passwords - easy to remember but hard to crack - would this work?

The PINs are actually more secure than the average hack, because they use a different (unknown by the hackers) key each time. If you don’t know the key, and every key is different, you basically have no way of knowing if you guess right. In terms of a hack like the SDMB, if each password was salted and hashed, and the salts were stored separately and not taken, you’d basically be in the same situation - the hashed data is basically useless.
As far as correct horse battery staple, it is less secure than you would think because the number of English words needed to guess a significant portion is probably going to be on the order of a few thousand word dictionary at best, rather than anything close to the full number of English words possible. Still a good technique though, if you combine with just about anything else such as a few random capital letters or added numbers the time to crack goes insane. The biggest problem is that lots of sites have far too short of a maximum length. Which is stupid, because if you are hashing the password you can allow a password of arbitrary length in the same storage space.

What you are calling “master salt” is not really salt at all. Salt is generally understood to mean non-secret data that is different for each password and combined with it to defeat pre-computed attacks, and to ensure that hashes are unique even if people use the same password, as you describe in (2).

There is another less-used technique called “pepper” (yes, really) which is more like what you describe - a second, site-wide secret that is combined with the password and salt before hashing. It’s debatable whether this adds any security.

But “guessing a significant portion” doesn’t get an attacker anywhere. It’s not like an authentication test will come back with “that password wasn’t correct, but you were close!” An attacker has to get it 100% right, and learns virtually nothing from an incorrect attempt, however close it may have been. So you have to raise the “few thousand” to the power of how many words are used, and that gets very big very fast (again, assuming randomly chosen words).
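The salt and pepper roles described in the post above, as an added example that is not part of any post in this thread: a per-password random salt stored beside the hash, plus a site-wide pepper held outside the user table. The pepper value, the iteration count and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: site-wide secret ("pepper") kept outside the user database.
PEPPER = b"constructed-example-pepper"
ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    # The pepper is mixed in with a keyed HMAC; the per-user salt feeds the slow KDF.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def register(db: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # non-secret, different for every password
    db[user] = (salt, hash_password(password, salt))


def verify(db: dict, user: str, password: str, pepper: bytes = PEPPER) -> bool:
    if user not in db:
        return False
    salt, stored = db[user]
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(stored, hash_password(password, salt, pepper))


def demo() -> dict:
    db = {}
    register(db, "alice", "correcthorsebatterystaple")
    register(db, "bob", "correcthorsebatterystaple")  # same password, new salt
    return db


if __name__ == "__main__":
    db = demo()
    print("same password, same hash?", db["alice"][1] == db["bob"][1])
    print("alice verifies:", verify(db, "alice", "correcthorsebatterystaple"))
    print("right password, wrong pepper:",
          verify(db, "alice", "correcthorsebatterystaple", b"guess"))
```
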

Indeed, that is why the fact that “password1” and “password2” have completely different hashes is such an important property of cryptographic hash functions – it is that property that prevents reversing hashes incrementally.

Additionally, if you’ll note the original “correcthorsebatterystaple” comic, it estimates 11 bits of entropy per word – essentially saying that you would expect to see all these words in a dictionary of 2048 common words. The “trubador” used as the base of the “complex password” was estimated at 16 bits of entropy, implying that it is such an obscure word that you would need a dictionary of size 65536 to reliably attack “passwords like this”.

Even with the handicap, though, the four common words outdo the single obscure word with modifications. The fact that all of the words could individually be found in a small dictionary quickly has been accounted for in the estimate already.

Okay, more questions…

From what I’ve learned here it’s obvious that it is unwise to use the same password for several accounts because if the hackers crack into one account they can invade the others. But what about User Names? Does using a unique and different User Name for each account – say, JohnSmith and BestCook and PackersFan, etc. – help keep those accounts secure?

Here’s another. Say I concoct some devilishly secure passwords using the best advice from this thread, but the resulting alphabet soup of words and numbers is nothing that I could easily commit to memory. So I say, Hey, that’s no big deal because the only time I need to access these important accounts is when I’m sitting at my home computer, not when I’m out in the field someplace. I can simply write them all down on a cheat-sheet that I keep in my desk drawer*. Fine. But also say I’m a slow and lazy typist and I hate to sit there pecking away one key at a time carefully transcribing the gibberish on the cheat-sheet to the screen. I could build a text document with a table of all my passwords and just copy&paste the passwords as needed. Is this a safe scheme, or are there hackers out there scanning my hard drive via my internet connection for just such a document? If so, what if I keep the cheat-sheet on a flash drive that I only insert when I need to C&P a password, after which I unplug it?

* Please let’s not go off on a tangent about whether my desk drawer is secure. Let’s just assume I live inside Fort Knox.

Talking about ways to generate a password, either from multiple dictionary words or in another way, is missing the point.

If you’re a normal internet user, you’ve got dozens of accounts to keep track of. Are you going to remember “correcthorsebatterystaple” for your bank, and “indifferentelvesfrygracefully” for your eBay account, and another few dozen? No way! That’s way too hard to remember. So you’ll either end up reusing them or you’ll need to use a password manager.

If you reuse them, you’re in danger. Every time you reuse a password, you make it more likely that it will be compromised when one of the websites you used it on gets hacked.

If you use a password manager, then you don’t need to worry about how to generate a password. It will generate a random one using a whole bunch of symbols and it will be way better than anything you will come up with.

Your username should be assumed to be public knowledge, and should be chosen for convenience (most sites nowadays suggest or default to your full e-mail address, which works fine). It isn’t designed to add any security, so you shouldn’t expect any from it.

If hackers have compromised your computer to the extent that they can grab a file off of it over the Internet, then everything you ever do using that computer is compromised anyway, no matter what your password scheme is. The only real worry using that method would be what happens if someone physically steals the actual computer itself (breaking and entering, purse-nabbing while you’re taking it somewhere, etc.).

The title of the thread is “passwords - easy to remember but hard to crack”, so I’d say it was to the point. It may be something of an academic point, because of course password managers are a good idea, but it is still interesting.
I use KeyPass myself for important passwords, but it doesn’t work with everything, e.g. Remote Desktop logins, and it can be a little clunky getting automated hotkey passwords working for some sites.
And I can’t use it for the KeyPass master password itself! That one has to be secure, and yet memorable, because I like to know that I could reproduce it from memory if I didn’t have access to my keyfile or various reminders that I have hidden here and there. So in that one case I really have used a “correct horse battery staple”-style passphrase, although one with more than four words. Surprisingly easy to remember, considering that it must be around 100 bits in strength.

Not a significant portion of any single password, a significant portion of all passwords of that type. Which is to say, if you got the whole world to use the correcthorsebatterystaple method, I suspect you could get a large percentage (30%, 40%, or more?) of the passwords with a surprisingly small dictionary. Let’s say, 500 words, which for a four word combo gives 62.5 billion possibilities. If the password hashes are, say, salted SHA-256 (common enough), attempting that dictionary against each password would take <60 seconds each on a machine with a single powerful graphics card. (hashcat - advanced password recovery - scroll down to performance). That isn’t a super fast, super practical attack and wouldn’t be the first thing they would try, but it is practical enough to get to eventually and get some passwords from.

Thanks, again, all, for the informative posts. I’ve learned more from this thread than all the articles I read before opening it. For those interested in how password security works from the host-server side, I found this article quite illuminating.

While I agree with this sentiment, I am not sure it is entirely accurate. When I log on to internet banking, my username is a number assigned to me by the bank. To my knowledge, that number bears no resemblance to any account number or any publicly available information on me. Assuming I was stupid enough to use my SDMB password as my bank password, the fact that a hacker does not have my bank username presents an extra hurdle for them.

Please tell me if I am wrong.

No. Either your math is wrong or you’re misunderstanding the correcthorsebatterystaple method. The key point is that the words are picked at random from a list of common words. If they’re not, it’s not correcthorsebatterystaple.

If we assume users pick passwords from a list of the 3000 most common English words, then the odds that all four words of a password use only words from a sub-list of 500 words is 1/1296. At 5000 guesses per second, you would still need about 145 days to brute force this sub-list. Not unfeasible but hardly a huge payoff. Add only one word, and it would take close to 200 years to brute-force that sub-list.

Let’s look at it in another way. Assume that a site that has 1,000,000 users forces everyone to use 4-word correcthorsebatterystaple with a dictionary of 3000 words. They get hacked and the culprits start brute-forcing the hashes. At 5000 guesses per second, the odds that they will discover a single password in one hour is:

(5000 guesses/sec * 3600 sec * 1,000,000 users) / 3000^4 passwords

Okay, that’s about 22% odds that they will find one password in one hour. Give them four hours and I wouldn’t bet that they would be completely empty-handed. But, that’s one password out of a million and they still have to work another four hours or so to get another one. On average, they will have to work 4 and a half hours per password.

If everybody switched to correcthorsebatterystaple tomorrow, it would put all crackers out of business.

If I use a different password AND a different user name on a site, wouldn’t that require the cracker to guess both?

So stealing a list of names and passwords from one source wouldn’t do him any good, because those names aren’t used elsewhere. Crack the password list all you want and it won’t get you in.

And I mean a totally different name, not just adding an initial.

I think we are mostly agreed and it is just a matter of my disagreeing that most human beings would correctly follow the correcthorsebatterystaple method. That is to say, I think that the average user, when told about correcthorsebatterystaple and putting it into actual practice, would not actually choose as well as by using random words from a 3k dictionary, failing in two ways:

  1. using a smaller dictionary than you would think
  2. Often using English word ordering (momthreebighorses, not horsebigthreemom)

The only other quibble I have is that password cracking even with a single GPU tends to be in the hundreds of thousands or millions of hash checks per second for many hashes in actual usage, not 5000.

I definitely agree that if you, say, went to a website that randomly generated a password of 4 words from a reasonable size dictionary and used that, it would be a decent password and pretty hard to crack in large numbers unless the hash used was very weak and unsalted.

This is about as good as a lay person can get using standard software. If you’re going to go to that much trouble, though, why not just use a PW manager? :)

There’s a plug-in for Remote Desktop.

FWIW, jacobsta811, someone has created an xkcd password generator. His word list has 1949 tokens, derived from a list of words appearing frequently in newspapers. Presumably the generator uses a pseudo-random function, but doubtless is a good deal stronger than someone trying to do this by intuition. Not advocating for or against the generator, btw.* Just passing along as an interesting tidbit. Perhaps the biggest weakness in the strategy, as several folks have mentioned, is that most websites don’t support passwords of sufficient length.

* Nor does its author. Rather, he recommends a password manager.
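An added example, not part of any post here and not the code of the generator mentioned above: a random-word passphrase generator together with the size estimates argued over earlier in the thread (11 bits per word from a 2048-word list, and exhausting a 500-word sub-list at a given guess rate). The 16-word list is constructed and far too small for real use; the function names are assumptions.

```python
import math
import secrets

# Constructed 16-word sample list; a real list would hold a few thousand words.
WORDS = ["correct", "horse", "battery", "staple", "river", "candle", "orbit",
         "maple", "tunnel", "pepper", "violin", "harbor", "puzzle", "lantern",
         "meadow", "anchor"]


def generate(wordlist, n_words=4):
    # secrets.choice draws from the OS CSPRNG: each word is uniform and independent.
    return "".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(dict_size, n_words):
    # Holds only when every word is picked uniformly at random from the list.
    return n_words * math.log2(dict_size)


def seconds_to_exhaust(dict_size, n_words, guesses_per_sec):
    # Time to try every combination against one salted hash.
    return dict_size ** n_words / guesses_per_sec


def fraction_inside_sublist(sub_size, dict_size, n_words):
    # Share of random passphrases whose words all fall in a smaller attacker list.
    return (sub_size / dict_size) ** n_words


if __name__ == "__main__":
    print("sample passphrase:", generate(WORDS))
    print("4 words from 2048:", entropy_bits(2048, 4), "bits")
    for rate in (5_000, 1_000_000):
        days = seconds_to_exhaust(500, 4, rate) / 86_400
        print(f"500-word sub-list, 4 words, {rate}/s: {days:.1f} days")
    years = seconds_to_exhaust(500, 5, 5_000) / (86_400 * 365)
    print(f"500-word sub-list, 5 words, 5000/s: {years:.0f} years")
    print("share of 3000-word passphrases inside it:",
          fraction_inside_sublist(500, 3000, 4))
```
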

For me, the answer is that the passwords are near enough mnemonic that I don’t generally need the “cheat sheet.” Which, by the way, is a password-protected Word document (against the hazard of loss or theft of the machine). And, of course, that password is unique.

When I change my password on a website (such as the SDMB), where is the hashing process typically performed? I assume it’s client side…

Nope. Never client side. If that was the case, the hash would become the password and the DB would be storing the passwords in plain text.

Whenever you access a site with a password, to log in or to change your password, you always transmit your password in plain text and the server software performs the hashing. Ideally, this communication should be encrypted but many sites (including the SDMB) do not use SSL for user authentication.

I used to do this, storing random passwords with login data on an encrypted file. I know some leading security researchers do this, so it can’t be all that bad an approach, but really in the end it’s a pain in the ass. Password managers essentially do the same thing and they’re much less of a hassle.