11 thoughts on “What joker put seven dog lice in my Iraqi FZ box?”

    • My understanding is that the password advice in this comic isn’t very good. If I am correct (and I might not be), the most usual way for passwords to be stolen is that someone uses SQL injection (or similar) to make the website they’re interacting with regurgitate a list of encrypted passwords. You can’t take the encrypted passwords and directly turn them back into the unencrypted password that you’d need to plug into the login window, but you can guess what the password is and run the encryption algorithms on your guesses and see if it matches your encrypted password. Note that once you manage to trick the server into giving you this list, you are no longer limited by how often the server is willing to interact with your computer – you can make guesses as fast as your own hardware and software allow.

      So we get back to making a bunch of guesses, except there are two critical differences from the situation described in that comic:
      #1 You do not make a ton of random mixes of numbers and letters like wep98vtw904t2 and use those as your guess. Instead, most of the guessing is done by combining words that have been found in previous passwords, or doing slight variations on those. For example, a guess might be B@tteryHorseStaple1. This does not bode well for a password made of 3 or 4 words.
      #2 1,000 guesses per second is a comical underestimate of the efficiency of these programs. Actual performance will depend on hardware, but I’m seeing a report of one person doing 20,000 per second on what’s probably a very low end machine. I say probably very low end, because I’m also seeing reports of trying 100,000,000,000 per second on a single high-end graphics card. Note that dedicated hackers can use machines that combine a lot of different graphics cards.

      In short, only long strings of random numbers and letters (NOT combinations of words) are safe against an attack of this kind.

      • If you are working with a dictionary of, say, 10000 common words and you choose 4 of them at random there are 10^16 combinations. If you use 10 random letters and numbers, upper and lower case, there are 62^10 ~ 10^17, so basically, if you add one digit to your 4 words, they’re the same complexity.

        A good password hash needlessly burns CPU on purpose (take the password and do 1M rounds of SHA256 on it), and has a random “salt”.

        The xkcd idea is perfectly fine if people design hashes properly.
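The two comments above argue about passphrase entropy versus random strings and about slow, salted hashes. The following is an added example, not code from the original thread: it computes the entropy figures the commenter quotes (4 words from a 10000-word list, 10 alphanumeric characters), estimates guessing time at the 100,000,000,000 guesses/second figure from the earlier comment, and shows a salted, iterated hash (PBKDF2-HMAC-SHA256, standing in for the “1M rounds of SHA256” idea) that makes each guess roughly a million times more expensive. The linear slowdown assumption and the passphrase value are my own.

```python
import hashlib
import hmac
import math
import os

# Bits of entropy for a secret chosen uniformly: `length` symbols from a pool of `pool_size`.
def entropy_bits(pool_size: int, length: int) -> float:
    return length * math.log2(pool_size)

# Expected seconds to find the secret by exhaustive guessing (half the space on average).
def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    return (2.0 ** bits) / 2.0 / guesses_per_second

# A deliberately slow, salted password hash: PBKDF2-HMAC-SHA256 with `rounds` iterations.
def slow_hash(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

# Store a fresh random salt next to the digest. Every user gets a different salt,
# so a stolen table cannot be attacked with one precomputed list of hashed guesses.
def make_record(password: str, rounds: int = 1_000_000) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, slow_hash(password, salt, rounds)

# Constant-time comparison so the check does not leak how many leading bytes matched.
def verify(password: str, salt: bytes, digest: bytes, rounds: int = 1_000_000) -> bool:
    return hmac.compare_digest(slow_hash(password, salt, rounds), digest)

if __name__ == "__main__":
    gpu_rate = 1e11  # guesses/s against a single fast hash, the figure quoted above
    for label, pool, length in (("4 words from a 10000-word list", 10_000, 4),
                                ("10 random chars from [A-Za-z0-9]", 62, 10)):
        bits = entropy_bits(pool, length)
        fast = expected_crack_seconds(bits, gpu_rate)
        # Assumption: with a 1M-round hash every guess costs ~1M hash computations,
        # so the same hardware manages only gpu_rate / 1e6 guesses per second.
        slow = expected_crack_seconds(bits, gpu_rate / 1_000_000)
        print(f"{label}: {bits:.1f} bits; fast hash ~{fast / 3600:.1f} h, "
              f"slow hash ~{slow / 86400 / 365:.0f} years")
    # Constructed sample credential, hashed with a reduced round count to keep the demo quick.
    salt, digest = make_record("correct horse battery staple", rounds=100_000)
    print(verify("correct horse battery staple", salt, digest, rounds=100_000))
```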

  1. So now I should just use “60”, right? ;-P

    I wish the approach advocated by XKCD worked in practice, but quite a few websites do not allow “long” passwords for some reason. So I use a 16-character password (numbers+letters gives me 86 bits of entropy, if a website insists on punctuation then I add something), and use a password manager (KeePassXC) so I never reuse the same password twice.

    But for anything important (banking, your e-mail, etc), the best thing you can do is enable 2FA. It would be great if everyone just supported TOTP, instead of push messages or their own quirky solution with an “app”, but those are still better than nothing.

  2. Passwords are an idea whose time never came and never will. That they would prove useless was entirely foreseeable from day one. There is no password-based scheme that is workable. Using strong passwords and a password manager is, I suppose, the best approximation. But if you lose your password manager, or if somebody figures out the “meta-password” you use to access it, it is all for naught.

    It seems to me that we need to do two different things for internet security. First, many of the “accounts” that I have had to set up to carry out routine business do not need any security at all. In fact, many of them should not even exist. So, sites that don’t maintain any important private information should simply leave them open, and should give serious consideration as to whether user accounts even serve any real purpose.

    On the other side, any site that does hold private information should be required to use two-factor authentication. Password-only security should be eliminated. It’s a burden on the user and provides no real protection.

    • My take on the issue of passwords – they are evidence of a design flaw. We all know the weakest link is the user but we shouldn’t blame the user for a design flaw. Having to keep choosing more complex passwords, constantly needing to update them, then needing to use 2 factor authorization (when will we get to 3 factor authorization?), and having to complete Captcha puzzles (that I am increasingly failing at) are all evidence that the whole system is poorly designed. I don’t have a better model, but I am weary of the IT folks blaming users for their poorly designed systems.

    • Tamas and I use the same system basically… KeepassXC is the best we’ve got.

      Use a good long XKCD type password (4 or 5 words) for the keepass database, use a keyfile (which adds entropy but is another thing you need to back up), and use keepassxc browser plugin, which makes it pretty easy to insert your credentials.

      On an android phone keepass2android is great.

      I sync my keepass file through a private nextcloud instance. So my desktop, laptop, and android phone all have the same database (and all have a copy of the key file).

      I use two factor for my most important accounts.

      This is the best you’re going to get today. It works, it’s secure, I’ve literally never had any account compromised by someone guessing my passwords. Even my 75 year old non-techy mother is able to utilize this same system.

    • 2 factor authentication clearly increases security massively. On the other hand it always struck me as a ticking time bomb that will inevitably result in the user eventually getting locked out of their accounts, as it seems to assume a world where the user’s phone is never lost, stolen, or broken.

  3. How about time-outs? Wrong password and the system shuts down for ten seconds. A second wrong guess within ten minutes shuts the system for five minutes. A third, down for an hour. Someone trying a brute force approach will not tolerate the delays.

    • All good systems have a rate limit, but they should generally be more generous than the timeouts you mention. It’s easy to mistype a password, allowing 5 in a row before, say, a 5 min timeout, for example.
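The exchange above describes a per-account lockout policy: a few free attempts, then an escalating timeout. As an added example (not code from the thread), here is a small throttle that allows 5 consecutive failures before a 5-minute lockout, doubling the lockout on each repeat up to an hour, and clearing the state on a successful login. The class name, the doubling rule and the injectable clock are my own choices.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class LoginThrottle:
    """Per-account failed-login throttle with escalating lockouts."""
    free_attempts: int = 5            # consecutive failures allowed before a lockout
    base_lockout: float = 300.0       # first lockout, seconds (5 minutes)
    max_lockout: float = 3600.0       # cap on the escalating lockout (1 hour)
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    _failures: Dict[str, int] = field(default_factory=dict)       # consecutive failures
    _locked_until: Dict[str, float] = field(default_factory=dict)  # lockout expiry
    _lockouts: Dict[str, int] = field(default_factory=dict)        # lockouts so far

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> float:
        """Count a failed attempt; return the lockout length imposed (0.0 if none)."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n < self.free_attempts:
            return 0.0
        k = self._lockouts.get(account, 0)
        lockout = min(self.base_lockout * (2 ** k), self.max_lockout)
        self._lockouts[account] = k + 1
        self._failures[account] = 0
        self._locked_until[account] = self.clock() + lockout
        return lockout

    def record_success(self, account: str) -> None:
        """A correct password resets the account's counters and escalation."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)
        self._lockouts.pop(account, None)

    def attempt(self, account: str, credentials_ok: bool) -> str:
        """Gate a login: 'locked' (not even checked), 'ok', or 'denied'."""
        if self.is_locked(account):
            return "locked"
        if credentials_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "denied"
```

The `attempt` method refuses to evaluate the password at all while the account is locked, so an attacker gains nothing from a guess during the timeout.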
