Credit: Technology Review

Computing

Passwords that are Simple--and Safe

A new approach does away with the need for long strings of letters and numbers.

  • Monday, July 19, 2010
  • By Simson Garfinkel

Researchers at Microsoft have come up with a way to create easy-to-remember passwords without making a system more vulnerable to hackers.

Instead of enforcing complex passwords, as many organizations do, the new scheme makes sure that no more than a few users can have the same password, which has a similar overall effect on security. Further research from Microsoft also reveals why only some organizations insist on very complex passwords.

Increasingly complex password requirements--rules like "passwords must be 14 characters long and contain at least two uppercase letters, two lowercase letters, and three symbols"--make it difficult for attackers to guess passwords using a so-called "dictionary attack," which involves trying many possible passwords in succession.

Without such restrictions, people tend to pick passwords that are easy to remember, easy to type--and easy to guess. For example, when 32 million passwords from the social media website RockYou were inadvertently released last December, nearly half were found to be "trivial passwords" such as consecutive digits, dictionary words, or common names, according to an analysis last January by the Web security firm Imperva.

Requiring that passwords include numbers, symbols, and mixed cases significantly increases the number of possible passwords. With such rules, a dictionary attack becomes infeasible, but passwords also become harder to remember.

One way that system designers try to defeat dictionary attacks is by temporarily disabling an account when a wrong password is submitted more than a few times. This is called account lock-out, and not surprisingly, attackers have discovered a simple way to defeat the approach. Instead of guessing thousands or millions of passwords for a single account, attackers simply guess the most commonly used passwords for thousands, or even millions, of different accounts.
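The two guessing patterns in this paragraph look different in authentication logs, and account lock-out only catches one of them. Below is an added detection example (not from the article or the paper); the log format, the constructed sample lines and the thresholds are assumptions of this example. It flags an account that collects many failures in a short window (the case lock-out handles) and, separately, a source that fails once against many different accounts, which is the cross-account pattern that per-account lock-out never trips.

```python
"""Two online-guessing patterns in authentication logs, and why account
lockout only catches one of them. Added example (not from the article or the
paper): the log format, thresholds and sample lines are constructed here."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "timestamp user source result".
# Source 203.0.113.9 hammers one account (vertical brute force); source
# 198.51.100.7 tries one password against many accounts (statistical guessing,
# one failure per account, so per-account lockout never triggers).
SAMPLE_LOG = """\
2010-07-19T10:00:01 alice 203.0.113.9 FAIL
2010-07-19T10:00:02 alice 203.0.113.9 FAIL
2010-07-19T10:00:03 alice 203.0.113.9 FAIL
2010-07-19T10:00:04 alice 203.0.113.9 FAIL
2010-07-19T10:00:05 alice 203.0.113.9 FAIL
2010-07-19T10:00:06 alice 203.0.113.9 FAIL
2010-07-19T10:01:00 bob 198.51.100.7 FAIL
2010-07-19T10:01:01 carol 198.51.100.7 FAIL
2010-07-19T10:01:02 dave 198.51.100.7 FAIL
2010-07-19T10:01:03 erin 198.51.100.7 FAIL
2010-07-19T10:01:04 frank 198.51.100.7 FAIL
2010-07-19T10:01:05 grace 198.51.100.7 FAIL
2010-07-19T10:01:06 heidi 198.51.100.7 OK
2010-07-19T10:05:00 bob 192.0.2.44 FAIL
2010-07-19T10:05:30 bob 192.0.2.44 OK
"""


def parse_log(text):
    """Return (timestamp, user, source, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def detect(log_text, window=timedelta(minutes=5),
           lockout_threshold=5, spray_min_accounts=5):
    """Return {'lockout': accounts with >= lockout_threshold failures inside
    one window, 'spray': sources that failed against >= spray_min_accounts
    distinct accounts inside one window}."""
    failures = sorted((e for e in parse_log(log_text) if e[3] == "FAIL"),
                      key=lambda e: e[0])
    by_user = defaultdict(list)   # user -> failure timestamps
    by_src = defaultdict(list)    # source -> (timestamp, user) failures
    for ts, user, src, _ in failures:
        by_user[user].append(ts)
        by_src[src].append((ts, user))

    lockout = set()
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= lockout_threshold:
                lockout.add(user)
                break

    spray = set()
    for src, attempts in by_src.items():
        for i, (t0, _) in enumerate(attempts):
            # distinct accounts this source failed against within `window` of t0
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= spray_min_accounts:
                spray.add(src)
                break

    return {"lockout": lockout, "spray": spray}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Run against the constructed log, `alice` is the only lock-out candidate and `198.51.100.7` the only spraying source; `bob`'s two failures from a third address trip neither rule. The per-source view is what makes the second pattern visible at all, since every account it touches sees a single failure.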

The new scheme from Microsoft Research does away with complexity requirements entirely while protecting against both dictionary attacks and statistical guessing. The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it. The scheme can only be used by organizations with millions of users--websites like Microsoft's Hotmail, for instance.

The approach is described in a paper written by Microsoft researchers Stuart Schechter and Cormac Herley, due to be published at the Hot Topics in Security conference in Washington, DC, in August. Michael Mitzenmacher at Harvard University is also a coauthor of the paper.

"Replacing password creation rules with popularity limitations has the potential to increase both security and usability," the authors write. "Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant faction of accounts using online guessing.


Comments

mattgroom, 07/19/2010

my honest opinion...

It will have a dramatic effect on drive-by attacks, those that are there to get into any old account.

It will have negligible or no effect (on its own) on people trying to get into specific accounts.

Password expiry should also be used on these accounts.

Weapon, 07/20/2010

What if hackers try out some passwords that are banned and attack some old accounts?

Maybe some probability scheme can be provided to decide whether a password is banned.

martinaatayo, 07/20/2010

Password construction, security and common database.

Whereas the Microsoft team took up an interesting topic, it is mind pondering why no mention, no declarative statement, or link of any kind to an ongoing concept of creating a common internet browsing password database. It is further pondered if simplification of password along the line of cyber security will likely eliminate internet user information privacy infringement within the context of social media borderless interaction(s). Simplification of user's password construction, as worked on by the Microsoft team, ought not to target, strictly, the problem of recollection each time the user accesses a system, but the wider ease of secure access granting and browsing without compromising both personalized, corporate or services provider's classified information.

Martin Atayo
(In Chicago, visiting)

shatuga, 07/20/2010

Confusing...

I do not understand how this technology prevents statistical guessing for millions of accounts.  Even if users are required to have unique passwords in the entire password pool, it's still possible for a hacker to attack a million accounts simultaneously and distributed, guessing from a large set of  "easy" passwords. 

A distributed attack would be slow to execute but might be feasible.   Requiring cookies for login and limiting login attempts per user cookie (rather than per account) would greatly reduce the chance of success for a hacker.

doanwon, 07/20/2010

Re: Confusing...

Yes, it's a little confusing.  If the service is a public one, the attacker can create an account and then keep changing the password to build up a list of banned passwords that he can later use as sure hit targets.  In a private company, a malicious coworker can use the same method to access other people's data putting the other coworkers more at risk than before.

jonathangrubb, 07/20/2010

Re: Confusing...

You are correct, but the newly introduced problem, building a list of valid passwords, is preferable to the existing problem, having lots of accounts with the same password.

While the hacker knows that a certain password is valid, they don't know what account it is linked to. Since it can only be linked to a small number of accounts, the chance of finding that account is reduced down to ~zero. As stated, this only works when there are lots of accounts.

doanwon, 07/20/2010

Re: Confusing...

I was thinking that it would be much easier for hackers to obtain account IDs in the same way that spammers have been doing it for a living.  With a pool of tenacious hackers from various directions, they can pretty much weave a complete tapestry of accounts that can encompass the system.  Then it's not so difficult to get an automated app to try one password in a long list of passwords for all the accounts--with a sure hit.  With elimination of the breached account this hurdle becomes progressively easier to overcome.

danthompson, 07/20/2010

Keep it simple guys.

I fail to see how removing popular words will make passwords easier to remember... because now they don't have length / complexity requirements?  The problem with this is that users will inevitably choose words they normally do (and are admittedly vulnerable to dictionary attacks), which will then get banned, and then they'll have to come up with new words, which they'll forget because they don't use them on a regular basis.

What they NEED to work on is a way to enforce passPHRASES, not passWORDS.  PassPHRASES are long and complex by nature if you include proper punctuation.  So instead of using 'fluffy' as the password, you'd use 'I love my dog his name is Fluffy!'.  That is trivially easy to remember, is 33 characters long, and includes two capitals and a special character (not counting the spaces as "special characters").  That is a much better solution and can be implemented TODAY with the right user training on systems that accept spaces and long values.

gauvins, 07/20/2010

Re: Keep it simple guys.

The problem with a 33-letter passphrase is the time required to enter it, without typos. I suggest abbreviated passphrases such as, in your case, ilmdhniF. I also suggest context-dependent credentials such that if you are compromised on one site your other logins are safe. An easy way is to insert the first letter of the site (ilmdThniF). Last, I suggest additional combos for sensitive sites, like banking: ilmd2654BhniF. Pick meaningful digits and symbol. Really simple :)

danthompson, 07/20/2010

Re: Keep it simple guys.

That's not a terrible idea for remembering random passwords, but the reality is... what you are suggesting is no longer a passphrase, but a password with random characters.  It could be cracked by brute force in a fraction of the time (less than a day) it would take to crack a true passphrase (arguably never in any realistic timeframe).  True it will take some user training, but I guarantee your users will get the hang of typing it and you won't hear any complaints.  Do the exercise yourself.  Create a passphrase, and then a random password of HALF the length.  I guarantee you'll type the passphrase with greater success than you will the totally random password and it will be infinitely more secure. 

Check out Jason Fossen's rant on the subject here: http://blogs.sans.org/windows-security/category/cracking-passwords/ He also includes a spreadsheet that will help you calculate how long it would take to crack a given password.  Sobering stuff.

I also agree with using different passwords for different sites, but again, the reality is that a lot of users don't.  That's how compromised Facebook passwords lead to compromised paypal passwords.

TeCNoYoTTa, 07/25/2010

Re: Keep it simple guys.

I like the idea of pass phrases, but you said in your post that a password like "ilmdThniF" can be cracked in ~1 day. How come?
(26 * 2)^9 = 2779905883635712 combinations

Phineas, 08/02/2010

Re: Keep it simple guys.

I model passwords in this fashion, with a few punctuations thrown in, if the site will accept them. The use of site letters in the pword is a nice touch. Thanks.

syb, 07/27/2010

Re: Keep it simple guys.

Can't this problem be attacked from the IT side rather than from the user side? If a company wants to keep its data secure, why can't they just take your password, along with everyone else's, and tack on a 32 bit random string of characters, or use an encryption method that they keep locked up and in-house that augments your password behind the scenes? Now you have your password as a level of protection and the encryption tacked on by IT as another level. So users never have to change their password if they don't want to because the institution is changing it for them. I'm not a computer guy so someone else point out why this won't work. =)

gzuckier, 07/29/2010

Re: Keep it simple guys.

a variation; so many sites have the "forgot your password" option which asks you some questions you preselected and decides if you are OK based on your answers.

How about just giving the thing a database of 10 or 20 or 100 questions and answers, and to get in you have to answer a randomly selected 5 or 10 or whatever? If you don't succeed, the next time you get a different selection, which means you get a second chance if you've forgotten one answer, and that the  brute force attack is going after a moving target, as it were.

The questions don't even have to be anything with an answer that could be ferreted out rationally. For instance, you could give yourself a challenge question "alfstoopvoi" to which only you knew that the proper answer was "fnard".

jonathangrubb, 07/20/2010

Required Digits

"Requiring that passwords include numbers, symbols, and mixed cases significantly increases the number of possible passwords."

This is provably false. Requiring numbers does reduce the efficacy of dictionary attacks, but it doesn't increase the number of possible passwords. In fact,  it *decreases* the number of possible passwords.

Here's why:
If a password must be 10 characters long, then the user can choose any character for each of those 10 slots. If a number is required, then one of those slots has a drastically reduced set of characters to choose from, 0-9.

Still, anything that keeps people from making their password "password" is a good move, even if they just upgrade to "passw0rd".

AndrewDover, 07/21/2010

Re: Required Digits

Yes, you are right.  "Requiring" that a particular symbol exists lowers the entropy,  "Allowing" more symbols increases the entropy.

Consider a 3 symbol password made only of the 26 lowercase letters: there are 26^3 = 17576 possible.

Allowing the ten digits and letters gives 36^3 = 46656.

Now add the constraint that one symbol must be a number, and you subtract all the ways in which all symbols are letters, i.e. 36^3 - 26^3 = 29080.
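The counting in the thread above (AndrewDover's 26^3, 36^3 and 36^3 - 26^3, and TeCNoYoTTa's (26 * 2)^9) is one instance of a general rule: a required character class removes every string that lacks it, so the count for several required classes is an inclusion-exclusion over those classes. The block below is an added worked example, not from the article or any commenter; the class sizes (26 lowercase, 26 uppercase, 10 digits, and 32 printable symbols) are this example's assumption.

```python
"""How a composition rule changes the number of possible passwords, worked
through for the counts in the thread above. Added example (not from the
article): a required class removes every string that lacks it, so the count
is an inclusion-exclusion over the required classes. Class sizes are the
usual ASCII ones; 32 printable symbols is this example's assumption."""
from itertools import combinations
import math

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_passwords(length, allowed, required=()):
    """Strings of `length` over the union of the `allowed` classes in which
    each class in `required` occurs at least once (required must be a subset
    of allowed). Inclusion-exclusion: alternately subtract and add back the
    strings that avoid some subset of the required classes."""
    required = tuple(required)
    assert set(required) <= set(allowed)
    alphabet = sum(CLASSES[c] for c in allowed)
    total = 0
    for r in range(len(required) + 1):
        for avoided in combinations(required, r):
            remaining = alphabet - sum(CLASSES[c] for c in avoided)
            total += (-1) ** r * remaining ** length
    return total


def entropy_bits(count):
    """Bits of entropy if every counted password were equally likely."""
    return math.log2(count)


if __name__ == "__main__":
    letters = count_passwords(3, ["lower"])
    allowed = count_passwords(3, ["lower", "digit"])
    required = count_passwords(3, ["lower", "digit"], required=["digit"])
    print(letters, allowed, required)          # the thread's 17576, 46656, 29080
    print(count_passwords(9, ["lower", "upper"]))   # TeCNoYoTTa's (26 * 2)^9
    # The same effect for a 10-character policy over all four classes
    for req in ([], ["digit"], ["digit", "upper"], ["digit", "upper", "symbol"]):
        n = count_passwords(10, list(CLASSES), required=req)
        print(req, n, f"{entropy_bits(n):.2f} bits")
```

For any length and alphabet the three numbers order the same way: letters only, below "digit required", below "digit allowed". Requiring a class costs entropy relative to merely allowing it, which is the point both commenters make, while still leaving more candidates than the smaller alphabet had.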

Phaldor, 07/21/2010

Getting to the point

Whenever I see a discussion regarding the security of a password protected system I have to ask why even debate the topic. The reality is that whatever the rules, password protection schemes are always vulnerable to one or more forms of attack, all of them trivial to a determined cracker. What's more, cracking tools are now packaged and distributed openly in GUI interfaces, making the number of attackers so large that no system can prevent eventual compromise. What is necessary for people to understand is that IT security professionals need a new system to move away from an obviously vulnerable system. Two factor or higher authentication is that necessary step. Some systems using this are inexpensive, trivial to deploy, and highly secure. Any serious online gamer that enjoys playing a game that employs an authenticator system can tell you that they breathe a lot easier after first using the one time key authenticator in conjunction with a password. Some are time based and use mathematical formulas mixed with a seed key making them as unbreakable as the more secure encryption algorithms on the market today. This is where the public sector should be moving. What's even better is that it has minimal user impact and allows for a much less restrictive password rule set.

My two cents

mattgroom, 07/21/2010

banned

The idea that you can identify banned passwords and search every account until you hit the right one, is on the face of it interesting.

I agree it would make hacking people's accounts easier. And this is how they would do it, for those who didn't understand the previous people.

You would create an account and change the password using an automated system, since no system I've seen asks you to authenticate your human-ness when changing your password. This would eventually allow a group of accounts, stolen perhaps by other ways, to easily compromise every other account on the system by brute force.

To stop this I propose any system using this technique incorporate a human based test within the password change system.

The other idea of limiting password changes per hour/day is pointless, counter-productive and will be ineffective before anyone tries to do that.

CREinstein, 07/22/2010

Very Safe indeed!

Facebook has 500,000,000 users, 5m!

If they limit it to 5 active uses of a password, say 5 people can use abc123, then a hacker trying to get into an account using dictionary based attacks has got to find the 5 in 500,000,000 that use this password. Now this is the problem. Before a hacker would try to crack a certain number of accounts using common words. But given there are only about at most 10,000,000 easy combinations, this makes cracking large numbers more problematic. He will get 10% in brute force at most. Not 50% as stated in the article.

This means that the general issues with defense become a matter of gathering ALL email addresses successfully (or suffer another drop in total passwords you can attempt).

However I believe that in smaller pools this would be a disaster... take a company of 50,000 employees for example... If they all chose an easy password, and since a directory commonly exists for their emails, they would be entirely laid open for a hacker to obtain almost all data from those emails the hacker would desire to obtain.

I myself tell people to pick two favorite words, two favorite symbols, and two favorite numbers for those pesky companies that always switch passwords frequently. The number of variations that can be created with that is extreme, but ultimately you can guess it out with ease. And no hacker on the planet will use that much processor time to try to crack a password of that strength. Common site with no changes I just say two words, a symbol, and a number, and make four memorized variations of it... One for trusted sites (banks, emails, and other extremely secure sites), one for mostly trusted sites (games like WoW, craigslist and similar sites), one for probably safe sites (car companies you're applying for credit from, hotels, and the likes) and then insecure sites (like x-rated sites if you're into that stuff [65% of the internet I think?]).

Such password methods work well, are easy to ultimately remember, and have so many possible variations that brute forcing it is hard

Take a simple set of words with two numbers and two symbols on a common keyboard.

Go
eAt
1
4
/

There are only two and three characters in the two words; they have a value of caps included and are from 52 possible letter combinations. They are therefore 52^2 and 52^3 each. The numbers are easier at 10^1 each and symbols are 32^1 each.

This is 2704, 140608, 10, 10, 32, and 32 each respectively in total possible variations. Just flipping the location of the two words forces tests to see their locations (If say the hacker somehow knew two words were used of two and three characters in the first two spots and needed to test every letter combination) this becomes 760,408,064 outcomes.

Once you start twisting it around with characters and numbers as well, then the number of tries, even if you knew the length, that it has two caps letters and three lowercase, two symbols and two numbers, and that the letters are clumped into two and three character sets, becomes so high that it is for most intents and purposes uncrackable.


For the record I do not recommend two digit or three digit words, but four or more and easy to memorize.

Previously, before a trusted site of mine was hacked and I changed all my passwords I used:

@allcosts12* for my least secure (a three and a five digit word), and variations were 1*costsall@ 1costs*@all and all*costs1@ (from lowest to most trusted)

With proper password protection on easy to know words, numbers, and characters, this makes most sites with heavy security even more protected with ease of memory.

If you're scared of this, just use two words, one number, and one character in an easy to identify sequence. 1%toRule for example. You have 24 variations you can use, and you're only in danger if one of your sites gets hacked and the passwords get found out.

bgislason, 07/22/2010

sounds insecure

I'm not certain on this but could this not make it easier for hackers? They just need to create accounts and test a variety of passwords until they are told it is banned. They could then test that password against many users until it associates and presto.

jhhl, 07/23/2010

A middle path

A middle path - one that's halfway between badly chosen but easy to remember short passwords and long, secure, hard to remember or type pass phrases would be: to require more than one unique password on each account. Already you can think of the "username/password" combination as a binary password, which has the extra property of treating the first "password" as an account id. So why not increase the number of password fields, and never allow any of them to match. It would be a "reframing" of the passphrase solution in an easy to understand way. You could make up security rules to say one of these things should be a number you like.

paulie_paulie, 07/24/2010

Dictionary Attacks

If Dictionary attacks are the problem then is it not better to look at preventing such attacks by only allowing a single access request every 10 seconds or so and/or locking out for a short period of time when a password is entered incorrectly multiple times.

mattgroom, 07/24/2010

hackers

I'd be surprised if people's accounts are not being attacked constantly in a public environment...

Hence any long term denial of service to its users is a bad idea.

Denial of service is currently the in-thing for hackers. They don't care that they don't have access as they can make it so you don't have access. Their job is done.

Remember that at the moment the hacker gets a "password is wrong" reply, to which they can constantly try to brute force the attack, taking forever. Hence the term brute-force: they could conceivably test every variation until they strike lucky.

Now consider this proposal: you run a botnet of 500000 computers across the world and have each running a brute force attack against a public service. These accounts create every password for an account and sometimes it comes up saying password in use!

They have in one swoop ELIMINATED brute force attack. They have just been given a free password.

Talk about the most insecure system in the world....

It would then take 500000 computers accessing every account 1 hour to find every account with that password. And the process continues.

I estimate it would take a large botnet a month to break every password in even the largest public system.

Now consider that there are hundreds if not thousands of botnets out there commanding 100,000s of computers or more. They are in fact bought and sold in bulletin boards/websites in the hacker world... (allegedly).

The oldest trick to defeating computers automated brute-force attacks is with the human verification systems. They ask you to look at a picture and tell you what it says.

The problem today is these don't work anymore... because computers with neural nets can easily decipher them. Hence accounts are being brute-force attacked at the moment....

The concept of having a password is pretty moot anyways; most systems are so insecure that they don't need them. And if you really wanted access to a system permanently you just get employed there. Many governments, companies and hacker groups have people placed in areas where the concept of "hacking a password" to gain access is laughable.

In fact if you want to catch a spy yourself, look at the employees going through Google after the China incident and see who's applied for a job. I bet you a person having been and worked in China would have applied...

Now you have caught your spy...what do you intend to do with them!

(I used to do some security work a long while ago)

nphyx, 07/26/2010

Wisdom From On High

"When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."

This is an inspired phrase. Someone needs to stamp this on the front door of every agency in the world somehow intended to "protect" people. If people understood this, they'd understand why security checkpoints, let alone full-body scanners, in airports need to go away, why metal detectors in courtrooms are entirely useless, and why pointing pencils at each other in the classroom is not a suspension-worthy offense.

I had just about written up a lengthy reply on the subject of the article, but as I reasoned through it I grokked. This is a very interesting idea; I'd like to see some implementations in the wild. One question I have is, how do you reasonably secure your database of used passwords? Assuming you use the common "hash of password + other user supplied field (like username)" scheme, you are going to have to store your passwords in plaintext in order to compare them, or at the very least store a hash of just the password via some algorithm (not much better). Because the passwords aren't linked with any particular account an attacker still has quite a bit of work to do if he gets at that database, but it still feels to me like you're trading one kind of insecurity for another.

Losing a database into the wild sucks, but it sucks a lot more when that database increases the risk of continuous attack in an adversary's possession. I'd much rather have a list of plaintext passwords that will let me get into accounts tomorrow, the day after, and the day after that, than just a dump of the current database (in some cases I may rather have just the former than just the latter).

snardiff, 08/22/2010

Re: Wisdom From On High

We have similar problems at our organization. Every year the password requirements get more and more stringent. There is no evidence whatsoever that this makes accounts more secure.

capacity, 08/22/2010

Re: Wisdom From On High

How do you know that your systems are not more secure?

snardiff, 08/22/2010

Re: Wisdom From On High

I guess we don't.

voretric, 11/17/2011

Re: Wisdom From On High

Generally speaking Data Security is an issue everywhere, Encryption products and technology should be the way to go.
