[clug] [OT] all text passwords == secure?

Scott Ferguson scott.ferguson.clug at gmail.com
Sun Aug 26 20:02:33 MDT 2012


On 27/08/12 10:22, Alex Satrapa wrote:
> On 27/08/2012, at 08:53 , Scott Ferguson 
> <scott.ferguson.clug at gmail.com> wrote:
> 
>> Now if the education system taught basic mnemonics (and education)
>>  it might reduce the difficulty some people have. I favour my 
>> password formulae[*1] - but a lot of people get vision problems, 
>> hypertension, and blinding headaches, when attempting it. :-/
>> 
>> [*1]https://lists.samba.org/archive/linux/2012-August/031365.html
>> 
>> I've seen lots of presentations for biometric and presence based 
>> authentication systems... which are much hyped. But every one I've 
>> looked at had gaping holes - and significantly higher costs.
> 
> Here is my "formula" for passwords: write a story about the site that
> I'm generating the password for. No character substitution, no 
> forgetting whether it's F0rmu!a or fORmul4.

Good - character substitution is no protection against a dictionary
attack and it's a common cause for people forgetting their password.

> My password for one particular recipe site is, "I visited this site 
> in order to find more recipes that use red lentils and mango."

Better - because it allows you to use a different password for different
uses. The most common reason people state for not doing that is "I can't
remember which one is which".

> 
> If the site has stupid policies in place like, "MUST contain a digit
>  and punctuation",

Again - I'd argue that they are not "stupid" policies. They're there to
stop people from using passwords vulnerable to password attacks.
Unfortunately some people have difficulty understanding a very basic
concept - it doesn't matter if the password is composed of one word, or
twenty - *if it's composed of words it's vulnerable to a dictionary attack*.
Simply adding one non-alpha character somewhere (preferably *not* at the
end of the password, preferably not a number) will render a dictionary
attack useless. Now entropy is applicable to determining the difficulty
of guessing the password.

NOTES: I'm not saying substitution - addition, preferably 'insertion' eg.
"I~visitedthissiteinordertofindmorerecipesthatuseredlentilsandmango"

If the glyph is the second letter in every password - then every
password can *not* be guessed without a brute force attack.

Of course you are unlikely to remember that phrase (I get your point) -
"S~iteNameRecipesMango" could work.

Unfortunately that won't protect you against password sniffers - so
don't use that password on a computer you don't trust ie. public
library, workplace(?), someone else's computer, especially that terminal
in the frequent flyers lounge.

That's where typing:-
"SiteNameRecipesMango"
hitting the Home key followed by one press of the right-arrow and
entering the glyph works.
Sounds complex - but you'd be doing the same routine with every
password, only the phrase unique to each site/application changes. It
quickly becomes automatic.
It also means you can write it down (the phrase) as it's useless without
knowing what non alpha character you insert - or where it's inserted.


> I'll turn to 1password and generate a password with as many 
> characters as the site allows (remembering that shorter passwords
> are less secure), and keep hacking away until my password fits inside
> the insecure password policy of the site (must have punctuation, but 
> spaces are not allowed, neither are brackets or braces or square 
> brackets or percent signs, yadda yadda, because the company's 
> illiterate suit-wearing programmers don't know the difference
> between URL escaping, HTML entities, SQL and Unicode).

Idiots[*1] on the back-end are a problem. I don't 'believe' passwords
should be directly handled by the application, and not just because of
the limitations they can (eg. php) place on usable characters. Anything
that makes it harder for people to use good passwords is stupid.

[*1]any programmer who says spelling is not important is an idiot.

> 
> The pertinent message of the xkcd episode about password entropy was
>  that "formula" passwords are difficult to remember while long 
> sentence passwords tend to be easier,

Sort of... I get:-
Some people take analogies literally (think the map is the territory).
Humans are stupid. All of them. As long as burglars are stupid your lock
will keep them out - until they realise that the window/wall/roof/floor
etc are trivial to defeat.
Eg. The pertinent message should be that there's a *big* difference
between something that can be guessed with a trivial dictionary attack,
and 550 years.

Something to do with the assumption that only a brute force on
all 218 characters is required to guess a 25 character password.
Despite the fact that the vast majority of people *will* use words from a
dictionary to remember a password that long.
Presuming that any attacker is going to jump right in with a brute force
attack is dangerously naive.

Like most security flaws - the hole exists because people make false
assumptions.


> and the extra entropy from simply having more characters is a bonus.


You confuse entropy with a measure of difficulty. Entropy is a
mathematical measure of the equivalent of coin tosses. Coin tosses are
random - humans are not. We tend to be less original than we'd like to
believe. If entropy (and I dislike the use of the term - it does not
mean what information scientists have applied it to, any more than
organic should mean "natural" or that ocean east of Newcastle is the
Specific) represented difficulty then all attacks would be bruteforce -
*very few are*.

> And the pertinent message from the discussion on this list has been 
> that people can't do statistics & probability, and confuse 
> permutations with entropy

People are also poor at extrapolations. And poor at security in general
- we tend to "guess" about risks and are blind to how easily our
emotional judgements (trust) are manipulated. Just ask Tattersalls,
Unilever & Kitchen, or Bally. ;-)

They are also poor at critical thinking and tend to make deep emotional
investments in their opinions and ability to "judge" the worth of some
one else's opinion. This leads them to disregard facts and avoid testing
their beliefs. It's always amazing to see how much more time and energy
people will put into defending a belief - than what is required to
prove it. The whole discussion about the amount of permutations an
attacker *must* try in order to guess a password is a good example -
it's trivial for any Linux user to test eg.:-
echo correcthorsebatterystaple > password.txt
now think like an attacker and point your tool of choice at password.txt.
NOTE: would you, as an attacker, immediately launch an attack you know
is going to take 550 years? (I know - it wouldn't actually take anywhere
near that long - so did the writer of the strip, he's just illustrating
a point ie 5 times the length is not 5 times as many combinations).

> (with a side order of narcissism from people who view themselves as 
> "superior" due to being able to remember arcane passwords, lamenting
>  the mental capacity of the rest of the population who will not 
> partake in algebraic onanism for the sake of password security).

Too much emotional content ;-p
:-D

> 
> Of course storing my passwords in 1password means that I'm vulnerable
> to attacks against the equipment storing those passwords: one airport
> security agent plugging my smartphone into a memory dumping device
> for a few seconds will spell the end of life of all my passwords.

You could also have a minor stroke, your device could be compromised,
1password could be exploited... but you've closed as many holes as
possible. Some people will suggest you rotate all your passwords
regularly to limit exposure (no system is perfect) but I suspect that's
something that systems and applications should be responsible for (limit
speed of login attempts, lock out account after three failures in 24 hours).

> I have taken to changing my collection of a few hundred passwords
> after every trip that involves checked baggage. Thankfully I've not
> yet had security staff demand that I hand over my carry-on devices to
> be inspected, but I can never be sure that checked baggage hasn't
> been tampered with (https://www.youtube.com/watch?v=G5mvvZl6pLI).
> 
> TL;DR: If you don't make it hard for people to remember passwords, 
> they won't write them down on Post-It Notes. Your "simple" formulas 
> are actually arcane.

arcane?
Either that word doesn't mean what you think it does - or a large number
of people represents secret. I didn't invent the technique - it was
drilled into me and thousands of others. ;-p

> 
> Alex
> 
> 
> 
> 

Kind regards
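An added worked example for this archived message (written for this page, not code posted by Scott or Alex): it puts numbers on the two attacker models the thread keeps coming back to, a dictionary attack on a concatenation of words versus a per-character brute force, and shows why inserting one non-alpha glyph near the start moves a phrase out of the word-only search space. The small word set is constructed, and the 2048-word dictionary (about 11 bits per word) and 1000 guesses per second are assumptions chosen to reproduce the roughly 550-year figure the thread quotes; all function names are this example's own.

```python
import math
import string

# Constructed sample word set for the demonstration. A real attacker wordlist
# is far larger; its size only enters the estimate via DICTIONARY_SIZE below.
SAMPLE_WORDS = {
    "correct", "horse", "battery", "staple", "site", "name", "recipes",
    "mango", "red", "lentils", "and", "i", "visited", "this", "in", "order",
    "to", "find", "more", "that", "use",
}

# Assumed attacker parameters (not from the thread): ~2^11 words per slot, as
# in the xkcd-style estimate, and 1000 guesses/second against an online login.
DICTIONARY_SIZE = 2048
GUESSES_PER_SECOND = 1000.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def min_word_split(password, words=SAMPLE_WORDS):
    """Fewest dictionary words whose concatenation is exactly `password`,
    or None if no such split exists (the password is then outside the search
    space of a word-concatenation dictionary attack)."""
    n = len(password)
    inf = float("inf")
    best = [inf] * (n + 1)
    best[0] = 0
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] < inf and password[start:end] in words:
                best[end] = min(best[end], best[start] + 1)
    return None if best[n] == inf else best[n]


def alphabet_size(password):
    """Size of the character set a per-character brute force must cover,
    estimated from the character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(length, alphabet):
    """log2 of the number of strings of `length` over `alphabet` symbols:
    the work of an exhaustive per-character search."""
    return length * math.log2(alphabet)


def work_bits(password, dictionary_size=DICTIONARY_SIZE):
    """(model, bits) for the cheaper attacker model that still covers the
    password. Case is folded for the word model because wordlists are
    lowercase and tools try case variants cheaply."""
    n_words = min_word_split(password.lower())
    if n_words is not None:
        return "word-concatenation", n_words * math.log2(dictionary_size)
    return "per-character", brute_force_bits(len(password), alphabet_size(password))


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["correcthorsebatterystaple", "c~orrecthorsebatterystaple",
               "SiteNameRecipesMango", "S~iteNameRecipesMango"]:
        model, bits = work_bits(pw)
        print(f"{pw:28} {model:19} {bits:6.1f} bits  "
              f"~{years_to_exhaust(bits):.3g} years to exhaust")
    # "5 times the length is not 5 times as many combinations": the ratio of
    # 25-letter to 5-letter lowercase strings is 26**20, roughly 2**94.
    print("extra bits from 5 -> 25 lowercase letters: "
          f"{brute_force_bits(25, 26) - brute_force_bits(5, 26):.1f}")
```

Running it shows the four-word phrase sitting at 44 bits under the word model (about 557 years at the assumed rate), while the same phrase with a glyph inserted as the second character has no word-only split at all and forces the attacker back to a per-character search over a much larger space. The estimate is only as good as the attacker model fed to it, which is the thread's real point: a long password built from dictionary words should be scored with the word model, not the per-character one.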

