The Virtues and Vicissitudes of Passwords

  • Thread starter: FactChecker
The discussion centers around the security implications of using passwords for unlocking devices, particularly Chromebooks, where users express frustration over being forced to use a single Google password for multiple services. This practice is viewed as a security flaw, as it encourages weaker, easily memorable passwords. Participants advocate for unique, complex passwords for different accounts and suggest using passphrases instead of traditional passwords for better security. The conversation highlights the importance of understanding individual security needs, with some users opting for simpler unlock methods like PINs or no locks at all for convenience. There is a consensus that patterns in passwords are risky, as they can be easily predicted by attackers. The effectiveness of password managers and two-factor authentication is emphasized as a means to enhance security. Additionally, the discussion touches on the vulnerabilities associated with data breaches and the necessity of changing passwords regularly to mitigate risks. Overall, the thread underscores the evolving landscape of password security and the shift towards multi-factor authentication as a more secure alternative.
  • #31
jack action said:
Something like 40% of all passwords are of the form a capital letter, 5 lower case letters, the number 1, and an exclamation point. I suspect many of them are 5 or 6 character dictionary words as well.

There have been complaints about password managers and attacks (which did not cause a leak) but when the alternative is Password1!, which probably takes a millisecond to crack, what is the better strategy?
 
  • #32
Good thread after separation from Chromebooks. I've learned useful things, and it made me think through the problem more, especially the secondary aspects of the security. Here is my summary. I tagged quotes from others; everything else is my opinion.

1. Never reuse a password you care about. -- Bruce Schneier
a. If you have N online accounts, you need N secure passwords.
b. You must remember which password goes with which site.
c. A corollary: Never reuse the same email address for password recovery. If you have N online accounts, you need N password recovery email addresses and N email passwords.
i. An alternative is to use something other than email address as the account name. Then someone stealing your account name does not simultaneously get your recovery email address.
1. Some sites mandate a valid email address as the account name.
d. I tried and failed to delete old unused accounts. Many sites have no function for account deletion. Therefore, I have to forever remember the login information I used on those sites, in order to avoid reusing them.
i. When service providers go bankrupt, their assets including digital assets are sometimes sold to the highest bidder. Obviously, all provider security becomes moot. For example, a hospital in Phoenix failed to pay the rent on a warehouse storing patient medical records. The landlord sold the records at auction.
2. Pretty much anything that can be remembered can be cracked. -- Bruce Schneier
As soon as you are using a set of rules to create your password, you're screwed. -- @jack action
a. That pretty much mandates a pseudo-random software pw generator. No human method or algorithm can be secure enough.
i. If using a machine generated pw, and machine entry of your pw, it might as well be the maximum length, because you will never type it in by hand. There is no advantage to shorter passwords. My password generator can produce 256 character passwords.
3. Unless you think your password might be compromised, don’t change it. -- Bruce Schneier
a. Obvious corollary: If you do think your password may be compromised, change it immediately.
4. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. -- Bruce Schneier
5. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper. -- Bruce Schneier
a. Unless your handwriting skills are exceptional, writing it down means printing it. A transcription error can be almost as damaging as password theft.
i. Since transcription errors are so easy, your paper list must be tested by trying to log in using the information on the paper.
b. Don’t forget to include both the password and the account name and the site on the paper.
c. You might die. Your house can burn down. Make sure your loved ones have access to a copy of that paper list, or access to the password manager.
i. Every time you change a password, you need to regenerate the list and distribute copies to your loved ones.
ii. If you use porn or other sites that you don’t want your loved ones to know about, you need a separate security system for those.
iii. Make sure that your loved ones secure their copy of the paper.
d. I can’t trust myself to do all that stuff on paper. For me, a password manager is the only practical solution.
6. One more piece of advice: if a site offers two-factor authentication [or MFA], seriously consider using it. It’s almost certainly a security improvement. -- Bruce Schneier

Not addressed in that list are the vulnerabilities of letting your login credentials be stored elsewhere. For example, I opt to let PF keep me logged in. I assume that means cookies, but sometimes browsers claim to store passwords.

Whew! What a headache all this stuff is. The future trend seems to be to use many-factor authentication, reducing or eliminating the need for secure passwords. I welcome that.
 
  • #33
Algr said:
Any conceivable combination of 8 letters and numbers will have some kind of pattern.
Of course, the issue is the security of keyboard position patterns. The pattern 'qwerty' is probably the worst example. A password strength checker rates qwerty as "an open door" even though it would appear fairly random if you ignore keyboard positions.
 
  • #34
anorlunda said:
2. Pretty much anything that can be remembered can be cracked. -- Bruce Schneier
As soon as you are using a set of rules to create your password, you're screwed. -- @jack action
I think Schneier's claim is just a little bit over the top. You can make good passwords that you can remember but don't rely on a pattern, e.g., five or six random words generated by Diceware. Most password managers, I expect, allow the user to generate such a password as well.

anorlunda said:
i. If using a machine generated pw, and machine entry of your pw, it might as well be the maximum length, because you will never type it in by hand. There is no advantage to shorter passwords. My password generator can produce 256 character passwords.
You may never need to type in a password on your computer, but if you need to enter one on another device, you will quickly appreciate the benefits of a shorter, easier to enter password.

There are also places, for reasons I don't understand, that don't allow you to autofill a password or paste a password in. You're pretty much forced to type in those passwords. Personally, I wouldn't want to type in a 256-character password consisting of random characters.

anorlunda said:
3. Unless you think your password might be compromised, don’t change it. -- Bruce Schneier
I think this advice is a holdover from the days before password managers. When people were forced to change their password, say, every six months, supposedly to increase security, they instead made things worse because users would opt for weak, easier-to-remember passwords.

Nowadays, a password manager may eliminate the problem of weak passwords, but changing your passwords frequently strikes me as a waste of time.

anorlunda said:
Not addressed in that list are the vulnerabilities of letting your login credentials be stored elsewhere. For example, I opt to let PF keep me logged in. I assume that means cookies, but sometimes browsers claim to store passwords.
Websites use cookies to keep you logged in. They can't access the passwords stored by a browser. That would be a gigantic security hole.

One vulnerability currently is that your login credentials are stored by the website, so you might follow the best practices, but the website may be compromised due to circumstances outside of your control.

anorlunda said:
Whew! What a headache all this stuff is. The future trend seems to be to use many-factor authentication, reducing or eliminating the need for secure passwords. I welcome that.
Me too. Microsoft, Google, and Apple recently committed to support the FIDO standard for password-less authentication, which relies on public and private keys and MFA. I hope this standard gets adopted quickly by sites once it rolls out.
 
  • #35
anorlunda said:
For example, a hospital in Phoenix failed to pay the rent on a warehouse storing patient medical records. The landlord sold the records at auction.
Can you point me to this? It sounds like a pretty egregious HIPAA violation.

While I don't disagree with anything on the list, it does fail to put things in perspective. Think of security as a parallel network of resistors. Increasing the resistance of an already-high resistor doesn't change the network resistance. Similarly, changing your password from "password" to "Z!n33%DA" is more helpful than changing it from Z!n33%DA to Z!n33%DA1iQ@7w5Rnkr0d9mrDp.
 
  • #36
Vanadium 50 said:
Can you point me to this? It sounds like a pretty egregious HIPAA violation.
It happened in the 80s, so no link, and it predates HIPAA. But HIPAA applies only to health care providers. Non-providers who come into possession of confidential information by any means are not restricted by HIPAA. If the NY Times gets protected info, Congress shall pass no law prohibiting them from publishing it.
https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent.
Life insurance companies ask you to sign a waiver giving them access to your medical records. But HIPAA can't restrict what they do with the information thereafter because they are not covered entities.
 
  • #37
vela said:
You can make good passwords that you can remember but don't rely on a pattern, e.g., five or six random words generated by Diceware.
The keyword in your statement is "random". This means you take whatever the Diceware gives you on your first attempt.

The mistake to avoid is not to be tempted to generate another password until you find one set of words you find easier to remember. In such a case - even though all passwords were randomly generated - the selected one does follow some rules you made up to easily remember it.
 
  • #38
This is a classic case of trying to improve an already very-secure part of the system.
 
  • #39
pbuk said:
Find a pattern in ANY ONE of these and I'll give you a prize:
nS3dQu4u

Oddly, this has the same cadence as I've Got A Gal In Kalamazoo.

"Hi there Tex, how's your new ro-mance"
"N S 3, d Q u 4 u"
 
  • #40
Many, many years ago, when IBM 3278 terminals roamed the earth...

I worked in a shop where every so often (14 days?) we were assigned new passwords. Assigned. We didn't get to pick them. Security, you see. You'd log in and it would tell you "your new password is"...sorry, it was the olden days.."YOUR NEW PASSWORD IS" and then seven random characters.

People were expected to memorize this in a few seconds, and of course each system had a different password. Security, you see.

Fortunately, we all had notepads on our desk, so we could quickly write down the new password before it faded from view, and conveniently, the 3278 had a little hinged cubbyhole for pens, paperclips, and little slips of paper.

Security, you see.
 
  • #41
Algr said:
No. I already accounted for that by using 4 bits per letter, and 3 after that. 33 million also excludes the ringer. There is a huge difference between "cdewq7sxz" and "maga2020!" Anyone who would use the latter is a moron.
Now you are arguing against yourself. Yes there is a huge difference between "cdewq7sxz" and "maga2020!", but there is not a huge difference between "sw234rfd" and "maga2020!", in fact "sw234rfd" appears to be associated with at least 38 password leaks!
 
  • #42
jack action said:
That is not what I meant. By obeying a set of rules (for example choosing letters based on their position on a keyboard), you are excluding a lot of passwords that a hacker doesn't need to try.
Ugg! I just told you that I accounted for that. There are 16 keys that don't border any edge on the keyboard. So that is 4 bits. Then there are eight keys surrounding those 16. That is 3 bits per key. So: 7x3+4 = 25 bits. 2^25 = 33,554,432 possible passwords using the adjacent key tactic. And that ignores the salt.

jack action said:
But doing so - for someone who assumes you used this rule - you drop from 209 billion possibilities (= 26^8) to 207 million possibilities (= (20 X 6)^4)
Five chances out of 207 million before the account locks up? That is NOT how the hackers are getting through.
pbuk said:
Yes there is a huge difference between "cdewq7sxz" and "maga2020!", but there is not a huge difference between "sw234rfd" and "maga2020!",
"cdewq7sxz" is my tactic with salt as I originally described.
 
  • #44
pbuk said:
You have repeatedly been told how the "hackers are getting through" - they are using matched lists of passwords and email accounts.
Then why aren't you acknowledging the obvious consequence of this? Your password could be a billion digits long, but it won't make any difference if the hackers already have it.
 
  • #45
anorlunda said:
pbuk said:
No, there have been very few data leaks of plain text passwords. Almost all the email/password combinations available on the dark web have been cracked by dictionary attacks on salted hashes. Choose an obvious password like the ones you suggest and you are vulnerable to a dictionary attack.
That's interesting. I've been trying to verify that, but no luck.
One source for partial verification is https://haveibeenpwned.com/PwnedWebsites.

This lists 628 data breaches, with "plain text" mentioned 87 times, "MD5" (an insecure method of password hashing) 186 times and "SHA" (a less insecure method of password hashing but still useless for insufficiently complex passwords) 66 times.

Not very scientific, but as you say we should be careful not to over-analyse data which is by its very nature intended to be shared covertly.
 
  • #46
Algr said:
Then why aren't you acknowledging the obvious consequence of this? Your password could be a billion digits long, but it won't make any difference if the hackers already have it.
Of course it won't, but if a password is insufficiently complex, is easy to guess, or was used on a service that has suffered a plain text or poorly hashed password leak such as the Adobe leak of 153 million accounts you can pretty much guarantee that the hackers already have it.

A sufficiently complex, hard to guess password, is only vulnerable if it has been leaked in plain text.
 
  • #47

SOCIAL ENGINEERING:

The most successful tool for hackers is not guessing passwords, but social engineering. The PEOPLE using your system are as vital a part of it as any software or hardware. The hackers know this. If your IT department doesn't understand PEOPLE, they are a bad IT department. Overloading your people with excessive burdens is just as much IT's fault as any other hardware failure:

(image: Too much security.jpg)

Random passwords generated every two weeks? That is TERRIBLE security because HUMANS don't work that way. As Vanadium 50 and others have mentioned before, excessively burdensome passwords inevitably result in the above pic.

SECURITY = the DIFFERENCE between the difficulty of a legitimate user logging in, and the difficulty of a hacker logging in.

If you bury a hard drive in cement, it isn't secure, it is useless. The hacker will probably have the best tools to get it out, while legitimate users are stuck.

This is why there are so many security failures in major corporations. IT is so busy keeping out the hackers that they make legitimate users their enemy, who have no choice but to undermine security in order to get any work done.
 
  • #48
pbuk said:
Of course it won't, but if a password is insufficiently complex, is easy to guess, or was used on a service that has suffered a plain text or poorly hashed password leak such as the Adobe leak of 153 million accounts you can pretty much guarantee that the hackers already have it.

A sufficiently complex, hard to guess password, is only vulnerable if it has been leaked in plain text.
Technically true, but you are WAY past the point of diminishing returns if you are saying that anything that can be memorized is a bad password. It's like mopping the deck on a sinking ship - it may superficially look like it helps, but it is completely failing to recognize what the problem really is. As I showed in the previous post, making passwords too burdensome results in LESS security, not more.
 
  • #49
Algr said:
Technically true, but you are WAY past the point of diminishing returns if you are saying that anything that can be memorized is a bad password.
I have not said that. I have said that anything that is based on a keyboard pattern is a bad password.
 
  • #50
pbuk said:
I have said that anything that is based on a keyboard pattern is a bad password.
And I've got 33 million passwords that say you are wrong.
 
  • #51
Algr said:
And I've got 33 million passwords that say you are wrong.
werfvcxs - pwned 67 times
234rfdsw - pwned 43 times
uiol.,mj - pwned 1 time

How many more of the 33 million would you like to try?
 
  • #52
What does "pwned" mean? One recorded use of the password that was not guessed, but found on a leaked list? What good does that do for the hacker once they try to hack someone else? I have over 300 passwords. How many lines of gibberish can you remember?
 
  • #53
I didn't know that "Vissitude" was a real word. I only know it from World of Darkness, where it is something not good. Even my spell check doesn't know the word.
 
  • #54
Algr said:
What does "pwned" mean?
https://haveibeenpwned.com/

Algr said:
One recorded use of the password that was not guessed, but found on a leaked list?
"pwned 43 times" means that the password has been found 43 times on lists of matching email addresses and passwords submitted to HIBP (link above). If you go to the HIBP site it will tell you where the data came from.

Algr said:
What good does that do for the hacker once they try to hack someone else?
None at all. Hackers don't need to attack everybody so they only try easy targets: those they have cracked hash passwords for. If you have an easy password then it is likely that it has been cracked; you can lessen the odds by increasing the complexity.

Algr said:
I have over 300 passwords. How many lines of gibberish can you remember?
I can only reliably remember 5 passwords, for which I have mnemonics. I don't need to remember any others, I use a password manager.
 
  • #55
:: Hacks pbuk's password manager using a keystroke monitor, or similar exploit. ::
 
  • #56
You don't really mean that, do you? Because one can use a keylogger to crack secure passwords, it's OK to use insecure ones?

Do you believe that because your front door can be dynamited open, there is no need for a lock?
 
  • #57
Algr said:
It's like mopping the deck on a sinking ship - it may superficially look like it helps, but it is completely failing to recognize what the problem really is. As I showed in the previous post, making passwords too burdensome results in LESS security, not more.
If you can see the guy outside with the dynamite, choosing that moment to install a lock does seem rather silly.
 
  • #58
If the hacker has your password, and also your account name, then it makes no difference how long or complex your password was.

If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that? What is the risk?

(image: Keys.jpg)

BTW, here is the lock on your front door. How many different keys would you say are possible based on what you see here?
I get 1024.
 
  • #59
Algr said:
If the hacker has your password, and also your account name, then it makes no difference how long or complex your password was.
Nobody is disputing that, there is no point in repeating that obvious point. And neither is anyone suggesting that you should have excessively long and complex passwords.

What everyone is saying is that you should have sufficiently complex passwords: you are suggesting that 25 bits of entropy is enough and this is not correct.

Algr said:
If the hacker has a list of 33 million passwords and one of them happens to be yours, then how does he make use of that?
I don't know how I can explain this so you can understand, but I will try yet again: every time there is a leak of credentials (emails linked to password hashes), he checks each password hash against each of the 33 million passwords. If one of those password hashes is yours and your email is included in the leak then he can log into your account on that server. He can also try those credentials on thousands of other servers because people who choose weak passwords are also likely to use them more than once.
 
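A worked comparison of the schemes argued over in this thread (the 25-bit keyboard-adjacency count in post #42 and the leaked-hash mechanism described in post #59), added here as an example and not code from any poster: each scheme becomes a search-space size, its entropy in bits, the fraction of that space a 33-million-entry candidate list covers, and the worst-case time to exhaust it against one leaked salted hash. The guess rates and the 20,000-word dictionary size are round assumptions for illustration.

```python
import math

# Assumed round guess rates (guesses per second) for one cracking rig working
# through a leaked hash table; illustrative, not measured. A fast unsalted hash
# such as MD5 costs far less per guess than a deliberately slow hash like bcrypt.
GUESS_RATES = {"md5": 1e10, "sha1": 5e9, "bcrypt": 2e4}

# Size of the attacker's candidate list, taken from post #42: 2^25 = 33,554,432.
CANDIDATE_LIST = 2 ** 25

# Password schemes from the thread expressed as search-space sizes. Each figure
# follows from the scheme's own description; none comes from real leak data.
SCHEMES = {
    "keyboard-adjacent, 8 keys (post #42)": 2 ** (4 + 7 * 3),   # 25 bits
    "20 x 6 neighbours, 4 pairs (post #41)": (20 * 6) ** 4,     # 207 million
    "8 lowercase letters, uniform": 26 ** 8,                    # 209 billion
    "Xxxxxx1! with random letters (post #31)": 26 ** 6,
    "Xxxxxx1! with a dictionary word (post #31)": 20_000,       # assumed word-list size
    "5 Diceware words (post #34)": 7776 ** 5,
    "6 Diceware words (post #34)": 7776 ** 6,
    "256 random printable characters (post #32)": 94 ** 256,
}


def entropy_bits(search_space: int) -> float:
    """Bits of entropy in one uniformly random pick from a space of this size."""
    return math.log2(search_space)


def coverage_by_list(search_space: int, list_size: int = CANDIDATE_LIST) -> float:
    """Fraction of the scheme's space a fixed candidate list covers, i.e. the
    chance that a password drawn from the scheme is already on the list."""
    return min(1.0, list_size / search_space)


def seconds_to_exhaust(search_space: int, hash_name: str) -> float:
    """Worst-case time to try every candidate against one salted hash.
    Computed in the log domain so astronomically large spaces do not overflow."""
    log2_seconds = entropy_bits(search_space) - math.log2(GUESS_RATES[hash_name])
    if log2_seconds > 1000:   # past float range; nobody finishes this search
        return math.inf
    return 2.0 ** log2_seconds


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a readable number."""
    if seconds == math.inf:
        return "never"
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def assess(name: str) -> dict:
    """Summarise one scheme: entropy, list coverage and exhaust time per hash."""
    space = SCHEMES[name]
    return {
        "bits": round(entropy_bits(space), 1),
        "on_33M_list": coverage_by_list(space),
        "exhaust": {h: humanize(seconds_to_exhaust(space, h)) for h in GUESS_RATES},
    }


if __name__ == "__main__":
    for name in SCHEMES:
        r = assess(name)
        print(f"{name:44s} {r['bits']:7.1f} bits  on list {r['on_33M_list']:8.2%}"
              f"  md5 {r['exhaust']['md5']:>16s}  bcrypt {r['exhaust']['bcrypt']:>16s}")
```

The table makes the thread's disagreement concrete: the 25-bit scheme is fully covered by a list of the size the poster himself computed, so every such password in a leak is recovered on the first pass, while a five-word Diceware passphrase is still memorable yet sits far outside any candidate list.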
  • #60
Algr said:
I didn't know that "Vissitude" was a real word.
It isn't. The correct spelling is vicissitude.
 
