[Security] Passwords, passphrases, and big numbers: first the good news
Way back in the 1990s, during the Q&A session after an EICAR presentation on social engineering, there was an animated discussion arising from some slides I'd included on password selection and usage. Some wondered why we were still discussing and promoting password strategies when there were (and are) better alternatives to static passwords.
Timeslip… Before you know it, it's late in 2011, and IBM is predicting that within the next five years, multifactor biometrics will mean that we never have to use a password again. Yippee! No more lockouts because of mistyping, or harsh words from security mavens about the post-it on your monitor, or lectures from me about not making your password or PIN too obvious!
But then, when we've barely got over our New Year hangover, Cormac Herley and Paul van Oorschot hit us with a (rather good) article averring that not only will passwords be with us for a good while yet, but that they're actually still the best option in some scenarios, even though "usability has degraded significantly, while security has not improved." So it's not surprising that Dark Reading's Ericka Chickowski came up with another good article on whether passphrases are a viable alternative to passwords.
As it happens, ESET has been advocating the use of passphrases where practical since the Jurassic. It’s the way that security is sometimes implemented that militates against good practice. For example, sites that only allow alphanumerics, are case-insensitive, restrict length, and yet allow unlimited login attempts. That’s often about prioritization of the convenience of a sysadmin or webmaster nowadays, rather than a restriction imposed by a security vendor, though hardware/software limitations may also be a factor (say on some mobile devices).
Still, it can’t be denied that security vendors will sometimes refrain from enforcing strict security if/when they know that it will alienate their customers. And the Stratfor breach strongly suggests that security specialists may be as prone to use convenient but brain-dead passwords as anyone else, on occasion. Perhaps it’s just easier to type a simple password than a lengthy passphrase, even if it’s a memorable passphrase. Especially for a hunt-and-peck typist.
In fact, you can overestimate the entropic value of a passphrase, though you can increase uncertainty by applying the same strategies that you can apply to a password. It depends on (for instance) how susceptible the countermeasure is to brute-forcing. If your login failure allowance is three strikes and out (and no retries after [n] minutes/hours/days), a good four-digit PIN should be adequate. (However, "good" doesn't mean 1234 or 0000.)
If you’re talking about a file or a device allowing unrestricted attempts to decrypt or access, on the other hand, then there’s certainly a crackability differential between “aaaaaaa” and “Now is the time for all good men to come to the aid of the party”. However, common phrases are also guessable, even before cracking software starts trying to break a passphrase into tokens. “Dis passéfrase 1s kwite gud bot wd b betr wiv m0r #s & karakters that r nut alfan00meric” is a further step in the right direction, even if it’s actually harder to memorize and enter than b4x87g-m. (On the other hand, according tohttp://howsecureismypassword.net/ it would take about about 6 noventrigintillion – 10120 - years to break it on a desktop PC: too bad I can't use it because I've just published it.) But you’re not talking about absolute uncrackability, but reducing the ROI (return on investment) so that it's too expensive (in terms of time and CPU cycles. Though in real life there's also the matter of balancing security resilience against convenience, so while "Now is the time for all good men to come to the aid of the party" is orders of magnitude easier to crac k (and to remember), it's still worth a respectable 150 trigintillion (1093) years of effort, apparently. Except that the estimate in that case doesn't seem to take into account the possibility of a dictionary attack that includes common phrases as well as or instead of single words. You might, in that scenario, be better off with "My cat's name is Rumplestiltskin" (1042) which is less likely to appear in a dictionary.
Then there's multi-factor: ah yes, the holy grail… Here's a thought, though. A (hardware) token isn’t necessarily two-factor by virtue of being a token. A device that’s (say) PIN-protected and displays a frequently changing token could be described as two-factor because it incorporates something you know as well as something you have (like a chip-and-PIN ATM card), but if the PIN protection is weak, you could actually be more secure with a good single-factor measure. Which I suppose gets us back to where we started.
Hat tip to John Leyden for flagging by the paper by Herley and van Oorschot. And another to Infosecurity Magazine's Eleanor Dallaway (via Rob Slade) for passing on this very apposite quote:
"We had an agreed BB policy requiring a long, complex password string.That changed when a senior exec requested a simple password. He said he couldn't enter the complex one while he was driving".
Here's a list of relevant resources (including some that were referred to above) in no particular order:
Keeping Secrets: Good Password Practice
Passwords, passphrases and past caring
No chocolates for my passwords please!
Choosing Your Password
Passphrases A Viable Alternative To Passwords?
A Research Agenda Acknowledging the Persistence of Passwords
Hearing a PIN drop
David Harley CITP FBCS CISSP
ESET Senior Research Fellow