond to an interface asking them for a phrase.
We also need to get rid of the stupid habit of blanking out the password on the screen as it's typed, which imposes a time penalty exponential in the password length, or at least make it optional and disabled by default.
Re: this. Just have an option to 'display password' on the field itself somewhere, like you get when entering your WiFi password, or passwords on your phone.
Re: GP. Attackers would just switch to brute-forcing with common phrases. Song lyrics, expressions, etc. Then your passphrase rules will change to accommodate that, and be even more confusing. "The quick brown fox jumps over the lazy dog" and other long, memorable phrases, will be as insecure as "password123".
Really interesting article and absolutely a fair point, but from the article itself, pass phrases are still better. Just not a cure all. The title ("... only marginally better ...") does not match the body ("... vast improvement ...")
> The "30 bits of security" means the chances of a single guess cracking a four-word passphrase would be one in 2^30. What's more, the two-word phrases cracked in the study provided just 2^20.8 (or 20,656/0.0113) bits of security. Another way of expressing the same finding is that a dictionary of slightly less than 21,000 phrases is enough to guess the login credentials that slightly more than 1 percent of people in the real world will use.
> To be sure, that's a vast improvement over the security of normal passwords. Analyses of compromised passwords leaked onto the 'Net, including a corpus of 32 million plaintext codes dumped following the 2009 hack of online games provider RockYou, show that it's trivial to crack a sizable proportion of real-world codes. A dictionary of just two of the most common passwords—123456 and 12345 respectively—typically guess 1 percent of login credentials.
I wouldn't, I would apply something like this http://www.passwordmeter.com/ and show the user how secure or insecure their password is. Depending on the service they are using maybe only allow passwords at Strong or better but base that off the complexity of the passwords. %09(0m is stronger than minneapolisminnesota
Doesn't the strength of a password also depend on the cardinality of the underlying alphabet? So your example makes only sense when you also say something about the used alphabet or am I missing something here?
Sort of. The strength of a password, at the most basic level, is based on the number of passwords it could have been. That is to say, the number of live possibilities in your password-generating algorithm.
In theory, large alphabets and long passwords lead to increased password strength because they mean your password could have been many other things. In practice, the vast majority of those other things were never live possibilities, so the password is not that strong even if it is long or the symbol set is large.
For example, suppose you choose to base your password on your dog's name, Rover. This is one of maybe half a dozen likely choices for you, so is not a strong password. If you modify it for length and symbol set into Fetch4meRover!, this is still one of maybe a dozen things you would have chosen to do with the name, so is still not that strong in spite of the length and character set.
In general, you should not trust yourself to generate random information, and particularly passwords. Use a script to randomly generate a password -- a script with a known large number of live possibilities. This is the only way to ensure those possibilities -- the ones that make a password secure -- were ever actually live.
Of course this is totally ridiculous, and shoots their entropy with a shotgun. But my heart goes out to whoever was logging into the child support page at the Texas Attorney General website.
Is there any reasoning at all behind the thinking that requires passwords such as this?
These sorts of rules are so commonplace that there must be some reasoning for it?
Stupid password rules are probably the leading source of consternation for this internets user.
Has anyone ever analysed if password rules help at all? Aren't most compromises social-based or otherwise accidental? No one breaks in by slamming millions of login attempts at a server, do they?
Banking passwords are always fun. Mine has to be changed every 30 days, cannot be same as last 3, must contain at least one number, special character, capital, lowercase. I essentially end up where I have to store the password in plain text (!) in a password protected file. Ridiculous but there is no way around it. People really have to understand that such things don't help at all, they increase user frustration if anything.
I have never understood the number/uppercase requirement: if someone somehow put a key logger it won't matter, or if someone is using brute force, it won't matter either.
Second, the mixed case alphanumeric definitely aids against brute force attacks, particularly in the case of an online attack (for an offline attack, there are probably hundreds of thousands of attempts per second so the only effective protection is a slow hashing function that limits attack speed)
Except whereas those rules sound like they would enhance your personal security, following these rules work against it ("must be exactly 8 characters"?!)
What I want to know is whether there is a subset of passwords that will be valid against almost all password rules. Like if I make a password that has 12 characters, one symbol and one number, will that fit in 99.9% of cases?
Having overly restrictive password rules like this, combined with requiring a new password every x months, just leads to more users writing down the passwords on notes stuck to their monitor.
"Characters in the first, second, and third positions cannot be identical."
Any reason for that? Using pretty similar passwords with minor differences is how I manage to remember passwords for all those fifty different services I have to know password for...
This demonstrates what is wrong with what the world expects a password policy to be, very few of these even increase password cracking complexity. They are just dumb rules to annoy your users. Sigh!
I wonder how many possible variations of passwords with these rules there can be... 8 chars, no same letters next to each other etc.. brute force hacking might be fun..
"Unfortunately time and again we have come to observe the inability of employees to follow simple rules during password creation. For example, despite our warnings, employees often create a password containing more than one consecutive non-numeral; other employees attempt to create a password consisting only of numbers, only of letters, or an insecure mix of numbers and letters - e.g. 5:1 - with no special characters.
This is unacceptable.
Henceforth, new passwords must be one of the following five possibilities, as described below:
s$sVC!{IV{wG:|9 (Employees with last name beginning with A-F)
bE#40,$&T@V}266 (Employees with last name beginning with G-L)
U>~7nw*,55{][%H (Employees with last name beginning with M-R)
EL8$v{4#L8482 5 (Employees with last name beginning with S-X)
or
1^_4s"x&T3pB,%% (All other employees).
You may not use a password you have ever used previously. In two weeks, the new possibilities will be posted to the web site, and you must change your password immediately to one of the new possibilities.
You have brought this on yourselves, and if you begin to show an ability to use secure passwords, you may get to pick your own in the future. Until then, they will be assigned to you.
This is probably the root cause of bad passwords. In the case of Average Joe, he is now having to choose something memorable which is 8 characters long. 'PassworD'
Sorry, "PassworD" doesn't validate. You're missing a symbol, and you have a character repeated. Try "P@s5w0rd" instead. Or, better yet, "abc#1234" as suggested in the examples.
We've moved on to a fictitious setup. I was so disgusted with my bank and their password policies and authentication measures. They too restrict to 8 characters, but they happen to also offer a SecurID token. This token can be used in conjunction with the initial authentication. I would happily switch to any bank where I can know my data is secure. How do we trust them?
I have a student loan that is limited to 8 character passwords. Thing is, when you go to set your password the first time it will happily take the password and use it, good luck getting in though because the next time you go to enter your password the web form truncates it for you (using JavaScript upon submitting)!
Then when you go to reset your password they keep telling you that your password doesn't meet the requirements (the form allows you to type as much as you want) but doesn't tell you about the 8 character password rule. Then when you finally get one that works and you are logged in (12345678 is not a secure password, but apparently that is fine) you go to change your password and this time they will tell you that 8 characters are all that is allowed, but the web form is set to only accept 7 characters, so you have to use the Safari Inspector to change the form to accept 8 characters and submit.
And unfortunately I can't leave them because it is a loan and not just a checking account. Thing is, even I don't know my password anymore, so it is as secure as it can be :P
I had this problem with Windows 8 and creating a Microsoft Account. When creating the account, they had a hard limit of something like 15 characters. (My passwords are pretty long.) Which got automatically truncated. So when I rebooted my computer running Windows 8 Preview, I couldn't log in with the password I had used, until I figured out that I should only type the first 15 characters of it. Terrible web form design.
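The three stories above (a bank, a student-loan site and a Microsoft Account setup) share one defect: the set-password path and the login path apply a length limit differently, so the stored hash is of a string the user can never submit again. The following is an added example, not code from any of those sites: the buggy pair hashes the full password at registration and truncates at login (the student-loan case), and the fixed pair routes both through one validator that rejects over-long input instead of silently cutting it. `MAX_LEN` is taken from the 12-character bank limit mentioned earlier; the PBKDF2 call is a stand-in for whatever password hash the site uses.

```python
import hashlib
import hmac
import os

MAX_LEN = 12   # the bank's limit from the thread


def digest(password, salt):
    """Stand-in password hash. The only property used here: hash(pw) != hash(pw[:MAX_LEN])."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


# --- Buggy flow: set-password stores the full string, the login form truncates.
def set_password_buggy(password):
    salt = os.urandom(16)
    return salt + digest(password, salt)


def login_buggy(password, stored):
    password = password[:MAX_LEN]          # what the JavaScript on the login form did
    return hmac.compare_digest(digest(password, stored[:16]), stored[16:])


# --- Fixed flow: one validator used by both paths; it rejects, never truncates.
class PasswordTooLong(ValueError):
    pass


def validate(password):
    if len(password) > MAX_LEN:
        raise PasswordTooLong(f"passwords are limited to {MAX_LEN} characters")
    return password


def set_password_fixed(password):
    return set_password_buggy(validate(password))   # same storage, validated input


def login_fixed(password, stored):
    return hmac.compare_digest(digest(validate(password), stored[:16]), stored[16:])


def rejects_long(password):
    """True if the fixed flow refuses the password up front (used by the checks)."""
    try:
        set_password_fixed(password)
    except PasswordTooLong:
        return True
    return False


if __name__ == "__main__":
    long_pw = "correcthorsebatterystaple"
    stored = set_password_buggy(long_pw)
    print("buggy login with the real password:", login_buggy(long_pw, stored))
    print("fixed flow rejects it at set time:", rejects_long(long_pw))
```

Enforcing the limit server-side in one place also means the user learns about it at set time with a clear error, rather than by being locked out on the next login.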
If I could get the same interest rate or lower I would do it, but as of right now I would get lucky if I could find one that gave me 3x the interest let alone higher...
moreover, at 8 characters, it doesn't really matter what password they choose; 8 characters is simply too short to matter. Even 9 or 10 is a significant improvement at this level.
"I swear, security questions are out to get me."