48 comments

[ 4.7 ms ] story [ 112 ms ] thread
One of the more persistent annoyances of the modern web for the tech-savvy is the experience of putting a long, randomly generated password into a site and getting an "invalid characters" error.
Or sites that don't let you paste in, and ask you to confirm it.
Or sites with a maximum length of something like 10 characters
I'm really surprised at maximum character lengths.

I use a password generator that defaults to 256 characters, and literally nobody has allowed that yet that i've tried.

It's funny the arbitrary numbers some cut off at.

Many limit it at 32, a strange number at 40 for some reason, a few at 60, and others still will silently truncate it to some number on the signup form, then forget to truncate the login form...

256 characters is ~1536 bits depending on what characters you use.

There is secure, and there is silly. NIST recommends 80 bits for passwords. Anything over 128 bits is excessive, anything over 256 bits is silly.

I'm not complaining about them not supporting 256, I just find it strange the arbitrary limits imposed.

A site I signed up for today limited it at 42. Why?

And even if 128 is way over excessive, does it actually make a difference to the server? Obviously you don't want to be hashing multi megabyte passwords, but don't most password hashing systems need a certain sized key to work, so it's padded out to that point anyway? And once it's processing further "iterations", the size of the first password is pretty much irrelevant.

bcrypt, for example, is limited to 50-70 character inputs, depending on the implementation.
If you use a password manager there is practically no cost to the user to use any number of characters. Why not go for something insanely large from the user perspective?
Or sites that don't tell you the max number of allowed characters and then quietly truncate the password for you. Then you have to guess how many characters they chopped off and try logging in until you get it right.
This! This is the most infuriating... and the salt in the wound is that some of the offenders are career/employment sites for firms that should have enough tech savvy employees to code a form that does client-side verification and clearly indicate password criteria to the user.
Royal bank of Canada uses a single 8-character alphanumeric password for online banking, and that login is also good for identifying yourself for government services (e.g. Tax services). I still can't believe it.
Just use diceware. Simple and effective.

http://world.std.com/~reinhold/diceware.html

Diceware is not suitable for general use, because it is important to have a unique password on every service. That practice isolates you from the damage of sites like LinkedIn and Dropbox being compromised.

If you use diceware for everything you've got to remember all of those unique passphrases which defeats the whole point of diceware.

Where diceware shines is in creating a master password, which is explained in the guide.

Diceware is great for passphrases.

Passphrases are not passwords and I think they shouldn't be recommended for use as passwords.

Passphrases are fantastic for encryption keys, where trying to otherwise memorise a suitable amount of entropy to match the required strength would be almost impossible.

But passwords don't need to be 256 bit. If you're using a password manager it doesn't hurt to keep passwords as strong as each service will allow, but Diceware isn't the right tool for the job for passwords, because while it's great for memorizing one or two high entropy phrases, there's no way someone could be expected to memorize the dozens of passwords they use on a daily basis.

At which point you're back to bad solutions such as writing it down, using the same phrase everywhere or cheating on the lengths.

The only sane way to manage dozens of services in a way that doesn't bleed risk from one service compromise to the next is password managers.

At which point a 16-20 character password of random characters is more suitable than a passphase. It's harder to memorize if anyone happens to see it due to a miss-paste or whatever, it's easier to type in if you need to and it's less likely to suffer from "silent truncation" effects.

So use a password manager, use a diceware phrase to secure the master password (encryption) there, but allow the password managers to generate passwords which are short and random.

I haven't lookek at keepass in a long time, and a quick glance at the website didn't help. The author of TFA says that keepass handles synchronization for you. Is that true? Because it didn't do that in the past.

Also, can keepass generate secure passwords for you? That's something I love about lastpass.

UPDATE: also, how easy is it to use on an Android?

Keepass can generate secure passwords yes, with customizable rules. I think synchronization on Keepass's side is possible, but to me the fact that your password database doesn't talk to "the cloud" is a major selling point. I even use the alternate version of Keepass2Android that doesn't have internet permissions as an extra precaution.
I believe what the article was referring to with regards to synchronization is that it works fine with existing file sync software like Dropbox or Google Drive, and knows how to merge changes. I believe there are plugins for things like SFTP as well. It does not provide a hosted synchronisation server or anything like that, so that would still be a selling point for LastPass or 1Password's subscription services if you want that feature.
There are plugins for syncing to various cloud providers. For each device platform, there will be many apps available that support Keepass. Each app will vary in how useful it is to you (each one is a different third-party developer), but I've found the level of functionality is good enough that it ultimately became my password manager. I use it cloud synced with a Windows PC and Windows Phone app. I only install/use plugins/apps that are linked directly from the Keepass website as trustworthy projects.
> At a bare minimum you should be using a unique 32 character random alphanumeric on every website or service that you use.

That is a non-starter....

Why would anyone use more than 128 bits of entropy in a password/passphrase? (24 characters alphanumeric with upper and lower case.) The answer: "I don't have to out-run the bear. I just have to out-run you!"
And then protect it with a 128 bit AES key...
But when a website you're using is hacked, it's probably not your password database that's being attacked. It's probably that site's password hashing that's being attacked.
If you are like me and you like the idea of password managers but don't trust them because they're giant targets for cyber criminals and intelligence agencies have at my trusty ruby script:

    puts ((rand * 1_000_000_000).to_i.to_s + \
      ("a".."z").to_a.sample(10).join + \
      ("A".."Z").to_a.sample(10).join + "_")
Some benefits: If you need to enter in a password on your phone the numbers / capitals are all in a row, so you're not constantly shift-on / shift-off-ing. There is multi-case alphanumeric with a symbol, so it passes most website checks. If the website is something dumb and they don't allow special characters your underscore is right at the end so you can just delete it, and since it is an underscore it's a special character usually allowed (unlike % for example) because they're not weirdly encoded, even in URLs.

You can save your passwords in a gpg'd text file if you want, though it usually doesn't matter that much. Just store them in chrome and use two-factor. If you get logged out just password reset to your email.

Making the password easier to enter on a mobile is a clever idea. Those who don't care for that, and want to generate a random password can use openssl -

    $ openssl rand -base64 25
What do you do when you're traveling and don't have a laptop handy, but need to log in to Gmail on a public computer to email your family? Or just if you're traveling and have a phone (but not a laptop), and need to access your banking account?
Gmail is the only password that you need to memorize. As for banking, not being able to log in without my laptop hasn't been an issue, but I can always call my bank with the weak phone password (but which includes voice detection software) and once authenticated have them do most types of things.

You're right though, it isn't perfect.

Having worked in IT, this is the kind of "guide" that I hate. It's theoretically correct, but wildly impractical and therefore not useful at all.

Do not let perfect be the enemy of good. Right now, people's password hygiene is not even "good".

Some specific criticisms:

> At a bare minimum you should be using a unique 32 character random alphanumeric on every website or service that you use.

Sometimes you have to type in a password, even if you use a password manager. Maybe you are using a public computer. 32 character passwords are laughable. NIST recommends 80 bits, that's ~14 characters. Entirely sufficient.

> Do not use online password services

If it means you're using different, reasonably strong passwords for all your accounts instead of just one password shared with everything, then PLEASE DO use an online password service. You will be vastly more secure.

Getting "normal" people to use good passwords means their password manager has to be super easy to use. LastPass is fine. 1Password is fine. Hell, even writing your passwords down in a book is fine, as long as you look after the book.

I think encouraging longer passwords is a good idea. Even if 14 characters is suitable today in 2016, as computers get faster it will soon not be adequate.

By encouraging different password habits, people will be better prepared for the future.

I have to question your expertise on this matter since you suggest writing passwords down in a book, as well as using online password databases, both are terrible ideas.

Passwords significantly longer than 14 characters will never really be practical. Users hate typing them in. Password managers will never be ubiquitous. This is why the "pass phrase" has never really caught on and replaced the "password".

But I don't believe this is really a problem. As computers get faster, hashing can get slower. There is no upper limit on hash complexity.

Edit: This is your guide, isn't it? It would be ethical for you to disclose that, given that it has an advert for your business at the bottom.

And we'll never need more than 64kb of RAM too.

It was not many years ago when strong 8 character passwords were completely suitable. So respectfully I think your statements are false.

One of the reasons the guide recommends Keepass is that it eliminates the need to type in passwords completely. Even in the rare case of poorly designed apps that block pasting, the auto-type capability works around that.

Apples and oranges, imo. There is no difference in practicality or usability between 64k of RAM and a gigabyte. There is a big difference in both as you make passwords longer and more random. This is not a commentary on whether that's a good or bad idea :).

For the people who recommend password managers, I do wonder why the password manager site is deemed to be more trustworthy than all the presumably untrustworthy (i.e. with respect to secure practices) sites, the passwords to which are stored in it?

For the most part, because they pay attention to it, and because their business success depends much more critically on it. Look at the Lastpass hacks -- they were breached, but there was approximately no impact to their users, because their security model for password storage is sane. In contrast, consider, say, the Adobe breach, which leaked 150M passwords that in many cases could be matched to their cleartext quite trivially.

Most password managers worth considering do not store the users' passwords unencrypted (or ever touch them unencrypted). Instead, they use a master password known only to the user, followed by a computationally expensive key derivation (PBKDF2 or similar) to create an encryption key, and encrypt the passwords with that. They then use a different derivation path to handle authenticating the user to their servers.

It's a very reasonable architecture unless you're on the extreme end of paranoia. Notably, I have about four passwords I don't store in my password manager. But I'm very happy trusting it with my bank and financial stuff.

The reality is that getting people to use a good password manager with randomly-generated passwords, regularly, on all of their accounts and devices -- with 2FA for the important stuff -- is far more important than the slight extra security risks from using the online components of the good services.

I think the point is that hashing algorithms can be adjusted to scale with the increase in processing speed.
Exactly. It is made easier if you store the hashing algorithm and parameters used against each user record. As you increase the parameters, or change the algorithm, you can update user passwords on login.
A fully random 8 character password, using uppercase, lowercase, and digits, should still be OK today if hashed with bcrypt (or similar or stronger scheme).

I searched around and found someone posted some hashcat-ocl benchmarks done with a Titan X about a year ago, and it could do 14440 bcrypt hashes per second. So let's calculate how many "Titan X * days" are required to brute-force such a completely random password using that character set:

    >>> (26 + 26 + 10) ** 8 / 14440 / 3600 / 24
    175005
If you assume the best GPU today is twice as fast, and that someone has 8 of them in a rig, that's still 10 thousand days to search all possibilities, which means 5 thousand days on average until the hash collision is found.

For a typical user account, 5 thousand days of crunching by 8 of the most powerful GPUs on the market, is pretty good.

I personally go for 9 or 10 character passwords that include some symbols too, but are a bit less random ;)

Anyway, the biggest factor is to use a unique password for every account, because you can't guarantee that none of the websites you use didn't totally fuck up and accidentally put the original password somewhere, nor can you guarantee that they won't be hacked to the extent that the passwords are intercepted during sign-in.

> A fully random 8 character password

If you were given a list a human generated passwords and computer generated passwords, you could spot the difference immediately. Passwords are not random, and crackers take this into account. Most passwords are letters with a stray symbol here and there. More advanced password crackers take a dictionary of base words and use Markov chains of passwords to try.

This greatly reduces the search space and the eon-long searches start looking more in reach.

That's true - human chosen passwords are vulnerable to more clever non-brute-force attacks. This effect is rather different than the interplay between computer power and hashing schemes though. (Thus my strong qualifications about fully-random :)
Have you ever dealt with actual non-techies on this?

In a week we learn, via HN, of the Last FM top 50 passwords (usual suspects, no surprises), and that 50% click on any link sent them moving the needle at all is more important than getting it to great.

I've come across many intelligent, successful, professionals who still reuse passwords, who still use child's name + random number for important things. Is using a book or online service a terrible idea compared to using steve36 for his domain registrar? What you call terrible at least moves the needle away from zero.

I agree. Moving the needle is more important than puritanism.
Infosec has struggled with 'good is better than perfect' - where good advice that is practical for most people is criticized for not being perfect practice that is often impractical.

Thankfully, now that there is a lot more public awareness of infosec practices - driven in large part by there seemingly being a big infosec story every week - a lot of the best practices advice has been loosened towards the more practical.

In terms of password management, I agree with you completely - the default advice should be to use an online password manager. I've got my partner and most of my family using Dashlane and with near 100% unique password compliance.

That type of adoption with regular users would never have happen had I stuck to "keepass, diceware and 32 character unique passwords" level advice.

For passwords I need to be able to remember (not many) or share (initial passwords for user accounts) I use a passphrase generator. Everything else is random 24-character Keepass.

Plugging my super simple passphrase generator built upon the EFF wordlist: https://spg.brashear.me

(comment deleted)
Any 'password manager' is a priority target. Just use longish pass phrase and don't walk around with a target on your back.
The only complicated part of this method is securing the key, and the key is definitely required or you may as well just save it as plain text.

You sync your DB across multiple cloud services, and to decrypt you use a weak master pass and strong key.

I've been struggling with how to move that key around.

.1) Put it on a USB drive or hide it in your filesystem.

This is cumbersome and losing the drive could be disastrous. It's also trivial to scan a filesystem for key-like files.

.2) Use an authentication dongle.

This one is better but requires third party hardware in most cases, and is slightly expensive.

.3) Bluetooth/NFC to your device.

This can be intercepted at extended ranges as proven at defcon etc. Though is admittedly the most convenient method. The data can be signed, but I haven't seen anything out there that implements this well just yet.

.4) Timed one time passwords, PushBullet etc.

This feels like a bonus feature.

I'm not sure how to go about this. You lose or leak the key then you're screwed.

Is there a wristwatch or phone app with signed credential sharing based on wearer input, compatible to a standard?

What about 8-character passwords with letters, numbers, and symbols? What if it includes non-ASCII characters?