SoylentNews is people
SoylentNews
Submitted via IRC for Bytram
We've all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they're basically useless. He is also very sorry.
[The 2003 NIST guidance has been replaced by a new version of NIST Special Publication 800-63A, "Digital Identity Guidelines: Enrollment and Identity Proofing Requirements." which is basically a 180° reversal from the original. - Ed.]
Source: http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987
Additional Coverage at The Wall Street Journal[paywalled]
This discussion has been archived.
No new comments can be posted.
The Guy Who Invented Those Annoying Password Rules Now Regrets It
|
Log In/Create an Account
| Top
| 24 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Wow! Look!! A stray meatball!! Let's interview it!
(Score: 5, Funny) by kaszz on Friday August 18 2017, @10:42AM (7 children)
On password strength..
https://xkcd.com/936/ [xkcd.com]
(Score: 2) by AthanasiusKircher on Friday August 18 2017, @10:51AM
Obviously this is on-point, but I'd just note that this XKCD cartoon is literally pasted in the source Gizmodo article, taking up roughly 20% of the length.
(Score: 3, Interesting) by DannyB on Friday August 18 2017, @03:13PM (5 children)
I'll give you a Funny mod, but on a Serious note . . .
That example is an 11 character password. I'll assume it is from, lets say a 64 character alphabet. So 64 ^ 11 is something x 10 ^ 19 possible passwords.
Now suppose you use only a simple alphabet of 26 lowercase characters, but have 25 characters like "correcthorsebatterystaple", that is 26 ^ 25 which is something x 10 ^ 35.
I'm sure you'll agree that 10 ^ 35 possibilities is slightly more than 10 ^ 19 possible passwords.
(forgive me for using such rough numbers like 10 ^ 35 instead of the kind of precision Mr. Spock would use.)
So using a simpler alphabet, but longer passwords makes sense. As long as you are sure you can re-type those longer passwords.
That said, introducing a slightly larger alphabet doesn't hurt security. But password length seems more important. The attacker cannot know what alphabet you're using, so even one uppercase character in a lowercase password, doubles the possible alphabet size the dictionary attack must consider.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by stormwyrm on Friday August 18 2017, @04:30PM (4 children)
Yes, introducing a slightly larger alphabet doesn't hurt security, but it hurts memorability. Adding one uppercase character in a lowercase password will not double the entropy of the password. Say we have a 12-character password made up of lowercase letters. That has an entropy of 56 bits, or about 1016 possible passwords. If your opponent for some reason knows that you only capitalised one of them, they would only need to guess which one is capitalised, which means only 12 times the original number of passwords. That gives the new password an entropy of 59 bits. You would need to randomly use both capital and small letters to get the 5212 (68 bits of entropy, or about 1020 passwords), and that is definitely harder to remember. On the other hand, if you increased the password length to 15 characters, you'd have 2615 (70 bits of entropy, or about 1021 passwords). For me anyhow, 15 random all lowercase characters is easier to remember than 12 random mixed-case characters. What would you feel is easier to reliably remember? Something like 'muYcIRJRpWoT' or something like 'snwzycvyvxuximg'? I'd argue that the former imposes a bigger load on a person than the latter. Same goes for adding punctuation, though perhaps adding numerals might not be as painful and might be something that can be profitably done.
Password generation rules and policies really need to think of the people who have to memorise and use these passwords. It's a lot like designing chairs: people doing that have to spend a lot of time thinking about the human butts that have to sit in them. In the same way a sane password generation rule has take into account the weaknesses and leverage the strengths in the mechanisms of human memory to be as effective as possible. XKCD 936's suggestion is a step in the right direction as it leverages the human mind's ability to make memorable stories, but it does have its drawbacks, and fairly serious ones in certain use cases, such as for mobile devices with awkward character input methods. This is a problem that I don't think has really been considered as carefully as it deserves given its importance. Effective security is usable.
Numquam ponenda est pluralitas sine necessitate.
(Score: 2) by DannyB on Friday August 18 2017, @04:51PM
Good points.
Throwing in a wild character somewhere may or may not hurt memorability, depending on the person and the password.
23WildInsaneMonkeyTantrums
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Friday August 18 2017, @05:05PM (2 children)
If your long password uses all "findable in a dictionary" word combinations, then you should be able to feed them to your password guessing algorithm first, then move on to random character brute force later. This is one reason why I think you need to add a bit of "h4x0r153d" changes to your password. For me, I often take a phrase I know (maybe a line from a movie say) and then modify it a bit. For example "Go ahead, make my day" is pretty easy to remember and modifying it slightly (like maybe use 2 spaces between one of the words or put numbers in one of them or etc) seems like a better idea. What I REALLY like about the new recommendations is the idea of not forcing people to come up with new passwords on a regular basis. If someone takes the time to make-up a really good password, then forcing them to keep coming up with new ones just forces them to find a way to store it somewhere other than their brain!
(Score: 2) by curunir_wolf on Friday August 18 2017, @05:26PM
In the document, the recommendation is to REMOVE multiple sequential spaces so that there is only one space. So for systems that implement those recommendations you won't get a better password by adding multiple spaces between words...
I am a crackpot
(Score: 0) by Anonymous Coward on Monday August 21 2017, @04:28AM
Well, do think of what brute forcing a "findable in a dictionary" word combinations password would entail though. If I had a six word password, and I used a known set of 2048 common words as suggested in XKCD 936, choosing each of the six words by a strong random number generator, brute forcing that would require searching through a key space of 20486 or about 7.37ยท1019 possible passwords. That's roughly the same as attempting to break a 66-bit symmetric key. If a hacker managed to steal the hashed and salted passwords and set up some system capable of computing ten trillion hashes per second (something like the power of a respectable Bitcoin mining ASIC worth a few thousand dollars), it would still take nearly three months to crack, so presumably then you'd want to change your password at least every two months. Adding a seventh word would increase the cracking time for the same hashing rig to 480 years, which gives you a bit of security even against a well-funded adversary with the resources of a medium to large corporation. You'd need 12 words (132 bits of entropy) to get to the point where not even intelligence agencies would be able to break it, assuming you are using a true, strong random number generator with no back doors to choose your words.
And yes, while adding a bit of "h4x0r153d" changes can't hurt security, it will make the password harder to remember, and if you do wind up forgetting it thanks to these changes, it means fuck all that you've made your password more secure since you then can't remember it!