Password weakness

Randall Munroe opines in xkcd on password strength, noting that we’ve trained people to “use passwords that are hard for humans to remember, but easy for computers to guess.” He’s both right and wrong.

First off, the security industry owes Randall a debt of gratitude for this comic; people who don’t normally interact with security technologies (or only grudgingly) are discussing and debating the merits of various password algorithms, and whether “correct horse battery staple” is, in fact, more memorable and more secure than “Tr0ub4dor&3”. That’s an important conversation to have.

Is it more secure?

Randall plays a trick on the audience, by picking a single strawman password implementation, and showing how weak it is compared to a preferred model. He also limits himself to a specific attack vector (against an online oracle), which makes the difference between the two seem larger than it really is.

Consider the following (obvious) variants of the “weak” password algorithm presented in the comic: “Tr0ub4dor&3!”, “Troubbador&3”, “2roubador&3”. None of these match the algorithm presented – so they don’t fit into the 28 bits of entropy of concern. That doesn’t make them perfect, I merely note that Randall arbitrarily drew his line around “likely passwords” where he wanted to. That’s not necessarily unreasonable: for instance, if a password scheme requires 8 characters, including at least one upper case, one lower case, one number, and one symbol, assuming people will pick “Upper case, five lower case with a number thrown in, symbol that is a shifted-number” probably isn’t a bad idea, and lets you ignore 99.9975% of possible 8-character passwords. But it is unreasonable if you’re arguing that your specific model might be better.

Let’s say that we give users the simple model proposed: pick four random words. People fail at picking random things; see Troy Hunt’s analysis of the passwords revealed in the Sony Pictures breach. So if you let the user pick the word list, you’ll end up with common phrases like “patriots football super bowl” or “monkey password access sucks”, and adversaries will start there. Or, we can give users their passphrases, and probably discover later that there was a bug in the random number generator used to select words, and half of our users have the passphrase “caffeine programmer staccato novel”.

Randall is correct that, when it comes to user-memorized secrets, longer is better. So is less predictability. Most password rules are designed to move from easy predictability (common words) to harder predictability (common words plus some interspersed silly keystrokes).

The real risk

Going back to Troy Hunt’s analysis, the real risk isn’t that someone will use an online oracle to brute force your password or passphrase. The real risk is that some password holder will be breached, and like 67% of users, you’ll have used the same password on another site. Password strength doesn’t help at all with that problem.

But which one?

The answer is neither. If you’re using either password scheme demonstrated by Randall, change it (e.g., add some random symbols between your words), as it’s now more likely to be an adversarial target. The real question is how do we get away from passwords? SSL certificates – for all their issues – are one option. One time passwords – generated either by a dedicated token or application, or out-of-band, via SMS – also are an interesting choice.

But if the only threat you’re worried about are online oracle attacks, you can defend against those by looking for them, and making them harder for adversaries to conduct. But that’s a mostly losing battle in the long run.