Sunday, April 15, 2018

Let's stop talking about password strength

Picture from EFF -- CC-BY license
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavior, such as using bcrypt, there is less onus on the user.

But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather then give pertinent advice we give lazy advice. We give the advice that victim shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.


jpeg725 said...

I often wonder how many people, when faced with a site that demands an email address and a password, will enter their email address and the password of their email account.

Maybe websites should ask "Would this password let me in to your email account?" and go on to say that this password should be different.

Daniel Dennis said...
This comment has been removed by the author.
Daniel Dennis said...

I can't take any security article seriously that actually believes shit like this. Truthfully, the problem is your password is shit and you've reused it. Why? Because reuse multiples the problem. It isn't the point of failure. The point io failure is the strength of the password. A strong, random 32-character password used everywhere is better than a weak 8-character password used once. One can be cracked once and the other can't. Hashcat and rainbow tables can't touch a 32-character password. Your best ootion is a long, random password used once. Additionally, if you can pronounce it you've probably got a weak password. Stop pretending in ignorance that strength isn't a factor. Any serious professional who has spent any time cracking passwords knows reuse doesn't matter if the passwords can't be broken.

Anonymous said...

I can't take anybody seriously that suggests a single password of any strength, even a "32-character" one, to be re-used with everything. The article author is absolutely correct that password re-use is the bigger problem.

If you think your single 32-character random password is strong enough to use everywhere, please allow me a few minutes to set up a compelling web site for you to sign in up with so that you'll willingly give me your email address and "secure" 32-character password that you use everywhere. I won't tell you that I'm doing this, of course, but you won't be able to resist creating a new account on my site because it'll be the next big thing. I'll be sure to mention in my "Privacy Policy" that I'm using 5000 rounds of bcrypt to protect your password. It's not true, but it sounds nice and will satisfy the suckers who think they know what "secure" means, just like you.

As soon as you give me your "secure" password I can sell it to the highest bidder who will just use it to own everything you've got, or turn around and immediately start trying to use it log into various other web sites, including your email provider. How many of the accounts that you've used the same password with actually use some form of two-factor authentication that has some chance of protecting you from your poor security practices? Do you even use 2FA anywhere? Very few sites support 2FA, today, unfortunately. Are you maybe using SMS-based 2FA on some sites? I know some people who can intercept your incoming SMS and deal with that problem.

How well is this scenario going to work out for you? How well is this going to work out for the poor gullible people who believe your BS that a single "strong" password is all you really need to protect everything?

I'll just repeat what the author said -- The "strength" of your password matters less than re-use of the same password.

What this probably means is that you will need to use some type of password management to keep track of everything, and the best part about that is it would allow you to use Strong AND Unique passwords! WOW! Mind. Blown. Well, not really, though, because this is what I've been doing for years at work and home, and help all of my family members do this, as well.

Daniel Dennis said...

I use 2FA wherever possible. Where it isn't, I use the strongest length available for the site, which often falls under 64. I chose 32 because it tends to be my go-to but many are longer. As stated, a password uncrackable based on today's technology is more secure even if it is reused because it's a true statement. I never said it's all you needed. I stated of the two components one is the point of failure where the other simply multiplies the problem. There's nothing factually incorrect about that statement because if you can't crack it you can't reuse it. That's not to say you trust it to never be intercepted or trust every website. But as you validly point out, sometimes you are trusting security based on nothing. We know how things like Windows store passwords but the web is a different animal. That's why I do use a password manager and have for numerous years -- long before they were common. Mine are all random, all ridiculously long and complex, and never used twice. The point is I don't take anyone seriously who proposes secure passwords matter less than reuse. You have to tackle both or you arent doing enough.

Anonymous said...

What you've previously said is not a true statement. At all. "The point [of] failure is the strength of the password" is demonstrably untrue.

It only takes one example to disprove the statement, and I've already provided one. Please provide a solid counter-example of why only "unique" passwords are less secure than only "strong" passwords. Keep in mind the average password complexity requirements in your deliberations.

Let's try this another way. Which of the following scenarios is easiest for the attacker and least likely to be noticed by the victim?

1) A single compromised password of ANY complexity that an attacker can simply copy/paste.

2) Or, unique passwords of ANY complexity that are not all known in advance to an attacker, so the attacker must try to leverage the knowledge of less than the sum total of unique passwords to compromise other accounts of the victim, such as by compromising the associated email account of the victim and then using password reset functionality for other accounts associated with that email account.

For offline brute-force attacks via stolen password hashes to occur, that site must already have been compromised at some level. Other than only stealing the password hashes to try to crack, there is a strong possibility that the attacker has also installed password capture malware on the server that gives them the plain-text password from the web site's login form the next time you use it. There is zero "cracking" of your password necessary at that point. Uber-Strong random 128-character or weak-ass 6-character password -- it just doesn't matter now, the entire password and that account is compromised. Period.

You should assume that any password of any complexity that you submit to a web site is already compromised as soon as it is received. That password should be unique to minimize the leverage that this would provide an attacker.

The entire point of the author's article was to point out that someone trotting out the advice "a strong password is more important than a unique password" is not actually "measuring insecurity in terms of costs vs. benefits, risks vs. reward". Today, it is easy demonstrable that a strong-but-shared password is a greater risk than a weak(er)-but-unique password.

The order of priority that everybody should be shouting from the rooftops regarding passwords is:

1) Uniqueness
2) Complexity

That is not saying that complexity is not important. It is LESS important.

If you can't make every password unique because you can't reliably remember that many passwords or you refuse to use a password manager, then at least weigh your risks and make the most important passwords unique, especially to your email account(s) which provide password-reset ability to other accounts, and then -- if you insist -- use a common password for everything else. The common password can be weak or strong, it doesn't really matter, because the chances are that it has already been compromised.

Daniel Dennis said...

Sure. I've tested numerous environments where hundreds of users have different, weak passwords. They're all unique. They're all weak as shit. They're always cracked. Granted, a Windows network is different than the web. With Windows you know there is a level of security, albeit weak in many cases. The web is a different beasts altogether, which brings me back around to the entire reason for my comments: the whole "stop talking about" aspect within the title of the article. You can't just stop talking about it. You have to add more to the discussion. Length isn't enough. Complexity isn't enough. Together they're better. You bring up malware and social engineering. My initial comments were regarding specifically passwords and their development. I do hundreds of phishing tests every year. I steal dozen of passwords every week. I see lots of shitty passwords. You are right -- people, and often what they accidentally do on the web, are often the problem. But you can't just dismiss strength/complexity either. Length, complexity, reuse, they're all part of the discussion because they're all relevant to different areas.

Anonymous said...

It sounds like what you're saying is that you didn't read anything more than the subject of the article and didn't bother reading any of the actual article content at all, and decided that was enough to spew vitriol and Just Plain Wrong security advice in your first comment.

I didn't even previously address the ridiculousness of "if you can pronounce it you've probably got a weak password", but, well, I'll just leave this right here:

Nowhere -- in the article that you apparently didn't read -- did the author dismiss the importance of strong passwords. The SECOND paragraph literally starts with "Yes, weak passwords can be a problem" and goes on to say that it's not wrong to advise using strong passwords. I also never dismissed the importance of strong passwords in what I've said.

Daniel Dennis said...

I read it. It's chock full of this insane idea that secure passwords advice is obsolete, that while weak and crackable it's really not as big a problem, and even goes so far to call the advice lazy. Leaving it out of the discussion is lazy. Strong passwords, again, are long, complex, random (or not pronounceable), and ideally never used twice. Yeah, this means you have a manager. I'm guessing you agree, right? You're probably using something like KeePass or LastPass. You probably use long passwords with rigid complexity, and you probably aren't using them twice. If you aren't you aren't doing it very well.

Kiki said...

You missed the point. People that develop shit websites store your password in plain clear text in unprotected mongo dB. You only need one shit developer out there leaking or selling your 32 char pwd data to one bad guy to get screwed.

Daniel Dennis said...

I don't disagree, Kiki. I take issue with the notion that, as the article suggests, that discussing complexity is lazy and obsolete and instead recommends the discussion turn to reuse. The solution isn't one or the other. It's not even prioritizing one over the other. I'm testing a network right now that has an admin with a password that hasn't been used more than once and I broke it in under a second because it was a shit password. Any professional knows there are benefits to length and complexity and beating that dead horse has a place in the discussiin because it isn't lazy. Shifting the discussion is lazy. Expanding the discussion is the only legitimate answer. You can't just neglect one angle of the discussion because there are threats that said angle don't mitigate. It's a complex issue that few people have their hands firmly around. Those who have it under control didn't get there by viewing length and complexity as lazy. I crack weak passwords every day and I write up financial institutions for it every day. I also find passwords reused about once every week or two and I'm writing them you for that as well. When we discuss the issue we cover every angle, eand very pro and con. If you're using ridiculously complex passwords that require a manager then chances are you've made the next logical leap to make them all different. At that point you're as safe as you can expect to be unless you're an idiot prone to falling for phishing schemes.