<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Password strength – fiction, fact, or what should secure your environment? in Industry News</title>
    <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/3230#M331</link>
    <description>&lt;P&gt;I think the battle is to try and walk the familiar line between ease of use versus security. I agree the overly complicated NIST requirements and the horrible password practices that it spawned were actually detrimental to good password practices. It has to be at least 14 characters long, 1 from each group, no character repeated more than twice in a row, not a common dictionary word or a L33T version of said words, AND don't write it down. Oh yeah, have another one ready to go in 90 days because we are going to make you change it and it can't be any of the last 10 really difficult but easy to remember passwords that you came up with.&lt;/P&gt;&lt;P&gt;I write my passwords down in a big book. WHAT? You say?&lt;/P&gt;&lt;P&gt;I reuse passwords? Again you may be shaking your head saying that I am violating all of the "good" password rules we learned while preparing for the CISSP. But here's my catch:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you got a hold of my book you would not be able to log in with any of them without cracking my code. Basically it is more of a password hint book. When I reuse my passwords I do it because I group like-minded accounts together, i.e., all of my learning/training accounts use the same password, so if you were able to crack my code you would only gain access to my learning accounts. And the passwords for my financial accounts are way different (and I do not reuse a password for the important accounts, or I vary them enough that you would lock them out before guessing). Each email address has a different password. My password reset requests are sent to my phone and a backup email address.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have got to find ways to help people come up with more secure methods for using passwords while at the same time making it easier for them. 
I like the example showing how using a simple phrase can make it harder for the attackers to crack but easier for the user to remember.&amp;nbsp;I am a big believer in using hidden-in-plain-sight passwords. Got a favorite phrase on a sign in your office? "Those Who Do Not Remember History Are Doomed To Repeat It. - Albert Einstein. 1947." = TWDNRHADTRI-ae1947, which would be pretty hard for a machine to crack but right where the person using the computer could see it or remember it.&amp;nbsp; (And please do not assume that that was a correct quote and attributed to the correct person and timeframe; I just made it up to provide an example.) Teach the users how to make it simpler and easier for them. Also educate on how a hacker would compromise their accounts. Go through the process they would use. Show them the vulnerable points in their thought process around passwords. Show them how answering a seemingly innocent quiz/survey on Facebook of "what kind of Princess are you?" could be getting them to disclose the answers to the security questions on their verification process for password resets (i.e., what is your favorite color?, etc.).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The answer lies in education. If you are not involved in your new employee education process at work, get involved. Ensure what the new employees are given is timely and useful. If you hear misinformation being given out at family gatherings, speak up and educate them.&lt;/P&gt;</description>
    <pubDate>Thu, 02 Nov 2017 15:21:01 GMT</pubDate>
    <dc:creator>CISOScott</dc:creator>
    <dc:date>2017-11-02T15:21:01Z</dc:date>
    <item>
      <title>Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1053#M94</link>
      <description>&lt;P&gt;&lt;STRONG&gt;The trouble with passwords…&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Trouble... We’re not talking about the yellow sticky-notes on the side of monitors or employees sharing passwords.&amp;nbsp;Password composition is at issue.&amp;nbsp;Passwords used today are generally the same as what we were using 20 years ago.&amp;nbsp;This might be acceptable if all other variables within Information Technology have remained the same since then.&amp;nbsp;They haven’t.&amp;nbsp;Those who have not adapted may have placed their IT assets at considerable risk.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Will my password effectively secure everything?&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Twenty years ago, probably.&amp;nbsp;&amp;nbsp;Remember the old IBM auto-password generators that gave us hard to remember passwords with the mix of alpha/numeric and special characters that were 8 characters long?&amp;nbsp;That is because that is the number of spaces the operating systems and applications would recognize for passwords.&amp;nbsp;The mix of characters from the password generators might give us something like this:&amp;nbsp;n&amp;amp;}P2^XJ&amp;nbsp;…pretty easy to remember, right?&amp;nbsp;It must be secure because it looks so complex!&amp;nbsp;Not true either.&amp;nbsp;Today’s password cracking arrays make quick work of this password.&amp;nbsp;A couple of minutes to be exact.&amp;nbsp;And, this is where it really goes fast!&amp;nbsp;In 2012, &lt;A href="https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/" target="_blank"&gt;&lt;U&gt;&lt;FONT color="#0066cc"&gt;ARS Technica&lt;/FONT&gt;&lt;/U&gt;&lt;/A&gt; reported that a 25-GPU cluster could crack every possible combination of 8-character passwords in under 6 hours.&amp;nbsp;Again, that was using 2012 
technology.&amp;nbsp;What about today?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Still feeling secure with your enterprise password policy?&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Justifiably so, you are possibly starting to break a sweat while digesting this habanero of a topic.&lt;/P&gt;&lt;P&gt;Today, we understand much more about strong passwords than we did in the past.&amp;nbsp;NIST has modified their guidelines for password deployment, which we’ll discuss further shortly.&amp;nbsp;What defines a strong password?&amp;nbsp;Is it upper-case, lower-case, numbers, special characters?&amp;nbsp;This is what we’ve been taught.&amp;nbsp;The answer in the past has been yes to all of the above.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To understand what delivers a strong password, we must know what drives password cracking.&amp;nbsp;The two predominant forces are tables/dictionaries of common passwords, and brute force.&amp;nbsp;Tables and dictionaries provide long lists of commonly used or suspected passwords.&amp;nbsp;The crackers can check your password against entries in the tables at light-speed.&amp;nbsp;Brute force involves guessing each character in your password, and takes a little more time due to the number of variables (upper/lower case, numeric, special characters) to run through.&amp;nbsp;But, remember, all possible 8-character combinations are cracked in less than 6 hours…&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;What is a strong password?&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;Entropy&lt;/EM&gt; and &lt;EM&gt;Search Space&lt;/EM&gt; come into play.&amp;nbsp;What is Entropy?&amp;nbsp;Well, think of our complex, hard to remember, but easy to crack password from earlier: "n&amp;amp;}P2^XJ".&amp;nbsp;&amp;nbsp;Entropy relies on excessive complexity to be “unpredictable,” in 
theory.&amp;nbsp;But, we saw that our example password could be cracked in a couple of minutes.&amp;nbsp;Is Entropy still delivering strong passwords?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Search Space factors in the length of the password in terms of total characters and the number of possible variables included in the password (upper/lower case, numeric, special characters) to determine what the &lt;EM&gt;total number of possible passwords&lt;/EM&gt; can be derived from that combination.&amp;nbsp;In simple terms, the &lt;U&gt;“length”&lt;/U&gt; of the password in terms of characters is most important, with some complexity added.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Let’s look at the statistics in this table:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;P&gt;PASSWORD&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;PASSWORD CHARACTERS&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;SEARCH SPACE = POSSIBLE PASSWORD COMBINATIONS&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;EASY TO REMEMBER&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;EASY TO CRACK&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;TIME TO CRACK&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;P&gt;n&amp;amp;}P2^XJ&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;8&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;6,704,780,954,517,120&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;NO&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;YES&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;1.12 minutes&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&lt;P&gt;Thisisagreatpassword!&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;21&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;33,337,810,962,573,359,664,680,352,920,577,639,625,185&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;YES&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;NO&lt;/P&gt;&lt;/TD&gt;&lt;TD&gt;&lt;P&gt;1.06 hundred thousand trillion centuries&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;While “Thisisagreatpassword!” takes a large 
amount of theoretical time for advanced cracking systems to solve it, does that make it a strong password?&amp;nbsp;Yes and no.&amp;nbsp;Statistics is a funny thing.&amp;nbsp;Have you heard of anyone &lt;A href="http://nypost.com/2016/01/16/florida-teen-first-time-player-wins-2m-powerball/" target="_blank"&gt;&lt;U&gt;&lt;FONT color="#0066cc"&gt;winning the lottery on their first try&lt;/FONT&gt;&lt;/U&gt;&lt;/A&gt;?&amp;nbsp;It does happen.&amp;nbsp;Likewise, depending upon how password crackers have their search or brute force mechanisms structured, they too could hit your password on the first try.&amp;nbsp;The point is to make it as difficult as possible for the password crackers to ever crack your password.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Back to NIST…&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;U&gt;&lt;FONT color="#0066cc"&gt;NIST&lt;/FONT&gt;&lt;/U&gt; has revised their password guidelines as they do periodically.&amp;nbsp;Currently, they still suggest 8 characters with complexity as the &lt;EM&gt;bare minimum &lt;/EM&gt;for a password.&amp;nbsp;Should that be your enterprise password policy?&amp;nbsp;Probably not, unless the variables affecting your Information Technology environment are the same as 20 years ago, or you can afford to lose control of your data or afford regulatory fines for those losses.&amp;nbsp;The rest of us want a more secure password policy.&amp;nbsp;This is also where NIST steps in.&amp;nbsp;As a maximum, NIST’s revised guidelines recommend 64 characters for your policy with some complexity.&amp;nbsp;Why?&amp;nbsp;Because they realize the value of a long password in protecting your IT assets from credential exposure via password cracking.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Are password credentials&amp;nbsp;enough to protect your 
assets?&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No.&amp;nbsp;Passwords are not enough to provide secure authentication.&amp;nbsp;Once again, things are not as they were 20 years ago.&amp;nbsp;Our practices shouldn’t be either.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Multifactor Authentication should be used to enhance strong passwords.&amp;nbsp;Multifactor is something you are: biometrics, something you know: password/PIN, something you have: fob or card (magnetic stripe or RFID).&lt;/P&gt;&lt;P&gt;Sure, MFA equates to more cost, administration, user training, etc.&amp;nbsp;But, can you afford to lose control over your data (PHI, PII, Financial, etc.)?&amp;nbsp;Where are things going in the next 20 years?&amp;nbsp;Quantum computing, for example?&amp;nbsp;Now how long will it take to crack a strong password?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;U&gt;Use MFA, with a strong password/passphrase of at least 14 characters with some complexity.&amp;nbsp;Defense in depth: layer your security.&lt;/U&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;U&gt;Credit to&lt;/U&gt;:&amp;nbsp;&amp;nbsp;ARSTechnica.com,&amp;nbsp;NYPost.com,&amp;nbsp;NIST.gov&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.linkedin.com/in/brianrkunick/" target="_blank"&gt;&lt;STRONG&gt;&lt;U&gt;&lt;FONT color="#0066cc"&gt;Brian R. Kunick&lt;/FONT&gt;&lt;/U&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt; &lt;/STRONG&gt;is a CIO/CSO servicing the operational and security requirements of the enterprise.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 08:18:31 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1053#M94</guid>
      <dc:creator>BrianKunick</dc:creator>
      <dc:date>2023-10-09T08:18:31Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1060#M96</link>
      <description>&lt;P&gt;Great read.&amp;nbsp; I agree that passwords are simply not enough to protect your systems.&amp;nbsp;&amp;nbsp;I work heavily in the UNIX/Linux space and am currently discussing why a password vaulting technology is a BAD idea to secure our UNIX/Linux systems.&amp;nbsp; The idea of just using native password controls to secure my critical systems is alarming to me, not to mention having to give the password vaulting technology full-blown root access to all of my servers to manage the passwords... WHAT.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 15:10:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1060#M96</guid>
      <dc:creator>SemperFi_guy</dc:creator>
      <dc:date>2017-10-10T15:10:45Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1063#M97</link>
      <description>&lt;P&gt;That is great insight you offer with regard to password vaulting.&amp;nbsp; Most solutions or those designed internally don't take into consideration all of the factors that are necessary at a bare minimum to store passwords securely.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;These variables are just some of those needed, and of those in this list, they need to be modified to take into account ever-changing variables in the environment we work in:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Use a strong random number generator to create a &lt;STRONG&gt;salt of 32 bits&lt;/STRONG&gt; or longer.&lt;/LI&gt;&lt;LI&gt;Feed the salt and the password into the &lt;STRONG&gt;PBKDF2 algorithm&lt;/STRONG&gt;.&lt;/LI&gt;&lt;LI&gt;Use &lt;STRONG&gt;HMAC-SHA-256&lt;/STRONG&gt; as the core hash inside PBKDF2.&lt;/LI&gt;&lt;LI&gt;Perform &lt;STRONG&gt;40,000 iterations&lt;/STRONG&gt; or more (&lt;U&gt;August 2017&lt;/U&gt;).&lt;/LI&gt;&lt;LI&gt;Take &lt;STRONG&gt;32 bytes (256 bits) of output&lt;/STRONG&gt; from PBKDF2 as the final password hash.&lt;/LI&gt;&lt;LI&gt;Store the &lt;STRONG&gt;iteration count, the salt and the final hash&lt;/STRONG&gt; in your password database.&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Increase your iteration&lt;/STRONG&gt; count regularly to keep up with faster cracking tools.&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Tue, 10 Oct 2017 15:17:15 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1063#M97</guid>
      <dc:creator>BrianKunick</dc:creator>
      <dc:date>2017-10-10T15:17:15Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1069#M99</link>
      <description>&lt;P&gt;Agreed!&lt;BR /&gt;&lt;BR /&gt;Call me old school but I still like agent-based technology to secure my environment.&amp;nbsp; I want to protect not only the front door but also the windows, vents, etc...&amp;nbsp; Using a vault solution is easy and for some environments I am sure it is the right choice (Windows system accounts, DB accounts, etc.) but easy does not always mean secure.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 15:29:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1069#M99</guid>
      <dc:creator>SemperFi_guy</dc:creator>
      <dc:date>2017-10-10T15:29:46Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1084#M102</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/495964229"&gt;@SemperFi_guy&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Password vaulting isn't the only option for Linux-based systems.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PAM allows easy integration with multiple authentication mechanisms. The benefit there is that they remain logically separate.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For example, local/AD passwords could be combined with a second auth mechanism. e.g. a software, or hardware token, via RADIUS.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are a great deal of options available.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The question of suitable password complexity should no longer be our focus.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The more pertinent question is whether a sufficiently complex password is enough on it's own.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The answer is... no.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 16:32:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1084#M102</guid>
      <dc:creator>sdurbin</dc:creator>
      <dc:date>2017-10-10T16:32:41Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1089#M103</link>
      <description>&lt;P&gt;I agree,&amp;nbsp; I was simply voicing my opinion on using passwords in general (which turned into my dislike for password vaults as a PAM solution).&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;I today leverage a technology that actually removes the requirement for a password in most cases for the accounts within my UNIX/Linux servers.&amp;nbsp; Only those accounts that require a password are provided with one, and all others are assigned a non-hashable password.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 16:35:03 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1089#M103</guid>
      <dc:creator>SemperFi_guy</dc:creator>
      <dc:date>2017-10-10T16:35:03Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1090#M104</link>
      <description>&lt;P&gt;Very good point.&amp;nbsp; Entropy, or password complexity, no longer offers the protection of the past.&amp;nbsp; I agree with you, as also mentioned in my article, that passwords alone are not enough to provide secure credentials.&amp;nbsp; Passwords of sufficient strength are not meant to stand on their own anymore.&amp;nbsp; MFA must be used.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 16:35:28 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1090#M104</guid>
      <dc:creator>BrianKunick</dc:creator>
      <dc:date>2017-10-10T16:35:28Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1094#M105</link>
      <description>&lt;P&gt;SSH key management is also an area where, in organisations of all shapes and sizes, I have seen some very questionable security practices in the past.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, more recently there have also been improvements in that domain too!&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 16:47:28 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1094#M105</guid>
      <dc:creator>sdurbin</dc:creator>
      <dc:date>2017-10-10T16:47:28Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1104#M107</link>
      <description>&lt;P&gt;For password strength to mean anything, the strength has to have a definition. &amp;nbsp;The only good in a password is how long it takes to crack after capture. &amp;nbsp;For my purposes, password strength is the time it takes to have 50/50 odds of cracking a password after capture of a password hash. &amp;nbsp;If the password is captured by a keylogger, read from a Post-it, or a vulnerability allows a cleartext version of it to be captured from protected memory -- the password is directly captured rather than cracked. &amp;nbsp;Such problems are not addressed by password strength.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Two useful bits of math. &amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;First, password crackers grow faster than Moore's Law over time, closer to 11 times faster every 10 years for the same dollar cost in cracking hardware. &amp;nbsp;This happens as the hardware gets faster, the price of the faster hardware goes down with time, and speed optimizations in chips, storage, bandwidth, and software improve performance. &amp;nbsp;&lt;/LI&gt;&lt;LI&gt;Passwords chosen by humans are not as difficult to search 50% of the available choices as passwords generated at random. &amp;nbsp;My samples of cracked password files from multiple clients cleanly show a Pareto-like effect -- 20% of the combinations to search are responsible for 80% of the passwords found. &amp;nbsp;Approximately then, if a human chose the password, about 10% of the combinations to search are worth 50% of the passwords captured to crack. If randomly chosen, then 50% of the combinations to search are worth 50% of the passwords captured to crack.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now it is time to describe the search space. &amp;nbsp;Humans like words, even if they add leet adjustments. &amp;nbsp;But each language on earth has word frequency by length of words. &amp;nbsp;For single-place passwords there is a very short list. 
As words go, there are only two such words, "A" and "I". &amp;nbsp;A peak in the middle near 7-place words happens, which is used by "CorrectHorseBatteryStaple" to generate a password, and then there are very few words longer than 29 letters. &amp;nbsp;"Supercalifragilisticexpialidocious" is alone at 31 letters long. Really, "CorrectHorseBatteryStaple" is a four-place password with three 7-place words and one 5-place word. &amp;nbsp;A variable with every word 7 places long can be listed out with all its leet combinations, and the entropy of this password is actually smaller than XKCD thinks it is. &amp;nbsp;Still, it is not all that bad. &amp;nbsp;Once we know the places of a password to search and the number of options per variable, the math of combinations is not that bad. &amp;nbsp;I use spreadsheet functions to help. &amp;nbsp;Let's stick with letters, numbers, symbols and extended ASCII for example.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;N_l = places of letters&amp;nbsp;&lt;/P&gt;&lt;P&gt;N_n = places of numbers&amp;nbsp;&lt;/P&gt;&lt;P&gt;N_s = places of symbols&lt;/P&gt;&lt;P&gt;N_e = places of extended ASCII&lt;/P&gt;&lt;P&gt;It starts with placement of these variables inside the password, then goes to places and finally combinations.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Combo = Placement * Places&lt;/P&gt;&lt;P&gt;Placement = fact(N_l + N_n + N_s + N_e) / (fact(N_l) * fact(N_n) * fact(N_s) * fact(N_e))&lt;/P&gt;&lt;P&gt;Places = (52)^N_l * (10)^N_n * (31)^N_s * 163^N_e&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If human-selected, then the true combinations to search is closer to 10% * Combo.&lt;/P&gt;&lt;P&gt;If a random password generator selected it, then the true combos to search is near 50% * Combo. &amp;nbsp;&lt;/P&gt;&lt;P&gt;Both will lead to the 50/50 odds of cracking the password.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now for the effect of Moore's law on password cracking speed. 
&amp;nbsp;For simplicity we will use 10 times faster every 10 years for the same true dollar spend on the cracking rig. &amp;nbsp;The math still works even if the attacker simply buys a new rig each year and splits the combinations to search among them over time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Combinations per second = cps&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;cps(t) = cps(0) * 10^(T/10years) &amp;nbsp;&lt;/P&gt;&lt;P&gt;C(t) = cps(0)*(sec/yr)*10years*ln(10)*(10^(T/10yrs)-1)&lt;/P&gt;&lt;P&gt;T(C) = 10 years * ln(C/(cps(0)*(sec/yr)*10yrs*ln(10)+1)/ln(10)&lt;/P&gt;&lt;P&gt;T(C) = 10 years * ln(Combs / (cps(0) / (365.2425*24*3600*10*ln(10)) +1)/ln(10)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From this, we can actually compute password strength once we know how fast a password cracking rig is and what it cost at least once in history, and project forward correctly accounting for Moore's Law, such as the drops in price of computing hardware over time, inflation, speed improvements in software, and upgrades in hardware over time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The MacBook Pro Air -- 32 GB flash RAM -- I wrote this from now costs about 2.3k and in August 2013 achieved 6 billion combinations per second. &amp;nbsp;If I bought the next cracking computer for 3.3k, with the right specifications, it would be faster. &amp;nbsp;Note: splitting the job among parallel computers often gets eclipsed by the growth in speed of Moore's law, so parallel computing is only really useful over a 5-year horizon or so, unless it is just cost-effective per compute cycle. &amp;nbsp;Consider that sometimes Amazon Cloud Services does not charge full price if you do not download data but only use compute cycles. &amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So what is a strong password really? &amp;nbsp;First, consider the 6 billion combinations per second problem.&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Average language has 100,000 words. 
&amp;nbsp;10 leet combos per word, 1,000,000 combinations to test. &amp;nbsp;6,000 languages later, we have a single-word password with leet cracking in a target time of 1 second. &amp;nbsp;&lt;/LI&gt;&lt;LI&gt;The password is forced to change every 3 months. &amp;nbsp;Such a password better have a half-life -- time to reach 50/50 odds of cracking -- longer than 3 months.&lt;/LI&gt;&lt;LI&gt;The average password cracking effort lasts about 2 hours. &amp;nbsp;All the easy cracks fall out quickly and watching the computer grind gets boring after a while. &amp;nbsp;Even police units admit to self-terminating password cracking efforts after about 36 hours. &amp;nbsp;So, the password at least needs a half-life of 36 hours or so.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Care to use the math above to work out how long your password would last against my MacBook that costs 2.3K?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Simply sort your language or spell-check dictionaries by word length and assemble variables by word length. &amp;nbsp;GNU Aspell is not a bad source for free dictionaries in many languages.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Go long and memorable. &amp;nbsp;Avoid short words. &amp;nbsp;Skip leet and just add complexity to meet the allowed limits. 
&amp;nbsp;Even one place longer than a pre-computed rainbow table and the password has a chance.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 17:43:40 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/1104#M107</guid>
      <dc:creator>arctific</dc:creator>
      <dc:date>2017-10-10T17:43:40Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/2465#M237</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/735020181"&gt;@arctific&lt;/a&gt;this is why the latest advice is use a random password generator and secure encrypted vault for any passwords. this then obviscates any rainbow tables, and improves the complexity.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Beyond this, it comes down to using behaviour and environmental scores turning to a risk based approach. If they are logging in from their desk at the time they usually come in, after having swiped in the building, then a password may be sufficient, if they are loging in form an unrecognised device in a country you dont operate in over a wifi network then maybe step up to a second factor&lt;/P&gt;</description>
      <pubDate>Mon, 30 Oct 2017 10:36:43 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/2465#M237</guid>
      <dc:creator>EnviableOne</dc:creator>
      <dc:date>2017-10-30T10:36:43Z</dc:date>
    </item>
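The risk-based step-up described in the post above, worked through as an added example by the editor (it is not code from the thread or from any product the posters mention): the signals the post names (known device, recent badge swipe, country, network, usual sign-in hours) are scored, and the decision is either password-only or password plus a second factor. The weights, the threshold, the operating-country list and the two sample logins are constructed assumptions.

```python
"""Risk-based step-up authentication, as an added example.
Weights, thresholds and the sample logins below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

OPERATING_COUNTRIES = {"GB", "US"}   # assumption: where the business operates
USUAL_ARRIVAL_HOURS = (8, 10)        # assumption: this user normally signs in 08:00-09:59
STEP_UP_THRESHOLD = 30               # assumption: at or above this, require a second factor


@dataclass
class LoginContext:
    user: str
    when: datetime
    device_known: bool                    # device previously enrolled/seen for this user
    badge_swipe_age: Optional[timedelta]  # time since the user badged into the building; None if no swipe
    country: str                          # country code from source-IP geolocation
    network: str                          # "corp", "home" or "public-wifi"


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum the environmental and behavioural signals into one score.
    Each contributing signal is returned so the decision can be logged and explained."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 40
        reasons.append("unrecognised device")
    if ctx.country not in OPERATING_COUNTRIES:
        score += 40
        reasons.append(f"country {ctx.country} outside operating countries")
    if ctx.network == "public-wifi":
        score += 20
        reasons.append("public wifi network")
    if ctx.badge_swipe_age is None or ctx.badge_swipe_age > timedelta(hours=2):
        score += 10
        reasons.append("no recent building badge swipe")
    start, end = USUAL_ARRIVAL_HOURS
    if not (ctx.when.hour >= start and end > ctx.when.hour):
        score += 10
        reasons.append("outside usual sign-in hours")
    return score, reasons


def decide(ctx: LoginContext) -> str:
    """Return 'password' when the context matches the user's normal pattern,
    otherwise 'password+mfa' to step up to a second factor."""
    score, _ = risk_score(ctx)
    return "password+mfa" if score >= STEP_UP_THRESHOLD else "password"


# Constructed sample contexts (not real events).
DESK_LOGIN = LoginContext(
    user="alice", when=datetime(2017, 10, 30, 8, 45), device_known=True,
    badge_swipe_age=timedelta(minutes=12), country="GB", network="corp")

FOREIGN_WIFI_LOGIN = LoginContext(
    user="alice", when=datetime(2017, 10, 30, 3, 10), device_known=False,
    badge_swipe_age=None, country="XX", network="public-wifi")

if __name__ == "__main__":
    for ctx in (DESK_LOGIN, FOREIGN_WIFI_LOGIN):
        score, reasons = risk_score(ctx)
        print(ctx.user, ctx.when.isoformat(), score, decide(ctx), reasons)
```

The point of returning the reasons alongside the score is that a step-up decision has to be explainable to the help desk and to the user who is suddenly asked for a second factor; a bare number is not. Tune the weights against real sign-in history before enforcing, or the threshold will either never fire or fire on every remote worker.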
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/3066#M316</link>
      <description>&lt;P&gt;We talk about how what was good enough 20 years ago isn't good enough today. It's amazing when you think about it and no doubt, soon enough we'll be saying "What was good enough 3 years ago isn't good enough for today!"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Things are evolving exponentially faster today. The technology that allows the attackers to crack PWs is evolving at light speed compared to 20 years ago.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;I feel that MFA will become the base standard for authentication and access control within the next few years. If you don't have it, you'll be considered way behind and COMPLETELY vulnerable to brute force attack.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Great article.&lt;/P&gt;</description>
      <pubDate>Tue, 31 Oct 2017 18:46:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/3066#M316</guid>
      <dc:creator>KPentecost</dc:creator>
      <dc:date>2017-10-31T18:46:45Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/3230#M331</link>
      <description>&lt;P&gt;I think the battle is to try and walk the familiar line between ease of use versus security. I agree the overly complicated NIST requirements and the horrible password practices that they spawned were actually detrimental to good password practices. It has to be at least 14 characters long, 1 from each group, no character repeated more than twice in a row, not a common dictionary word or a L33T version of said words, AND don't write it down. Oh yeah, have another one ready to go in 90 days because we are going to make you change it and it can't be any of the last 10 really difficult but easy to remember passwords that you came up with.&lt;/P&gt;&lt;P&gt;I write my passwords down in a big book. WHAT? You say?&lt;/P&gt;&lt;P&gt;I reuse passwords? Again you may be shaking your head saying that I am violating all of the "good" password rules we learned while preparing for the CISSP. But here's my catch:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you got a hold of my book you would not be able to log in with any of them without cracking my code. Basically it is more of a password hint book. When I reuse my passwords I do it because I group like-minded accounts together, e.g. all of my learning/training accounts use the same password, so if you were able to crack my code you would only gain access to my learning accounts. And the passwords for my financial accounts are way different (and I do not reuse a password for the important accounts, or vary them enough that you would lock them out before guessing). Each email address has a different password. My password reset requests are sent to my phone and a back-up email address.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have got to find ways to help people come up with more secure methods for using passwords while at the same time making it easier for them.
I like the example showing how using a simple phrase can make it harder for the attackers to crack but easier for the user to remember. I am a big believer in using hidden-in-plain-sight passwords. Got a favorite phrase on a sign in your office? "Those Who Do Not Remember History Are Doomed To Repeat It. - Albert Einstein. 1947." = TWDNRHADTRI-ae1947 would be pretty hard for a machine to crack but right where the person using the computer could see it or remember it. (And please do not assume that that was a correct quote attributed to the correct person and timeframe; I just made it up to provide an example.) Teach the users how to make it simpler and easier for them. Also educate them on how a hacker would compromise their accounts. Go through the process they would use. Show them the vulnerable points in their thought process around passwords. Show them how answering a seemingly innocent quiz/survey on Facebook of "what kind of Princess are you?" could be getting them to disclose the answers to the security questions in their verification process for password resets (e.g. what is your favorite color?, etc.).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The answer lies in education. If you are not involved in your new employee education process at work, get involved. Ensure what the new employees are given is timely and useful. If you hear misinformation being given out at family gatherings, speak up and educate them.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Nov 2017 15:21:01 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/3230#M331</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2017-11-02T15:21:01Z</dc:date>
    </item>
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/4821#M525</link>
      <description>&lt;P&gt;I use a password safe myself. Bear in mind this approach has some pros/cons also.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The good part:&lt;/P&gt;&lt;P&gt;1) Human Memory: I can track 200 unique passwords in a single spot. I really only have to remember the password to get in to the password safe.&lt;/P&gt;&lt;P&gt;2) Password Generators: I can have the safe automatically generate random passphrases of appropriate length that also fit the varying complexity requirements for each account.&lt;/P&gt;&lt;P&gt;3) Personal Dictionary: As sites get different passwords, an attacker can use my cracked passwords as a personal dictionary attack to try to crack sites with better security using my password patterns from sites with weak security.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The items to watch:&lt;/P&gt;&lt;P&gt;A) Encryption Strength of the Password Safe: AES 256 or better is recommended.&lt;/P&gt;&lt;P&gt;B) The Password of the Password Safe needs to be really, really, really strong. It protects all other accounts you have access to. It should actually be no less strong than any account in the safe.&lt;/P&gt;&lt;P&gt;C) Password Capture: the system where the password safe resides is the gold mine for a key logger or protected memory capture in clear text of the password for the password safe. Triple up on system hardening of the system with the password safe. Information Security operations are finding hacked smart phones of systems administrators where the password safe was downloaded and the password captured, usually by a key logger.&lt;/P&gt;&lt;P&gt;D) Automatic password entry into a website, a tool for a reduced sign-on experience, means that the browser cache is a prime target for capturing passwords.
&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Recommendations for safer uses of Password Safes or Encrypted Drives with vital data files:&lt;/P&gt;&lt;P&gt;1) Never, ever store the password for a password safe in a Key Chain, Browser Cache, etc. MEMORIZE the beastly password.&lt;/P&gt;&lt;P&gt;2) Use physical security to protect the system with a password safe. A dual-mode attack could seek physical access to the system to download a copy and then off site submit the safe to cracking efforts. The physical security measures should be aimed to give you a tip-off that this has happened so the safe contents and safe password can be changed faster than the crack can succeed.&lt;/P&gt;&lt;P&gt;3) The password safe is not an excuse to relax on password strength: complexity, length or uniqueness per site. If 74% of users have the same password for their online banking as they use on other sites -- like Facebook -- then all the attacker needs to do is hack Facebook then guess your bank. Your safe will not help you protect passwords from hacks of weaker websites. Use the safe to your advantage and be unique per site.&lt;/P&gt;&lt;P&gt;4) Go long even if the password is randomly generated. Pre-computed rainbow tables can still crack passwords whether they are in your safe or not. One digit longer than an attacker's rainbow table saves the day.&lt;/P&gt;</description>
      <pubDate>Sat, 06 Jan 2018 15:07:31 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/4821#M525</guid>
      <dc:creator>arctific</dc:creator>
      <dc:date>2018-01-06T15:07:31Z</dc:date>
    </item>
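Points B and C and recommendation 2 in the post above all turn on one quantity: how expensive each guess at the master password is for someone who has walked off with a copy of the safe. The following is an added example by the editor, not code from the thread or from any password manager: it shows the shape of that protection, a random per-vault salt, a deliberately slow memory-hard key derivation (scrypt from the Python standard library), a verifier so a wrong master password is detected without the key or password ever being stored, and a measurement of guesses per second on the local machine. The vault layout and the KDF parameters are constructed assumptions, not any real product's format.

```python
"""Vault master-key derivation with a salted, memory-hard KDF, as an added example.
The vault layout (salt + verifier) and the scrypt parameters are constructed
assumptions, not any real password manager's format."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumption: interactive-cost scrypt parameters (16 MiB of memory per derivation).
KDF_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
VERIFIER_LABEL = b"vault-verifier"   # assumption: fixed label for the unlock check


def derive_key(master_password: str, salt: bytes, params=KDF_PARAMS) -> bytes:
    """Stretch the master password into a 32-byte key. The salt makes every vault's
    key different even for the same password, so no table of precomputed results
    can be shared across victims; n/r/p set the cost of each guess."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=params["n"], r=params["r"], p=params["p"], dklen=32)


def create_vault(master_password: str) -> dict:
    """Persist only the random salt and a keyed verifier, never the key or password."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(vault: dict, attempt: str) -> Optional[bytes]:
    """Re-derive the key from the attempt and compare verifiers in constant time.
    Returns the key on success, None on a wrong master password."""
    key = derive_key(attempt, vault["salt"])
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(candidate, vault["verifier"]) else None


def guesses_per_second(samples: int = 3) -> float:
    """How many master-password guesses this machine can try per second against a
    copy of the vault: the per-guess cost an offline attacker also has to pay."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt)
    return samples / (time.perf_counter() - start)


def offline_crack_seconds(password_bits: float, rate: float) -> float:
    """Expected time to find a password of `password_bits` entropy at `rate`
    guesses per second (half the space on average)."""
    return (2 ** password_bits / 2) / rate


if __name__ == "__main__":
    vault = create_vault("TWDNRHADTRI-ae1947")   # the passphrase from the thread, as sample input
    print("correct unlock:", unlock(vault, "TWDNRHADTRI-ae1947") is not None)
    print("wrong unlock:  ", unlock(vault, "TWDNRHADTRI-ae1948") is not None)
    rate = guesses_per_second()
    print(f"{rate:.1f} guesses/s on this machine")
    for bits in (30, 45, 60):
        print(f"{bits}-bit master password: ~{offline_crack_seconds(bits, rate) / 86400:.1f} days")
```

Multiply the measured rate by whatever hardware advantage you credit the attacker with (they do not crack on a laptop), then read off how many days a master password of a given entropy buys; that number is the deadline the "change the safe contents faster than the crack can succeed" advice in the post depends on, and it is why the master password must be the strongest secret in the safe.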
    <item>
      <title>Re: Password strength – fiction, fact, or what should secure your environment?</title>
      <link>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/8141#M733</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/735020181"&gt;@arctific&lt;/a&gt; The point with the password safe is you cut the number of passwords you have to remember down to 1 (the vault password), which you can then choose carefully and make as complex as you like.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Most of my previous comments were paraphrasing the latest advice from the UK NCSC and my favourite password activist Troy Hunt, but it's clear to see we have basically created a system where people are forced to create passwords that are hard for humans to handle and just as easy for computers to guess, leading to work-arounds with passwords like P45sw0rd101! which are in most crackers' first tranche of tries, but password strength meters call them secure.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The simple plan is:&lt;/P&gt;&lt;P&gt;Dispose of complexity and increase minimum length (more characters increases combinations as x^n; more options is only nx)&lt;/P&gt;&lt;P&gt;Encourage the use of password vaults&lt;/P&gt;&lt;P&gt;Only enforce password change on indication of breach&lt;/P&gt;&lt;P&gt;Disallow known or common passwords&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Troy's post ties it all together:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/" target="_blank"&gt;https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Password strength re-imagined:&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler" target="_blank"&gt;https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 06 Mar 2018 10:08:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Password-strength-fiction-fact-or-what-should-secure-your/m-p/8141#M733</guid>
      <dc:creator>EnviableOne</dc:creator>
      <dc:date>2018-03-06T10:08:26Z</dc:date>
    </item>
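The plan in the post above (drop composition rules, raise minimum length, block known or common passwords) is small enough to implement end to end, so here is an added example by the editor, not code from the thread, from NCSC or from Troy Hunt's service. It puts numbers on the length-versus-alphabet point (search space grows as x^n in length and only logarithmically in alphabet size), keeps the old one-of-each-class rule only to show that P45sw0rd101! passes it, and replaces that rule with a breached-password check done the way a k-anonymity range lookup works: the checker sends only the first five hex characters of the SHA-1 and compares the rest locally. The breach corpus here is a constructed six-entry stand-in for a real dataset, and the twelve-character minimum is an assumption.

```python
"""Password policy per the plan above: minimum length, no composition rules, and a
breached/common-password blocklist queried by SHA-1 prefix (k-anonymity style).
Added example; the breach corpus and the 12-character minimum are constructed assumptions."""
import hashlib
import math
from typing import List

# Constructed stand-in for a breach corpus (a real service uses hundreds of millions
# of entries). Stored as upper-case SHA-1 hex, the form a range query returns.
_COMMON_PASSWORDS = ["password", "P45sw0rd101!", "123456", "qwerty", "letmein", "Password1"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _COMMON_PASSWORDS}


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> List[str]:
    """Return the 35-hex-char suffixes of every corpus hash sharing a 5-char prefix.
    This is the server side of a k-anonymity range query: the caller never reveals
    its full hash, only a prefix shared by many unrelated passwords."""
    return [h[5:] for h in BREACH_CORPUS if h.startswith(prefix5)]


def is_breached(pw: str) -> bool:
    """Client side: hash locally, send the prefix, match the suffix at home."""
    h = sha1_hex(pw)
    return h[5:] in range_lookup(h[:5])


def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2(alphabet_size ** length). Each extra character adds log2(alphabet) bits;
    widening the alphabet adds only a fraction of a bit per existing character."""
    return length * math.log2(alphabet_size)


def meets_legacy_complexity(pw: str) -> bool:
    """The composition rule the plan retires: 8+ characters, one of each class.
    P45sw0rd101! satisfies it, which is exactly the post's complaint."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 8 and all(classes)


def check_password(pw: str, min_length: int = 12) -> List[str]:
    """Apply the plan: a length floor and a blocklist, nothing else.
    Returns the list of reasons for rejection; empty means accepted."""
    problems = []
    if min_length > len(pw):
        problems.append(f"shorter than {min_length} characters")
    if is_breached(pw):
        problems.append("appears in breach/common-password corpus")
    return problems


if __name__ == "__main__":
    print(f"8 chars over 95 symbols: {search_space_bits(95, 8):.1f} bits")
    print(f"12 lower-case letters:   {search_space_bits(26, 12):.1f} bits")
    for candidate in ["P45sw0rd101!", "letmein", "correct horse battery staple"]:
        print(candidate, "legacy-complex" if meets_legacy_complexity(candidate) else "legacy-simple",
              check_password(candidate) or "accepted")
```

Two things worth noticing when you run it: twelve lower-case letters out-score eight characters drawn from the full printable set, and the one candidate a complexity meter would call "secure" is the one the blocklist rejects. In production the range lookup is the network call and the corpus lives on the other side of it; the prefix design is what lets you make that call without handing the password, or even its full hash, to a third party.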
  </channel>
</rss>

