FlippedBITS: Four Password Myths
In the course of writing “Take Control of Your Passwords,” I came across — and attempted to debunk — quite a few myths involving password security. Of course, I encourage you to buy the book to read about password problems and my recommended solutions in detail, but for this installment of FlippedBITS, I want to focus on four extremely common misconceptions about passwords, all of which can lead to dangerous behavior.
1: Nine Is Enough — I want to begin with a myth I propagated myself in my now-obsolete 2006 book “Take Control of Passwords in Mac OS X.” Although what I said in that book was reasonable based on the available data at the time, I grossly underestimated the rate of technological progress. So, I hereby retract and apologize for a particular piece of advice I gave back then: I said that if you chose a random 9-character password consisting of upper- and lowercase letters, digits, and punctuation, you’d be effectively safe from any attack, because it would take centuries, on average, for even a supercomputer to crack such a password by brute force.
Well, it turns out that I was off by a few orders of magnitude. Today, with off-the-shelf hardware and freely available cracking software, a nine-character password can be broken in a maximum of five and a half hours (that’s maximum, not minimum!). If your password contains nine or fewer characters, regardless of how random it may be, it’s about as unsafe as a Wi-Fi connection protected with WEP (which is to say, safe against only the most casual snooping).
If nine characters are too few these days, how long should a password be? I wish I could give you a straight answer, but the truth is “it depends.” For example, I could claim, with some justification, that a random 14-character password is effectively safe from brute-force attacks given today’s technology. But I’d have to qualify that in a few different ways.
First, I have no idea what tomorrow’s technology will look like. Maybe a few years from now, someone will develop a quantum computer that can crack any 14-character password in the blink of an eye. I don’t expect that to happen so soon, but I’d be foolish to bet against it.
Second, not all encryption techniques are equally secure. A password that’s protected with a weak encryption algorithm might be crackable in seconds, whereas the same password, encrypted with a better method, could thwart a brute-force attack for years. Related to this is that some password security systems put additional barriers in place to slow down the rate at which passwords can be guessed. Although these aren’t foolproof (as I discuss in a moment), they can, in certain situations, give a simple password much higher effective strength.
Third, length isn’t the only factor that affects a password’s strength. As illustrated brilliantly in the xkcd comic Password Strength, even a password consisting entirely of lowercase English words (such as correct horse battery staple
) can be just as strong as a shorter but more random password with a mixed character set. That’s because a password’s entropy (a mathematical approximation of how hard the password is to guess) can come from length, character set complexity, randomness, or any combination of these. Higher-entropy passwords are more resistant to automated attacks, but there’s more than one path to entropy. (If you’d like
to test a given password’s entropy, there are many online tools that let you do so. I quite like the zxcvbn tool for this purpose.)
We can take some comfort in the fact that each additional character in a password increases its strength exponentially. So, if we were to restrict ourselves to just 26 lowercase letters, a 10-character password wouldn’t merely be 10 percent better than a 9-character password — it would be 26 times better! There are over 5 trillion possible passwords consisting of nine lowercase letters (26^9), but make it ten letters (26^10), and there are more than 141 trillion possibilities. That means a system that can crack a 9-character random password in 5.5 hours could take over 500 hours to crack a 10-character random password — a huge difference.
Even so, 500 hours is too little for my comfort. You could make that more than 500 years by choosing a 12-character password, which certainly seems safe enough for all practical purposes. But then, that’s what I thought about 9-character passwords seven years ago. So, when I suggest 14 as a safer number, I’m building in enough of a buffer to account for a few years of technological development, not in any way saying that such a password will in fact be uncrackable for the over 4,000 millennia it would take at today’s rate.
2: Old Tricks from Old Dogs — I’ve encountered quite a few people — including some major names in the Mac world you’d recognize — who have developed mnemonic techniques for creating and remembering passwords that they imagine to be quite strong. Although specifics vary, there tends to be a consistent element or easily constructed pattern in each password, along with some site-specific portion. For example, maybe I use zombieGooCats
for Google and zombieAppCats
for Apple. (In reality, most people I know who do this sort of thing have far more sophisticated techniques, but you get the general
idea.)
I myself once (cough) advocated such an approach, but I’ve since seen the light. The problem with all such tricks — and that also goes for “leet” or “1337” (replacing letters with similar-looking numbers), using patterns of keys on a keyboard, and so on — is that no matter how clever you think you are, hackers and their advanced cracking algorithms are smarter. These tools can test a vast number of subtle patterns that few humans would notice, which means even a fairly long, fairly random-looking password might in fact be quite easily guessable. Because remember, we’re not worried so much about humans guessing your password but about machines guessing it, and machines are likely to test lower-entropy passwords —
especially those based on common mnemonic techniques — long before higher-entropy passwords. (And, if you use the same technique to construct all your passwords from patterns, an attacker who learns one or more of your passwords has an even bigger leg up in guessing the rest.)
More to the point, any technique that relies on your brain for creating and remembering all your passwords is, in my opinion, a waste of mental effort that could be put toward more useful pursuits, such as thinking up bad puns. We have computers and iPads and iPhones and other devices to do this sort of tedious work for us, and they’re much better at it than we are. Let a password manager such as 1Password or LastPass generate, remember, and enter passwords for you, and then you can make them as long and random as you like — it’s no more effort for an app to make a 32-character password than a 10-character one. Sure, you’ll still need to remember a few
passwords, but if you’re doing it right, it’s only a few. (I have only 5 passwords memorized, out of more than 600.)
3: One Password to Rule Them All — Speaking of password managers, these tools make it easy to create a unique random password for every single site and service that uses passwords, and I recommend doing so. I can’t emphasize strongly enough what a bad idea it is to use the same password in more than one place — even if it’s a great password. The fact that reusing passwords is entirely unnecessary if you rely on an automated tool makes it that much more egregious an offense.
Why is it so bad to reuse passwords? Well, it seems like every week or so, there’s another news report about some big company experiencing a security breach of some sort in which thousands or even millions of passwords are lost, stolen, leaked, or hacked. This happened recently to Evernote; before that, a long list of other companies had passwords compromised – Facebook, LinkedIn, Twitter, and more. You can bet this trend will continue.
Now, if someone hacks Amazon.com’s servers and gets your password, that’s bad news, no question about it. But if all your passwords are unique, at least the damage will be limited to that one account. On the other hand, if you use the same password for iCloud, PayPal, Twitter, Gmail, and so forth, you run the very real risk that the attacker may try your password at all those other sites, too, doing considerably more damage.
I’m saying: using unique passwords — even strong unique passwords — doesn’t guarantee security. But it does enable you to contain the damage if your password for any one site is compromised. The people most likely to be harmed by password breaches are those who are oblivious to the problem of password reuse. Don’t be one of them!
4: Online vs. Offline Attacks — Earlier, I mentioned that some sites and services put barriers in place to slow down or derail automated attacks. For example, if you mistype your password once, you might get one or several additional chances to enter it — but with increasing time delays between guesses. And if you enter it incorrectly several times in a row, you might be locked out entirely for a period of time, or until you take some independent action to confirm your identity. The whole point of these barriers is to prevent an automated system from trying many passwords per second until it breaks into your account.
While it’s an excellent idea for developers to employ such barriers, they aren’t as strong as they might appear. That’s because most successful attacks don’t go through the front door, as it were. The real danger comes when, due to a leak or security breach of some kind, someone gets hold of an encrypted file or database that holds all the passwords for a site. With the file in hand, they can perform what’s known as an “offline” attack — they hammer on the raw file with automated tools that check billions of possible passwords per second. Because they’ve entirely circumvented the security measures that slow down guessing, they can potentially decrypt massive numbers of passwords in a short period of time.
(I’m simplifying the story here. Smart developers can also use a combination of techniques — the key terms to look for are “salting” and “hashing” — to frustrate offline attacks, but all too often, a programming error or infelicitous security choice leaves gaping holes that hackers can exploit.)
So, don’t assume you can use a short, simple password because you can’t see any way an attacker could try billions of passwords a second. You’d be surprised what someone can do, particularly given physical access to the computer where the password is stored. Your best defense is to use high-entropy passwords (which take longer to guess) and make sure each one is unique.
Don’t Worry, Be Happy If I’ve increased your anxiety about passwords by telling you what’s wrong with techniques you depend on, I’m sorry. Well, only a little bit sorry, because I want you to have just enough discomfort that you take action to improve your password security and reduce the chance that bad things could happen to your digital life. For extensive details on passwords, including further threats and risks you might face — and my stress-free, three-point strategy for password security — please pick up a copy of “Take Control of Your Passwords.”
Comment I left on Adam's FB post:
The one thing I'd like to see more people talk about is that reusing passwords is only half of it.
*Far* too many sites require email addresses as user IDs, and if you're what I like to call a normal person, you have one, maybe two of those. So now, if someone gets your email address, they have half the credentials needed to pose as you.
Whenever possible, don't just use different passwords. Use different user IDs. if an attacker has your password, but not your user ID, then they have? more work to do. That's what this is about, making it as hard as possible to crack your account, without making it impossible for you to USE your account.
Talking about passwords in isolation is like saying your ATM pin should be more complex, but everyone sharing the same card.
I do talk about that somewhat in my book, FWIW. However, it's considerably more work, because the automated tools that generate random passwords for you don't also generate random but usable email addresses. That increases manual effort for every single set of credentials to the point that it's impractical for most people.
You have named the elephant in the room no one else mentions. Fortunately for me, all my bank and CC accounts, eBay, and most others where someone could gain access to or mess with my money use other usernames (unique to each site). But Amazon and PayPal, AFAIK, don't permit this, at least to the exclusion of your primary email as an 'alternative' username. For PayPal at least, the temporary solution is to link only one bank account, and that account has only enough $ to cover planned PP usage, plus maybe $100, and NO overdraft. Some protection, there. And I admit, inconvenient and not practical for many people to maintain a separate bank account just for this purpose. But for many others, it can seriously limit access and damage.
I also concur with the usage of long, random passes stored in a password manager, though I'd advise using as many layers (Open Firmware, FileVault, automatic logout, strong admin passes) as you can tolerate, and print out that password list
I think there's another issue here, which is the difference between a targeted attack and a fishing net. If you're worrying about a targeted attack, then different usernames at every site make more sense, since you're not just trying to make it hard for an attacker to login as you, you're trying to hide the fact that it's YOU that they're logging in as (and that they'll try to do so elsewhere as well). If I were Sarah Palin, you can bet I'd be doing this.
But if you're just Joe User, it seems that the concern is more about a single site's password file getting stolen and cracked. As long as you're not reusing passwords, you're no more vulnerable anywhere else even if your email address has been made public. Of course, you'll probably be added to even more spam lists, but that's an unpleasant fact of life that's impossible to avoid these days.
As you say, though, using email address is unavoidable at many sites (ours included!). In part that's because it's guaranteed to be unique, rather than forcing people to try and try to come up with johnsmith23 username variants to differentiate themselves from other people. And at those sites where there are true usernames (where email address is often an accepted alternative), it's often used as public identity, as in discussion forums. There's a reason I'm "adamengst" everywhere - I do want that identity (since there is another Adam Engst out there. :-)).
The easy(-ish) answer is to get your own domain that you use just for this purpose, such as myids.net, set it to forward all incoming email to one mailbox (which could be your main incoming mailbox), and then create a new address for every site you sign up with. Examples might be [email protected] and [email protected]. This way you have a different username for every login. I have used this approach for many years and it has worked absolutely fine for me.
As a result I am much less nervous about this whole subject - any username/password pair is only a risk for that one site.
I do something like this, but forwarding all email to a given domain creates a much larger surface area for people to spam you.
I have a little script that generates an email address on my MacBook and adds it to a list on my server of whitelisted addresses, it works well without expanding the surface area.
Under "One Password To Rule Them All" you say "...if someone hacks Google’s servers and gets your Gmail password, that’s bad news...if all the passwords are unique, at least the damage will be limited to that account." But this ignores the use of email for account recovery. If that GMail account receives password reset messages from other services you use, they can be compromised as well. Unfortunately, the situation with passwords is even worse than you portray.
You make a valid point, and that's something I discuss at length in my book. So as not to confuse the issue here, I've edited the article to use a different example.
I use 1Password, but I always kind of bristle at the advice to rely on a password manager to create strings of characters that you will never look at or even remember. Apps fail. Data files get corrupted. Laptops get stolen. Yes, you can take measures to ensure that you won't lose all of your passwords in case something happens to you, but I'm just a little uncomfortable with the thought that I'm one app disaster away from losing every password I've ever used.
I don't worry about any of those things. I have copies of 1Password running on five devices, plus lots of backups—some local, some in the cloud—so I have complete confidence that in the unlikely event my data file were ever corrupted, I could retrieve an older version. If you take reasonable precautions, then you never will be one disaster away from losing all your passwords.
Joe
Can 1Password can export to other formats and or allow printing of an entire list. Like Anonymous, I'm edgy about relying on 3rd party solutions, if 1P won't export or print your backups provide only provide protection against data corruption. They'd be useless if 1Password stopped existing on all desired devices.
Although right now, this sounds like a far fetched. But I've been bitten way too many times by Apps that that were reliable for many years, (and these were owned by well established and/or large companies with long track records).
>Can 1Password export to other formats and/or allow printing of an entire list?
Yes and yes.
with a few wise steps, you will not be "one app disaster away" — 1Password has several methods of access; first, it runs well on multiple devices, so you have Mac, Windows, iOS and Android options (depending on what you have), all in sync
even better is a clever feature called 1Password Anywhere: the files that compose your vault contain a browser-based JavaScript application which can securely decrypt the items in your vault; so sync your vault with Dropbox (and know your Dropbox password), and/or back up your vault onto a thumb drive, and/or get a copy of your vault from wherever your backups go … then load the vault into any modern browser and get the passwords you need; 1Password also keeps versioned backups in case of corruption
while i think 1Password has gone down the rabbit hole with UI gewgaws, and their Chrome extension crashes often for me, in terms of engineering of the basic vault concept i am very confident in 1Password
(disclaimer: just a happy customer)
I have to say I don't entirely understand #2.
The thing is that if an attack fails, the attacker has no idea if he or she was close or not. In other words, if your password was
zombieGooCats
and the attacker guesses
zombieGooCaps
the program doesn't tell him, Gosh, you're on the right track. As far as he knows the password is equally likely to be Dj9#folq(2NnA. Or, for that matter, q06, since the attacker doesn't know how long the password is.
Not arguing with you -- just saying that i don't understand the "easily constructed pattern" that an algorhythm would find.
I'm not sure I articulated that very well. Let me try another example.
Let's say your password was: 1234qwerasdfzxcv
I can see how an attack program could figure that out. It's just a common keyboard pattern.
But what about this:
1234qwerXasdfzxcv
by putting an X in the middle, haven't I completely bolluxed up the pattern? If the algorhythm is busily trying pattersn, and hits on:
1234qwerasdfzxcv
Well, you know and I both know that's damn close. *But the attack program doesn't*. All the program knows is that that didn't work.
You raise an important question, and this is something I talk about in my book. Let me give you the short(er) version.
Checking a quintillion possible passwords would take a very long time, even at billions of guesses per second. So hackers have fine-tuned their algorithms to check more likely passwords (anything containing patterns) sooner than less likely passwords (those that are completely random). They'll start with a list of common passwords, move on to words in a dictionary, continue with common substitutions (letters for numbers, transpositions, etc.), but then try *any* sort of pattern before moving to a pure brute-force search. In this scenario, 1234qwerXasdfzxcv would be tried long, long before any random password with the same number of characters. So, even though 1234qwerXasdfzxcv might stay unguessed longer than 1234qwerasdfzxcv, we're only talking about a slight delay, not a defeat. On the other hand, the same number and selection of characters, arranged completely randomly, might not be checked until so much later in the process that the attacker gives up in the meantime.
The problem with patterns manifests itself in other ways, too. For example, any piece of data an attacker has about your password can be fed into the algorithm to narrow down the search area. If someone looks over your shoulder and notices that you typed the letters q and x, they can tell their algorithm to check only passwords that include those two characters, eliminating a vast number of possibilities. If an attacker knows how many characters are in your password, what's in any particular position, or that you have _other_ passwords that follow certain patterns, all of that information can be used to speed up an attack tremendously.
So, you're going for the best odds. Random passwords (or, to be more accurate, higher-entropy passwords) take, _on average_, much much longer for a machine to guess than passwords that contain any sort of pattern. High-entropy passwords buy you time—and the hope is that they buy you enough time that the hacker gives up and moves on to an easier target.
Joe
Ah, I see. Thanks! - aj
Hey Joe, I'm sorry, I have one other question -- or, I don't know, maybe more of an observation -- and was wondering about your thoughts.I understand that randomness is better than patterns. But to my understanding, even more important than randomness is length, as illustrated in that famous "correct battery horse staple" xkcd cartoon.But here's what I dont understand. Many (maybe even most) Web sites don't accept long passwords. They limit the length to 12 or 16 characters. Why is that, and does a user have any recourse? aj
Once again, I want to refer you to my book, where I talk about this in further detail.
Length isn't _more_ important than randomness. Length, randomness, and the types of characters chosen all contribute to entropy. A 10-character random password with upper- and lowercase letters, digits, and punctuation might have just as much entropy as a 20-character password consisting only of lowercase words.
As to why many sites disallow longer passwords, I truly don't know. It's an arbitrary decision, and it costs a developer almost nothing to permit longer passwords. But, other than complaining to each site individually, there's nothing you can do to change that.
And that's yet another reason I say to let a password manager create random passwords for you! Then you don't have to worry about it at all, and you can still have a strong password even if it's "only" 12 or 16 characters long.
Joe
Have you been hacked, or any of your clients? I have had two clients with hotmail accounts and easy passwords that were apparently hacked. How common is the actual occurence?
I've never had a password hacked, as far as I'm aware—but then, I've tried to follow smart password practices for years. That's not to say it couldn't happen, but I believe the odds are in my favor.
(I have suffered from other sorts of hacks—for example, a number of years ago a Web server I ran had a PHP injection attack—but that was due to sloppy programming on my part and had nothing to do with passwords.)
I have, however, known lots of people who have been hacked. I know of no statistics to say how common an occurrence it is, but it clearly happens a lot.
Joe
How I became a password cracker
Cracking passwords is officially a "script kiddie" activity now.
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
That's a great article, and I recommend it to everyone. It goes into beautiful detail about just how easy it is to crack passwords, especially shorter ones with low entropy. Perhaps once people see what the process looks like from the hacker's point of view, they'll be inspired to take stronger measures to protect themselves!
Joe