Monday, November 29, 2010

Revisiting password meters

(Screenshot from Swedish PTS on Sunday 28, Nov 2010)

In February this year I wrote a blog post named "Never Trust Password Meters", after a tweet from @mikkohypponen at F-Secure. One of the password meter services I commented on was "testalosenord" (test your password) from the Swedish Post and Telecom Agency. I e-mailed them the same day, just to inform them about my blog post. On November 18 I received a reply.

Not that I expected an answer, of course; I write about my personal opinions and I'm just happy whenever I get any feedback. It's a short reply from PTS, but they gave me a link to a page displaying statistics about the passwords tested through their online service. Oh, and they use Cracklib for testing all submitted passwords. The statistics are interesting; the screenshot at the top of this blog post is taken from that page.

Yes, I know it's in Swedish. I'm here to help. :-)

Passwords shorter than 8 characters (90.27%)
No surprise really. My guess: most people will test one or more of their own passwords, most probably personal passwords not used at work. Even if they do test their work passwords, very few organisations require a minimum length of 8 or more in their password policies.

Passwords without digits (88.07%)
Well, digits don't have to be a requirement for making "secure" passwords. I guess this really cannot be interpreted as "bad" passwords, as we have no information on length or on the use of upper/lower-case and/or special characters.

Passwords without UPPERCASE letters (90.56%)
To me this really indicates that the tested passwords are personal passwords, not subject to a "professional" password policy, which will usually impose complexity requirements (3 of 4 character groups must be used). The typical outcome of such complexity requirements is easily illustrated by me this way:
(Click image to see full size)

Passwords without lowercase letters (86.05%)
Now this is really surprising! In a real corporate environment I would expect lowercase letters in pretty close to ... 99.9% of all passwords, or something like that. Of course, with 123456 probably being the most common password out there, you could blame some of the statistics on that one, but 86.05% is still surprising!

Passwords without special characters (92.25%)
In a corporate environment I would usually expect this percentage to be lower, meaning more specials in passwords. However, for personal passwords, most probably not originating from corporate environments with complexity requirements turned on, this makes sense to me.

Passwords found in the PTS wordlist (16.58%)
Well, I don't know if they are using a standard Cracklib wordlist, or if PTS has edited such a list themselves. I have also questioned what we all consider to be a "wordlist" in a previous blog post named "What's a wordlist?". In any case I really can't see much usefulness in this one, at least for my purposes.

Passwords without any letters (4.65%)
Could simply be users clicking Testa! (submit) with an empty field, or the common 123456 password, or the slightly less common 12345 of course. In a complexity environment I will usually expect most "complex" passwords to be in the format UllllllDD (one uppercase letter, multiple lowercase letters, and 2 or 4 digits at the end).

Again: interesting statistics, but I'm afraid statistics LIE. A lot. In fact, not only should you never trust password meters, but I would suggest that you should be very skeptical of password statistics as well.
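One way to be skeptical of a set of figures like the six above is to recompute them and check whether they can all be true at once. The following is an added example, written for this post; it is not PTS's or Cracklib's code, and the sample passwords are constructed. It counts the same six buckets PTS reports, updating counters per submission and then discarding the password (the "do not store" model PTS describes in their reply), collapses each password to the U/l/D/S mask used above (UllllllDD and friends), treats å/ä/ö as letters rather than specials, and applies a sanity check: the share of passwords containing any letter can never exceed the share with an uppercase letter plus the share with a lowercase one. The PTS figures themselves fail that check (95.35% contain a letter, but at most 9.44% + 13.95% = 23.39% could), which is exactly the kind of question to ask before trusting a statistic.

```python
"""Recompute PTS-style password statistics and check their consistency.

Added example for this blog post; not PTS's or Cracklib's code.
All sample passwords below are constructed for illustration.
"""
from collections import Counter

# Constructed sample, chosen so that each PTS bucket is non-empty.
SAMPLE = [
    "123456",       # digits only, shorter than 8
    "12345",        # digits only, shorter than 8
    "password",     # lowercase only, exactly 8
    "Password1",    # upper + lower + digit
    "Sommar2010",   # upper + lower + digits
    "qwerty",       # lowercase only, shorter than 8
    "Berit56",      # upper + lower + digits, shorter than 8
    "P@ssw0rd",     # all four character groups
    "smörgåsbord",  # lowercase only; ö and å are letters, not specials
    "!!!!!!!!",     # specials only
]

# The six percentages shown on the PTS statistics page (from the post).
PTS_REPORTED = {
    "shorter_than_8": 90.27,
    "no_digits": 88.07,
    "no_upper": 90.56,
    "no_lower": 86.05,
    "no_special": 92.25,
    "no_letters": 4.65,
}

METRICS = tuple(PTS_REPORTED)


def char_classes(pw):
    """Return the set of character groups present in pw.

    str.isalpha()/isupper() are Unicode-aware, so Scandinavian letters land
    in 'upper'/'lower'. A checker that only tests A-Z/a-z would push them
    into 'special' instead, which is one way the 'no special' bucket could
    come out smaller than expected.
    """
    classes = set()
    for ch in pw:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("upper" if ch.isupper() else "lower")
        else:
            classes.add("special")
    return classes


def mask(pw):
    """Collapse a password to the U/l/D/S mask used in the post, e.g. UllllllDD."""
    out = []
    for ch in pw:
        if ch.isdigit():
            out.append("D")
        elif ch.isalpha():
            out.append("U" if ch.isupper() else "l")
        else:
            out.append("S")
    return "".join(out)


def pts_metrics(passwords):
    """Percentage of submissions in each PTS bucket.

    Counters are updated per submission and the password is then dropped,
    so nothing but the six totals survives the loop.
    """
    counts = Counter()
    n = 0
    for pw in passwords:
        n += 1
        c = char_classes(pw)
        counts["shorter_than_8"] += int(len(pw) < 8)
        counts["no_digits"] += int("digit" not in c)
        counts["no_upper"] += int("upper" not in c)
        counts["no_lower"] += int("lower" not in c)
        counts["no_special"] += int("special" not in c)
        counts["no_letters"] += int(not (c & {"upper", "lower"}))
        # pw goes out of scope here; only the counters are kept.
    return {k: round(100.0 * counts[k] / n, 2) for k in METRICS}


def consistent(m):
    """Sanity check on a set of PTS-style percentages.

    'Has a letter' is the union of 'has uppercase' and 'has lowercase', so
    it is bounded above by their sum and below by the larger of the two.
    """
    has_letter = 100.0 - m["no_letters"]
    has_upper = 100.0 - m["no_upper"]
    has_lower = 100.0 - m["no_lower"]
    return (max(has_upper, has_lower) - 1e-9 <= has_letter
            <= has_upper + has_lower + 1e-9)


if __name__ == "__main__":
    ours = pts_metrics(SAMPLE)
    for k in METRICS:
        print(f"{k:15s} sample={ours[k]:6.2f}%  PTS={PTS_REPORTED[k]:6.2f}%")
    print("sample consistent:", consistent(ours))
    print("PTS consistent:   ", consistent(PTS_REPORTED))
    print("masks:", Counter(mask(p) for p in SAMPLE).most_common(3))
```

Running it prints the recomputed percentages for the constructed sample next to the PTS figures, reports the sample as consistent and the PTS figures as not, and lists the most common masks. The same counters-only loop is also what a password meter should look like on the server side if it claims not to store what you type, though that is something you can only take on trust from outside.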

--
Oh.... Seems as if I just told you not to trust my statistics either. Well, be skeptical at least. Ask questions, like I do. For Passwords^10, I'll try to use the tedPAD in order to create a fantastic presentation with my password statistics. :-)
(If you haven't seen the 6-minute talk on tedPAD, you should do so now! It's fantastic!)

5 comments:

  1. I think this brings up one of the biggest issues with online password strength checkers. Do you really trust that site with your password? For a really funny example of that check out @iagox86 on Twitter. He set up a fake password checker, and then posted all of the responses online:

    http://www.skullsecurity.org/compromised.txt

    As I joked, the more you are known for your password cracking skills, the fewer passwords you actually have to crack. People just tell you their password in order to find out if they are secure or not.

    Getting back to your post though, I would really be interested in whether the Swedish Post and Telecom Agency is storing the passwords they collect in plaintext, or if they are collecting the metrics as they are submitted. Also what strikes me as weird is that the percentage of passwords without digits is much higher than I expected, but the percentage of passwords without special characters is much lower. I wonder if they set up their checker to handle non-basic-ASCII characters correctly or not (aka those a's and i's you Scandinavians like to use...).

    Finally I have to imagine the "Passwords without lowercase letters" metric is wrong. The percentages just don't add up otherwise. Aka:

    12% contain digits
    10% contain uppercase letters
    14% contain lowercase letters
    8% contain special characters
    Total Possible Max: 44%

  2. People are lazy, and even if they have a sense that it's about security they don't understand the implication.
    The biggest fault with companies is that they could help themselves by having one simple course about it, to teach their employees how to use good passwords. Teach them how to make one that they could remember, maybe a little background on how easily a "Password123" or "123456" type password is hacked.

    It often flies over the heads of most people why certain types of passwords are better than others.
    Simply because they do not understand the nature of the system.
    Most I have talked to think that the combination of their login and the password is key to secure login. I am not kidding, that's the consensus.
    Who can guess Berit's login Berit56 and the password 123456 in one sitting, gotta be some sort of wizard....

  3. Matt: I didn't get much info from PTS in Sweden in their reply. They do say that they do not store any tested passwords, so I guess the metrics are updated for every submission before the tested password is discarded. With a standard Cracklib installation I wouldn't be surprised if our 3 additional characters in the Swedish/Danish/Norwegian alphabet are considered specials.

    Once again: never trust password meters. And be skeptical of password statistics. ;-)

  4. Tom, thank you for the reply!

    Some research has actually shown that the time spent on (repeated) security awareness training may actually represent a bigger cost than the potential everyday losses due to the lack of such training.

    First and foremost I think that organisations as well as online service providers should work harder on setting minimum standards that are more difficult to crack (at least through bruteforce), while at the same time improving usability. The answer (at least within the realm of passwords) is pass phrases. Use a sentence as your password. I've moved to America a long time ago. There's a passphrase for you that just cannot be cracked through bruteforce. It should be easy to remember as well. Now combine that with longer change frequencies, and we may have a winner.

  5. Don't use English in your password; use another language like Korean/Japanese/Chinese/Arabic/Hindi/Hebrew/German/Swedish/other, or religious mantras, gospels, rites etc., a language that no common human will read or care about. Heck, why not use biological plant names or insects, or Latin. Combine all these multi-dimensional linguistics and make it your "own language" as a password. That's it.

