Robert Hensing's Blog

Software Security . . . and stuff.

Admin Personas? Not yet - the final word on Passwords vs. Passphrases

So yesterday Jesper posted the final installment in his 3-part series on passwords vs. pass-phrases, and while I had some issues with some of the assumptions he used to draw conclusions in his 2nd installment, I have no such issues with the conclusions he draws in the 3rd installment - it's all good and I agree with everything he says, so go read it!

Here's the landing page you should bookmark to find future articles by Jesper: http://www.microsoft.com/technet/security/secnews/newsletter.htm

Here's the URL to the latest installment itself: http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint110104.mspx

The key take-aways from his article are:

  1. 5-6 word pass-phrases seem to be just as strong as purely random 9 character passwords.
  2. Bonus points (Kudos?) are awarded to those among us who use 733t speak in their pass-phrases as it dramatically increases the entropy (sadly). :)
  3. Misspelling words actually helps too (I once misspelled 'Halo' in one of my pass-phrases - it's nice to know my general stupidity actually contributes to my security well-being.  Ironically my head was thinking 'Halo' but my fingers were typing 'Halow' for some reason.  Interestingly I was able to type this consistently without issue for weeks and it wasn't until I wrote it down in e-mail, to submit to Jesper, that I realized I had been misspelling 'Halo' for weeks.)

Jesper even goes into how to use Group Policy to enforce your password policy, some of the limitations inherent in Windows when it comes to enforcing password policy and how to work around those limitations (custom password filter).

The article concludes with a topic I've actually been meaning to blog about and I passionately agree with him here too:  Account lockouts are evil and I personally would never recommend they be used (IF you have a good enough password policy).  Think about it:  What are account lockouts used for really?  They are used to protect weak passwords!  So if you fix the weak password problem, you don't really need account lockouts right?  I'll gladly let any hacker in the world pound away against my password - he's not going to guess it in the 70 days that it's used for.  We don't use account lockouts here at Microsoft but we do have ways of monitoring for excessive authentication attempts so that we can tell when accounts are being attacked.  (People tend to use account lockouts as a poor-man's IDS but often don't realize the hidden costs of account lockout until after they've been hit by a worm that locks out all the accounts in the domain repeatedly, in a loop).
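Monitoring for excessive authentication attempts instead of locking accounts, as described above, comes down to counting failures per account and per source host. The following Python is an added example, not code from this post or from Microsoft; its failed-logon records are constructed inline rather than parsed from the Windows security log, and the thresholds and window sizes are assumptions you would tune for your own domain.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_failures():
    """Constructed failed-logon records (timestamp, account, source host); not real
    log data. In a domain these would be parsed out of the security event log."""
    base = datetime(2004, 11, 2, 9, 0, 0)
    recs = []
    # 25 failures against one account inside five minutes: a guessing attack
    recs += [(base + timedelta(seconds=12 * i), "alice", "10.0.0.5") for i in range(25)]
    # a user who mistyped twice; must not be reported
    recs += [(base + timedelta(minutes=m), "bob", "10.0.0.7") for m in (1, 2)]
    # one host failing once against six different accounts: the worm-style sweep
    recs += [(base + timedelta(minutes=3, seconds=i), f"user{i}", "10.0.0.9") for i in range(6)]
    return recs


def accounts_under_attack(records, threshold=20, window_minutes=10):
    """Accounts with at least `threshold` failures inside any `window_minutes` span.
    Sliding window per account; returns {account: peak count seen in a window}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    flagged = {}
    for ts, account, _src in sorted(records):
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged


def sweeping_sources(records, min_accounts=5):
    """Source hosts that failed against many distinct accounts: the pattern that
    locks out a whole domain, here reported instead of locking anyone out."""
    seen = defaultdict(set)
    for _ts, account, src in records:
        seen[src].add(account)
    return {src: len(a) for src, a in seen.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    recs = constructed_failures()
    print("accounts under attack:", accounts_under_attack(recs))
    print("sweeping sources:", sweeping_sources(recs))
```

The account that is being pounded on shows up as a single alert with its peak failure count, and the host sweeping many accounts shows up separately, without any account ever being locked.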

I'd like to conclude this post with some advice that I feel will help ensure you choose strong pass-phrases, so that as people start using pass-phrases they don't end up using weak ones thinking they are better than 9 character random passwords.  This is important because it's just as easy to create a weak pass-phrase as it is a weak password.  For example 'Password;1' is technically a 'strong' password in terms of 'complexity requirements' (it meets all of them, I could even use this as a password here at Microsoft) but it's actually very weak and cracks almost instantly in LC5 in hybrid crack mode (which takes each word in the dictionary and brute-forces a few extra characters tacked on the end of it).  The same could be done with pass-phrases.  For example, I'm pretty sure 'This is my password' is a weak pass-phrase and would not recommend using that combination of words as yours.  With that said, here are some things that can help create stronger pass-phrases.

  1. As I've stated before - go for length.  The more words the better.  It would be pretty difficult to remember 10 random words (just as it would be difficult to remember 10 random characters).  One of the key reasons I like to use pass-phrases is because I can remember them but I can't remember 10 character random passwords.  If I can't remember 10 random character passwords, it's safe to assume I won't remember 10 random word pass-phrases.  So to solve this problem I use sentences that I can remember - I find it's really easy for me to remember a long sentence.  My current pass-phrase is 7 words long and is 43 characters in length (including spaces) which doesn't seem all that long but I routinely use longer ones without difficulty (but I'm a touch typist).  Pundits will point out that sentences tend to have lower entropy since they are not composed of truly random words and the English language is predictable.  I acknowledge this and one thing you can do to help this situation is to just make really loooooonnnggg pass-phrases . . . but keep reading for more things you can and should do to improve the strength of your pass-phrase.
  2. Try to use words in your sentence that you don't use every day . . . in Jesper's second column on pass-phrases he drew some conclusions based on a presumed 300 word vocabulary - if you can use words from a much larger vocabulary (the English language probably has over 60,000 words and word forms, not counting slang etc.) that will make your pass-phrase that much harder to crack.  Since I tend to be un-creative when it comes to selecting new pass-phrases I tend to let other people come up with pass-phrases for me.  I like to quote great literary works or people (which usually use words I don't use every day but that I can remember in the context of a famous quote).  I like famous quotes from Einstein and Plato or Homer etc.  I also like to quote pop-culture (movies like the Matrix, favorite songs etc.).  Speaking of slang - are there any Jeff Foxworthy fans out there?  When the inevitable pass-phrase dictionaries / crackers start showing up on the market I wonder how easy they'll be to subvert with a word like 'Usetacould'. :)
  3. As Jesper points out in his 3rd installment - using character substitutions or misspellings in your pass-phrases can increase the entropy greatly which may help counter the lower entropy of 'normal' English sentences.
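To put numbers on the points above, here is an added Python example (not from this post or from Jesper's article) that checks a password against a Windows-style complexity rule and against the hybrid-crack pattern described earlier, and estimates pass-phrase entropy under the 300-word and 60,000-word vocabulary figures quoted above. The tiny wordlist, the one-bit-per-substitutable-letter bonus for 733t speak, and the 94-character alphabet for random passwords are assumptions made for the example.

```python
import math
import re

# Constructed stand-in for a cracker's wordlist (assumption; real lists are far larger).
WORDLIST = {"password", "halo", "matrix", "this", "is", "my", "door", "walk"}
PRINTABLE_ASCII = 94           # alphabet a random 9-character password draws from
SUBSTITUTABLE = set("aeiost")  # letters with an obvious 733t replacement (assumption)


def meets_complexity(pw, min_len=8):
    """Windows-style complexity rule: minimum length and at least three of the
    four character classes (the min_len value is an assumption for this example)."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3


def hybrid_crackable(pw, wordlist=WORDLIST, max_suffix=2):
    """Model of the hybrid mode the post describes: a dictionary word with up to
    max_suffix characters appended, matched case-insensitively."""
    lower = pw.lower()
    return any(lower[:len(lower) - k] in wordlist for k in range(max_suffix + 1))


def random_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(phrase, vocabulary_size):
    """Entropy if every word were picked uniformly from a vocabulary of that size;
    real sentences are less random, so treat this as an upper bound."""
    return len(phrase.split()) * math.log2(vocabulary_size)


def substitution_bits(phrase):
    """Extra bits if the attacker must try each substitutable letter both ways:
    one bit per such letter (assumption: substitutions chosen independently)."""
    return sum(1 for ch in phrase.lower() if ch in SUBSTITUTABLE)


if __name__ == "__main__":
    pw, phrase = "Password;1", "This is my password"
    print(pw, "meets complexity:", meets_complexity(pw), "hybrid-crackable:", hybrid_crackable(pw))
    for vocab in (300, 60000):
        print(f"{vocab}-word vocabulary: {passphrase_bits(phrase, vocab):.1f} bits,"
              f" +{substitution_bits(phrase)} with substitutions")
    print(f"9 random printable characters: {random_password_bits(9):.1f} bits")
```

Run it and 'Password;1' passes the complexity rule yet falls to the hybrid model, while the same four-word phrase is worth roughly 33 bits against a 300-word vocabulary and roughly 63 bits against a 60,000-word one, which is the whole argument for uncommon words.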

I leave you with a parting thought that also just so happens to make a great pass-phrase (I think). :)

"But I can only show you the door, you're the one that has to walk through it" - Morpheus, The Matrix  (78 characters with quotes and spaces . . . mmmmmmm entropy)

Comments
  • Great post Rob. I love the idea of using famous quotes. Nothing like learning something while being secure at the same time. I, like most I'm sure, have been using pass phrases since your first post about them. Love 'em. Plus, I love watching the expression on people's faces when they watch me type them in (and they're longer than the textbox provided) :)

  • I confess, I haven't read the articles :-) but isn't using a pass phrase from your personal interests (Einstein quotes and the like) a weakness in itself? I guess how much of a weakness it is depends how many quotes you know and how well the attacker knows you.

    Taking a step to one side slightly, what's in your (you being Robert Hensing or any random person) .sig file...?

  • Ask Oxford puts the number at about three times what you cited.

    http://www.askoxford.com/asktheexperts/faq/aboutenglish/numberwords?view=uk

  • OK.  Let me get this perfectly straight.  I am not going to give you a new way to do your passwords...