July 29, 2004

Passwords vs. Passphrases

Today I read an interesting post by Robert Hensing (incident response specialist for Microsoft) about the fact that you shouldn't use passwords of any kind on your Windows networks. Ok, now before you foam at the mouth and think he's nuts, take some time to read the post. Its rather interesting.

What Robert is getting at is that in this day and age, with the number of different techniques that exist passwords (especially through pre-computed hashes) are easy to break. His solution, use long passPHRASES that are more difficult to break through attack vectors such as LC. OK, I'll buy that for a dollar. Mostly because thats all that its worth.

Robert makes a good point that if you have a longer "passphrase", its is extremely difficult for pre-computed hashed to crack per character. What he fails to really point out is that password entropy doesn't simply get better by using length, UNLESS IT IS RANDOM! Shifting to longer passphrases is good, but only to the extend of the random nature of characters used.

Why do I say that? Because tools already exist in the underground that now include precomputed H4CK3R 1337 5P34K, and normalized words that are part of the english language. The weakest link is the human factor here. A passphrase of:

Bob's your uncle! Is Alice in wonderland? The answer is 42.

...is great on length, uses a combination of of upper and lower case letters, digits and even special punctuation characters. It is extremely easy for me to remember, I won't even need to write it down. Yet you know what? It is weaker than a password I can make up that is just as easy to remember, but is way shorter. Let me explain.

As Robert points out in his post, brute force attacks using pre-computed hashes on longer passphrases is nearly impossible due to the sheer hardware requirements needed to store all the pre-computed results. Ram and diskspace limitations make this much more difficult. However, by using passPHRASES you break down the password into distinct elements, in this case in the english language we call those WORDS. So the parser breaks down the above passphrase into 14 distinct components which are guessable. (You break out punctuation as its own word here). Attackers know this. And can use that to their advantage.

Now to be fair, a passphrase with 14 distinct components is still amazingly strong, and difficult to crack. However, it also becomes too easy to break down in password management for the user. Why? Well for starters:

  • The longer the passphrase, the easier it is to mistype
  • The easier it is to type out (assuming you are a good typer) the more lax your thought processing will be when entering passwords.
  • The longer the passphrase, the more tiresome it may be for the user to input, in which case they will settle with "b0bsuncle" later when they get tired of typing it the longer and much safer password
  • Even if you could make this all random, easy to enter and protected against user input errors, a passPHRASE of this length is insane. Its like using a 8192 bit PGP key. Its effective strength is great, but insanely impractical for decryption purposes. In security its about "what is enough security", not "what is the ultimate security".

Let me show you a just as effective way of making a strong password/passphrase that will defeat most cracking attack vectors, is easy to remember, and is prone to LESS input errors by humans, the people we are wanting to protect here.

Use the same passphrase technique as Robert suggested in your head, and simply type out the first letter, and any numbers and punctuation that come out of it.

For the passphrase:

Bob's your uncle! Is Alice in wonderland? The answer is 42.

You would get a password of:

Byu!IAiw?Tai42.

Now under the guise of a complex random password, you actually have (in this case):

  • A strong 15 character password with a good effective bit strength. This meets the criteria of a "long enough" password (anything over 14 random upper and lower characters, which also include digits and punctuation will generate a 'good enough' password for most networks that will thwarte pre-compute and other brute force attacks)
  • It is easy to remember, hard to guess.
  • Requires thought as your brain processes each word individually as you type the first character. Studies have shown if you actually have to THINK about something as you type it, it is less prone to error

Robert brings up very interesting thoughts in his post. And you should seriously consider following them, with one change. Remember the user. As security professionals, its easy for us to use insane passwords for protection. We are supposed to know better. But Alice in accounting just isn't going to follow it. With my slight change to simply type out the first letter of each word, and any numbers and punctuation that come out of it, you have a much more PRACTICAL passphrase that is 'good enough' for most networks. With a bit of user education, this can become extremely effective.

Oh, and if on the next password rotation you don't feel like using the first letter of every word, change it up. Use the last letter. Or the second. Just remember if you make it to difficult, you will forget it, making it no better than 'g0d' or 'P4$5w0rd!'. Especially since you are going to have to call IT services to reset your password anyways.

Posted by SilverStr at July 29, 2004 08:13 AM | TrackBack
Comments

Interesting. This is the method I have used and commented on Robert's site about.

Posted by: Robert Hurlbut at July 29, 2004 09:35 AM

I guess great minds think alike. :)

Guess I better go read the comments. *lol*

Posted by: SilverStr at July 29, 2004 12:03 PM

You have a good point that a password policy that's too strict will backfire and make things worse. Fortunately, there's a halfway decent way to create passphrases.

http://www.diceware.com has a wonderfully accurate and practical discussion of passphrases.

They have a list of words you can chose from by rolling 5 dice, and you make a passphrase out of the random words. Then you make up a story to link them.

The Diceware page also has some debatable but well thought out opinions on how long your passphrase really needs to be. They phrase the decision in terms of what other precautions you've taken. For example, a six-word passphrase is wasted unless you have armed guards preventing physical access to the computer. Intruders will attack the weakest point. Making your strongest point stronger adds no security.

Depending on what's threatening your data, I might even advise writing down your password. Not for everybody, but we all know how to guard physical objects like credit cards or slips of paper with passwords on them.

Fred Wamsley CISSP

Posted by: Beryllium Sphere LLC at July 29, 2004 09:45 PM

What are you people's thoughts on managing many passwords?

I'm trying to come up with a strong security policy for handling passwords. Having 15 character nearly-random passwords for 20 switches, 15 routers, 50 servers, root vs. user accounts, ftp accounts, web accounts, systems for different customers, etc it can easily get out of control. Add in password rotation, being able to give a password to somebody to give them access to a single device without compromising everything else, avoid predictability, etc and it's not super easy.

The Diceware site looks pretty good - will have to read it closer later.

In my opinion, it's good to print out the entire password list, broken up into different areas, stuffed into different envelopes, and put in a safe. But this has problems as well, such as it needs to be updated when passwords are updated, if somebody needs one password from a sheet then they immediately get everything else on the page, etc. Hence, sharing some passwords can be ok, make life easier, and reduce the chance of forgetting a password which can have high costs.

A lot of older networking devices, embedded OSs, etc don't support fancy punctuation in passwords, long (> 8 char) passwords, SSH, and so on.

Posted by: Wim at July 30, 2004 12:26 AM

When I first heard of the passphrase idea a while back it seemed like a good idea so I tried to use it with one of my clients. I was helping them impliment a new password policy and we gave the users the option of 8 random characters or 8 word long passphrase. Every single person chose the password over the passphrase and the feedback was they didn't want to have to type that much to be able to log in. So, there's a small case study to prove your point.

Posted by: Dave King at July 30, 2004 05:59 AM

I'm not looking for trolls by saying this, but I use 1337speak or phrases with numbers in it. like '1ncr3dul0us' or '12by2is6'. Using something like a mnemonic is a great idea though!

Wasn't one of leetspeak's original functions bypassing triggerword filters? deterring dictionary patternmatching attacks is very similar~

Posted by: evilmousse at July 30, 2004 11:19 AM

Wim,

There are a couple of good password 'safe-houses' which work to give you one master password to protect the others. Of course, this is a single point of failure and attack, and that one password has to be extremely strong. But it is effective.

I blogged about this a bit before and pointed to an interesting article on MSDN by Keith Brown. You can read the entry over at: http://silverstr.ufies.org/blog/archives/000632.html

Basically there are two really good ones out there that I recommend that you check out:

1) Password Safe from Bruce Schneier (http://www.schneier.com/passsafe.html)

2) Password Minder from Keith Brown (http://download.microsoft.com/download/d/3/1/d31fff33-fd97-488f-9bbd-4b7402905716/SecurityBriefs0407.exe)

If you have a WinCE device and need a good system, check out eWallet. It works well, its pretty light weight and doesn't cost to much. Works great on a smartphone like the MPx200.

YMMV of course.

Posted by: SilverStr at July 30, 2004 03:19 PM

Three words, chosen from a vocabulary of 5000, plus two digits (in between the words perhaps), makes for quite a strong password in practical terms. Most of the password crack programs that I've seen descriptions of claim that they test somewhere on the order of one to ten million passwords a minute. At the high end of that range, the average time to crach such a password would still be over a year. I've seen one program that claims to test one billion zip passwords a minute. If that claim is true, it would crack a password of that strength within one working day, but if you add a fourth word and a third digit, you're going to be in pretty good shape. These calculations do assume, by the way, that the cracking program is aware of the pattern of words and digits that you are using. Vary that pattern, and that particular cracking program will fail. Deliberately mis-spell a word, and that particular cracking program will fail. More numbers here:

http://smokey.rhs.com/web/blog/rhs.nsf/stories/passwordarithmetic

-rich

Posted by: Richard Schwartz at August 1, 2004 04:05 PM

A slightly older version of Passwordsafe is also available for Windows CE (and possibly Linux) . One big advantage of password safe against other systems I looked at, is that it doesn't need to be installed. I keep a copy on a USB memory stick and can use that on any Windows system I want.

I have not used Password Minder so I can't comment on that program.

Richard

Posted by: Richard Clyne at October 18, 2004 05:45 AM

Your logic is flawed. As Richard Schwartz pointed out, the mathematics weigh strongly in favor of pass phrases, even if everyone uses correctly formed sentences in the English language with correct punctuation.

This is because a character sequence of 10 random characters has the limitation that each character only has about 72 printable unique values. Therefore, you get 72 ^ 10 possible combinations (3e18)

With English words, even if you restricted yourself to the 10,000 most common words, and followed the rules of usage which would restrict any position to about 40% of the possibilities based on other positions, a five word passphrase has 4000 ^ 5 possible combinations (1e18).

That's the same order of magnitude.

Therefore, the passphrase:
When will Fido come home?

Is fundamentally as secure as
8*zQ@h.%9(

Robert is right. The first one is easier to remember.

Posted by: Nick at October 26, 2004 05:11 PM