As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy. By Bruce Schneier
I figure the names of my ferrets in Pig Latin and a hash of their DNA should be good until the end of the week.
Just tweeted by David Brin:
A virus spread by poorly secured WiFi networks:
I don’t see any clear evidence from your example of why the XKCD method is bad. every example cited immediately before it was either two words, or a string of related words. XKCD recommends 4 or more unrelated (random) words. The reason for the security in this is the size of the problem space.
The obviousness of why this works is even made clear in the comic cited…
Passwords of the form you recommend are harder to come up with and harder to type.
Like @davidfwatson, I don’t see how these developments render the xkcd password method obsolete - as long as the words are truly randomly chosen from a properly large dictionary, it seems to me that guessing them would come down to brute forcing an (n)-item permutation of (dictionary size) possibilities.
If the dictionary is 10,000 entries (a ball-park estimate for the vocabulary of the average anglophone), that’s 10,000^4 = 10^16 possibilities, or about 2^53. The xkcd comic estimates the entropy of such a password considerably below that - 2^44. Still plenty strong.
That said - if Bruce Schneier makes an assertion as to password security, and I don’t agree, I’m pretty sure the odds are considerably in favour of Schneier being the one who’s right.
So, Bruce - if you’re monitoring comments - can you elucidate that point in your article?
I like that he recommends against secret question reminders, but I feel that one key piece of advice has been omitted: that by far the most critical password you have is not your bank or your brokerage account, but your email account. Because if I can take over your email, I can initiate password resets for everything else.
If it is a common word, isn’t it easier to guess than a random letter string? The set of 6-letter common words is a much smaller subset of the set of all possible 6-letter combinations. Would the pass word be stronger if you chose common words and spelled them backwards?
Also - green text on black, seriously? I upgraded from my monochrome monitor awhile ago and I am not going back.
it burns the retinas!!! At least they didn’t put a whole bunch of ones and zeros all over the place to make it look moar digital.
Too hideous; didn’t read.
What Bruce said was that its not a good strategy because it is now commonly used.
That’s the reason.
As soon as you make a system with like, “rules” it gets easier to create instructions a computer can follow to crack the code.
My interpretation of this is that brute force cracking a long string of characters like “correcthorsebatterystaple” is hard just like Munroe said, but once you realize that this longer string is made of a subset of 4 dictionary words, and that a lot of people are using this system, then you can now try brute force guessing using combinations of 4 words rather than 25 individual characters.
And like Bruce wrote, nobody chose random characters anyway, the same pseudo words were used over and over again which made guessing passwords succesful. If the same people start using a different strategy now, its a good bet we’d get people using the same common word combinations or at the very least, common words in those 4 word passwords.
But yes, you can still make relatively hard passwords using uncommon words like supercallifragilisticexpialidoucious, or from different languages or one of the words in reverse or in morse code, or with weird spellings, but it would still hold that most passwords using this system could be cracked by simply trying different combinations.
But I’ll shut up now, before anybody gets the impression that I actually know what I’m talking about
As already mentioned by multiple commenters, the article fails to address any weakness or flaw in Randall Munroe’s four-random-words scheme. Given a 2000-ish word dictionary, the xkcd scheme ensures 44 bits of entropy. It seems like Bruce Schneier mistook the scheme as one relying on sheer password length (which would have yielded 117-ish bits of entropy for the xkcd example) rather than dictionary size. Either way, I’d like to hear from Bruce what he meant.
As for the “Schneier Scheme”, it has a deceptive (and significant) weakness: The sentences people will tend to choose will not be random or unique. They will be based on famous quotes, song lyrics, company slogans, catchphrases, memes, and poem verses. This, coupled with the near-certainty that people will want a password of a reasonable length, leads the industrious password cracker to do something like this:
(disclaimer: I have actually used a scheme identical to Schneiers method for over a decade, but I would prefer to switch to the xkcd scheme today if most password policies didn’t require numerics and special chars)
-
Collect poetry (all the popular stuff is easy to find), lyrics (millions of tracks easily found), quote collections (readily available), movie scripts (easily gotten from subtitle databases) and the all-time-greatest-hits of the Gutenberg collection. This would amount to a good chunk of data at first glance, but in reality it shouldn’t be more than a couple of gigabytes. Still, too much to process by hand, so we throw a little bit of Big Data processing at it; a small Hadoop cluster should make short work of it.
-
First we split all the text into smaller chunks, by sentence or part-of-sentence – whatever feels reasonable, possibly multiple ways to account for passwords starting mid-sentence
-
Then we strip all but the first letter of each word and remove all the spaces. Special characters like dashes are kept, words with common single-char abbreviations are rewritten (‘and’ to ‘&’, ‘you’ to ‘u’, ‘one’ to ‘1’…). The result is a large (perhaps even too large) corpus of ‘Schneier Scheme’ strings encompassing every well-known sentence in the english language, including some punctuation and all the expected upper-lowercasing.
-
Of course, the above corpus is still a bit large, so we weed out the too-short and too-long strings, since most sites/systems require a minimum password length, and most people will not want to type much more than maybe 12 characters. This brings our corpus size down a little.
-
Finally, we do some qualitative scoring on the strings; we might do a simple case-insensitive word count on the results in case some gibberish strings tend to appear more commonly; we might construct a suffix trie of the entire corpus, we might use frequency analysis on bigrams and trigrams, and we might give additional weight to this year’s pop songs or recent blockbuster movies; and through all this arrive at a (still very large) corpus of 6-12 character strings, sorted by some (admittedly fuzzy, but probably not half bad) measure of ‘likelihood’.
-
Finally we return just the top million strings or so – hardly a challenge for any decent password cracker tool, and it’ll find every single instance of “Ik1g&Ili” – “I kissed a girl and I liked it”.
Couple these with some mutating appendages and I’m betting you’ll break most real-world “Schneier Scheme” passwords. Not because the scheme itself is broken (it’s not), but because people are pragmatic and not very good at generating (or remembering) personal, unique sentences.
People want something they can remember, and the more “pattern-breaking” (i.e. hard) transformations they do to the string, the harder their password becomes to remember. Most people will choose a quote they like, include a comma or a dash in the correct place, capitalize the correct word(s) and perhaps add an appendage (especially if the original sentence wasn’t very long).
Worse yet, some people will actually choose a unique sentence they like, but they’ll choose one they like so much that it can be mined right off their own Twitter/Facebook/Google+ feeds.
Anyway, to make a long story short: I’d still like to hear Bruce elaborate on why he won’t recommend the xkcd scheme.
I didn’t like that one so I changed it!
It’s funny how things change. We used to tell people to never write down their passwords. Now, we tell them, they HAVE to write down their passwords. Writing them down is the only way to keep track of them, when you use a different password for everything.
So, now, we teach them to use password managers. I use KeePassX. We use several different ones. All are preferable to using the same password everywhere. But some people need more physical reassurance. So, in my password presentations, I show people how to make a credit-card sized book. Then I tell them that it is OK if they write their passwords down in the book, as long as they keep it safe with their credit cards.
Making these books is simple. You fanfold a piece of paper around a credit card. Then you draw a line across the middle and put a couple staples side-by-side
on the line. Then you fold on the staples and trim the other 3 sides till they are slightly smaller than a credit card. The 16 pages are about the same thickness as a credit card, and it stores easily with your cards.
If people ask ask about losing your passwords when they get mugged, I suggest they remember a simple transformation. Perhaps:
- Switch the 2nd and 3rd characters when they write them down;
- Or rotate the 4th character when they write them;
- Or swap the 1st and last characters when they write them.
I just have a loosey goosey* formula for generating my passwords for a given site. There is a relatively simple one for sites where I am not too worried about security and a more complicated one for sites where I need security.
* the formula tends to vary a bit (fuzzy logic, I guess)
My problem is the password recovery questions…
I try to be clever and pick stuff that I am sure that I will remember, but is not an obvious answer to the question – problem is that I never remember my clever answers?
I end up having text files for those questions. The harddrive has whole disk encryption so there is that to break if it is stolen. But not much better than keeping a scrap of paper about really.
Try their names backwards in Klingon…
Yes…Bruce is just wrong on this one.
"The attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. "
Personally, I use DiceWare to generate passphrases to all of the accounts I use. As long as the site I’m using allows for long passphrases, that’s safe.
The problem is that normal people don’t do that. Instead they will create passphrases like “ihatehackers” or “iloveharrypotter” which are not random at all and not a good practice.
The problem with password recovery questions is that websites use them at all. What I do is generate a random string for the answers and store those in my password manager as well. So the answer to “What’s your grandmother’s maiden name?” is going to be “xlzy385671L%aiop!”