
Among the more security savvy community (very much including security.stackexchange) there is an ongoing discussion about the strength of different password policies. Examples include the Tr0ub4d0r&3 vs correct horse battery staple, Bruce Schneier's scheme, the BBC scheme, among others.

These different approaches have all been examined in-depth, down to entropy-level calculations, how easy certain passwords are to remember, etc. -- and I think we can all agree on the qualities good passwords need.

Also, we all know the stories of password, love, 123456, qwerty and all the other useless phrases that the average Joe sometimes relies upon and that appear every time a large collection of passwords gets leaked somewhere.

But have there actually been known cases where people invested some thought/effort in picking passwords which in hindsight proved to be too weak? I sometimes get the feeling that if an organization/person is aware of the password issue, and has even a basic understanding of security principles, they are already 99.9% safe on that front.

To reformulate the question:

How often has password strength been an actual security problem in a professional context?

With 'professional context' I explicitly mean a context where some informed decision was undertaken to choose decent passwords.

E.g. somebody picked a non-trivial password (maybe Tr0ub4d0r&3-style), and it was actually cracked and exploited in a context where a different scheme would have proven more resilient (and where the reason for the incident was not some other failing part of the security chain).

fgysin
  • "I think we can all agree on the qualities good passwords need." not even close :D I personally think most research on the topic is deeply, deeply bogus. The strength of an individual password from an individual user means absolutely nothing in 2016. – Steve Dodier-Lazaro Jan 26 '16 at 13:02
  • This is what I meant, really. Is it actually worth our time to still be discussing password policies when an exploit/backdoor/phishing/social engineering/... attack is so much more likely... – fgysin Jan 26 '16 at 13:38
  • I would love to answer this question, however it would be too based on opinion rather than fact. – GdD Jan 26 '16 at 13:39
  • Agreeing with @GdD here. I have unpublished research which explains why current password research *might* be a problem but I'm not willing to share that pre-peer-review. I can go on and on about why there *might* be issues, but if you want a somewhat objective account of the limitations of password policies on actual security... come back in 10-15 years, even the best researchers in our field aren't able to do that yet. Partly because we don't have good enough methods for measuring security outcomes in organisational contexts, at least yet. – Steve Dodier-Lazaro Jan 26 '16 at 14:12
  • I think another way to answer your question is to look at what has been found in public password dumps, specifically cases where the passwords were hashed and a large percentage were cracked. For example we do sometimes see different password techniques showing up in those large sets of "cracked passwords" which would imply that the users did attempt to do something beyond the basic level of passwords. I think the fact that these too occasionally get cracked means that teaching better password development techniques is in fact still relevant. – Trey Blalock Jan 26 '16 at 15:18
  • Why the votes for close? Can someone suggest an edit that would make this question more eligible? (I'm really asking for *specific real world occurrences of failure of decent password policies* - this seems answerable to me, if not necessarily obvious.) – fgysin Jan 26 '16 at 15:18
  • The problem is that very few breaches are dependent on a single factor, such as password policies being weak. Weak password policies won't cause database extraction. They won't help with poor password storage. However, the breaches you see which include passwords usually have both of these. There are other breaches, but if you can't crack the passwords, you can't assess the password strength. – Matthew Jan 26 '16 at 15:44
  • Hey @fgysin [this paper](http://passwordresearch.com/papers/paper462.html) may not answer the part of your question about a weakly created password actually being exploited but it does provide insight on what password strengthening measures average people take that may not provide much security benefit. – PwdRsch Jan 26 '16 at 17:29
  • As for your question about failure of decent passwords, there are a few examples that I can think of, but here's a [pretty good one](https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Ryan-Castellucci-Cracking-Cryptocurrency-Brainwallets.pdf) regarding bitcoin brainwallet cracking by Ryan Castellucci. If you look at page 33 of the slide PDF he lists a few examples of the passphrases he cracked, which I'd argue many people would believe most of them were secure, and yet they weren't strong enough in this case. – PwdRsch Jan 26 '16 at 17:34
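Added worked example (not part of the question or any comment above): it ties together the "entropy-level calculations" the question refers to and the brainwallet case PwdRsch points at. Classic brainwallets derived the private key as a single unsalted SHA-256 of the passphrase, so an attacker who knows an address can test guesses offline at raw hash speed. The script below runs a small mangling-rule engine (capitalisation, leet substitutions, digit/symbol suffixes) over a constructed wordlist against such a digest and recovers Tr0ub4d0r&3, then compares the log2 search-space size of that scheme with a four-word passphrase. The wordlist, the rule set, the 50,000-word dictionary, the 7776-word phrase list and the guess rates are all assumptions chosen for illustration; the four-word figure assumes the words were chosen uniformly at random, which is exactly what the brainwallet victims did not do.

```python
"""Mangling-rule guessing against an unsalted SHA-256 digest.

Constructed example, not taken from the original post. The wordlist,
rule set, dictionary sizes and guess rates below are assumptions.
"""
import hashlib
import itertools
import math

# Constructed wordlist; a real run would use a dictionary of ~1e5 words.
WORDLIST = [
    "password", "welcome", "dragon", "monkey", "shadow", "master",
    "letmein", "sunshine", "princess", "football", "trustno1",
    "troubador",  # the (mis)spelling behind the xkcd-style example
]

# Classic leet substitutions; a guess applies a subset of them to every
# occurrence of the letter.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*?"


def brainwallet_key(passphrase: str) -> str:
    """Classic brainwallets used SHA-256(passphrase) as the private key:
    one unsalted, fast hash, so guesses can be tested at raw hash speed."""
    return hashlib.sha256(passphrase.encode()).hexdigest()


def mangle(word: str):
    """Yield every candidate the rule set derives from one base word."""
    letters = list(LEET)
    for base in (word, word.capitalize()):
        for k in range(len(letters) + 1):
            for subset in itertools.combinations(letters, k):
                mangled = base
                for ch in subset:
                    mangled = mangled.replace(ch, LEET[ch])
                yield mangled                      # bare word
                for d in DIGITS:
                    yield mangled + d              # trailing digit
                for s in SYMBOLS:
                    for d in DIGITS:
                        yield mangled + s + d      # symbol + digit, e.g. "&3"


def crack(target_hex: str, wordlist=WORDLIST):
    """Return (passphrase, guesses) if a rule-derived candidate matches,
    else (None, guesses). Duplicate candidates are counted once."""
    guesses = 0
    seen = set()
    for word in wordlist:
        for cand in mangle(word):
            if cand in seen:
                continue
            seen.add(cand)
            guesses += 1
            if brainwallet_key(cand) == target_hex:
                return cand, guesses
    return None, guesses


def keyspace_bits(num_words: int, scheme: str) -> float:
    """log2 of the search space for the two schemes under discussion."""
    if scheme == "mangled-word":
        per_word = 2 * 2 ** len(LEET) * (1 + len(DIGITS) + len(SYMBOLS) * len(DIGITS))
        return math.log2(num_words * per_word)
    if scheme == "four-words":
        # Assumes four words drawn uniformly from a list of num_words.
        return math.log2(num_words ** 4)
    raise ValueError(scheme)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate a space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    found, n = crack(brainwallet_key("Tr0ub4d0r&3"))
    print(f"recovered {found!r} after {n} guesses")
    print("four-word phrase with spaces:", crack(brainwallet_key("correct horse battery staple"))[0])
    # Assumed rates: ~1e9 SHA-256/s on one GPU vs ~1e4/s for a tuned slow KDF.
    for scheme, words in (("mangled-word", 50_000), ("four-words", 7776)):
        bits = keyspace_bits(words, scheme)
        print(f"{scheme:13s} {bits:5.1f} bits  "
              f"sha256: {seconds_to_exhaust(bits, 1e9):.2e} s  "
              f"slow KDF: {seconds_to_exhaust(bits, 1e4):.2e} s")
```

The rule set is deliberately tiny compared with a real cracker's, and it still covers the mangled-word scheme in well under 2^30 guesses for a 50,000-word dictionary; the phrase scheme only wins if the words are genuinely random, and the hash in front of the secret (fast SHA-256 versus a slow, salted KDF) moves the time-to-exhaust by several orders of magnitude on its own.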

0 Answers