[clug] [OT] all text passwords == secure?

[Scott Ferguson]

On 27/08/12 22:54, Sam Couter wrote:
> Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
>> Unfortunately some people have difficulty understanding a very basic
>> concept - it doesn't matter if the password is composed of one word, or
>> twenty - *if it's composed of words it's vulnerable to a dictionary attack*.
> 
> I think you've missed something here, 

No. I am not missing anything.

> and that's the size of the set of
> words from which you're selecting the password compared with the size of
> the character set you're using.
> 
> If we assume around 131,000 (2^17) words in English, four randomly
> selected words is way better than an 8 character extended ASCII password
> which is used by nobody ever and it's easier to remember. Three words is
> about the same as a more normal password using only printable ASCII.

Yes. But I'm not, and have never, argued that people should be using
short passwords.

A dictionary attack is too easy - and it's the first attack tried. Add
just one non alpha character to that multi word string and only brute
force will guess it - then you have a much harder password to break.
Much, much harder.

The difference between brute forcing 8 characters and brute forcing 25
characters is greater by a large factor than the difference between
brute forcing 8 characters and a dictionary attack on 4 words - even if
the speed of the attack is only a million attempts per second.

But adding one non alpha character is apparently "too hard".  That's the
problem - not that people are really so retarded they can't pick a non
alpha character, remember it, and add it to all their passwords (just
not as the last character or as a alpha substitution).

Examine all the major security breaches and you'll find someone,
somewhere, decided it was "too hard" to do something very basic. That's
a mental problem most typified by the sort of thinking that constructs
elaborate arguments and investing great energy to justify doing very
little. This leads otherwise intelligent and rational people to abandon
logic and let emotion blind them - instead of measuring the various
arguments they look for (and invent) flaws in the person presenting an
opposing view in a sad attempt to justify their recalcitrance. eg. an
ad-hominen attacks using large words for wanker (too be clear - I'm
*not* referring to you Sam).


Most of the math people are trotting out is just fetishism - it should
*never* apply. Any system that allow fast password attempts (more than a
few per minute) or a large number of failed attempts is a bad system -
regardless of how many "developers" "need" the ability to fail all day long.

> 
> Longer combinations of words are much less vulnerable.

Longer *numbers* of word are *less* vulnerable than shorter *numbers* of
words.

What you are missing is that the XKCD strip is being interprete to mean
that number of words (total of 25 characters) is *less* vulnerable to a
brute force (try all 218 characters) attack on 8 mixed character. It is.
What the strip misses is that in real life (not a comic strip) an attack
would *not* be brute force - it'd be a dictionary attack.

> 
> I don't know whether 131,000 is a fair count of the number of English
> words. Adjust numbers according to your method of counting.

I'm guessing you could probably at least triple that to take into
account SMS speak, names etc.

> 
>> Simply adding one non-alpha character somewhere (preferably *not* at the
>> end of the password, preferably not a number) will render a dictionary
>> attack useless. Now entropy is applicable to determining the difficulty
>> of guessing the password.
> 
> Your extra character has added a few bits (depending on how random your
> selection of character and position is) 

Yes. An almost irrelevant amount of extra complexity. I get the point of
the cartoon.

Do you get the point where the extra non alpha character *forces* a
brute force attack? Whereas without it entropy doesn't apply because
entropy is a measure of randomness - which does *not* apply to
dictionary attacks.

> and makes the password much
> harder to remember. 

One non-alpha character, used in every password, is 'much' harder to
remember?

> I'm not saying don't do it, I'm saying don't
> overestimate the strength you've added compared to the difficulty of
> remembering it. Consider just adding another word instead.

That doesn't force a brute force attack - which is the point. Entropy
impresses people and it blinds them to the fact that it only applies (as
illustrated in the strip) when all 218 variations are tried. Doesn't
happen. Even script kiddies have tools that try dictionary attacks first.



> 
>> That's where typing:-
>> "SiteNameRecipesMango"
>> hitting the Home key followed by one press of the right-arrow and
>> entering the glyph works.
> 
> This is fantasy - in the real world people have to use systems where
> it's difficult or impossible to make cursor keys work right.

It applies to any system that uses a standard keyboard.

People don't type 25 characters of words into their phone - and banking
terminals don't allow for alpha characters. Just because some systems
suck doesn't mean all systems should be made to suck.

> 
>> Idiots[*1] on the back-end are a problem. I don't 'believe' passwords
>> should be directly handled by the application
> 
> More fantasy? 

Only if it can't be documented.

> Authentication is pretty integral to most applications
> because authorisation is integral to them.

That reads like gibberish (but I think I understand what you mean).

I can think of a number of examples of where that's been a very bad idea
- better to use a dedicated tool than knock up something for every
application. I note that is not always easy, or possible - but plenty of
times (with database driven web applications) that approach has created
a situation where people get lazy and make a mistake elsewhere in the
application which leave the whole thing wide open. I can think of
several applications where it's common practise (two are very popular CMSs).

Kind regards