Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Allison Dolan <adolan () MIT EDU>
Date: Thu, 18 Mar 2010 08:18:57 -0400

RE: pass-phrases - what about the variant where you use only the
first letter of each word, and then throw in a gratuitous special
symbol or two - e.g. using Steven's examples
Ilteprot$%
!#mfdwas

Short, easy to remember - assuming you can remember the passphrase

......Allison  Dolan (617-252-1461)



On Mar 18, 2010, at 3:45 AM, Steven Alexander wrote:

If we assume the hash isn't compromised, then the passwords don't
really have to be nearly as strong to stand up to attack, especially
with any sort of lockout or delay.

I don't think we should wait until they are before we worry about
passphrase security.  Attackers may be using better tools well
before we become aware of them.

The last time I looked, the standard password cracking tools were
not capable of doing the sort of phrase guessing that I mentioned,
but it would not be hard to create separate word/phrase lists and
adapt a program like John the Ripper to create passphrases based on
those lists.  The lists could even be generated by doing a word
count on the text of a sample of current news articles, fiction,
etc.  Assuming someone takes the time to modify or create a program
to do basic guessing, phrases like "I like football" would probably
fall pretty quickly, much faster than an average brute force
attempt against a 40-bit key.

I think we should encourage people to use longer, more unusual
passphrases, things like "I like to eat purple rhinos on
Tuesdays!"  or "My first dog was a stegosaurus."

-Steven

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
[ecase () EMAIL ARIZONA EDU]
Sent: Wednesday, March 17, 2010 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase (was: Are users
right in rejecting security advice?)

<snip>
Is it obvious to a brute force password cracker?  If we assume the
password hash has not been compromised and a key logger was not used,
is it obvious that
        four score and seven years ago
is an awful choice?  Based on how the U of Arizona implemented NIST
SP800-63, the above password/passphrase would score 53 bits of
entropy.
        4 score and 7 years ago
would only score 48 bits of entropy even though it uses three
character classes and the first one only uses two classes.


<snip> But we're also going to run into problems with users
picking phrases that are too simple and end up being subject to
predictions based on language analysis.

I agree, once the password crackers start using language analysis
or AI, the game will change.  Until then, can we get by with long
'simple' passphrases that are easy for users to remember?


Based on how the U of Arizona implemented NIST SP800-63 . . .
        I swim waffles          = 37 bits of entropy
        I like pancakes.        = 40 bits of entropy
        I like football.        = 40 bits of entropy
        My husband is boring.   = 46 bits of entropy
        Alice in Wonderland     = 44 bits of entropy
        TriSsmitp               = 27 bits of entropy
        My lawn is always green = 48 bits of entropy
        My lawn is sempre verde = 48 bits of entropy


I'm not suggesting that passphrases are bad, just that they are
unquantified.  Without good language analysis and lots of real-world
examples of chosen passphrases, we don't know whether people actually
choose better passphrases than passwords or how a passphrase of
length X compares to a password of length Y.

At least for now, you can quantify them based on length, character
classes and dictionary/complexity checks by using NIST SP800-63.  When
the crackers evolve, we will play catch-up (again).

NIST SP800-63 uses the research that Brian points out.
-Eric



Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
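
Added example, written for this archive page and not code from any of the posters: a Python sketch of the NIST SP 800-63 Appendix A entropy heuristic for user-chosen passwords that Eric's scores are built on, next to the much smaller guess space an attacker has when phrases come from a short word list (Steven's concern). The per-character schedule and the two 6-bit bonuses follow the NIST text as recalled here; the linear decline of the dictionary bonus is an assumption, and the U of Arizona adjustments are not described on this page, so the values will not reproduce Eric's figures exactly.

```python
import math

# Added example, not code from any poster in this thread. Implements the
# NIST SP 800-63 Appendix A entropy heuristic for user-chosen passwords
# as recalled by the editor; the U of Arizona scoring quoted above is not
# described on this page, so these values need not match Eric's figures.

def nist_sp80063_entropy(password, composition_rule=False, dictionary_check=False):
    """Estimated guessing entropy (bits) of a user-chosen password."""
    n = len(password)
    bits = 0.0
    for pos in range(1, n + 1):        # 1-based character position
        if pos == 1:
            bits += 4.0                # first character: 4 bits
        elif pos <= 8:
            bits += 2.0                # characters 2-8: 2 bits each
        elif pos <= 20:
            bits += 1.5                # characters 9-20: 1.5 bits each
        else:
            bits += 1.0                # characters 21 and up: 1 bit each
    if n and composition_rule:         # policy forces upper case + non-alpha
        bits += 6.0
    if n and dictionary_check:
        # Up to 6 bits, declining to zero at 20 characters. ASSUMPTION:
        # linear decline from 6 bits at 8 characters or fewer.
        bits += max(0.0, min(6.0, 6.0 * (20 - n) / 12))
    return bits


def phrase_list_entropy(words_per_phrase, list_size):
    """Real guess space (bits) of a phrase built from `words_per_phrase`
    words drawn uniformly from a `list_size`-word list: the most an
    attacker who generates phrases the same way has to search."""
    return words_per_phrase * math.log2(list_size)


if __name__ == "__main__":
    # Phrases from the thread, scored as a site enforcing both a composition
    # rule and a dictionary check would score them.
    for p in ["four score and seven years ago", "I like football.", "TriSsmitp"]:
        print(f"{p!r:34} NIST estimate {nist_sp80063_entropy(p, True, True):5.1f} bits")
    # Steven's point: a phrase of three common words scores around 38 bits
    # above but offers under 30 bits against a 1000-word phrase generator.
    print(f"3 words from a 1000-word list: {phrase_list_entropy(3, 1000):.1f} bits")
```

The gap between the two numbers is exactly what Eric calls "unquantified": the NIST score grows with length and character classes, while the phrase-list figure only grows with the size of the vocabulary the phrase is drawn from.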


