Restrictions like OPs make the site less secure because meow a hacker has a set of rules they can use to pre filter their attack list. Many less combinations to try meow.
I think people have a hard time with the scale. They don't realize the 6634204312890625 combinations is from the 8 characters is a huge amount. And then the other restrictions are actually about making sure you don't get caught by a using a stupid password.
The real practical effect is that the user is likely to write the password down instead of memorizing it, resulting in access to the system only requiring access to the user's workspace.
Yeah, you're right. But people also tend to use those rules predictably; either using a word with a capital on the first letter and a number and symbol at the end, or a word with a capital on the first letter and a number replacing a letter with a symbol on the end.
Statistically speaking, there's an immense amount of variety remaining, because people could freely use "35@Q#x0" as a password... but they won't. They'll use "Trumpet1!"
The average user goes into that screen with a password in mind. And when they submit it, they get an error message. "You must use a number, a capital, and a symbol!" So the capital goes at the beginning (we have to be good grammatically, after all), and the number and punctuation go at the end.
I'd like to do some kind of third party authentication service. Kind of like what you do with Facebook, but using some kind of encrypted portable device or something.
I mean, imagine putting a device on your keychain that's basically a USB stick with a fingerprint reader. When you set it up, you create an account with a third party website which you can use to verify your identity, then scan your fingerprint on the device. The thumb drive is self-contained with the necessary firmware to store and recognize your fingerprint, and then send a confirmation to the third party site, which confirms your identity for the site you want to log into.
It'd work a lot like Facebook, in practice, except it wouldn't rely on a browser cookie. "Sign up with Biometrix. Log in with Biometrix. Link your account to Biometrix." Your accounts don't share a password, and the sites you log into don't get access to any credentials. There can be no data leaks except from the authentication service itself; all you have to do there is change your password and you're golden.
I'm not a software engineer, but I've spent enough time trying to manage passwords and dealing with the consequences of a custodian of my data being careless with it that I've spent a fair amount of time thinking about it.
Correct me if I'm wrong, but isn't Yubikey a replacement for two step verification? So you still need to use a password with it - one that meets the organization's password requirements. I'm proposing something to simplify that process.
If they're running attempts against hashes rather than brute forcing a login those attempts are measured at millions of hashes per second. The 55% reduction in space then makes a significant difference.
Most users won't have random characters though, and will have passwords based on dictionary words or minor variations. Most hackers would start with a set of standard dictionaries, testing passwords that match the specified requirements.
I wonder if using the user name to look up friends, family, and pets on social media, then seeding a dictionary from that data would be more effective.
You're assuming users will be choosing their passwords randomly from the password space. This will not happen. People will adapt easy to remember stuff or just use something as simple as possible that still fits the requirements. When applied to passwords normal people come up with, this dramatically shrinks an already small space.
Even for most people using a random generator, do you expect them to take the time to pick randomly from the entire space? No they're going to use the easiest subset that still works.
These requirements are sane for generating passwords to assign to a user. They are brain damaged requirements for a chosen password.
Since you said you're a web admin I'll take a moment to ask:
Even though the space hasn't been sufficiently reduced to allow a full on random brute force attack isn't the roadmap strong enough that with a large enough user base someone is going to have a password that looks like:
[common 5 letter word][2 non sequential numbers][#,&,!]
And since that is what I would expect to find given just the fact that I need 8 characters a special and a number, shouldn't we be starting their and then chopping words out of that list and numbers out of the equation?
You're methodology is assuming the user is using a random string, which if were true, we wouldn't need all the rules in the first place since we'd just use the space afforded to us by 958.
Don't the passwords just get easier and easier to guess with every rule after you've set up the space (8 characters, special, number)?
Thanks! I know a little. Not about security exactly but enough to follow along. One more question though and this one is a bit more speculative. Would you in your experience believe that making these complicated password procedures leads to an increase in people storing their passwords in other far less secure methods? I feel like as soon as you need to write your password down you've nearly defeated the purpose.
In case anyone is interested, here is the information this set of rules is giving a potential attacker, and their consequences:
Passwords must be at least 8 characters in length: means that it's safe to assume that a lot of passwords will be exactly 8 characters in length.
Passwords must include at least one non-alphanumeric printable character: rules out passwords that consist only of alphanumeric characters (order 109 ); very likely that there will be exactly one symbol, and that it will occur either at the start or at the end of the string; good chance the symbol will be one of the four symbols (#, *, $, @) shown in the rules.
Passwords must include at least one number: as above, very likely that there will be exactly one number, and that it will occur at the start or end of the password; good chance that it will be the number 1 or some number between 50 and 98, i.e. year of birth, minus any years with repeated/consecutive numbers.
Passwords cannot contain repeated characters: rules out many more (> 1011 ?) potential passwords that feature runs of the same character. Prevents users from using the string password in their passwords, also stops people from using passwords like $password1, $password2, etc.
Passwords cannot contain (alphanumerically or not?) consecutive characters: this one is incredibly stupid, intended to prevent combinations like 12345, abc, and the like, but forbids many short (2-3 character) combinations that can easily be generated randomly.
But it's okay! Then, when the hack invariably happens, the IT guy can look at his boss and say, "Hey man, I don't know what else I could have done. Stupid user wrote down his password instead of memorizing a new one that fit my rule every month. In addition to all of his other passwords."
And the boss goes, "Yes, this is certainly the user's fault."
Fair point, but I don't think it's necessarily the worst thing, so long as the person appreciates how important it is to keep the written copy safe and secure.
I mean... post-it/taped under the keyboard is clearly more secure than on the monitor. You can see the person's monitor just by passing by, but nobody can casually fli the keyboard to look under it (not even the person who forgot his/her password).
I think the best thing is to put it in a journal or something that also contains drawings/notes/etc. so it's not immediately obvious what it is to anyone who's not the owner.
I've put a few numbers or passwords in my phone contacts as numbers to people or as email addresses. And then I forget the name the password is under. It's a double fail safe.
Yeah, actually if you don't show anyone writing on paper is arguably more secure than any kind of password storage whatsoever. Password vault software, like any software, is susceptible to exploits and we have seen these time and time again.
There is no method for a remote hacker to access your underwear drawer, and it's pretty unlikely for a hacker to physically break and enter to get your password.
I say the last bit because passwords are so easy for hackers to get remotely by phishing or remote code execution, they don't need to go around breaking down doors to get passwords.
Yes, I've heard this a few times and I agree. It's especially true for older people who are well accustomed to keeping special documents and items safe in their homes.
Whenever a friend or relative talks to me about difficulties they're having with passwords, I tell them to consider writing it down and filing it in the same place they keep things like bank statements, letters from ISPs and that sort of thing.
That depends on where they leave it. Leave it by your computer and it's easy to find. Stick it in your wallet and it's as secure as your credit cards. Especially if you obfuscate the passwords and/or sites they go to in some way.
Saying it's the biggest hole of all is a bit of a hyperbole, I was just quoting a professor I used to have, but I still think it's very high on the list. Most other things can be accounted for, a competent IT security worker can defend a server against automated attacks with some effort. Setting some rules to stop people from using passwords like "password" isn't difficult to stop smarter attacks.
But if someone writes down their information the security that IT can provide doesn't matter much anymore. It switches the focus of protection from the IT department to the user; now one of the easiest avenues of attack is just to get that password. If someone leaves their password on their desk, someone with access to the building can just walk in and take it. All they need to do is find one. Excessively frequent mandated password changes only increases the chances of it happening.
Sure for your day to day employee this doesn't matter but in high value situations it's a real risk. I'm pretty sure no one cares if you write down your personal passwords in your own home, I'm talking about in business situations.
Yeah, it's definitely a bigger risk in a business environment. With that context in place, I'd agree that it's important to physically secure passwords. But how much that matters also depends on the physical security posture of the whole building, your floor, your area, etc. Generally speaking though, averaging out the entire internet population, I would argue that writing down your password is way less dangerous than using a weak one.
My mother in law, out of the kindness of her heart, gave me a notebook with PASSWORDS in bold letters on it. "It's so you can write down all of your passwords. Look, here's mine..." With all of her passwords and account numbers etc etc etc. That she takes with her everywhere. She has a retirement account in the 7 figures. How?
It's kind of sad that is quite close to how i do my work password, but with A1, B2, C4, F1, F5, are some of my favorites and I get excited when i use them (make the same stupid joke every time i do my password).
I don't even know how you would do the non-consecutive, non-repeating test neatly using a single regular expression. You'd have to use back-references I think?
You could do it much more simply with two very basic loops:
# Consecutive?
current = lower_case(password[0])
for i = 1 to length(password) - 1
next = lower_case(password[i])
if is_alphanumeric(current) && is_alphanumeric(next)
if value(next) - value(current) == 1
return true
current = next
return false
# Repeating?
current = password[0]
for i = 1 to length(password) - 1
next = password[i]
if current == next
return true
current = next
return false
Or you could do it with several smaller, simpler regexes (better than one jigsaw regex), but I think the pattern for consecutive symbols would still be a monster. What the password rules don't state is whether it's okay for symbols to be consecutive in reverse.
Thanks. Would be better if I could provide the maths to back it up, but there's some funky stuff involving those two rules about repeat/consecutive characters that I can't figure out.
Yeah, I think the real solution here is that no matter what sort of passwords you allow/disallow, the strength of the cryptographic setup is what matters.
Google doesn't impose any particularly stringent restrictions on your passwords, it just tells you how strong they are before you commit them, and stores them properly so they're hard to crack even if they are stolen. I'm fine with that. What worries me are sites that say "No symbols allowed" or "Must be between X and Y characters", because it tells you that there might be some fundamental design problem behind the scenes that has caused those rules to materialise (why only underscores? why only 20 characters? Jesus Christ why case insensitive?!)
Remember the big Adobe leak from a while back? I don't know what sort of requirements they had for passwords, but the weakness there was the late-90s-era hashing scheme they were using.
Don't fuck with me security people. I can and will create gigantic security holes when you make my life hard. Make my life easy and i will help you do your job.
Yep, I agree 100%. Having said that, the companies that can take the risk and allow weak passwords (with stronger underlying security) maybe don't have as much on the line, and don't have to answer to a ludicrous bureaucracy like a government IT guy.
These rules generate way more combinations than they rule out. 8 character passwords alone have more combinations than the lower 7 combined. The rest prevent dictionary attacks.
8 character passwords alone have more combinations than the lower 7 combined
I'm not sure how that affects anything I've said.
These rules generate way more combinations than they rule out.
I'd like to see some maths before I take your word for it. Two of these rules specifically reduce the number of combinations by a factor of 1010 at the bare minimum.
A properly tailored dictionary (as part of a hybrid attack) would work against this by making assumptions about user habits (password length, symbols/numbers in predictable positions). Yes, a naive dictionary attack will not work, but it's 2016, not 2002.
Even if a hacker knows the password length is 8 it will take them longer to go through all 8 character combinations than the lower 7 combined. Making a minimum length makes it harder for hackers, not easier as you claim.
Where are you even getting the number 1010 from? The number of combinations the other rules reduce is a function of password length so I don't know there you are pulling your numbers from.
I think you've misunderstood something? When I say that the minimum 8-character conddition makes it easier (and I explained this pretty clearly), I specifically said that it makes it much more likely that people's passwords will be exactly 8 characters, not 9, 10, 20, etc. I didn't say anything about 7-character passwords, you've come up with that yourself.
As for 1010, that's because there are around 100 printable ANSI characters to choose from (the number is actually 95). I have made a very rough estimate of the bare minimum, and I've been frank elsewhere that I don't know how to calculate this exactly. As I said in the previous comment, if you can provide mathematics that make sense, I'll take your word for it. Otherwise, settle down.
Uh what? The 8 character minimum isn't going to somehow magically force people who tend to make longer than 8 character passwords anyways to somehow cut their passwords down to 8 characters. The only thing it will do is force people who tend to make shorter than 8 character passwords increase their password length, very likely to exactly 8 characters which is how I interpreted your point. Your reasoning about how having a 8 character minimum will somehow make people decrease their password length to 8 characters makes absolutely no sense. You will have to explain your reasoning behind it much more clearly if you want me to understand.
What does the fact that there are 100 printable ANSI characters have to do with anything? If you are trying to say that forcing people to use a number or a non-alphanumeric character means you are limiting their options and reducing it from 100 to around 10, then you are missing the point of the rules in the first place. Without them it is very likely that people will only use alphabetical characters in their passwords (as you pointed out in your original post), which with an 8 character minimum means at least 268 combinations. If you force people to use at least one number and special character you are now looking at 408 minimum number of combinations. (26 alphabetical + 10 numerical + 4 most common special characters). Even if we followed your claim that people will only put the non-alphabetical characters in the first and last position, we are still looking at (142 )*(266 ) combinations. Your reasoning that the middle should only contain alphabetical characters directly contradicts the claim you made in this post that people are going to choose from the 100 printable ANSI characters and that by limiting one character to either a numeral or special character you are actually reducing the possibilities from 100 to 10.
Thanks for this. I never really think of that type of unintended consequences. Makes you realize this isnt increasing security, but rather eliminating lots of guesses .
In all fairness, many of the eliminated possibilities are redundant anyway - things like $$$$aaaa or #aaaaaaa that may never be used as passwords by anyone, ever. I think the important thing is that the rules might end up exerting too much control over user behaviour. People who don't know computers intimately don't know what 'symbol' means, so they're more likely to use one of the four that's presented in the rules, etc. In a sense, that doesn't eliminate guesses so much as it structures your approach.
Probably the biggest blunder is the inability to use consecutive or repeated characters, which immediately tells you that after a letter 'D', for example. you can never see an 'E', probably an 'e' (depends on what they mean by 'consecutive'), or another 'D'. After a '1', there can never be a '2' or a '1', etc.
My conceit is that I think users will see that short list of symbols, and either assume that those are the only symbols that can be used, or show a bias towards them because they happen to be listed. I don't think keyboard layout will make as much of a difference there (but it certainly could). I'd love to see a study into how these sorts of rules affect people's choice of password.
I didn't realize that was happening, actually. I friend setup a now => meow shortcut on my iPhone. I keep forgetting to remove it and now I never even see it anymore.
You'd think so, but the fact is that without these restrictions a high number of people would use passwords that are extremely easy to guess (i.e. abcd1234 or some such). With these restrictions, yes, they give a small amount of additional information to the attacker, but they ultimately increase the security of the average user.
Restrictions are a double edged sword: It stops stupid people from making stupid passwords, but each one makes the whole system orders of magnitude less secure. The no consecutive characters alone eliminates billions, possibly trillions of combinations within a reasonable length. Ideally there are other ways to try to prevent stupid people making stupid passwords than to compromise the whole system for everyone.
each one makes the whole system orders of magnitude less secure. The no consecutive characters alone eliminates billions, possibly trillions of combinations within a reasonable length.
Reducing the password space by billions or trillions is not making it orders of magnitude less secure.
Even if you excluded 999 trillion passwords from all possible 8 character passwords (with caps/noncaps,symbols,numbers) you'd only be excluding 15% of the possible combinations. I don't really have the time to figure it out, but just go to a random password generator and take a look at how many times you'd have to regenerate a password, on average, to hit one of these exclusion policies. It will be extremely rare.
The XKCD is absolutely correct though, because one of the important parts of a password is being able to remember it. A long passphrase with some randomness thrown in will make a password which is impossible to brute force.
Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.
It's difficult to calculate what the change would be (it may be more than I'm estimating). Like I said in another post, this particular strategy is sort of half-baked, but still, the logic is sound.
Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.
No offense, but you're wrong. You're right, it limits the possibilities by but forcing people to use symbols that 99% do not (IE: Capitalization, Symbols) then you'll end up with a way larger pool of diversity.
Restrictions like OPs make the site less secure because meow, a hacker, has a set of rules they can use to pre filter their attack list. Many less combinations to try meow.
I like to think putting the commas after 'meow' and 'hacker' makes this comment much better and funnier.
Not really. A hacker would use a pre-defined list containing common passwords and variants, and move on to another username if it didn't work. More work, since now they have to try random combinations of letters, symbols, and numbers.
803
u/[deleted] Mar 08 '16
Restrictions like OPs make the site less secure because meow a hacker has a set of rules they can use to pre filter their attack list. Many less combinations to try meow.