Monday, February 22, 2010

Never trust password meters

On February 20th, Mikko Hypponen of F-Secure tweeted this message (click for full size):

He linked directly to this jpg file, while the graphic belongs to this article at CXO Europe. I usually find his tweets very interesting, as well as the blog posts from the F-Secure team, so don't get me wrong here. Being a little obsessed with passwords after researching them for approximately 9 years, I had to take a look at this article. (Most articles on password strength, and on passwords in general, are full of assumptions, a blend of information from various resources, and a bit of personal opinion from the author at the time of writing. At least that is what I think of them.)

The CXO article tested a bunch of passwords against the password strength meter of Google Mail, which you can find when creating a new account (or changing the password of an existing one). The graphic from CXO summarizes the strength of the passwords. Looking at that for <5 seconds was enough for me; I had to release this blog post, which I've been thinking about for quite some time.

So without further ado, here's the graphic I've produced quickly (...), without being a graphics artist such as @ripetungi, the creator of the CXO graphic. I believe you'll get the idea anyway. I've used the same passwords as tested by CXO, ranked in the same order as in their test (click the picture for full size):
(1) http://gmail.com/
The password input field has a strength meter. For some reason it says "too short" for my tested passphrase after character number 18, while other passwords/phrases receive the "strong" verdict. Apparently the script from Gmail doesn't really like my passphrase. Oh, and Gmail using the word "unbreakable"... It does remind me of Larry Ellison from Oracle. You should probably find yourself another word to use. :-)

(2) https://www.microsoft.com/protect/fraud/passwords/checker.aspx
This checker has 4 levels: Weak, Medium, Strong, Best. Nothing advanced, as simple as it can be.

(3) https://www.testalosenord.se/
A service from the Swedish Post and Telecom Agency (PTS), it uses Cracklib as the core of its password meter. It has only two levels, Weak or Strong. To receive a Strong rating, the password must comply with all 6 requirements:
- contain lowercase letters
- contain UPPERCASE LETTERS
- contain digits (0-9)
- contain special characters (!"#¤%&...)
- at least 8 characters in length without digits
- must not be based on a word in their word list

Kudos for using open-source software for their testing, but I would say that using Cracklib for judging the strength of passwords is seriously overkill in many cases; any rating must be seen in the context of online vs. offline attacks, as well as the crypto/hash algorithms and password salting in use.
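Those six requirements are simple enough to re-implement locally, which also means the password never leaves your machine. The following is an added example written for this post; it is not the PTS service's code and not Cracklib. The word-list check is a simplified stand-in for Cracklib's dictionary test (exact, reversed and letters-only match against a small constructed list), and the set of "special" characters is an assumption based on the examples the page lists. Applied exactly as listed, the rules rate any passphrase without a digit as Weak, however long it is, which is the kind of disagreement between meters this post is about.

```python
"""Local check of the six testalosenord.se-style requirements (added example)."""
import string

# Constructed sample word list; Cracklib ships a far larger dictionary.
WORD_LIST = {"password", "letmein", "qwerty", "monkey", "dragon", "ncc1701",
             "thx1138", "flipper", "football", "princess", "secret", "master"}

# Characters counted as "special"; the page lists !"#¤%& as examples (assumption).
SPECIALS = set(string.punctuation) | {"¤"}


def check_requirements(password: str, word_list=WORD_LIST) -> dict:
    """Evaluate each of the six requirements; True means satisfied."""
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    # Simplified dictionary test: the password itself, its letters only,
    # and the letters reversed are all looked up in the word list.
    candidates = {password.lower(), letters_only, letters_only[::-1]}
    return {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
        "length_without_digits": sum(1 for c in password if not c.isdigit()) >= 8,
        "not_in_word_list": not (candidates & word_list),
    }


def failed_requirements(password: str, word_list=WORD_LIST) -> list:
    """Names of the requirements the password does not meet, in list order."""
    return [name for name, ok in check_requirements(password, word_list).items() if not ok]


def rate(password: str, word_list=WORD_LIST) -> str:
    """Two-level verdict, as on the PTS service: Strong only if all six hold."""
    return "Strong" if not failed_requirements(password, word_list) else "Weak"


if __name__ == "__main__":
    # Passwords quoted on this page plus one constructed passphrase.
    for pw in ["ncc1701", "Password1!", "Lisbeth&Amalie&PerØyvind!", "Correct-Horse7-Battery"]:
        print(f"{pw:28} {rate(pw):6} missing: {', '.join(failed_requirements(pw)) or '-'}")
```

Running it shows "ncc1701" failing four of the six rules, "Password1!" failing only the word-list rule (its letters spell a list word), the 25-character passphrase failing only the digit rule, and the constructed passphrase passing all six.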

Please also note that this service requires you to submit the password to their server for analysis! But nobody would ever submit their own password for analysis, right? *wrong*

(4) http://www.testyourpassword.com/
Seems to be a replica of the Microsoft test at first sight, but without SSL applied. Use Microsoft's instead, if you must.

(5) http://www.passwordmeter.com/
This service has 5 levels: Very Weak, Weak, Good, Strong & Very Strong, and a percentage score is also displayed for even more granularity. However, the service doesn't seem to accept more than 16 characters, and anything longer gets a Very Weak 0% score. So much for my passphrase at length 25...

Kudos for having the source code available for download. Now if somebody could tweak it a little bit....

(6) http://keepass.info/
I chose to include the password meter capability of my favorite application for maintaining my own personal database of usernames and passwords (I've got close to a hundred of them...). Keepass measures the strength in bits; I've marked the best (my passphrase) and the worst (11 bits) in the table. A color bar is also displayed in Keepass. My passphrase receives a perfect "green" rating (100%), while the second best (56 bits) receives approximately a 40-45% rating.

(7) My own passphrase

Now you can be the judge: is (or was) that a good password? Comments highly welcome!

To summarize:
These services all have defects in various ways, and they are obviously not on the same page on how to evaluate the strength of a password. Using online password checkers should be avoided, as it would be very easy to set up a service which collects information about YOU as well as anything you type in for testing. Such online services do of course tell you NOT to test a real password that you are using, but I'll bet that's exactly what most users will do.

If I were forced to choose one of the above, I would go for Keepass. With Keepass you have an excellent tool for generating, evaluating and securely storing your lists of various passwords - provided your master password is "secure", of course. For all of them there are lots of improvements that can and should be made ASAP.

Message to Mikko Hypponen: I don't mind you linking to both good and bad content on the Internet. With this CXO article, I'm afraid some high-level folks might decide that it gives them ideas for their next password - which is really a very bad idea.

--
Final note to CXO, Jodie Humphries and @ripetungi:
You made me laugh with your selected passwords for testing at Gmail, and Mikko's comment on ncc1701 was also worth a smile (personally I'm a Star Wars fan, not much of a trekkie). May I suggest you get Wargames and Sneakers on DVD, and buy Cliff Stoll's excellent book "The Cuckoo's Egg", for more hardcore geek passwords to test against Gmail? :-)

11 comments:

  1. I think your password is great. I used a similar algorithm for mine for 1-2 years after a password-discussion you and I had 4 years ago. :-d

  2. Password security is very complex and it changes with the point of view. Your "family password" may be safe against anonymous attacks, but may be very easily leaked by people knowing you or even watching you while typing.

    Another important aspect of password security in my opinion is to have different passwords for different accounts, storing passwords securely and changing them periodically.

    The biggest threat besides phishing, in my opinion, for passwords may be password reminders. If one can access your e-mail, she/he can access your related accounts.

  3. I fully agree with "The-Dude" here, and blog posts are already in the works for the issues you mention.

    Thx for your reply, highly appreciated!

  4. Did you seriously just post your password?

  5. No, I posted one of the passwords that I used up until I started writing this blog post.

    The previous version was
    Lisbeth&Amalie&PerØyvind!

    If you would like to know. :-)

    Now, obviously, I will never ever use that or anything similar as my password again.

  6. I took your list and sent it through htpasswd:

    user1:BuB/WV8kSu.FY
    user2:JpN2z9ycU21/A
    user3:2piKkLOQFtskM
    user4:KsDI6JmK2gpcI
    user5:0AJE9VhMaUQow
    user6:8kSmpBlk2ufkw
    user7:j2.F/ElOYmDK.
    user8:FH9Sq/deBuCUg
    user9:Kec6iCof0RQME
    user10:08dU385S91NHo
    user11:u4pVdEsaLAtN.
    user12:/ot50MvvlYY0E
    user13:TIfb.Of41X1RY
    user14:KHGfUuzeb2/Xk
    user15:yCsUeqwK5Ps62
    user16:NnykzFwbN9h4.
    user17:W6G0Gb54wGWzA
    user18:wFLBAPm9ylAZM
    user19:i/jxQlVsWp3rk
    user20:2Ymawd1DcE0cg
    user21:5oIlUIEwnSptc
    user22:CKfg.MEG3tTJI
    user23:cV50xSZCOpyiI
    user24:aUnaRfbpgud3Q
    user25:/7BmjjDeqypVE
    user26:wgBh0zbZe3HFw
    user27:rBa4wadm.ZbwQ
    user28:o5O3gDx2sUpGQ
    user29:UvncgJtdWiWs2
    user30:1kSYgMAbfQdsQ
    user31:s9aCFM0vIdFCw
    user32:eIHI/5LXNZLTg
    user33:lQw8iujLX9IUI
    user34:fmiBRm1NVJE5c
    user35:JaJCRN/KXfMWg
    user36:3ZRwflCiReE.2
    user37:zHIlUV578E7Vo

    Afterwards, I let John look at it. Even on my cheap netbook it immediately broke these passwords:

    Loaded 37 password hashes with 37 different salts (Traditional DES [64/64 BS MMX])
    letmein (user30)
    snoopy (user19)
    michael (user18)
    123456 (user34)
    abc123 (user16)
    dragon (user21)
    password (user36)
    money (user22)
    diamond (user28)
    secret (user31)
    qwerty (user27)
    monkey (user24)
    iloveyou (user20)
    football (user32)
    master (user35)
    thx1138 (user9)
    ncc1701 (user5)
    access (user33)
    princess (user23)
    flipper (user11)
    dreams (user15)
    business (user14)
    pass (user29)
    121212 (user25)

    For myself, I started using a password safe that I protected with a rather long password. The password safe file is stored in a crypto container file that I carry around on my USB stick. For every account I use a different 20-character random password. I know this is paranoid, but it's better than my former method of juggling around with dozens of passwords that are either easy to crack or easy to forget. A long random password has the additional advantage that I can use it openly without running a big risk of someone remembering it - and if he does, he has deserved it ;)

    Thanks for your inspiring article!

  7. Well, using john is of course an offline attack, where you have "unlimited" time to test billions of passwords against the found hashes.

    NIST (SP800-118) has one of the better ways of estimating the strength of a password; looking at entropy when doing an online attack.

    Anyway; most of the listed passwords are weak in my opinion as well.

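The entropy estimate the comment above refers to, carried through on passwords quoted on this page: this is an added example, not the commenter's code. It implements the per-character schedule NIST gives for user-chosen passwords in SP 800-63 Appendix A (4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for characters 9 to 20, 1 bit for each character beyond 20). The appendix's bonuses for composition rules and an extensive dictionary check are left out, so these are base figures only, and the online and offline attempt rates used for the comparison are assumed values for illustration, not numbers from the page or from NIST.

```python
"""NIST SP 800-63 Appendix A base entropy schedule for user-chosen passwords
(added example), with an online-vs-offline guessing-time comparison."""

SECONDS_PER_YEAR = 365.25 * 86400

# Assumed attempt rates for illustration only.
ONLINE_RATE = 10.0     # guesses/second against a login form that throttles attempts
OFFLINE_RATE = 1e9     # guesses/second against captured hashes on fast hardware


def nist_base_entropy_bits(password: str) -> float:
    """Base entropy estimate in bits, before any composition/dictionary bonus."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                              # first character
    bits += 2.0 * min(n - 1, 7)             # characters 2 through 8
    bits += 1.5 * min(max(n - 8, 0), 12)    # characters 9 through 20
    bits += 1.0 * max(n - 20, 0)            # every character beyond 20
    return bits


def expected_guesses(bits: float) -> float:
    """Average attempts to find a password drawn from a space of 2**bits."""
    return 2.0 ** bits / 2.0


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the password at a given attempt rate."""
    return expected_guesses(bits) / guesses_per_second


def compare(password: str) -> dict:
    """Bits and expected years to guess, online (throttled) and offline (unthrottled)."""
    bits = nist_base_entropy_bits(password)
    return {
        "bits": bits,
        "online_years": expected_seconds(bits, ONLINE_RATE) / SECONDS_PER_YEAR,
        "offline_years": expected_seconds(bits, OFFLINE_RATE) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Passwords quoted on this page; the last one is the blog author's old passphrase.
    for pw in ["ncc1701", "password", "iloveyou", "Lisbeth&Amalie&PerØyvind!"]:
        r = compare(pw)
        print(f"{pw:28} {r['bits']:5.1f} bits  "
              f"online ~{r['online_years']:.2e} y  offline ~{r['offline_years']:.2e} y")
```

Two things the run makes visible. The base schedule gives "password" and any other 8-character string the same 18 bits, because it models length only; that is exactly why the appendix pairs it with a dictionary check, and why John found "password" in the list above instantly regardless of the estimate. And the gap between the online and offline columns is the point the comment makes: the same bits that make a throttled online attack impractical shrink to hours once an attacker holds the hashes and the attempt rate is limited only by hardware.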
  8. Thanks for your comment on my blog. This was very interesting; I might rewrite my post to include some of your points.

  9. And thank you Troy for your reply as well! It's not that password meters shouldn't be used, as they in many cases will give you an approximate of your password strength. You just shouldn't fully trust them. :-)

  10. The problem as I see it with these types of password meters, besides the obvious hacking potential, is that they seem to be a "one time thing", meaning a user visits the site, inputs their password and goes "great, my password is okay to use another four years". It basically doesn't put passwords in the context of security and whatever answer the meter returns will probably have little if any effect on the user.

    I do however believe that they are a valuable tool for sign-up processes. As a developer I have started enforcing only an eight character minimum for passwords, meaning a user can in fact register with the password 12345678. Next to the field though is a short description of the estimated strength of their password. Making people use good passwords/passphrases (let's not go into a discussion of what's good now :D) is near impossible, so as a web developer I think the only way is to enable users to make their own decision.

    Wow, that was a long comment for an old post.. Summary: password meters are good for sign-up forms. Feel free to have a look at my own password meter at https://github.com/erikbrannstrom/jQuery-Password-Entropy :)

  11. Password list for @jpgoldberg:

    g01111001110011101100e
    011235813213455134
    deathknight55
    algoreisright
    ncc1701
    starrynight
    enzoferrari
    ggekko
    thx1138
    babygirl
    flipper
    goodmorning
    ihatemylife
    business
    dreams
    abc123
    rockstar
    michael
    snoopy
    iloveu
    dragon
    money
    princess
    monkey
    121212
    biteme
    qwerty
    diamond
    pass
    letmein
    secret
    football
    access
    123456
    master
    password
    Lisbeth&Amalie&PerØyvind»


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.