August 11, 2005
The article Passwords: The Weakest Link references a 25 year old research work on the efficacy of passwords:
In the pre-Internet Age of 1979, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that a third of users' passwords could be broken in less than five minutes.
This article was written in 2002, and the password security picture hasn't improved at all in the intervening 23 years:
When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look.
Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file.
"Just about every company that we have gone into, even large multinationals, has a high percentage of accounts with easily (cracked) passwords," said Greg Shipley, director of consulting for Neohapsis. "We have yet to see a company whose employees don't pick bad passwords."
When there's no measurable improvement in password security between 1979 and 2005, clearly we aren't dealing with a technology problem. We're dealing with a people problem. Passwords are fundamentally broken because they aren't compatible with typical human behavior :
The only defense is to make passwords nearly impossible to guess, but such strength requires that the password be selected in a totally random fashion. That's a tall order for humans, said David Evans, an assistant professor of computer science at the University of Virginia.
"When humans make passwords, (they) are not very good at making up randomness," he said. Furthermore, because people usually have several passwords to keep track of, locking user accounts with random, but difficult-to-remember, strings of characters such as "wX%95qd!" is a recipe for a support headache. "The idea is to make something that is easy to remember but that will make up a good password," he said.
Many security administrators focus their efforts on teaching users how to use various mnemonics to create strong, but memorable, passwords. A common technique takes the first or last letter of each word in a saying or phrase familiar to the user. For example, by using random capitalization and substituting some punctuation marks and digits for letters, "Friends don't let friends give tech advice" might become "fD!Fg7a."
The education doesn't seem to be sticking, and the password problem is getting worse as the percentage of less-tech-savvy computer users increases.
I don't have a solution to the password problem, but there is one thing we can do to improve the usability and security of passwords dramatically.
We have to encourage users to stop thinking of passwords as single words, and start thinking of them as pass phrases. The worst imaginable pass phrase (eg, "this is my secret password") is many times more secure than an average single word password (eg, "god123"). And it's easier to remember.*
As a developer, you need to do your part, too:
- Absolutely, positively make sure your applications support a password field length of at least 128 unicode characters.
- In the user interface for defining the password, remind the user that password doesn't literally mean a word. Give several examples of pass phrases directly alongside the entry field. It's absolutely imperative that we educate the users-- how else will they know there's some other way to deal with that input box?
The greatest long term security threat isn't hackers. It's the perpetuation of the braindead 8-16 character password length limitation, and the idea that passwords are single words.
* unfortunately, not easier to type, but neither is "X74@&z3!". What are you gonna do?
Posted by Jeff Atwood
Good point, but be careful what you wish for g. When Laymen users start using sentences (aka passpharases) they pull from an active vocabulary of about 400 words. Constructing a grammatical dictionary attack seems quite feasible. It has been said before in one of the blogs (much more detailed and eloquent than my comment here - so credit to them), unfortunatly I don't recall where.
The tagline anyway is right: Passwords are broken.
Constructing a grammatical dictionary attack seems quite feasible
I don't agree that this is feasible at all, for a phrase of more than trivial length (eg, 5+ words).
However bad the phrase will be, it can't be as bad as the same user picking a single word password, even with forced restrictions on things like word length and having a number/character in it.
Passwords are a fundamentally bad choice for security. I mean, what were they originally invented for, back in the mists of time? A few selected men spying on Caesar's enemies, or fetching gold bars from the safe, or something like that.
Now we expect every Joe and Mary to remember 26 different passwords for their completely mundane computer work? That's just ridiculous. Of course this won't work, how could it ever? Typical example of taking the first and simplest solution that fits the computer, no matter how badly it fits the users.
We need to get away from this ancient, cumbersome, unsafe "technology" and move on to something sensible like biometrics, or at least a unified computerized security token. Microsoft Passport wasn't a bad idea, really -- if only it hadn't been made by Microsoft (so everyone opposed it)!
move on to something sensible like biometrics
Biometrics is only slightly more secure than a password:
Scroll down or find to..
"The UareU scanner is optical and probably wouldn't know the difference, but I nonetheless decided to see if I could fool it with a gummi finger."
"Ugly and bubble-y the jelly thumb was, but the UareU scanner loved it. It thought the jelly finger was a real one more than 50% of the time. And since you can attempt recognition about once a second, that means it'd be trivially easy to log in with a thing like this, even with people watching. Trim the jelly so it fits over the end of your real finger, and some very rudimentary prestidigitation will keep your fakery from the attention of onlookers."
"Earlier this year, German tech mag c't tested nine fingerprint scanners (six capacitive, two optical and one thermal), plus Panasonic's Authenticam iris scanner, and Cognitec Systems' FaceVACS-Logon face recognition system. All of the widgets tested were current models, and all came with impressive marketing claims.
And all of them, in layman's terms, sucked, if used as the only source of identification."
We need to switch to a physical key device that can't be easily duplicated. I should be able to put my "key" into the "lock" on my computer and "open" it. Pretty much just a USB-looking device with a long security key burnt into it should do. The biggest issue is with people losing keys. But this can be taken care of by having layers of administration. This would work best for enterprises.
In the military they use their CAC card in a smart card reader. Since the CAC (Common Access Card) card is also your id, you're less likely to lose it. Then again, most enterprises don't check your id 4 or 5 times before you get to sit down and use your computer to log in, so it's unclear to me if this is the real solution we're looking for.
Close. Something more like a built in RFID reader and cheap RFID password cards. The computer manufacturer would send you a stack of them when you buy the computer or you can go buy a stack of 10 at Best Buy for about $5. You simply swipe/pass the card through/near the computer and you are in. You would keep your administrator card hidden somewhere in your house and use your card for the limited user login on a regular basis. The cards would also have the password number (say... 30+ random characters) printed on it so that it can be hand entered if the card goes bad.
It's all very easy to imagine and what you have posted is very similar in concept. It just needs wider acceptance and needs to be much cheaper.
I wish more people read this.
Even the web access at my bank account doesn't allow for more than 8 chars !
And if you look, most services on the web take 6 or 7 chars.
(Withoput event considering encryption...)
What are we supposed to do with that ?
The nice thing about single keys is that one only needs to steal the single key to gain access to everything.
The nice thing about it being a hardware key is that it's a lot easier to steal.
The nice thing about a biometric key is that once it's stolen, you can never change it.
Not to mention the question of how you'd want to link verification at your personal workstation to verification online without security, secrecy and privacy risks.
Old and primitive as the text password may be, atleast it's hidden inside your head. It eliminates the avenue of "hacking" the key at the source.
OpenID is great for centralized authentication to things like MySpace and Facebook, but it was never meant as a high-security auth-scheme for banks. For this, two-factor authentication is required. Banks just *think* what they are implementing today is two-factor, when it is really multiple single-factor (e.g. Bank of America's SiteKey crap). And, it certainly doesn't do anything to squash phishing.
Single Keys - Hopefully, when a hardware key is used, it is used in conjunction with something you know (2-factor auth). So, if it is stolen, who cares. A better solution is the key FOBs that generate a number that has to be entered in conjunction with your password. PayPal and eBay are doing this today for cheap ($5 for a FOB).
Biometrics - Not true. Biometric keys are stored as hashes and I believe they are different each time they are generated. So, if it was stolen somehow, you'd just need to re-generate the key. Otherwise, this form of identity verification would have been thrown away a long time ago. Again, multi-factor auth solves this problem as you'd use biometrics (something you are) with a password (something you know).
Passwords in head - Um.. passwords are not just in your head. They are stored somewhere electronically which is why brute forcing exists. Said hacker gains access to a system somehow, steals the password database, uses tools to hack it. Actually, if a person has elevated access in a company and decides to turn evil, it's easier than you think.
Just use a USB key with a bunch of randomly generated passwords. Back it up on a hard drive at home or two, and you're good to go. Works well with firefox portable.
I use password generator that creates 32-character passwords... and they don't work most of the time! Web apps tend to have stupid limits like 16, 18 or 24 characters and of course those MySQL-based won't complain (and it's really scary to see how many websites don't hash passwords).
When you're hashing passwords, there really isn't a limitation on password length, because it is stored in the database as 32 (or 40, for SHA1) characters anyways. That way, your "password" can be up to several thousand characters with no sweat.
What about patterns on the keyboard? Seems like you just need a mnemonic to remember it and the result is very random since it's very large - larger at least than the English vocabulary.
For instance, I start my banking pswd with the name of the company's first letter then go from there. If I use a geometric pattern from that starting point (even linked to their logo :), then the issue becomes simply remembering the initial cue (the shape) rather than a long string past short-term memory limits (+/- 7).
The problem isn't one of computation. It's human memory. You have to solve it with memory chunking features.
Good idea, but the name pass phrase is already taken. That is the "password" for your ssh key, since the ssh key itself is the real password. The pass phrase just unlocks the password.
For the web, I use SuperGenPass. It's a bookmarklet that generates a hash from the current domain+secret. Just click on the bookmarklet, enter your master password and never forget the "once visited" website's password. http://labs.zarate.org/passwd_new/
Another interesting identification way are visual passwords like asking the user to draw a symbol. This domain is still new and needs more investigation. I didn't find any implementation yet.
My friend gave me a neat approach to passwords. In setting up a web server for me, he used the first letter of each word in part of a song we wrote together. (I guarantee you've never heard it.)
Maybe you don't know a song nobody else does, but you could pick some of your favorite song lyrics and get something like ehmhibaiaithog (every house must have its builder, and I awoke in the house of God). I imagine that would be pretty hard to guess, but still fairly easy to remember.
I am a proponent of long passwords but only recently. Most applications will not allow it in my experience - so you are exactly right.
For reference I checked my Writing Secure Code 2nd edition; Howard Lipner and note that Versions of Windows prior to Windows 2000 allowed 14-character passwords. Windows 2000 and later supports passwords up to 256 characters long.
So from a Windows world, one can guess where the habit of short passwords came from.
RFID is broken :P
Google it. It's a radio signal. Easy to pickup and duplicate :P
How many websites have you seen that only support letters and numbers for passwords? Too many in my book.
My password for everything is orange :O
How about the security dongles that randomly generate a 7-9 digit code every 5 minutes. The dongle relates to a server in real time and only the holder of the dongle would have access to the password. Even if you try to brute force it, 5 minutes go by and you start back at square one.
It is quite effective...until you lose your dongle. I have losing my dongle. :)
There is no excuse to not at least allow pass-phrases. The password text box on a form should be set to the maximum length. Then of course since you're not storing the password in plain text, you create a hash from your encryption algorithm of choice. This will create a fixed length digest of the password which will not create any length issues in the database you are storing this possibly very long pass-phrase.
Now the next point you make is a very good one. User education of the security benefits of pass-phrases would be the only other thing needed in your application.
As for biometric verification, I think if this ever became a commonly used verification technique, it would actually end up being LESS secure than passwords. I think at the moment, the only commercially viable biometric verification is fingerprint scanning. Now think about how you would leave the equivalent of a post-it note with your password on it with every object you touch throughout the day. If the use was ever widespread, the materials you would need to lift fingerprints would probably become widely available, thus allowing anyone to use your prints for accessing your sensitive information just by taking your coffee cup out of the trash.
"How many websites have you seen that only support letters and numbers for passwords? Too many in my book."
Very true, though this is generally to prevent XSS or SQL injections. If you didn't allow the keys ' " = < and > then you're potentially confusing users with what they can and cant have in their passwords, thus why some sites only allow alpha-numeric passwords
As for first work from a song or mnemonics, I quite like the idea and may start using them!
Very interesting post!