Tuesday 26 April 2011

How to get people to use strong passwords

Takeaway: Can passwords be both secure and easy to use? Some think “no”, but if you stop there, you simply aren’t thinking enough.

As noted in “Don’t be fooled by the argument against unique passwords,” people giving bad security advice claiming that good security practices are impractical and should be ignored seem to be a surprisingly common sight. As the world’s security issues become more prevalent and problematic, the rate of such incredibly bad advice being offered seems to increase, and can do increasing amounts of damage where people buy into their message.
An example from 2007 that I have only just encountered is “The Usability of Passwords,” which begins:

Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.
The underlying assumptions of this statement are several, and almost invariably wrong. First, it suggests that password strength through complexity necessarily makes passwords unusable. Second, it suggests that simple passwords can be “strong enough” for almost all purposes. Third, it subtly suggests — like the majority of such overly facile arguments — that convenience trumps security all the time. Finally, it suggests that its author Thomas Baekdal knows more about security than people who actually study its intricacies. While this may or may not be true in and of itself (at least in some cases) with no further evidence than the first paragraph of The Usability of Passwords, the rest of it serves to demolish such a hypothesis when his incomplete understanding of the factors involved in password security is displayed.

Before proceeding, let us demolish his entire argument with a single fact.

Strong passwords are easy to manage

A good password manager solves the problem of password usability quite neatly in at least 98% of cases. In fact, employing a good password manager can actually make password use easier than heeding the simplistic, dangerous advice of most of these advocates for bad password policy. Using one really strong password for all the “important” sites, and one really weak password for all the “unimportant” sites, requires remembering two passwords, where a password manager only requires remembering one; using differing weak passwords everywhere requires remembering many passwords, which does not really make things much more convenient; and using passphrases made up of easy to remember terms in one’s native language requires a lot more typing than a single password for a password management application. Meanwhile, choosing a password manager carefully and configuring the software well can result in a relatively pleasant experience protecting one’s security. The software I typically use is pwsafe with a keyboard shortcut driven interface for the X Window System — secure, simple, well-designed, and thanks to the addition of my keyboard-driven interface wrapper, it is also very easy to use.
For those using Microsoft’s flagship OS, another earlier article covered how to use Password Safe on Microsoft Windows 7. In discussion following both this article and the article discussing how to set up a keyboard driven interface for pwsafe, other suggestions of password manager applications were offered.

The incomplete arguments

Much of the problem with non-secure security arguments like Thomas Baekdal’s is an incomplete understanding of how things actually work. Examples drawn from “The Usability of Passwords” are numerous, easily deconstructed, and easily refuted by a more thoughtful individual than its author. Each of them starts with a seed of truth, and proceeds to wander outside the realm of applicability and accuracy when he starts filling in the holes in his understanding with poorly considered conjecture.

How to crack a password

In The Usability of Passwords, its author explains how passwords are cracked (showing his intimate knowledge of the subject by misusing the term “hack” where “crack” would be correct). He lists five possibilities:
  1. Asking
  2. Guessing
  3. Brute Force Attacks
  4. Common Word Attacks
  5. Dictionary Attacks
He (incorrectly, I believe) claims that the most common methods of cracking a password are asking and guessing. While it is true that people asking others for their passwords is probably the most common way that someone might gain access to another’s password, the vast majority of these cases involve honest people who intend no harm and are simply trying to get their work done — or, in some cases, even trying to help the person whose password they acquire in this manner. As for guessing, it boggles the mind to consider the notion that in this age of profitable, computer powered, automated security compromises someone would think that a security cracker sitting down in front of someone’s computer and typing in strings of characters to try to gain access to password protected resources lands within the top ten approaches to cracking password security. Do not let CSI: New York fool you into thinking that is a common approach, relative to other approaches Thomas Baekdal listed.
The closest we might get to truly common usage of the “guessing” approach he describes — using information about an individual to inform one’s attempts to guess — is using information about an individual to prioritize the potential password combinations used in a brute force attack.
The most sophisticated attacks that actually rely on coming up with the password itself are, in some respects, all brute force attacks. What he terms a “common word attack” is in fact a dictionary attack using a “dictionary” smaller than the Oxford English Dictionary. A dictionary attack is just a way to prioritize a brute force attack so that the most likely passwords to be used by security-unconscious users are tried first (or perhaps only). Contrary to his description, in fact, most automated dictionary attacks start with “love”, “god”, “password”, and several other common terms first, rather than just going through the OED in alphabetical order. If the way he described things was accurate, picking “zen” as your password would improve security substantially, while “aardwolf” would mean almost instant compromise (beaten only by “aardvark”, proper names, and initialisms like AAPSS). In the real world, “password” comes before either of those options in the vast majority of cases.

How to protect yourself

Following the rhetorical question, “When is a password secure?” we are treated to some dubious claims. For instance, the first claim made:
You cannot protect against “asking” and “guessing”, but you can protect yourself from the other forms of attacks.
Well beyond dubious, this is quite blatantly false. To protect yourself from “asking”: Never tell anyone else your password.
As for protecting yourself from “guessing”, Thomas Baekdal himself provided the answer to this problem when he first brought it up:

This is the second most common method to access a person’s account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife’s name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
The next dubious claim immediately follows:
A hacker will usually create an automated script or a program that does the work for him. He isn’t going to sit around manually trying 500,000 different words to see if one of them is your password. The measure of security must then be “how many password requests can the automated program make - e.g. per second”. The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.
It is true that a security cracker is likely to use an automated process to crack a password rather than typing everything by hand (and here he contradicts his own earlier statements about “asking” and “guessing” being the most common). It is also true that the amount of time it takes to try out enough passwords to successfully select the needed password is effectively the measure of password strength. This claim implies that his rule of no more than 100 password tries per second is invariant and reliable, however. It is not. While 100 per second may be optimistic on the security cracker’s part if his script tries to actually sign in via a Web form provided by a server somewhere out there on the Internet, this is far from the only way to crack a password. In fact, most cases of cracking large numbers of passwords involve someone gaining access to a database of encrypted or plaintext passwords, password hashes, or other server-side login data that allows an offline attack. Utilizing technologies like GPU password cracking frameworks and SSD storage of password hash databases for faster access times, fourteen character passwords have been cracked in around five seconds — much more quickly than the three minutes Thomas Baekdal asserts it would take to crack the password “sun” using a brute force attack. The difference is that in the real world, security crackers are often not so naive as to try to brute force a password via a Web login form.
We then encounter the discussion of how difficult a cracking job is “difficult enough”. The claim is made that a password that takes ten years to crack (using the limit of 100 requests per second described above) is unlikely to ever be cracked. His words:

10 years - Now we are talking purely theoretical.
Even if we choose passwords that take ten years to crack at the rates provided by GPU password cracking frameworks in local attacks with SSD storage for the password hash database, this is not “purely theoretical”. It is actually quite predictably going to take much less time than ten years to crack such a password at some point in the future — possibly as soon as tomorrow, if someone comes up with yet another clever trick to speed up the cracking process. With that in mind, this statement of his becomes so naive as to be laughable:
I want a password that takes 1,000 years to crack- let’s call this “secure forever”.
Maybe, instead of “forever”, it can be cracked in an afternoon when someone invents a new approach to password cracking six months from now. Worse yet, the rate of technological advancement is accelerating exponentially.

The answer to our prayers is “NO”

After a set of contrived examples of various passwords and their strengths, Thomas Baekdal has set us up for the Big Reveal. The result:
this is fun
He claims this password — actually three distinct, short, common words separated by spaces — takes about 2.5K years to crack. In truth, it takes far less time than that using the GPU cracking methods already mentioned, because it is basically just an eleven word password selected from a set of only 27 possible characters (26 lower case letters and the space character). All he has done is reinvent the concept of the “passphrase”, poorly. Passphrases, loudly touted by many as The Most Secure Thing EVAR, do not in fact increase both convenience and security the way people seem to think. All they do is rearrange the math used to determine how easily a password is cracked.
Tell me — which do you think is more difficult to crack?
  • this is fun
  • &n” <` O C[
If I was a betting man, I would not put my money on "this is fun". It should be immediately obvious that the first is easier just for the simple fact that this is fun makes use of a set of characters represented by 27 keys on your keyboard with no modifiers (the Shift key, for instance), while &n" <` O C[ makes use of a set of 86 characters used by a random password generator. To give you an idea of how much of a difference this makes, Thomas Baekdal's example offers 5,559,060,566,555,523 different possibilities from his implied character set, or over five quadrillion. My eleven character password offers 1,903,193,578,437,064,103,936 different possibilities, or almost two sextillion -- almost 20,000,000 (twenty million) times as many possibilities. It gets even better if I want a longer password, because adding just one more character multiplies the number of possibilities by 86.
For anything nontrivial, though, I do not trust an eleven character password, using a character set of 86. Twenty is a reasonably good minimum number of characters today, for only moderately important cases. With a good password manager, I can use fifty character passwords if I want to -- as long as the login system allows them -- and do it much more easily than remembering a different equivalent to "this is fun" for each such case. After a while, anyone might forget which site uses "this is fun" and which uses "my alsatian spot".
That, of course, completely ignores an even bigger problem with passphrases like "this is fun". Sure, it is an eleven character password with spaces in it, but that is not all it is. It is also a non-random eleven character password. Given that all the words involved are common words, we now face the problem of using a passphrase having done nothing more profound than moving the goalposts a little. Once the kicker gets lined up, aiming is not so much more difficult than it was before the goalposts moved.
From a certain perspective, "this is fun" is just a password with three "characters" in it. The difference is that the "characters" used are taken from a larger character set. A commonly used password cracking wordlist -- the Openwall wordlist collection -- has four million entries in it, but the majority of these can be omitted when performing an initial cracking attempt against an English-speaking user so naive as to use something like "do the dishes" on Thomas Baekdal's advice. The much shorter, public domain list Openwall offers as a free download contains only 3,158 entries. That is a mere 31,494,620,312 possibilities, or about 31.5 billion. Throw in a few articles, particles, and participles, and you are still well under 4K words.
If your security cracker is the least bit sophisticated, the script used to crack passphrases will choose words by parts of speech to fit common patterns. Suddenly, 31.5 billion options will become something much more modest. If the cracking script assumes any two words from the unaltered Openwall list, with one of "is", "was", "can", "cannot", "for", "will", "should", "looks", or "seems" between them, your number of possibilities drops from 31.5 billion to a mere 89,756,676, or under 90 million, less than one third of one percent the number of options.
. . . and we are still including non-random, non-word strings of characters such as "2kids", "1022", and "!@#$%^" amongst the "words" that might be used. Really, to use examples of Thomas Baekdal's system for creating passwords, we should exclude a lot of those -- and end up with something on the order of only 2,500 words. That brings our hypothetical password cracking script's first pass through possible passphrases down to fewer than seven million possibilities. Even at a rate of one hundred tries per second, already discarded as naive when someone might have access to a database of password hashes, we are now looking at a maximum time to crack "this is fun" under twenty hours.
That is much less time than the 2,537 years he claims, and I am not even trying that hard.

Catching up with today

Somewhere along the line, someone must have told him about the flaws in his reasoning, because he offered this defense:
You need direct access to the database file or the server to hack something faster. If you got that level of access, you do not actually need the password. You can just look up the data directly.
This ignores a number of factors, including (but not limited to):
  • The password hash database might be more accessible than other data; authentication might be performed on a separate server from financial data.
  • The user, following the advice of a non-expert like Thomas Baekdal, might use one password everywhere -- thus making a weak password a vulnerability for many other sites.
  • As demonstrated, a less naive approach to password cracking than he imagined might actually work within a single day even under his unlikely constraints.
  • Password databases on stolen smartphones and laptops could provide password hashes without providing any other data from the server the password might be used to access.
  • A flaw in the authentication application could conceivably expose the server to unforeseen work-arounds, and the strength of your password might be the only mitigation.
Other problems may come to mind with more thought. Of course, he takes the defensive measure of trying to exclude offline attacks from his analysis:

What I am talking about in the article is hacking into remote systems (like web apps).
The problem is that the world does not conform to our wishes. Assuming that our passwords are immune to offline attacks just because he decided to ignore them in his Weblog entry is yet another incredibly naive part of his perspective. Simply pushing away the potential problem of server-side issues that may undermine his argument, such as telling us that passwords are easier to crack if the server admins do not add punitive delays when incorrect passwords are submitted, does not in any way make it less of a problem. The fact of the matter is that people implement crappy authentication systems all the time, and sometimes we use those system -- often without even knowing how badly they were implemented on the back end. Choosing passwords that take longer to crack is a way to mitigate the danger of such poorly designed systems. Saying "it's not my problem" when someone mentions that the server might not be set up to look after your security is nothing more than a good way to provide excuses for not caring about your security.
Yes, the server admin should set up a secure system. No, recognizing that fact does not mean you should not worry about it, even if you are not the server admin.

How I learned to stop worrying and love the password

The real reason people hate strong passwords so much is probably that they are being told to use them by people who, while they are a bit smarter about the difficulty of cracking passwords than Thomas Baekdal, are sometimes downright stupid about security policy enforcement. Telling people they should use long passwords containing capital and lower case letters, numbers, spaces, and special characters just makes the technically uninclined sigh and complain. In "The Usability of Passwords - FAQ," Thomas Baekdal's 2011 follow-up to "The Usability of Passwords," he actually addresses this problem when he discusses why he wrote the original Weblog entry:
The article came to life after yet another discussion with IT, who believed that everyone should be forced to use password with a minimum of eight characters, including two uppercase characters, numbers and a least one special character. I was absolutely furious for several reasons. First, I knew it was like kicking every employee in the groin every morning they showed up for work, that it would do squat for actual security (it is likely to make it worse), and that it would completely destroy the plans I had for password free web application I was working on at the time.
If I had to type in a password like >9Llz]HX2×8w.5&Go{$k~5pIz&{ every day when I checked my email, another like Rk~b$icSNGz:+1C8`Vp <-~q@un6O to check my bank balance, something like gjj-~ixnCs3{/7yS]r(BW#S,q1?9 to log in at TechRepublic, and many more for every site on the Web, I would hate strong passwords too. I type exactly one password for everything on the Web, though. I do not use the same password at every site; I just use a password manager, and let that remember all those different passwords of mine.
The key to getting people to stop worrying and love the password is to stop telling people first and foremost to use strong passwords for everything. Yes, they should use strong passwords — but they should let the password manager handle it for them. Tell them instead to use a password manager, and to configure it to use strong passwords on their behalf.
For more than 98% of cases, your problem is solved by a password manager, and you should not end up being that guy who posts a lengthy explanation of how little he actually understands about passwords and security, thinly disguised as bad advice that a lot of people might actually follow.

No comments:

Post a Comment