Passwords.. security is in length, not complexity

cy

Flashaholic
Joined
Dec 20, 2003
Messages
8,186
Location
USA
Passwords.. security is in length, not complexity. Use password-PHRASES, easy to remember phrases. "LondonBridgeisfallingdown" this easy to remember phrase is 25 digits long and will be extremely hard to crack. 42 digits long is almost impossible to crack.

Robert Hensing - Microsoft PSS Security Team
 

James S

Flashlight Enthusiast
Joined
Aug 27, 2002
Messages
5,078
Location
on an island surrounded by reality
And beyond that, don't use random short strings of characters (like the stupid default strings that are given by security folks)

It's actually remarkably easy for a guy sitting across the room to watch you type, and if you're hunting and pecking the letters on the keyboard it can be very accurately imitated after watching. A phrase you can touch type is much more immune from this too.

One has to wonder though about that advice coming from MS when I've worked in many MS environments where I was forced to use no more than 6 or 8 characters and had to change them every few weeks.... Interesting how advice changes isn't it
 

MaxaBaker

Flashlight Enthusiast
Joined
Dec 14, 2004
Messages
2,260
Location
South Jersey
"mamaalwayssayslifeislikeaboxofchocolates"


I used this a looooooong time ago for something. I don't even remember what it was for so if there are any crazies out there, don't try anything that you may think of.
 

turbodog

Flashaholic
Joined
Jun 23, 2003
Messages
6,425
Location
central time
Security increases with length, but dictionary words are ALWAYS a NO. The encrypted password can be analyzed for frequency of characters and compared to dictionary words.

Y'all should read the recent notes on cracking some commonly used encryption. The problem with trying to encrypt a message is that it is FULL of dictionary words.

Doesn't matter anyway..... I'm guessing that the # of accounts breached because of password guessing/cracking is exceptionally small. Social engineering has been, and always will be the single best method of gaining access to someone's accounts/data/etc.
 

BB

Flashlight Enthusiast
Joined
Jun 17, 2003
Messages
2,129
Location
SF Bay Area
Re: Passwords.. security is in length, not complex

Watch where you type those long passwords... I changed my Earthlink login password to as long a field as their web page would allow (something like 10-15 characters)... Then everything went screwy. Logins were erratic, email did not work, calling in and reading password to phone support did not work because I did not know how long the string was on his screen, etc.

In the end, I had to have it reset and just stayed with 8 characters.

-Bill

PS: you should also mix punctuation, numbers and mixed case letters... Except when the programmer does not allow punctuation and seemed to normalize password case--

You can't win.

By the way, our local credit union is starting to roll out biometric (finger print scan) on some of their stations... That will be interesting (I am waiting for the first robber that takes a finger or thumb)... ugh.
 

Duncan

Newly Enlightened
Joined
Sep 23, 2004
Messages
59
Location
Canada
Re: Passwords.. security is in length, not complex

I agree with that; long passwords do not eliminate the possibility of getting your password stolen though. It just reduces that likelihood. The trick is making it sufficiently secure that it is not worthwhile for the thief to actually break it. For example, 256-bit RSA encryption is known to be breakable, it just requires a large amount of distributed computing power (or a supercomputer). By the time they manage to crack the password and gain access to your computer, most likely the information has time-expired (after a year, the relevance of important/confidential information is almost nil). And if you really want to make a computer safe from internet attacks, the only surefire way is to completely isolate it from the internet. Either way, encryption is only as good as the human devising it, and can never really be unbreakable as no human method is ever really random.
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
Re: Passwords.. security is in length, not complex

[ QUOTE ]
BB said:
...By the way, our local credit union is starting to roll-out biometric (finger print scan) on some of their stations... That will be interesting (I am waiting for the first robber that takes a finger or thumb)... ugh.

[/ QUOTE ]
A year ago a Japanese crypto student unveiled fake fingers using two completely different designs and destroyed the credibility of ALL of the major players in the biometric fingerprint reader business in one day. The guy was just a hobbyist! All of the fingers were easily made from common materials (one of his successful designs used 'Gummy Bears').

He found that it was very easy to quickly lift the target's prints from his work area and IIRC he etched them using techniques commonly used for photo-etching circuit boards.

Biometric print readers cannot be trusted without a guard there to actually watch the whole authentication process -- and I probably wouldn't trust the guard. I think that the US Gov uses guards at all of their readers.

The reader makers are taking steps to make them more secure but I wouldn't trust them for anything.

There is also the nagging problem that whatever their actual security value, anyone who uses a print reader must digitize their fingerprint(s) which will then be stored on servers whose compromise would be a real drag for the owners of the signatures of the digitized prints if they were stolen. Once they're out -- they're out. You can't reset your own fingerprints if they are compromised like you may a pass-phrase. You'll just have to live with it.

This technology needs to be well thought out before implementation.

Here is an interesting article on the problem.

For passphrases I like to work in upper and lower case, numbers and special characters (punctuation, etc). I like at least 12 characters in length.
 

cy

Flashaholic
Joined
Dec 20, 2003
Messages
8,186
Location
USA
Re: Passwords.. security is in length, not complex

turbodog, yes eventually tools will be written to break password-Phrases. But until that time comes, length increases security against brute force attacks.

How long would it take to crack these phrases by brute force?

"it'shopelessI'maflashcolicbecauseofcpf"

"Mcgizmoisoneofthemostprolificflashlightdesignersaround"

"watchitorMr.Bulkwillgiveyouhisfamouscutoff"
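Two estimates side by side answer cy's "how long would it take" question and turbodog's point about dictionary words at the same time. The first is the pure character-level brute force cy has in mind; the second is what an attacker actually does with a phrase made of ordinary words: guess whole words from a list, so each word adds only log2(list size) bits regardless of its length. The code below is an added example, not from any poster in this thread; the guess rate, the word-list size and the word counts per phrase are my own assumptions, and the phrases are the ones quoted in the thread.

```python
import math
import string

# Assumptions for the worked example (not figures from the thread):
GUESSES_PER_SECOND = 1e10      # assumed offline guessing rate of the attacker
DICTIONARY_SIZE = 50_000       # assumed size of the attacker's word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The thread's phrases, each paired with how many dictionary words it is built
# from (the word counts are my own segmentation of the authors' phrases).
PHRASES = {
    "LondonBridgeisfallingdown": 5,
    "it'shopelessI'maflashcolicbecauseofcpf": 8,
    "Mcgizmoisoneofthemostprolificflashlightdesignersaround": 10,
    "watchitorMr.Bulkwillgiveyouhisfamouscutoff": 11,
}


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover when guessing character by character:
    the sum of the standard character classes that actually occur in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def char_bruteforce_bits(pw: str) -> float:
    """log2 of the keyspace for a character-level brute force: len * log2(alphabet)."""
    return len(pw) * math.log2(charset_size(pw))


def word_dictionary_bits(n_words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """log2 of the keyspace once the attacker guesses whole words from a list."""
    return n_words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def assess(phrase: str, n_words: int) -> dict:
    """Both estimates for one phrase; the smaller one is the attacker's real cost."""
    cb = char_bruteforce_bits(phrase)
    wb = word_dictionary_bits(n_words)
    return {
        "length": len(phrase),
        "char_bits": round(cb, 1),
        "word_bits": round(wb, 1),
        "char_years": years_to_exhaust(cb),
        "word_years": years_to_exhaust(wb),
    }


if __name__ == "__main__":
    for phrase, n in PHRASES.items():
        r = assess(phrase, n)
        print(f"{phrase!r}: {r['length']} chars, "
              f"brute force {r['char_bits']} bits (~{r['char_years']:.3g} yr), "
              f"dictionary {r['word_bits']} bits (~{r['word_years']:.3g} yr)")
```

Under these assumptions "LondonBridgeisfallingdown" looks like roughly 142 bits to a character-level brute force but only about 78 bits to a word-level attack, still far beyond what the assumed guess rate exhausts in a lifetime, which is why both posters are partly right: length is what makes the phrase strong, and it is the number of words, not characters, that should be counted.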
 

CroMAGnet

Flashlight Enthusiast
Joined
Sep 4, 2004
Messages
2,540
Location
Los Gatos, CA
Re: Passwords.. security is in length, not complex

Us1ng numb3rs f0r L3tt3rs 1s @ g00d W@y t00.
 

idleprocess

Flashaholic
Joined
Feb 29, 2004
Messages
7,197
Location
decamped
Re: Passwords.. security is in length, not complex

I generally choose nonsensical phrases for my passwords - mostly with made-up terms. I don't use special characters that are difficult to type - I'm always aware of the possibility of "shoulder-surfing." I just stick to characters on the keyboard and usually avoid anything that requires use of the SHIFT key since that buys precious shoulder-surfing time for observers.

I'm thankful that the work systems I use with short password fields are company-internal.

I also count on the greater-fool theory - the average person is terribly unimaginative about their passwords, making them a much easier target than me.

A well-known electronic security expert once said that a good security system requires "something you have, something you are, and something you know."

- Something you have is a key. Maybe it's a public key like PGP uses, or perhaps it's a dynamic key that's time-synced with the server, and not easily predicted. Regardless, it's stored on standalone hardware.
- Something you are is some sort of biometric like fingerprint, handscan, iris scan, etc that has some capability to detect forgeries.
- Something you know is the familiar password, preferably lengthy and not something easily discernible with basic biographical knowledge (dates, addresses, relations) or personal association. A great deal more creativity could be exercised on the part of system designers on passwords - multiple passwords requested at random and branching "Q&A" are two things I can think of just offhand.

Such a system does not present a single point of failure that's easy to exploit, like a password. Passwords are disconnected from the individual and readily duplicated once known.

It's not perfect, but nothing is. Passwords can be guessed or forced, keys can be stolen, and fingerprints can be replicated (or fingers severed!).
 

Saaby

Flashaholic
Joined
Jun 17, 2002
Messages
7,447
Location
Utah
Re: Passwords.. security is in length, not complex

I currently work for Microsoft. Their fantastic unified password database systems have made it so I only have to keep track of 4 passwords and 5 unique user names (Including phone login)

1 of the passwords must be changed every 6 weeks, can be no *LESS* than 8 letters and must include 1 number and 1 symbol, and must be 80% different than the last 4 or 5 passwords you've had. It's basically a PITA.
 

RadarGreg

Enlightened
Joined
May 10, 2002
Messages
453
Location
Bamberg
Re: Passwords.. security is in length, not complex

I always like to use ********** as a password. Who would ever guess it, haha.

RadarGreg
 

CiTY

Enlightened
Joined
May 2, 2002
Messages
362
Location
Connecticut, USA
Re: Passwords.. security is in length, not complex

I usually have 2 classes of passwords, one regular, and one more complex for financial transactions.
 

dukeleto

Newly Enlightened
Joined
Oct 21, 2002
Messages
187
Location
France
Re: Passwords.. security is in length, not complex

Well, at one of the supercomputing centers I log on to, the system offers you the possibility to choose automatically generated "easy to pronounce" passwords.
That's fine, but I sure haven't worked out in what language they're meant to be easily pronounced
 

gregw

Flashlight Enthusiast
Joined
Jun 7, 2004
Messages
1,511
Location
Hong Kong
Re: Passwords.. security is in length, not complex

[ QUOTE ]
Sub_Umbra said:

A year ago a Japanese crypto student unveiled fake fingers using two completely different designs and destroyed the credibility of ALL of the major players in the biometric fingerprint reader business in one day. The guy was just a hobbyist! All of the fingers were easily made from common materials (one of his successful designs used 'Gummy Bears').

He found that it was very easy to quickly lift the target's prints from his work area and IIRC he etched them using techniques commonly used for photo-etching circuit boards.

...

[/ QUOTE ]

Do you have any links to this? I'd be really interested in reading about this case.
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
Re: Passwords.. security is in length, not complex

[ QUOTE ]
...I don't use special characters that are difficult to type...

[/ QUOTE ]

I use a password manager which keeps my passwords safely encrypted in a file, so I only have to type one password and from there I have access to all of them without typing them, so shoulder surfing isn't an issue.

Password managers also have the advantage of allowing you to use much more complex passwords than you would ever try to routinely type OR remember.

gpassman and Gringotts are good password managers for *NIX and Password Safe uses Blowfish to protect your pass-phrases in Windows. My password manager is one of the programs that get shut down twenty minutes after my screen saver locks my desktop. This works very well for me.

[ QUOTE ]
gregw said: [ QUOTE ]
Sub_Umbra said:

A year ago a Japanese crypto student unveiled fake fingers using two completely different designs and destroyed the credibility of ALL of the major players in the biometric fingerprint reader business in one day. The guy was just a hobbyist! All of the fingers were easily made from common materials (one of his successful designs used 'Gummy Bears').

He found that it was very easy to quickly lift the target's prints from his work area and IIRC he etched them using techniques commonly used for photo-etching circuit boards.

...

[/ QUOTE ]

Do you have any links to this? I'd be really interested in reading about this case.

[/ QUOTE ]
HERE is a link to a news story that appeared in The Register that hasn't expired yet.

HERE is a link to an article on the subject from the Crypto-Gram Newsletter by Bruce Schneier. This link is in the article mentioned above but I repeat it here separately because the author has far more credibility on this subject than the Register does.

Bruce Schneier invented Blowfish encryption and has been a respected security consultant for years. He wrote Password Safe (mentioned above) and gives it away on his web site. In fact, there is a link to Password Safe on the left hand side, near the top of the page with his article on fingerprint scanners (above).

EDIT: The link in my original post on this subject is to a very comprehensive article by Tsutomu Matsumoto, who built the fingers in the first place. The article tells all, even including step by step instructions on the process.
 

Sub_Umbra

Flashlight Enthusiast
Joined
Mar 6, 2004
Messages
4,748
Location
la bonne vie en Amérique
Re: Passwords.. security is in length, not complex

[ QUOTE ]
Saaby said:
I currently work for Microsoft. Their fantastic unified password database systems have made it so I only have to keep track of 4 passwords and 5 unique user names (Including phone login)

1 of the passwords must be changed every 6 weeks, can be no *LESS* than 8 letters and must include 1 number and 1 symbol, and must be 80% different than the last 4 or 5 passwords you've had. It's basically a PITA.

[/ QUOTE ]

Emphasis mine.

I've read that corporate policies that impose expiration dates on passwords usually make their systems much less secure. The employees who are just trying to do their jobs and have this burden continually thrust on them are far more likely to just write their constantly changing passwords on Post-Its and stick them under their desks -- which is probably NOT what the management had in mind.
 

turbodog

Flashaholic
Joined
Jun 23, 2003
Messages
6,425
Location
central time
Re: Passwords.. security is in length, not complex

For the REAL world...... security is much easier than all this malarkey to implement.

Example: windows 2003 server: password security is turned OFF by default. Turn it on, and any password failures over the limit you specify automatically disable the account.

Brute force attacks are really only good when you have the object needing to be cracked (zip file password guessing is one example).

And, thankfully, there are laws that help protect you in case your accounts are compromised.
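The lockout policy turbodog describes (a failure threshold, a lockout duration, and a window after which the failure counter resets) is simple enough to show in full. The following is an added example written for this thread, not code from any poster or from Windows; the credential store is a constructed toy that keeps plaintext strings so the block runs stand-alone, where a real system verifies salted password hashes, and the injectable clock exists only so the timing can be exercised deterministically.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5              # failed attempts before lockout; 0 disables lockout
    lockout_seconds: float = 1800   # how long the account stays disabled
    reset_seconds: float = 1800     # idle time after which the failure counter resets


@dataclass
class _AccountState:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0


class Authenticator:
    """Password check guarded by an account-lockout policy.

    `credentials` maps usernames to passwords. They are plain strings here
    (constructed toy data for the example); a real system stores salted
    password hashes and verifies against those. `clock` is injectable so the
    lockout timing can be tested without waiting.
    """

    def __init__(self, credentials: dict, policy: LockoutPolicy, clock=time.monotonic):
        self._creds = credentials
        self._policy = policy
        self._clock = clock
        self._state: dict[str, _AccountState] = {}

    def _verify(self, user: str, password: str) -> bool:
        # Unknown users take the same failure path as wrong passwords, so the
        # response does not reveal which usernames exist.
        expected = self._creds.get(user, "")
        return user in self._creds and hmac.compare_digest(expected.encode(), password.encode())

    def login(self, user: str, password: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        now = self._clock()
        st = self._state.setdefault(user, _AccountState())

        if now < st.locked_until:
            return "locked"            # even the right password is refused while disabled

        if st.failures and now - st.first_failure_at > self._policy.reset_seconds:
            st.failures = 0            # stale failures no longer count toward the threshold

        if self._verify(user, password):
            st.failures = 0
            return "ok"

        if st.failures == 0:
            st.first_failure_at = now
        st.failures += 1
        if self._policy.threshold and st.failures >= self._policy.threshold:
            st.locked_until = now + self._policy.lockout_seconds
            st.failures = 0
            return "locked"
        return "denied"

    def is_locked(self, user: str) -> bool:
        st = self._state.get(user)
        return st is not None and self._clock() < st.locked_until


def demo() -> list:
    """Simulated timeline: three bad guesses, the right password while locked,
    then the right password again after the lockout expires."""
    clock = [0.0]
    auth = Authenticator({"alice": "LondonBridgeisfallingdown"},
                         LockoutPolicy(threshold=3, lockout_seconds=60, reset_seconds=60),
                         clock=lambda: clock[0])
    results = [auth.login("alice", "guess") for _ in range(3)]
    results.append(auth.login("alice", "LondonBridgeisfallingdown"))   # still locked
    clock[0] = 61.0
    results.append(auth.login("alice", "LondonBridgeisfallingdown"))   # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping in mind when tuning the three numbers: a low threshold with a long lockout lets anyone who knows a username disable that account at will, so the policy trades brute-force resistance for availability, and, as the post itself notes, lockout only helps online; against a stolen zip file or password hash there is no server to count failures, and only the passphrase's own strength is left.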
 

paulr

Flashaholic
Joined
Mar 29, 2003
Messages
10,832
Re: Passwords.. security is in length, not complex

This scheme has worked pretty well for me, for generating high security passphrases:

http://www.diceware.com

I used to have a web page that does it for you automatically, but that hasn't worked in a while (I'll get it running again one of these days).
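The Diceware scheme behind that link is mechanical enough to show end to end: roll five dice per word, look the roll up in a list of 6^5 = 7776 entries, and count log2(7776), about 12.9 bits, per word. What follows is an added example written for this thread, not diceware.com's own code or paulr's old web page. It assumes the common list layout of one "NNNNN word" entry per line, uses `secrets.choice` in place of physical dice, and builds a constructed placeholder list of all 7776 indices so it runs offline; a real list carries actual short words.

```python
import itertools
import math
import secrets

DICE_FACES = "123456"
ROLLS_PER_WORD = 5
LIST_SIZE = len(DICE_FACES) ** ROLLS_PER_WORD   # 7776


def roll_word_index(choose=secrets.choice) -> str:
    """Five dice rolls, e.g. '41253', which index one word in a Diceware list.
    `choose` defaults to the CSPRNG and stands in for physical dice."""
    return "".join(choose(DICE_FACES) for _ in range(ROLLS_PER_WORD))


def load_wordlist(text: str) -> dict:
    """Parse the assumed list format: one 'NNNNN<whitespace>word' entry per line.
    Refuses an incomplete list so a truncated download cannot silently shrink
    the keyspace the entropy estimate relies on."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                       # blank lines and comments
        key, word = parts
        if len(key) != ROLLS_PER_WORD or any(c not in DICE_FACES for c in key):
            raise ValueError(f"bad dice index {key!r}")
        words[key] = word
    if len(words) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(words)}")
    return words


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Each word drawn uniformly from list_size choices adds log2(list_size) bits."""
    return n_words * math.log2(list_size)


def generate(n_words: int, wordlist: dict, choose=secrets.choice) -> list:
    """A passphrase of n_words words, each selected by an independent five-dice roll."""
    return [wordlist[roll_word_index(choose)] for _ in range(n_words)]


def constructed_wordlist_text() -> str:
    """Stand-in for a real list: every dice index mapped to a placeholder word.
    Constructed for this example only."""
    lines = []
    for i, combo in enumerate(itertools.product(DICE_FACES, repeat=ROLLS_PER_WORD)):
        lines.append(f"{''.join(combo)}\tword{i:04d}")
    return "\n".join(lines)


if __name__ == "__main__":
    wl = load_wordlist(constructed_wordlist_text())
    phrase = generate(6, wl)
    print(" ".join(phrase), f"({entropy_bits(6):.1f} bits)")
```

With a real list, `load_wordlist(open("diceware.wordlist.asc").read())` in place of the constructed text gives a usable generator; the entropy figure holds only because every word is chosen uniformly at random, which is exactly the property a hand-picked "memorable" phrase lacks.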
 