Unscrewing Security

About Author

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.



Username: Google ; Password: 2bon2btitq

Passwords are hip again; but can we please just get past the "word" aspect?


Google are (in partnership with Citizens Advice Bureau) running a campaign about how to stay safe online, and to this end adverts are appearing in London tube trains explaining how to create longer, more memorable passwords, using an example from Hamlet:

"To be, or not to be, that is the question" becomes "2bon2btitq"

Jolly good. Except it could be better. In fact the actual Google page is much better, but you have to dig to find the more detailed advice.

But it's still not good enough.

The Single Sign-On and Identity brigades may bray that passwords are evil and instead the world should adopt whatever XML-flavoured lunacy is in fashion with them this week, since people surely cannot be trusted to go around interacting with the web unless some higher authority is on hand to validate their existence - and to make them pay for that privilege.

But passwords do work; for all the damage I've done to password systems, I do really still like them; they are a technology of the net - you don't need a central authority to disburse them, they cost nothing, and so long as you're wise enough not to reuse them from place to place, they provide very good security and very little identity-linkage at very low cost.

With password-management software like 1Password and PasswordSafe (to name but two) on hand, especially when properly integrated with your browser, there is no longer any excuse for using passwords that are less than 16 characters of random crap, and even more importantly to use different passwords per web account or other form of login.

But when you can't cope with 16 character passwords, or where you lack access to your password database - eg: when booting your laptop - what should you do? Randall Munroe's XKCD comic nails it - you use a passphrase:

correct horse battery staple

...which is much harder to break via brute force than something short-but-full-of-punctuation; and if you can remember to mix some extra variety into the phrase, so much the better...

Google's posters are teaching a password-selection technique that is one generation out of date; a 10-character lowercase-alphanumeric password like 2bon2btitq is only one of 3,656,158,440,062,976 such passwords (36^10), which sounds like a lot, but depending on how it has been hashed those 3.66 quadrillion passwords can be ripped through at a rate of over 10 billion guesses per second, meaning that the password can definitely be cracked in about 4 days of effort.

Use of an even more obscenely pimped-out password cracking rig (PDF) would reduce this figure to hours, perhaps minutes. Nowadays if somebody wants your password and if it's less than (about) 12 utterly random characters long, they will have it quite soon; and if you've reused both your username and password at multiple sites then they will have all of those accounts too.

Google's longer advice is better - although why is it always the first character of each word of your favourite phrase? - but I'd rather that Google told people about tools like password managers too; plus they tragically miss out the entire concept of passphrases. Why use 2bon2btitq when you can use:

Hamlet was a mad, bad, depressive Dane!

...instead?

So, Google: if you're into providing blunt rules, let's add a few for you to promote to the developers out there:

  1. If any part of your user interface or code truncates password plaintext input at a length of less than 255 characters, it's a bug.

  2. If you can't cope with password plaintexts that contain SPACE and TAB characters, it's a bug.

  3. If your passwords are not hashed, it's a bug.

  4. If you're hashing your passwords with anything other than Bcrypt, it's a bug; bcrypt() maxes out at 72 character passwords, but that's not your fault...

  5. If you allow people to use a password of less than 12 characters, it's a bug.

  6. If you do not encourage people to select a unique password for your service, it's a bug.

  7. If you do not encourage people to use passphrases, it's a bug.
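As an added example that is not part of the original post, here is how a service could test its own password handling against rules 1, 2 and 5, alongside the keyspace arithmetic used above for 2bon2btitq; the 10-billion-guesses-per-second rate is the post's figure, while the character-class model and the function names are my own assumptions.

```python
import string

# Thresholds taken from the post's rules; the guess rate is its figure for a fast hash.
MIN_LENGTH = 12                        # rule 5
MAX_LENGTH = 255                       # rule 1: truncating below this is a bug
GUESSES_PER_SECOND = 10_000_000_000    # "over 10 billion guesses per second"

# Assumed character-class model: a brute-forcer must cover every class that appears.
_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " \t"),
)


def alphabet_size(password: str) -> int:
    """Smallest union of character classes that contains every character used."""
    chars = set(password)
    size = sum(len(cls) for cls in _CLASSES if chars & cls)
    # Characters outside the known classes (e.g. non-ASCII) each add one symbol.
    return size + len(chars - set().union(*_CLASSES))


def keyspace(password: str) -> int:
    """Number of same-length candidates drawn from the inferred alphabet (36**10 for 2bon2btitq)."""
    return alphabet_size(password) ** len(password)


def days_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case days to try every candidate at `rate` guesses per second."""
    return keyspace(password) / rate / 86_400


def handling_bugs(submitted: str, accepted: str) -> list[str]:
    """Compare what the user typed with what the service actually hashed.

    Returns the rules the service violates: truncation (1), stripped
    whitespace (2) or a too-short minimum (5).
    """
    bugs = []
    if accepted != submitted and len(submitted) <= MAX_LENGTH:
        if submitted.startswith(accepted):
            bugs.append(f"rule 1: plaintext truncated at {len(accepted)} characters")
        elif accepted == "".join(c for c in submitted if c not in " \t"):
            bugs.append("rule 2: SPACE/TAB characters stripped")
        else:
            bugs.append("plaintext altered before hashing")
    if len(submitted) < MIN_LENGTH:
        bugs.append(f"rule 5: shorter than {MIN_LENGTH} characters")
    return bugs
```

Feed `handling_bugs` with what a login form received and what the back end actually passed to the hash function; an empty list means the three mechanical rules hold for that input.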

Yes, those rules are opinionated. They are even biased and make sweeping assumptions. They don't even address issues like UNICODE. But if you address these seven points in every application in the world, you'll make password cracking a phenomenally tougher job.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.
