Educause Security Discussion mailing list archives
Re: password vs pass-phrase (was: Are users right in rejecting security advice?)
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 18 Mar 2010 00:45:32 -0700
If we assume the hash isn't compromised, then the passwords don't really have to be nearly as strong to stand up to attack, especially with any sort of lockout or delay. I don't think we should wait until they are before we worry about passphrase security. Attackers may be using better tools well before we become aware of them. The last time I looked, the standard password cracking tools were not capable of doing the sort of phrase guessing that I mentioned, but it would not be hard to create separate word/phrase lists and adapt a program like John the Ripper to create passphrases based on those lists. The lists could even be generated by doing a word count on the text of a sample of current news articles, fiction, etc. Assuming someone takes the time to modify or create a program to do basic guessing, phrases like "I like football" would probably fall pretty quickly, much faster than an average brute force attempt against a 40-bit key.

I think we should encourage people to use longer, more unusual passphrases, things like "I like to eat purple rhinos on Tuesdays!" or "My first dog was a stegosaurus."

-Steven

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case [ecase () EMAIL ARIZONA EDU]
Sent: Wednesday, March 17, 2010 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase (was: Are users right in rejecting security advice?)

<snip> Is it obvious to a brute force password cracker?

If we assume the password hash has not been compromised and a key logger was not used, is it obvious that "four score and seven years ago" is an awful choice? Based on how the U of Arizona implemented NIST SP800-63, the above password/passphrase would score 53 bits of entropy. "4 score and 7 years ago" would only score 48 bits of entropy even though it uses three character classes and the first one only uses two classes.
<snip> But we're also going to run into problems with users picking phrases that are too simple and end up being subject to predictions based on language analysis.
I agree, once the password crackers start using language analysis or AI, the game will change. Until then, can we get by with long 'simple' passphrases that are easy for users to remember? Based on how the U of Arizona implemented NIST SP800-63 . . .

I swim waffles = 37 bits of entropy
I like pancakes. = 40 bits of entropy
I like football. = 40 bits of entropy
My husband is boring. = 46 bits of entropy
Alice in Wonderland = 44 bits of entropy
TriSsmitp = 27 bits of entropy
My lawn is always green = 48 bits of entropy
My lawn is sempre verde = 48 bits of entropy
I'm not suggesting that passphrases are bad, just that they are unquantified. Without good language analysis and lots of real-world examples of chosen passphrases, we don't know whether people actually choose better passphrases than passwords or how a passphrase of length X compares to a password of length Y.
At least for now, you can quantify them based on length, character classes and dictionary/complexity checks by using NIST SP800-63. When the crackers evolve, we will play catch-up (again). NIST SP800-63 uses the research that Brian points out.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
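The length-based estimate Eric is scoring with comes from Appendix A of NIST SP 800-63 (2006). The block below is an added example, not code from either poster or from the University of Arizona: it implements the appendix's published length rule and its two optional bonuses (dictionary check, composition rule), and sets the result beside the size of the phrase space an attacker would actually have to search when users fill a fixed template such as "I like <noun>" from a small vocabulary, which is the gap Steven is pointing at. The Arizona figures quoted in the thread come from that institution's own adaptation of the appendix and are not reproduced here; the bonus schedules below are my reading of the appendix's table (interpolated linearly between tabulated lengths), and the vocabulary sizes used for the template comparison are constructed for illustration.

```python
import math

# Added example (not from the thread). Length-based user-chosen-password
# entropy estimate after NIST SP 800-63 (2006) Appendix A, plus a comparison
# with the size of a fixed phrase template. Bonus schedules are interpolated
# from the appendix's table (assumption); template vocabulary sizes are
# constructed for illustration.


def nist_length_bits(password: str) -> float:
    """Appendix A length rule: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for characters 9-20, 1 bit each from 21 on."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def nist_dictionary_bonus(password: str) -> float:
    """Bonus for enforcing an extensive dictionary check: up to 6 bits,
    declining to 0 at 20 characters. Schedule interpolated from the
    appendix's table (assumption: linear between tabulated lengths)."""
    n = len(password)
    if n < 4:
        return 0.0
    if n <= 8:
        return float(min(n, 6))
    return max(0.0, 6.0 - 0.5 * (n - 8))


def nist_composition_bonus(password: str) -> float:
    """6-bit bonus for a composition rule requiring both upper-case and
    non-alphabetic characters. Simplification (assumption): the full 6 bits
    are applied only from 8 characters, where the appendix's table gives the
    full bonus; shorter passwords receive nothing here."""
    has_upper = any(c.isupper() for c in password)
    has_nonalpha = any(not c.isalpha() for c in password)
    if len(password) >= 8 and has_upper and has_nonalpha:
        return 6.0
    return 0.0


def nist_estimate(password: str, dictionary_check: bool = False,
                  composition_rule: bool = False) -> float:
    """Total Appendix A estimate for the policy the site actually enforces."""
    bits = nist_length_bits(password)
    if dictionary_check:
        bits += nist_dictionary_bonus(password)
    if composition_rule:
        bits += nist_composition_bonus(password)
    return bits


def template_bits(slot_sizes) -> float:
    """log2 of the number of phrases a fixed template can produce when each
    slot is filled from a vocabulary of the given size. A template with no
    free slots (e.g. a famous quotation) yields a single phrase: 0 bits."""
    return sum(math.log2(size) for size in slot_sizes)


# Constructed sample: phrases from the thread, each paired with the slot
# vocabulary sizes an attacker guessing from a common-word template might
# use. Vocabulary sizes are illustrative assumptions, not measured data.
SAMPLES = [
    ("I swim waffles", [200, 500]),                 # "I <verb> <noun>"
    ("I like football.", [500]),                    # "I like <noun>."
    ("four score and seven years ago", []),         # fixed quotation
    ("I like to eat purple rhinos on Tuesdays!", [500, 100, 500, 7]),
]


def compare(password: str, slot_sizes) -> dict:
    """Return the policy-based estimate next to the template-space size."""
    return {
        "phrase": password,
        "nist_bits": nist_estimate(password, dictionary_check=True),
        "template_bits": template_bits(slot_sizes),
    }


if __name__ == "__main__":
    for phrase, slots in SAMPLES:
        row = compare(phrase, slots)
        print(f"{row['phrase']!r:45} NIST {row['nist_bits']:5.1f} bits   "
              f"template {row['template_bits']:5.1f} bits")
```

The length rule alone gives 46 bits for "four score and seven years ago" and 56 for the 40-character "purple rhinos" phrase; the template column shows why the two are not equivalent in practice, since a well-known quotation is a single guess however long it is, while a phrase that mixes unusual words across several slots keeps most of its length-based score even against a word-list guesser.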
Current thread:
- password vs pass-phrase (was: Are users right in rejecting security advice?) Charles Buchholtz (Mar 17)
- <Possible follow-ups>
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Steven Alexander (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Basgen, Brian (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Eric Case (Mar 17)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Steven Alexander (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Allison Dolan (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Zach Jansen (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Valdis Kletnieks (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Roger Safian (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Eric Case (Mar 18)
- Re: password vs pass-phrase (was: Are users right in rejecting security advice?) Charles Buchholtz (Mar 18)