Palindrome passwords disallowed—why?


I tried to change a Linux password to "sitonapotatopanotis" and got this error: BAD PASSWORD: is a palindrome

Why does this rule exist?

Joe Mornin

Posted 2012-03-02T15:56:21.337

Reputation: 1 399

It's less that the complexity is lower (it is, but that's not the only thing wrong with palindromes), but that cracking wordlists include many common palindromes to try before brute-forcing (amanaplanpanama, sitonapotatopanotis, tacocat <- this last one is a very frequent card in Exploding Kittens). – Max P Magee – 2016-02-09T16:04:46.583

Nobody but the developers of pam_cracklib could answer this. I tried looking at the manpage and did a quick web search but no luck. – Belmin Fernandez – 2012-03-02T17:59:00.507

It's nearly impossible to figure out what the person who blocked it was thinking. But when someone's entire job is to think up passwords we're not allowed to use, they eventually start reaching for more stuff to add. I think to answer your question: Why? - someone had too much time on their hands. – Ian Boyd – 2012-03-03T03:38:52.033

That seems like a good password to me, I've seen much worse. – nikhil – 2012-03-09T04:16:46.743

Answers


The manpage for pam_cracklib (responsible for password strength checking) does not specify why this is done:

   The strength checks works in the following manner: at first the Cracklib routine is
   called to check if the password is part of a dictionary; if this is not the case an
   additional set of strength checks is done. These checks are:

   Palindrome
       Is the new password a palindrome?

However, it's not difficult to imagine that there is some password cracking software that tries palindromes.

I would not recommend using such a password, but it's up to you to evaluate what security trade-offs you're comfortable with making (you could use sudo or the root account to change the password, and it will allow you to change it to whatever you want).

Belmin Fernandez

Posted 2012-03-02T15:56:21.337

Reputation: 2 691

So if he added/subtracted one character the password would be fine? – Daniel R Hicks – 2012-03-02T19:11:27.013

@DanH: Yes. If a cracking program is going to try "near palindromes", it pretty much has to try everything. – David Schwartz – 2012-03-02T20:11:50.037

It seems to me that a palindrome should be counted as valid if the first half counts as a valid password. (But that's nit-picking, of course). – Daniel R Hicks – 2012-03-03T14:35:12.487
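The manpage excerpt quoted in the answer describes an order of checks (dictionary lookup first, then extra strength checks such as the palindrome test), and the comments ask what happens when one character is added or when only the first half is judged. The following is an added example, not pam_cracklib's own code: a small checker in that order, using a constructed four-word stand-in for the cracklib dictionary and an assumed minimum length of 8. The rejection strings mirror the "BAD PASSWORD: ..." wording seen in the question; the case-sensitive reversal test and the optional first-half rule (from Daniel R Hicks's comment) are this example's assumptions.

```python
# Added example: a password checker applying the rules in the order the
# pam_cracklib manpage describes. This is NOT pam_cracklib's source.

# Constructed stand-in for the cracklib dictionary (the real one is a large
# compiled wordlist).
DICTIONARY = {"password", "letmein", "racecar", "qwerty"}
MIN_LENGTH = 8  # assumed policy value, not from the page


def is_palindrome(pw: str) -> bool:
    """Character-by-character reversal test; case-sensitive (assumption)."""
    return len(pw) > 0 and pw == pw[::-1]


def check_password(pw: str, accept_if_half_is_strong: bool = False):
    """Return None when the password is accepted, otherwise the rejection
    reason in the 'BAD PASSWORD: ...' wording the module prints."""
    # 1. Dictionary lookup comes first, as the manpage says.
    if pw.lower() in DICTIONARY:
        return "it is based on a dictionary word"
    # 2. Additional strength checks; the palindrome test is the one at issue.
    if is_palindrome(pw):
        # Variant suggested in the comments: accept a palindrome whose first
        # half would be accepted on its own (hypothetical rule, not cracklib's).
        half = pw[: (len(pw) + 1) // 2]
        if accept_if_half_is_strong and check_password(half) is None:
            return None
        return "is a palindrome"
    if len(pw) < MIN_LENGTH:
        return "it is too short"
    return None


def format_result(pw: str) -> str:
    """Render the verdict the way the question shows it."""
    reason = check_password(pw)
    return "OK" if reason is None else f"BAD PASSWORD: {reason}"


if __name__ == "__main__":
    for candidate in ("sitonapotatopanotis", "sitonapotatopanotis1",
                      "racecar", "tacocat"):
        print(f"{candidate!r}: {format_result(candidate)}")
```

Running it shows the behaviour discussed in the comments: the 19-character palindrome is rejected, appending a single character makes it pass, and with the first-half rule enabled the same palindrome is accepted because "sitonapota" passes on its own.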


Because a 20-character palindromic password is only as secure as a 10-character password -- there's essentially no extra entropy in the last 10 characters. So you're getting a false sense of security from having a long password.

Mike Scott

Posted 2012-03-02T15:56:21.337

Reputation: 4 220

Might be wrong here, but the effective security still depends on how you attempt to crack such a password. Does the attacker know there is a limited character set being used? Do we know the password length? – slhck – 2012-03-02T16:18:57.020

Do password crackers typically try palindromes of each guess? – Joe Mornin – 2012-03-02T16:19:52.073

Hm, it certainly adds to password entropy. However, I certainly wouldn't recommend it. It all depends on how the password cracking software generates permutations. – Belmin Fernandez – 2012-03-02T17:19:23.030

A palindromic password adds exactly one bit of entropy (is palindrome vs. is not palindrome). It is not "only as secure as a 10-character password", but it's much less secure than an 11 character one. – None – 2012-03-02T17:49:09.397

I thought you can only talk about adding one bit of entropy when the password is randomly generated. @joe – slhck – 2012-03-02T17:52:30.453

I assume Joseph is randomly making some of his passwords palindromic, and some not. Or from the perspective of writing a general password cracker rather than a Joseph Mornin password cracker, I will need to check exactly 2x as many passwords if I suspect palindromes may be chosen. That's one bit. (Perhaps very slightly less if there are some passwords that are incidentally palindromic versions of shorter passwords.) – None – 2012-03-02T18:32:23.757

I'd say sitonapotatopanotis is probably significantly less entropic than a standard 10 letter password made out of English words. Grammatically correct palindromes are very rare. It would be about as secure if you made a palindrome out of 10 random characters mwiovqfbzczbfqvoiwm, or if you just took words and made the palindrome part nonsense doctorwormrowrotcod. Also it adds a little more than a bit of entropy (you could vary how you do the palindrome; e.g., doctorwormrowrotcod or doctorwormmrowrotcod or doctorotcodwormmrowr, etc.). But in general palindromes are a bad idea in pw. – dr jimbob – 2012-03-02T21:03:42.127

E.g., this palindrome besides being the name of a book falls on this long palindrome list that has ~500 entries: http://www.derf.net/palindromes/old.palindrome.html It wouldn't be that difficult to add these to password checkers. – dr jimbob – 2012-03-02T21:06:41.360
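The answer's claim ("a 20-character palindromic password is only as secure as a 10-character password") is a statement about the size of the palindrome subspace, while the "one bit" comment looks at the attacker's choice between trying palindromes and not. The following added example (not from the thread) puts numbers on the subspace view: a palindrome of length n is fixed by its first ceil(n/2) characters, so over an alphabet of size k there are k^ceil(n/2) palindromes. The alphabet size 26 and the lengths 19 and 20 are assumptions for the demonstration (19 is the length of the password from the question).

```python
# Added example: keyspace arithmetic for palindromic versus unconstrained
# passwords. Not code from the thread.
import math


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of the given length over the alphabet."""
    return length * math.log2(alphabet_size)


def palindrome_keyspace_bits(length: int, alphabet_size: int) -> float:
    """Only the first ceil(n/2) characters of a palindrome are free; the rest
    are copies, so they contribute nothing."""
    return math.ceil(length / 2) * math.log2(alphabet_size)


def candidates(length: int, alphabet_size: int, palindromes_only: bool = False) -> int:
    """Worst-case number of guesses for an attacker who enumerates either the
    whole space or just the palindrome subspace."""
    free_positions = math.ceil(length / 2) if palindromes_only else length
    return alphabet_size ** free_positions


def compare(length: int, alphabet_size: int) -> dict:
    """Side by side: full space, palindrome subspace, and the length of an
    unconstrained password with the same number of candidates."""
    return {
        "full_bits": keyspace_bits(length, alphabet_size),
        "palindrome_bits": palindrome_keyspace_bits(length, alphabet_size),
        "equivalent_plain_length": math.ceil(length / 2),
        "palindrome_candidates": candidates(length, alphabet_size, palindromes_only=True),
    }


if __name__ == "__main__":
    for n in (19, 20):
        print(n, compare(n, 26))
```

With k = 26, both a 19- and a 20-character palindrome leave 26^10 candidates for an attacker who enumerates palindromes directly, the same as an unconstrained 10-character password, and fewer than an 11-character one, which is the comparison the comments make.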


People are simply more likely to choose "racecar" as their password cause they like it. So those words are high up on all wordlists (which are used before any brute-forcing). And it's simpler to check against all palindromes than to maintain a list of palindromes in the password checking library.


Some passwords are great and some are really bad.
We use certain factors to judge the quality of a password. Like length or what different characters are used.

For some passwords, these factors become less relevant or not relevant at all.

Like, this is a great password:

v10H73nqMQPkbUvTLOPyKBg4KnkUjWgF

This one, not so much:

acbaacbacaabcabbbaaabcaccbbbaaac

Even though it has the same length, if the same password rules apply and you brute-force it, the second password will be tried a lot sooner than the first password.

Let's have a look at this one:

qwertyuiopasdfghjklzxcvbnm123456

Now, we're rollin' with a serious password! Only that it's almost the worst possible password ever because all letters are used in the same pattern as they appear on a very popular keyboard type.

Someone might look at that password and think it's super awesome because he chooses it under false assumptions (length being most important for a password).

The same could be said for palindromes. First of all, they give a false feeling of security (as Mike notes) because their length is increased by simply duplicating all letters. But the real problem with them is that they are easy to remember and somewhat of a commodity.

Der Hochstapler

Posted 2012-03-02T15:56:21.337

Reputation: 77 228

By that brute-forcing logic, wouldn't "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" be the greatest password of all time? – Braden Best – 2015-11-28T04:50:29.843

@B1KMusic No. Adding one more z would be greater – Der Hochstapler – 2015-11-28T07:07:22.513

What if...we added correcthorsebatterystaple to all those z's? Nah, that's probably not a good idea. The human mind can only take 40ml of greatness at once the before it blows. And by my calculations, that password would be in the area of 72e+1.72458141456 ml, a lethal dose. – Braden Best – 2015-11-28T12:05:00.013

-1 "v10H73nqMQPkbUvTLOPyKBg4KnkUjWgF" this is not a great password, it's an awful one, since you simply cannot remember it. – o0'. – 2012-03-02T22:48:37.903

The only reason why that's a bad password is just because I mentioned it here and it is no longer secret. I only use randomly generated passwords combined with a single-sign-on solution. – Der Hochstapler – 2012-03-03T00:04:28.970

Version 10 has 73 new quotes. More quotes per knowledge-base under varyingly terse, low orders, pays you kindly, big growth for keen novices' knowledge. Useful jobs wait going forward. – Synetech – 2012-03-03T05:12:04.663

@OliverSalzburg: single sign-in are good methods, I use them myself, but here we are in the domain of plain old "remember them" passwords, so it's not a valid twist. Remember that due to other people's idiocy, sometimes you are forced to enter passwords yourself anyway. – o0'. – 2012-03-03T09:20:20.220

http://xkcd.com/936/ – Jürgen A. Erhard – 2012-03-03T16:52:18.743

@Lohoris: Of course you can, only takes a few minutes... :/ – Tamara Wijsman – 2012-03-20T08:22:55.670

@OliverSalzburg You don't have to remember the password; it's written on the Post-it attached to my monitor. – Ian Boyd – 2012-04-14T18:20:25.777
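The answer above argues that length alone misleads: the three sample passwords have the same length, but one uses only three distinct letters and one walks across the keyboard. The following added example (not code from the answer) makes those two observations measurable on the answer's own samples. It compares the alphabet size a naive character-class rule would assume against the alphabet actually observed, and it flags runs of keys adjacent on one QWERTY row. The row layout, the run threshold of 3 and the class sizes (26/26/10/33) are simplifying assumptions of this example.

```python
# Added example: why same-length passwords differ in strength. Not code
# from the thread.
import math

# The three sample passwords from the answer.
STRONG = "v10H73nqMQPkbUvTLOPyKBg4KnkUjWgF"
LOW_ALPHABET = "acbaacbacaabcabbbaaabcaccbbbaaac"
KEYBOARD_WALK = "qwertyuiopasdfghjklzxcvbnm123456"

# Simplified US QWERTY rows (assumption; only same-row neighbours count).
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _row_index(ch: str):
    """(row, column) of a key, or None if it is not on the simplified layout."""
    ch = ch.lower()
    for r, row in enumerate(QWERTY_ROWS):
        col = row.find(ch)
        if col >= 0:
            return r, col
    return None


def keyboard_walk_coverage(pw: str, min_run: int = 3) -> float:
    """Fraction of characters lying inside a run of >= min_run keys that are
    adjacent on the same keyboard row (left or right)."""
    if not pw:
        return 0.0
    covered = 0
    run_start = 0
    for k in range(1, len(pw) + 1):
        continues = False
        if k < len(pw):
            a, b = _row_index(pw[k - 1]), _row_index(pw[k])
            continues = (a is not None and b is not None
                         and a[0] == b[0] and abs(a[1] - b[1]) == 1)
        if not continues:
            run_len = k - run_start
            if run_len >= min_run:
                covered += run_len
            run_start = k
    return covered / len(pw)


def class_alphabet_size(pw: str) -> int:
    """Alphabet a naive rule assumes from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def distinct_chars(pw: str) -> int:
    """Alphabet an attacker who knows which characters were used would face."""
    return len(set(pw))


def naive_bits(pw: str) -> float:
    return len(pw) * math.log2(class_alphabet_size(pw))


def observed_bits(pw: str) -> float:
    return len(pw) * math.log2(distinct_chars(pw))


def report(pw: str) -> dict:
    return {
        "length": len(pw),
        "naive_bits": round(naive_bits(pw), 1),
        "observed_bits": round(observed_bits(pw), 1),
        "keyboard_walk_coverage": keyboard_walk_coverage(pw),
    }


if __name__ == "__main__":
    for sample in (STRONG, LOW_ALPHABET, KEYBOARD_WALK):
        print(sample, report(sample))
```

All three samples score the same on length, but the second collapses from about 150 "naive" bits to about 51 once the three-letter alphabet is observed, and the third is covered entirely by keyboard-row runs, which is what the answer means by the pattern being the problem rather than the length.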

The easy way to set trivial passwords, even if it's a single character, is by using the root user to set the password.

Joe

Posted 2012-03-02T15:56:21.337

Reputation: 115