Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Thu, 18 Mar 2010 09:57:11 -0700

I call them pass-acronyms:

Pass-acronym     Pass-phrase
Ihp,tmmc!        I hate passwords, they make me crazy!
TyIwl10#         This year I will lose 10 pounds
Mw&katb!         My wife and kids are the best!
Tnplh,tnplh      There's no place like home, there's no place like home
Ilmd,m&s         I love my dogs, Max and Spot
Tkosssi2tf       Time keeps on slippin', slippin', slippin' / Into the future
                 - Steve Miller
Tmb50w2lyl       There must be fifty ways / To leave your lover
                 - Paul Simon, 50 Ways To Leave Your Lover
Dwyc,wya,wwyg    Do what you can, where you are, with what you've got.
                 - Theodore Roosevelt
Idnw24stf        I do not want to foresee the future. (I am concerned with
                 taking care of the present. God has given me no control
                 over the moment following.)
                 - Mahatma Gandhi
Dyfl?Wdyp?       Do you feel lucky? Well, do ya, punk?
                 - Clint Eastwood as Harry Callahan in Dirty Harry (1971)
La,taf,dh2n      Love all, trust a few, do harm to none.
                 - Shakespeare's All's Well That Ends Well, Act 1, Scene i


-Eric





Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allison Dolan
Sent: Thursday, March 18, 2010 5:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase (was: Are users right in
rejecting security advice?)



RE: pass-phrases - what about the variant where you use only the first
letter of each word, and then throw in a gratuitous special symbol or two,
e.g. using Steven's examples:

Ilteprot$%

!#mfdwas



Short, easy to remember - assuming you can remember the passphrase



......Allison  Dolan (617-252-1461)
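An added example, not code from Allison's or Eric's messages: a small Python generator for the first-letter scheme both describe (Eric's pass-acronym table above, Allison's "first letter of each word plus a symbol or two"). The substitution table (and -> &, to -> 2, fifty -> 50), the dropped terminal period and the prefix/suffix decoration are assumptions inferred from the examples in the thread; Eric's "#" for "pounds" and the commas he drops in some rows are manual choices the generator does not make.

```python
import re

# Word-level substitutions inferred from the thread's examples
# ("and" -> "&", "to" -> "2", "fifty" -> "50"). The table is an assumption.
WORD_SUBS = {
    "and": "&",
    "to": "2", "too": "2", "two": "2",
    "for": "4", "four": "4",
    "fifty": "50",
}

# A token is either a word (letters, digits, apostrophes) or one other
# non-space character (punctuation).
TOKEN_RE = re.compile(r"([A-Za-z0-9']+)|(\S)")


def pass_acronym(phrase, prefix="", suffix=""):
    """Reduce a pass-phrase to a pass-acronym.

    Rules (each an assumption drawn from the examples in the thread):
      - a word contributes its first letter, case preserved;
      - a word listed in WORD_SUBS contributes its substitute instead;
      - a number such as "10" is kept whole;
      - punctuation stays in place, except a terminal period, which is dropped;
      - prefix/suffix add the "gratuitous special symbol or two" Allison mentions.
    """
    tokens = TOKEN_RE.findall(phrase)
    out = []
    for i, (word, punct) in enumerate(tokens):
        if word:
            core = word.strip("'") or word        # "there's" -> "t", "'em" -> "e"
            key = core.lower()
            if key in WORD_SUBS:
                out.append(WORD_SUBS[key])
            elif core[0].isdigit():
                out.append(core)                  # keep numerals whole
            else:
                out.append(core[0])               # first letter, case preserved
        elif punct == "." and i == len(tokens) - 1:
            continue                              # drop a terminal period
        else:
            out.append(punct)                     # keep other punctuation in place
    return prefix + "".join(out) + suffix


if __name__ == "__main__":
    for phrase in ("I hate passwords, they make me crazy!",
                   "My wife and kids are the best!",
                   "There must be fifty ways to leave your lover"):
        print(f"{pass_acronym(phrase):<16} {phrase}")
    print(pass_acronym("I like to eat purple rhinos on Tuesdays!", suffix="$%"))
```

Because every word collapses to one character, the acronym is only as hard to guess as the phrase it came from plus the handful of substitution choices: an attacker who enumerates common phrases and applies the same rule covers it at no extra cost, which is the concern Steven raises in the message quoted below.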









On Mar 18, 2010, at 3:45 AM, Steven Alexander wrote:





If we assume the hash isn't compromised, then the passwords don't really
have to be nearly as strong to stand up to attack, especially with any sort
of lockout or delay.



I don't think we should wait until they are before we worry about
passphrase security.  Attackers may be using better tools well before we
become aware of them.



The last time I looked, the standard password cracking tools were not
capable of doing the sort of phrase guessing that I mentioned, but it would
not be hard to create separate word/phrase lists and adapt a program like
John the Ripper to create passphrases based on those lists.  The lists could
even be generated by doing a word count on the text of a sample of current
news articles, fiction, etc.  Assuming someone takes the time to modify or
create a program to do basic guessing, phrases like "I like football" would
probably fall pretty quickly, much faster than an average brute force
attempt against a 40-bit key.



I think we should encourage people to use longer, more unusual passphrases,
things like "I like to eat purple rhinos on Tuesdays!" or "My first dog was
a stegosaurus."



-Steven
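As an added example (not Steven's code, and not an actual modification of John the Ripper), the following Python sketch does the phrase guessing he describes: rank candidate phrases by corpus word counts, apply a few cheap mangling rules, and test them against a SHA-256 stand-in for a leaked unsalted hash. The corpus is constructed and the part-of-speech slot lists are hand-tagged assumptions; a real attack would derive both from a large text sample.

```python
import hashlib
import itertools
import re
from collections import Counter

# Constructed toy corpus: stands in for the "word count on the text of a
# sample of current news articles, fiction, etc." that Steven describes.
CORPUS = """
I like football and I like pizza. We love music. You hate homework.
My husband likes football. The football team won. I want coffee.
I like my dogs. She likes cats. They love the beach. I like coffee.
The lawn is green. My car is red. I like football on Sunday.
"""

# Hand-tagged slot lists (an assumption; a real attack would tag a big corpus).
SUBJECTS = ["i", "we", "you", "they", "she", "he"]
VERBS = ["like", "love", "hate", "want", "need", "play"]
OBJECTS = ["football", "pizza", "music", "coffee", "cats", "dogs",
           "homework", "rhinos", "tuesdays"]


def word_freqs(text):
    """Lower-cased word counts for the corpus."""
    return Counter(re.findall(r"[a-z']+", text.lower()))


def phrase_candidates(freqs):
    """Yield 'subject verb object' phrases, most corpus-likely first.

    Likelihood is approximated by the product of per-word (count + 1), so
    words the corpus never saw are still tried, just last.
    """
    combos = itertools.product(SUBJECTS, VERBS, OBJECTS)
    scored = [(-(freqs[s] + 1) * (freqs[v] + 1) * (freqs[o] + 1), f"{s} {v} {o}")
              for s, v, o in combos]
    for _, phrase in sorted(scored):
        yield phrase


def mangle(phrase):
    """Cheap JtR-style rules: sentence case, then an optional . or ! suffix."""
    base = phrase[0].upper() + phrase[1:]
    for suffix in ("", ".", "!"):
        yield base + suffix


def hash_phrase(phrase):
    """Stand-in for a leaked fast, unsalted hash (what an offline attack sees)."""
    return hashlib.sha256(phrase.encode("utf-8")).hexdigest()


def crack(target_hex, freqs=None, limit=None):
    """Return (phrase, guess_number) if the phrase space reaches the hash, else None."""
    freqs = freqs if freqs is not None else word_freqs(CORPUS)
    guess_number = 0
    for phrase in phrase_candidates(freqs):
        for candidate in mangle(phrase):
            guess_number += 1
            if limit is not None and guess_number > limit:
                return None
            if hash_phrase(candidate) == target_hex:
                return candidate, guess_number
    return None


def average_bruteforce_guesses(bits):
    """Expected guesses against a uniformly random key of the given size."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    for phrase in ("I like football", "I like football!",
                   "I like to eat purple rhinos on Tuesdays!"):
        print(phrase, "->", crack(hash_phrase(phrase)))
    print("average guesses for a 40-bit key:", average_bruteforce_guesses(40))
```

"I like football" is the very first candidate tried, against the 2^39 expected guesses of the 40-bit brute force Steven compares it to. "I like to eat purple rhinos on Tuesdays!" lies outside the generator's grammar and is never produced, which is the property his longer, odder phrases rely on; the defence only holds until the attacker's grammar and word lists grow to cover them.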



________________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
[ecase () EMAIL ARIZONA EDU]
Sent: Wednesday, March 17, 2010 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase (was: Are users right in
rejecting security advice?)

<snip>
Is it obvious to a brute force password cracker?  If we assume the password
hash has not been compromised and a key logger was not used, is it obvious
that

        four score and seven years ago

is an awful choice?  Based on how the U of Arizona implemented NIST
SP800-63, the above password/passphrase would score 53 bits of entropy.

        4 score and 7 years ago

would only score 48 bits of entropy even though it uses three character
classes and the first one only uses two classes.





<snip> But we're also going to run into problems with users
picking phrases that are too simple and end up being subject to
predictions based on language analysis.

I agree, once the password crackers start using language analysis or AI, the
game will change.  Until then, can we get by with long 'simple' passphrases
that are easy for users to remember?





Based on how the U of Arizona implemented NIST SP800-63 . . .

        I swim waffles          = 37 bits of entropy
        I like pancakes.        = 40 bits of entropy
        I like football.        = 40 bits of entropy
        My husband is boring.   = 46 bits of entropy
        Alice in Wonderland     = 44 bits of entropy
        TriSsmitp               = 27 bits of entropy
        My lawn is always green = 48 bits of entropy
        My lawn is sempre verde = 48 bits of entropy





I'm not suggesting that passphrases are bad, just that they are
unquantified.  Without good language analysis and lots of real-world
examples of chosen passphrases, we don't know whether people actually
choose better passphrases than passwords or how a passphrase of length
X compares to a password of length Y.

At least for now, you can quantify them based on length, character classes
and dictionary/complexity checks by using NIST SP800-63.  When the crackers
evolve, we will play catch-up (again).

NIST SP800-63 uses the research that Brian points out.

-Eric







Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase
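An added example, not Eric's code and not the U of Arizona scorer: the guessing-entropy rule for user-chosen passwords from Appendix A of NIST SP 800-63 (v1.0.2), which is what "based on how the U of Arizona implemented NIST SP800-63" refers to. Two caveats a practitioner should know: NIST's bonuses are for rules the system enforces (a composition rule, a dictionary check), not for character classes that happen to appear in a given string; and NIST's Table A.1 tapers the bonuses for passwords shorter than 8 characters, which this function does not reproduce. The U of Arizona figures above run higher than NIST's base rule for the same strings (53 versus 46 for the 30-character Gettysburg line), which is consistent with Eric's remark that their scorer also credits character classes.

```python
def nist_user_chosen_entropy(password, dictionary_check=False, composition_rule=False):
    """Guessing-entropy estimate in bits per NIST SP 800-63 v1.0.2, Appendix A.

    Per-character rule: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for characters 9-20, 1 bit each beyond 20.
    Bonuses (for policy the system enforces, not for characters present):
      - composition rule requiring upper case and non-alphabetic: +6 bits;
      - extensive dictionary check: +6 bits, declining to 0 at 20 characters.
    NIST's table tapers both bonuses below 8 characters; not reproduced here.
    """
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                                   # first character
    bits += 2.0 * min(n - 1, 7)                  # characters 2..8
    bits += 1.5 * max(0, min(n, 20) - 8)         # characters 9..20
    bits += 1.0 * max(0, n - 20)                 # characters 21 and up
    if dictionary_check:
        bits += max(0.0, 6.0 - 0.5 * max(0, n - 8))   # 6 bits at <=8, 0 at 20
    if composition_rule:
        bits += 6.0
    return bits


# Passphrases quoted in the thread, for comparison under NIST's own rule.
THREAD_SAMPLES = [
    "four score and seven years ago",
    "4 score and 7 years ago",
    "I swim waffles",
    "I like pancakes.",
    "TriSsmitp",
    "My lawn is always green",
]


def rank_by_entropy(samples, **policy):
    """(bits, sample) pairs, strongest first, under the given policy flags."""
    return sorted(((nist_user_chosen_entropy(s, **policy), s) for s in samples),
                  reverse=True)


def reproduce_table_a1(lengths=(8, 10, 12, 14, 16, 18, 20, 22, 24, 30, 40)):
    """Rows of NIST Table A.1 for lengths >= 8:
    (length, no checks, dictionary rule, dictionary + composition rule)."""
    rows = []
    for n in lengths:
        pw = "x" * n                             # only the length matters
        rows.append((n,
                     nist_user_chosen_entropy(pw),
                     nist_user_chosen_entropy(pw, dictionary_check=True),
                     nist_user_chosen_entropy(pw, dictionary_check=True,
                                              composition_rule=True)))
    return rows


if __name__ == "__main__":
    for bits, sample in rank_by_entropy(THREAD_SAMPLES):
        print(f"{sample:<32} = {bits:>5} bits (NIST base rule)")
    for row in reproduce_table_a1():
        print("length %2d: %4.1f / %4.1f / %4.1f" % row)
```

Note what the declining dictionary bonus encodes: the appendix assumes that any long password a user can remember is a passphrase built from dictionary words, so by 20 characters the dictionary check is credited with nothing. That is the same observation Steven makes about phrase guessing, already built into the table, and it is why a rule of thumb like this cannot distinguish "I like football." from a phrase of equal length that no corpus predicts.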


