Submitted via IRC for Bytram
We've all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they're basically useless. He is also very sorry.
[The 2003 NIST guidance has been replaced by a new version of NIST Special Publication 800-63A, "Digital Identity Guidelines: Enrollment and Identity Proofing Requirements." which is basically a 180° reversal from the original. - Ed.]
Source: http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987
Additional Coverage at The Wall Street Journal[paywalled]
This discussion has been archived.
No new comments can be posted.
The Guy Who Invented Those Annoying Password Rules Now Regrets It
|
Log In/Create an Account
| Top
| 24 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
(1)
(Score: 0) by Anonymous Coward on Friday August 18 2017, @10:32AM
I remember recently reading Somewhere Online(TM) that the rules were not intended for normal usage in the first place, but only for systems requiring the highest level of security. Say, for a missile control system, yes; for a MySpace account or w/e, major overkill.
(Score: 0) by Anonymous Coward on Friday August 18 2017, @10:36AM
https://xkcd.com/82/ [xkcd.com]
(Score: 5, Funny) by kaszz on Friday August 18 2017, @10:42AM (7 children)
On password strength..
https://xkcd.com/936/ [xkcd.com]
(Score: 2) by AthanasiusKircher on Friday August 18 2017, @10:51AM
Obviously this is on-point, but I'd just note that this XKCD cartoon is literally pasted in the source Gizmodo article, taking up roughly 20% of the length.
(Score: 3, Interesting) by DannyB on Friday August 18 2017, @03:13PM (5 children)
I'll give you a Funny mod, but on a Serious note . . .
That example is an 11 character password. I'll assume it is from, lets say a 64 character alphabet. So 64 ^ 11 is something x 10 ^ 19 possible passwords.
Now suppose you use only a simple alphabet of 26 lowercase characters, but have 25 characters like "correcthorsebatterystaple", that is 26 ^ 25 which is something x 10 ^ 35.
I'm sure you'll agree that 10 ^ 35 possibilities is slightly more than 10 ^ 19 possible passwords.
(forgive me for using such rough numbers like 10 ^ 35 instead of the kind of precision Mr. Spock would use.)
So using a simpler alphabet, but longer passwords makes sense. As long as you are sure you can re-type those longer passwords.
That said, introducing a slightly larger alphabet doesn't hurt security. But password length seems more important. The attacker cannot know what alphabet you're using, so even one uppercase character in a lowercase password, doubles the possible alphabet size the dictionary attack must consider.
The lower I set my standards the more accomplishments I have.
(Score: 2) by stormwyrm on Friday August 18 2017, @04:30PM (4 children)
Yes, introducing a slightly larger alphabet doesn't hurt security, but it hurts memorability. Adding one uppercase character in a lowercase password will not double the entropy of the password. Say we have a 12-character password made up of lowercase letters. That has an entropy of 56 bits, or about 1016 possible passwords. If your opponent for some reason knows that you only capitalised one of them, they would only need to guess which one is capitalised, which means only 12 times the original number of passwords. That gives the new password an entropy of 59 bits. You would need to randomly use both capital and small letters to get the 5212 (68 bits of entropy, or about 1020 passwords), and that is definitely harder to remember. On the other hand, if you increased the password length to 15 characters, you'd have 2615 (70 bits of entropy, or about 1021 passwords). For me anyhow, 15 random all lowercase characters is easier to remember than 12 random mixed-case characters. What would you feel is easier to reliably remember? Something like 'muYcIRJRpWoT' or something like 'snwzycvyvxuximg'? I'd argue that the former imposes a bigger load on a person than the latter. Same goes for adding punctuation, though perhaps adding numerals might not be as painful and might be something that can be profitably done.
Password generation rules and policies really need to think of the people who have to memorise and use these passwords. It's a lot like designing chairs: people doing that have to spend a lot of time thinking about the human butts that have to sit in them. In the same way a sane password generation rule has take into account the weaknesses and leverage the strengths in the mechanisms of human memory to be as effective as possible. XKCD 936's suggestion is a step in the right direction as it leverages the human mind's ability to make memorable stories, but it does have its drawbacks, and fairly serious ones in certain use cases, such as for mobile devices with awkward character input methods. This is a problem that I don't think has really been considered as carefully as it deserves given its importance. Effective security is usable.
Numquam ponenda est pluralitas sine necessitate.
(Score: 2) by DannyB on Friday August 18 2017, @04:51PM
Good points.
Throwing in a wild character somewhere may or may not hurt memorability, depending on the person and the password.
23WildInsaneMonkeyTantrums
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Friday August 18 2017, @05:05PM (2 children)
If your long password uses all "findable in a dictionary" word combinations, then you should be able to feed them to your password guessing algorithm first, then move on to random character brute force later. This is one reason why I think you need to add a bit of "h4x0r153d" changes to your password. For me, I often take a phrase I know (maybe a line from a movie say) and then modify it a bit. For example "Go ahead, make my day" is pretty easy to remember and modifying it slightly (like maybe use 2 spaces between one of the words or put numbers in one of them or etc) seems like a better idea. What I REALLY like about the new recommendations is the idea of not forcing people to come up with new passwords on a regular basis. If someone takes the time to make-up a really good password, then forcing them to keep coming up with new ones just forces them to find a way to store it somewhere other than their brain!
(Score: 2) by curunir_wolf on Friday August 18 2017, @05:26PM
In the document, the recommendation is to REMOVE multiple sequential spaces so that there is only one space. So for systems that implement those recommendations you won't get a better password by adding multiple spaces between words...
I am a crackpot
(Score: 0) by Anonymous Coward on Monday August 21 2017, @04:28AM
Well, do think of what brute forcing a "findable in a dictionary" word combinations password would entail though. If I had a six word password, and I used a known set of 2048 common words as suggested in XKCD 936, choosing each of the six words by a strong random number generator, brute forcing that would require searching through a key space of 20486 or about 7.37·1019 possible passwords. That's roughly the same as attempting to break a 66-bit symmetric key. If a hacker managed to steal the hashed and salted passwords and set up some system capable of computing ten trillion hashes per second (something like the power of a respectable Bitcoin mining ASIC worth a few thousand dollars), it would still take nearly three months to crack, so presumably then you'd want to change your password at least every two months. Adding a seventh word would increase the cracking time for the same hashing rig to 480 years, which gives you a bit of security even against a well-funded adversary with the resources of a medium to large corporation. You'd need 12 words (132 bits of entropy) to get to the point where not even intelligence agencies would be able to break it, assuming you are using a true, strong random number generator with no back doors to choose your words.
And yes, while adding a bit of "h4x0r153d" changes can't hurt security, it will make the password harder to remember, and if you do wind up forgetting it thanks to these changes, it means fuck all that you've made your password more secure since you then can't remember it!
(Score: 2) by AthanasiusKircher on Friday August 18 2017, @10:48AM
Perhaps the most annoying policy like this I ever encountered was a system that refused to accept any password with a string of more than two letters or two numbers in a row. Nominally, the rationale the system offered in explanation was to avoid dictionary-based attacks for passwords made up of words. But the system didn't actually know any words: it just assumed if you entered three or more letters in a row, it was a "word." Hence, you'd get an error message like, "Sorry, but that password is too weak. Avoid making passwords up from common recognizable words like 'xgq'. Combinations of letters, numbers, and symbols provide strong protection for your account. Please enter another password."
It didn't actually explain what its actual rule was to you, mind you. I believe it mentioned avoiding "words" with 3 or more letters, but you could only figure out that a "word" was any three letters in a row through trial and error. The rule became clear after a few attempts, and I did at some point verify with IT that this was actually the way the system worked.
There was a minimum 8-character limit too, but I'm not sure if there were any other stipulations. Nevertheless, if you tried a 20-character password like Tom3ato98s!v2P4&#%q5, it would be summarily rejected for the words "Tom" and "ato," but if you tried a password like "aa11aa11" you were fine. By the way, this was at a large major institution of higher ed, not just a random small company or something.
(Score: 2) by cubancigar11 on Friday August 18 2017, @12:22PM (2 children)
Now only if this guy rights a personal email to the head of IT in my company *sobs*
(Score: 0) by Anonymous Coward on Friday August 18 2017, @12:59PM
The head of the company would just dismiss that person as some random nobody.
(Score: 2) by WillR on Friday August 18 2017, @01:24PM
(Score: 0) by Anonymous Coward on Friday August 18 2017, @12:24PM (1 child)
So if a guy does something that takes away 60 seconds of 1 billion folks lives that's 1900 man years, or at least 20 life times.
Who should take the prize in that category?
I'd like to nominate the inventors of the TV and Smart Phone.
The marketing folks causing the opioid epidemic might get honorable mention.
This guy isn't even a blip above the noise floor.
(Score: 0) by Anonymous Coward on Friday August 18 2017, @10:40PM
The inventor of sex should get honorable mention too.
(Score: 0) by Anonymous Coward on Friday August 18 2017, @12:36PM
First link (mentioned twice in the fine summary) is paywalled and useless. Second article is technical jumbo mumbo that's impossible to even wade through without falling asleep...
(Score: 1, Insightful) by Anonymous Coward on Friday August 18 2017, @12:50PM
This guy is being scapegoated for the incoherent system of so many different user accounts. It's not his fault that OAuth didn't exist 15 years ago, and remains thinly adopted. What's the alternative to trying to strengthen passwords? Having a few-word phrase like XKCD is not a great alternative, given people's limited vocabulary and the pain of typing on mobile devices. And like the guy said, there was no data available when he wrote the standard.
(Score: 2) by looorg on Friday August 18 2017, @01:41PM
The term 'invent' seems a bit of an overstatement. He was a bureaucrat that wrote down a summary because the higher ups wanted documentation, unfortunately he did a really bad and lazy job. Which if nothing else he should feel bad and be ashamed for. So he was mostly basing it back then on thinking already decades old when the idea was all about increasing the pool of potential characters, making a brute force attack take longer. We are talking the 1980's here so a typical CPU was running at best at MHz speeds and GPU cracking wasn't a thing. Dictionary attacks already existed so picking normal words like 'password' was bad already back then; while 'pASSw0RD' would be a lot better since it required you to increase the pool of potential characters you had to test from just A-Z to something many times greater. Standardizing made it both better and worse tho as it increased the permutation pool but it also created patterns since passwords had to contain certain combinations so the actual numbers of permutations was always then lower then the potential maximum.
So with all due credit to the compulsory XKCD comic, it forgets to factor in the speed was a lot slower back then from where and when he took the ideas. There was no 1000 guesses per second. Neither did implemented password systems allow for you to have massively long passwords. In the end hardware improvements made the rules obsolete. So today correcthorsebatterystaple is a better password then Tr0ub4dor&3 but wasn't always the case.
(Score: 5, Funny) by DannyB on Friday August 18 2017, @03:02PM (4 children)
Here is the most secure password [mostsecure.pw].
I won't post it here, for security reasons, so you'll have to visit the link.
I tested that site on SSLLabs [ssllabs.com], and it scores a grade of A. So that is definitely the password I'm going to use from now on!
All corporate managers should issue a directive to their employees to begin using this password at once!
In addition to the security, another advantage is that you will no longer need password manglers.
The lower I set my standards the more accomplishments I have.
(Score: 2) by bob_super on Friday August 18 2017, @05:50PM
It doesn't work on my luggage. Would not recommend.
Back to 123456.
(Score: 2) by takyon on Friday August 18 2017, @07:47PM (1 child)
https://news.ycombinator.com/user?id=DannyB2 [ycombinator.com]
We're always watchin'
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by DannyB on Friday August 18 2017, @08:28PM
:-)
The lower I set my standards the more accomplishments I have.
(Score: 2) by gidds on Saturday August 19 2017, @11:08AM
It just shows as ‘*******’ here…
[sig redacted]