7

Over the last few months I have had to enter WiFi passwords into smart phones, TVs, printers, etc. None of these have real keyboards, and they make it hard to enter long passwords or passwords that contain symbols etc. Therefore all the normal rules about choosing good passwords seem to be out of date…

(It took ages on the phone for me to explain to someone how to enter their password into a “TV stick” due to these issues and not having the same “TV stick” to try it out on myself.)

Ian Ringrose
  • @drewbenn Please tell me that's sarcasm. – Iszi Jan 27 '16 at 19:53
  • @drewbenn WPF seems to not work most of the time. – Ian Ringrose Jan 27 '16 at 19:56
  • What about 4 or 5 space-separated words? Something like 'eraser boat yellow expensive airplane'... Easy to type, your auto-correct probably will not mess with it, and with enough entropy. – ThoriumBR Jan 27 '16 at 20:02
  • @drewbenn Fair enough point. But you should really disclaim such suggestions up-front. Don't need anyone coming back here to complain after they mistakenly took it too seriously. – Iszi Jan 27 '16 at 20:02
  • It's not a problem with the password rules being out of date; you are simply encountering a negative user experience when entering good passwords on devices not intended for fast character entry. – PwdRsch Jan 27 '16 at 22:45
  • @ThoriumBR, I have yet to find an issue with auto-correct, as it does not operate in any input field that is set to type "password". – Ian Ringrose Jan 27 '16 at 23:21
  • @IanRingrose It happens when you send the password to someone via WhatsApp or something like that. – ThoriumBR Jan 28 '16 at 10:22
  • @IanRingrose Auto-correct aside, Thorium's suggestion would be more efficient on keyboards that have features like Swype or predictive text. You could enter passwords effectively one word at a time, instead of one character at a time. – Iszi Jan 28 '16 at 14:24

7 Answers

7

Most good password advice (suggesting long passwords with characters randomly selected from a large character pool) will not ever go "out of date", except perhaps with regards to "minimum length" recommendations. (Used to be 8, then 12. Soon enough, if not already, 12 will be too short too. I recommend 15, preferably 20+.)

The problem you have is one that cannot be worked around without weakening the strength of your password, because strong passwords will never be very human-usable regardless of what interface you're using to enter them. The really strong passwords aren't even fun to enter on a full QWERTY desktop keyboard, let alone any of the more limited UIs available on "smart" devices of any sort. The best passwords aren't even human-memorable.

Unfortunately, that's just the nature of the beast. You can have a strong password, or you can have one that's easy to use and remember. Intersecting the two is nigh-impossible.

Some suggestions for your WiFi network:

  1. Pick a PSK as long and random as your router will allow. You'll generally only have to enter it once per device, so you're getting solid protection for practically zero impact to your daily life.
  2. Be very selective of who and what you allow onto your WiFi network. This saves you the headache of having to enter in the password (or talk someone through it) more often than you really need to, and reduces the attack surface of the network as well. Troy Hunt has a blog post on the subject that's worth a read.
  3. Wire things up wherever possible. If something doesn't need to move around, it doesn't really need to be wireless. Again, this saves the headache of punching in the PSK when you really don't have to. It also helps network performance for the device you're hard-wiring (giving it higher speed & reliability), as well as the devices you're leaving on WiFi (freeing up airtime for them).
Iszi
  • I think this is bad advice. First off, strong passwords can absolutely be human readable and they can be composed of nothing but alphabetic characters. Take a look here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/. The OP was right that all this strong password nonsense is dated. **Longer is stronger**. Lastly, the bits about not using WiFi are not helpful. The question is basically: "_assuming I have to do it_ what's a good password?" Answering "_don't do it_" isn't helpful. Especially in this case, where setting a password is something he really has to do. – Paco Hope Jan 29 '16 at 13:41
  • @PacoHope The problem is, partially, an X/Y issue. OP is complaining that he can't follow common password guidelines because it's a pain to enter them on anything other than a full-size keyboard. The easiest way to deal with that is to just not have to do it, which, in the OP's scenario, is generally very possible and would also enhance the performance and security of their network. – Iszi Jan 29 '16 at 15:19
  • As for the password guidance, your thinking is somewhat flawed. Yes, length will generally increase entropy more than the size of the character set. But the increase is substantially smaller when you do limit your character set. It becomes even smaller if you start chunking characters together (i.e.: using words, instead of randomly selecting each character individually). Also, you're misinterpreting my statement - I said strong passwords aren't human-***memorable***. This has nothing to do with their readability. (Of course they must be readable, otherwise we couldn't enter them.) – Iszi Jan 29 '16 at 15:23
  • I linked to a blog post full of pointers to credible research on password length and complexity. It's better than anything I can do myself. But the point is that "correct horse battery staple" is stronger and massively easier to type than "Tr0ub4dour&3". Link to some research that shows otherwise. When you get up in the 15-20 character length you don't need to worry so much about crazy variety in character set. – Paco Hope Jan 29 '16 at 16:47
  • @PacoHope But when you get into the 15-20 character range, you're already stretching the patience of anyone trying to enter the password on anything other than a full-size QWERTY keyboard. So, why *not* bump the strength up a notch anyway? – Iszi Jan 29 '16 at 19:18
  • I think it's about efficiency and ease of entry. On crappy UIs, like TVs and stuff, special and upper-case characters often take 2 or 3 taps/button presses, etc. just to type one. There's a symbols page, a shift key, etc. So if I'm going to do 2 or 3 taps/presses, why not just put 2 or 3 lower-case letters into the password? For example, it's 17 taps on an iPhone to get Tr0ub4dour&3. For the exact same effort I could have a password of 17 lower-case letters that would actually be stronger. – Paco Hope Jan 31 '16 at 12:31
  • @PacoHope It doesn't help that the stock iPhone keyboard is a much more poorly designed touch keyboard than the stock Android one in the first place. On Android it is 14 presses to enter that word (I need 2 presses for the capital T; the rest is still 1 button). – ewanm89 Oct 30 '16 at 20:41
  • It doesn't matter how well an Android or iPhone keyboard is constructed. The OP was about TV remotes and devices that are substantially worse. I stand by my original guidance that if you have to do 15 taps, 15 lower case letters is a better password than 8 or 9 mixed-case, symbols, and so on. My point is that it is utterly irrelevant how easy it is to get capital letters and symbols. You can have perfectly strong passwords without them as long as they have lots of characters. – Paco Hope Nov 04 '16 at 14:22
5

This was suggested in a comment but isn't an answer yet for some reason.

I suggest using the concept used by diceware and made popular by a certain ubiquitous XKCD comic.

That is, get a word list of a few thousand words, and randomly (i.e. using dice or numbers from random.org or a high-quality PRNG) choose some words from the list. This set of words is your password.

For WiFi passwords I recommend you don't use the standard Diceware list, because it includes a bunch of punctuation and the like which you want to avoid on smartphone keyboards or other places this is hard to enter.

Instead use something like the 5000-word sample list from the Corpus of Contemporary American English or the New General Service List (2000-3000 words) for your source of words.

This should let you choose a WiFi password that's easy to type in since it is all common words which you probably know how to spell, with no punctuation, yet is completely random. Since it's a WiFi password you're probably going to write it down somewhere so generate as many words as you need for the level of security you want. 5-8 words should be plenty, and much easier to tell somebody one word at a time than painstakingly typing one character at a time while switching keyboards back and forth for the usual type of password.

Ben
3

Try a passphrase (this method is also recommended by Snowden. If you do a search on youtube you'll find a few of his related videos). This method allows your password to be extremely long and very easy to remember.

Example:
- Create a phrase such as "thinkingoutloudonasundaymorningat110dbwith4beersinthefridge"
- Swap a few characters with numbers, capitalise some letters, get a bit creative.

This is just a starting point and you can make your key much more complex by adding words from different languages, making your passphrase more illogical, or even making up words. Using your imagination is key here.

2

If you want security with ease of use, it may be easiest to just randomly generate a long password of nothing but lowercase letters (or numbers if you are using flip phones). The basic point of password security (I'm oversimplifying here) lies in the concept of entropy which in this context means the difficulty in guessing. So what this means for you is that out of x number of possible password combinations, how long would it take an attacker to 'guess' the correct one? The answer is a function of how many guesses the attacker can possibly make and how many guesses the attacker does actually make.

For instance, if you have a 4 digit long password and allow only digits 0-9, you would have 4^10 possible password combinations, this may seem like a high number but consider that an attacker could potentially 'guess' really quickly (depends on the resources thrown at the guessing algorithm).

The bottom line is that if you limit your pool of unique characters (IE just use lowercase letters or digits) then you would need to increase the minimum password length.

Matthew Peters
2

For one of the businesses I work with, they need to allow employee access to their network, as well as various devices that report data back to a central server.

With a key rotation requirement in place, entering a wifi key into every device was pretty time consuming. One of the requirements I imposed was the key had approx 64-bits of entropy, which for a password is quite a bit, but was designed to eliminate brute force attacks within the key rotation schedule.

The key needed to be fairly easy to enter on both a keyboard and a mobile device, and not be unnecessarily large or insecurely small. The solution I came up with is to use groups of lower case letters and numbers, or just a long random number.

anu629brq763pfr = 62.2 bits
5167053194830046378 = 63.1 bits

Obviously, neither of these are very memorable, and they did not need to be because of the environment they are used in, but the grouped method did allow someone to remember it while entering it into half a dozen devices (me). Usually I would make a typing mistake at least once when entering a complex password a bunch of times, but by separation of letters and numbers, I did not mistake an l for a 1 or an O for a 0. Grouping can keep the error rate very low during entry, in fact I did not make any mistakes, every device connected the first time, and that is not typical for me.

The additional advantage to generating the codes in this way is they are very easy to enter on things like mobile phones and television remotes, and contain no spaces, capitalization, or punctuation, but they do need to be long to compensate. Since they are essentially random (within constraints), they do not need to be as long as a password with guessable words or phrases.

In this situation we had a business grade router with the ability to use multiple SSIDs on the same frequency, each with separate encryption keys, and could isolate employee access from other devices for security purposes. For most people this is not necessary, although I would not trust a smart TV to be on the same network as the rest of my devices...

Richie Frame
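The entropy figures that Matthew Peters, Ben and Richie Frame reason about above come from the same arithmetic: `length * log2(pool_size)` for independent uniform picks (so a 4-digit PIN has 10**4 candidates), and `words * log2(list_size)` for a word list. The following Python is an added example, not code from any of the answers; it reproduces the 62.2-bit and 63.1-bit figures for the grouped keys quoted above and generates a fresh key of the same shape with the OS CSPRNG. The `spec` mini-language ('a' = lowercase letter, 'd' = digit) is an assumption of this example.

```python
import math
import secrets
import string

# Added example, not code from any answer on this page. It assumes every
# symbol or word is chosen uniformly at random (a CSPRNG or dice), which is
# the precondition for the "bits of entropy" figures to mean anything.

LOWER = string.ascii_lowercase   # 26 symbols
DIGITS = string.digits           # 10 symbols
POOLS = {"a": LOWER, "d": DIGITS}  # spec letters for the grouped scheme


def bits_for_uniform(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from a pool.
    Candidate count is pool_size ** length, so bits = length * log2(pool)."""
    return length * math.log2(pool_size)


def bits_for_groups(spec: str) -> float:
    """Entropy of a grouped key: 'a' = random lowercase letter, 'd' = digit.
    'aaadddaaadddaaa' is the shape of anu629brq763pfr from the answer above."""
    return sum(math.log2(len(POOLS[c])) for c in spec)


def bits_for_wordlist(list_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly (with replacement) from a list."""
    return words * math.log2(list_size)


def generate_grouped(spec: str) -> str:
    """Make a key of the given shape with the OS CSPRNG, so the entropy that
    bits_for_groups() reports actually holds for the generated value."""
    return "".join(secrets.choice(POOLS[c]) for c in spec)


def matches_spec(key: str, spec: str) -> bool:
    """True if `key` has exactly the letter/digit shape described by `spec`."""
    return len(key) == len(spec) and all(ch in POOLS[c] for ch, c in zip(key, spec))


if __name__ == "__main__":
    shape = "aaadddaaadddaaa"
    print(f"4 digits (PIN)       : {bits_for_uniform(10, 4):5.1f} bits")
    print(f"17 lowercase letters : {bits_for_uniform(26, 17):5.1f} bits")
    print(f"grouped {shape}: {bits_for_groups(shape):5.1f} bits")
    print(f"19 random digits     : {bits_for_uniform(10, 19):5.1f} bits")
    print(f"6 words from 5000    : {bits_for_wordlist(5000, 6):5.1f} bits")
    print("fresh grouped key    :", generate_grouped(shape))
```

Note that the figures only hold when the generator is a CSPRNG or dice; a key you make up by hand has far less entropy than its length suggests, which is the point several commenters make about patterns.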
1

You were right at the beginning. This is a password for a Wifi network. It has some different properties than something for, say, your bank or your company. For one thing, you'll be entering it on a zillion different devices—many of which have terrible user interfaces. (TVs, PS4, printers, mobile phones, etc.) So if you do the usual advice and put in all sorts of symbols and things, you're dooming yourself to a life of misery with these interfaces. I think it is safe to say "longer is stronger". And if you can manage to think of a long phrase that makes sense, just type the whole thing. Remember also that spaces are completely legit in WiFi passwords (though, again, you may find some devices don't do it well).

So a password like "this is a secure network" is perfectly good enough for a WiFi network and is simple enough to type. The password strength estimator zxcvbn is really good. https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

Paco Hope
-1

You need to have a long password but you also need to use as many character types as you can and as randomly as possible. The less random you are the weaker you are.

But let's compromise so that security is convenient because we can do good things here still and meet in the middle.

Despite how it looks, this is a very strong password: "AAAA 9999 ???? aaaa 0000 !!!!"

You get some subtraction of security from repeated characters and consecutive characters and consecutive types like uppercase or numbers but in a brute force scenario it would take an octillion years because the only way they would crack you is by using lower, upper, number, and symbols on the above 29 character password.

Now the attacker could create dictionaries to help them with this sort of password schema; the reason why is that it's a pattern, and then it would be less good. But it only helps the attacker if this pattern was very common and got good success rates, which it does not at this time. An attacker wants to crack you very quickly; you just need to make him tired of trying before he wins.

But that 29 character password is easy to remember so why not make it a little longer.

"AAAA 9999 ???? aaaa 0000 !!!! zzzz 7777 .... ZZZZ 5555 @@@@"

If you want to take this up a level do mixed characters together instead of repeating the pattern.

"ABCD 9876 .,?! wxyz 1234 '@&$"

Which of the last 2 is harder? Well, AAAA is longer but ABCD has a more complex pattern.

The answer is ABCD because it is more random. If you did AbCd 9$8&7@6' wXyZ that would be even more secure and the pattern harder to notice. I alternated character case, numbers and symbols. I also changed the pattern between the spaces etc., so I now have a more random and long password that would be near impossible to both brute force and dictionary attack.

Just make one like that last one that is random but easy to remember and type for your devices and you're good. Also note that length is good but length without complexity could be a risk. Try to make it to about 30+ characters for wifi.

Hope this helps.

David
  • I'm not seeing a lot of 'random' in your example 'strong' password. I like that you want to talk about favouring entropy in restricted situations, but you don't actually go so far as to recommend high-entropy solutions. Yes, you can gain entropy with randomness and length when you lose it for lack of character space, but you don't actually pull all that together in your answer. – schroeder Oct 30 '16 at 21:11
  • "Can't type certain characters? Make up for it by a longer and random password!" – schroeder Oct 30 '16 at 21:12
  • I'm trying to solve the original pain point for people to set up a wifi password that is easy to type into devices with a poor keyboard setup. I'm encouraging randomness in support of them going that route, and how they can control the security level themselves and what a more and more secure password looks like. Sure, using something like LastPass and fully generating a secure password is ideal, and for phones you could do something like scan a QR code, but if the premise is that keyboard entry is not there or limited, that progression of randomness provides strong and increasingly stronger passwords. – David Oct 30 '16 at 23:39
  • Oh wow, QR code. I may just print off one for my wifi password, that's not a bad idea... – Ben Oct 31 '16 at 13:44