Password Rules Are Bullshit

This really doesn’t work, not because of any deep crypto or math, but because it doesn’t stop the actual threat model for password cracking, it may even make it worse. There are two main ways of password cracking, online and offline, with offline being much faster since a site can’t throttle you.

For reference a modern securely stored password is the result of a function like hashedPassword = hashSalt + sitesHash(hashSalt, usersPassword), assuming sitesHash is a strong hashing algorithm.

Your scheme looks something like hashedPassword = hashSalt + sitesHash(hashSalt, usesHash(usersPassword, siteDomain)), effectively usesHash(usersPassword, siteDomain) replaces the usersPassword in the old equation. This looks like your sending a unique password to each site, but potentially you aren’t!

Lets assume in the future a scheme like yours became very popular, maybe baked into Chrome, the result would be that some one that compromised a site and got the sites database of hashed passwords would know that for some set of user passwords they are run though that extra step. An attack on those passwords looks something like this:

1. make a guess at a password
   1.1. also compute usesHash(usersPassword, siteDomain) as the hashed guess.
2. for all uncracked passwords compute hashSalt + sitesHash(hashSalt, passwordGuess) and check if it matches the stored password. If it is a match we know it is valid for this site and we think it may be valid for other sites.
   2.1. also for all uncracked passwords compute hashSalt + sitesHash(hashSalt, hashedGuess) and check if it matches the stored password. If it is a match we know it is valid for this site and we also know it is almost certainly valid on other sites!
3. if there are still uncracked passwords go back to 1.

So the balance is this, does the cost of hashing the guess and an extra hash per salt off set the idea that you have picked a much simpler password that will be guessed much sooner? Add to that since a correct guess will expose you master password and that the weaker the sites hashing algorithm (possibly plain text!) the more likely you are to have your passwords for all sites exposed.

In the end if this is baked into client software and many people are using the same deterministic system that is still vulnerable to guessing based on human behavior then it will become the primary target of attackers.

tl;dr

As long as we are passing a secret to sites to log in that is derived from human input the only real security factor is the guess-ability of that input. Any deterministic steps we add between that can impact, for better or worse, how long it takes to verify a guess, but it won’t ever stop attackers from making guesses. The only real defense is to remove the human input (randomly generated passwords) or make the human input hard enough to guess that it won’t be guessed in a reasonable time.

There’s two basic problems that I immediately see. First, assuming that the algorithm is known, then it has the same downsides as a conventional password manager like keepass, that being that if your master password gets out, everything is compromised.

Also, consider what happens if your password for a single site gets compromised. What happens? Well, you’d like to change just that password, but how? You could relax the requirement that the second string must be a domain name, and allow it to be whatever, and if you have 99% of sites just using the domain name, and 1 or 2 that use some other pattern, that essentially ensures you’ll never remember it.

If you don’t want to allow the second input to be arbitrary, the other option would be to use a different master password. Of course, that would involve either changing every password, or remembering which sites use which master password.

Hi!

Just wanted to share, that PayPal limits passwords to 18 characters (last time I checked).
And they don’t reply as to why I can´t have a longer password.

Where is the problem to allow 25 oder let it be 50 chars?
Too much security for them?

Thanks for listening!

Best regards,
shatt0r

Hi,

I think there is a very simple manner to solve the password authentication problem:

Just forget it!

That way:

• No more headache to try to remember a complicated enough password
• No more risk to choose a too simple password
• No more risk to use the same password anywhere
• Less risk for the server to be hacked for the email/password couples

How to do that??

You know it and you already have it implemented on all your websites.

The answer is called “Password forgotten”.

And this is the mechanism which everyone have choosen a secure enough password finally uses!

So:

• Remove the password mechanism, just provide an input field to ask for the username.
• Add a captcha mechanism to be sure the action is performed by a human
• Find the corresponding email address and send it a login link containing a temporary token.
• When the user go to its mailbox and click on the link, you just have to compare the received token with the ones you recently generated (maybe in the time limit of 2 minutes ago).
• If ok, establish the session!

That’s all folks!

If every website do that, the only remaining security hole is the mailbox and even if the mailbox is hacked, the hacker will be able to only access a website through a login link established 2 minutes ago!

It is a bit like saying that the best way to secure the door to your house is to put a boulder in front of it that is too large for humans to move. You would need some type of large equipment. But the crooks have large equipment!

We need something that humans can use, but large equipment does not give any advantage. Also: something that cannot be lost, stolen, spoofed, replayed… We need something that knows that you are you. A closed electronic system can never solve this problem, because you are not inside the system. The system needs to prove a fact that is outside the system. This is like proving that God exists. Sorry.

No! It’s not like saying that at all, it’s more like saying: Your front door key is a “randomly generated password” that opens your front door.

I find your large equipment analogy humorous, as I was arguing that sticking large equipment between a site and a weak password doesn’t provide any extra security. Let me analogy my prior “tl;dr” for you: Using a hash derived from your master password like putting a bolder in front of your door and then leaving the keys in the crane you used to move the bolder. My argument was simply that if your going to use heavy machinery at least choose to do it right.

You try and compare a password system to a home door lock and then describe requirements for something exactly unlike a common home door lock. I have lost my home keys before and had to call a locksmith, keys get stolen all the time, and you can 3D print spoof keys from photographs, the same key works for multiple locks in my home no matter how many times I use it.

I’m going to suggest that maybe your arguing against a position that I did not intend to take in my prior post. I do not at all think that passwords are a good authentication scheme, I think they are failing and will continue to fail. If you make one secure enough to provide reasonable authentication assurances they are very often to hard for most people to remember more than a few of them at a time, and if you make them easy enough to remember you tend to make them to weak to be secure. As a user, if I want to use a site that requires a password I have few good options. I could use a simple insecure password, I could use a very secure password I will probably forget, I could ask technology to create a secure password and remember it for me. All three of these options have drawbacks. When sites let me use a method other than passwords I will very often use that instead, but most of those methods also have some other drawback.

What other methods can we currently use, and what are the drawbacks?

One way to do security for a building is to have a guard. If you look familiar, you can walk right in, otherwise, you are challenged. This is something that cannot be stolen, lost, spoofed, replayed, etc. Add a dog, and you would have to smell right, too. Pretty much impossible to get past. No passwords, keys, etc necessary.

God yes, I hit this recently and was struck by the utter insanity of it.

My personal favorite set of rules.

Well that’s up to the site, Discourse for example can use passwords, or OpenID.

The drawback to OpenID (or Login via Facebook, etc.) is that it just shifts the authentication burden to another source, that ultimately in my case is still authenticates with a password (and a second factor). It still relies on shared secrets, it just shifts them from between the site and user to between the site and the OpenID provider. Shared secrets can always be compromised, and that can lead to attacks on the exposed accounts. It also exposes what sites I use to the OpenID provider (they probably already know every site I use).

When I log in to any of the systems I do work on it’s mostly done via public key. With traditional PKI this means giving each system a copy of the same public key, which has some minor issues, and requires some technical infrastructure to handle validating those keys. There are a few initiatives to provide more modern public key style authentication for websites via plugins and/or smartphone apps. They generally hope to be both secure enough, and fix the “propeller heads required” nature of traditional PKI allowing it to be used by the masses.

My introduction to entropy as a wee lad: A Microsoft Basic program that would draw pixels on the Mac 128 screen at rand()x512, rand()x384, and to my amazement drew diagonal stripes on the screen instead of grey static. This caused me to rush out and buy the entire set of Knuth’s “The Art of Computer Programming.”

@AB2ndGuide, regarding the ‘forget password’ suggestion:

You would need to change your mail password every 2 minutes though, because otherwise any hacker who manages to break that can reset your passwords anywhere else by claiming ‘password forgotten’. And of course he can take his time, because the moment he gets into your mail account, first thing he’ll do is change the password so you can’t get him out anymore since you can’t get in…

Of course, he doesn’t actually need time, because, since you always keep requesting new passwords it will be a breeze to find references, including links and usernames, to all of your accounts - with an automated tool. It’ll take about two seconds to shut you out of all of them at once.

You can’t even rely on strong passwords here, because, as we all know, providers get hacked on a regular basis with tons of account info stolen. If you’re lucky and the database is reasonably secured, it may take a few hours or days to break in, but the question is whether your provider actually notices the theft in time to inform you, and whether you receive that notice in time to change your password.

I’d rather go with one very strong password (for a password manager database) that is extremely unlikely to get hacked, ever, than betting my security on the security of a mail service provider

That’s a well-known problem with early random number functions: the resulting number series behaved pretty much like what you would expect from a random walk, but if you link two random series it turns out that the pairs of random values are correlated.

Current RNGs are much better than that, although, depending on the application, they still have their weaknesses. You won’ notice any of them in a trivial application like your example, though.

This is kinda fun: https://haveibeenpwned.com/
Would be nice if someone could make a similar one that checks if your password is in the most common list

Funny how no one has yet comment on the most brilliant password policy ever.

Passwords get magically more secure when they need to be changed every three months.

Even in case of a stolen password, an attacker can use it for only three months, max.

Yep.

What a shame… !Sandra5 doesn’t work any more…I have been pwned by the 1337 password rule system!

Seriously?

Persona was an attempt to use your email address as your identity (plus add browser capabilities for identity management), with one-time passwords sent in emails as the fallback strategy (if there was no provider-specific login method, such as Google login for @gmail.com addresses). It was clever but sadly did not catch on and was shut down.

I would suggest that one single, simple system could replace ALL password rules, forever. This one rule to rule them all is to adopt a Universal Password Blacklist. I wrote the details of how this would work here. In short: submit your “new” password to a system that tells simultaneously tells you if it has ever been used before, and also stores it so no one can ever use it again. If everyone used this, in a few days/weeks it would be “stronger” than every set of password requirements implemented anywhere, and it would only get stronger over time.

I also feel that no password discussion is complete without mention of at least one “password replacement scheme”. There are a few of them, but my favorite is SQRL, which implements a special type of public-key encryption so that users never enter passwords. Instead of entering a username and password, a user basically signs a login-token to assert their identity; then the user is logged on. It’s had a lot of problems worked out, but so far has very low adoption. I think because people are just used to the username+password paradigm, and change is hard.

The problem with long passwords is they’re hard to type on a phone. It’s tricky to find a system for making passwords that can be typed easily on a phone. Consider:

• Emoji seem like a good idea, except that you don’t know if the next system release will bury your smiley and promote a nearly identical smiley, perhaps with a Unicode variant (e.g. skin color.)

• Long words are hard to type, but not as hard as long ANYTHING ELSE.

• Switching from characters to digits is annoying; switching to other characters is doubly annoying

• Clustering character types may be easier: once you get to your digit or punctuation keyboard, it may be worthwhile to include several such characters—assuming they don’t kick you back to the alphabetical keyboard.

• On the same note, ending a string of numbers with a character that kicks you back to the alphabetical keyboard may be convenient.

• Space is always the easiest character to type.

• Your next phone might change the rules entirely, making easy combinations hard and vice-versa.

As others have commented, Unicode is problematic because many characters are interchangeable and depend on the keyboard mapping. Personally, I use Diceware as a starting point for passwords I need to remember. Even adding one Diceware word to a password can improve the entropy in a fairly memorable way.

It is interesting and I agree with you; in the big scheme of things smartphones push people away from traditional passwords, in favor of other approaches. On the whole I think this is a good thing!