|
|
| Line 1: |
Line 1: |
| '''Password strength''' is a measure of the effectiveness of a [[password]] in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.<ref name=CERT>{{cite web | url = http://www.us-cert.gov/cas/tips/ST04-002.html | title = Cyber Security Tip ST04-002 | work = Choosing and Protecting Passwords | publisher = US CERT | accessdate = June 20, 2009 }}</ref>
| | Andera is what you can contact her but she never truly liked that title. I've usually cherished residing in Kentucky but now I'm contemplating other choices. My spouse doesn't like it the way I do but what I truly like doing is caving but I don't have the time recently. Office supervising is my occupation.<br><br>Also visit my web blog - [http://www.january-yjm.com/xe/index.php?mid=video&document_srl=158289 online psychic reading] |
| | |
| Using strong passwords lowers overall [[risk]] of a security breach, but strong passwords do not replace the need for other effective [[security controls]]. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include [[Telephone tapping|wiretapping]], [[phishing]], [[keystroke logging]], [[Social engineering (security)|social engineering]], [[dumpster diving]], [[Shoulder surfing (computer security)|shoulder surfing]], [[side-channel attack]]s, and [[Vulnerability (computing)|software vulnerabilities]].
| |
| | |
| [[File:PassWord Strength.png|thumb|300px|[[Gmail]] registration screenshot, indicating password strength for different passwords.]]
| |
| | |
| == Determining password strength ==
| |
| There are two factors to consider in determining password strength: the average number of guesses the attacker must test to find the correct password and the ease with which an attacker can check the validity of each guessed password. The first factor is determined by how long the password is, how large a set of characters or symbols it is drawn from and whether the password is created randomly or by a more predictable process. Users of password-protected resources often have control of this factor. The second factor is determined by how the password is stored and used. This factor is determined by the design of the password system and beyond control of the user.
| |
| | |
| The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords. However the system must store information about the user passwords in some form and if that information is stolen, say by breaching system security, the user passwords can be at risk.
| |
| | |
| ===Password creation===
| |
| Passwords are created either automatically (using randomizing equipment) or by a human; the latter case is more common. While the strength of randomly chosen passwords against a brute force attack can be calculated with precision, determining the strength of human-generated passwords is challenging.
| |
| | |
| Typically, humans are to choose a password, sometimes guided by suggestions or restricted by a set of rules, when creating a new account for a computer system or Internet Web site. Only rough estimates of strength are possible, since humans tend to follow patterns in such tasks, and those patterns can usually assist an attacker.<ref name=NIST /> In addition, lists of commonly chosen passwords are widely available for use by password guessing programs. Such lists include the numerous online dictionaries for various human languages, along with other common passwords. All items in such lists are considered weak, as are passwords that are simple modifications of them. For some decades, investigations of passwords on multi-user computer systems have shown that 40% or more are readily guessed using only computer programs, and more can be found when information about a particular user is taken into account during the attack.
| |
| | |
| ==Password guess validation==
| |
| Systems that use passwords for authentication must have some way to check any password entered to gain access. If the valid passwords are simply stored in a system file or database, an attacker who gains sufficient access to the system will obtain all user passwords, giving the attacker access to all accounts on the attacked system, and possibly other systems where users employ the same or similar passwords. One way to reduce this risk is to store only a [[cryptographic hash]] of each password instead of the password itself. Standard cryptographic hashes, such as the [[Secure Hash Algorithm (disambiguation)|Secure Hash Algorithm]] series, are very hard to reverse, so an attacker who gets hold of the hash value cannot directly recover the password. However, knowledge of the hash value lets the attacker quickly test guesses offline. [[Password cracking]] programs are widely available that will test large number of trial passwords against a purloined cryptographic hash.
| |
| | |
| Improvements in computing technology keep increasing the rate at which guessed passwords can be tested. For example, in 2010, the [[Georgia Tech Research Institute]] developed a method of using [[GPGPU]] to crack passwords much faster.<ref name="gtri"/> [[Elcomsoft]] invented and started using common graphic cards for quicker password recovery in August 2007 and soon filed a corresponding patent in the US.<ref name="belenko">{{ cite patent | country=US | number=7929707 | status=patent | title=Use of graphics processors as parallel math co-processors for password recovery | assign1=Elcomsoft Co. Ltd. | inventor= Andrey V. Belenko | gdate=2011-04-19 }}</ref> As of 2011, commercial products are available that claim the ability to test up to 2,800,000,000 passwords per second on a standard desktop computer using a high-end graphics processor.<ref name=elcomsoft>[http://www.elcomsoft.com/eprb.html#gpu Elcomsoft.com], [[ElcomSoft]] Password Recovery Speed table, [[NTLM]] passwords, [[Nvidia Tesla]] S1070 GPU, accessed 2011-02-01</ref> Such a device can crack a 10 letter single-case password in one day. Note that the work can be distributed over many computers for an additional speedup proportional to the number of available computers with comparable GPUs. Special [[key stretching]] hashes are available that take a relatively long time to compute, reducing the rate at which guessing can take place. Although it is considered best practice to use key stretching, many common systems do not.
| |
| | |
| Another situation where quick guessing is possible is when the password is used to form a [[cryptographic key]]. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data. For example, one commercial product claims to test 103,000 [[Wi-Fi Protected Access|WPA]] PSK passwords per second.<ref>[http://www.elcomsoft.com/ewsa.html Elcomsoft Wireless Security Auditor, HD5970 GPU] accessed 2011-02-11</ref>
| |
| | |
| If a password system only stores the hash of the password, an attacker can pre-compute hash values for common passwords variants and for all passwords shorter than a certain length, allowing very rapid recovery of the password once its hash is obtained. Very long lists of pre-computed password hashes can be efficiently stored using [[rainbow tables]]. This method of attack can be foiled by storing a random value, called a [[cryptographic salt]], along with the password. The salt is combined with the password when computing the hash, so an attacker precomputing a rainbow table would have to store for each password its hash with every possible salt value. This becomes infeasible if the salt has a big enough range, say a 32-bit number. Unfortunately, many authentication systems in common use do not employ salt and rainbow tables are available on the Internet for several such systems.
| |
| | |
| ===Entropy as a measure of password strength===
| |
| It is usual in the computer industry to specify password strength in terms of [[information entropy]], measured in bits, a concept from [[information theory]]. Instead of the number of guesses needed to find the password with certainty, the [[Binary logarithm|base-2 logarithm]] of that number is given, which is the number of "entropy bits" in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 2<sup>42</sup> attempts to exhaust all possibilities during a [[brute force search]]. Thus, adding one bit of entropy to a password doubles the number of guesses required, which makes an attacker's task twice as difficult. On average, an attacker will have to try half of the possible passwords before finding the correct one.<ref name=NIST />
| |
| | |
| === Random passwords ===
| |
| {{Main|Random password generator}}
| |
| | |
| Random passwords consist of a string of symbols of specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected. The symbols can be individual characters from a character set (e.g., the [[ASCII]] character set), syllables designed to form pronounceable passwords, or even words from a word list (thus forming a [[passphrase]]).
| |
| | |
| The strength of random passwords depends on the actual entropy of the underlying number generator; however, these are often not truly random, but pseudo random. Many publicly available password generators use random number generators found in programming libraries that offer limited entropy. However most modern operating systems offer cryptographically strong random number generators that are suitable for password generation. It is also possible to use ordinary [[dice]] to generate random passwords. ''See [[Random password generator#Stronger methods|stronger methods]].'' Random password programs often have the ability to ensure that the resulting password complies with a local [[password policy]]; for instance, by always producing a mix of letters, numbers and special characters.
| |
| | |
| For passwords generated by a process that randomly selects a string of symbols of length, ''L'', from a set of ''N'' possible symbols, the number of possible passwords can be found by raising the number of symbols to the power ''L'', i.e. ''N''<sup>''L''</sup>. Increasing either ''L'' or ''N'' will strengthen the generated password. The strength of a random password as measured by the [[information entropy]] is just the [[binary logarithm|base-2 logarithm]] or log<sub>2</sub> of the number of possible passwords, assuming each symbol in the password is produced independently. Thus a random password's information entropy, ''H'', is given by the formula
| |
| | |
| :<math>H = log_2 N^L = L\log_2 N = L {\log N \over \log 2}</math>
| |
| | |
| where ''N'' is the number of possible symbols and ''L'' is the number of symbols in the password. ''H'' is measured in [[bit]]s.<ref name=NIST/><ref>Schneier, B: ''Applied Cryptography'', 2e, page 233 ff. John Wiley and Sons.</ref> In the last expression, ''log'' can be to any [[Base (exponentiation)|base]].
| |
| | |
| :{| class="wikitable" style="text-align: right;"
| |
| |+ Entropy per symbol for different symbol sets
| |
| ! Symbol set || Symbol count ''N'' || Entropy per symbol ''H''
| |
| |-
| |
| | align=left|[[Arabic numerals]] (0–9) (e.g. [[Personal identification number|PIN]]) || 10 || {{Rnd|{{#expr:ln10/ln2}}|3}} bits
| |
| |-
| |
| | align=left|[[hexadecimal]] numerals (0–9, A-F) (e.g. [[Wired Equivalent Privacy|WEP]] keys) || 16 || 4.000 bits
| |
| |-
| |
| | align=left|[[Case sensitivity|Case insensitive]] [[Latin alphabet]] (a-z or A-Z) || 26 || {{Rnd|{{#expr:ln26/ln2}}|3}} bits
| |
| |-
| |
| | align=left|Case insensitive [[alphanumeric]] (a-z or A-Z, 0–9) || 36 || {{Rnd|{{#expr:ln36/ln2}}|3}} bits
| |
| |-
| |
| | align=left|[[Case sensitivity|Case sensitive]] Latin alphabet (a-z, A-Z) || 52 || {{Rnd|{{#expr:ln52/ln2}}|3}} bits
| |
| |-
| |
| | align=left|Case sensitive alphanumeric (a-z, A-Z, 0–9) || 62 || {{Rnd|{{#expr:ln62/ln2}}|3}} bits
| |
| |-
| |
| | align=left|All [[Printable characters|ASCII printable characters]] || 95 || {{Rnd|{{#expr:ln95/ln2}}|3}} bits
| |
| |-
| |
| | align=left|All [[Extended ASCII|extended ASCII printable characters]] || 218 || {{Rnd|{{#expr:ln218/ln2}}|3}} bits
| |
| |-
| |
| | align=left|[[Diceware]] word list || 7776 || {{Rnd|{{#expr:ln7776/ln2}}|3}} bits
| |
| |}
| |
| | |
| To find the length, ''L,'' needed to achieve a desired strength ''H,'' with a password drawn randomly for a set of ''N'' symbols, one computes
| |
| | |
| :<math>L = {H \over \log_2 N}</math>, rounded up to the next largest [[natural number|whole number]].
| |
| | |
| The following table uses this formula to show the required lengths of truly randomly generated passwords to achieve desired password entropies for common symbol sets:
| |
| | |
| {| class="wikitable"
| |
| |+ Lengths ''L'' of truly randomly generated passwords required to achieve desired a password entropy ''H'' for symbol sets containing ''N'' symbols.
| |
| |-
| |
| ! Desired password entropy ''H'' !! [[Arabic numerals]] !! [[Hexadecimal]] !! [[Case sensitivity|Case insensitive]] [[Latin alphabet]] !! Case insensitive [[alphanumeric]] !! [[Case sensitivity|Case sensitive]] Latin alphabet !! Case sensitive alphanumeric !! All [[Printable characters|ASCII printable characters]] !! All [[Extended ASCII|extended ASCII printable characters]] !! [[Diceware]] word list
| |
| |-
| |
| | 32 bits || {{#expr:ceil(32/(ln10/ln2))}} || {{#expr:ceil(32/(ln16/ln2))}} || {{#expr:ceil(32/(ln26/ln2))}} || {{#expr:ceil(32/(ln36/ln2))}} || {{#expr:ceil(32/(ln52/ln2))}} || {{#expr:ceil(32/(ln62/ln2))}} || {{#expr:ceil(32/(ln95/ln2))}} || {{#expr:ceil(32/(ln218/ln2))}} || {{#expr:ceil(32/(ln7776/ln2))}}
| |
| |-
| |
| | 40 bits || {{#expr:ceil(40/(ln10/ln2))}} || {{#expr:ceil(40/(ln16/ln2))}} || {{#expr:ceil(40/(ln26/ln2))}} || {{#expr:ceil(40/(ln36/ln2))}} || {{#expr:ceil(40/(ln52/ln2))}} || {{#expr:ceil(40/(ln62/ln2))}} || {{#expr:ceil(40/(ln95/ln2))}} || {{#expr:ceil(40/(ln218/ln2))}} || {{#expr:ceil(40/(ln7776/ln2))}}
| |
| |-
| |
| | 64 bits || {{#expr:ceil(64/(ln10/ln2))}} || {{#expr:ceil(64/(ln16/ln2))}} || {{#expr:ceil(64/(ln26/ln2))}} || {{#expr:ceil(64/(ln36/ln2))}} || {{#expr:ceil(64/(ln52/ln2))}} || {{#expr:ceil(64/(ln62/ln2))}} || {{#expr:ceil(64/(ln95/ln2))}} || {{#expr:ceil(64/(ln218/ln2))}} || {{#expr:ceil(64/(ln7776/ln2))}}
| |
| |-
| |
| | 80 bits || {{#expr:ceil(80/(ln10/ln2))}} || {{#expr:ceil(80/(ln16/ln2))}} || {{#expr:ceil(80/(ln26/ln2))}} || {{#expr:ceil(80/(ln36/ln2))}} || {{#expr:ceil(80/(ln52/ln2))}} || {{#expr:ceil(80/(ln62/ln2))}} || {{#expr:ceil(80/(ln95/ln2))}} || {{#expr:ceil(80/(ln218/ln2))}} || {{#expr:ceil(80/(ln7776/ln2))}}
| |
| |-
| |
| | 96 bits || {{#expr:ceil(96/(ln10/ln2))}} || {{#expr:ceil(96/(ln16/ln2))}} || {{#expr:ceil(96/(ln26/ln2))}} || {{#expr:ceil(96/(ln36/ln2))}} || {{#expr:ceil(96/(ln52/ln2))}} || {{#expr:ceil(96/(ln62/ln2))}} || {{#expr:ceil(96/(ln95/ln2))}} || {{#expr:ceil(96/(ln218/ln2))}} || {{#expr:ceil(96/(ln7776/ln2))}}
| |
| |-
| |
| | 128 bits || {{#expr:ceil(128/(ln10/ln2))}} || {{#expr:ceil(128/(ln16/ln2))}} || {{#expr:ceil(128/(ln26/ln2))}} || {{#expr:ceil(128/(ln36/ln2))}} || {{#expr:ceil(128/(ln52/ln2))}} || {{#expr:ceil(128/(ln62/ln2))}} || {{#expr:ceil(128/(ln95/ln2))}} || {{#expr:ceil(128/(ln218/ln2))}} || {{#expr:ceil(128/(ln7776/ln2))}}
| |
| |-
| |
| | 160 bits || {{#expr:ceil(160/(ln10/ln2))}} || {{#expr:ceil(160/(ln16/ln2))}} || {{#expr:ceil(160/(ln26/ln2))}} || {{#expr:ceil(160/(ln36/ln2))}} || {{#expr:ceil(160/(ln52/ln2))}} || {{#expr:ceil(160/(ln62/ln2))}} || {{#expr:ceil(160/(ln95/ln2))}} || {{#expr:ceil(160/(ln218/ln2))}} || {{#expr:ceil(160/(ln7776/ln2))}}
| |
| |-
| |
| | 192 bits || {{#expr:ceil(192/(ln10/ln2))}} || {{#expr:ceil(192/(ln16/ln2))}} || {{#expr:ceil(192/(ln26/ln2))}} || {{#expr:ceil(192/(ln36/ln2))}} || {{#expr:ceil(192/(ln52/ln2))}} || {{#expr:ceil(192/(ln62/ln2))}} || {{#expr:ceil(192/(ln95/ln2))}} || {{#expr:ceil(192/(ln218/ln2))}} || {{#expr:ceil(192/(ln7776/ln2))}}
| |
| |-
| |
| | 224 bits || {{#expr:ceil(224/(ln10/ln2))}} || {{#expr:ceil(224/(ln16/ln2))}} || {{#expr:ceil(224/(ln26/ln2))}} || {{#expr:ceil(224/(ln36/ln2))}} || {{#expr:ceil(224/(ln52/ln2))}} || {{#expr:ceil(224/(ln62/ln2))}} || {{#expr:ceil(224/(ln95/ln2))}} || {{#expr:ceil(224/(ln218/ln2))}} || {{#expr:ceil(224/(ln7776/ln2))}}
| |
| |-
| |
| | 256 bits || {{#expr:ceil(256/(ln10/ln2))}} || {{#expr:ceil(256/(ln16/ln2))}} || {{#expr:ceil(256/(ln26/ln2))}} || {{#expr:ceil(256/(ln36/ln2))}} || {{#expr:ceil(256/(ln52/ln2))}} || {{#expr:ceil(256/(ln62/ln2))}} || {{#expr:ceil(256/(ln95/ln2))}} || {{#expr:ceil(256/(ln218/ln2))}} || {{#expr:ceil(256/(ln7776/ln2))}}
| |
| |-
| |
| | 384 bits || {{#expr:ceil(384/(ln10/ln2))}} || {{#expr:ceil(384/(ln16/ln2))}} || {{#expr:ceil(384/(ln26/ln2))}} || {{#expr:ceil(384/(ln36/ln2))}} || {{#expr:ceil(384/(ln52/ln2))}} || {{#expr:ceil(384/(ln62/ln2))}} || {{#expr:ceil(384/(ln95/ln2))}} || {{#expr:ceil(384/(ln218/ln2))}} || {{#expr:ceil(384/(ln7776/ln2))}}
| |
| |-
| |
| | 512 bits || {{#expr:ceil(512/(ln10/ln2))}} || {{#expr:ceil(512/(ln16/ln2))}} || {{#expr:ceil(512/(ln26/ln2))}} || {{#expr:ceil(512/(ln36/ln2))}} || {{#expr:ceil(512/(ln52/ln2))}} || {{#expr:ceil(512/(ln62/ln2))}} || {{#expr:ceil(512/(ln95/ln2))}} || {{#expr:ceil(512/(ln218/ln2))}} || {{#expr:ceil(512/(ln7776/ln2))}}
| |
| |-
| |
| | 1024 bits || {{#expr:ceil(1024/(ln10/ln2))}} || {{#expr:ceil(1024/(ln16/ln2))}} || {{#expr:ceil(1024/(ln26/ln2))}} || {{#expr:ceil(1024/(ln36/ln2))}} || {{#expr:ceil(1024/(ln52/ln2))}} || {{#expr:ceil(1024/(ln62/ln2))}} || {{#expr:ceil(1024/(ln95/ln2))}} || {{#expr:ceil(1024/(ln218/ln2))}} || {{#expr:ceil(1024/(ln7776/ln2))}}
| |
| |}
| |
| | |
| === Human-generated passwords ===
| |
| People are notoriously remiss at achieving sufficient entropy to produce satisfactory passwords. Some stage magicians exploit this inability for amusement, in a minor way, by divining supposed random choices (of numbers, say) made by audience members.
| |
| | |
| Thus, in one analysis of over 3 million eight-character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was used only 250,000 times. A [[uniform distribution (discrete)|uniform distribution]] would have had each character being used about 900,000 times. The most common number used is "1", whereas the most common letters are a, e, o, and r.<ref name=perfect />
| |
| | |
| Users rarely make full use of larger characters sets in forming passwords. For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.<ref name=myspace-passwords>{{cite news | url = http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300?currentPage=2 | title = MySpace Passwords aren't so Dumb | author = Bruce Schneier | publisher = Wired Magazine | accessdate = April 11, 2008 | date=December 14, 2006}}</ref>
| |
| | |
| Note that the full strength associated with using the entire ASCII character set (numerals, mixed case letters and special characters) is only achieved if each character in the password is chosen randomly from that set. Capitalizing a letter and adding one or two numbers and a special character to a password will not achieve the same strength. If the numbers and special character are added in predictable ways, say at the beginning and end of the password,<ref name=microsoftadvice>[http://www.microsoft.com/protect/fraud/passwords/create.aspx Microsoft.com]</ref> they could even lower password strength compared to an all letter random password of the same length.
| |
| | |
| A novel approach to generate strong passwords that seem like random ones was proposed by P. Cipreso et al.<ref name=":10">Cipresso P, Gaggioli A, Serino S, Cipresso S, Riva G: How to Create Memorizable and Strong Passwords. J Med Internet Res 2012;14(1):e10; http://www.jmir.org/2012/1/e10/ DOI: 10.2196/jmir.1906 PMID: 22233980</ref> and improved by Brumen et al.<ref name=":11">Brumen B, Heričko M, Rozman I, Hölbl M: Security Analysis and Improvements to the PsychoPass Method. J Med Internet Res 2013;15(8):e161. http://www.jmir.org/2013/8/e161/ doi: 10.2196/jmir.2366 PMID: 23942458</ref> The idea is that a password can be created, memorized and recalled by just thinking of an action sequence instead of a word or string of characters. The user selects a letter on the keyboard and from that letter on he or she memorizes a sequence of actions, like “the key on the left, then the upper one, then the one on the right”, and so on. The point is that the user remembers the sequence and not the letters themselves. The method was shown to produce passwords that have equivalent strength and comparable length to random passwords.
| |
| | |
| ==== NIST Special Publication 800-63 ====
| |
| [[NIST]] Special Publication 800-63 suggests the following scheme to roughly estimate the entropy of human-generated passwords:<ref name=NIST>{{cite web | url = http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf | title = Electronic Authentication Guideline | format = PDF | publisher = NIST | accessdate = March 21, 2012 }}</ref>
| |
| | |
| * The entropy of the first character is four bits;
| |
| * The entropy of the next seven characters are two bits per character;
| |
| * The ninth through the twentieth character has 1.5 bits of entropy per character;
| |
| * Characters 21 and above have one bit of entropy per character.
| |
| * A "bonus" of six bits is added if both upper case letters and non-alphabetic characters are used.
| |
| * A "bonus" of six bits is added for passwords of length 1 through 19 characters following an extensive dictionary check to ensure the password is not contained within a large dictionary. Passwords of 20 characters or more do not receive this bonus because it is assumed they are pass-phrases consisting of multiple dictionary words.
| |
| | |
| Using this scheme, an eight-character human-selected password without upper case letters and non-alphabetic characters is estimated to have {{#expr:1*4+7*2}} bits of entropy. The NIST publication concedes that at the time of development, little information was available on the real world selection of passwords.
| |
| | |
| Later research into human-selected password entropy using newly available real world data has demonstrated that the NIST scheme does not provide a valid metric for entropy estimation of human-selected passwords.<ref name=WeirEtAl>{{cite web | url = http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html | title = Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords | format = PDF | author = Matt Weir, Susdhir Aggarwal, Michael Collins, Henry Stern | accessdate = March 21, 2012 }}</ref>
| |
| | |
| ===Usability and implementation considerations===
| |
| Because national keyboard implementations vary, not all 94 ASCII printable characters can be used everywhere.<!-- The situation of assorted 7-bit ASCII character sets is long and sordid, quite indeterminate, and basically a dog's breakfast. The advent of Unicode / UCS has at least 'settled' what the lowest 128 characters are, though this is not exactly what most of the prior character sets had. --> This can present a problem to an international traveler who wished to log into remote system using a keyboard on a local computer. ''See'' [[keyboard layout]]. Many hand held devices, such as [[tablet computer]]s and [[smart phone]]s, require complex shift sequences to enter special characters.
| |
| | |
| Authentication programs vary in which characters they allow in passwords. Some do not recognize case differences (e.g., the upper-case "E" is considered equivalent to the lower-case "e"), others prohibit some of the other symbols. In the past few decades, systems have permitted more characters in passwords, but limitations still exist. Systems also vary in the maximum length of passwords allowed.
| |
| | |
| == Bit strength threshold ==
| |
| As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember may be forgotten and so are more likely to be written on paper, which some consider a security risk.<ref name=Gartner>{{cite web | url = http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf | title = Passwords are Near the Breaking Point | format = PDF | publisher = Gartner | author = A. Allan | accessdate = April 10, 2008 }}</ref> In contrast, others argue that forcing users to remember passwords without assistance can only accommodate weak passwords, and thus poses a greater security risk. According to [[Bruce Schneier]], most people are good at securing their wallets or purses, which is a "great place" to store a written password.<ref name=Schneier-writedown>{{cite web | url = http://www.schneier.com/blog/archives/2005/06/write_down_your.html | title = Schneier on Security | work = Write Down Your Password | author = Bruce Schneier | accessdate = April 10, 2008 }}</ref>
| |
| | |
| Some basic benchmarks have been established for brute force searches in the context of attempting to find keys used in encryption. The problem is not the same since these approaches involve astronomical numbers of trials, but the results are suggestive for password choice. In 1999, [[EFF DES cracker|an Electronic Frontier Foundation project]] broke 56-bit [[Data Encryption Standard|DES]] encryption in less than a day using specially designed hardware.<ref name=EFF-deep-crack>{{cite web | url = http://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html | title = EFF DES Cracker machine brings honesty to crypto debate | publisher = EFF | accessdate = March 27, 2008 }}</ref> In 2002, ''[[distributed.net]]'' cracked a 64-bit key in 4 years, 9 months, and 23 days.<ref name=distributed>{{cite web | url = http://stats.distributed.net/projects.php?project_id=5 | title = 64-bit key project status | publisher = Distributed.net | accessdate = March 27, 2008 }}</ref> As of October 12, 2011, ''distributed.net'' estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years.<ref name=distributed-72>{{cite web | url = http://stats.distributed.net/projects.php?project_id=8 | title = 72-bit key project status | publisher = Distributed.net | accessdate = October 12, 2011 }}</ref> Due to currently understood limitations from fundamental physics, there is no expectation that any [[digital computer]] (or combination) will be capable of breaking 256-bit encryption via a brute-force attack.<ref name=schneier-cyptogram>{{cite web | url = http://www.schneier.com/crypto-gram-9902.html | title = Snakeoil: Warning Sign #5: Ridiculous key lengths | author = Bruce Schneier | accessdate = March 27, 2008 }}</ref> Whether or not [[quantum computers]] will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.<ref>{{cite web|url=http://stackoverflow.com/questions/2768807/quantum-computing-and-encryption-breaking |title=hash - Quantum Computing and Encryption Breaking |publisher=Stack Overflow |date=2011-05-27 |accessdate=2013-03-17}}</ref>
| |
| | |
| As a result, there can be no exact answer to the somewhat different problem of the password strength required to resist brute force attack in practice. [[NIST]] recommends 80-bits for the most secure passwords, which can nearly be achieved with a 95-character alphabet (e.g., the original ASCII character set) with a 12-character random password (12 x 6.5 bits = 78).<ref name=NIST /> A 2010 [[Georgia Tech Research Institute]] study also recommended a 12-character random password, but as a minimum length requirement.<ref name="gtri">{{cite web|url=http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System|title=Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World's Password Security System|publisher=[[Georgia Tech Research Institute]]|accessdate=2010-11-07}}</ref><ref name="msnbc">{{cite news|url=http://www.msnbc.msn.com/id/38771772/|title=Want to deter hackers? Make your password longer|publisher=[[MSNBC]]|date=2010-08-19|accessdate=2010-11-07}}</ref>
| |
| | |
| == Guidelines for strong passwords ==
| |
| | |
| === Common guidelines ===
| |
| | |
| Guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing. Common guidelines include:<ref>Microsoft Corporation, [http://www.microsoft.com/protect/yourself/password/create.mspx Strong passwords: How to create and use them]</ref><ref name="schneier07">Bruce Schneier, [http://www.schneier.com/blog/archives/2007/01/choosing_secure.html Choosing Secure Passwords]</ref><ref>Google, Inc., [https://www.google.com/accounts/PasswordHelp How safe is your password?]</ref><ref name="Bidwell000">{{cite book
| |
| | first = Teri
| |
| | last = Bidwell
| |
| | title = Hack Proofing Your Identity in the Information Age
| |
| | publisher = Syngress Publishing
| |
| | year = 2002
| |
| | isbn = 1-931836-51-5
| |
| }}</ref>
| |
| * A minimum password length of 12 to 14 characters if permitted
| |
| * Generating passwords randomly where feasible
| |
| * Avoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates).
| |
| * Including numbers, and symbols in passwords if allowed by the system
| |
| * If the system recognizes case as significant, using capital and lower-case letters
| |
| * Avoiding using the same password for multiple sites or purposes
| |
| * Avoiding using something that the public or workmates know one strongly likes or dislikes
| |
| Some guidelines advise against writing passwords down, while others, noting the large numbers of password protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, not attached to a monitor or in an unlocked desk drawer.<ref>[http://www.schneier.com/blog/archives/2005/06/write_down_your.html schneier.com]</ref>
| |
| | |
| The possible character set for a password can be constrained by different web sites or by the range of keyboards on which the password must be entered.<ref>E.g., for a keyboard with only 17 nonalphanumeric characters, see one for a BlackBerry phone in [http://www.hardwaresecrets.com/fullimage.php?image=18705 an enlarged image] in support of [http://www.hardwaresecrets.com/article/795/2 Sandy Berger, ''BlackBerry Tour 9630 (Verizon) Cell Phone Review'', in Hardware Secrets (August 31, 2009)], both as accessed January 19, 2010. That some websites don’t allow nonalphanumerics is indicated by [http://forums.theregister.co.uk/post/527230 Kanhef, ''Idiots, For Different Reasons'' (June 30, 2009) (topic post)], as accessed January 20, 2010.</ref>
| |
| | |
| === Examples of weak passwords ===
| |
| {{See also|Password cracking}}
| |
| | |
| As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in weakness between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers— a common approach) may cost a password cracking device a few more seconds– this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds:<ref name=perfect>{{cite book
| |
| | last = Burnett
| |
| | first = Mark
| |
| | editor = Kleiman, Dave
| |
| | title = Perfect Passwords
| |
| | publisher = Syngress Publishing
| |
| | year = 2006
| |
| | location = Rockland, Massachusetts
| |
| | isbn = 1-59749-041-5
| |
| | page = 181
| |
| | editor-link = Dave Kleiman }}</ref>
| |
| | |
| * [[Default password]]s (as supplied by the system vendor and meant to be changed at installation time): ''password'', ''default'', ''admin'', ''guest'', etc. Lists of default passwords are widely available on the internet.
| |
| * Dictionary words: ''chameleon'', ''RedSox'', ''sandbags'', ''bunnyhop!'', ''IntenseCrabtree'', etc., including words in non-English dictionaries.
| |
| * Words with numbers appended: ''password1'', ''deer2000'', ''john1234'', etc., can be easily tested automatically with little lost time.
| |
| * Words with simple obfuscation: ''p@ssw0rd'', ''l33th4x0r'', ''g0ldf1sh'', etc., can be tested automatically with little additional effort. For example a domain administrator password compromised in the [[DigiNotar]] attack was reportedly ''Pr0d@dm1n.''<ref>{{cite web|url=http://thehackernews.com/2011/09/comodohacker-responsible-for-diginotar.html |title=ComodoHacker responsible for DigiNotar Attack - Hacking News |publisher=Thehackernews.com |date=2011-09-06 |accessdate=2013-03-17}}</ref>
| |
| * Doubled words: ''crabcrab'', ''stopstop'', ''treetree'', ''passpass'', etc.
| |
| * Common sequences from a keyboard row: ''qwerty'', ''[[Spaceballs#Plot|12345]]'', ''asdfgh'', ''fred'', etc.
| |
| * Numeric sequences based on well known numbers such as 911 <sup>([[9-1-1]], [[September 11 attacks|9/11]])</sup>, 314159... <sup>([[pi]])</sup>, or 27182... <sup>([[E (mathematical constant)|e]])</sup>, etc.
| |
| * Identifiers: ''jsmith123'', ''1/1/1970'', ''555–1234'', one's username, etc.
| |
| * Anything personally related to an individual: license plate number, Social Security number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person's details.
| |
| | |
| There are many other ways a password can be weak,<ref>Bidwell, p. 87</ref> corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and ''not'' be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user. On-line services often provide a restore password function that a hacker can figure out and by doing so bypass a password. Choosing hard to guess restore password questions can further secure the password.<ref>{{cite web|url=http://www.lockdown.co.uk/?pg=password_guide |title=Guidelines for choosing a good password |publisher=Lockdown.co.uk |date=2009-07-10 |accessdate=2013-03-17}}</ref>
| |
| | |
| == Password policy ==
| |
| {{Main|Password policy}}
| |
| | |
| A password policy is a guide to choosing satisfactory passwords. Some are controversial. They are usually intended to:
| |
| * assist users in choosing strong passwords
| |
| * ensure the passwords are suited to the target population
| |
| * provide recommendations for users with regard to the handling of their passwords
| |
| * impose a requirement to change any password which has been lost or compromised, and perhaps that no password be used longer than a limited time
| |
| * (in some cases) prescribe the pattern of characters which passwords must contain
| |
| | |
| For example, password expiration is often covered by password policies. Password expiration serves two purposes:<ref name=LOPSA>{{cite web | url = http://lopsa.org/node/295 | title = In Defense of Password Expiration | publisher = League of Professional Systems Administrators | accessdate = April 14, 2008 }}</ref>
| |
| * if the time to crack a password is estimated to be 100 days, password expiration times fewer than 100 days may help ensure insufficient time for an attacker.
| |
| * if a password has been compromised, requiring it to be changed regularly should limit the access time for the attacker
| |
| | |
| Some argue that password expirations have become obsolete,<ref name=CERIAS>{{cite web | url = http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ | title = Security Myths and Passwords | publisher = The Center for Education and Research in Information Assurance and Security | author = Eugene Spafford | accessdate = April 14, 2008 }}</ref> since:
| |
| * asking users to change passwords frequently encourages simple, weak passwords.
| |
| * if one has a truly strong password, there is little point in changing it. Changing passwords which are already strong introduces risk that the new password may be less strong.
| |
| * a compromised password is likely to be used immediately by an attacker to install a [[backdoor (computing)|backdoor]], often via [[privilege escalation]]. Once this is accomplished, password changes won't prevent future attacker access.
| |
| * mathematically it doesn't gain much security at all.
| |
| :* moving from never changing one's password to changing the password on every authenticate attempt (pass ''or'' fail attempts) only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack - one gains ''much'' more security just increasing the password length by one character than changing the password on every use.
| |
| | |
| === Creating and handling passwords ===
| |
| | |
| The hardest passwords to crack, for a given length and character set, are random character strings; if long enough they resist brute force attacks (because there are many characters) and guessing attacks (due to high entropy). However, such passwords are typically the hardest to remember. The imposition of a requirement for such passwords in a password policy may encourage users to write them down, store them in PDAs or cellphones, or share them with others as a safeguard against memory failure. Some people consider each of these user resorts to increase security risks. Others suggest the absurdity of expecting users to remember distinct complex passwords for each of the dozens of accounts they access. For example, security expert [[Bruce Schneier]] recommends writing down one's password:<ref>[http://www.schneier.com/blog/archives/2005/06/write_down_your.html Schneier.com]</ref>
| |
| | |
| {{Quote|''Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.''|Bruce Schneier, 2005}}
| |
| | |
| The following measures may increase acceptance of strong password requirements, if carefully used:
| |
| * a training program. Also, updated training for those who fail to follow the password policy (lost passwords, inadequate passwords, etc.).
| |
| * rewarding strong password users by reducing the rate, or eliminating altogether, the need for password changes (password expiration). The strength of user-chosen passwords can be estimated by automatic programs which inspect and evaluate proposed passwords, when setting or changing a password.
| |
| * displaying to each user the last login date and time in the hope that the user may notice unauthorized access, suggesting a compromised password.
| |
| * allowing users to reset their passwords via an automatic system, which reduces help desk call volume. However, some systems are themselves insecure; for instance, easily guessed or researched answers to password reset questions bypass the advantages of a strong password system.
| |
| * using randomly generated passwords that do not allow users to choose their own passwords, or at least offering randomly generated passwords as an option.
| |
| | |
| === Memory techniques ===
| |
| | |
| Password policies sometimes suggest memory techniques to assist remembering passwords:
| |
| | |
| * mnemonic passwords: Some users develop [[mnemonic]] phrases and use them to generate high-entropy (more or less random) passwords which are nevertheless relatively easy for the user to remember. For instance, the first letter of each word in a memorable phrase. Silly ones are possibly more memorable.<ref>[http://uc.iupui.edu/uploadedFiles/Learning_Center_Site/Mnemonic%20Devices.pdf ''Mnemonic Devices'' (Indianapolis, Ind.: Bepko Learning Ctr., University College)], as accessed January 19, 2010</ref> Another way to make random-appearing passwords more memorable is to use random words (see [[diceware]]) or syllables instead of randomly chosen letters.
| |
| * after-the-fact mnemonics: After the password has been established, invent a mnemonic that fits.<ref>[http://changingminds.org/techniques/memory/remembering_passwords.htm Remembering Passwords (ChangingMinds.org)], as accessed January 19, 2010</ref> It does not have to be reasonable or sensible, only memorable. This allows passwords to be random.
| |
| * visual representations of passwords: a password is memorized based on a sequence of keys pressed, not the values of the keys themselves, e.g. a sequence !qAsdE#2 represents a [[rhomboid]] on a keyboard. The method to produce such passwords is called PyschoPass<ref name=":10" /> and if applied correctly it was proven that the strength of such generated passwords are comparable to the randomly selected passwords.<ref name=":11" />
| |
| * password patterns: Any pattern in a password makes guessing (automated or not) easier and reduces an attacker's work factor.
| |
| ** For example, passwords of the following case-insensitive form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example ''pinray45'') are called Environ passwords.<ref>{{cite book
| |
| | first = Ross
| |
| | last = Anderson
| |
| | year = 2001
| |
| | title = Security engineering: A guide to building dependable distributed systems
| |
| | publisher = John Wiley & Sons, Inc.
| |
| | isbn = 0470068523
| |
| }}</ref> The pattern of alternating vowel and consonant characters was intended to make passwords more likely to be pronounceable and thus more memorable. Unfortunately, such patterns severely reduce the password's [[information entropy]], making [[brute force attack|brute force]] password attacks considerably more efficient. In the UK in October 2005, employees of [[Departments of the United Kingdom Government|the British government]] were advised to use passwords in this form.{{Citation needed|date=January 2012}}
| |
| | |
| === Protecting passwords ===
| |
| {{howto-section|date=March 2013}}
| |
| Computer users are generally advised to "never write down a password anywhere, no matter what" and "never use the same password for more than one account."{{citequote|date=March 2013}} However, an ordinary computer user may have dozens of password-protected accounts. Users with multiple accounts needing passwords often give up and use the same password for every account. When varied password complexity requirements prevent use of the same (memorable) scheme for producing high-strength passwords, overly simplified passwords will often be created to satisfy irritating and conflicting password requirements.
| |
| A [[Microsoft]] expert was quoted as saying at a 2005 security conference: "I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."<ref>[http://archive.is/20120713160252/http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html?tag=nefd.pop Microsoft security guru: Jot down your passwords], ''News.com.com'' Retrieved on 2007-05-07</ref>
| |
| | |
| If passwords are written down, they should never be kept in obvious places such as address books, [[Rolodex]] files, under drawers or keyboards, or behind pictures. Perhaps the worst, but all too common, location is a [[Post-It]] note on the computer monitor. Better locations are a [[safe deposit box]] or a locked file approved for information of sensitivity comparable to that protected by the password. Most locks on office file cabinets are far from adequate. Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form. Another approach is to [[Encryption|encrypt]] by hand on paper and remember the encryption method and key.<ref>Simple methods (e.g., [[Rot13|ROT13]] and [[Cipher#Historical ciphers|some other old ciphers]]) may suffice; for more sophisticated hand-methods see [http://www.schneier.com/solitaire.html Bruce Schneier, The Solitaire Encryption Algorithm (May 26, 1999) (ver. 1.2)], as accessed January 19, 2010, and [http://www.ibm.com/developerworks/power/library/pa-bigiron5/ Sam Siewert, ''Big Iron Lessons, Part 5: Introduction to Cryptography, From Egypt Through Enigma'' (IBM, July 26, 2005)], as accessed January 19, 2010.</ref> And another approach is to use a single password or slightly varying passwords for low-security accounts and select distinctly separate strong passwords for a smaller number of high-value applications such as for [[online banking]].
| |
| | |
| Another effective approach for remembering multiple passwords is to memorize a single "master" password and use software to generate a new password for each application, based on the master password and the application's name. This approach is used by Stanford's [[PwdHash]].<ref>{{cite conference |url=http://crypto.stanford.edu/PwdHash/pwdhash.pdf |title=Stronger Password Authentication Using Browser Extensions |author=Blake Ross |authorlink= |coauthors=Collin Jackson, Nicholas Miyake, Dan Boneh and John C. Mitchell |year=2005 |publisher=USENIX |booktitle=Proceedings of the 14th Usenix Security Symposium |pages=17–32}}</ref> In this approach, protecting the master password is essential, as all passwords are compromised if it is revealed.
| |
| | |
| ==Password managers==
| |
| {{Main|Password manager}}
| |
| A reasonable compromise for using large numbers of passwords is to record them in a password manager, which include stand-alone applications, web browser extensions, or a manager built into the operating system. A password manager allows the user to use hundreds of different passwords, and only have to remember a single password, the one which opens the encrypted password database. Needless to say, this single password should be strong and well-protected (not recorded anywhere). Most password managers can automatically create strong passwords using a cryptographically secure [[random password generator]], as well as calculating the entropy of the generated password. A good password manager will provide resistance against attacks such as [[key logging]], clipboard logging and various other memory spying techniques.
| |
| | |
| ==See also==
| |
| {{Portal|Computer security}}
| |
| * [[Keystroke logging]]
| |
| * [[Phishing]]
| |
| * [[Vulnerability (computing)]]
| |
| * [[Passphrase]]
| |
| | |
| == References ==
| |
| {{Reflist|30em}}
| |
| | |
| == External links ==
| |
| * [http://tools.ietf.org/html/rfc4086 RFC 4086: Randomness Requirements for Security]
| |
| * Steve Gibson. [https://www.grc.com/haystack.htm GRC's | Password Haystacks: How well Hidden is Your Needle?]
| |
| * [https://www.microsoft.com/security/pc-security/password-checker.aspx?WT.mc_id=Site_Link Microsoft's Password Strength Checker]
| |
| * [http://howto.cnet.com/8301-11310_39-20069069-285/how-to-check-the-strength-of-your-passwords/ How to check the strength of your passwords] Beware that the suggested tests are done by submitting a proposed password to one or more of several Web servers. This is, with high confidence, reliably insecure.
| |
| * [http://www.architectingsecurity.com/2010/09/11/password-patterns/ Password Patterns:The next generation dictionary attacks]
| |
| * [https://howsecureismypassword.net/ How secure is my password]
| |
| * [https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html How strong is your password?]
| |
| | |
| {{DEFAULTSORT:Password Strength}}
| |
| [[Category:Cryptography]]
| |
| [[Category:Password authentication]]
| |