Tuesday, August 16, 2011

xkcd 936 - the discussion continues

WOW. That was my immediate thought (we use wow in Norwegian as well) when I saw xkcd 936. WOW. That is pretty close to exactly what I've been trying to tell people for the last 10+ years, while researching passwords. Hats off, kudos and whatnot to Randall Munroe for this one! Now for some of the discussions in the wake of 936....

1. Password Entropy
Stop using mathematical entropy to measure the strength of passwords! You are most probably doing it wrong anyway. I'll be the first to say that I *suck* at math (WolframAlpha to the rescue!), so for starters on entropy I would suggest you read Matt Weir's blog at reusablesec.blogspot.com, and his paper Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords (Weir, Aggarwal, Collins, Stern). NIST SP800-63 says something about password strength through resistance to online cracking, and to quote from his blog:
"Our findings were that the NIST model of password entropy does not match up with real world password usage or password cracking attacks."
Now, I could poke Matt by saying that their analysis was done against revealed passwords in the form of leaks from sites like Rockyou etc. Having cracked almost nothing other than passwords from Microsoft Windows systems of real corporations and organisations for 10+ years, I think I've got evidence enough to say that "my" passwords are better in almost any measurement compared to the Rockyou, Hotmail lists and more. (Matt; what about applying your metrics to my data? ;-))

2. Never Trust Password Meters
This link will take you to an earlier blog post from me, and then back to the first one, based on an infographic that Mikko Hypponen made a tweet about. I hope and believe those 2 blog posts will widen your horizon in regard to password meters, password entropy and more.

3. xkcd 936 - related websites
Sure, they appeared very fast. simplestrongpasswordgenerator and passphra.se are just 2 examples that I've seen. Unfortunately they will fail in many situations, especially corporate environments. Simplestrongpasswordgenerator gave me this: widelyorderprivateestablished. Huh? Am I supposed to remember that?
Here's a good place to quote Troy Hunt and his blog post on the subject: "I'm sorry, but were you actually trying to remember your comical passwords?". Although I do not agree on everything he writes, he sure does have many good points in his blog post.

Although difficult sometimes, we should remember the difference between protecting our personal accounts, and (personal) accounts at corporations and organisations where a security breach can have a much wider impact than that of your own privacy.

4. Mixing it all
Mikko Hypponen really does impress me. Never met him, but his information, in any channel, is precise, short and informative. He also does a terrific job with his tweets, including all the retweets from others. And suddenly today, he retweeted this image from @ly_gs. Right back at the entropy calculations :-)

Melvin; We have 29 characters in our Norwegian alphabet, make your infographic with various charsets and/or languages applied. :-)

Phadej and davienthemoose followed up (among others) with some objections. Let's take a look:

Phadej posted this feedback:
We actually need more words, as entropy of the words is less than characters. Suppose there are about 50000 words (there are 301 000 main entries in OED). Then 50000^x > 94^13 => x => 5.5
So I would say that "balloons are very nice" < "@$XsBv2JMc473"
Also entropy of word like "are" is almost zero, so predictable. And xkcd strip actually kind of takes this into account. I will stick with pronounceable/memorizable passwords like pwgen kindly generates for me.

WolframAlpha says there are 600,000 words in the Oxford English Dictionary, 2nd edition. Let's take a shot at WolframAlpha: 600000^4 (4 simple words) = 129600000000000000000000 combinations. No offence, but I REALLY think we should drop this blind entropy discussion for measuring password strength.

Davienthemoose tweeted "until you use a dictionary set for cracking by word to break passphrases. Then each word becomes a char of 1".

Nice idea. After the CrackMeIfYouCan competition at this year's Defcon, somebody said something like "we are now actually able to crack '4 simple word passphrases'" (Can't remember exactly who, where and when, sorry!). Sure we/they can! On the other hand; being able to do so is closer to blind luck, IMHO. Why? Well, back to the entropy, corporate password policies and just plain common language.

We've said password for decades, and we've tried to convert people to use 'passphrases' instead. Is widelyorderprivateestablished a good passphrase? Not in my opinion. Maybe the sentence "I live in New York, USA." (without the quotes) could be better? At least it should be easy to remember for quite a few people over there.

No, do NOT look at the contents of the password and say "Duh! DORK!". You have absolutely no idea what the password is before you actually crack it. See "Please crack my password" below.

Davienthemoose: Nice idea, and you should talk to some of the hardcore John the Ripper (JtR) guys to learn more. From my point of view: we're right back at the entropy stuff again, SP800-63, and much more. Please go back to Matt Weir's paper. :-)
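The keyspace figures traded in the discussion above (Phadej's 50000^x > 94^13, the 600000^4 WolframAlpha number, and the "each word becomes a char" objection), worked through as an added example that is not part of the original post. It shows how the "strength" of one and the same passphrase swings with the attacker model and word-list size you assume; the 2048-word list is the size implied by the 11 bits per word in xkcd 936 and is not stated on this page.

```python
import math

def keyspace_bits(symbols: int, length: int) -> float:
    """log2 of the candidate count when each of `length` positions is
    drawn uniformly and independently from `symbols` choices."""
    return length * math.log2(symbols)

def words_needed(dict_size: int, charset: int, length: int) -> int:
    """Smallest word count x with dict_size**x >= charset**length."""
    target = charset ** length
    x = math.ceil(length * math.log(charset) / math.log(dict_size))
    # Correct any float rounding with exact integer arithmetic.
    while dict_size ** x < target:
        x += 1
    while x > 0 and dict_size ** (x - 1) >= target:
        x -= 1
    return x

def estimates(words, dict_sizes, charset=26):
    """Score one passphrase under a character-level model and under
    word-level models with different assumed word-list sizes."""
    joined = "".join(words)
    out = {f"char-level, {charset} symbols": keyspace_bits(charset, len(joined))}
    for d in dict_sizes:
        out[f"word-level, {d}-word list"] = keyspace_bits(d, len(words))
    return out

# Passphrase quoted in the post, split into its four words.
PHRASE = ["widely", "order", "private", "established"]
# 50000 and 600000 come from the post; 2048 is the xkcd 936 assumption.
DICT_SIZES = [2048, 50000, 600000]

if __name__ == "__main__":
    for d in DICT_SIZES:
        n = words_needed(d, 94, 13)
        print(f"{d:>6}-word list: {n} words to match 13 random chars from 94")
    for model, bits in estimates(PHRASE, DICT_SIZES).items():
        print(f"{model:<30} {bits:6.1f} bits")
```

None of these numbers says anything about a passphrase a human picked rather than drew at random, which is the case the post is arguing about.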

I'll leave it for the evening right here, it's 23:47 and I've got to sleep. again. Just this last one, just for the fun of it:

5. Please Crack My Password
Please crack my NTLM hash: DD1E31A5C1709A9CF54893B89E24CA09
It is 4 words, and it complies with probably most (reasonable) common corporate password policies. It is very personally related to me, making it easy to remember. Good luck, you've got 14 days.
I'll donate some money to freerainbowtables.com or any other password related open-source project of your liking through PayPal, if you can crack my ... password/phrase/sentence above. I'd really appreciate an explanation on how you did it, and of course you can mock me for a LONG time afterwards.


  1. I think we're mostly in agreement on these issues, but let me add another perspective which supports your position. We know from numerous breaches - many storing plain text passwords (i.e. Sony Pictures) - that the vast, vast majority of passwords are short, simple and reused. My Sony analysis is just one of many sources reflecting this pattern: http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

    These are the "low hanging fruit" that are often easily broken through brute force attacks (crypto scheme dependent, of course). The point is that beyond the fancy entropy calculations, longer stronger passwords are unlikely to be deliberately targeted as they're simply too rare to provide much return on the effort.

    Particularly with the #AntiSec hacks we're seeing lately, there seems to be a deliberate attempt to simply expose as many accounts as possible, as quickly as possible. We (they) have a good idea of the structure of the bulk of the passwords and brute force attacks are tailored appropriately. And on that basis, I doubt the individual make-up of those 20 character long passwords has very much impact at all.

  2. Sadly, you are probably correct Troy, and your analysis of the Sony passwords was very interesting. I'm a PS3 owner/player myself, and did a blog post about their efforts to correct the situation back in May.

    I've said for many years now that if a company gets their Active Directory compromised - account data and complete password hash history for every account - you can't recover. period.

    As I tweeted back to you, changing human behavior is difficult. Starting with the developers, software companies and service providers to design, implement and uphold minimum "good practice" password policies would be good.

    Although the economists need a proper business case for doing good security, the Sony compromise should clearly show them that spending a couple of millions initially as well as having a CSO with a budget could probably have avoided this year's disaster.

