Why long passwords? 

@thegibson damn didn't know mine were that stellar

and my personal one is like L O L

re: Why long passwords? 

@thegibson the big takeaway from this chart should be how different it looks from 5/10/20 years ago. The whole thing will be red eventually, so no password should be the only thing between someone and your secrets.

re: Why long passwords? 

@zpojqwfejwfhiunz @thegibson the big takeaway should be to use adaptive hashing algorithms so that you can adjust the work factor to keep up with compute performance improvements

re: Why long passwords? 

@thegibson Do you have a link that explains their assumptions?

Obviously there's a big difference between cracking offline and online ...

My current draft semi-mythical password policy currently says "if it's generated by a machine and has max complexity, 8 chars is OK for normal accounts" which seems to agree a bit with their data, but it seems like they're slightly more pessimistic than me, so perhaps they were looking at offline?

re: Why long passwords? 

@yojimbo The NIST advisement now is 15 characters, no complexity. This is "Secure enough" which seems to be backed up by this chart... No I don't know their methodology.

re: Why long passwords? 

@yojimbo 8 character with complexity can be cracked offline within minutes... so I'm not sure.

re: Why long passwords? 

@thegibson So, howsecureismypassword.net looks like a javascript 'length counter' that says 'correct horse battery staple' would take 15 octillion years to crack. So ...

On the other hand, the infographic itself is well presented.

re: Why long passwords? 

@yojimbo The chart looked spot on enough from my experience that I didn't really dig deeper.

re: Why long passwords? 

@thegibson I always like to dig deeper - I'm just so very used to people not doing 'science' correctly that I check check check ...

re: Why long passwords? 

@yojimbo Totally fair... I usually go that route when something smells fishy... this one met my expectations... except I feel like their rates were a little longer than I expected.

re: Why long passwords? 

@thegibson Also I'll point out that not being a very javascripty person, I didn't check their code to work out what they're really doing.

re: Why long passwords? 

@yojimbo I assume the graphic is about time to crack a copy of a hashed stored password with one of the common tools. A dictionary attack on an account or API has way too many unknowns to be pressed into such a visualisation (and everyone with public accessible endpoints should implement some mechanism that prevents unlimited retries).
I don't trust passphrases comprised of full words. Complexity depends on the size of the dictionary used to generate them.
@TheGibson

re: Why long passwords? 

@galaxis @thegibson Yep, I think your assumptions are probably valid, which is why so many of us have looked at the infographic and felt that it reflects the broad truth.

But I don't like assumptions, and want the actual data - because I trust the maths, and want to learn more.

Word lists for example - there's diceware's 7776 words, and 1password's 18,000 words. Which one is "better"? There are some valid words ("a","I" in English at least) that don't make good selections for a wordlist :-) The maths holds up if you don't also examine the makeup of the words, and understand what cracking techniques are being used (this is another area where I'm not very strong)

So "more data!"

Why long passwords? 

@TheGibson even better: xkcd.com/936/

I'm no mathematician but it seems to check out.

Why long passwords? 

@draeath @TheGibson Eh, that's not as secure as it sounds anymore, tbh, because now all you have to do is brute force four words instead of a ton of characters.

Why long passwords? 

@Jo
The graphic takes this into account. The number of tries for the characters would be much larger.

@draeath @TheGibson

Why long passwords? 

@trevdev
You may have a neglected deep well of great long passwords.
I was moved around a LOT as a child. Constantly having to memorize new addresses and telephone numbers. Ain't NOBODY gonna guess those otherwise useless things stored in my brain and nowhere else!
Apt50412105102ndAveEdmontonABT5N0L5
Difficulty to remember: zero.
I have a zillion of them. Can add phone numbers. Combine with old poems and prayers memorized... You're stuck with them anyhow.
@draeath @thegibson

Why long passwords? 

@draeath @TheGibson
correct horse battery staple walks into a bar.
The bartender says: "Why the long password?"

re: Why long passwords? 

@thegibson <insert XKCD reference here>

@TheGibson What I'd really like to see is, say, lifetime or century-crack length over time.

That is, for a given year, what is the shortest password that can withstand likely crack attempts for 100 years.

Or perhaps ranked against budget: cracking for $0.01/key, $0.10, $1, $10, $100, $1,000, $1,000,0000, $billion, etc.

The cracking-rate progress and budget aspects of this are seriously underappreciated. Hell, I don't know these.

#passwords #security #cracking

@dredmorbius @thegibson I think Bitcoin has proven the economy for this is a hell of a lot cheaper than people think. (Which is why I think the estimates in the chart above are woefully naive as they assume a single attacker and a one pw at a time attack.)

The amount of distributed compute power people are throwing around at cryptocoins for no budget but for imaginary profit is extraordinary. No human password survives ~100-days much less 100 years against cryptocurrency "mining".

@dredmorbius @thegibson Passwords that humans type in, much less are expected to "know" are dead as of like three years *ago*, it's just going to take years for people to understand the implications of that.

@abbienormal

I would have suggested that fifteen years ago, but now I'm not so certain about that either. I don't think they are very humane in just pairs. Keybase got close to something but I don't think they cracked the mainstream UX.

I'm slowly, fwliw, growing the opinion we need something *slow*. Involving things like post offices and notaries public, handshakes and stamps. Human time scales. Don't know the "hows" exactly though.

@dredmorbius @thegibson

@abbienormal @dredmorbius @thegibson What little I know/picture of the "hows" is that it may have to get *weird* to be generally useful. Like pulling out weird ideas from fantasy novels weird as the only UX that "makes sense" to the average person.

"Sorry, I can't log in to Gmail until I visit my local Apple Enchanter to re-enchant the magic runes back into my iPhone. Yeah it's dumb I have to find a day to take these rune stones and my driver's license over, but I like my phone soulbound."

@abbienormal One possibility is that digital infotech is fundamentally incompatible with strong and reliable identity determination and/or assertion.

Another is that some mix of identifiers, including passphrases, but also other factors: observed behaviour, third-party attestations, physical tokens (#NFCRing is one I'm partial to). Maaaaaybe biometrics, though I really don't like them. All of which require robust and efficient, though black-hat resistant, issuing and recovery procedures.

Eliminating needless (or harmful) authentication absolutely as well.

@max @TheGibson

@dredmorbius @abbienormal @thegibson I think "needless" authentication gets overlooked a lot. Too many websites want logins for stupid things like identifier tokens or marketing email collection. The subversion of the dream of the original OG OpenID into walled identity gardens didn't help and while there is still maybe some hope for web platform tools like Webauthn and Web Payments, but not a lot (where's Webemailaddr?). I still wish BrowserID hadn't been eaten/starved to death by Firefox OS.

@max In meatspace there's a great deal of, for want of a better term, transient identity.

That might be token-based --- "take a number" at a deli or other service counter. It may be predicated simply by material presence in time and space --- standing in a queue, answering a door, visiting an office. Being "that guy at the gym" or "that girl at the club". Role-based identities --- museum docent, parks guide, bus driver.

For most of those involved, there's no reason to necessarily establish a longer continuity.

For transactional situations, distinguishing cash vs credit payment also makes a difference --- cash largely closes the book on a transaction, credit does not (absent returns and exchanges).

Online, these nuances are all but entirely lost.

@abbienormal @TheGibson

@FiXato @dredmorbius @thegibson Unfortunately rate limiting is also *hard* in coordinated distributed attacks. It's tough to "scale" your rate limits in the same way you scale the rest of your APIs.

2FA is a good start and useful stop gap, but I worry isn't enough because today's 2FA doesn't scale "socially" well; it's all too easily social engineered because humans are bad at all "factors". We almost need a ground up rethink, says the pessimism in me.

@FiXato Rate-limiting itself leaves open a path for DDoS attacks. Trickle-feed in a constant set of authentication attempts.

#WhoAreYou remains the most expensive question in infotech. No matter how you get it wrong, you're fucked.

old.reddit.com/r/dredmorbius/c

@max @TheGibson

@dredmorbius @FiXato @thegibson Right, yeah, in order to do rate limits you have to do rate counts and *counting is hard* in a distributed system. It's expensive to count correctly (transaction locks), so there's lots of distributed hacks around counting such as bloom filters and HyperLogLog, and a proper rate limit is barely worth even those counting hacks.

@dredmorbius @FiXato @thegibson Even if those counting hacks were worth using for rate limits, they are prone to false negatives/false positives, which is fine for "there are roughly 99+ things in your inbox" but definitely not for "you've tried to log in 3 times in the last 3 minutes on 3 different IP addresses, your account is now locked for three hours".

Anyway, my terrifying canary in this coal mine is somewhat documented on Mastodon under the CW "Steam Password Change Day".

Why long passwords? 

@TheGibson

I knew this, but have never seen it visualized so clearly before. Useful!

Why long passwords? 

@TheGibson assume if they get the hash of the password. Doubt services serve you 10^10 logins.

Also then, which hash?

Kindah think maybe accounts that haven't been accessed for a while should be rehashed a few more times so it takes longer to crack them..

This tactic costs the same extra factor of extra effort for the attacker as the defender.. intuition says better is not possible, neither the server nor the attacker actually knows the password.
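The adaptive-hashing suggestion earlier in the thread and the "rehash it a few more times" idea in this post both come down to storing the work factor next to the hash and raising it later. An added example of that pattern, not code from anyone in the thread; it uses standard-library PBKDF2-HMAC-SHA256 and an assumed `algo$iterations$salt$digest` storage format (a production system would more likely pick Argon2id or scrypt, but the upgrade-on-login logic is identical):

```python
# Added example: self-describing password hashes whose work factor can be
# raised over time, with a transparent rehash on the next successful login.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGO = "pbkdf2_sha256"  # assumed label for the storage format


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return 'algo$iterations$salt_b64$digest_b64' for the given work factor."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the iteration count recorded in the stored string."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when the stored hash lags the current policy (algorithm or cost)."""
    algo, iters, _, _ = stored.split("$")
    return algo != ALGO or int(iters) < current_iterations


def login(password: str, stored: str, current_iterations: int) -> Tuple[bool, str]:
    """Verify the password; on success, upgrade the hash if policy has moved on.

    Returns (ok, hash_to_store). The plaintext is only available at login,
    which is why the rehash has to happen here rather than in a batch job.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, current_iterations):
        stored = hash_password(password, current_iterations)
    return True, stored
```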

Why long passwords? misinfo 

@TheGibson this is what we hackers call a "rainbow table"

Why long passwords? 

@thegibson
put a sample output from my password generator in it, and....
(fwiw the command i use is $(tr -cd "[:alnum:][:punct:]"</dev/urandom|fold -w 64|head -1))

Why long passwords? 

@TheGibson
That's why I would like 24 Letter random generated Passwords on everything, if Websites didn't tell me things like "Password too long, must not exceed 12 characters" and "Those Symbols not allowed"!

Why long passwords? 

@TheGibson Gosh I dislike such charts. Without mentioning the hash and the assumptions made to calculate the values it's worthless. Almost every time the assumption is that passwords have perfect entropy, which is just wrong for every human generated string.
Long passwords are also useless, if the entropy sucks :/

re: Why long passwords? 

@gom I agree, but it is a good simplified communication tool for those who aren't as versed... and those are the people who need a base level understanding to justify the complexity requirements as they are enforced by security professionals today.

I agree with you that it captures 0% of the nuance of this topic. But we're not the ones who need convincing. :)

re: Why long passwords? 

@thegibson I had a deeper look at this infographic when LinkedIn shared a version that doesn't have the reference to howsecureismypassword.net ...

This website publishes its algorithm from github.com/howsecureismypasswo.

Their defaults are to assume 10e9 (10 billion) calculations per second; so this is based only on offline cracking. Their 'ok' and 'good' thresholds are 1 year and 1 million years.

I've seen claims that an AWS p3.16xlarge machine at US$25/hour will crack at over 600GH/s (NTLM hashes); this is 600x faster than the default hsimp value, but that's not really enough to change their values by much.

The use of these values should set your password policy around risk - if you have accounts at a third-party service you should set password strength to more than the length of the business relationship itself; assume that they will lose control of their backend-password store and not inform you.

A practical password policy is "always use a password manager application" and never allow a human to come up with their own passwords. If the human is expected to type the password in, take the word-list approach. If not, simply maximise complexity & length.
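A worked version of the word-list question raised upthread (diceware's 7,776 words vs 1Password's 18,000) and of the crack-rate figures in this post, as an added example that is neither hsimp's published algorithm nor code from anyone in the thread. It assumes uniformly random selection (the "perfect entropy" case gom objects to), an average-case attacker who searches half the keyspace, the 1e10 guesses/s hsimp default and the 600 GH/s AWS figure quoted above, and that `[:alnum:][:punct:]` from the generator upthread is a 94-character pool:

```python
# Added example: entropy of passphrases vs random-character passwords, and
# what that entropy means at the two guess rates discussed in the thread.
import math

GUESSES_PER_SEC_HSIMP = 1e10     # hsimp default: 10 billion guesses/s
GUESSES_PER_SEC_AWS = 600e9      # 600 GH/s NTLM figure quoted above
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def years_to_crack(bits: float, guesses_per_sec: float) -> float:
    """Average-case years: half the keyspace at a constant guess rate (assumption)."""
    return (2.0 ** bits / 2.0) / guesses_per_sec / SECONDS_PER_YEAR


def rating(bits: float, guesses_per_sec: float) -> str:
    """Bucket using the 1-year 'ok' and 1-million-year 'good' thresholds above."""
    years = years_to_crack(bits, guesses_per_sec)
    if years >= 1e6:
        return "good"
    if years >= 1:
        return "ok"
    return "weak"


# Constructed candidates: (pool size, number of picks).
CANDIDATES = {
    "4 diceware words (7776-word list)": (7776, 4),
    "4 words (18,000-word list)": (18000, 4),
    "8 chars, 95 printable ASCII": (95, 8),
    "15 chars, lowercase only": (26, 15),
    "64 chars alnum+punct (tr generator)": (94, 64),  # 62 alnum + 32 punct
}


def report():
    """Return (name, bits, rating@hsimp, rating@AWS) for each candidate."""
    rows = []
    for name, (pool, n) in CANDIDATES.items():
        bits = entropy_bits(pool, n)
        rows.append((name, round(bits, 1),
                     rating(bits, GUESSES_PER_SEC_HSIMP),
                     rating(bits, GUESSES_PER_SEC_AWS)))
    return rows


if __name__ == "__main__":
    for row in report():
        print("%-38s %6.1f bits  hsimp:%-5s aws:%s" % row)
```

The interesting result is that four words from either list land in the same "weak" bucket as a random 8-character complex password at these rates, while 15 lowercase characters are "ok" even at the AWS rate, which is the length-over-complexity point made earlier in the thread.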

re: Why long passwords? 

@yojimbo

I mean ultimately, maximizing length and complexity is the game right?

Good research you've done there... I usually look at things like this as a nice colorcoded way to raise awareness in those that don't do this professionally, ya know?

It's not really meant for us I suppose.

re: Why long passwords? 

@thegibson Luckily for me, I get to work with technical people here, so I expect they have data to back up their positions ... and therefore I have to do the same :-)
