Educause Security Discussion mailing list archives
Re: password vs pass-phrase
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 18 Mar 2010 09:20:36 -0400
Interesting thread, but I think that both passwords and pass phrases have outlived their usefulness at this point. Most compromises are accomplished by either phishing or key logging - and I don't care how long, complicated or obscure your secret key is, when they give it away, the strength doesn't matter. For my money, two factor authentication, in one form or another, is the future.

On the complexity topic (right now) there are no rainbow tables available for any password/phrase longer than 15 characters - I would just apply the standard password rules to the words in a pass phrase and make sure that at least one of them passes.

My 2 cents

Joel

--On Thursday, March 18, 2010 7:42 AM -0500 Ken Connelly <Ken.Connelly () UNI EDU> wrote:

That loses length, which is the big gain from using a passphrase.

- ken

Allison Dolan wrote:

RE: pass-phrases - what about the variant where you use only the first letter of each word, and then throw in a gratuitous special symbol or two - e.g. using Steven's examples

Ilteprot$%
!#mfdwas

Short, easy to remember - assuming you can remember the passphrase ......

Allison Dolan (617-252-1461)

On Mar 18, 2010, at 3:45 AM, Steven Alexander wrote:

If we assume the hash isn't compromised, then the passwords don't really have to be nearly as strong to stand up to attack, especially with any sort of lockout or delay. I don't think we should wait until they are before we worry about passphrase security. Attackers may be using better tools well before we become aware of them. The last time I looked, the standard password cracking tools were not capable of doing the sort of phrase guessing that I mentioned, but it would not be hard to create separate word/phrase lists and adapt a program like John the Ripper to create passphrases based on those lists. The lists could even be generated by doing a word count on the text of a sample of current news articles, fiction, etc. Assuming someone takes the time to modify or create a program to do basic guessing, phrases like "I like football" would probably fall pretty quickly, much faster than an average brute force attempt against a 40-bit key.

I think we should encourage people to use longer, more unusual passphrases, things like "I like to eat purple rhinos on Tuesdays!" or "My first dog was a stegosaurus."

-Steven

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case [ecase () EMAIL ARIZONA EDU]
Sent: Wednesday, March 17, 2010 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase (was: Are users right in rejecting security advice?)

<snip>

Is it obvious to a brute force password cracker? If we assume the password hash has not been compromised and a key logger was not used, is it obvious that four score and seven years ago is an awful choice? Based on how the U of Arizona implemented NIST SP800-63, the above password/passphrase would score 53 bits of entropy.

4 score and 7 years ago

would only score 48 bits of entropy even though it uses three character classes and the first one only uses two classes.

<snip>

But we're also going to run into problems with users picking phrases that are too simple and end up being subject to predictions based on language analysis.

I agree, once the password crackers start using language analysis or AI, the game will change. Until then, can we get by with long 'simple' passphrases that are easy for users to remember?

Based on how the U of Arizona implemented NIST SP800-63 . . .

I swim waffles = 37 bits of entropy
I like pancakes. = 40 bits of entropy
I like football. = 40 bits of entropy
My husband is boring. = 46 bits of entropy
Alice in Wonderland = 44 bits of entropy
TriSsmitp = 27 bits of entropy
My lawn is always green = 48 bits of entropy
My lawn is sempre verde = 48 bits of entropy

I'm not suggesting that passphrases are bad, just that they are unquantified. Without good language analysis and lots of real-world examples of chosen passphrases, we don't know whether people actually choose better passphrases than passwords or how a passphrase of length X compares to a password of length Y.

At least for now, you can quantify them based on length, character classes and dictionary/complexity checks by using NIST SP800-63. When the crackers evolve, we will play catch-up (again). NIST SP800-63 uses the research that Brian points out.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services, University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850   f: (319) 273-7373
Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
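The two things this thread argues about, Eric Case's NIST SP800-63 entropy scores and Steven Alexander's "adapt a cracker to guess phrases from word lists", can be put side by side in a few lines of code. What follows is an added example, not code from the thread or from the U of Arizona implementation. It implements the user-chosen-password estimate from the 2006 NIST SP 800-63 Appendix A (the length-based rule plus the flat composition bonus; the dictionary-check bonus is left out), and a toy phrase guesser whose word lists and sentence templates are constructed here purely for illustration. The U of Arizona figures quoted above include local bonuses the thread does not describe, so they come out higher than the base NIST numbers below.

```python
"""Added example (not from the thread).

* nist_entropy_bits(): the user-chosen-password estimate from the 2006
  NIST SP 800-63 Appendix A: 4 bits for the first character, 2 bits each
  for characters 2-8, 1.5 bits each for 9-20, 1 bit each after that, plus
  a flat 6-bit bonus when a composition rule forces upper case and
  non-alphabetic characters. The dictionary-check bonus is omitted.

* guesses_to_crack(): a toy version of the phrase-list guesser the thread
  sketches. It fills two sentence templates from small word lists and
  counts the guesses needed to hit a target. The lists and templates are
  constructed for illustration, not taken from any corpus or cracker.
"""
import itertools
import math
from typing import Iterator, Optional


def nist_entropy_bits(password: str, composition_rule: bool = False) -> float:
    """NIST SP 800-63 (2006) Appendix A estimate for a user-chosen password."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    if composition_rule:
        bits += 6.0  # flat bonus for a required upper-case + non-alpha mix
    return bits


# Constructed word lists, standing in for the word-frequency lists the
# thread suggests building from news and fiction. Most common words first.
SUBJECTS = ["I", "We", "You"]
VERBS = ["like", "love", "hate", "want", "need"]
OBJECTS = ["pizza", "coffee", "beer", "music", "football",
           "pancakes", "waffles", "cats", "dogs", "summer"]
POSSESSIVES = ["My", "Our"]
NOUNS = ["husband", "wife", "dog", "cat", "boss", "lawn", "car", "house"]
ADJECTIVES = ["great", "lazy", "boring", "old", "green", "happy"]
TERMINATORS = ["", ".", "!"]


def phrase_guesses() -> Iterator[str]:
    """Yield candidate passphrases from two sentence templates."""
    # Template 1: "<subject> <verb> <object>"
    for subj, verb, obj in itertools.product(SUBJECTS, VERBS, OBJECTS):
        for end in TERMINATORS:
            yield f"{subj} {verb} {obj}{end}"
    # Template 2: "<possessive> <noun> is <adjective>"
    for poss, noun, adj in itertools.product(POSSESSIVES, NOUNS, ADJECTIVES):
        for end in TERMINATORS:
            yield f"{poss} {noun} is {adj}{end}"


def guesses_to_crack(target: str) -> Optional[int]:
    """1-based number of guesses needed to hit target, or None if never hit."""
    for count, guess in enumerate(phrase_guesses(), start=1):
        if guess == target:
            return count
    return None


def compare(phrase: str) -> dict:
    """Put the paper estimate next to what the toy guesser actually needed."""
    guesses = guesses_to_crack(phrase)
    return {
        "phrase": phrase,
        "nist_bits": nist_entropy_bits(phrase),
        "guesses": guesses,
        # log2(guesses) is the work the guesser really spent, in bits
        "effective_bits": None if guesses is None else round(math.log2(guesses), 1),
    }


if __name__ == "__main__":
    for p in ["four score and seven years ago", "I like football.",
              "My husband is boring.", "I like to eat purple rhinos on Tuesdays!"]:
        print(compare(p))
```

On the base NIST rule "I like football." and "I like pancakes." both score 30 bits, yet the toy guesser hits the first on its 14th try and the second on its 17th, a little over 4 bits of real work; "My husband is boring." scores 37 bits on paper and falls at guess 458. "four score and seven years ago" (46 bits) and "I like to eat purple rhinos on Tuesdays!" (56 bits) are never produced by these templates at all, which is the gap Eric's "unquantified" comment and Steven's "longer, more unusual" advice are both pointing at: the estimate rewards length, while the attack is bounded by how predictable the phrase is. The later SP 800-63B (2017) dropped this entropy estimate and the composition-rule advice in favour of length minimums and screening candidates against lists of common and breached passwords.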
Current thread:
- Re: password vs pass-phrase Ken Connelly (Mar 18)
- <Possible follow-ups>
- Re: password vs pass-phrase Joel Rosenblatt (Mar 18)
- Re: password vs pass-phrase Eric Case (Mar 18)
- Re: password vs pass-phrase Russell Fulton (Mar 18)
- Re: password vs pass-phrase Eric Case (Mar 18)
- Re: password vs pass-phrase Joel Rosenblatt (Mar 18)
- Re: password vs pass-phrase Russell Fulton (Mar 19)
- Re: password vs pass-phrase Eric Case (Mar 19)
- Re: password vs pass-phrase Flynn, Gerald (Mar 19)
- Re: password vs pass-phrase Allison Dolan (Mar 23)
- Re: password vs pass-phrase Russell Fulton (Mar 27)