Password strength meters promote piss-poor passwords

Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley (@MarkStockley) revisited his examination of …


  1. Anonymous Coward
    Meh

    I'm in the wrong job!

    Like many will say here, it's stating the bleeding obvious.

    Password1! = Great

    jodfnbjiobioebvjiowrbvhuirbkomefbjonerinbkowmbvjibefirkobjoernobneriobvjklfnbjonfon = Bad

  2. This post has been deleted by its author

    1. Robin

      My company's website doesn't have any sort of password meter. I always thought them to be a bit suspect at the best of times.

      Nor does it limit choice of password characters.

      What it does do though, is force a password length of 10 characters or more.

      It's about time we got rid of annoying character restrictions and focussed more on password length. The number of sites which still accept 6-character passwords is amazing.
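Added example (not from the thread or from The Register): a classic composition-rule check placed beside the length-first policy Robin describes, with a small constructed deny-list standing in for a breached-password list. It shows why "Password1!" sails through the first and fails the second, while the long keyboard-mash from the first comment does the reverse.

```python
"""Composition-rule password policy versus a length-first policy with a
deny-list.  Constructed illustration; the deny-list below is a stand-in
for a real breached-password list, not a list from the page."""
import re
from typing import Tuple

# Constructed deny-list: the "cores" of predictable passwords, compared
# after lower-casing and stripping leading/trailing digits and symbols,
# so Password1!, Password3! and Password35 all collapse to "password".
COMMON_CORES = {"password", "correcthorsebatterystaple", "qwerty", "letmein"}


def composition_policy(pw: str) -> bool:
    """The 8+ chars / upper / lower / digit / symbol rule most meters encode."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def length_first_policy(pw: str, min_len: int = 10, max_len: int = 256) -> Tuple[bool, str]:
    """Length floor, generous ceiling, no character-class demands, plus a
    deny-list lookup on the normalised core of the password."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        # Reject explicitly; never silently truncate (see the PayPal anecdote).
        return False, f"longer than {max_len} characters"
    lowered = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if lowered in COMMON_CORES or core in COMMON_CORES:
        return False, "matches a common-password core"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Password1!", "Password35", "abc123-fart",
                      "jodfnbjiobioebvjiowrbvhuirbkomefbjonerinbkowmbvjibefirkobjoernobneriobvjklfnbjonfon"]:
        print(f"{candidate[:20]:22} composition={composition_policy(candidate)!s:5} "
              f"length-first={length_first_policy(candidate)}")
```

The normalisation step is deliberately crude; a production check would also fold common leetspeak substitutions and compare against a large breached-password corpus rather than four constructed entries.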

      1. Peter2 Silver badge

        Don't forget sites that demand fixed length passwords without using special characters.

        1. Paul Crawford Silver badge
          Facepalm

          Don't forget sites that demand all of the restrictions in terms of mixed case, punctuation and numbers, along with a minimum length, then email it back to you in plaintext!

          Happened to a friend who filled in the Landlord Registration central online system for Scotland. Doh!

      2. bombastic bob Silver badge
        Devil

        correct horse battery staple

        perhaps the obvious isn't good enough.

        back in the day, CompuServe generated a password for you, consisting of two unrelated words and something from the 'shift number' row on your keyboard. Same basic idea.

        besides, abc123-fart would be just fine. It doesn't take much to destroy a dictionary attack. they're not that sophisticated. most of them are probably done by non-native English speakers or script kiddies anyway...

        (but don't use 'fart' as it's probably going to go into a dictionary now)

        so go ahead and use your easily remembered password, then add something else that's unrelated with a shift-number figure in between.

    2. Darryl

      "And it has 'Password1!' too. ;)"

      Ah, but does it have 'Password3!'?

      1. VinceH

        And don't forget password meters that are quite simply broken: http://misc.vinceh.com/2014/01/ryanair-website-telephone-support-fail/ (more or less the second half of the page)

      2. Francis Boyle Silver badge

        no

        but it does have password1701. Also Picard 4-7 Alpha Tango (you wouldn't want anyone using that one).

  3. Crisp

    Passwords need to be rethought

    There are lots of sites out there that seem to be stuck in the 1980's when an 8 character password would have been enough. Times have changed. Storage space is now so cheap we can afford for our users to have passphrases hundreds of characters long.

    (Obligatory XKCD link)

    1. Chazmon

      Re: Passwords need to be rethought

      The funny thing about that xkcd is that instead of encouraging better passwords it has simply led to 'correcthorsebatterystaple' climbing up the most popular password lists!

      1. Version 1.0 Silver badge

        Re: Passwords need to be rethought

        While correcthorsebatterystaple style passwords have some flaws they are still several orders of magnitude better than Password1. The other "solution" used by US government sites is to force the users to change their password every few weeks - this gives another illusion of security as many users simply increment the number at the end of the password or write it on the monitor - I saw someone enter Password35 a while back.

        Personally I always use Passowrd1 ... (OK, I'm kidding).

        1. Charles 9

          Re: Passwords need to be rethought

          "The other "solution" used by US government sites is to force the users to change their password every few weeks"

          That's mainly to close or detect undetected breaches. Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected as the user is prevented from changing the password (because the crook did it first) and raises the alarm with IT.

          1. JLV

            Re: Passwords need to be rethought

            >because the crook did it first

            Well the user couldn't log in that case. So...

            1. Charles 9

              Re: Passwords need to be rethought

              "Well the user couldn't log in that case. So..."

              ...he calls IT and asks what happened. This draws their attention to the breach. Precisely my point. It's a countermeasure to unknown breaches. It either closes them or reveals them.

          2. T. F. M. Reader

            Re: Passwords need to be rethought

            @Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected...

            It also means, especially since the users cannot use passwords similar to old ones (along the lines of Password34->Password35), that a (more) significant portion of the user population gives up on mnemonics and starts writing passwords down. The overall effect is that the probability of breach increases.

        2. Anonymous Coward

          Re: Passwords need to be rethought

          I like the initial format, eg:

          Bootnotes is the best bit of the register, sod the storage articles

          bitbbotr,stsa

          easyish to remember and pretty secure

          ( That's not my el-reg password, before somebody tries it )

          1. Kubla Cant

            Re: Passwords need to be rethought

            Thumbs up to the initial letters method.

            I favour lines, couplets, or even stanzas from poems or Shakespeare plays. You can include punctuation, it's far more memorable than horses, batteries and staples, and it's moderately incomprehensible to anyone who doesn't know the source quotation. If numerics are required, it's easy to add a bit of 1337 substitution.

            For example: Nadwh,nafn,4hcttrwh - long and obscure, yet absurdly easy to remember when you know the secret. You can probably guess it, but it may take a while.

            1. John Brown (no body) Silver badge

              Re: Passwords need to be rethought

              "I favour lines, couplets, or even stanzas from poems or Shakespeare plays"

              Most people would likely choose one of the most well known quotes, and they are susceptible to dictionary attacks. Great if you have an interest in and knowledge of more obscure quotations, but most people don't. One government dept I did work for assigned passwords to users, non-changeable by the users, which were invariably the initials from common nursery rhyme lines. Randomly capitalising letters or adding unexpected punctuation would help if it's long enough. A personally memorable phrase that's not a literature quote would be even better.

        3. tom dial Silver badge

          Re: Passwords need to be rethought

          The requirement to change passwords periodically (every 60 days when I left government service) has less to do with crackability and much to do with limiting exposure time if either user passwords or the hashed password file is compromised.

        4. G7mzh

          Re: Passwords need to be rethought

          The company I used to work for had two systems, both of which demanded you change your password every few weeks - usually at random times during the day when you were in the middle of something more important (like speaking to a customer), and which couldn't be anything you had used before or something similar (so if you had used Password1, then Password<n> was verboten).

          Several of us got into the habit of changing the password on the first of the month (which reset the timer) and instead of trying to think of something secure we just used the date. March2015 was sufficiently different from April2015 etc, and of course wouldn't be used again! Since it ended up with half the office using the same password, the system obviously didn't recognise that this was going on!

          Why they did this is unknown; it wasn't an environment where operator security was relevant.

      2. Charles 9

        Re: Passwords need to be rethought

        "The funny thing about that xkcd is that instead of encouraging better passwords it has simply lead to 'correcthorsebatterystaple' climbing up the most popular password lists!"

        And what about those with terrible memories, who take that and end up instead mixing it up with "enginestapledonkeywrong" and getting all lost?

        1. Primus Secundus Tertius

          Re: Passwords need to be rethought

          Passwords always have been difficult for the non-spellers.

          I remember a group shared account where the password was set to 'pterodactyl'. The non-spellers were complaining within the hour.

          It is better to write it down in e.g. a diary, rather than on a post-it note by the screen.

      3. Anonymous Coward

        Re: Passwords need to be rethought

        https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd?language=en

        And this woman says that Randall Munroe was wrong because people end up forgetting those passwords..

    2. Adam 1

      Re: Passwords need to be rethought

      If you think password length is related to the required storage space, you're storing it wrong.

      1. Robert Carnegie Silver badge
        Joke

        Re: Storage space

        I thought of a very efficient hashing system. Only store the length of the password. Up to 65,535 character length can be identified in 2 bytes. Oh wait - 32,767 characters; it's signed. And, yes, I'm allowing password length zero; someone's going to want it. Pedants, I expect.

        1. channel extended

          Re: Storage space

          Actually it's one less. All of the admins will want/have to use zero.

    3. Tom -1

      Re: Passwords need to be rethought (@Crisp)

      How long ago was XKCD/936?

      way back in the dark ages, I used passwords with about 60 bits of entropy, a long time before XKCD suggested that using something with 44 bits of entropy was a good idea, and now I'm happy using passwords with 150 bits of entropy (the XKCD scheme would require a dozen or more English words to match that); I guess our salvation is the good ole password safe.

      Actually, given how many passwords I want (and how reluctant I am to use the same one twice) I'd probably have to use a password safe even to hold that many passwords with 44 bits each of entropy (even more so with 64 bits of entropy, which I believe is more like the correct number for a sequence of 4 English words than XKCD's underestimate); and once I'm doing that, I can use passwords as complex as I like, all I need to remember is a decent pass phrase (decent means more than 500 bits of entropy, and using famous bits of Shakespeare or Chaucer or the like) in case someone gets access to my safe or its backup.

      So I believe that the thing about passwords that needs rethinking isn't a switch from things we can't remember to things we can, but a switch to acceptance that passwords we can't remember are what we have to live with - I'm happy to remember one nice long pass phrase, but I'm not going to try to remember a hundred (and anyone who does try is crazy).
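The entropy figures traded in this sub-thread (xkcd's 44 bits for four words, Tom's 64-bit counter-estimate, 150-bit passwords, "a dozen or more English words") all follow from one formula, so here is an added worked example, not part of the thread, that carries the arithmetic through. It assumes words are drawn uniformly at random with replacement from a list of known size; the 2048-word list matches xkcd's 11 bits per word, and 7776 is the size of a standard diceware list. A memorised quotation or nursery rhyme does not satisfy that assumption and gets far less than these numbers suggest.

```python
"""Entropy arithmetic for word-list passphrases and random-character
passwords.  Added illustration; assumes uniform random selection."""
import math


def words_entropy_bits(list_size: int, n_words: int) -> float:
    """Bits of entropy in n_words chosen uniformly (with replacement)
    from a list of list_size words: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from this list reaching target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def list_size_needed(n_words: int, target_bits: float) -> int:
    """List size at which n_words would carry target_bits of entropy."""
    return math.ceil(2 ** (target_bits / n_words))


def chars_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits in a random string of `length` symbols over an alphabet."""
    return length * math.log2(alphabet_size)


def chars_needed(alphabet_size: int, target_bits: float) -> int:
    """Length of random string over the alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("xkcd, 4 words from 2048:   ", words_entropy_bits(2048, 4), "bits")
    print("4 words from diceware 7776:", round(words_entropy_bits(7776, 4), 1), "bits")
    print("list size for 64 bits in 4 words:", list_size_needed(4, 64))
    print("words for 150 bits (2048 list):", words_needed(2048, 150))
    print("words for 150 bits (7776 list):", words_needed(7776, 150))
    print("random printable ASCII chars (94) for 150 bits:", chars_needed(94, 150))
```

The numbers bear out both sides of the exchange: four words from a 2048-word list give exactly 44 bits, reaching Tom's 64 bits with four words would need a 65,536-word list (larger than any list people actually use), and 150 bits takes 14 xkcd-style words or 23 random printable-ASCII characters, which is the "password safe" territory he ends up in.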

  4. Novex

    Passweird Generator

    I never relied on those strength meters anyway. I use KeePass, and it has a built-in password generator which seems to be pretty good at coming up with complex passwords, and has configurable options as well. And, because KeePass is a password manager I don't have to remember those passwords, just the hellishly long one I use for the master password. I also use a keyfile, so it's not just a case of getting hold of my master password to try and get my online passwords. And, because it's KeePass, it's a local solution with no cloud interaction that means my password database stays out of other people's hands.

    1. Version 1.0 Silver badge

      Re: Passweird Generator

      "my password database stays out of other people's hands"

      Dream on.

      1. Charles 9

        Re: Passweird Generator

        "Dream on."

        Oh? How do they get to it if it never goes online?

        1. Captain Scarlet

          Re: Passweird Generator

          Are you recommending everyone write their passwords on paper?

          1. phillip-b

            Re: Passweird Generator

            @Captain Scarlet

            Yes, writing down passwords for online accounts is recommended by no less a provenance than Qi:

            http://qi.com/infocloud/passwords

            "The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware"

        2. William 3 Bronze badge

          Re: Passweird Generator

          "Dream on."

          "Oh? How do they get to it if it never goes online?"

          -----

          Your machine is compromised by visiting a website with an exploit.

          Or is your machine free & your holy Keepass free from all past, present and future vulnerabilities.

          Security is about being paranoid all the time, you sound smug and complacent, an accident waiting to happen.

      2. Novex

        Re: Passweird Generator

        "my password database stays out of other people's hands"

        Dream on.

        Er, well, short of the NSA or GCHQ breaking in to where I live and cracking the password on my laptop, then cracking the password for my encrypted partition; and bearing in mind I am absolutely not putting my password database file anywhere near a cloud service; and noting that I don't let most javascript run in my browser so there's little hope that a script could get a virus onto my laptop via web browsing; and no-one else has a login to my laptop so they can't get anything on to it; and it runs Linux Mint for general work; I don't quite see how anyone else is going to get hold of the database file. So what is my dream exactly?

  5. Fortycoats

    primetime21 ?

    Wow, who'd have thought Deion Sanders was so popular as a basis for a password?

    Was beastmode24 on the list, too?

    1. This post has been deleted by its author

  6. phuzz Silver badge
    Facepalm

    I was trying to configure our Virgin Superhub* 3 the other day, and I'd got as far as the wireless password, so I put in the one that we'd been using previously, which is eleven characters long, and a mix of upper/lower and numeric (with a token symbol).

    Nope, the password strength meter stays on "bad".

    OK, I think, maybe they don't allow symbols.

    Nope, still no joy. It's only after really carefully reading the password restrictions that I notice "and must contain one or two numbers". The password I was trying to use had three numbers, and thus was deemed to be insecure.

    Yup, nice work there Virgin, and by nice I mean crappy.

    * (actual hub may be 60% less super than advertised)

    1. Anonymous IV

      @phuzz

      "I was trying to configure our Virgin Superhub* 3 the other day...

      * (actual hub may be 60% less super than advertised) "

      Your comment made me laugh - but I think your percentage is too low...!

  7. DaddyHoggy

    My first email password was 'ncc1701' (and here's me thinking I was being clever! <facepalm>) because the email system only allowed a max of eight characters. Even now, the same email system allows a max of 10 characters (although they didn't tell me this until I gave it a 16 char password and it wouldn't let me login afterwards - that when support told me it had only registered the first 10 characters and when I was trying to login with all 16 - it wasn't actually the same password...)

    I like long passwords, but ones that make sense to me, but are therefore very easy to remember.

    2bOR!2bThatIsThe? is one I used for quite a while (where systems allowed for sufficient length)

    1. Charles 9

      But can you do that over and over again, hundreds of times, with different sites with different rules, without getting them mixed up? One or two good passwords can be doable for most, but most people have to manage well over 100, and any breach can result in a cascade as the knowledge gained from weaker sites can be used to break stronger ones.

      1. Anonymous Coward

        I gave it a 16 char password and it wouldn't let me login afterwards

        PayPal does that. 20-char limit and if you go over it just chops the end off without telling you.
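An added example, not from the thread, showing what DaddyHoggy and the reply above ran into from the server side: when a system silently truncates a password before hashing, every password sharing the same first N characters verifies as the same credential, so a 16-character password is effectively a 10-character one and the user is never told. The hardened form rejects over-length input up front and hashes the whole string. It uses the standard-library PBKDF2 with a constructed fixed salt for reproducibility; a real deployment would use a per-user random salt and a dedicated password hasher.

```python
"""Silent password truncation before hashing, beside an explicit-reject
version.  Added illustration; salt and passwords below are constructed."""
import hashlib
import hmac
from typing import Optional

ITERATIONS = 50_000            # kept low so the demo runs quickly
SALT = b"constructed-fixed-salt"  # demo only; use os.urandom(16) per user


def hash_password(password: str, salt: bytes, max_len: Optional[int] = None) -> bytes:
    """Legacy-style hasher: if max_len is set, the password is cut to that
    many characters *before* hashing, which is the flaw being illustrated."""
    material = password[:max_len] if max_len is not None else password
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes, max_len: Optional[int] = None) -> bool:
    """Constant-time comparison against the stored hash, with the same
    truncation rule the hasher used."""
    return hmac.compare_digest(hash_password(password, salt, max_len), stored)


def set_password_strict(password: str, salt: bytes, max_len: int = 256) -> bytes:
    """Hardened form: refuse over-length input loudly, never trim it, and
    hash every byte the user typed."""
    if len(password.encode("utf-8")) > max_len:
        raise ValueError(f"password longer than {max_len} bytes; choose a shorter one")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def demo() -> dict:
    """Reproduce the anecdote: a 16-char password on a system that keeps 10."""
    full = "sixteencharspass"          # constructed, 16 characters
    first_ten = full[:10]              # what the legacy system really stored
    legacy_hash = hash_password(full, SALT, max_len=10)
    strict_hash = set_password_strict(full, SALT)
    return {
        "legacy_full_verifies": verify(full, SALT, legacy_hash, max_len=10),
        "legacy_prefix_verifies": verify(first_ten, SALT, legacy_hash, max_len=10),
        "legacy_prefix_plus_junk_verifies": verify(first_ten + "XYZ", SALT, legacy_hash, max_len=10),
        "strict_full_verifies": verify(full, SALT, strict_hash),
        "strict_prefix_verifies": verify(first_ten, SALT, strict_hash),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:34} {result}")
```

With the legacy hasher the prefix (and anything appended to it) verifies, which is exactly why the user's 16-character login kept failing once the client stopped truncating; with the strict hasher only the full string does, and a 21-character attempt on a 20-character system is refused at set time rather than quietly shortened.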

  8. Anonymous Coward

    "Paul C. van Oorschot of Carleton University, Canada, joined the password provocateurs in a paper published months earlier in which they rammed a research rod into best practice security spokes arguing crap passwords should be reused on low risk websites so users can concentrate on recalling a couple of really good passwords for important sites."

    The problem here is that weak sites can still be stepping stones to identity theft which can then be used to gain the credentials needed to break the higher-security sites.

    1. Anonymous Coward

      Yes, but it's best to have a crap password for sites that don't employ any sort of security, such as posting on tech website forums.

    2. CustardGannet

      "weak sites can still be stepping stones to identity theft"

      Only if you're stupid enough to give your real details to sites that don't need them, instead of signing up as Jethro Q. Walrus-Titty, with an address in the Svalbard Archipelago.

      But unfortunately, as George Carlin said, “Think of how stupid the average person is, and realize half of them are stupider than that.”

      1. Charles 9

        They can still match you by IP and other habits, which can be gleaned no matter how much you try to cover it up (because people usually can't afford to use two separate ISPs and in any event usually only have ONE connection in or out of the house).

        1. Kiwi

          They can still match you by IP and other habits, which can be gleaned no matter how much you try to cover it up

          Hell, my IP points back to my domain name (RDNS). Nothing to hide there.

          I use a number of throwaway email addresses (no idea how many, they're single use) eg 10minutemail.com for sites I want a quick answer from that I am not likely to visit again where I have to create an account to get the answer (and I can't find it reasonably quickly enough elsewhere). Cracking those sites would give you nothing, you don't have a valid or even existing email address. You might get my external IP (which gives you a few thousand possibilities for internal IPs) but that's about it.

          For more secure things (bank, email etc including my spam address) I have unique passwords which hopefully are plenty secure enough, and not stored somewhere obvious (yes all are written or typed but even if you had the list you wouldn't know what belongs where).

          Now tell me.. if you have my email address (as many hundreds or thousands of people do) but not my log in details for my email address, what use is that? If you have a couple of hundred of my weak passwords and can deduce what pattern I use, what use is that? So you can log in as me on a few dozen sites I've forgotten about (and probably did not use any identifying info on) - how can you breach anything that matters?

          I would honestly like to know if there is some risk I've overlooked.

  9. Anonymous Coward

    saggfwuepp53hlq%4k12h

    saggfwuepp53hlq%4k12h

    1. Swarthy
      Joke

      Re: saggfwuepp53hlq%4k12h

      Dammit! Now I have to change my El Reg password!

      - Wait - How did you get my password?!

      1. Adam 1

        Re: saggfwuepp53hlq%4k12h

        Well your auth cookie is sent in clear text every time you login here because apparently TLS is too much effort or something.
