Think your password is secure? Think again

by Lee Hopkins on September 26, 2007 · 13 comments

secur3 passw0rds can be hard 2 cr3at3

Chilling yet fantastic advice from security expert Bruce Schneier on passwords (with hat tip to Bert):

“Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it’s attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.”

Well, there goes my assumption that my simple eight-character password will suffice. And don’t think that using a crypto program like my beloved PGP is going to help:

“The results are all over the map. Microsoft Office, for example, has a simple password-to-key conversion, so PRTK can test 350,000 Microsoft Word passwords per second on a 3-GHz Pentium 4, which is a reasonably current benchmark computer. WinZip used to be even worse — well over a million guesses per second for version 7.0 — but with version 9.0, the cryptosystem’s ramp-up function has been substantially increased: PRTK can only test 900 passwords per second. PGP also makes things deliberately hard for programs like PRTK, also only allowing about 900 guesses per second.”

The whole article is brilliant reading. Go read it. Now.

Equally illuminating are some of the comments, and the replies by Bruce, to wit:

“Of course longer is better. If you have a 32-character password, no software cracker is going to find it.”

“A useful class of memorable passwords that are difficult to cast as a PRTK-style stereotype is equations.

For the physically or mathematically-minded, they can be very easy to remember. They also make it easy to involve symbols (memorably). And since the notation for terms can have a very broad variation, they are probably not easy to search efficiently. And, there are a lot of them, many of which are quite obscure.

An example from classical mechanics: Hamiltonian evolution with Poisson Bracket notation might yield a password like

dy/dt={H,y}

Considering the possible variations (ydot instead of dy/dt, Heisenberg evolution with commutators, replace y by a Greek letter like Psi, subtract the RHS from both sides, many more) it seems like a losing game to try to create a stereotype search for these. And in this case, obscurity does aid security.”

“Interestingly, it sounds to me like a combination of two (reasonably long) dictionary words with a small non-alpha infix would survive this attacker fairly well.”

“Seems like a shift in the root is all you need to be less predictable. The progression I often have experienced in terms of user password maturity:
1) simple root (password)
2) simple root with appendages (password123)
3) root with character-shift and appendages (p@ssW0rd123!)
4) phrase with character-shift and appendages (e.g. I wish I had a dollar for every star = iW1h@$4e*)
5) random digits generated by a program and stored securely with a level 4 password”
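An added example in Python (not code from the original post, from Bruce Schneier or from AccessData's PRTK) that puts numbers on the two ideas quoted above: Schneier's point that the password-to-key conversion's ramp-up sets the offline guess rate (350,000 per second for Word versus 900 per second for PGP and WinZip 9.0, the figures quoted in the post), and the commenter's point that a "root with character-shift and appendages" password is a small search space however random it looks. The dictionary size, leet-variant count and appendage count are constructed assumptions, and PBKDF2-HMAC is used as a stand-in for whatever stretching PGP and WinZip actually implement.

```python
# Added example: not code from the original post, from Bruce Schneier, or from
# AccessData's PRTK. The two guess rates are the figures quoted in the post;
# the dictionary size, appendage count and leet-variant count are constructed
# assumptions used only to show the arithmetic.
import hashlib
import math
import time

RATE_WORD = 350_000  # guesses/s quoted for Microsoft Word (simple password-to-key step)
RATE_PGP = 900       # guesses/s quoted for PGP and WinZip 9.0 (deliberately slow ramp-up)


def pattern_space(words, leet_variants, appendages):
    """Guess space for 'root + character shift + appendage' passwords
    (stage 3 of the commenter's progression, e.g. p@ssW0rd123!).
    A guesser that knows the pattern enumerates word x variant x appendage
    rather than every string of that length."""
    return words * leet_variants * appendages


def random_space(alphabet_size, length):
    """Guess space for a uniformly random password of the given length."""
    return alphabet_size ** length


def entropy_bits(space):
    """Entropy of a password drawn uniformly from a guess space."""
    return math.log2(space)


def expected_seconds(space, guesses_per_second):
    """Expected time to find the password: half the space on average."""
    return space / 2 / guesses_per_second


def describe(seconds):
    """Render a duration with one decimal in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def stretched_key(password, salt, iterations):
    """Password-to-key conversion with a work factor (PBKDF2-HMAC-SHA256).
    Raising `iterations` is the 'ramp-up' Schneier describes: every guess an
    offline tool tests costs this many HMAC computations, so its guess rate
    drops proportionally, while the legitimate user pays the cost once per unlock."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def measured_rate(iterations, trials=20):
    """Derivations per second on this machine at the given iteration count,
    i.e. the ceiling on an offline guesser running the same code here."""
    salt = b"constructed-salt"  # constructed; a real store uses a random per-entry salt
    start = time.perf_counter()
    for i in range(trials):
        stretched_key(f"guess{i}", salt, iterations)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed assumptions: 50,000 dictionary roots, 16 leet spellings each,
    # 1,000 digit/symbol appendages; versus 12 random printable-ASCII characters.
    patterned = pattern_space(50_000, 16, 1_000)
    random12 = random_space(95, 12)
    for label, space in (("p@ssW0rd123!-style", patterned), ("random 12-char", random12)):
        print(f"{label}: {entropy_bits(space):.1f} bits")
        for name, rate in (("Word rate", RATE_WORD), ("PGP rate", RATE_PGP)):
            print(f"  {name}: {describe(expected_seconds(space, rate))}")
    for iters in (1, 1_000, 100_000):
        print(f"PBKDF2 {iters:>7} iterations: ~{measured_rate(iters):,.0f} guesses/s")
```

Run as a script, the first loop shows why the maturity progression matters more than the guess rate: the patterned password falls in minutes at the Word rate and in days even at the PGP rate, while the random 12-character one is out of reach at either. The second loop shows the other half of Schneier's point on your own hardware: the measured rate falls roughly in proportion to the iteration count, which is exactly what the WinZip 9.0 and PGP ramp-up buys.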

“I found this slide-deck on a method to create passwords interesting:

http://druid.caughq.org/presentations/Mnemonic-Password-Formulas.pdf

I wonder how well something like PRTK would be in recovering the formula used to generate the password if it had multiple passwords to compare.”

“@Simon: “how does Password Safe help?”

It helps in two ways: First, it allows you to choose different passwords for different services. Not many among us can remember 40 distinct passwords; we either have to write them down or re-use the same passwords over and over again, which becomes a nightmare with the different password choice and lifetime policies out there.

Second, it allows you to generate random passwords. Myself, I use different, random 12 character passwords for each service. In cases where I don’t care about identity, I even use a randomly generated user name.

“When away from my computer I’d not know the passwords.”

There’s not many services that I want to use when I’m away from my computer, so it’s not much of an issue for me.

Password Safe and its clones can also be installed on a USB stick, along with the password database. Although I would somewhat hesitate to trust a public computer.”

@Squyd
That just sounds like a LOT of work. Why bother? Use a password manager with a password generator built in. Done.

There are plenty out there, both traditional, and online:
http://passpack.wordpress.com/2007/01/29/online-vs-offline-password-managers/

Me, I use Password Master myself (from the excellent team at Dreameesoft) so I can use it on my pda, but they are all much of a muchness.

I’m now going through all of my different passworded accounts and randomising them with Password Master rather than relying on my old 8-character password which is the same one I use on multiple sites (very dangerous and stupid, I know, but I’m lazy!)

Currently listening to: Brian Eno – On Land – Dunwich Beach, Autumn, 1960

  • https://www.passpack.com/ Tara Kelly (PassPack)

    Hi, glad to hear you’ve decided to change to lots of unique, long passwords. You’ll surely sleep better at night.

    On being lazy – I can completely understand. Does Password Master have an automatic login feature? That really helps.

    Cheers,
    Tara

  • http://leehopkins.net/ Lee Hopkins

    G’day Tara!

    All of the various password programs have one problem – cross-platform.

    For instance, my tool of choice (because of my pda) is Password Master. But it won’t work on a U3 drive.

    Something that works on a U3 drive won’t work on my pc AND my windows mobile pda.

    And so it goes on…

    Password Master is no different (better or worse) than any of the others, but it does have one bad habit: it DOMINATES my cpu. If it’s running, even in the background, I can forget about doing some resource-intensive stuff like creating sound files or working with Illustrator or Photoshop.

    One day there will be a tool that will work across all platforms… [sigh]

  • http://leehopkins.net/ Lee Hopkins

    As for the automatic login feature — no. I know that some of the programs for the U3 drive do, but they don’t work on my pda…

    It’s a real bugger!

  • https://www.passpack.com/ Tara Kelly (PassPack)

    I was going to suggest trying PassPack for the cross-platform problem (I’m a founder). It’s an online service, so all you need is an internet connection and you can access your stuff from any computer.

    Alas, we don’t have a version optimized for mobile screens quite yet. So it wouldn’t solve your PDA compatibility problem.

    Lots of people choke on the idea of storing passwords online. But actually, your data is encrypted on-the-fly before leaving your browser – so once your passwords reach our server, they are fully encrypted and can’t be read by anyone (not PassPack, not hackers, not spying governments).

    It’s free if you want to try it.
    http://www.passpack.com

    If you do give it a go, let me know what you think – I’m always open to feedback.

    Cheers,
    Tara

  • http://www.leehopkins.net/ Lee Hopkins

    Thanks for that offer, Tara.

    I’d take you up on it but for one small problem: several of my clients don’t allow net access from their computers, but I still need to remember a stack of passwords to access various parts of their internal worlds, hence the beauty of a pda password store.

    I guess I’ll just have to keep searching and praying… {smile}

  • https://www.passpack.com/ Tara Kelly (PassPack)

    Wow. No net access. I think I’d pull my hair out!

    Good luck to you.

    Password managers have just begun a new evolution cycle. I’m sure the product you’re looking for is right around the corner.

    Cheers,
    Tara
