The idea that computer users should use long, complex passwords is one of computer security’s sacred cows and something we write about a great deal at Naked Security.
They need to be long and complex because it’s their length, complexity and uniqueness that determines how difficult they are to crack.
Passwords are the keys to the IT castle and it doesn’t matter how strong your walls are if the lock on the door is easily picked.
They’re of particular interest to people like me because they’re often the one component of a security system whose creation and safety is entrusted to the users of that system rather than its designers and administrators.
And that, unfortunately, is why we have to keep talking about them – users remain stubbornly attached to passwords like 12345 and password that are so bad they can be cracked in less time than it takes to type them.
Spurred on by this obduracy, some computer security professionals spend a great deal of time either thinking about how to explain themselves better or thinking up ways to force users into the correct behaviour.
But what if we’re going about this the wrong way… what if we’re giving out the wrong advice or we’re giving the right advice to the wrong people?
Those are the kind of questions raised by a paper recently released by Microsoft Research entitled An Administrator’s Guide to Internet Password Research.
The authors, Dinei Florêncio, Cormac Herley and Paul C. van Oorschot, contend that “much of the available guidance lacks supporting evidence” and so set out to examine the usefulness of (among other things) password composition policies, forced password expiration and password lockouts.
They also set out to determine just how strong a password used on a website needs to be to withstand a real-world attack.
Their conclusion is that creating strong passwords is wasted effort a lot of the time.
They suggest that organizations should invest their own resources in securing systems rather than simply offloading the cost to end users in the form of advice, demands or enforcement policies that are often pointless.
To understand their conclusions we need to look at the difference between online and offline attacks.
ONLINE ATTACKS
Online attacks occur when someone attempts to log in to a website by guessing someone else’s username and password using that site’s standard login page.
Of course, most attackers don’t sit there manually entering guesses – they use computer programs that can work day and night and enter guesses at a far higher rate than any human being could.
These cracking programs know all the popular passwords (and how popular they are), have huge lists of dictionary words they can consult, and know the tricks that people use to obfuscate passwords by adding funny ch@ract3rs.
Any system that’s online can be subjected to an online attack at any time and such attacks are easy to perform and very common.
However, online attacks are also subject to a couple of natural limits. Even on extremely busy websites like Facebook, the amount of traffic generated by users who are trying to log in at any given moment is relatively small, because most users aren’t trying to log in most of the time.
Attackers cannot subject a system to too many guesses because of the amount of activity their attack generates. An attacker sending one guess per second per account would likely generate thousands or even tens of thousands of times the normal level of login traffic.
At the very least this would be enough to attract the attention of the site’s maintainer but it could also easily be enough to overwhelm the website completely.
Similarly, an over-zealous effort to crack one individual’s account is likely to attract the attention of the site’s maintainers and any automatic IP address blocklisting software they’ve used. Individual accounts are also, typically, not very valuable and simply not worth the attention and cost of millions of guesses.
This natural rate limiting also means that online attacks don’t become more deadly as computers get faster – it doesn’t matter how many guesses an attacker can make in theory because of the throttling effect of the target.
Finally, attackers must contend with the fact that as the number of password guesses they make increases, the frequency at which they guess successfully drops off dramatically.
…an online attacker making guesses in optimal order and persisting to 106guesses will experience five orders of magnitude reduction from his initial success rate.
Sooner or later the costs outweigh the benefits and it’s just not worth attacking that system any more.
The authors suggest that a password that’s targeted in an online attack needs to be able to withstand no more than about 1,000,000 guesses.
…we gauge the online guessing risk to a password that will withstand only 102 guesses as extreme, one that will withstand 103 guesses as moderate, and one that will withstand 106 guesses as negligible … [this] does not change as hardware improves.
One million guesses might sound a lot but even a very short, randomly generated five character password like 03W3d would likely survive.
The research also reminds us just how much more resilient a website can be made to online attacks by imposing a limit on the number of login attempts each user can make.
Locking for an hour after three failed attempts reduces the number of guesses an online attacker can make in a 4-month campaign to … 8,760
Offline attacks are in a different league entirely though.
03W3d might go uncracked for months in a real-world online attack but it could fall in the first millisecond (that’s 0.001 seconds) of a full-throttle offline attack.
OFFLINE ATTACKS
Offline attacks occur when someone steals, buys or otherwise finds themselves in possession of a website’s password database.
With the database in an environment that the attacker can control, the shackles imposed by the online environment are thrown off.
Now the attacker can throw the kitchen sink at your passwords.
Offline attacks are limited by the speed at which attackers can make guesses and that means it’s all about horsepower.
So how strong does a password need to be to stand a chance against a determined offline attack? According to the paper’s authors it’s about 100 trillion:
[a threshold of] at least 1014 seems necessary for any confidence against a determined, well-resourced offline attack (though due to the uncertainty about the attacker’s resources, the offline threshold is harder to estimate).
Luckily, offline attacks are far, far harder to pull off than online attacks. Not only does an attacker have to get access to a website’s back-end systems, they also have to do it undetected.
The window in which the attacker can crack and exploit passwords is only open until the passwords have been reset by the site’s administrators.
Of course, once they’ve gained access it’s possible that an attacker won’t need to perform an attack at all.
Passwords should be stored using repeated hashing algorithms like PBKDF2, bcrypt or scrypt.
That’s because password hashing systems that use thousands of iterations for each verification don’t slow down individual logins noticeably, but put a serious dent (a 10,000-fold dent in the diagram above) into an attack that needs to try 100 trillion passwords.
But the history of website data breaches suggests that’s often not done.
The researchers used a data set drawn from eight high profile breaches at Rockyou, Gawker, Tianya, eHarmony, LinkedIn, Evernote, Adobe and Cupid Media. Of the 318 million records lost in those breaches, only 16% – those stored by Gawker and Evernote – were stored correctly.
If your passwords are stored badly – for example, in plain text, as unsalted hashes, or encrypted and then left with their encryption keys – then your password’s resistance to guessing is moot.
THE CHASM
To understand the difference between online and offline attacks it’s helpful to see the numbers side-by-side.
| Scenario | Guesses a strong password must withstand |
|---|---|
| Online attack | 1,000,000 |
| Offline attack | 100,000,000,000,000 |
Not only is the difference between those two numbers mind-bogglingly large, there is – according to the researchers at least – no middle ground.
In the region from 106 to about 1014, improved guessing-resistance has little effect on outcome.
…incrementally increasing the number of guesses the password will survive delivers little or no security benefit.
In other words, the authors contend that passwords falling between the two thresholds offer no improvement in real-world security, they’re just harder to remember.
WHAT THIS MEANS FOR YOU
The conclusion of the report is that there are effectively two kinds of passwords: those that can withstand one million guesses, and those that can withstand one hundred trillion guesses.
According to the researchers, passwords that sit between those two thresholds are more than you need to be resilient to an online attack but not enough to withstand an offline attack.
Users, they suggest, should shepherd their resources wisely and focus on high value sites.
User effort available for managing password portfolios is finite. Users should spend less effort on password management issues … for don’t-care and lower consequence accounts, allowing more effort on higher consequence accounts.
Systems administrators, they say, should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.
The password strength meters and policies provided by systems administrators don’t work and putting the burden on users by asking them to create passwords long enough to withstand offline attacks is wasted effort – they simply won’t do it in large enough numbers.
…attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures…
Zero-user-burden mechanisms largely or entirely eliminating offline attacks exist, but are little-used…
Demanding passwords that will withstand offline attack is a defense-in-depth approach necessary only when a site has failed both to protect the password file, and to detect the leak and respond suitably.
If systems administrators did all that properly, they say, then you and I could happily stay secure with nothing more than a short pin code for each website.
Unfortunately there’s no way for you to tell the good sites from the bad ones – do you know if the website you’ve just used stores its passwords in plain text or uses keyed hash functions? And if they told you, would you believe them?
As a user, the only part of a security system you know anything about for sure is the bit you create, namely your password. Your password choice might not strengthen a weak system but it can certainly weaken a strong one.
THE BOTTOM LINE
Concentrating your efforts on the sites that really matter sounds like a good idea, except that it stirs new complexity into the mix: how to decide where to draw the line between “important” and “lower consequence” accounts.
Fortunately, you can bypass the authors’ notion of a ‘fixed time-effort’ budget by using a password manager.
That way, you no longer need to differentiate your lower consequence accounts: you can simply treat all your accounts as important.
With a password manager, the effort involved in generating and storing an extremely strong password is exactly the same as the effort needed to create a weak password.
Alternatively, you might decide that an almost zero-effort password manager churning out incredibly strong, random passwords is for your lower consequence accounts and that you want to create and memorise the really important ones yourself.
If you want to roll your own then our video will tell you how to pick a proper password – one that will withstand the most brutal offline attack.
(Don’t forget that if you do use a password manager, you will need a really strong password for the password manager itself.)
