If everyone followed good password advice, we’d be less secure

Passwords are hard. To be useful, they must be hard to guess. But the rules we put in place to make them hard to guess also make them hard to remember. So people do the minimum they can get away with.

Earlier this week, security company Webroot took a look at the unintended consequences of password constraints. The rules organizations set in order to ensure passwords are sufficiently complex reduce the total number of possible passwords. This can make automated password guessing more

Good passwords are easy for the user to remember and hard for computers and other humans to guess. Let’s say I wanted to use a password like 2Clippy2Furious!! Various password checking sites rate it highly. It’s 18 characters long and contains upper- and lower-case letters, digits, and special characters. But because it contains consecutive repeating letters, some companies won’t allow it.

Writing for Webroot, Randy Abrams says “it’s length, not complexity that matters.” And he’s right. That’s the point behind the “correct horse battery staple” password in XKCD #936. So let’s all do that, right?

Well…it’s not so simple. If I were trying to brute force passwords, and I knew everyone was using four (or five or six) words, suddenly instead of “CorrectHorseBatteryStaple” being 26 characters, it’s four. Granted, the character set goes from 95 to (using /usr/share/dict/words on my laptop) 479,828. “CorrectHorseBatteryStaple” is many powers of 10 more secure if the attacker doesn’t know you’re using words.

And let’s be real: they don’t. This hypothetical weakness has a long time before it becomes a real concern. Don’t believe me? Just look at the password dumps when a site gets hacked. There are a lot of really bad passwords out there. If we took all the constraints off (except for minimum length), people would just use really dumb, easily-guessed passwords again. But it amuses me that if everyone followed good password advice, we’d actually make it worse for ourselves. Passwords are hard.

Sidebar: Yes, I know

The savvier among you probably read this and thought “it’s better to use a random string that you never have to memorize because your password manager handles it for you. Just set a very long and memorable password on that and you’re good to go.” Yes, you’re right. But people, even those who use password managers, will often go to memorable passwords for low-risk sites or passwords they have to use often (e.g. to log in to their computer so they can access the password manager). 

One thought on “If everyone followed good password advice, we’d be less secure

  1. Wow, I wish I had seen this back when I wrote the piece on password constraints.

    It is erroneous to say that a four-word passphrase is four characters. Four tokens, yes, but not all tokens are characters. You allude to the math when you said the character set goes from 95 to 497,828, but you followed up with a sentence that really means nothing without numbers.

    What length of a password are you comparing to a four-word passphrase when you say that “CorrectHorseBatteryStaple” is many powers of 10 more secure if the attacker doesn’t know you’re using words.” For many scenarios it doesn’t matter if the attacker knows you ware using words. Incidentally, I recommend a minimum of five words. Four was enough back when the XKCD example came out.

    Let’s do some number comparisons.
    5-character password – 7,737,809,375 permutations
    5-word passphrase – 100,000,000,000,000,000,000 permutations. That’s assuming a 10,000-word dictionary. It makes no difference if the attacker knows I am using words. If you are using a 497,828-word dictionary, then a five-word passphrase would have 30,577,121,419,109,500,000,000,000,000 permutations. The 5 words have 3,951,650,904,957,780,000 times more permutations than the 5-character passphrase.
    8-character password – 6,634,204,312,890,620 permutations
    5-word passphrase

    There are a few critical points here.
    1) How big is your dictionary? A 497,828-word dictionary is not feasible for a brute force attack. The odds are that you will be dead before a 5-word passphrase is cracked, or passwords will be. Of course, one lucky guess and it’s all over. Unless a lucky guess is impossible. Next item
    2) Just one word that isn’t in the dictionary and a two-word passphrase will beat the token attack. Perhaps even one word. Is pneumonoultramicroscopicsilicovolcanoconiosis in your big dictionary? OK, I can’t remember that word either ? Out of curiosity, are razzmatazz and bemuzzling in your big dictionary? If just one of them is not in your dictionary, then using the two words gets me at least a 20-character password that you will never crack with your dictionary. I can remember “bemuzzling razzmatazz” (21 characters with the space). Darn, now I can’t use it.
    3) We are talking about an offline attack. Nobody gets 2 billion attempts at your gmail password or Facebook password.
    4) You have to compare net security gain or loss to make a useful assessment. What is the status quo vs the resulting security profile?

    Yes, with a password manager all your eggs are in one basket, but if you reuse passwords they are as well. I’d run with the password manager adds security if it gets people to use different passwords at different sites, especially good passwords.

    An example I use to teach people how to make a fun, memorable, secure passphrase is “piglet was one cute little dude.” Over 30 characters and 6 words long. Tell me how long it takes you to brute force that. How likely is “piglet” to be found in a dictionary of a reasonable size. Reasonable means that there are not so many permutations that a brute force attack can finish in time.

    Before you go onto predictable sentences, we also have predictability with common password construction techniques. Of your 33 symbols, only a handful are regularly used. Effectively we are not talking about a 95 character-set.

    As for logging onto the computer to get access to the password manager, I’d guess the risk of that local attack happening is far less than the risk of reusing passwords.

    I do not see any supporting evidence for the title of your blog, in fact I think it is not representative of the truth. It does have good marketing value as a title though.

    As a side note, numerically a fully constrained 8-character password still has more permutations than an unconstrained 7-character password ?

Leave a Reply

Your email address will not be published. Required fields are marked *