Why long passwords? 

@thegibson damn didn't know mine were that stellar

and my personal one is like L O L

re: Why long passwords? 

@thegibson the big takeaway from this chart should be how different it looks from 5/10/20 years ago. The whole thing will be red eventually, so no password should be the only thing between someone and your secrets.

re: Why long passwords? 

@zpojqwfejwfhiunz @thegibson the big takeaway should be to use adaptive hashing algorithms so that you can adjust the work factor to keep up with compute performance improvements
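An added illustration of the adjustable work factor mentioned in the post above (not part of the original thread). PBKDF2-HMAC-SHA256 from Python's standard library stands in as one adaptive scheme; the record format, the function names and the `CURRENT_ITERATIONS` value are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed current work factor; raise it as attacker hardware gets faster.
CURRENT_ITERATIONS = 600_000


def calibrate(target_seconds=0.1, start=10_000):
    """Double the iteration count until one hash costs at least target_seconds here."""
    n = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"\x00" * 16, n)
        if time.perf_counter() - t0 >= target_seconds:
            return n
        n *= 2


def hash_password(password, iterations=CURRENT_ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password, stored, target=CURRENT_ITERATIONS):
    """Return (ok, new_record).

    new_record is not None when the password is correct but the stored
    record was made with a lower work factor; the caller should save it
    in place of the old one. This is the only moment the plaintext is
    available, so the upgrade has to happen at login.
    """
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    iterations = int(iters)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), iterations
    )
    # Constant-time comparison of the derived key with the stored one.
    if not hmac.compare_digest(dk, bytes.fromhex(dk_hex)):
        return False, None
    if iterations < target:
        return True, hash_password(password, target)
    return True, None
```

Because the iteration count is stored inside each record, old and new hashes verify side by side while accounts migrate to the higher cost on their next successful login.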

re: Why long passwords? 

@thegibson Do you have a link that explains their assumptions?

Obviously there's a big difference between cracking offline and online ...

My current draft semi-mythical password policy currently says "if it's generated by a machine and has max complexity, 8 chars is OK for normal accounts" which seems to agree a bit with their data, but it seems like they're slightly more pessimistic than me, so perhaps they were looking at offline?

re: Why long passwords? 

@yojimbo The NIST advisement now is 15 characters, no complexity. This is "Secure enough" which seems to be backed up by this chart... No I don't know their methodology.

re: Why long passwords? 

@thegibson @yojimbo
The recommendation for longer passwords instead of artificial complexity is about 2 years old:

web.archive.org/web/2019070823

I expect bank password policies to start changing in about 3 years

re: Why long passwords? 

@yaaps @yojimbo the ones that are my clients are already changing/have changed.

re: Why long passwords? 

@yaaps @thegibson It's the threat levels I'm trying to pin down; many of our password stores are away in online services that we don't run, so the online attack model is interesting.

We also have a bunch of in-house passwords, and need to look after those differently. So a single view of the topic isn't nuanced enough, unless it clearly differentiated between an offline attack and an online one.

I may steal the sample presentation layout though, just use it with my own assumption numbers.

re: Why long passwords? 

@yojimbo 8 character with complexity can be cracked offline within minutes... so I'm not sure.

re: Why long passwords? 

@thegibson So, howsecureismypassword.net looks like a javascript 'length counter' that says 'correct horse battery staple' would take 15 octillion years to crack. So ...

On the other hand, the infographic itself is well presented.

re: Why long passwords? 

@yojimbo The chart looked spot on enough from my experience that I didn't really dig deeper.

re: Why long passwords? 

@thegibson I always like to dig deeper - I'm just so very used to people not doing 'science' correctly that I check check check ...

re: Why long passwords? 

@yojimbo Totally fair... I usually go that route when something smells fishy... this one met my expectations... except I feel like their rates were a little longer than I expected.

re: Why long passwords? 

@thegibson Also I'll point out that not being a very javascripty person, I didn't check their code to work out what they're really doing.

re: Why long passwords? 

@yojimbo I assume the graphic is about time to crack a copy of a hashed stored password with one of the common tools. A dictionary attack on an account or API has way too many unknowns to be pressed into such a visualisation (and everyone with public accessible endpoints should implement some mechanism that prevents unlimited retries).
I don't trust passphrases comprised of full words. Complexity depends on the size of the dictionary used to generate them.
@TheGibson

re: Why long passwords? 

@galaxis @thegibson Yep, I think your assumptions are probably valid, which is why so many of us have looked at the infographic and felt that it reflects the broad truth.

But I don't like assumptions, and want the actual data - because I trust the maths, and want to learn more.

Word lists for example - there's diceware's 7776 words, and 1password's 18,000 words. Which one is "better"? There are some valid words ("a","I" in English at least) that don't make good selections for a wordlist :-) The maths holds up if you don't also examine the makeup of the words, and understand what cracking techniques are being used (this is another area where I'm not very strong)

So "more data!"
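An added worked example for the wordlist question in the post above (not part of the original thread). It compares the two list sizes named there and shows why very short words undercut the word-level maths. The guess rates, the 26-letter alphabet and the tiny `SAMPLE_WORDS` list are constructed assumptions.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in list; a real generator would load the full wordlist.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "a", "i"]


def word_bits(list_size, n_words):
    """Entropy when each word is drawn uniformly at random from the list."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def char_bits(length, alphabet=26):
    """Cost of brute-forcing the typed string character by character."""
    return length * math.log2(alphabet)


def effective_bits(words, list_size, alphabet=26):
    """An attacker takes the cheaper route: word-level guessing or
    character-level brute force over the joined string. Short words
    make the second route the cheaper one."""
    joined = "".join(words)
    return min(word_bits(list_size, len(words)), char_bits(len(joined), alphabet))


def generate(wordlist, n_words):
    """Pick words with a CSPRNG; human-chosen words do not get this entropy."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for size in (7776, 18000):
        print(size, "words:", round(math.log2(size), 2), "bits/word,",
              words_needed(size, 70), "words for 70 bits")
    four = word_bits(7776, 4)
    # Assumed rates: 1e10/s for an offline fast-hash attack, 10/s online.
    print("offline years:", years_to_exhaust(four, 1e10))
    print("online years:", years_to_exhaust(four, 10))
    print("four short words:", effective_bits(["a", "i", "a", "i"], 7776))
```

The larger list buys about 1.2 extra bits per word, which saves one word at a 70-bit target; neither list helps if the draw happens to produce a string short enough to brute-force by character.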

Why long passwords? 

@TheGibson even better: xkcd.com/936/

I'm no mathematician but it seems to check out.

Why long passwords? 

@draeath @TheGibson Eh, that's not as secure as it sounds anymore, tbh, because now all you have to do is brute force four words instead of a ton of characters.

Why long passwords? 

@Jo @draeath @thegibson
Not quite. Those of us, with more erudite tastes, create our own lists from our favorite authors, whether Goethe, Mark Twain or Homer. Multiple language dictionaries add even more fan flavor, whether French, German, Elvish or Klingon.

Why long passwords? 

@Jo
The graphic takes this into account. The number of tries for the characters would be much larger.

@draeath @TheGibson

Why long passwords? 

@trevdev
You may have a neglected deep well of great long passwords.
I was moved around a LOT as a child. Constantly having to memorize new addresses and telephone numbers. Ain't NOBODY gonna guess those otherwise useless things stored in my brain and nowhere else!
Apt50412105102ndAveEdmontonABT5N0L5
Difficulty to remember: zero.
I have a zillion of them. Can add phone numbers. Combine with old poems and prayers memorized... You're stuck with them anyhow.
@draeath @thegibson

Why long passwords? 

@draeath @TheGibson
correct horse battery staple walks into a bar.
The bartender says: "Why the long password?"

Why long passwords? 

@TheGibson
Remember that quantum computing will bring those numbers down quite a bit. Stuff that is secure now won't be in the future.

Nefarious three-letter agencies hold onto encrypted blobs in the hopes of cracking the passwords in the future. Use a much longer password than these.

re: Why long passwords? 

@Photorat Oh yes, I am very familiar with the quantum break.

re: Why long passwords? 

@TheGibson @Photorat By what order is 1st Gen quantum computing expected to speed this up? Ballpark.

re: Why long passwords? 

@Shufei @Photorat

It won't, it will make most currently used forms of encryption invalid.

Instantly open.

There are encryption methodologies that are quantum break resistant, but they are usually "forward secrecy" models.

re: Why long passwords? 

@TheGibson @Photorat "Too many secrets." Frightening.

re: Why long passwords? 

@Shufei @TheGibson @Photorat The expected security loss for symmetric cryptography like symmetric encryption or hash functions because of quantum computers is only the factor 2. Example: A cryptographic primitive with classical security of 512 bit will have only 256 bit security in the quantum setting. This means we do not need to worry much about symmetric encryption and hash functions.

re: Why long passwords? 

@blipp @TheGibson @Photorat Righto! That's encouraging, thanks heaps! So, a file zipped up with blowfish or threefish will likely take just half as long to crack?

re: Why long passwords? 

@Shufei @TheGibson @Photorat That is an excellent question.

Sorry, my previous post was a bit ambiguous or at least inconclusive.

The factor 2 of security loss is in the _exponent_ of the attack complexity. In general, a security level of X bit means that the adversary needs 2^X operations to succeed in the attack. If you lose a factor 2 in the security level (in the exponent), the attack gets a quadratic speedup.

re: Why long passwords? 

@Shufei @TheGibson @Photorat
Ignoring constant time factors, a quantum computer would be expected to take roughly the square root of the time a classical computer needs to break a symmetric cryptographic primitive.

The encouraging part of the message is that it is _only_ a quadratic speedup. This can be mitigated by doubling key sizes, which is feasible for symmetric cryptography.

See also the introduction of this article about Grover's algorithm en.wikipedia.org/wiki/Grover%2

re: Why long passwords? 

@Shufei @TheGibson @Photorat
Asymmetric cryptography is hit much worse by Shor's algorithm, leading to an _exponential_ speedup for attacks. This cannot be feasibly mitigated by increasing key sizes [1], we need to switch to new cryptographic primitives. That is what the NIST Post-Quantum Cryptography project is about csrc.nist.gov/projects/post-qu.

[1] although there is a paper presenting a quantum-safe variant of RSA with public keys of size 1 TB eprint.iacr.org/2017/351

re: Why long passwords? 

@blipp @TheGibson @Photorat Wow, thank you for that lucid explanation! I'm beginning to get a better idea of the dimensions of the issue.

It's certainly a challenge, but not *entirely* a cryptopocalypse, if long symmetric crypto keys are still somewhat secure. But no one will be using 1TB public key, haha.

Which of the recent NIST finalist algorithms do you reckon most secure? How come? How long before we have a Post-Quantum PGP?
csrc.nist.gov/projects/post-qu

@blipp
#ShufeiStar for later perusal

Quantum computing and cryptography funtimes.

re: Why long passwords? 

@Shufei @TheGibson @Photorat Right, cryptography is not entirely broken by quantum computers. However, asymmetric cryptography is an integral building block, that e.g. makes the key distribution problem manageable.

I am not knowledgeable enough about the math involved to be able to say which post-quantum cryptographic primitives are the most promising. The NIST competition is in round 3, quite some have been rejected already.

re: Why long passwords? 

@Shufei @TheGibson @Photorat However, I expect it will take years until we develop enough confidence in the algorithms, and until smth like post-quantum secure messaging is deployed.

Hybrid post-quantum security is an interesting waypoint: mix some post-quantum crypto into a classical protocol. If the post-quantum part turns out to be not even classically secure, you still have security by the classical part of the protocol.

re: Why long passwords? 

@Shufei @TheGibson @Photorat If quantum computers break the classical part, and the post-quantum part holds up, you keep some security as well.

WireGuard, the new VPN protocol, permits such a usage: the pre-shared key could be agreed upon by a post-quantum secure protocol.

VPN provider Mullvad has been offering this service, I did not check if it's still available mullvad.net/en/blog/2017/12/8/

re: Why long passwords? 

@thegibson @Shufei @Photorat
The focus on forward secrecy in quantum resistant algorithms is because it's public key cryptography that is vulnerable. Quantum computing doesn't have any predicted effect on symmetric cryptography or brute force password cracking

I'm still looking for information on the type of hashing done with password storage. As far as I can tell, there's no impact, but the structures proposed for forward secrecy with hash based signatures might have positive impact on the hygiene of password storage systems

Why long passwords? 

@Photorat @TheGibson quantum computing doesn't help with guessing a random password. Where it really will drastically change the game is cryptography.

The reason is that guessing random sequences until you find the right one is more a problem of raw throughput which is better suited to classic computing. Narrowing in on the prime factors for a giant number is a very specific type of computation that quantum makes (not technically trivial but computationally) trivial.

re: Why long passwords? 

@DalaiComma @Photorat

Yes. It isn't about passwords, quantum break will make non-forward secret cryptography irrelevant, and instantaneously broken.

re: Why long passwords? 

@thegibson <insert XKCD reference here>

@TheGibson What I'd really like to see is, say, lifetime or century-crack length over time.

That is, for a given year, what is the shortest password that can withstand likely crack attempts for 100 years.

Or perhaps ranked against budget: cracking for $0.01/key, $0.10, $1, $10, $100, $1,000, $1,000,0000, $billion, etc.

The cracking-rate progress and budget aspects of this are seriously underappreciated. Hell, I don't know these.

#passwords #security #cracking

@dredmorbius @thegibson I guess you'd have to model predicted increases in computational clock speed against cost per cycle (which are both a lot more difficult to predict now than back when we thought exponential increases in single CPU speed was going to be a thing, and more of the computational research was done out in the open and not behind corporate firewalls)?

@vortex_egg If only there were a heuristic for predicting future increases in compute power.

No ... not a heuristic. More a law.

@TheGibson

@dredmorbius @thegibson I think Bitcoin has proven the economy for this is a hell of a lot cheaper than people think. (Which is why I think the estimates in the chart above are woefully naive as they assume a single attacker and a one pw at a time attack.)

The amount of distributed compute power people are throwing around at cryptocoins for no budget but for imaginary profit is extraordinary. No human password survives ~100-days much less 100 years against cryptocurrency "mining".

@dredmorbius @thegibson Passwords that humans type in, much less are expected to "know" are dead as of like three years *ago*, it's just going to take years for people to understand the implications of that.

@abbienormal

I would have suggested that fifteen years ago, but now I'm not so certain about that either. I don't think they are very humane in just pairs. Keybase got close to something but I don't think they cracked the mainstream UX.

I'm slowly, fwliw, growing the opinion we need something *slow*. Involving things like post offices and notaries public, handshakes and stamps. Human time scales. Don't know the "hows" exactly though.

@dredmorbius @thegibson

@abbienormal @dredmorbius @thegibson What little I know/picture of the "hows" is that it may have to get *weird* to be generally useful. Like pulling out weird ideas from fantasy novels weird as the only UX that "makes sense" to the average person.

"Sorry, I can't log in to Gmail until I visit my local Apple Enchanter to re-enchant the magic runes back into my iPhone. Yeah it's dumb I have to find a day to take these rune stones and my driver's license over, but I like my phone soulbound."

@abbienormal One possibility is that digital infotech is fundamentally incompatible with strong and reliable identity determination and/or assertion.

Another is that some mix of identifiers, including passphrases, but also other factors: observed behaviour, third-party attestations, physical tokens (#NFCRing is one I'm partial to). Maaaaaybe biometrics, though I really don't like them. All of which require robust and efficient, though black-hat resistant, issuing and recovery procedures.

Eliminating needless (or harmful) authentication absolutely as well.

@max @TheGibson

@dredmorbius @abbienormal @thegibson I think "needless" authentication gets overlooked a lot. Too many websites want logins for stupid things like identifier tokens or marketing email collection. The subversion of the dream of the original OG OpenID into walled identity gardens didn't help and while there is still maybe some hope for web platform tools like Webauthn and Web Payments, but not a lot (where's Webemailaddr?). I still wish BrowserID hadn't been eaten/starved to death by Firefox OS.

@max In meatspace there's a great deal of, for want of a better term, transient identity.

That might be token-based --- "take a number" at a deli or other service counter. It may be predicated simply by material presence in time and space --- standing in a queue, answering a door, visiting an office. Being "that guy at the gym" or "that girl at the club". Role-based identities --- museum docent, parks guide, bus driver.

For most of those involved, there's no reason to necessarily establish a longer continuity.

For transactional situations, distinguishing cash vs credit payment also makes a difference --- cash largely closes the book on a transaction, credit does not (absent returns and exchanges).

Online, these nuances are all but entirely lost.

@abbienormal @TheGibson

@max
which also shows the importance of rate limiting or user credential checks and 2FA.
@dredmorbius @thegibson

@FiXato @dredmorbius @thegibson Unfortunately rate limiting is also *hard* in coordinated distributed attacks. It's tough to "scale" your rate limits in the same way you scale the rest of your APIs.

2FA is a good start and useful stop gap, but I worry it isn't enough because today's 2FA doesn't scale "socially" well; it's all too easily social engineered because humans are bad at all "factors". We almost need a ground up rethink, says the pessimism in me.

@FiXato Rate-limiting itself leaves open a path for DDoS attacks. Trickle-feed in a constant set of authentication attempts.

#WhoAreYou remains the most expensive question in infotech. No matter how you get it wrong, you're fucked.

old.reddit.com/r/dredmorbius/c

@max @TheGibson

@dredmorbius @FiXato @thegibson Right, yeah, in order to do rate limits you have to do rate counts and *counting is hard* in a distributed system. It's expensive to count correctly (transaction locks), so there's lots of distributed hacks around counting such as bloom filters and HyperLogLog, and a proper rate limit is barely worth even those counting hacks.
