Password Strength

A tech columnist (Manjoo, maybe? I can’t remember) endorsed this XKCD cartoon in a tweet. xkcd: Password Strength

The gist of it is that a string of random but memorable words is a better password than a short word and a few numerals. So in the cartoonist’s example, “correct horse battery staple” is a much better password than Tr0ub4dor&3.

Do any computer security experts want to weigh in on this?

I always thought we were encouraged to use something short and sweet for a reason. No?

If the cartoonist is on to something, then that makes me wonder whether the words need to be truly random. For the sake of memorability, could I achieve the same security with words picked from some famous source. For instance, would “not what your country can” from JFK’s inauguration speech be sufficiently random?

Any other suggestions for passwords that are both secure and easy to remember?

There was some discussion about that here.

I’ve been advocating this for years. The mathematics of it is laid out right there in the XKCD strip.

As for using less random strings of words, such as “not what your country can”, you again just have to consider how many possibilities there are, and you should always assume that the attacker is aware of the scheme you use to generate the password. Otherwise you are committing the sin of “security through obscurity”.

Your scheme appears to be “a number of consecutive words from a memorable quote”. Let’s say there are, I don’t know, 500,000 memorable quotes, and for each one there are five places where you could start, and for each of those there’s three places where you could stop. That’s 7,500,000 possibilities, about 2^23 or 23 bits of entropy, in the terminology of information theory. That’s worse than either XKCD scheme. Even if I’m underestimating the number of memorable quotes by a factor of 100, that only adds 6 or 7 bits, making it about as good as the first XKCD scheme.

The strength of XKCD’s second scheme really comes from the unconnectedness of the four words, and it makes the point that the symbol set you choose from does not need to include obscure, hard-to-remember possibilities (weird symbols, in the case of choosing from alphanumeric characters, or rare words in the case of dictionaries).
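The bit-counting in the post above, as an added worked example in Python (not code from the thread or from xkcd): each scheme’s strength is log2 of the number of equally likely passwords it can produce, on the assumption that the attacker knows the scheme. The 2048-word list is the comic’s own stated assumption (11 bits per word, 44 bits for four words); the 75-symbol, 26-character case matches an estimate made later in the thread.

```python
"""Entropy, in bits, of the password-generation schemes discussed in the thread.

Added example: every function assumes the attacker knows the scheme and that
each choice within it is made uniformly at random, so strength is simply
log2(number of possible outputs)."""
import math


def bits(possibilities: int) -> float:
    """Entropy of a uniform choice among `possibilities` equally likely outputs."""
    return math.log2(possibilities)


def random_words_bits(dictionary_size: int, word_count: int) -> float:
    """XKCD-style passphrase: `word_count` words drawn independently from one list."""
    return bits(dictionary_size ** word_count)


def quote_fragment_bits(quotes: int, start_positions: int, stop_positions: int) -> float:
    """'Consecutive words from a memorable quote': the only free choices are which
    quote, where to start and where to stop, so that is all the attacker must search."""
    return bits(quotes * start_positions * stop_positions)


def charset_bits(charset_size: int, length: int) -> float:
    """Random string of `length` characters, each drawn from `charset_size` symbols."""
    return bits(charset_size ** length)


def compare_schemes() -> dict:
    """The thread's estimates side by side: quote fragments, the comic's figure,
    and a 26-character random string over 75 symbols."""
    return {
        "quote fragment: 500k quotes x 5 starts x 3 stops": quote_fragment_bits(500_000, 5, 3),
        "quote fragment: 100x more quotes": quote_fragment_bits(50_000_000, 5, 3),
        "4 random words, 2048-word list (comic's figure)": random_words_bits(2048, 4),
        "26 random chars from 75 symbols": charset_bits(75, 26),
    }


if __name__ == "__main__":
    for scheme, b in compare_schemes().items():
        print(f"{b:6.1f} bits  {scheme}")
```

Running it prints roughly 22.8, 29.5, 44.0 and 162 bits. The quote scheme gains only about 6.6 bits from a hundredfold larger quote database, which is the “factor of 100 adds 6 or 7 bits” point: multiplying the search space by k adds log2(k) bits no matter how large the space already is.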

**Ximenean** nailed it.

Speaking just to the quoted part above …

I’m not sure what you mean by “short & sweet”. Longer has always been thought of as better. People with passwords like “123” or “ABC” have all-but zero security and have since the invention of computer passwords several decades ago.

In the early internet days when a lot of web sites got written by less-than-professionals, for a while it was common that sites would not accept passwords longer than 8 characters. This was sort of a holdover from mainframe systems from the 70s, plus a bunch of laziness, and/or rush to get online & get rich-ness.

Given a limitation on password length, the best way to increase security is to use more potential characters. Upper & lower case letters are better than upper case alone. Adding numbers or symbols is better yet. Adding both is even better. Again given a short limit on password length.

So when everybody in the civilized world got online & started dealing with passwords, the conventional advice was “make it include complex characters (plus as long as you can remember or the site will accept)” which most non-technical people heard as just “make it include numbers and shifted numbers”.

And that garbled conventional advice is what xkcd is lampooning.

But once that length limit is relaxed or eliminated, then it becomes mathematically easier to increase complexity by making your PW longer, rather than obscurer. And as xkcd points out, it can make remembering easier too.

The only challenge then becomes: Can you type “To boldly go where no man has gone before. Yo Beavis!” correctly every time when you can’t see what you’re typing? I can’t.

I think that, paradoxically, those dots that appear when you type a password will soon be recognized as an obstacle to security. For the 99% case when nobody is looking over your shoulder, all they do is prevent people from choosing long passwords. Better to have the characters show on-screen.

In my experience, most web sites will still not accept long passwords, and not a few will not accept non-alphanumeric characters. (Others insist on them, which is surely almost as bad.) Heck, I think there are still some about that do not distinguish upper and lower case.

Agreed. I use the “Reveal passwords” add-on for Firefox to address this. (Even if anyone is looking over your shoulder, they can watch your fingers anyway.) I won’t be holding my breath for your very sensible suggestion to be taken up generally, though.

The short answer is that a password made up of words found in a dictionary is going to be very weak for its length. Password cracking programs use dictionary words in their brute force attacks.

A better idea is to use acronyms. If you make up a phrase of about 25 words that will be easy for you to remember, and it contains caps, numbers, and symbols, then taking the first letter of every word will give you a password as safe as you could ever want.

For example, “I wish I had a 5 dollars for every time Judy and Sam were late. No, on second thought, make it ten.”

Translate that into “IwIh5$4etJ&Swl.N,o2t,mi10.”

That’s a 26-character PW where each position can be any one of 75 or more characters, so the odds of someone guessing it on a given try, even if you tell them the length, are about one in 75^26, which is over 5*10^48, or 5 trillion trillion trillion trillion. If a billion computers each trying a billion passwords per second had been running since the Big Bang, they wouldn’t have made a dent in it.

If you use it even once a day, you’re not likely to forget it, but you can ensure you don’t by just writing a clue somewhere convenient. For that phrase, you might have “I could make a lot of money if my friends paid me for the time I spend waiting for them.” That should jog your memory enough to remember the real phrase, and it’s perfectly safe to leave lying around.

And as long as you’re idiosyncratic about the spelling, you don’t even have to make anything up — you could just use the lyrics to a favorite song, preferably lyrics that you got wrong for several years, so that you remember a different version than the rest of the world. Like “SmwIktg” for “Excuse me while I kiss the sky.”

Since most every site I use nowadays, especially banks, doesn’t allow infinite retries without a lockout, and doesn’t allow retries for several minutes after the lockout, and probably logs all attempts, it makes discussion of password strength mostly moot. A dictionary attack won’t be very effective even on a password like “Klaatu barada nikto” if the system only allows 4 tries per hour and reports 10 tries a day to some security authority.
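The “4 tries per hour” lockout from the post above, as an added example in Python (not code from the thread or from any named site): a sliding-window lockout replayed over a constructed authentication log, plus the arithmetic for how long exhausting a password space takes at the online rate the lockout permits versus offline against a leaked hash. The log format, the account names and the 10^9 guesses/second offline rate are all constructed for illustration.

```python
"""Online guessing under a lockout policy versus offline cracking of a leaked hash.

Added example. The lockout rule (4 failed tries per hour per account) and the
log format are constructed for illustration; the 10^9 guesses/second offline
rate is a round number, not a measured figure for any particular hardware."""
from collections import defaultdict, deque
from datetime import datetime

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password in a space of 2**bits at a fixed rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


class LockoutPolicy:
    """Sliding-window lockout: more than `max_failures` failed logins on one
    account within `window_seconds` locks it (the post's site allows 4 per hour)."""

    def __init__(self, max_failures: int = 4, window_seconds: int = 3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures

    def record_failure(self, account: str, ts: float) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        recent = self._failures[account]
        recent.append(ts)
        while recent and ts - recent[0] >= self.window:
            recent.popleft()  # forget failures that have aged out of the window
        return len(recent) > self.max_failures

    def online_rate(self) -> float:
        """Sustained guess rate against one account that never trips the lock."""
        return self.max_failures / self.window


# Constructed authentication log, one attempt per line (not a real site's format).
AUTH_LOG = """\
2024-03-01T09:00:00 user=alice result=FAIL
2024-03-01T09:10:00 user=alice result=FAIL
2024-03-01T09:20:00 user=bob result=FAIL
2024-03-01T09:25:00 user=alice result=FAIL
2024-03-01T09:40:00 user=alice result=FAIL
2024-03-01T09:50:00 user=alice result=FAIL
2024-03-01T10:30:00 user=bob result=FAIL
2024-03-01T11:00:00 user=bob result=OK
""".splitlines()


def parse_attempt(line: str):
    """Return (timestamp_seconds, account, failed) for one constructed log line."""
    stamp, user, result = line.split()
    ts = datetime.fromisoformat(stamp).timestamp()
    return ts, user.split("=", 1)[1], result.split("=", 1)[1] == "FAIL"


def locked_accounts(lines, policy: LockoutPolicy) -> set:
    """Replay the log through the policy and return the accounts it would lock."""
    locked = set()
    for line in lines:
        ts, account, failed = parse_attempt(line)
        if failed and policy.record_failure(account, ts):
            locked.add(account)
    return locked


if __name__ == "__main__":
    policy = LockoutPolicy()
    print("locked:", locked_accounts(AUTH_LOG, policy))
    for label, b in [("quote fragment", 23), ("four random words", 44)]:
        print(f"{label}: {years_to_exhaust(b, policy.online_rate()):.0f} years online, "
              f"{years_to_exhaust(b, 1e9):.2g} years offline at 1e9/s")
```

Replaying the log locks “alice” (five failures inside one hour) and leaves “bob” alone. At the 4-per-hour online rate even a 23-bit quote-fragment space takes about 240 years to exhaust, whereas offline against a leaked hash at 10^9 guesses/second the same space falls in milliseconds and a 44-bit space in a few hours, which is why the lockout argument only holds until a hash file leaks.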

It’s only weak for its length if you specify the length in terms of characters. There’s no particular reason to do that. Specify the length in terms of symbols (words, in the case of passphrases), and it is just as strong.

It’s not a bad approach, but things like that are annoyingly difficult to type, especially on iPhones and the like. I prefer simpler passphrases using lower case alphabetic characters only (append something standard like “.A1” if the service insists on upper case/numerics/non-alphanumerics). That way, you make it as easy to type as possible - no shifting necessary, no switching to numeric keyboards, no hunting for rarely-used characters.

Using your example phrase, I would turn it into a password of “iwihfdfetjaswlnostmit”. There’s no need to include upper case or punctuation, even spaces. It’s overkill and just makes it harder to type, and to remember the precise format that you chose.

I only use a standard keyboard, and I can type numbers and punctuation as fast as letters, but I see your point.

Actually I agree it’s overkill for most uses, but it is a good way to remember a very secure password without much trouble.

I’ll figure out a pattern on the typical QWERTY keyboard that’s easy to type with one finger, and within a small range. It’s random, not a word, and all you have to remember is the pattern.

See if you can figure out this pattern:

mkiuygbn

Sure, “correcthorsebatterystaple” (or rather, something else constructed in that manner, not that exact string) is low-security for its length, but that doesn’t mean it’s low security. Any scheme can be made secure if it’s long enough, and “correcthorsebatterystaple” is long enough for all practical purposes. You could make a more secure password with the same number of characters, but really, is there any difference between “takes a century to crack” and “takes a googol years to crack”?

I contend that these “secure” passwords are less secure. If I can’t make my password the dog’s name or something else easy to remember, then it goes on a yellow sticky note next to the monitor.

Like everything else, it depends. If you’re trying to keep your computer-illiterate wife out of your files at home, then “swordfish” is probably fine. If you work for Boeing, and have files on your office PC that could attract the attention of serious people, then the five minutes it takes to come up with something mathematically infeasible to crack is well worth it.

Use your dog’s name. MyDogsNameIsSpot or SpotIsMyDogsName are a mighty lot more secure than Spot though. Even the monitor sticker is secure if it’s just a formula to help to remember. My Dogs Name Is?

I disagree. An acronym of a phrase is inherently less secure than the phrase itself.

Also, as previously stated in the thread linked above, password crackers make use of statistics to speed up the cracking by guessing the most likely human usage. So that means that common sayings and proverbs such as quoted above are more vulnerable than people might think. Ditto with music lyrics as a base for passwords. Pretty much all lyrics are stored in databases somewhere, and again making use of statistics to weed out the less popular music, the search space is reduced.

And another thing, people advocating for some scheme or other as a method for creating passwords forget that this site and others where password mnemonics are discussed are indexed by google, and easily searched by bots, incorporating the techniques discussed into a database of most likely methods. This reduces the search space of password cracking immensely.

So moral of the story is that phrases are not truly more secure if they’re based on common human usage.

The XKCD example of four truly random words works because there is a true random combination of words.

Spotisthedogsname
*incorrect, try again
SpotIsTheDogsname
*incorrect, try again
SpotIsMyDog
*incorrect, try again
TheNameOfMyDogIsSpot
*Your account has been locked for your protection.

Not only that, but some sites required numbers and other symbols. Fair enough, I can tack on an exclamation mark or my birth year, but then you have to change it every 3 months.

What happens? The whole thing goes on a yellow sticky note.

There is also the very likely scenario that a hacker gets his hands on a list of hashed passwords to a site, in which case a computer can happily attempt cracking as fast as possible until the hash is broken, then you try that password on the real site once, successfully. Cracked.

Only if the “bots” have unprecedented levels of artificial intelligence, sufficient to divine a set of mechanical rules from free-form English text. And if they do, the security of our Amazon passwords is probably the last thing we should be worrying about.

It’s not unprecedented. Computers have long been able to construct strings based on English usage rules. Basically, you just construct big tables of “if the last word (or two words, or three words, or whatever) were ___, then the most likely next words are ___, ___, or ___, with this set of probabilities”. Of course, most such constructed strings quickly degenerate into gibberish, but it’s still a much smaller search space than a bunch of independently-selected random words.
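The “table of most likely next words” described in the post above is a word-bigram model. As an added example (not code from the thread), here is such a model used the defensive way round, as a strength meter: it scores how many bits a phrase is worth under the model, for comparison with what independently chosen words would cost. The corpus is a constructed four-line stand-in for the lyric and quote databases mentioned earlier; the add-one smoothing and the reserved slot for unseen words are choices made for this example.

```python
"""Scoring a passphrase under a word-bigram model versus independent random words.

Added example. CORPUS is a constructed stand-in for the lyric and quote
databases the thread mentions; add-one smoothing and the reserved slot for
unseen words are design choices of this example, not of any named tool."""
import math
import re
from collections import Counter

CORPUS = """
ask not what your country can do for you ask what you can do for your country
to boldly go where no man has gone before
excuse me while i kiss the sky
the only thing we have to fear is fear itself
"""


def tokenize(text: str) -> list:
    return re.findall(r"[a-z']+", text.lower())


class BigramModel:
    """P(word | previous word) from counted pairs, with add-one smoothing so
    unseen pairs (and unseen words) still get a small, nonzero probability."""

    START = "<s>"

    def __init__(self, lines):
        self.pairs = Counter()        # (prev, word) -> count
        self.prev_totals = Counter()  # prev -> count of all pairs starting with it
        vocab = set()
        for line in lines:
            words = tokenize(line)
            if not words:
                continue
            vocab.update(words)
            prev = self.START
            for word in words:
                self.pairs[(prev, word)] += 1
                self.prev_totals[prev] += 1
                prev = word
        self.vocab_size = len(vocab) + 1  # one extra slot for any unseen word

    def prob(self, prev: str, word: str) -> float:
        return (self.pairs[(prev, word)] + 1) / (self.prev_totals[prev] + self.vocab_size)

    def phrase_bits(self, phrase: str) -> float:
        """-log2 P(phrase): how many bits of guessing the model says the phrase costs."""
        total, prev = 0.0, self.START
        for word in tokenize(phrase):
            total -= math.log2(self.prob(prev, word))
            prev = word
        return total


def uniform_bits(word_count: int, dictionary_size: int) -> float:
    """Cost of `word_count` words chosen independently from a list (the XKCD scheme)."""
    return word_count * math.log2(dictionary_size)


MODEL = BigramModel(CORPUS.splitlines())

if __name__ == "__main__":
    for phrase in ("not what your country can", "battery sky ask go horse"):
        print(f"{MODEL.phrase_bits(phrase):5.1f} bits  {phrase!r}")
    print(f"{uniform_bits(5, 2048):5.1f} bits  five words from a 2048-word list")
```

On this toy corpus the JFK fragment scores about 21 bits, five unrelated words about 25.5, and five words drawn from a 2048-word list 55. With a real corpus of quotes and lyrics the bigrams that were actually seen take far more of the probability mass, so the gap between a famous phrase and unconnected words grows; that is the sense in which the phrase is “less random” than its length suggests.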

Presumably the scenario is actually that the bots find discussions containing key words or phrases, such as “secure passwords,” and then bring them to the attention of their black-hat human masters, who actually write the cracking programs.