Viewing 40 posts - 1 through 40 (of 65 total)
Your password doesn’t matter

footflaps
Full Member

    Interesting analysis of password choice and susceptibility to cracking etc…

    Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our research and with the reality our team sees as we defend against 100s of millions of password-based attacks every day. Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.

    Because here’s the thing: When it comes to composition and length, your password (mostly) doesn’t matter.

    To understand why, let’s look at what the major attacks on passwords are and how the password itself factors into the equation for an attacker. Remember that all your attacker cares about is stealing passwords so they, or others, can access accounts. That’s a key difference between hypothetical and practical security – your attacker will only do really wacky, creative stuff you hear about at conferences (or wherever) when there’s no easier way and the target of the attack justifies the extra effort.

    https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984

    tomparkin
    Full Member

    It’s an interesting article, but the headline seems somewhat at odds with the discussion.

In the case of a password spray attack, which is listed as being very high frequency, if you happen to pick a password on the list of stupid passwords the attacker is trying, then your account is vulnerable. So clearly the password matters a lot here.

    Similarly, in the case of the brute force attack the password matters a lot, too. And, yes, the frequency of this is listed as being low, but it’s not as if there are not reasonably regular db breaches from large websites such as e.g. LinkedIn — and the article says as much.

    So really it’s not so much that your password doesn’t matter, but more that it doesn’t matter until it does, and if you want a more secure system overall you’re better off looking at MFA than more betterer passwords.

    I can see why my version wouldn’t make for a snappy headline though.

    Drac
    Full Member

    ‘If your password is shit it’ll be cracked’

    There that’s better.

    DezB
    Free Member

    It’s the changing of passwords that pisses me off. If someone knows your password, they know it. They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

    Cougar
    Full Member

    ‘If your password is shit it’ll be cracked’

    ‘If your password isn’t shit it’ll probably still be cracked’ is closer to what the article says. I read it a little while ago, it makes some interesting points. I keep meaning to distil it into something a bit more user-friendly that I can use to batter IT users with.

    Passwords, really, aren’t fit for purpose and arguably never have been. In isolation they’re a terrible method of security. 2FA is much, much better.

    Cougar
    Full Member

    if you happen to pick a password on the list of stupid passwords the attacker is trying,

    It doesn’t even have to be a “stupid” password. I’ve got a copy of one of the more recent breaches, it’s something like half a million passwords long. Good luck coming up with something that isn’t on the list, your challenge is basically “think of a password no-one else has ever thought of”. Dedicated cracking rigs aside, with a modest VM I could iterate through that list in the order of minutes.

    It’s the changing of passwords that pisses me off. If someone knows your password, they know it. They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

    Yeah, but, there may be some delay here. The goal of the attacker might not be to use your credentials but rather to sell them on.

    I agree in principle though, changing it at set periods causes more problems than it solves. If I’ve got someone’s password, it’s “Arsenal27”, I try it and it doesn’t work, I’m reasonably certain that I can guess what it’s been changed to.

    Another example: one of the most common passwords recently was “Summer2019!”. This might not be immediately obvious as to why, but think about the password requirements of a Windows domain network. Mix of uppercase / lowercase / numbers / symbols (pick any three), minimum of 8 characters long (IIRC), and expires every 90 days. What else expires every 90 days? Boom, you’ve got a genius, memorable password scheme that you can iterate through until the heat death of the universe! The only problem is loads of other people have thought of the same scheme as a direct result of Windows’ default password-change policy so you’re on the list. Pwned. Sorry.

    kelvin
    Full Member

    They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

    Wrong. Many times over.

    But the answer isn’t playing the game of forcing users to change their password super often.

More generally, password-only authentication is useless these days, where you genuinely want any level of security. You need at least one other factor, or you might as well not bother.

    scuttler
    Full Member

MFA usually depends on a password as one factor, so passwords remain; however, as part of MFA many of the attacks listed in the MSFT article are prevented. Complexity requirements are there to introduce variance; however, they are often overzealously used to the detriment of overall security. Organisations are getting better at protecting stored passwords through hashing and salting, and therefore I expect that for the most prevalent stuffing and spray attacks (whilst I’ve not researched it), the average age of a pwned (see HIBP) password is probably increasing and therefore its value is decreasing.

    DezB
    Free Member

Wrong. Many times over.

Cool, great explanation there.

I prefer this one: First Google result

    Cougar
    Full Member

    Wrong. Many times over.

    The other cheek of this arse is that credentials stolen aren’t always then used on the systems breached – in fact, that’s probably a rare occurrence. Rather, most people reuse credentials.

If I want to hack your email account (and I do, because if that falls then I have “I forgot my password, please email me a reset link” access to everything else you have), that’s probably going to be challenging. Gmail, Outlook etc are mature products, they’re going to be pretty secure*. So rather, I’d go for lower-hanging fruit like, say, a popular mountain-biking website running WordPress. If I can breach that, then I potentially have a big long list of credentials, some of which by law of averages will be the same as their email logins.

    This is where password changing could mitigate a problem (though as Kelvin says, it’s not the best solution). The breached accounts could be quite old – my Yahoo credentials were breached and I haven’t logged in to Yahoo in maybe a decade.

    At work we monitor for compromised corporate email accounts. In the vast majority of cases the accounts are for people who are no longer with the company.

    (* – in theory)

    DezB
    Free Member

    Jeez! why am I discussing work related bollox on STW?! 😆

    Cougar
    Full Member

    Cool, great explanation there.

I prefer this one: First Google result

    The point really isn’t that password expiration isn’t inherently useless in isolation, rather that it’s the wrong solution to the problem.

    User education – don’t reuse passwords, don’t use corporate accounts for personal websites, for the love of pete ensure that if nothing else your email and bank passwords are unique – 2FA, password managers etc are all better ways to mitigate these risks.

    Drac
    Full Member

    Good luck coming up with something that isn’t on the list,

I use Apple’s password generator; I believe it’s 15 characters long. Why yes, it’s never going to be perfect, it’ll take a lot of work and I’ll only lose one if they breach a database.

    Cougar
    Full Member

    It’s probably time to post this again.

    https://haveibeenpwned.com/

    The email account I use for website logins has been in ELEVEN different data breaches. Don’t reuse passwords, kiddies.

    Cougar
    Full Member

I use Apple’s password generator; I believe it’s 15 characters long. Why yes, it’s never going to be perfect, it’ll take a lot of work and I’ll only lose one if they breach a database.

    Yup. See also, LastPass, KeePass, and a supporting cast of thousands. Half of my passwords, I don’t even know what they are.

    madmechanist
    Free Member

A valuable point here is also that passwords are vastly useless with the integration of functions now… once they’re in, that’s it, they have easy access to most of it.

    kelvin
    Full Member

    This is where password changing could mitigate a problem

    Agreed. Most of the big boys were using 12 month expiration, while they waited for all (most) of their users to move onto MFA. It was mandatory monthly changes that Microsoft were ringing the death bell for in the PR behind that link, I assume… I only read the headline.

    Drac
    Full Member

    Yup. See also, LastPass, KeePass, and a supporting cast of thousands. Half of my passwords, I don’t even know what they are.

    Yup used those in the past. I know maybe 2 or 3 at most.

    sirromj
    Full Member

    I’m reasonably certain that I can guess what it’s been changed to.

    I’m not so sure you can – password modifications are notorious for being forgotten quickly (and still remaining simple enough for dict attacks).

    Why do companies like NSI put a 20 character length limit and disallow a high proportion of characters from their passwords? I thought the more complex and longer was better?

    trailwagger
    Free Member

    I thought the more complex and longer was better?

Not necessarily. Long complex passwords are hard to think up and remember for users. This leads them to using the same one for multiple accounts, writing them down, and recycling them by changing one or two digits.

    footflaps
    Full Member

    A lot of my passwords are on the cracked lists, but I only use them for sites where I don’t really care if it gets hacked eg no personal / financial info at stake.

    pdw
    Free Member

    Long complex passwords are hard to think up and remember for users.

    Probably time to post this one:

    https://xkcd.com/936/

    Long, simple passwords can be both strong and easy to remember.

    Some of the “no”s in that article are pretty disingenuous. The first row should be “yes – it absolutely matters that you don’t re-use your password.” Similarly for “password spray”.

    Cougar
    Full Member

    On the XKCD thing,

    A common suggestion is to use passphrases instead of passwords. This is solid advice, but falls into the same problem as the breached password lists above. Ie, if it’s common, it will probably have been done. “Somewhere over the rainbow” might look secure at a glance but is highly likely to be in a wordlist. “Where trouble melts like lemon drops” perhaps not so much. “My uncle Norbert’s performing gerbils” better yet.

    Also, L33tsp34k – fooling nobody, sorry. We’ve been wise to that little trick for a long time.

    Erm, they have, I mean. Obviously.

    sirromj
    Full Member

I was more asking the question in the context of arbitrary length limits and character limitations. We’re told to complexify our passwords and make them long and to take advantage of password managers, only to find a 20 character length limit and not being allowed to use most of the non-alphanumeric characters on a standard keyboard.

    FuzzyWuzzy
    Full Member

    Don’t get me started on special characters and logging into systems without a UK keyboard/region set and spending an hour pulling your hair out

    kelvin
    Full Member

Password systems that enforce use of special characters are evil. Insisting on a minimum length is fair enough. And the “four random words” approach is great, anyone can remember those (and if not, keep them out of your system)… so a low maximum length is also evil. But still, ultimately you need more than a password anyway… that is still the main takeaway. Turn on multi factor for everything.

    Cougar
    Full Member

    I was more asking the question in the context of arbitrary length limits and character limitations.

    Yeah, it’s just bad coding, there’s no reason for it other than a fear of not being able to sanitise inputs correctly (or a database built in 1985). There’s an XKCD about this too:

    Blocking characters like ‘ and ” is a lazy (and not wholly effective) way of mitigating this sort of vulnerability.

    kelvin
    Full Member

    Passwords should never be stored in a database anyway.

    Cougar
    Full Member

    Don’t get me started on special characters and logging into systems without a UK keyboard/region set and spending an hour pulling your hair out

Oh yeah, I once got bitten by this building an HP server. They have an ‘assisted install’ wizard where you feed in usernames, passwords, licence keys etc into an interface at the start, then it installs Windows and feeds in all the info you’ve provided post-install. Except, the wizard is US-only keyboard and it didn’t make this overly clear (and of course, you can’t see what you’re typing in a password box). Then the system comes up and… your password doesn’t work. Cue much wailing and gnashing of teeth.

    Take-away from this, do not use [@] symbols in passwords…!

    footflaps
    Full Member

    Yeah, it’s just bad coding, there’s no reason for it other than a fear of not being able to sanitise inputs correctly (or a database built in 1985).

Only this morning I was asked to purge <> from a DB dump as the customer’s DB input parser couldn’t handle it! And yes, their own employees had entered them into a text field somewhere.

    trailwagger
    Free Member

    Most of the arguments above only relate to password only systems. That’s the whole point of the OP article. Passwords alone should not be relied upon.

Take your bank card for instance, it is secured by a 4 digit PIN. So that’s a simple 4 digit passcode + something only you have. That’s what makes it secure. No bank has ever required you to have a 10 digit PIN that contains special characters and then forced you to change it every 3 months. Why? Because with MFA complex passwords are not necessary.

    Cougar
    Full Member

    Passwords should never be stored in a database anyway.

    Unencrypted passwords shouldn’t.

    https://plaintextoffenders.com/

    footflaps
    Full Member

    Unencrypted passwords shouldn’t.

    Let alone unencrypted raw biometric data!

    Quite possibly the worst designed security system ever devised, as used by multiple Government agencies….

    https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data

    No salting, no hashing, no encryption, just all the raw personal user biometric data up for grabs to anyone who wants it…

    theotherjonv
    Full Member

    Long complex passwords are hard to think up and remember for users.

    Probably time to post this one:

    But with the developments in quantum computing, and the real prospect of quantum supremacy in the next few years, then there will be computers that can make millions or billions of guesses per second and suddenly your 44 years can be cracked down to workable timescales; the only security against quantum computer based hacking will be codes that are also designed by quantum computers.

    (not that password hacking would be the way that QC would hack into accounts anyway)

    eddiebaby
    Free Member

    I keep a list of captcha codes and assemble passwords from them.

    Or DO I?

    Cougar
    Full Member

    Let alone unencrypted raw biometric data!

    Well, that’s a whole other tin container of annelids. Muggers rocking up to take your wallet, equipped with a pair of secateurs?

    Moreover, “sorry, our database has been breached. Please immediately change all your… uh… fingerprints and retinas.” I’m quite a fan of biometrics, but it’s so very, very hard to revoke. At best you’ve got ten fingerprint resets before you’re shit out of luck (unless you’re from St Helens).

    But again, here we are back at 2FA / MFA.

    johnners
    Free Member

    then there will be computers that can make millions or billions of guesses per second

    And when they can they’ll still be stymied by any system that limits the number of login attempts over a set time period, that’s why current attacks tend to the “low and slow” approach where quantum would offer no advantage. The security threat from QC will be to non-QC encrypted data, not passwords per se (although non-QC hashing will obviously be vulnerable where passwords are stolen).

    But yes, MFA. And preferably not one-time codes over bloody SMS please! That’s you, Amazon, Paypal et al…
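The attempt-limiting point above is why the password-spray attack mentioned earlier in the thread is “low and slow”: a per-account lockout never trips when each account sees only one or two guesses. As an added example (not from the thread or the linked article), this Python script classifies failing sources in a constructed, simplified auth log by counting distinct accounts per source inside a time window rather than failures per account. The log format, thresholds and addresses are all hypothetical.

```python
"""Password-spray vs. brute-force detection over constructed auth-log lines.

Added example, not from the thread: a per-account lockout stops a brute force
on one account, but a spray spends one or two guesses per account across many
accounts, so the per-account counter never trips. Counting distinct accounts
per source inside a time window catches it. Log format is hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample lines (hypothetical format): one spraying source,
# one brute-forcing source, and one legitimate user who mistyped twice.
SAMPLE_LOG = "\n".join(
    [f"2019-08-15T09:00:{i:02d} FAIL user={u} src=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2019-08-15T09:05:{i:02d} FAIL user=carol src=198.51.100.9" for i in range(12)]
    + ["2019-08-15T09:07:00 FAIL user=alice src=192.0.2.5",
       "2019-08-15T09:07:05 FAIL user=alice src=192.0.2.5",
       "2019-08-15T09:07:10 OK user=alice src=192.0.2.5"]
)


def parse(log):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src


def classify(log, window=timedelta(minutes=10), lockout=3, spray_accounts=5):
    """Return {src: 'spray' | 'bruteforce'} for sources whose failures within
    any window-long span hit one account at least `lockout` times (brute force)
    or at least `spray_accounts` distinct accounts, each below lockout (spray)."""
    fails = defaultdict(list)
    for ts, result, user, src in parse(log):
        if result == "FAIL":
            fails[src].append((ts, user))
    verdicts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if max(per_user.values()) >= lockout:
                verdicts[src] = "bruteforce"
            elif len(per_user) >= spray_accounts:
                verdicts[src] = "spray"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src}: {verdict}")
```

The legitimate source (two failures on one account) gets no verdict, which is the point: the spray is only visible when the count is keyed on the source, not the account.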

    sirromj
    Full Member

    Why do companies like NSI put a 20 character length limit and disallow a high proportion of characters from their passwords?

Ooooh, think I can answer my own question here! Because telephone. Because symbols you can’t pronounce or know the name of. Because words for characters are sub-optimal for transmission in speech.

    ajaj
    Free Member

    “here we are back at 2FA”

    2FA is really hard though. If you use a phone or a phone app for the second factor you can’t guarantee that the user isn’t using that phone as the first. And you still have the lost second factor reset problem (LastPass users, try the 2FA reset process and then ask yourself if 2FA gives you any real security at all).

    Old-style RSA keys/Yubikeys and those calculator things that banks issue work but they’re expensive.

    Cougar
    Full Member

    And when they can they’ll still be stymied by any system that limits the number of login attempts

Absolutely, unless you’ve already got a local copy of the database, in which case all bets are off.

    2FA is really hard though. If you use a phone or a phone app for the second factor you can’t guarantee that the user isn’t using that phone as the first.

    It’s not perfect, sure. But it’s orders of magnitude better than a password alone.

    (LastPass users, try the 2FA reset process and then ask yourself if 2FA gives you any real security at all).

    Well, I don’t know what you’re referring to specifically but that’s presumably a flaw of LastPass rather than 2FA? (I should probably look into that…)
