Wednesday, June 15, 2011


@itinsecurity asked me for a blog post regarding Haystack, described as an interactive brute force search space calculator. Haystack comes from Gibson Research Corporation (@sggrc). I did retweet, asking @purehate_, @iagox86, @lakiw, @quelrods, @CrackMeIfYouCan and @d3ad0ne_ for their opinions as well. Since we're all above-average interested in passwords, why not see if we have any opinions in common? :-)

@purehate_ replied with a link to a blog post from @d3ad0ne_ called "Does password padding make your passwords more secure?", which I guess directly relates to the podcast from @sggrc and Haystack.

@quelrods (James Nobis) has also written his opinion on Haystack, as his very first blog post! (woohoo!)

There's probably no point in writing much more; I'll agree with purehate_, d3ad0ne_ and quelrods. Padding your password to lower the chances of crackers breaking it is not the best of ideas, as with probably... oh... a LOT of similar suggestions.

Let's talk a little psychology and security awareness instead.

I think we - as humans - are better at remembering positive things than negative ones. Sure, there are some events way back there in your brain that won't go away anytime soon, but for the most part I think we're better at the positive things. I can still remember what color and type of clothes my wife was wearing the very first time I saw her. Black trousers, black shoes, red sweater, oval green sign with "Smash" written in white (she worked at a clothing store at the time). Could that sentence be my password^H^H^H^Hphrase? I'd love to see somebody crack that, with no prior knowledge of either password policy restrictions or my preferred choices of passwords.

Obtaining a written password policy, as well as the various technical implementations, is a "piece of cake". It's easy. It is so easy that calling it "social engineering" is... well... an overstatement.

On the other hand, you really don't need to talk to many users before they will curse you from here to anywhere, when you ask them about password policies and password construction schemes. Try your mother, probably a good place to start.

See; there are way too many security people out there trying to teach people advanced password construction schemes in order to create - AND REMEMBER - advanced passwords. Suddenly the poor end-users must not only try to remember their password, but the construction rules as well. It just doesn't work in most cases - at least not in the scenarios I've tried out. (I have to admit this sure is something I'm going to dig deeper into, along with psychologists and other people studying human behavior etc.)

That's why I've been telling my mom - and others - to write a sentence in normal language as their password. Hey, it's summertime, barbeque and margueritas, here we come! Positive sentence, shouldn't be that hard to remember.

Drop 99% of your written password policy and construction guidelines. It's pretty useless. People are just not interested. Breaks my security heart, but not much to do about that. Tell them to use sentences. Positive ones. Deploy electrical treatment to all programmers and sysadmins who refuse to implement UTF-8 length 255 password support.

A large part of the problem is on our side. The security folks, the sysadmins, helpdesk who mess up everything, the haystacks of old and ridiculous policies stowed away in something called "QMS". 

Stop blaming the end-user every time something goes kaboom. They are the ones who keep you in a job. Don't fight them, help them!

And that's it from the happy-shiny-people's department today.


  1. So, in sum, you're making the same point as Gibson: length trumps entropy?

  2. Erm... No. Or yes. :-) If that's what you read, I've made a mistake.

    Read the (old) blog posts from Matt Weir at in regard to entropy. You probably remember my slides on per-position entropy as well.

    I think that a sentence in most cases will trump a padded password at the same length, but it will all of course be a bit dependent on the attack method used. Brute force will be difficult when you don't know too much about either entropy or length. Various types of logical attacks, like those of @lakiw (Matt), @purehate_, @d3ad0ne_ and our new friend Norbert in Germany should give a higher probability of recovering passwords in a lower amount of time.

    In summary with the other me: I'd prefer the combination of length + entropy. @sggrc pretty much suggests length as the sole factor for achieving "unbreakable" (Thanks Oracle!) passwords, I don't. I want the combination, and more importantly; I don't want much info in my (written) password policy, as that greatly aids in setting boundaries and limits to simplify and speed up logical cracking attacks.

    On the other hand; if you worry about somebody running Cain on your LM/NTLM password, you could use spaces (blanks) as your padding at the end of your password. Cain doesn't display the HEX value of your password, making it more difficult to see the actual password. ;-)

  3. Seems we agree perfectly, really :)

    Actually, to Steve Gibson's defence, he is very clear on the fact that a minimum of entropy must be present, although his way of saying so is slightly cumbersome. He talks about always using all four character classes in your passwords. If you only stick with mixed case, or maybe just lowercase, you expose yourself to the risks of a very reduced solution space.
    The flaw of that argument is of course that if it's predictable how you use them...

    But I agree with you of course, there must be minimal knowledge of length and entropy. But for me that's a given: "Dear User, never tell anyone your exact system for creating passwords." But even that is also a stretch to think we can achieve.

    And since our policies are more or less public information they shouldn't contain too many details. They shouldn't contain any significant detail on how you create passwords at all. If we security folks can't avoid that, we only create more problems for ourselves. We become David Gunson's air traffic controllers, I guess: "All we do with air traffic control is to force the airplanes down very narrow corridors, thereby greatly increasing the risk of collision, and thereby justifying the job of an air traffic controller to keep them apart."

  4. I concur with you and @itinsecurity regarding complex password policies. The more advice security professionals give users on password construction the more we'll see Summer2011.

    Now, we just have to solve how long pass-phrases are entered without error when the user just sees *****. Also, someone at my office only a year older than me cannot touch type so even requiring length + 1, where length was the old requirement, causes a lot of grumbling to come my way.

    As a Texan I must correct your spelling of "margueritas". The proper spelling is margaritas. It is one of few consolations in our 36C summer days. BBQ is an event for spring or fall as summer is when you stay inside.

  5. Creating a strong password really comes down to doing something unique. As long as only a few people use padding to create their passwords it's a strong scheme. I certainly don't try 'password....................' in my cracking sessions because it's just not that common of a mangling technique. If on the other hand a significant portion of users (let's say 2-5%) start following the haystack method, it becomes a worthwhile target to attack. Likewise, as @quelrods talked about in his blog post, there are certainly attacks (including rainbow tables) that can target such a mangling technique.

    That being said, I think we're missing a bigger point. I've slowly come to the belief that password strength rarely matters as long as users pick a password that is resistant to online attacks (aka can't be guessed in a thousand guesses or so). Yes, there are a few exceptions like file encryption, but for your average user picking a mediocre password doesn't have any negative impact for them that can't be solved some other way. As a security community we need to be pushing users to select different passwords for different types of sites. While I'm a huge fan of password vaults, it's going to take a while for them to gain a large-scale following. In the meantime my main advice is everyone needs at least four passwords. One for their online financial sites, one for their webmail, one for their social network sites and one for the millions of other sites that you have to log onto. That way if you signed up for a Sony contest (to use a recent example), you don't have to worry about your e-mail getting hacked because Sony stored your passwords in plain text.

    I also think much of the responsibility of password security needs to fall on system designers. Hashing and salting passwords is a must. Likewise rate limiting online guessing attacks is very important.

    I may just be jaded, but I think that trying to get users as a group to pick strong passwords is one of the most difficult ways to go about ensuring password security. The analogy that I enjoy using is it's like we're proctologists who turned auto mechanics. Yes, our tactics may work, but we put a lot of effort into trying to fix everything by going through the tailpipe ;) Let's instead try to directly fix the parts that are breaking.

    BTW, thanks Per and @quelrods for writing blog posts since this is a lot easier to respond to than twitter postings ;)
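As an added illustration of the search-space argument running through this thread (the reply above preferring length plus entropy, and Matt's point that padding only holds up while few people use it), here is a small Python script that is not part of the original post, of the comments, or of Haystack itself. It computes the Haystack-style exhaustive search space for a password, then the far smaller space an attacker faces once the padding scheme is known (core guessed exhaustively, pad character and pad length tried separately), and the space of a dictionary passphrase. The 26/26/10/33 character-class sizes, the treatment of space as a symbol, the 30-character pad cap, the 7776-word dictionary and the sample password are all assumptions chosen for the example.

```python
import math
import string

# Character-class sizes in the Haystack style (26 lower, 26 upper, 10 digits,
# 33 symbols). The symbol count and counting space as a symbol are assumptions
# made for this example, not values taken from the page.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
MAX_PAD_LEN = 30  # assumed cap on padding length an informed attacker would try


def alphabet_size(s: str) -> int:
    """Alphabet an attacker who only knows which classes appear has to cover."""
    size = 0
    if any(c.islower() for c in s):
        size += LOWER
    if any(c.isupper() for c in s):
        size += UPPER
    if any(c.isdigit() for c in s):
        size += DIGITS
    if any(c == " " or c in string.punctuation for c in s):
        size += SYMBOLS
    return size


def haystack_space(password: str) -> int:
    """Exhaustive search space when the attacker knows only the character
    classes used and the maximum length: sum of A**n for n = 1..len(password)."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def padded_scheme_space(password: str, pad_char: str) -> int:
    """Search space once the padding scheme itself is known: the attacker
    guesses the core exhaustively, then tries every pad length up to
    MAX_PAD_LEN with any of the SYMBOLS characters as the pad."""
    core = password.rstrip(pad_char)
    return haystack_space(core) * MAX_PAD_LEN * SYMBOLS


def passphrase_space(num_words: int, dictionary_size: int) -> int:
    """Diceware-style passphrase: each word drawn uniformly from a word list."""
    return dictionary_size ** num_words


def bits(space: int) -> float:
    """Work factor of a search space in bits (log2), 0 for an empty space."""
    return math.log2(space) if space > 0 else 0.0


def compare(password: str, pad_char: str = ".") -> dict:
    """Work factor of one password under both attacker models, in whole bits."""
    return {
        "haystack_bits": round(bits(haystack_space(password))),
        "known_scheme_bits": round(bits(padded_scheme_space(password, pad_char))),
    }


if __name__ == "__main__":
    padded = "Red7" + "." * 20  # constructed sample: 4-character core, 20-character pad
    print(compare(padded))
    print("4 random words from a 7776-word list:",
          round(bits(passphrase_space(4, 7776))), "bits")
```

The gap between the two numbers is the whole argument: the padded sample looks like roughly 158 bits to a blind brute-force attacker, but about 34 bits to one who knows the scheme, while four random dictionary words sit at about 52 bits under either model because a word list has no pattern to exploit beyond the list itself. As Matt notes, the second model only becomes worth coding into a cracker once enough people adopt the scheme.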


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.