August 8, 2017

"The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!"

"Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly—he regrets the error."

It's in the Wall Street Journal, so good luck trying to read it. Maybe the headline alone will be useful.

Excerpt:
The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, [said Paul Grassi, an NIST standards-and-technology adviser]. Those rules did little for security -- they "actually had a negative impact on usability," he said.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S....

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters -- since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

The article points us to this popular cartoon, which memorably and accurately shows the problem:

And I liked this:

Collectively, humans spend the equivalent of more than 1,300 years each day typing passwords, according to Cormac Herley, a principal researcher at Microsoft Corp.

And here's Lorrie Faith Cranor, the woman who made a dress out of the 500 most-common passwords (like iloveyou).

67 comments:

Henry said...

I have three secure systems I have to use at work with three different logins.

One password expires every 90 days. Another every 120 days. The third once a year.

You can't reuse old passwords.

Drives me insane.

rehajm said...

Teller's take on remembering passwords is interesting, too.

Laslo Spatula said...

Thanks for the info on spoonflower.com. May have to try that.

I am Laslo.

Etienne said...

The password (no matter the length or complexity) is normally converted to a digital hash. The industry has proven time and again that they can't do hashes properly.

The hash has to be cryptographically secure. You would faint if you knew how your password hash from many companies can be easily reverse engineered.

A hash is defined as a one-way function. Stupid people make it a two-way function.

Where possible, and the tool is in place (Google mail), I use my Yubikey

Beloved Commenter AReasonableMan said...

Henry said...
I have three secure systems I have to use at work with three different logins.
One password expires every 90 days. Another every 120 days. The third once a year.
You can't reuse old passwords.
Drives me insane.


The end result is that most people will write their passwords in a file somewhere in order to keep track, which is then easily hacked.

Laslo Spatula said...

Henry at 7:37.

Password Fatigue.

I am Laslo.

Tank said...

Tank has 83 passwords; I had more when I was still working. No, they are not all unique.

Etienne said...

This comment has been removed by the author.

Fernandinande said...

Passwords should be complicated enough that you need to keep them on sticky-notes attached to your monitor.

I hate seeing **** that you can't turn off - do They really think someone is looking over your shoulder?

Household hint: Password field -> Inspect element -> change type from "password" to "text".

Henry said...

The end result is that most people will write their passwords in a file somewhere in order to keep track, which is then easily hacked.

Or on a Postit note beneath the monitor. Really security-conscious users keep the Postit note stuck to the inside of their file cabinet.

My Dad, on the other hand, uses a series of personal mnemonic clues to remember his passwords. He writes them down on a piece of paper. But there are more clues than passwords and occasionally when he changes a password he forgets to update the clue. If he forgets a clue, no one has a clue.

Laslo Spatula said...

For Google I use politically incorrect statements as passwords.

'DiversityDoesNotWork'

'WomenAreDifferent'

'IkeTurnerWasRight'

Things like that.

Google will never figure them out.

I am Laslo.

Matt Sablan said...

Alligator Eats Car is still one of my favorite passwords I ever used (don't worry, I don't use it any more, so I'm free to share it.)

Etienne said...

I use this program on my linux and windows computers:

Password Safe

It is a password repository. Every time someone asks for a password, you can generate a new one and add it.

All of the passwords are then secured with one password you open the repository with.

Ignorance is Bliss said...

I use a really secure password for my online banking. So secure that I was even complimented on it by a Nigerian prince!

Ralph L said...

I use one password for things involving money and another for everything else but gmail and all three are similar. Is that dangerous?

I still have dreams about not remembering the code to get into my office hallway...in 1983.
They're as bad as the ones about going to school in underwear or forgetting about a college class I'd signed up for weeks before.

Henry said...

@Etienne -- I use KeePass, which is similar.

Michael K said...


For Google I use politically incorrect statements as passwords.

'DiversityDoesNotWork'


You're fired !

Matt Sablan said...

"I use one password for things involving money and another for everything else but gmail and all three are similar. Is that dangerous?"

-- Matters whether you practice good computer safety. If you do, you're probably more in danger of whoever owns the systems you log into being compromised some other way. I am relatively lax on my password discipline, even though I know I could do better, and the only time I've been "hacked" is when my bank or the government have been compromised -- and I play MMOs, use PayPal, Steam, etc.

Matt Sablan said...

Oh, wait. The Playstation Network was compromised at some point with my data as well, and Target (which surprised me, since apparently they automatically started tracking my data even though I opted out, which believe me, I gave them an earful.)

Fernandinande said...

humans spend the equivalent of more than 1,300 years each day typing passwords

5+ seconds per person for all 7 billion people? Sounds a bit high.

Ralph L said...

During a security inspection at my second defense contractor job, a co-worker was asked to open the safe in his office, so he opens his wallet and pulls out a piece of paper in front of the inspectors.

He used 300 baud DARPAnet to run "yuge" nuclear weapons (blast and fallout) effects programs on the supercomputer at Los Alamos.

Matt Sablan said...

If you're worried about password security, where possible, turn on two-token authentication (or whatever the new fancy term is.) Even if Blizzard gets compromised, no one can access my Blizzard account without using the one-time code generated by my authenticator (and at some point, I'll get one for FF14 as well.) I already have it set up so my phone needs my fingerprint to authorize any purchases, and Google Play is set to require that every time my phone tries to make a purchase.

Matt Sablan said...

"5+ seconds per person for all 7 billion people? Sounds a bit high."

-- In government facilities, anytime you step away from your desk, you have to pull your card, meaning that some people re-enter their passwords dozens of times a day.

Tommy Duncan said...

This comment has been removed by the author.

Tommy Duncan said...

John Podesta was not available for comment.

ELC said...

I started in computers when I was a senior in high school, when we had to punch cards to write a program. When the advice came out to change passwords frequently, it made no sense to me. It seemed to me to be obviously useless and possibly risky.

Matt Sablan said...

"It seemed to me to be obviously useless and possibly risky."

-- I always thought that a good password shouldn't need to change every 90 days, and that by changing it, you were just increasing the odds of someone taking short cuts to remember passwords, or that people would start doing things like Nach0ch33s31! to Naco0ch33s32@, defeating the purpose of the new passwords.

But, I'm not a computer person.

Matt Sablan said...

Hah. I think it is funny my second example bad password has a typo in it.

Etienne said...

ELC said... "...we had to punch cards to write a program."

What??!! No timeshared BASIC?

In 1971 our school purchased two ASR-33 teletypes and hooked into the Timeshare computer at the county with 110 baud modems. In 1972 we traded those in for the ASR-35 teletypes (more rugged, fewer breakdowns).

We did have a keypunch machine, but it was only used for Senior Math class where you had to make a Fortran program do something with matrices.

By the way, the password to the school account was the same for everyone. One account, one password.

Ron Winkleheimer said...

There was a lot of dissent within the information security community and IT in general when that came out. The push back was exactly what is being said now. That it just made it harder for users to remember their passwords and did exactly squat against brute force cracking, which is how most account hacking is done. The hacker somehow acquires a copy of a file containing login credentials and uses the same algorithm the compromised system uses to encrypt passwords and then starts encrypting various words/symbol combinations and comparing them to what is in the file until one matches. There are various ways to speed this up so the cracking won't be entirely random. Password cracking software will have rules, such as use the word "password" or the account ID on the first pass. Absent password setting software that prohibits it you'll get 5 to 10% of the account passwords right there. After that it will do things like use $ where an S might be and 0 for o. Then there are things such as rainbow tables.

https://en.wikipedia.org/wiki/Rainbow_table

But, NIST had spoken and if you did not follow their diktats then you weren't following best practices and that was bad. When people would complain to me that they couldn't remember their passwords I would tell them to write them down and put them in their wallet. How many people have access to your wallet after all?

Ron Winkleheimer said...

@Henry

Sounds like we may work at the same place.

Ron Winkleheimer said...

The reasoning behind requiring passwords being changed periodically is that if someone does get hold of the credentials file and starts trying to crack accounts it will take, with modern computing power, so many days to brute force them. So, you should change your password every 30 days because on average that is how long it will take to crack it and by the time it has been cracked, it is no longer valid. That is why these days some systems allow you to create a pass phrase, such as in the cartoon and will only require you to change your password every 90 days. Though, as the cartoon illustrates, you shouldn't ever have to change it. But changing passwords on a regular schedule has become a habit in computer security.

David said...

"turn on two-token authentication"

It certainly works well to keep me from accessing my accounts.

Ron Winkleheimer said...

The reason your admin can't tell you what your password is when you forget it is that it is a one-way hash. When you log in your password is encrypted and the encrypted password is compared to the previously encrypted password in the credentials file to see if they are the same. To prevent encrypted passwords from being the same if the same password is used something called "salt" is used.

If anyone else besides me is at all interested in this subject here is a good intro to it.

https://crackstation.net/hashing-security.htm

bagoh20 said...

I have a formula that gives me a long and different password for every site, yet it's easy to remember. These password rules sometimes will not allow me to use it, so I have to keep those in a spreadsheet, but not the passwords themselves, just clues that tell me how to remember them. The system I like best and which almost nobody uses is having customizable hints that you make which pop up and tell only you what your password is.

stlcdr said...

I like to remind all the IT and security people that I have all my passwords written down on a piece of paper under my keyboard. I also tell them that whenever they ask me to change it I put a single line through the old one and write down the new one. If they have someone remove the paper, I just say that's ok I have a photocopy....somewhere around here.

Basically IT people are regular street hookers with enough Microsoft certifications to get the job.

Ron Winkleheimer said...

Basically IT people are regular street hookers with enough Microsoft certifications to get the job.

As an IT guy I just want to say, I love this.

mockturtle said...

Excellent article and illustration. Makes sense.

Nonapod said...

A long enough string of just regular case insensitive alphanumerics, even if you're just using 0-9 and A-Z and excluding punctuation and special characters, is both stronger and easier to memorize than shorter passwords that include a larger set of characters. So a password that's 20 characters long that only uses A-Z and 0-9 (26) has 26^20 possible combinations, which is a much higher number than a password that is just 10 characters long and uses all printable ASCII (126-32=94, which would be 94^10). I wish more systems would go that route.

stlcdr said...

"As an IT guy I just want to say, I love this."

You must be one of the good ones. When faced with a disparaging comment about one's position, those that take offense are generally the ones that justify the disparagement. Conversely, those that don't have a skill and knowledge of value, and do the job their profession requires.

As an engineer, I know we have a tendency to keep fixing things until it's broke...

Lipperman said...

You could use a Post-It note to safely store your password. Just mask most of the letters, so that the remaining letters are enough to jog your memory. For example, if your username and password for Blogger are
diversity@gmail.com>Hugefuckstick then your Post-It could say

Blogger
diversity@gmail.com>Hu********k

Just email all of your usernames and password to yourself, and have access to the list from anywhere.

stlcdr said...

Oh, and when faced with a password change, try changing it 10 times in a row (adding 1, 2, 3, etc.) then go back to your original password. Depends how obnoxious or lazy the security people are.

Big Mike said...

1300 years per day? That's a lot of logins, or some very slow keyboarding.

Unknown said...

What color is that dress?

readering said...

I like made up words that are close to real words.

Sydney said...

I especially resent the time I waste trying to recover passwords I can't remember. And yeah, I write them down, but I have so many that sometimes when I have to change one it is on the fly during a patient encounter and I can't take the time to write the new one down. Since the log-in password change is already sucking time from my patient encounter.

The Sage of Altadena said...

I use the same kernel (a short string of random alphanumerics) for all my passwords, modified in idiosyncratic ways for each website. There are several problems for passwords: some websites require a window of characters (say, from 5 to 20) and some insist on special characters and capital letters. A universal problem is that "*****" on the screen, so it's hard to tell if you've entered your uber-secure-with-special-characters-and-capital-letters password correctly. I could save lots of time if they'd give me the option to let me see what I was doing.

buwaya said...

Single Sign On systems.
Also hardware second factor.
Make life possible.

Hey Skipper said...

Oh, for pete's frickin sake, use a password manager.

Take 1Password, for instance -- but they all have basically the same capabilities.

I know just one password, the one that opens 1P.

It generates completely random passwords per whatever recipe each site requires, saves successive passwords, warns you when you haven't changed a password for too long, completely prevents phishing schemes, holds all manner of other secure information, synchronizes across all your devices, and autofills.

Oh, and here's a free tip for security questions. Pick a rule, and stick with it. For instance, the answer to every security question is the second letter in each word of the question. The variations are nearly infinite. Easy to remember, consistent, and uncrackable.

Left Bank of the Charles said...

There is another problem with passwords that only gets worse as you make them longer. That's typing all the characters accurately in the limited number of tries you are allotted before the system locks you out. I'm finding that harder and harder to do as I get older.

Unknown said...

I use "p@ssw0rd" for my password, like my idol John Podesta.

How did the Rooskies ever get one past him?

Otto said...

Will be OBE in a few years with body recognition technology.

Jason said...

"uncrackable."

Lulz. :-)

buwaya said...

"Will be OBE in a few years with body recognition technology."

Probably hackable, like fingerprints (or fingers) proved to be.

Bruce said...

The company I work for is, in general, very good about security. But the password rules seem simply awful to me. Our password has to be exactly 8 characters (not 8 or more), it has to contain at least one digit, and at least one punctuation mark which can only be #, $, or %. This seems like not only have you told a hacker exactly how long the passwords are, but you've vastly reduced the search space they have to try (for sure one of the exactly eight characters can only take on 3 values?!?).

Other than that they are pretty strong - two factor authentication, separate accounts for routine vs privileged access, etc. But I've never been able to wrap my head around the password rules.
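
An added worked example (mine, not any commenter's) that puts numbers on Nonapod's "long alphanumeric beats short complex" claim and on Bruce's "exactly 8 characters, at least one digit, at least one of # $ %" policy. It assumes Bruce's allowed symbols are 52 letters, 10 digits and the 3 punctuation marks (65 in total), and that A-Z plus 0-9 is 36 symbols; the constrained count uses inclusion-exclusion and is cross-checked by brute force on a toy alphabet.

```python
# Added example: how a composition policy changes the number of candidates
# a cracker has to try. Assumptions: Bruce's alphabet is 26+26 letters,
# 10 digits and 3 punctuation marks (65 symbols); A-Z plus 0-9 is 36.
import math
from itertools import combinations, product


def bits(count):
    """Size of a search space expressed as bits of entropy (log2)."""
    return math.log2(count)


def unconstrained(alphabet_size, length):
    """No composition rule: every position may hold any symbol."""
    return alphabet_size ** length


def required_classes(length, classes, free_symbols):
    """Number of strings of `length` that contain at least one symbol from
    every class in `classes` (a list of class sizes). `free_symbols` is the
    number of symbols belonging to no required class. Inclusion-exclusion
    over the set of classes that are *absent* from the string."""
    total = 0
    for k in range(len(classes) + 1):
        for omitted in combinations(range(len(classes)), k):
            alphabet = free_symbols + sum(
                size for i, size in enumerate(classes) if i not in omitted)
            total += (-1) ** k * alphabet ** length
    return total


def brute_count(length, classes, free_symbols):
    """Slow cross-check of required_classes: enumerate every string over a
    toy alphabet and keep those that hit every class (tiny sizes only)."""
    symbols = [("free", i) for i in range(free_symbols)]
    for c, size in enumerate(classes):
        symbols += [(c, i) for i in range(size)]
    needed = set(range(len(classes)))
    return sum(1 for s in product(symbols, repeat=length)
               if needed <= {tag for tag, _ in s})


def compare_policies():
    """Bits of entropy for the policies discussed in the thread."""
    return {
        "Bruce: exactly 8, >=1 digit, >=1 of #$% (65 symbols)":
            bits(required_classes(8, [10, 3], 52)),
        "8 chars, any of 94 printable symbols":
            bits(unconstrained(94, 8)),
        "Nonapod: 10 chars, 94 printable symbols":
            bits(unconstrained(94, 10)),
        "Nonapod: 20 chars, A-Z plus 0-9 (36 symbols)":
            bits(unconstrained(36, 20)),
    }


if __name__ == "__main__":
    for name, b in compare_policies().items():
        print(f"{b:6.1f} bits  {name}")
```

Bruce's policy comes out near 46 bits, below the 52 bits of an unconstrained 8-character password over the same printable set, while Nonapod's 20 alphanumerics exceed 100 bits.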

Matt Sablan said...

On security questions: I lie in the answer to mine. Like, outlandish lies. Like, if a question was, "Where did you go to vacation as a child?" I'll say "Jupiter."

That way, even if someone knows me, they can't crack the security questions.

Bruce Hayden said...

My first computer systems were time sharing systems in the early 1970s. Only got to learn the joys of punch cards later. As a college kid, it shouldn't be a surprise that we tried to hack the system. Tried brute force, over a 110 baud modem, to no avail after maybe a week of trying. The guy who managed to do it used the old fashioned approach - by finding the Admin password taped to someone's monitor in the room with the computer. To none of our surprise, he spent much of the next 40 years working in computer crime in a federal law enforcement agency.

Currently have maybe 150 passwords, often variations on a theme. Need to weed out the obsolete ones some day. But moving rapidly to long phrases that have some meaning to me, but not to anyone else. Like that a lot better than the shorter phrases with weird substitutions (e.g. "0" for "o", "$" for "s", etc) which I inevitably screw up.

Fabi said...

Mine is "I_forgot"

Roy Lofquist said...

Billions of real money transactions are made each day using a 4 digit PIN. So, how is this secure? You only get 3 tries and there are 10,000 4 digit combinations. Using 8 uppercase (or lowercase) letters have 208 billion+ combinations. So, how does a password get compromised?

.. You write it down.
.. Somebody looks over your shoulder.
.. The target site has been hacked, but as noted above most sites hash the passwords.
.. Keyboard loggers. Use a good malware detector.
.. Phishing. Either through redirection (malware) or you respond to an authentic looking email that provides a link. If in doubt enter a phony password, e.g. Aaaaaaaa1!. If the site accepts it the site is phony.

JaimeRoberto said...

At work I have to change my password every 6 months, which can make it difficult to remember the new password. I take a poem or script and take the words in order and do a few other things to satisfy all the requirements. For example, I'll start with There1cwasaMan then I'll use fr0mNantucket, and so on.

Michael K said...

Using 8 uppercase (or lowercase) letters have 208 billion+ combinations. So, how does a password get compromised?

European ATMs take only numbers.

Todd said...

I like SecureSafe. Works on all of my devices, the renewal is reasonable, allows me to store more than just passwords, and what else could I do? I have over 130 passwords...

Michael in ArchDen said...

I wonder if there was ever 90%+ scientific consensus that the "Tr0ub@dor&3" method was the most effective...

Earnest Prole said...

In theory there's no difference between theory and practice.

Rigelsen said...

Ron said: "But changing passwords on a regular schedule has become a habit in computer security."

This has always been a bad habit, and damaging to good password hygiene. It encourages people to write down passwords, or worse, come up with simple, easy to guess, password schemes that often vary just in some digit. Of course, it also tends to be a high source of calls to the IT help desk, so maybe there was a method to the madness.

It has always been better to come up with strong high entropy passwords that you yourself can remember and stick with it until you have to change it for other reasons.

As far as cracking, password files and databases should always use salting (before hashing) to render rainbow tables useless. Unfortunately, many app developers that use such databases never learned this basic technique even when they learned to not store the passwords in the clear. Unix password files have supported salting and hashing since at least the 80s.

Since you don't know how good a particular site or app's password management is, and bad things can happen even if you do, it is a good idea to use separate passwords, especially for important stuff like finance, communications and work applications. As many have pointed out, a personal password database, especially one you can access on the go, can be very handy. They can reduce the hard passwords you have to remember to a handful, one for the password database, and the few more passwords you may have to enter all the time so that you don't have to look them up every time. (My personal password database shows about 250 distinct passwords.)
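
An added example (mine, not any commenter's) of the salted one-way hashing that Ron Winkleheimer and Rigelsen describe: a per-user random salt means two users with the same password get different stored records, so a precomputed (rainbow) table built against plain hashes is useless. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the record layout and the iteration count are my assumptions, not any product's format.

```python
# Added example: storing and checking a password with a random per-user
# salt, next to the unsalted hash it replaces. Record layout and the
# iteration count are assumptions for illustration.
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash'.
    A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(),
                                           digest.hex())


def verify_password(password, record):
    """Recompute the hash with the salt stored in the record and compare
    in constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password):
    """The bare one-way hash Ron describes, without salt: identical for
    identical passwords, so one precomputed table cracks every user
    who chose that password at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same passphrase.
    pw = "correct horse battery staple"
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))   # same value
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted, user A:  ", rec_a)
    print("salted, user B:  ", rec_b)                 # different value
    print("verify A:", verify_password(pw, rec_a))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec_a))
```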

Rigelsen said...

Left Bank said: "There is another problem with passwords that only gets worse as you make them longer. That's typing all the characters accurately in the limited number of tries you are allotted before the system locks you out. I'm finding that harder and harder to do as I get older."

This is a problem, especially on mobile phones with their tiny on screen keyboards. Unfortunately there has always been a tradeoff between security and usability, and security practitioners often don't sufficiently appreciate that concern.

(It used to be commonly said in security circles that the most secure system is one that is stored in a locked closet, powered off and disconnected. Of course such a system is useless. In the last decade or two, though, a lot of so called information security experts seemed clueless about this fact and what it means.)

MadAir said...

"It's in the Wall Street Journal, so good luck trying to read it." Because of the paywall? It's easy to bypass.

1. Log into your Facebook account (sorry, this method depends on you having one).
2. Paste the following into your browser: https://www.facebook.com/l.php?u=
3. Paste the URL of the WSJ article after the u= and hit Enter.
4. Click the "Follow Link" button.
5. Click the X in the upper right corner of the subscription ad.