Thursday, August 12, 2004

Why you shouldn't be using passwords

Interesting observation by Robert Hensing regarding passwords on Windows networks. He doesn't want you to use them, for a variety of reasons, but mostly because they're weak and exploitable. After describing why conventional passwords are ripe for the picking, he has a good suggestion for an alternative... that just happens to be compatible with Windows' password constraints and policies.

...So here's the deal - I don't want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase you ask? Let's take a look at some of my recent pass-phrases that I've used inside Microsoft for my 'password'.

“If we weren't all crazy we would go insane” (Jimmy Buffett rules)

“Send the pain below!” (I like Chevelle too)

“Mean people suck!” (it's true)

So why are these pass-phrases so great?

1. They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don't HAVE to use numbers to meet password complexity requirements)

2. They are so freaking easy for me to remember it's not even funny. For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember 'xYaQxrz!' (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack). That password would not survive sustained attack with LC5 long enough to matter so in my mind it's pointless to use a password like that. You may as well just leave your password blank.

3. I dare say that even with the most advanced hardware you are not going to guess, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).

Why you shouldn't be using passwords of any kind on your Windows networks


Anonymous said...

Bah, Hensing's reco is crap too. There are already at least two quotes/sayings dictionaries out there that can be used by LC5 and other cracking utilities. Pass phrases are no more secure than regular passwords, and in most cases, I would consider them LESS secure since they would be caught in the 1st run of a dictionary attack. At least with "aa5NfuYw" you force the attacker to use a true brute force algorithm. The only time Hensing's reco would hold true is if you select an uncommon passphrase known only to you, such as "My 2nd cat's name is Little F*ck." Note the use of special characters, numbers, and mixed case.

My reco is still to generate a high-entropy string of 16+ characters and numbers...and memorize it. Then replace it at least once a month. If you don't have the brains to do that, then you probably don't have the brains to protect your data anyway, so you might as well go with no password.

Anonymous said...

I disagree for purposes of practicality. Most people are lazy and:

= won't use a high-entropy string
= won't create otherwise strong passwords with mixed case and punctuation
= most snippets from songs would not be found in a dictionary attack (e.g., "G-L-O-R-I-A... Gloria!")

That's just my 2c.
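An added example (editor's code, not Hensing's or either commenter's) that puts numbers on the argument above: it checks the sample secrets against a simplified version of the Windows complexity rule and estimates the cost of each attack the thread mentions, raw brute force, a quotes/lyrics wordlist, and word-by-word guessing of an uncommon phrase. The quote list, its size, the vocabulary size and the guess rate are constructed assumptions, not figures from the page.

```python
import math
import re
import string

def char_classes(secret: str) -> tuple:
    """(lower, upper, digit, punctuation, space) presence flags."""
    return (any(c.islower() for c in secret), any(c.isupper() for c in secret),
            any(c.isdigit() for c in secret), any(c in string.punctuation for c in secret),
            " " in secret)

def meets_windows_complexity(secret: str) -> bool:
    """Simplified Windows policy (assumption: 6+ characters from 3 of the 4 ASCII
    classes; the real policy also counts other Unicode letters and rejects the user name)."""
    return len(secret) >= 6 and sum(char_classes(secret)[:4]) >= 3

def brute_force_bits(secret: str) -> float:
    """Bits an attacker must search knowing only the length and which classes are present."""
    alphabet = sum(n for n, present in zip((26, 26, 10, 32, 1), char_classes(secret)) if present)
    return len(secret) * math.log2(alphabet)

def normalize(phrase: str) -> str:
    return " ".join(re.findall(r"[a-z0-9']+", phrase.lower()))

# Constructed stand-in for a cracker's quotes/lyrics list: the sample decides
# membership, the size is an assumption used only for the arithmetic.
SAMPLE_QUOTES = {normalize(q) for q in ("If we weren't all crazy we would go insane",
                                        "Send the pain below!", "Mean people suck!")}
ASSUMED_QUOTE_LIST_SIZE = 2 ** 21  # about two million entries
ASSUMED_VOCAB_SIZE = 2 ** 16       # about 65k English words per position

def effective_bits(secret: str) -> float:
    """Cost of the cheapest attack that applies: quote-list lookup, then word-by-word guessing
    for multi-word phrases (ignores case/punctuation guessing, so conservative), then brute force."""
    costs = [brute_force_bits(secret)]
    words = normalize(secret).split()
    if " ".join(words) in SAMPLE_QUOTES:
        costs.append(math.log2(ASSUMED_QUOTE_LIST_SIZE))
    elif len(words) > 1:
        costs.append(len(words) * math.log2(ASSUMED_VOCAB_SIZE))
    return min(costs)

def days_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try the whole space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / 86400

if __name__ == "__main__":
    for s in ("xYaQxrz!", "aa5NfuYw", "If we weren't all crazy we would go insane",
              "My 2nd cat's name is Little F*ck."):
        print(f"{s!r}: complexity={meets_windows_complexity(s)}, brute={brute_force_bits(s):.0f} b,"
              f" effective={effective_bits(s):.0f} b, {days_to_exhaust(effective_bits(s)):.3g} days")
```

A lyric that sits in the attacker's list costs only log2(list size) guesses, whereas the same phrase costs hundreds of bits against pure brute force, which is exactly the gap the two comments argue over.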