3

I have seen many questions concerning passwords: how to measure password strength, why don't we pick passwords for the users and obviously the best one: passwords vs phrases and the one i would like to focus on a bit more.

Something I have never understood is, if you create a pass phrase, what ever it may be. lets say: ILoveAskingUselessQuestions (or even separate by spaces) or a password: 1L@UQ, now I get that that the password is shorter so easier to brute force. If it wasn't for brute force the password would be harder to obtain.

But we do live in a world with brute force therefor (with increasing computer speed) the shorter something is the more insecure it becomes.

I would argue a pass phrase is always the best thing to use. obviously with pass phrases you would get a similar trend as with passwords some phrases would show up more than others. Now obviously there are ways to prevent this and ways to check for this so it should not be a real issue.

If people were to use something personal in their pass phrases no attacker would ever be able to gain passwords (if password hashing schemes are done properly). You could argue attackers would make a list of words and try every combination but such a list would be language specific (an English attacker would never get a dutch password that way).

So my question is, why don't we make it easier for users and demand pass phrases, they are allowed to use base64 symbols and the length should be at least... 20? (that number could probably be better if someone with knowledge (not me xD) made some calculations).

and to help the users in creating good pass phrases (or explaining what it is) someone like Bruce Schneier (or anyone you'd like, why not make it a peer reviewed effort) makes a good simple to read post about it and we all link to it during account/password creation.

everything fixed, or is it not that simple?

Community
  • 1
Vincent
  • 433
  • 3
  • 9
  • 2
    one reason I can think of for not making any password standards is that as soon as you make a standard you take some of the guesswork away from the attackers because now at least they know the standard. (This works for any standard and it is why I appose enforcement of password rules in general) – KnightHawk Apr 22 '15 at 16:17
  • Vincent - in your second para you say "if it wasn't for brute force the password would be harder to obtain" - no. The passphrase is going to be harder than the password. And adding something personal is not a fix I'm afraid. Social engineering and research goes a long way to getting passwords! – Rory Alsop Apr 22 '15 at 16:37
  • @RoryAlsop in case of an attacker targeting a specific user you are right but how often is that the case? If we want to secure the normal user we would be safe? Or am i making to many assumptions? – Vincent Apr 22 '15 at 17:49
  • A passphrase is more secure than a password in general (because it is longer) so it is irrelevant whether you are talking about 1 user or many – Rory Alsop Apr 23 '15 at 08:44
  • @RoryAlsop I meant the Social engineering and research, hackers would do that with people they consider valuable enough, i think for our everyday user they won't go through that amount of trouble. (or is that an assumption i cannot make? ) – Vincent Apr 23 '15 at 09:43
  • it is effort that an attacker would go to for a desirable target - that may not be the normal user, who may just be a useful vector because their protection is weak – Rory Alsop Apr 23 '15 at 10:29

1 Answers1

5

If by "we" you mean the small subset of developers reading security.stackexchange.com who create the authentication systems for a small subset of applications, then there's no reason to limit what symbols users are allowed to use or the length of passwords they're allowed to input. Well, perhaps 1000 characters would be a good password limit in order to prevent denial of service attacks. But you're right that limiting password length to 8 characters, only containing a subset of possible characters, etc. is bad practice. It's better to give users the flexibility to use whatever authentication method(s) they choose, and to encourage users to choose good ones like using longer passwords instead of shorter ones. (Although providing users a link to a book or a long blurb on password techniques during account creation will probably get used as often as terms and conditions get read. Password strength meters are generally inaccurate, but at least they're something.) And in addition to making a system that allows users to have good passwords, we should also implement other security controls like limiting logon attempts, storing passwords securely, protecting against SQL injection, changing passwords of default admin accounts, and so on.

The problem is that we're not every developer. Lots of developers see computer security as an obstacle they need to overcome or a checkbox they need to check before publishing their system. Many times non-technical people in management positions will impose bad requirements on developers, like a bank executive demanding that users be able to use touch tone phones to input their web password so people can log in through some antiquated phone service system the bank developed a few decades ago. So you'll never see every system have good password practices because you can never make "knowledge of good password practices" a requirement for system development.

As for passphrases specifically, I don't think anyone should use memorized passwords on any system they don't control if they can help it. In 2007 the average user had 25 accounts, and I suspect that number has increased significantly. It's humanly impossible to memorize that many passphrases if you require them all to be truly unique. The biggest risk with passwords is password reuse: if you get all your users to make 40 character passphrases and store it with PBKDF2, you're still going to have identity theft on your site when your users use the same credentials on a site that's storing passwords in plaintext and that site gets hacked. So rather than pushing passphrases, I think we should be pushing password management software. Passphrases are great (Diceware is better) for locking password managers, and then you can use truly random passwords for meeting whatever requirements are imposed by the developers of the systems you're using.

Aron Foster
  • 1,204
  • 2
  • 11
  • 19