
[Closed] Your password doesn't matter

64 Posts
26 Users
0 Reactions
510 Views
Posts: 13594
Free Member
Topic starter
 

Interesting analysis of password choice and susceptibility to cracking etc...

Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our research and with the reality our team sees as we defend against 100s of millions of password-based attacks every day. Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.

Because here’s the thing: When it comes to composition and length, your password (mostly) doesn’t matter.

To understand why, let’s look at what the major attacks on passwords are and how the password itself factors into the equation for an attacker. Remember that all your attacker cares about is stealing passwords so they, or others, can access accounts. That’s a key difference between hypothetical and practical security – your attacker will only do really wacky, creative stuff you hear about at conferences (or wherever) when there’s no easier way and the target of the attack justifies the extra effort.

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984


 
Posted : 04/09/2019 11:39 am
Posts: 1226
Full Member
 

It's an interesting article, but the headline seems somewhat at odds with the discussion.

In the case password spray attack, which is listed as being very high frequency, if you happen to pick a password on the list of stupid passwords the attacker is trying, then your account is vulnerable. So clearly the password matters a lot here.

Similarly, in the case of the brute force attack the password matters a lot, too. And, yes, the frequency of this is listed as being low, but it's not as if there are not reasonably regular db breaches from large websites such as e.g. LinkedIn -- and the article says as much.

So really it's not so much that your password doesn't matter, but more that it doesn't matter until it does, and if you want a more secure system overall you're better off looking at MFA than more betterer passwords.

I can see why my version wouldn't make for a snappy headline though.


 
Posted : 04/09/2019 11:58 am
 Drac
Posts: 50352
 

'If your password is shit it'll be cracked'

There that's better.


 
Posted : 04/09/2019 12:07 pm
 DezB
Posts: 54367
Free Member
 

It's the changing of passwords that pisses me off. If someone knows your password, they know it. They're not going to hang on for 30 days and then use it! "Oh shit they've changed it!"


 
Posted : 04/09/2019 12:12 pm
Posts: 77347
Free Member
 

‘If your password is shit it’ll be cracked’

‘If your password isn't shit it’ll probably still be cracked’ is closer to what the article says. I read it a little while ago, it makes some interesting points. I keep meaning to distil it into something a bit more user-friendly that I can use to batter IT users with.

Passwords, really, aren't fit for purpose and arguably never have been. In isolation they're a terrible method of security. 2FA is much, much better.


 
Posted : 04/09/2019 12:13 pm
Posts: 77347
Free Member
 

if you happen to pick a password on the list of stupid passwords the attacker is trying,

It doesn't even have to be a "stupid" password. I've got a copy of one of the more recent breaches, it's something like half a million passwords long. Good luck coming up with something that isn't on the list, your challenge is basically "think of a password no-one else has ever thought of". Dedicated cracking rigs aside, with a modest VM I could iterate through that list in the order of minutes.

It’s the changing of passwords that pisses me off. If someone knows your password, they know it. They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

Yeah, but, there may be some delay here. The goal of the attacker might not be to use your credentials but rather to sell them on.

I agree in principle though, changing it at set periods causes more problems than it solves. If I've got someone's password, it's "Arsenal27", I try it and it doesn't work, I'm reasonably certain that I can guess what it's been changed to.

Another example: one of the most common passwords recently was "Summer2019!". This might not be immediately obvious as to why, but think about the password requirements of a Windows domain network. Mix of uppercase / lowercase / numbers / symbols (pick any three), minimum of 8 characters long (IIRC), and expires every 90 days. What else expires every 90 days? Boom, you've got a genius, memorable password scheme that you can iterate through until the heat death of the universe! The only problem is loads of other people have thought of the same scheme as a direct result of Windows' default password-change policy so you're on the list. Pwned. Sorry.


 
Posted : 04/09/2019 12:24 pm
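The defender-side version of the point above (the base word "Arsenal" with a changing suffix, and the "Summer2019!" scheme that domain expiry policies produce) is a banned-password check run at password-change time, which is also the "banned-password lists" mitigation Microsoft's guidance quoted later in the thread refers to. The code below is an added example, not from the thread or from Microsoft; the banned-word set is a constructed sample standing in for a breach-derived list, and the leet-substitution map and season regex are the author's own assumptions.

```python
import re
from datetime import date
from typing import Optional

# Constructed banned-word sample. A real deployment loads a breach-derived list
# (the HIBP Pwned Passwords download, say) and checks the candidate's base word against it.
BANNED_BASE_WORDS = {"password", "123456", "qwerty", "letmein", "arsenal", "liverpool"}

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
# "Summer2019!" style: season, four-digit year, optional trailing punctuation.
SEASON_YEAR = re.compile(r"^(" + "|".join(SEASONS) + r")(\d{4})[!@#$%^&*.?]*$",
                         re.IGNORECASE)

# Common l33tsp34k substitutions (assumed set), undone before the list lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Drop the trailing digits/symbols that turn "Arsenal27" or "Ar5enal!" into a
    'new' password, undo leet substitutions, and lower-case the result."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return stripped.translate(LEET).lower()


def reject_reason(password: str, year: Optional[int] = None,
                  banned=BANNED_BASE_WORDS) -> Optional[str]:
    """Return why the password should be refused, or None if it passes these checks.
    `year` defaults to the current year; tests pass it explicitly."""
    year = year or date.today().year
    if len(password) < 8:
        return "too short"
    m = SEASON_YEAR.match(password)
    # A season plus this year (or the one either side) is the expiry-driven scheme.
    if m and abs(int(m.group(2)) - year) <= 1:
        return "season+year scheme"
    if base_word(password) in banned:
        return "base word is on the banned list"
    return None


if __name__ == "__main__":
    for candidate in ("Summer2019!", "Arsenal27", "P@ssw0rd",
                      "where trouble melts like lemon drops"):
        print("%-40s -> %s" % (candidate, reject_reason(candidate, year=2019)))
```

The check normalises before looking anything up, so the list only needs base words; the suffix and substitution variants the thread describes collapse onto the same entry rather than each needing their own.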
Posts: 30093
Full Member
 

They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

Wrong. Many times over.

But the answer isn’t playing the game of forcing users to change their password super often.

More generally, password only authentication is useless these days, where you genuinely want any level to security. You need at least one other factor, or you might as well not bother.


 
Posted : 04/09/2019 12:26 pm
Posts: 6874
Full Member
 

MFA usually depends on a password as one factor, so passwords remain; however, as part of MFA many of the attacks listed in the MSFT article are prevented. Complexity requirements are there to introduce variance; however, they are often overzealously used to the detriment of overall security. Organisations are getting better at protecting stored passwords through hashing and salting, and therefore I expect that for the most prevalent stuffing and spray attacks (whilst I've not researched it) the average age of a pwned (see HIBP) password is probably increasing and therefore its value is decreasing.


 
Posted : 04/09/2019 12:28 pm
 DezB
Posts: 54367
Free Member
 

Wrong. Many times over.
Cool, great explanation there.

I prefer this one: First Google result (https://www.cnet.com/news/microsoft-admits-expiring-password-rules-are-useless/)


 
Posted : 04/09/2019 12:38 pm
Posts: 77347
Free Member
 

Wrong. Many times over.

The other cheek of this arse is that credentials stolen aren't always then used on the systems breached - in fact, that's probably a rare occurrence. Rather, most people reuse credentials.

If I want to hack your email account (and I do, because if that falls then I have "I forgot my password, please email me a reset link" access to everything else you have), that's probably going to be challenging. Gmail, Outlook etc are mature products, they're going to be pretty secure*. So rather, I'd go for lower-hanging fruit like, say, a popular mountain-biking website running Wordpress. If I can breach that, then I potentially have a big long list of credentials, some of which by law of averages will be the same as their email logins.

This is where password changing could mitigate a problem (though as Kelvin says, it's not the best solution). The breached accounts could be quite old - my Yahoo credentials were breached and I haven't logged in to Yahoo in maybe a decade.

At work we monitor for compromised corporate email accounts. In the vast majority of cases the accounts are for people who are no longer with the company.

(* - in theory)


 
Posted : 04/09/2019 12:45 pm
 DezB
Posts: 54367
Free Member
 

Jeez! why am I discussing work related bollox on STW?! 😆


 
Posted : 04/09/2019 12:50 pm
Posts: 77347
Free Member
 

Cool, great explanation there.

I prefer this one First Google result

The point really isn't that password expiration isn't inherently useless in isolation, rather that it's the wrong solution to the problem.

User education - don't reuse passwords, don't use corporate accounts for personal websites, for the love of pete ensure that if nothing else your email and bank passwords are unique - 2FA, password managers etc are all better ways to mitigate these risks.


 
Posted : 04/09/2019 12:50 pm
 Drac
Posts: 50352
 

Good luck coming up with something that isn’t on the list,

I use Apple's password generator; I believe it's 15 characters long. Why yes, it's never going to be perfect, it'll take a lot of work, and I'll only lose one if they breach a database.


 
Posted : 04/09/2019 12:52 pm
Posts: 77347
Free Member
 

It's probably time to post this again.

https://haveibeenpwned.com/

The email account I use for website logins has been in ELEVEN different data breaches. Don't reuse passwords, kiddies.


 
Posted : 04/09/2019 12:55 pm
Posts: 77347
Free Member
 

I use Apple’s password generator I believe it’s 15 characters long. Why yes it’s never going to be perfect it’ll take a lot of work and I’ll only lose one if they breach a database.

Yup. See also, LastPass, KeePass, and a supporting cast of thousands. Half of my passwords, I don't even know what they are.


 
Posted : 04/09/2019 12:58 pm
Posts: 0
Free Member
 

A valuable point here is also that passwords are vastly useless with the integration of functions now... once they're in, that's it, they have easy access to most of it.


 
Posted : 04/09/2019 12:59 pm
Posts: 30093
Full Member
 

This is where password changing could mitigate a problem

Agreed. Most of the big boys were using 12 month expiration, while they waited for all (most) of their users to move onto MFA. It was mandatory monthly changes that Microsoft were ringing the death bell for in the PR behind that link, I assume… I only read the headline.


 
Posted : 04/09/2019 1:02 pm
 Drac
Posts: 50352
 

Yup. See also, LastPass, KeePass, and a supporting cast of thousands. Half of my passwords, I don’t even know what they are.

Yup used those in the past. I know maybe 2 or 3 at most.


 
Posted : 04/09/2019 1:08 pm
Posts: 8771
Full Member
 

I’m reasonably certain that I can guess what it’s been changed to.

I'm not so sure you can - password modifications are notorious for being forgotten quickly (and still remaining simple enough for dict attacks).

Why do companies like NSI put a 20 character length limit and disallow a high proportion of characters from their passwords? I thought the more complex and longer was better?


 
Posted : 04/09/2019 1:09 pm
Posts: 0
Free Member
 

I thought the more complex and longer was better?

Not necessarily. Long complex passwords are hard to think up and remember for users. This leads them to using the same one for multiple accounts, writing them down, and recycling them by changing one or two digits.


 
Posted : 04/09/2019 1:44 pm
Posts: 13594
Free Member
Topic starter
 

A lot of my passwords are on the cracked lists, but I only use them for sites where I don't really care if it gets hacked, e.g. no personal / financial info at stake.


 
Posted : 04/09/2019 1:52 pm
 pdw
Posts: 2206
Free Member
 

Long complex passwords are hard to think up and remember for users.

Probably time to post this one:


https://xkcd.com/936/

Long, simple passwords can be both strong and easy to remember.

Some of the "no"s in that article are pretty disingenuous. The first row should be "yes - it absolutely matters that you don't re-use your password." Similarly for "password spray".


 
Posted : 04/09/2019 2:18 pm
Posts: 77347
Free Member
 

On the XKCD thing,

A common suggestion is to use passphrases instead of passwords. This is solid advice, but falls into the same problem as the breached password lists above. I.e., if it's common, it will probably have been done. "Somewhere over the rainbow" might look secure at a glance but is highly likely to be in a wordlist. "Where trouble melts like lemon drops" perhaps not so much. "My uncle Norbert's performing gerbils" better yet.

Also, L33tsp34k - fooling nobody, sorry. We've been wise to that little trick for a long time.

Erm, they have, I mean. Obviously.


 
Posted : 04/09/2019 2:39 pm
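The strength claim behind the xkcd strip pdw linked, and the caveat in the post above that a phrase you *chose* may already be in a wordlist, both come down to how the words were picked. As an added example (not from the thread, the strip, or anyone quoted here), the code below picks words with the OS random generator and works the entropy and worst-case guessing time through with the strip's own figures; the 32-word list is a constructed stand-in and the 7776-word figure assumes a list the size of the EFF long list.

```python
import math
import secrets

# Constructed 32-word sample list. A real generator uses a published list such as
# the EFF long list (7776 words); the entropy figures below assume that size.
SAMPLE_WORDS = [
    "anchor", "basin", "cedar", "delta", "ember", "fjord", "gable", "harbour",
    "ivory", "jungle", "kettle", "lemon", "marble", "nectar", "oxbow", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "bramble", "cobalt", "dapple", "falcon", "granite", "juniper",
]


def generate_passphrase(n_words: int = 4, words=SAMPLE_WORDS) -> str:
    """Pick each word independently with the CSPRNG. Choosing a phrase you already
    know (a song title, a quotation) gives far less than log2(len(words)) per word,
    because the attacker's phrase list is what bounds the search, not the dictionary."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Bits of entropy for n independent uniform picks from a list of list_size words.
    xkcd 936 assumes 2048 words (11 bits each): four words give 44 bits."""
    return n_words * math.log2(list_size)


def worst_case_years(bits: float, guesses_per_second: float) -> float:
    """Years to exhaust the whole keyspace at a given online guess rate
    (the strip's 1000 guesses/second gives roughly 550 years for 44 bits)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    for n, size in ((4, 2048), (4, 7776), (6, 7776)):
        bits = entropy_bits(n, size)
        print("%d words from %d: %.1f bits, %.1f years at 1e3 g/s, %.4f years at 1e9 g/s"
              % (n, size, bits, worst_case_years(bits, 1e3), worst_case_years(bits, 1e9)))
```

The third line of that output is the point made elsewhere in the thread about offline attacks: the same 44 bits that hold for centuries against a rate-limited login page fall in hours once the attacker has the hash table and can run at billions of guesses per second, which is why the hash's work factor and a second factor matter more than the phrase itself.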
Posts: 8771
Full Member
 

I was more asking the question in the context of arbitrary length limits and character limitations. We're told to complexify our passwords and make them long and to take advantage of password managers, only to find a 20 character length limit and not be allowed to use most of the non-alphanumeric characters on a standard keyboard.


 
Posted : 04/09/2019 2:49 pm
Posts: 8613
Full Member
 

Don't get me started on special characters and logging into systems without a UK keyboard/region set and spending an hour pulling your hair out


 
Posted : 04/09/2019 3:08 pm
Posts: 30093
Full Member
 

Password systems that enforce use of special characters are evil. Insisting on a minimum length is fair enough. And the "four random words" approach is great, anyone can remember those (and if not, keep them out of your system)… so a low maximum length is also evil. But still, ultimately you need more than a password anyway… that is still the main takeaway. Turn on multi factor for everything.


 
Posted : 04/09/2019 3:15 pm
Posts: 77347
Free Member
 

I was more asking the question in the context of arbitrary length limits and character limitations.

Yeah, it's just bad coding, there's no reason for it other than a fear of not being able to sanitise inputs correctly (or a database built in 1985). There's an XKCD about this too.

Blocking characters like ' and " is a lazy (and not wholly effective) way of mitigating this sort of vulnerability.


 
Posted : 04/09/2019 3:16 pm
Posts: 30093
Full Member
 

Passwords should never be stored in a database anyway.


 
Posted : 04/09/2019 3:20 pm
Posts: 77347
Free Member
 

Don’t get me started on special characters and logging into systems without a UK keyboard/region set and spending an hour pulling your hair out

Oh yeah, I once got bitten by this building an HP server. They have an 'assisted install' wizard where you feed in usernames, passwords, licence keys etc into an interface at the start, then it installs Windows and feeds in all the info you've provided post-install. Except, the wizard is US-only keyboard and it didn't make this overly clear (and of course, you can't see what you're typing in a password box). Then the system comes up and... your password doesn't work. Cue much wailing and gnashing of teeth.

Take-away from this, do not use [@] symbols in passwords...!


 
Posted : 04/09/2019 3:21 pm
Posts: 13594
Free Member
Topic starter
 

Yeah, it’s just bad coding, there’s no reason for it other than a fear of not being able to sanitise inputs correctly (or a database built in 1985).

Only this morning I was asked to purge <> from a dB dump as the customer's dB input parser couldn't handle it! And yes, their own employees had entered them into a text field somewhere.


 
Posted : 04/09/2019 3:22 pm
Posts: 0
Free Member
 

Most of the arguments above only relate to password only systems. That's the whole point of the OP article. Passwords alone should not be relied upon.

Take your bank card for instance, it is secured by a 4 digit pin. So that's a simple 4 digit passcode + something only you have. That's what makes it secure. No bank ever has required you to have a 10 digit pin that contains special characters and then forced you to change it every 3 months. Why? Because with MFA complex passwords are not necessary.


 
Posted : 04/09/2019 3:22 pm
Posts: 77347
Free Member
 

Passwords should never be stored in a database anyway.

Unencrypted passwords shouldn't.

https://plaintextoffenders.com/


 
Posted : 04/09/2019 3:23 pm
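What "not stored unencrypted" looks like in practice is the hashing-and-salting the earlier post mentions: a per-user random salt and a deliberately slow hash, so a stolen table cannot be attacked with one precomputed list and each guess costs the attacker real CPU time. The code below is an added example, not from the thread or from any site named in it; PBKDF2-HMAC-SHA256 and the 600,000-iteration work factor are the author's assumptions (the figure follows current OWASP guidance and should be tuned to your hardware), and the record format is invented for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed; tune so a verify takes a few hundred ms).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is random per record, so two users with the same password get
    different digests, and an attacker with the table must attack each row separately."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time.
    Anything that is not a well-formed record (a plaintext password, say) fails closed."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than the current one.
    Call after a successful login and re-hash with the password just supplied,
    which is how a site raises its cost over time without a mass reset."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("Summer2019!")
    print(rec)
    print("correct password verifies:", verify_password("Summer2019!", rec))
    print("wrong password verifies:  ", verify_password("Summer2019", rec))
    print("same password, new salt differs:", hash_password("Summer2019!") != rec)
```

The slow hash does not rescue a password that is on a breach list (a spray or stuffing attack never touches the hash), which is the article's point; it only raises the cost of the offline case where the table itself has been taken.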
Posts: 13594
Free Member
Topic starter
 

Unencrypted passwords shouldn’t.

Let alone unencrypted raw biometric data!

Quite possibly the worst designed security system ever devised, as used by multiple Government agencies....

https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data

No salting, no hashing, no encryption, just all the raw personal user biometric data up for grabs to anyone who wants it...


 
Posted : 04/09/2019 6:20 pm
Posts: 24498
Free Member
 

Long complex passwords are hard to think up and remember for users.

Probably time to post this one:

But with the developments in quantum computing, and the real prospect of quantum supremacy in the next few years, there will be computers that can make millions or billions of guesses per second, and suddenly your 44 years can be cracked down to workable timescales; the only security against quantum computer based hacking will be codes that are also designed by quantum computers.

(not that password hacking would be the way that QC would hack into accounts anyway)


 
Posted : 04/09/2019 6:48 pm
Posts: 10474
Free Member
 

I keep a list of captcha codes and assemble passwords from them.

Or DO I?


 
Posted : 04/09/2019 7:05 pm
Posts: 77347
Free Member
 

Let alone unencrypted raw biometric data!

Well, that's a whole other tin container of annelids. Muggers rocking up to take your wallet, equipped with a pair of secateurs?

Moreover, "sorry, our database has been breached. Please immediately change all your... uh... fingerprints and retinas." I'm quite a fan of biometrics, but it's so very, very hard to revoke. At best you've got ten fingerprint resets before you're shit out of luck (unless you're from St Helens).

But again, here we are back at 2FA / MFA.


 
Posted : 04/09/2019 7:09 pm
Posts: 5807
Free Member
 

then there will be computers that can make millions or billions of guesses per second

And when they can they'll still be stymied by any system that limits the number of login attempts over a set time period, that's why current attacks tend to the "low and slow" approach where quantum would offer no advantage. The security threat from QC will be to non-QC encrypted data, not passwords per se (although non-QC hashing will obviously be vulnerable where passwords are stolen).

But yes, MFA. And preferably not one-time codes over bloody SMS please! That's you, Amazon, Paypal et al...


 
Posted : 04/09/2019 7:30 pm
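The "low and slow" attack the post above describes is exactly the one a per-account lockout misses: each account sees one or two failures, so nothing trips, while the source address is working through hundreds of accounts. The detection has to pivot on the source rather than the account. Below is an added example (not from the thread or any product named in it) that runs that logic over a constructed log sample; the log line format, the one-hour window and the thresholds are all the author's assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any real product's): one line per authentication attempt.
LINE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = [
    # constructed spray: one source, eight accounts, one guess each, spread over 40 minutes
    "2019-09-04T12:%02d:00Z auth=fail user=%s src=203.0.113.7" % (5 * i, u)
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])
] + [
    # constructed brute force: one source hammering one account, 25 guesses in five minutes
    "2019-09-04T12:%02d:%02dZ auth=fail user=bob src=198.51.100.9" % (10 + i // 5, (i % 5) * 12)
    for i in range(25)
] + [
    # constructed benign: a user who mistypes twice and then gets in
    "2019-09-04T12:00:05Z auth=fail user=alice src=192.0.2.5",
    "2019-09-04T12:00:20Z auth=fail user=alice src=192.0.2.5",
    "2019-09-04T12:00:40Z auth=ok user=alice src=192.0.2.5",
]


def parse(lines):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   "result": m["result"], "user": m["user"], "src": m["src"]}


def window_stats(events, window):
    """For time-sorted failures from one source, return the largest number of distinct
    accounts and the largest number of attempts on any one account seen inside any
    sliding window of the given length."""
    max_distinct = max_per_user = 0
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        users = Counter(e["user"] for e in events[start:end + 1])
        max_distinct = max(max_distinct, len(users))
        max_per_user = max(max_per_user, max(users.values()))
    return max_distinct, max_per_user


def classify_sources(lines, window=timedelta(hours=1), spray_min_accounts=5,
                     spray_max_per_account=3, brute_min_attempts=20):
    """Label each source address: many accounts with few tries each is a spray
    (invisible to per-account lockout); many tries on one account is brute force."""
    fails = defaultdict(list)
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        if e["result"] == "fail":
            fails[e["src"]].append(e)
    verdicts = {}
    for src, events in fails.items():
        distinct, per_user = window_stats(events, window)
        if distinct >= spray_min_accounts and per_user <= spray_max_per_account:
            verdicts[src] = "password spray"
        elif per_user >= brute_min_attempts:
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print("%-14s %s" % (src, verdict))
```

A real deployment feeds this from the identity provider's sign-in log and pairs the spray verdict with the banned-password check from earlier in the thread: the spray only works because the guessed password is on a short list, so blocking that list at password-set time removes the target and the source-level alert catches whoever tries anyway.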
Posts: 8771
Full Member
 

Why do companies like NSI put a 20 character length limit and disallow a high proportion of characters from their passwords?

Ooooh, think I can answer my own question here! Because telephone. Because symbols you can't pronounce or know the name of. Because words for characters are sub-optimal for transmission in speech.


 
Posted : 04/09/2019 8:06 pm
 ajaj
Posts: 0
Full Member
 

"here we are back at 2FA"

2FA is really hard though. If you use a phone or a phone app for the second factor you can't guarantee that the user isn't using that phone as the first. And you still have the lost second factor reset problem (LastPass users, try the 2FA reset process and then ask yourself if 2FA gives you any real security at all).

Old-style RSA keys/Yubikeys and those calculator things that banks issue work but they're expensive.


 
Posted : 04/09/2019 8:11 pm
Posts: 77347
Free Member
 

And when they can they’ll still be stymied by any system that limits the number of login attempts

Absolutely, unless you've already got a local copy of the database, in which case all bets are off.

2FA is really hard though. If you use a phone or a phone app for the second factor you can’t guarantee that the user isn’t using that phone as the first.

It's not perfect, sure. But it's orders of magnitude better than a password alone.

(LastPass users, try the 2FA reset process and then ask yourself if 2FA gives you any real security at all).

Well, I don't know what you're referring to specifically but that's presumably a flaw of LastPass rather than 2FA? (I should probably look into that...)


 
Posted : 04/09/2019 9:57 pm
Posts: 5807
Free Member
 

If you use a phone or a phone app for the second factor you can’t guarantee that the user isn’t using that phone as the first

How do you mean? I don't recall seeing a secure app where the phone alone is the primary authentication, they've always needed a password or fingerprint. Though I agree that if someone has that first layer and the actual phone then something like Google Authenticator is already compromised. It's still a worthwhile security measure in that it can prevent access from an unknown device though.

In the end it's all about limiting surfaces, but if it comes down to it not many people will resist the classic $5 wrench attack.


 
Posted : 04/09/2019 10:18 pm
Posts: 7
Free Member
 

I despair at this stuff. I can only actually remember 2-3 passwords. The rest are between 20 and 50 random characters (thanks password manager).

I use lastpass both for work and home. I've a yubikey for work and I use Google authenticator for home (weaker I admit). I still turn on 2FA for important accounts.

Most people are completely clueless when it comes to computer security. Until they get burned.


 
Posted : 04/09/2019 10:52 pm
Posts: 11605
Free Member
 

How do you mean? I don’t recall seeing a secure app where the phone alone is the primary authentication, they’ve always needed a password or fingerprint.

Like trying to make a payment and the OTC comes over text. If you have the device the 2FA is compromised.

Would you like to remember that password?


 
Posted : 04/09/2019 11:17 pm
Posts: 8613
Full Member
 

the only security against quantum computer based hacking will be codes that are also designed by quantum computers

Not true, there's plenty of work already well underway, not using quantum computers, that is developing new quantum-computing-resistant algorithms. It's also pretty trivial to increase the key length of existing algorithms (for symmetric encryption at least) to negate much of the advantage of quantum computing.


 
Posted : 05/09/2019 8:18 am
Posts: 5807
Free Member
 

Like trying to make a payment and the OTC comes over text. If you have the device the 2FA is compromised.

Well, that's a 2nd factor rather than the primary since you're already in the app but yes, supplying OTCs by SMS is not ideal. There are plenty of examples where mobile numbers have been hijacked so the OTC goes to the villain's phone so they don't even need the original device. That's usually been used to engineer password resets though AFAIK.


 
Posted : 05/09/2019 8:49 am
Posts: 13594
Free Member
Topic starter
 

Re 2FA, bit of an exception, but we were in Swaledale the other week and the village has no cellular coverage. I can get some texts (iMessage etc) and make calls over Wifi but I couldn't do any bank stuff as 2FA SMS messages couldn't get through....


 
Posted : 05/09/2019 9:00 am
Posts: 13594
Free Member
Topic starter
 

and xkcd forums have been breached.....

https://nakedsecurity.sophos.com/2019/09/03/xkcd-forums-breached/


 
Posted : 05/09/2019 10:19 am
Posts: 0
Full Member
 

One of the companies I contract for has introduced a ridiculously complex system for passwords, because they were worried about people's laptops being breached. Thing is, there are pretty much two likely situations for laptops, and none of the measures introduced actually help in either case:

1) Accidentally lost laptop (left on train). Fair enough, this happens (a lot). However, if someone finds a lost laptop on a train and is not honest enough to hand it in to lost property, what do they do with it? I'm going to suggest that 999,999 times out of a million they are just going to sell it on eBay or in the local pub for a quick buck. In that case, any basic password means it'll just get wiped and re-installed, or even if they crack the p/w, they aren't going to spend more than a few seconds looking at the hard drive for top secret info, they'll just delete the user stuff.

2) Arch villains steal critical laptop at knife/gun point to get critical company info. In this case, they'll just put a knife to the throat of the laptop owner and say "password or you're dead", which means any password is irrelevant.


 
Posted : 05/09/2019 11:28 am
Posts: 1612
Full Member
 

So I've just tried a password manager for the first time (1Password). From what I understand, in order to convert my reasonably easy to remember, but probably not that secure passwords for over 200 websites using 1Password, I need to go to a website, navigate to "change your password" in that website, open the password manager app, navigate to "generate a password", copy the resulting long, secure, password generated in the app and paste it into the website, then associate/ save the password in the app. Then repeat 200+ times. Sounds like a lot of hassle to me? Not sure what I was expecting, but something a bit more automated 😕

Could I just generate my own random passwords (by smearing my finger across the keyboard) and asking Chrome / Google to remember the password (a prompt to do this usually appears) and ditch the app?


 
Posted : 24/10/2019 11:42 am
 Drac
Posts: 50352
 

Not sure what I was expecting, but something a bit more automated

Visit website, click change password, ask iCloud to generate password. Done.


 
Posted : 24/10/2019 11:48 am
Posts: 251
Full Member
 

Then repeat 200+ times.

I just waited until I needed to access a site then did it with Lastpass setting the password values, so yes 200+ times but not all in one go.

Then I forgot my Lastpass password and failed the re-authentication, so I now have very secure passwords on lots of sites but no access to find out what they are...


 
Posted : 24/10/2019 11:56 am
 DezB
Posts: 54367
Free Member
 

From what I understand, in order to convert my reasonably easy to remember, but probably not that secure passwords for over 200 websites using 1Password, I need to go to a website, navigate to “change your password” in that website, open the password manager app, navigate to “generate a password”, copy the resulting long, secure, password generated in the app and paste it into the website

Chrome does this really well.


 
Posted : 24/10/2019 11:58 am
Posts: 13164
Full Member
 

@Roger_Mellie I would be checking the have I been pwned site and changing any accounts that show up there first. Then on an as-you-need basis until it's done.

You may also be able to thin out the number of passwords by deleting those you no longer use.


 
Posted : 24/10/2019 12:08 pm
 Drac
Posts: 50352
 

Chrome does this really well.

Yup, I'm not sure there's such a need for 3rd party ones now.


 
Posted : 24/10/2019 12:10 pm
Posts: 1612
Full Member
 

Cool, thanks folks for the replies. I was being a bit dramatic there. I'll stick with chrome and do a bit of website / password husbandry.


 
Posted : 24/10/2019 12:38 pm
Posts: 1612
Full Member
 

@wwaswas

Ooops! 🙂  I mean, 🙁


 
Posted : 24/10/2019 12:41 pm
Posts: 33325
Full Member
 

It’s the changing of passwords that pisses me off. If someone knows your password, they know it. They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

Yeah, we have to do this with the phones and tablets we use at work. Thing is, none are used for anything financial or for any kind of personal reasons, the data is purely concerned with the condition and location on site of cars that we are repairing or storing. All of those cars are easily visible from the road, and anyone can get apps that will give all of the history of a car just from its registration, so having to keep changing the password is pointless, because, as has been pointed out, everyone just thinks of a word and adds a number sequence to the end.


 
Posted : 24/10/2019 12:44 pm
Posts: 1751
Full Member
 

This is possibly the geekiest thread I’ve seen on STW for a while.

Love it, it’s the reading version of listening to the shipping forecast to me. Keep it up!


 
Posted : 24/10/2019 3:17 pm
Posts: 77347
Free Member
 

I would be checking the have I been pwned site and changing any accounts that show up there first.

... and anywhere else where you've used the same credentials.


 
Posted : 24/10/2019 3:30 pm
Posts: 8613
Full Member
 

Microsoft's security baseline take on things is interesting (they've recently dropped any recommendation to expire them, this is in a domain setting).

Why are we removing password-expiration policies?

First, to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity.

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

Our baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises. They are also intended to serve as guidance for auditors. So, what should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

I like the not-so-subtle dig at users being the weakest link :p


 
Posted : 25/10/2019 7:54 am
Posts: 251
Full Member
 

The biggest argument I can see in favour of password expiration is online shopping sites (which rarely do it).

If I have to set up an account somewhere to shop that account is, in effect, 'live' for ever - if the password is stolen then it's available to use in perpetuity.

I'd rather if I didn't shop somewhere for 6 weeks or whatever that they expired the password and I had to reset it to shop again.

There's probably little 'harm' that could come from an account I used once and never used again being compromised, and if I'm worried about the password being stolen I should use a unique one for each site, but the thought of there being possibly hundreds of active accounts that I've set up in the past 20 years and rarely if ever use does worry me a little - as much because changes may occur in future that give value to access to such accounts by third parties.


 
Posted : 25/10/2019 8:32 am
 Rio
Posts: 1617
Full Member
 

I like the not-so-subtle dig at users being the weakest link

I particularly like the subtle dig at auditors, who IME when I did this sort of thing were complicit in preventing more risk-appropriate password policies from being adopted.


 
Posted : 25/10/2019 9:05 am
Posts: 77347
Free Member
 

they’ve recently dropped any recommendation to expire them

... in line with current NCSC guidelines.

https://www.infosecurity-magazine.com/blogs/password-requirements-from-ncsc-1/


 
Posted : 25/10/2019 12:25 pm
Posts: 506
Full Member
 

The other thing to think about is validation questions - mother’s maiden name, that kind of thing. I always make a point of defining the place I was born as ‘correcthorsebatterystaple’ and my favourite colour as ‘ketchupthecortina’ - or words to that effect...


 
Posted : 25/10/2019 5:57 pm
Posts: 11605
Free Member
 

I wonder how many people's favourite colour is 'What'?


 
Posted : 25/10/2019 8:45 pm