FBI for passphrases - Cambridge Uni disagrees
This week, in its weekly tech advice column known as Tech Tuesday, the FBI Portland office positioned itself on the side of longer passwords. Would that really make a difference?
Let me start with the statement of the FBI Portland office as presented in its weekly tech advice column, Tech Tuesday:
"Instead of using a short, complex password that is hard to remember, consider using a longer passphrase,"
"This involves combining multiple words into a long string of at least 15 characters," it added. "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."
I remember Joe Bonneau analysing several password datasets around 2013. They also looked at the strength of the passphrases in the Amazon PayPhrase system. They found around 8,000 phrases using a 20,000 phrase dictionary. When they added a bit of statistical processing, they could translate that into a bit more readable result. It said the complexity of 20 bits for the attacker trying to compromise 1% of all user accounts. This compares to the complexity of 10 bits in systems using passwords without any "password policy".
Now 20 bits equals 1,000,000 tests, compared to 1,000 for 10 bits. But as I mentioned, the 10 bits figure is for when no password policy is in place, i.e., users can choose whatever password they want. When we enforce a minimum length, prohibit the most common passwords and require a special character, the 10 bits is likely to turn into more than 20 bits.
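The "statistical processing" that turns a frequency table into a bits figure is Bonneau's partial-guessing metric: rank passwords by how often they occur, count the guesses (mu) an attacker who tries the most common ones first needs to cover a fraction alpha of accounts, and report log2(mu / lambda), where lambda is the fraction actually covered, so that the number reads like a key length. The Python below is an added example, not code from the article or from the Cambridge paper; the 100-account dataset is constructed, and the metric is my reading of Bonneau's definition rather than anything the article states.

```python
import math
from collections import Counter

# Constructed toy dataset standing in for a leaked password list: 100 accounts,
# a few very common choices and a tail of passwords seen once. Not real data.
OBSERVED = (
    ["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 10 + ["letmein"] * 5
    + ["dragon"] * 4 + ["monkey"] * 3 + [f"unique-{i}" for i in range(13)]
)


def password_counts(samples):
    """Frequency of each distinct password, most common first."""
    return sorted(Counter(samples).values(), reverse=True)


def alpha_work_factor(counts, alpha):
    """Guesses needed, trying passwords most-common-first, to break a fraction
    alpha of accounts. Returns (mu, lam): mu guesses, lam = fraction actually
    covered after mu guesses (lam >= alpha)."""
    total = sum(counts)
    needed = alpha * total
    covered = 0
    for mu, c in enumerate(sorted(counts, reverse=True), start=1):
        covered += c
        if covered >= needed - 1e-9:
            return mu, covered / total
    # alpha is beyond what the observed sample can show
    return len(counts), covered / total


def alpha_work_factor_bits(counts, alpha):
    """Effective bits of strength against an attacker targeting alpha of
    accounts: log2(mu / lam). For N equally likely passwords this is log2(N),
    which is why it reads like a key length."""
    mu, lam = alpha_work_factor(counts, alpha)
    return math.log2(mu / lam)


def guesses_for_bits(bits):
    """Number of guesses a strength of `bits` bits corresponds to."""
    return 2 ** bits


if __name__ == "__main__":
    counts = password_counts(OBSERVED)
    for alpha in (0.01, 0.5, 0.9):
        mu, lam = alpha_work_factor(counts, alpha)
        print(f"alpha={alpha:.2f}: {mu} guesses cover {lam:.0%} of accounts "
              f"-> {alpha_work_factor_bits(counts, alpha):.2f} bits")
    print(f"10 bits = {guesses_for_bits(10):,} guesses, "
          f"20 bits = {guesses_for_bits(20):,} guesses")
```

The point the toy data makes is the one the article makes: against an attacker who only wants 1% of accounts, the dataset offers about 1.3 bits of resistance, because one guess already breaks 40% of them; only when alpha climbs does the tail of unique passwords start to count. A uniform distribution of 1,024 passwords gives exactly 10 bits at every alpha, which is the baseline the "10 bits" and "20 bits" figures are measured against.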
Passphrases are hard however, and there are three reasons for that:
- They are much harder to remember, as we are in general not used to them; they also take longer to type, especially on mobile devices, and there is hardly any typo correction in place.
- There are no commonly used rules that would detect a "weak passphrase": you can't enforce special characters any more, as the whole point of passphrases would be defeated, and the length will always be loooong enough.
- Many systems can't deal with passwords longer than 20-30 characters.
(Believe me, it's really hard to come up with a system of secure passwords that could be used across all the websites any one of us uses.)
While the NIST standard 800-63 from 2017 urged websites to allow the use of passwords of up to 64 characters, I'm pretty sure the majority of companies have never heard of it.
What's the bottom line? Be reasonable: when you can, use the support offered by operating systems and browsers. Avoid really weak passwords (see below for some examples). A good approach is to combine an easy-to-remember word with something personal (like part of your address, pet names, ... something you don't use online too much). All major web browsers will generate secure passwords and store them securely on your computer; Google and Apple now even sync passwords between your devices. So long as you remember the username, you can always request an email with a recovery password or link.
I think that the best way to learn is to experience. If you have a WordPress site, it's really easy to run experiments to detect passwords that are tried by hackers. WP is such a common platform that whole botnets specialise in this particular system. I did a small experiment myself and here are my own results, which very much agree with the general advice.
Which Passwords To Avoid
It seems to be a very bad idea to use a password consisting of only digits. I have logged passwords of 1 digit to passwords of 12 digits. As such, even a long number does not help. 22% of all guesses used all-digit passwords.
Another bad idea is to use a name as your password, be it the name of your girlfriend or son. The number of names being tested is very high indeed.
Common, often-used passwords are another thing to avoid. Here is a selection of “password” variations we found: Password!, P@ssw0rd1, P@$w0rd, pa$$w0rd, password12345, pass1234, pa$$word, Pa55word, pass12, p4ssw0rd, p@55w0rd.
Finally, if you believe that qwezxczasda is a good password, think again. Passwords made from keys that are close to each other are not that frequent, but I was still surprised by some of them. Here is again a small selection: q1q1q1, qwertuiop, ytngfh, k,jdm, qweasd123, 123asd, qazwsxedcrfv.
The biggest surprise however was when we identified passwords that used names of post authors as well as the website’s URL. There were more than 10 variations of one author’s name and even more passwords made from the website’s name and “padding” (like 11111, 12345, pass, …).
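The categories above (all digits, first names, "password" with letter-for-symbol swaps, keyboard walks, and the site or author name with padding) are exactly what a site-side weak-password check can screen for at the moment a user sets a password. The Python below is an added example, not code from the article or from KeyChest: the site name, author names and the small first-name list are constructed placeholders, and the keyboard-walk detector is a heuristic over a US QWERTY layout (a pair of keys counts as neighbours when they are in the same or an adjacent row and at most one key apart; a password is a "walk" when at least 60% of its consecutive pairs are neighbours).

```python
import re

# Constructed site context a WordPress admin would know: the site's own name
# and its post authors. Hypothetical placeholders, not values from the article.
SITE_NAME = "examplesite"
AUTHOR_NAMES = {"alice", "bob"}
# Tiny constructed stand-in for a real first-name dictionary.
COMMON_NAMES = {"alice", "bob", "michael", "jessica", "daniel", "maria"}
# Roots behind the "password" variations seen in the logs.
COMMON_ROOTS = {"password", "pass", "qwerty", "letmein", "welcome", "admin"}

# Undo the usual letter-for-symbol swaps so P@55w0rd compares as "password".
LEET = str.maketrans("@$01345!7", "asoieasit")
# Digits and punctuation that get glued onto a word as "padding".
PADDING_CHARS = "0123456789!@#$%^&*._-"

# US QWERTY rows; each row sits half a key to the right of the one above,
# so a key's horizontal position is col + 0.5 * row.
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
KEY_POS = {ch: (row, col + 0.5 * row)
           for row, keys in enumerate(KEYBOARD_ROWS)
           for col, ch in enumerate(keys)}
WALK_THRESHOLD = 0.6  # heuristic share of neighbouring-key pairs


def core(pw):
    """Lower-case the password and strip leading/trailing padding."""
    return pw.lower().strip(PADDING_CHARS)


def normalize(s):
    """Map leet-style symbols back to the letters they stand for."""
    return s.translate(LEET)


def keyboard_adjacency(pw):
    """Fraction of consecutive character pairs that sit on neighbouring keys."""
    pw = pw.lower()
    pairs = list(zip(pw, pw[1:]))
    if not pairs:
        return 0.0
    hits = 0
    for a, b in pairs:
        if a == b or a not in KEY_POS or b not in KEY_POS:
            continue
        (ra, xa), (rb, xb) = KEY_POS[a], KEY_POS[b]
        if abs(ra - rb) <= 1 and abs(xa - xb) <= 1:
            hits += 1
    return hits / len(pairs)


def check_password(pw, site_name=SITE_NAME, author_names=AUTHOR_NAMES):
    """Return the reasons a password matches the patterns seen being guessed
    against WordPress logins; an empty list means none of the checks fired."""
    reasons = []
    base = core(pw)
    norm = normalize(base)
    if pw.isdigit():
        reasons.append("digits only")
    if base in COMMON_NAMES:
        reasons.append("common first name")
    if any(root in norm for root in COMMON_ROOTS):
        reasons.append("variation of a common password")
    if len(pw) >= 4 and keyboard_adjacency(pw) >= WALK_THRESHOLD:
        reasons.append("keyboard walk")
    if site_name.lower() in norm:
        reasons.append("built from the site name")
    if any(name.lower() in norm for name in author_names):
        reasons.append("built from an author name")
    return reasons


if __name__ == "__main__":
    # Inputs taken from the article's lists plus a few constructed ones.
    for candidate in ["123456", "P@ssw0rd1", "Pa55word", "qazwsxedcrfv",
                      "123asd", "examplesite12345", "alice2020!", "Tr0ub4dor&3"]:
        print(f"{candidate:18} -> {check_password(candidate) or 'no pattern matched'}")
```

Two caveats worth knowing before wiring this into a login form. The leet map only recovers spellings with the full root intact, so P@$w0rd (one s) slips through; a real deployment would pair this with a breached-password list rather than a handful of roots. And the walk heuristic deliberately errs on the strict side: qazwsxedcrfv, qweasd123 and 123asd are flagged, while loose ones such as ytngfh and k,jdm are not, because relaxing the neighbour rule far enough to catch them starts flagging ordinary words.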
Most Often Tested Passwords
While in general the results are similar to what you can read in annual surveys, I found "new" passwords even among the 10% most frequent attacks. Here is our top 33.
- (website name)