
The man who wrote the book on password management regrets the error - vezycash
https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
======
stupidcar
Sadly the "long passphrase" advice is _also_ out of date. It relies on the
naive idea that all password cracking is done brute-force, one character at a
time. But all the huge leaks of password DBs over the past few years have given
crackers a huge dataset to study and understand password generation
behaviours, including how people come up with passphrases.

Ars Technica did a long look at password cracking techniques[1] that covered
stuff like this. The tl;dr is that _any_ strategy short of full randomness is
wrong. Either use a password manager, or use a set of dice, just make sure
that your own human predictability cannot meaningfully affect the outcome.

[1] [https://arstechnica.com/information-technology/2013/05/how-c...](https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/)

~~~
GlitchMr
The long passphrase idea as suggested by xkcd is fine, provided you pick
random words. For instance, a database of 2048 words, and a 4 word passphrase
has 44 bits of entropy (2^44 possible passwords).

    >>> from math import log2
    >>> log2(2048 ** 4)
    44.0

Even if somebody knows the pattern they have 17 592 186 044 416 passwords to
try. You can further increase the number of passwords to try by increasing the
number of words. Probably with advances in technology 4 words may be somewhat
insecure in the future, but 5 words is 2048 times harder to crack than a 4-word
password, so it should still be secure.

The article in question shows three word passwords being cracked, but please
note that three words is 2048 times easier to crack than 4 words, and probably
very feasible to crack using graphics cards (provided poor choice of
algorithms like MD5).

~~~
Taek
In practical terms, that's still not very many. GPUs can do 2 GH/s for a
simple hashing function. Your 44 bit password can be cracked in 4 hours by a
single GPU, or in minutes by a cluster.

A large KDF helps, but damages user experience and again starts to become
fragile if your threat model includes ASICs (a $3m expense or so for an
attacker. That's a practical sum for many applications).

To put things in perspective, a CPU can do about 2^20 hashes per second. A $3m
ASIC cluster (made entirely from scratch) can do about 2^52 hashes per second.
It's obscenely asymmetric.

For high security accounts, you really want like 64 bits of entropy in your
password plus a KDF, or you want 80 bits without a KDF.

KDFs have another major problem. If you forget a word in your password, and
you also have a KDF, you have to fight your own KDF to discover that last
word. You don't want that barrier.

edit: was off by a factor of 1000 in my ASIC math. $3m in ASICs can do about
2^52 hashes per second, not 2^42

~~~
corobo
Don't sites also salt (and pepper?) passwords though? Does this still apply in
the scenario that they have done so?

Edit: Realised Google exists, currently reading
[https://stackoverflow.com/questions/16891729/best-practices-...](https://stackoverflow.com/questions/16891729/best-practices-salting-peppering-passwords)

~~~
dspillett
> Don't sites also salt (and pepper?) passwords though?

They _should_ salt. They _should_ do many things. But we know some sites
don't, we suspect many sites don't. Unless you know otherwise never assume a
site is handling your data, including your login credentials, securely.
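What salting changes for a leaked table, as an added example that is not part of any comment in this thread: with a fast unsalted hash, accounts sharing a password share a digest, while a per-user salt plus a slow KDF makes every record distinct. The account names, sample passwords and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware budget


def fast_unsalted(password: str) -> str:
    """Weak pattern: one fast MD5 pass, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_password_groups(records: dict[str, str]) -> list[list[str]]:
    """Return groups of users whose stored hashes are byte-for-byte identical."""
    by_hash: dict[str, list[str]] = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; alice and carol picked the same password.
    users = {"alice": "correct horse", "bob": "hunter2", "carol": "correct horse"}
    weak = {u: fast_unsalted(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted groups:", shared_password_groups(weak))
    print("salted groups:  ", shared_password_groups(strong))
```

The salt only removes shared work between accounts (precomputed tables, one guess tested against every row); the cost per guess against a single account comes from the iteration count.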

------
lousken
I think nowadays the bigger problem is that sites don't cooperate with
password managers. I am trying to use 20-character passwords and some sites
still limit that number to 12 or 16. Also the fact that Blizzard or Steam
doesn't use TOTP that Google Auth. uses pisses me off.

~~~
cuckcuckspruce
Related problem: sites that don't let you paste into the password field -
either when setting a password or trying to log in. To the people who do this:
what do you think you're accomplishing? It's not going to stop somebody
brute-forcing your site, and you're making it difficult to use a password manager.

~~~
pwg
> Related problem: sites that don't let you paste into the password field

Run Firefox

Change this about:config option "dom.event.clipboardevents.enabled" to
"false".

No more blocking of pasting into password fields by any site.

------
pselbert
Every time I participate in a security audit for some enterprise contract I
have to explain and defend why we don't enforce complexity and rotation rules.

Lately citing the NSA's change in position has been convincing enough and we
don't get nearly as much push back.

~~~
al452
You mean NIST not NSA, right?

------
jandrese
One thing I suggest to people these days is to instead make a passphrase where
at least one of the words is an "English-like nonword". Something that sounds
like a word but doesn't appear in the dictionary. People are pretty good at
remembering things like that, and I find that most people can remember their
passwords even a week later with this method.

A sample password might be: "Zapagar, lightning chomper"

Or maybe: "plodding! Sloimo can't 3lap"

It's much easier to remember a password if it forms a little story in your
head.

Too many people try to optimize the "hard to guess" part of a password
requirement without considering the "easy to remember" requirement. Typing
long passwords isn't nearly as much of a hassle if it is full of normal words
instead of insane garbage like L1ghtn1nG that computers can easily guess
anyway. Length is the best defense.

~~~
Cthulhu_
Oh freddled gruntbuggly, Thy micturations are to me, As plurdled
gabbleblotchits, On a lurgid bee, That mordiously hath blurted out, Its earted
jurtles, grumbling Into a rancid festering confectious organ squealer.
[drowned out by moaning and screaming] Now the jurpling slayjid agrocrustles,
Are slurping hagrilly up the axlegrurts, And living glupules frart and
stipulate, Like jowling meated liverslime, Groop, I implore thee, my foonting
turlingdromes, And hooptiously drangle me, With crinkly
bindlewurdles,mashurbitries. Or else I shall rend thee in the gobberwarts with
my blurglecruncheon, See if I don't!

~~~
jandrese
That might be a little bit long to type every time you want to log in, but I
bet all password crackers would struggle to guess it.

------
princekolt
At which point will we need to move to strictly external hardware
authentication? I think that even with password managers, it can only go so
far. At some point we will be synchronizing password files with dozens of MBs,
and one day you will want to login to something and won't have access to your
passwords. There has to be a way of building transparent AND strong
authentication.

~~~
iamphilrae
The main problem with this would be non-standardisation. For example, I have 4
bank accounts at 4 different banks and each has a different piece of hardware
for 2FA. Imagine if you needed an individual key fob for every single online
account you have.

I'd love to be in a world where I click the website login button, I then type
a simple pin into a key fob, then I plug the fob into a USB port, and it
authenticates me. No password other than the pin. I'd also love it to just be
a 'thing', not a way to just hack filling in a password field on a form.

------
dhimes
I have an honest question about cracking passwords. Does the cracker know when
they are getting close? I don't understand how they could, but every field has
its experts and surprises so I thought I'd ask here.

So if I have a hashed password, and I start hashing a dictionary, will I
know that I have, say, the [whatever the word is for iterations or depth of
hashing] correct, before seeing exact matches with the hashed database? Is
there, I don't know, some convergence of some statistical property of the
output as I get closer?

~~~
PeterisP
No.

In general, that depends on the hash function. Some hash functions have that
property (e.g. you might want to use such a function for some internal data
structure), but _cryptographic_ hash functions must not. If you'd find some
property where you could check if you're "getting close", then that would be a
major flaw in that function - i.e., it's _possible_ that SHA-3 has some way to
do that, but as far as we know (and we've tried) it does not, and if it would
be the case then that would be a good enough reason to stop using SHA-3
anywhere.

~~~
dhimes
Excellent. Thank you.

------
Udik
I just wish websites would remind you of their password rules at login time. I
use different passwords depending on what the password rules are, and you only
get to see them at signup/ password recovery, which unfortunately tends to be
quite often with certain websites or web apps.

~~~
rb808
Amen, with a special F.U. to the sites that disallow special characters. What
is the reason for that? (OK I might understand disallowing some uncommon chars
but $%(^ etc shouldn't be disallowed)

~~~
darylfritz
Why block anything at all? If I want my password to be unicode and emoji,
what's the downside to the site?

I assume they're hashing all the passwords anyway.

~~~
feld
hint: they're not all hashing the passwords

~~~
jrimbault
I always wonder what kind of magic those websites do with the string. Hashing
has become so simple. When you hash you don't have to worry about special
chars (encoding issues though). It's only when you have bad practices that you
should worry about ;") in the password field.

------
dalbasal
There are two examples of misunderstanding the human element here.

One is that rotation and complexity rules lead to password spreadsheets and
postit notes, a different kind of security issue.

Another is that forcing someone to constantly defend and explain why something
is the way it is, leads to that person eventually implementing something that
(even if worse) will attract fewer questions.

------
TheAceOfHearts
I think the software community has generally done a poor job with authN,
authZ, and credential management. The Web Authentication working group is
working on a new spec to tackle some of their problems [0], but it's
still fairly young and it fails to address some common pain-points.

It seems reasonable to distinguish between identity and device. If I lose some
device, I can publish its revocation.

Serious internet users will have dozens, if not hundreds, of accounts. How do
we handle revocations and key rotation?

------
Beltiras
Let's say that you have 26 tokens (English lower case alphabet) in your
password policy. Let's also say that there is a cost incurred adding a token.
How many letters would a password need to be for it to be more beneficial to
add a token rather than add to the minimum length? 26^n > 27^(n-1) comes out
to 88th letter providing less entropy than adding a token. The more reasonable
alphabet is 52 letters (lower and upper case) and some tokens, let's say 12
tokens. 64^n > 65^(n-1) makes 269. Lesson to draw from this: always make your
password longer, rather than more complicated.

------
ciro_langone
Are the little devices that change the PIN or passphrase every 30 seconds the
most secure way to lock access? It seems like having to have the right code at
the right time was more secure than having the right code at anytime, but I
wasn't sure why they weren't rolled out en masse. Is this not the best method
of security?

~~~
Joeri
TOTP, the algorithm used by github, google, and many others to provide
two-factor auth is basically that, except your phone is the little device. IMHO
this is "good enough" security for normal people. I haven't read of cases
where people's second factor got hacked, just where it got bypassed (e.g. by
using social engineering to skip passwords entirely).

~~~
jandrese
People say the weakest link is the user in passwords, and that's often true.
But for more security conscious users the weakest link is the helpdesk. It may
not even be where you expect. Plenty of people have been hacked because the
hacker called the support line for their registrar, hosting, email provider,
or ISP and got a password changed without any form of hard verification.

It can be extremely frustrating to do everything right and then have your
knees cut off by some script reader in a cube farm somewhere.

Also, if you do email verification for accounts, whenever someone changes
their email send one to the old account saying "Hey, this is being changed,
are you OK with it?" and if they say no, revert the email and reset the
password on the spot.

------
jameskegel
And here I am typing a small novel every time I want to unlock my crypt,
feeling smug, when just now I realize that some day even my passphrases will
become "not enough". This is a weird feeling- excitement for the future, but
also fear

~~~
marcosdumay
They won't. If it's a random enough 7 words or more passphrase, it will only
become "not enough" if the key generation algorithm is broken.

------
meitham
you know what "correct horse battery stable" is now one of the popular
passwords, just like "qwerty".

~~~
arkitaip
... followed by "correct horse battery stable 1", "correct horse battery
stable 11", "correct horse battery stable 111"

~~~
feld
those passwords would probably be safe to use because the correct word is
"staple"

~~~
contravariant
Actually a good cracker would probably catch a simple substitution like that
as well.

------
teddyh
The logic of passwords is simple, once you realize that all humans are
_terrible_ random number generators.

When you allow any part of your password to be _chosen_ by a human, i.e.
yourself, you have to assume that the human-chosen part is known to an
attacker. The solution is to _generate_ passwords with enough random bits to
satisfy current demands. And by _generate_ I of course mean to allow a real
number generator (either a computer, or dice, or anything really random; i.e.
something a casino would accept) to choose the password for you. Without any
restrictions except a desire to minimize length, you get the classic
unmemorable 0vT2GVlncZ4pZ0Ps-style passwords. If you add the restriction “must
be a sequence of English words”, you get xkcd-style “correct horse battery
staple” passwords. Both are _fine_, since they contain enough randomness _not
generated by a human_.

But if you _yourself_ choose, either old-style “Tr0ub4dor&3” or passphrase
“now is the time for all good men”-style, you have utterly lost, since
_nothing_ has been randomly chosen, and “_What one man can invent, another
can discover._”.

Note: this _also_ applies if you run a password generator and _choose_ a
generated one that you like. Since you have introduced choice, you have
tainted the process, and your password now follows an unknown number of
intuitive rules (for instance, there was a story here on HN the other day
about how people prefer the letters in their own name over other letters of
the alphabet), and these rules can be exploited by an attacker.
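Machine-generated passphrases and the arithmetic from earlier in the thread, as an added example that is not any commenter's code: every word is drawn by the OS CSPRNG, entropy is words × log2(list size) as in GlitchMr's 2048-word calculation, and the exhaustion times use the 2^20 and 2^52 hashes-per-second figures Taek quotes (taken from the thread, not measured here). The word list is a constructed stand-in of 2048 pronounceable tokens.

```python
import itertools
import math
import secrets

# Constructed stand-in list of 2048 distinct tokens; a real deployment would
# load a published list (for example a Diceware-style word list) instead.
_ONSETS = list("bdfghjklmnprstvz")                      # 16
_VOWELS = ["a", "e", "i", "o", "u", "ai", "ei", "ou"]   # 8
_CODAS = list("bdgklmnprstxz") + ["ck", "ng", "sh"]     # 16
WORDS = ["".join(p) for p in itertools.product(_ONSETS, _VOWELS, _CODAS)]

# log2 of the guess rates quoted in the thread: a CPU and a $3m ASIC cluster.
THREAD_RATES = {"cpu": 20, "asic_cluster": 52}


def generate_passphrase(n_words: int = 5, words: list[str] = WORDS) -> str:
    """Draw each word with the OS CSPRNG; use the first result, do not re-roll."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = len(WORDS)) -> float:
    """Entropy of n uniformly chosen words, assuming the attacker knows the list."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(bits: float, log2_rate: float) -> float:
    """Worst case: time to try all 2**bits candidates at 2**log2_rate guesses/s."""
    return 2.0 ** (bits - log2_rate)


def crack_table(min_words: int = 3, max_words: int = 7):
    """Rows of (word count, entropy bits, {attacker: seconds to exhaust})."""
    rows = []
    for n in range(min_words, max_words + 1):
        bits = entropy_bits(n)
        times = {name: seconds_to_exhaust(bits, rate)
                 for name, rate in THREAD_RATES.items()}
        rows.append((n, bits, times))
    return rows


if __name__ == "__main__":
    print("sample:", generate_passphrase())
    for n, bits, times in crack_table():
        print(f"{n} words  {bits:5.1f} bits  cpu {times['cpu']:.3g} s"
              f"  asic {times['asic_cluster']:.3g} s")
```

These times are for a single fast hash of the password; a slow KDF on the server multiplies each of them by its cost factor, and the average case is half the worst case.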

------
traviswingo
No paywall: [http://archive.is/JNiVT](http://archive.is/JNiVT)

------
mcbruiser3
a) 2FA

or

b) use the "forgot my password" option every time

------
m52go
First, in light of how they handled the Google memo...

Screw Gizmodo.

But regarding the article itself, seems to be a nothing-burger. Once upon a
time, we favored shorter complex passwords. Now, we favor longer intuitive
passwords. The end.

EDIT: I see the link in OP is now a WSJ link. It was a Gizmodo link at first.
Hence my comment.

~~~
Jaruzel
The Daily Mail coverage is worse...

[http://www.dailymail.co.uk/sciencetech/article-4771194/The-m...](http://www.dailymail.co.uk/sciencetech/article-4771194/The-man-responsible-passwords-says-advice-WRONG.html)

I now predict an uptick in people using 'correctbatteryhorsestaple' as their
password...

~~~
mcherm
> I now predict an uptick in people using 'correctbatteryhorsestaple' as their
> password...

At least that's slightly better than "correcthorsebatterystaple" which
appeared in the XKCD. The _really_ funny part is that I automatically noticed
this when reading your comment because I have "correcthorsebatterystaple" so
fully committed to memory that I noticed when you deviated.

~~~
Ajedi32
> I automatically noticed this when reading your comment because I have
> "correcthorsebatterystaple" so fully committed to memory that I noticed when
> you deviated.

For me it was the opposite. My brain automatically read it as
"correcthorsebatterystaple" despite what was written, just as it would with a
small typo in a word.

~~~
Jaruzel
Accidental deviation. What I wrote IS how I've remembered it apparently. Maybe
because a battery horse makes more sense to me than a horse battery. Not sure.
Either way, I'll start using it as my password and see how long it takes to
get pwned.

~~~
marcosdumay
Oh, but the cartoon has the battery connected into the horse :)

What goes to show something, because most people discussing passphrases do not
care to point that it's about mental images, not text. It's either so obvious
that it doesn't have to be said, or so non-obvious that nobody gets it, even
after reading the XKCD.

