And if we could only get password taking software to not require special characters and numbers if the password was longer than 15 characters, life would be peachy. (that is 19 characters if you're wondering, and no I don't use it as a password)
My biggest pet peeve with password requirements is limiting the scope of special characters to some arbitrary subset, i.e. "you may only use the characters @#$%^& in your password", or not allowing spaces. Without spaces I can't use a phrase without running it all together, and my instinct is to type the spaces, so I end up getting frustrated and using some less secure password instead.
Whenever I see those sorts of limitation I assume there's probably some kind of poorly handled escape situation to exploit and their fix was "well just don't allow that pesky < character"
Which is why I use the method of making up a random sentence with a number in it and using the first letters of each word and the punctuation.
I memorize the sentence.
My favorite 7 beavers aren't taking to water!
Password would be: Mf7ba'ttw!
It's highly random just like the poems. It's easier for me to remember. It has the right length and random symbols to make the strong password detectors happy.
You tend to say the sentence as you type the password so for bonus points, you can make it a nice motivational mantra.
You're good enough, you're smart enough, and doggone it, people like you.
The original complain was about password boxes not allowing passwords longer than 15 characters. Another common complain is only a few special characters allowed and space is often not on the allowed list. This gets you most of the memorability while still working with the common password box restrictions.
I've built up partial evidence that as the rules become more restrictive, the triviality of the password INCREASES and the entropy DECREASES.
The idea is that people can't use their personal passwords so they fall back on trivial variations of common ones.
For evidence, I've been assembling so called "cracks" and database "leaks" over the past several years and cataloging the password policies on the sites and then doing statistical analysis on the passwords.
It's in interesting project ... check my user info and email me if you want to know more about this
Using rhyme and meter to remember things has a rich history, back to the epic poems.
The phrasing of the title made me think of an Onion article along the lines of: They found the perfect password, it's '42Lemons?' and everyone should use it!
What they found is an excellent password scheme for humans.
> The phrasing of the title made me think of an Onion article along the lines of: They found the perfect password, it's '42Lemons?' and everyone should use it!
I thought the same thing. A great example of "what worked for someone else may not work for you".
Once you see them as tokens that 3rd parties will probably lose, then you know our efforts should be in secure token management software (keepass, lastpass, 1password, etc).
Maybe the problem is that we have it backwards. Maybe it shouldn't be something you remember and push to the authentication mechanism, but something that the authentication mechanism pushes to you.
Like, what if you pick the corpus of a novel that you've read as your master password. And the password manager uses that novel plus several other novels that you have selected (but didn't read/won't read?) to give you a series of multiple choice selections to determine if you know the right book. Just a few short passages. Preferably with proper nouns stripped out.
You have to select the passages from the correct book for all the multiple choices. That way rather than recall, the memory factor is recognition. Combine it with a non-memorable token which you have to present first in order to even see the recognition factor test and you might have something workable.
I didn't say to use it by itself. I said that your OTP would be required first to even access it. And of course you could provide backoff. And then you'd also have to be answering a series of multiple choice questions all correctly.
I dunno, just a thought, but do you get what I'm saying about recognition vs recall? Why don't we have the computer test us about things we're good at if part of the test has to be something only our individual brain is capable of?
You've just redefined memorable to make the problem disappear. That's not terrible useful. The idea is not to come up with a perfect solution that virtually no one will use.
Not entirely - I just think that the concept of a "master password" is still quite a bit broken. I would love if there were more biometric ways of me proving my identity to some system that maintained all these secure tokens that was also somehow revoke-able. I realize that may relate to mental memory.
For now, I guess it looks like a master password, which yes this paper elucidates methods for. But as long as you're memorizing 1 password (not 400), then how you manage to memorize it is of fairly small systemic gain.
Passwords, which are easy to remember, are not random and not strong. If I will know that your passwords are 3 dictionary words, I will try to bruteforce them using words, not characters. 50000 common words in ^3 is too small.
Jut generate random password and memorize it, like you memorize other random numbers and strings, like lock combinations, room numbers, car numbers, etc. Learn how to memorize arbitrary long strings of characters and you will have no problems with them for rest of your life.
To make life easier, memorize short password first, e.g. Gc@b%, let call it "alpha", then, when password expired, memorize two new short passwords, "beta" and "gamma", and include your old password "alpha" between them (or rotate it, or flip, or use part of it, etc.), so your password will 2 times longer and stronger. Repeat procedure next time. In short time, you will have list of "words" - short pieces of random strings, which are hard to guess by strangers, but remembered well by you. You can use that dictionary to construct new passwords while keeping adding new random or non-random "words" to dictionary, e.g. "car" - something related to your car, "house" - something related to house, etc. Then your password might look like "alpha-car-beta-house", which is easy to remember by YOU, but hard to guess.
No one recommends a 3 word passphrase. And for the situation you were asked about - a master password for a password safe - the recommendation is a 7 word phrase.
Even if you use the limited Diceware list (7776 words) you get 7776^7 which is plenty.
> Gc@b%
26 upper, 26 lower, 10 numeric, 20 special chars (which are risky to use)
82^5. 3707398432. That's weaker than the 3 words phrase from a 50,000 dictionary, which is a phrase that no-one recommends and that you rejected as being too weak.
82^5 is for just one word. Combine 7 of them and you will have strong master password, much stronger than one made from 7 common words. My master password contains 16 random characters, but it still easy for me to change it when needed. I can make it twice longer without problem, but it is hard to type already.
It is random, and it is strong. It starts with a random 60-bit number and uniquely maps it to one of 2^60 distinct two-line poems. For 120 bits, memorize four lines.
"Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."
I know you're making a joke but a passpoem or a passstory for lack of a better word is usable and something I do.
I take a passage of reasonable length from a book that I've memorized, could be song lyrics or anything though. Then to create a password I take the first several words to make a password roughly the length I want, do a standard transformation on it that results in a string with numbers and special characters and use that as a password.
When I need to change my password, I just take the next phrase from the passage and apply the same transformation. This has the distinct ability of letting me go back in time and remember what password I would have used at a certain time which has come in handy for remembering the root password on an old server.
I think we should held a competition to find out how old this tibit of knowledge really is and also the oldest article about security experts demonstrating passphrases are wide open to dictionary attacks.
This isn't just about pass phrases, or using a whole sentence as a password. The new part (to me, at least) was using short nonsense poems complete with rhyming and meter. This makes it easier to remember longer phrases/sentences. Not that the idea is hugely innovative, but it strikes me as helpful, and not already well worn.
"If you want your own little poem password, you can enter your e-mail here, and their program will send you a secure one, which will then be deleted from their server."
Uh...
They went through all the trouble of making a website. Maybe use https and just show me the password on the website?
Why not? we can remember the lyrics to every single song we like, or the dialog from some stupid show from 20 years ago, but pass-phrases are out of reach?
We remember the songs and TV shows because we listen and watch them, repeat them in our heads, talk about them with friends. We dont do that with passphrases.
Just continue to use a password manager, and save the poems for your master password, your ssh key, your unix account, etc. Only then do you need to recall on demand.
Create a single-point-of-failure for my entire digital-life? Thanks, I'll pass.
People are completely free to use password managers, but that's their individual choice.
Additionally: There are how many songs in existence today? Apparently some tech dude said there are >97 million. [1]
How many of those are lyrical? How many unique excerpts are possible of those lyrics?
You can chose an excerpt of your favorite song as a pass-phrase, and the chance of a computer guessing that is infinitesimal (though this statement is very hand-wavey without any maths to back it up), and it is supremely easy to remember. It's also highly unlikely that you'll ever share it with anyone on the planet, let alone the same site (also hand-wavey).
If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters.
Like I said, you/anyone is free to use a password manager, but I'll continue to prefer other means.
Isn't the downside of using any information that is personal to you that it massively reduces the scope of potential words and phrases that you would end up using?
There might be >97 million songs, but how many songs does one individual know well enough to decide to use them for a passphrase?
Possibly, but what are the chances that the attacker trying to crack a salted/derived key from your password knows you well, instead of being someone halfway around the world?
If a lot of your friends are trying to hack you ... maybe stop pissing people off? idk, that's an attempt at humor, but probably not a good one.
> Create a single-point-of-failure for my entire digital-life? Thanks, I'll pass.
A password manager does not have to be a single point of failure. To lose access to my passwords, I'd have to lose my phone, tablet, two computers at home, and one at my office, as well as my offline backups.
> If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters
I have around 400 passwords. That's a lot to remember. Don't forget that not only would I have to remember 400 pass phrases, but I'd also have to remember which goes with which site.
For sites that I have to enter passwords frequently, I could probably keep track, but there aren't actually many sites like that because of cookies.
To make 400 memorized pass phrases work, I'd have to maintain a file with a list of sites and pass phrase hints...and now that file is as much a point of failure as a password manager database would be. Those hints might help an attacker guess my pass phrases, so that hint file needs to be kept secure.
Wait...so now I'd essentially be using an improvised, half-assed pseudo password manager that has all the potential downsides of a password manager, but that doesn't actually remember the passwords for me! That is totally texas [1].
One of these passwords, if they truly are sufficiently-secure, could be used to secure a password manager's encrypted file at rest on a system outside of one's own control.
Right now, the best guidance is to only use a memorable password on files which never leave one's physical control, and to use truly-random passwords on remote machines. This is a pain, because it means that one cannot (or at least, should not) back up one's data securely: any encrypted backup would require a password under one's physical control, but the whole point of the remote backup is to recover from incidents compromising one's physical control. It's a conundrum.
This development could be of real use in securing a remote backup of one's passwords: high-entropy and memorable.
Encrypt your backup using a secure password that's stored in the backup (in your password manager), and then just have a physical copy of the password stored in a fire safe, or safety deposit box, or something else of that ilk. As long as you haven't suffered catastrophic computer loss, you can recover your password using the password manager. If your house burns down with all your stuff in it, you can use the physical copy to access your backup (or, ya know, some other mobile computing device like a laptop or smartphone that also has access to the password manager).
For services, sure, generate a long random password and remember it via a password manager. But this seems like a fine method to generate your disk encryption passphrase, or GPG/SSH key passphrase.
Everyone who is serious about passwords should run a cracker for a week or so on some large set of passwords. You end up getting a pretty good sense on what falls quickly.
I was wondering what the real "entropy" (?) for these kinds of passwords is? If you take the vocabulary of common words (ie. not generated from a list of eg. 300k words like in the article), aren't the permutations rather small?
If some person just makes these four words up from words they know (and probably use quite regularly)
Eg 10000^4 or even 1000^4 (for those types who would use "password" otherwise)? Isn't that quite bad or am I understandig something incorrectly?
If you include names, the word list becomes pretty immense. Most of the words any one given person knows are names. If you include at least one name, you're pass phrase is pretty secure.
I was thinking about that... The average person is using 5000 words. We could assume that the poems do too.
(5000^4/ (300,000,000,000))/(60*60) = 0.57 hour with 4 words at 350 billion guess per second (http://arstechnica.com/security/2012/12/25-gpu-cluster-crack...). 1300 years with 6 words.
In 1997 I inherited a network which had a password I needed to recover... It was some Cisco Device -- I cant recall model number or how we recovered the password; but Ill never forget that password:
The problem with passphrases are wordlists and combinator attacks. This is been known for a long time.
This headline is very misleading and I hope no one use passphrase-based passwords for extremely sensitive data.
Can you describe how a wordlist and combinator attack is risky for something like eg diceware?
Let's make it easier and assume the diceware list only includes the 26 lower case characters (nothing else), that all words are separated by a single space, that the passphrase contains 7 words. And we assume our attacker knows all of this, and has the same wordlist we used. Heck, we'll even give them our dice too.
The biggest drawback is that many sites these days limit the number of characters that you can use in your passwords, so these poems are probably too long for many of your accounts. But perhaps that will change someday soon. More and more sites are considering dropping the character limit, since shorter passwords are a lot less secure.
This is my biggest pet peeve. Actually, my second-biggest. My biggest is when registration silently fails because the password was too long.
Top for me are sites that silently truncate part of the end of a new password without informing you, then leaving you logged in thinking that the registration process completed successfully.
The same could be said for the majority of financial institution websites. It's ridiculous how insecure and behind the times they are. Behind password restrictions, I'd say the next biggest thing that angers me is that they claim to support two-factor when it's really just "Wish It Was Two-Factor" in the form of so-called "security questions": http://thedailywtf.com/articles/WishItWas-TwoFactor-
That only works against basic bruteforce attacks, if you are using hybrid attacks those passwords become easier to crack.
What people don't realize that professionals who crack passwords for a living use quite sophisticated techniques using known information about the target, common masks, and patterns makes cracking specific passwords easier than just bruteforcing them.
If you use a 300K words dictionary and know or can assume that the paraphrase will be constructed out of 3-5 words the password entropy isn't as large as just thinking this is a single case or mixed case alpha with say 12-16 characters.
When dealing with generic password your basic unit is a character so a 16 char password is made out of 16 units each of those has a specific search space single case alpha it's 26, mixed alpha it's 52, single alpha numeric it's 36 and so on.
Here you have 3-4 units each has a fixed search space and that's the dictionary you use, the search space can be even more restricted if we can assume certain things about the algorithm that generated the passphrase.
If we take the poem example we can assume that words will not appear more than once in the passphrase and that they might need to rhyme this alone can reduce the password entropy considerably.
If we take other examples like story based passphrases e.g. "the quick brown fox jumps over the lazy dog" then we can base our assumptions based on what we know of the English language for example that words like "the" will appear at least once in such sentences as well as take some estimates about how many verbs, nouns, and pronouns will appear on average in each sentence based on their common distribution which allows you again to reduce the search space considerably.
Passphreases are still great when you need to ensure that your passwords won't be broken in bulk when a breach happens because unless your account is admin@ijustgothacked.com you most likely won't be a target and those types of datadumps are still usually broken through basic dictionary, masked and cheap bruteforce attacks.
If you might be targeted directly or phished than passphrases might not offer any sufficient level of protection and could actually be weaker than an annoying mixed-alpha-num-special password.
That of-course will change if everyone will start using passphrases if you expect that 50% of your hashed passwords dump is passphrases you will adapt your password cracking techniques accordingly.
They generate a random 60-bit number and map it to a poem, so it has exactly 60 bits of entropy. If you want to double it, memorize four lines instead of two.
Their passwords do have 60 bits of real entropy, but the estimates in the article aren't based on how long it would take to brute-force a 60-bit password - according to the paper, that would only take 11.3 years on a single (2011-era) GPU, rather less than the 5 million they told the Washington Post. At a guess, they're counting the entire 79-bit poem pool they're culling the actual valid passwords from, on the assumption an attacker will have to test all of them. (The algorithm maps those 60 bits onto one-million-poem wide slices of the pool, and returns only the one that looks most like valid English.)
You can also memorize a sentence or a paragraph from a book that you love and own (which also can be used if you ever forget, or need to share the password with anyone)).
If you've read the paper you'll see they have an optimization process that produces passphrases which are more easily memorized, this process allows you to build a specific dictionary, so you can build a hash table which will include all the hashes of all of the possible passwords that can be created by this method.
The password cracking numbers they reference in their paper refers to bruteforcing LM passwords using a GPU by randomly generating characters, using a rainbow table increases that number by several orders of magnitude, using masks and dictionary attacks also increases that number considerably.
Other assumptions like knowing the maximum password length supported by the authentication mechanism you are attacking can make this even more trivial to attack because while their average input is 52 or so chars per poem if you are attacking a system that does not allow more than 36 chars for example you pretty much limiting the password entropy to a few thousands of passwords in their case.
This was an interesting read but it lacks quite a bit of stuff to work in the real world, just like the fact that a 2048 bit RSA keys are in theory almost impossible to factor doesn't mean you can't do that if you can assume allot of things about the key, when you can employ work reducers you start shedding quite a bit of that on-paper entropy.
The optimization attempts to pick the most easily-memorized poem out of a million possible poems for each 60-bit number. It doesn't reduce the entropy below 60 bits, it starts at higher entropy and reduces it to 60.
Obviously if the authentication doesn't allow the password to be entered then the scheme won't work. That's true of any password scheme.
You make some good points, but I'm not sure that non-repeating and rhyming actually need to affect entropy at all. If you randomly generate a sufficiently large number, then break it up into smaller pieces (as the article suggests), and then apply some mapping algorithm that goes from those pieces to a poem, as long as every possible number would generate a distinct poem, you haven't lost any of your randomness. More specifically, constraints like "must rhyme" don't have to lose randomness, they just have to have an algorithm that can map every possible number to a distinct rhyming phrase, which can easily be done by adding words to the poem (e.g. if you have 300k possible words, don't use an 18-bit number to generate each word, use a smaller bit size and map the number to a subset of the dictionary. Now you can control which subset each number maps to, and the only penalty is adding a word or two to the poem.
The only real constraint here is every single number must map to a viable poem, and every single poem that can be generated must represent one and only one number. This means the poem is truly just an encoding scheme for the number, and as long as the number is sufficiently large and randomly generated, the poem should be just as secure as the original number was.
No. A passphrase constructed from 5 words /randomly selected/ from a 300k word dictionary has approximately 2.4 × 10²⁷ possibilities or 90 bits of security. Trying all combinations is effectively impossible. Even assuming you happen to know the exact dictionary that was used.
And, I would be shocked if the poem constraint takes off more than a few bits of freedom. (Only 1 in 128 words are compatible for your rhyming pair? That's 7 bits. Compensate for it in full by just adding one more word to the passphrase.)
But it's not random they specifically select sentences that form a poem that is valid in the English language and is easy to memorize.
If you apply other restrictions like knowing that the authentication mechanism only allows X number of characters and assuming that the user will attempt to come as close as possible to that max but cannot pass it obviously it allows you to reduce the amount of valid poems even further.
People who are good at password cracking and social engineering can often reduce the amount of possible passwords for a specific target to about 10,000 with quite high accuracy, this is less math and rocket science and more common sense and psychology in this case.
> they specifically select sentences that form a poem that is valid in the English language
How many possible rhyming couplets are there? I'll give you a hint, it's a huge number.
> and is easy to memorize.
They do this by choosing from a million candidates. That reduces the key space by log2(1000000) ~ 19.9 bits. Compensate in full by increasing the key size by two more words.
> social engineering
Irrelevant. The passphrases are selected by computer.
77 comments
[ 3.2 ms ] story [ 135 ms ] threadWhich, in turn, implies that some system handles the password as plaintext rather than via a password-appropriate digest.
I memorize the sentence.
My favorite 7 beavers aren't taking to water!
Password would be: Mf7ba'ttw!
It's highly random just like the poems. It's easier for me to remember. It has the right length and random symbols to make the strong password detectors happy.
You tend to say the sentence as you type the password so for bonus points, you can make it a nice motivational mantra.
You're good enough, you're smart enough, and doggone it, people like you.
Y'ge,y'se,adi,ply.
The idea is that people can't use their personal passwords so they fall back on trivial variations of common ones.
For evidence, I've been assembling so called "cracks" and database "leaks" over the past several years and cataloging the password policies on the sites and then doing statistical analysis on the passwords.
It's in interesting project ... check my user info and email me if you want to know more about this
The phrasing of the title made me think of an Onion article along the lines of: They found the perfect password, it's '42Lemons?' and everyone should use it!
What they found is an excellent password scheme for humans.
I thought the same thing. A great example of "what worked for someone else may not work for you".
Once you see them as tokens that 3rd parties will probably lose, then you know our efforts should be in secure token management software (keepass, lastpass, 1password, etc).
To put it another way, what would you suggest for a master password for the token management software?
Like, what if you pick the corpus of a novel that you've read as your master password. And the password manager uses that novel plus several other novels that you have selected (but didn't read/won't read?) to give you a series of multiple choice selections to determine if you know the right book. Just a few short passages. Preferably with proper nouns stripped out.
You have to select the passages from the correct book for all the multiple choices. That way rather than recall, the memory factor is recognition. Combine it with a non-memorable token which you have to present first in order to even see the recognition factor test and you might have something workable.
number of options * number of questions
This is essentially the same "password reset questions" loophole that allowed the apple cloud storage hack on a bunch of celebrities.
I dunno, just a thought, but do you get what I'm saying about recognition vs recall? Why don't we have the computer test us about things we're good at if part of the test has to be something only our individual brain is capable of?
For now, I guess it looks like a master password, which yes this paper elucidates methods for. But as long as you're memorizing 1 password (not 400), then how you manage to memorize it is of fairly small systemic gain.
Jut generate random password and memorize it, like you memorize other random numbers and strings, like lock combinations, room numbers, car numbers, etc. Learn how to memorize arbitrary long strings of characters and you will have no problems with them for rest of your life.
To make life easier, memorize short password first, e.g. Gc@b%, let call it "alpha", then, when password expired, memorize two new short passwords, "beta" and "gamma", and include your old password "alpha" between them (or rotate it, or flip, or use part of it, etc.), so your password will 2 times longer and stronger. Repeat procedure next time. In short time, you will have list of "words" - short pieces of random strings, which are hard to guess by strangers, but remembered well by you. You can use that dictionary to construct new passwords while keeping adding new random or non-random "words" to dictionary, e.g. "car" - something related to your car, "house" - something related to house, etc. Then your password might look like "alpha-car-beta-house", which is easy to remember by YOU, but hard to guess.
Even if you use the limited Diceware list (7776 words) you get 7776^7 which is plenty.
> Gc@b%
26 upper, 26 lower, 10 numeric, 20 special chars (which are risky to use)
82^5. 3707398432. That's weaker than the 3 words phrase from a 50,000 dictionary, which is a phrase that no-one recommends and that you rejected as being too weak.
http://www.schneierfacts.com/fact/27
I take a passage of reasonable length from a book that I've memorized, could be song lyrics or anything though. Then to create a password I take the first several words to make a password roughly the length I want, do a standard transformation on it that results in a string with numbers and special characters and use that as a password.
When I need to change my password, I just take the next phrase from the passage and apply the same transformation. This has the distinct ability of letting me go back in time and remember what password I would have used at a certain time which has come in handy for remembering the root password on an old server.
I think we should held a competition to find out how old this tibit of knowledge really is and also the oldest article about security experts demonstrating passphrases are wide open to dictionary attacks.
1982 reference on passphrases http://www.sciencedirect.com/science/article/pii/01674048829...
Uh...
They went through all the trouble of making a website. Maybe use https and just show me the password on the website?
The "email me a password" service also currently has a note on it that says "Note: Site is super busy! Approximate waiting time: 269 hours."
Relegating you to use a password manager anyway, at which point you might as well just generate random passwords that don't rely on dictionaries?
Just continue to use a password manager, and save the poems for your master password, your ssh key, your unix account, etc. Only then do you need to recall on demand.
People are completely free to use password managers, but that's their individual choice.
Additionally: There are how many songs in existence today? Apparently some tech dude said there are >97 million. [1]
How many of those are lyrical? How many unique excerpts are possible of those lyrics?
You can chose an excerpt of your favorite song as a pass-phrase, and the chance of a computer guessing that is infinitesimal (though this statement is very hand-wavey without any maths to back it up), and it is supremely easy to remember. It's also highly unlikely that you'll ever share it with anyone on the planet, let alone the same site (also hand-wavey).
If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters.
Like I said, you/anyone is free to use a password manager, but I'll continue to prefer other means.
[1]http://www.marsbands.com/2011/10/97-million-and-counting/
There might be >97 million songs, but how many songs does one individual know well enough to decide to use them for a passphrase?
If a lot of your friends are trying to hack you ... maybe stop pissing people off? idk, that's an attempt at humor, but probably not a good one.
A password manager does not have to be a single point of failure. To lose access to my passwords, I'd have to lose my phone, tablet, two computers at home, and one at my office, as well as my offline backups.
> If you're smart enough to remember more than one song, you can probably build up several pass-phrases that are supremely easy to remember, nearly impossible to guess, and easier to type than some rando-group of characters
I have around 400 passwords. That's a lot to remember. Don't forget that not only would I have to remember 400 pass phrases, but I'd also have to remember which goes with which site.
For sites that I have to enter passwords frequently, I could probably keep track, but there aren't actually many sites like that because of cookies.
To make 400 memorized pass phrases work, I'd have to maintain a file with a list of sites and pass phrase hints...and now that file is as much a point of failure as a password manager database would be. Those hints might help an attacker guess my pass phrases, so that hint file needs to be kept secure.
Wait...so now I'd essentially be using an improvised, half-assed pseudo password manager that has all the potential downsides of a password manager, but that doesn't actually remember the passwords for me! That is totally texas [1].
[1] https://news.ycombinator.com/item?id=10439977
Right now, the best guidance is to only use a memorable password on files which never leave one's physical control, and to use truly-random passwords on remote machines. This is a pain, because it means that one cannot (or at least, should not) back up one's data securely: any encrypted backup would require a password under one's physical control, but the whole point of the remote backup is to recover from incidents compromising one's physical control. It's a conundrum.
This development could be of real use in securing a remote backup of one's passwords: high-entropy and memorable.
Eg 10000^4 or even 1000^4 (for those types who would use "password" otherwise)? Isn't that quite bad or am I understandig something incorrectly?
That's plenty secure for most passphrases, even if the attacker has the exact same wordlist as you do.
FeetFourMonkey
Let's make it easier and assume the diceware list only includes the 26 lower case characters (nothing else), that all words are separated by a single space, that the passphrase contains 7 words. And we assume our attacker knows all of this, and has the same wordlist we used. Heck, we'll even give them our dice too.
How at risk is our 7 word passphrase?
This is my biggest pet peeve. Actually, my second-biggest. My biggest is when registration silently fails because the password was too long.
What people don't realize that professionals who crack passwords for a living use quite sophisticated techniques using known information about the target, common masks, and patterns makes cracking specific passwords easier than just bruteforcing them.
If you use a 300K words dictionary and know or can assume that the paraphrase will be constructed out of 3-5 words the password entropy isn't as large as just thinking this is a single case or mixed case alpha with say 12-16 characters.
When dealing with generic password your basic unit is a character so a 16 char password is made out of 16 units each of those has a specific search space single case alpha it's 26, mixed alpha it's 52, single alpha numeric it's 36 and so on.
Here you have 3-4 units each has a fixed search space and that's the dictionary you use, the search space can be even more restricted if we can assume certain things about the algorithm that generated the passphrase.
If we take the poem example we can assume that words will not appear more than once in the passphrase and that they might need to rhyme this alone can reduce the password entropy considerably.
If we take other examples like story based passphrases e.g. "the quick brown fox jumps over the lazy dog" then we can base our assumptions based on what we know of the English language for example that words like "the" will appear at least once in such sentences as well as take some estimates about how many verbs, nouns, and pronouns will appear on average in each sentence based on their common distribution which allows you again to reduce the search space considerably.
Passphreases are still great when you need to ensure that your passwords won't be broken in bulk when a breach happens because unless your account is admin@ijustgothacked.com you most likely won't be a target and those types of datadumps are still usually broken through basic dictionary, masked and cheap bruteforce attacks.
If you might be targeted directly or phished than passphrases might not offer any sufficient level of protection and could actually be weaker than an annoying mixed-alpha-num-special password.
That of-course will change if everyone will start using passphrases if you expect that 50% of your hashed passwords dump is passphrases you will adapt your password cracking techniques accordingly.
Paper: http://www.isi.edu/natural-language/mt/memorize-random-60.pd...
The password cracking numbers they reference in their paper refers to bruteforcing LM passwords using a GPU by randomly generating characters, using a rainbow table increases that number by several orders of magnitude, using masks and dictionary attacks also increases that number considerably.
Other assumptions like knowing the maximum password length supported by the authentication mechanism you are attacking can make this even more trivial to attack because while their average input is 52 or so chars per poem if you are attacking a system that does not allow more than 36 chars for example you pretty much limiting the password entropy to a few thousands of passwords in their case.
This was an interesting read but it lacks quite a bit of stuff to work in the real world, just like the fact that a 2048 bit RSA keys are in theory almost impossible to factor doesn't mean you can't do that if you can assume allot of things about the key, when you can employ work reducers you start shedding quite a bit of that on-paper entropy.
Obviously if the authentication doesn't allow the password to be entered then the scheme won't work. That's true of any password scheme.
The only real constraint here is every single number must map to a viable poem, and every single poem that can be generated must represent one and only one number. This means the poem is truly just an encoding scheme for the number, and as long as the number is sufficiently large and randomly generated, the poem should be just as secure as the original number was.
And, I would be shocked if the poem constraint takes off more than a few bits of freedom. (Only 1 in 128 words are compatible for your rhyming pair? That's 7 bits. Compensate for it in full by just adding one more word to the passphrase.)
If you apply other restrictions like knowing that the authentication mechanism only allows X number of characters and assuming that the user will attempt to come as close as possible to that max but cannot pass it obviously it allows you to reduce the amount of valid poems even further.
People who are good at password cracking and social engineering can often reduce the amount of possible passwords for a specific target to about 10,000 with quite high accuracy, this is less math and rocket science and more common sense and psychology in this case.
How many possible rhyming couplets are there? I'll give you a hint, it's a huge number.
> and is easy to memorize.
They do this by choosing from a million candidates. That reduces the key space by log2(1000000) ~ 19.9 bits. Compensate in full by increasing the key size by two more words.
> social engineering
Irrelevant. The passphrases are selected by computer.
> to about 10,000
Do the actual calculations.