Bruce Schneier

Why You’re Doing Passwords Wrong

If you use passwords, there’s a good chance you’re doing them wrong and exposing yourself to unnecessary risk.

My intent is to provide some basic information on how you can do passwords better1, suitable for grandma to use (no offense grandma), because there’s no reason that you can’t do passwords better.

Why We Have Passwords

In the beginning, the internet was a benevolent place. If I said I was fergbrain, everyone knew I was fergbrain. I didn’t need to prove I was fergbrain. Of course, that didn’t last long and so passwords were created to validate that I was, in fact, fergbrain.

Passwords are one of three ways in which someone can authenticate who they are:

  1. Password: something you know
  2. Token: something you have that can’t be duplicated (such as an RSA token or YubiKey)
  3. Biometric: something you are (such as a fingerprint or other biometric marker unique to you)

Back In The Day™, passwords were the de facto method of authentication because they were the easiest to implement and in many ways still are.

At the time, token-based methods were just on the verge of development with many of the technologies (such as public-key encryption) not even possible until the mid 1970’s. And once suitable encryption was more completely developed2, it could not be legally deployed outside of the United States until 1996 (President Clinton signed Executive Order 13026).

Finally, biometric authentication was an expensive pipe dream3.

The point being: passwords were the method of choice; and as we know, it is quite difficult to change the path of something once it gets moving.

Having just one password is easy enough, especially if you use it often enough. But how many places do you need to use a password? Email, social media, work, banking, games, utilities…the list goes on.

It would be pretty hard to remember all those different passwords. So we do the only thing we believe is reasonable: we use the same password. Or maybe a couple of different passwords: one for bank stuff, another for social media, maybe a third one for email.

Why Passwords Can Be a Problem

Bad guys know that most people use the same username, email address, and password for multiple services. This creates a massive incentive for bad guys to try and get that information. If the bad guys can extract your information from one web site, it’s likely they can use your hacked data to get into your account at other web sites.

For bad guys, the most bang for the buck comes from attacking systems that store lots of usernames and passwords. And this is how things have gone. Over just the last two years Kickstarter, Adobe, LinkedIn, eHarmony, Zappos.com, last.fm, LivingSocial, and Yahoo have all been hacked and had passwords compromised. And those are just the big companies.

In my opinion, most people know they have bad passwords, but don’t know what to do about it. It’s likely your IT person at work4 keeps telling you to make “more complex” passwords, but what does that mean? Does it even help? What are we to do about this? Can we do anything to keep ourselves safer?

How to do Passwords Better

There is no single best way to do passwords. The best way for any particular person is a compromise between security, cost, and ease of use.

There are several parts to doing passwords better:

Have Unique Passwords

If one web site is hacked, that should not compromise your data at another web site. Web sites generally identify you by your username (or email address) and password. You could have a different username for every single web site you use, but that would probably be more confusing (and could possibly lead to a personality disorder). Besides, having to explain to your friends why you go by TrogdorTheMagnificent on one site but TrogdorTheBold on another site would get tiring pretty quickly.

For reasons which I hope are obvious, making your passwords unique is better than making your usernames unique. Unless you don’t want people to find you, then make both your username and password unique.

General Rule of Thumb

Passwords should be unique for each web site or service.

Why: If a unique password is compromised (e.g. someone hacked the site), the compromised password cannot be used to gain access to additional resources (i.e. other web sites).

If you’re asking yourself, “But how do I remember all those passwords?!” just hold your horses.

Choose better passwords

People suck…at picking good passwords.

If you choose your own passwords, here’s a little test:

  1. For the 1st character in your password, give yourself 4 points.
  2. For 2nd through 8th character in your password, give yourself 2 points for each character.
  3. For the 9th through 20th character in your password, give yourself 1.5 points for each character.
  4. If your password has upper case, lower case, and numbers (or special characters), give yourself an additional 6 points.
  5. If your password does not contain any words from the dictionary, give yourself an additional 6 points.
  • If you score 44 points or more, you have a good password!
  • If you score between 21 and 44 points, your password sucks.
  • If you score 20 points or less, your password really sucks.

If my password was, for example, Ferguson86Gmail, I would only have 34.5 points:

  • F: 4 points
  • erguson: 2 points each, 14 points
  • 86Gmail: 1.5 points each, 10.5 points
  • I have uppercase, lowercase, and a number: 6 points
  • “Ferguson” and “gmail” are both considered dictionary words, so I get no extra points

Instead of choosing Ferguson86Gmail as my password, what if my password was Dywpac27Najunst? The password is still 15 characters long, it still has two capital letters, and it still has two numbers. However, since it’s randomly generated it would score 89.3 — over twice as many points as the password I chose.

What’s going on here?

When you make up your own password, such as Ferguson86Gmail, you’re not choosing it at random and thus your password will not have a uniform random distribution of information5.

Passwords chosen by users probably roughly reflect the patterns and character frequency distributions of ordinary English text, and are chosen by users so that they can remember them. Experience teaches us that many users, left to choose their own passwords will choose passwords that are easily guessed and even fairly short dictionaries of a few thousand commonly chosen passwords, when they are compared to actual user chosen passwords, succeed in “cracking” a large share of those passwords.6

The “goodness” of a password is measured by randomness, which is usually referred to as bits of entropy (which I cleverly disguised as “points” in the above test). The reality of the situation is that humans suck at picking their own passwords.

More Entropy!

If more entropy leads to better passwords, let’s look at what leads to more bits of entropy in a password. The number of bits of entropy, H, in a randomly generated password (versus a password you picked) of length, L, is:

H=log_{2}N^{L}

Where N is the number of characters possible. If you use only lowercase letters, N is 26. If you use lower and uppercase, N is 52. Adding numbers increases N to 62.

For example:

  • mougiasw is an eight-character all lowercase password that has log_{2}26^{8}=37.6 bits of entropy.
  • gLAviAco is an eight-character lowercase and uppercase password that has log_{2}52^{8}=45.6 bits of entropy
  • Pr96Regu is an eight-character lowercase, uppercase, and numeric password that has log_{2}62^{8}=47.6 bits of entropy.

Adding uppercase gets us 8 additional bits, but adding numbers only nets us 2 additional bits of entropy. However, look what happens when we just add additional characters instead:

  • vubachukus is a ten-character all lowercase password that has log_{2}26^{10}=47.0 bits of entropy.
  • neprajubrawa is a twelve-character all lowercase password that has log_{2}26^{12}=56.4 bits of entropy.

For every additional character, you add log_{2}N bits of entropy. And unlike expanding the character set (e.g. using uppercase letters and/or numbers and/or special characters), you get more bits of entropy for every additional character you extend your password by…not just the first one.
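As an added example (not code from the original post), here are the point test from the “Choose better passwords” section and the entropy formula H = log_2 N^L from this section written out in Python, so both can be run against the post’s own sample passwords. The tiny wordlist is a constructed stand-in for a real dictionary, and the helper names are my own.

```python
import math

# Constructed sample wordlist standing in for a real dictionary (assumption:
# the post names "Ferguson" and "gmail" as dictionary words but gives no list).
SAMPLE_DICTIONARY = {"ferguson", "gmail", "password", "welcome", "dragon"}


def user_chosen_score(password, dictionary=SAMPLE_DICTIONARY):
    """Score a user-chosen password with the point scheme from the post.

    1st character: 4 points; 2nd-8th: 2 points each; 9th-20th: 1.5 points
    each (the post awards nothing beyond the 20th); +6 if upper case, lower
    case and a digit or special character are all present; +6 if no
    dictionary word appears anywhere in the password.
    """
    score = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            score += 4
        elif position <= 8:
            score += 2
        elif position <= 20:
            score += 1.5
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_other = any(not c.isalpha() for c in password)  # digit or special char
    if has_upper and has_lower and has_other:
        score += 6
    lowered = password.lower()
    if not any(word in lowered for word in dictionary):
        score += 6
    return score


def verdict(score):
    """Map a score onto the post's three verdicts."""
    if score >= 44:
        return "good"
    if score > 20:
        return "sucks"
    return "really sucks"


def alphabet_size(password):
    """N from the post: 26 for lower case only, 52 with upper case, 62 with digits."""
    n = 26
    if any(c.isupper() for c in password):
        n += 26
    if any(c.isdigit() for c in password):
        n += 10
    return n


def random_entropy_bits(length, n):
    """H = log2(N^L) = L * log2(N) for a password drawn uniformly at random."""
    return length * math.log2(n)


if __name__ == "__main__":
    for pw in ("Ferguson86Gmail", "Dywpac27Najunst"):
        s = user_chosen_score(pw)
        h = random_entropy_bits(len(pw), alphabet_size(pw))
        print(f"{pw}: {s} points ({verdict(s)}), "
              f"{h:.1f} bits if it had been generated at random")
```

The point scheme is the estimate for user-chosen passwords, while the entropy formula is what the post applies to randomly generated ones; that is why Dywpac27Najunst is credited with 89.3 bits (15 characters over a 62-character alphabet) rather than tallied with the points.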

The good news is that for randomly generated passwords, increasing the length by one character increases the difficulty of guessing it by a factor of 32. The bad news is that for user-selected passwords, each additional character added to make a password longer only quadruples the difficulty (adding roughly 2 bits of entropy, based on NIST Special Publication 800-63 Rev 1, for the first 12 characters of a password).

More bits of entropy is better and I usually like to have at least 44 bits of entropy in my passwords. More is better.

Having to break out a calculator to determine the entropy of your passwords is not easy, and passwords should be easy. So let’s make it easy:

General Rule of Thumb

Longer passwords (at least ten characters long) are better than more complex passwords.

Why: Adding complexity only provides a minimal and one time benefit. Adding length provides benefit for each character added and is likely to be easier to remember.

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Track Your Passwords

The inevitable reality of doing passwords better is that you need a way to keep track of them. There simply is no way a person can keep track of all the different passwords for all the different sites.

This leaves us with two other options:

Write Down Your Passwords

Yes. Writing your passwords down in a safe place is an acceptable method of keeping track of your passwords:
From www.schneier.com:

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

Bruce Schneier, 2005

Writing down passwords can be appropriate because the most common attack vector is online (i.e. someone you’ve never even heard of trying to hack into your account from half-a-world away) with the following caveat: you make them more unique and more entropic.

By writing down passwords, you can increase their entropy (i.e. making them harder to guess) since you don’t have to memorize them. And since you don’t have to memorize them, you are more likely to create a better password. Additionally, if you write your passwords down, you don’t have to remember which password goes with which account so you can have a different password for each account: this also increases password uniqueness.

Encrypt Your Passwords

It would be reasonable to obfuscate your password list — instead of just writing them down in plaintext — so that if someone were to riffle through your wallet, they wouldn’t immediately recognize it as a password list or know exactly which passwords go with which accounts.

Instead of keeping them on a piece of paper, you could use a program to encrypt your passwords for you. There are a variety of ways to safely encrypt and store your passwords on your computer. I have been using 1Password for several years now and have been very impressed with their products7.

KeePass is another password manager I’ve used; however, it does not have good support for OSX. There are other systems one could use, including Password Safe and YubiKey.

I tend to be leery of web-based systems, such as LastPass and Passpack for two reasons:

  1. Having lots of sensitive data stored in a known location on the internet is ripe for an attack.
  2. The defense against such an attack is predicated on the notion that the company has implemented their encryption solution correctly!

General Rule of Thumb

You don’t have to remember your passwords.

Why: It’s better to have unique and more entropic passwords than it is to never write down your password.

That’s it! Hopefully you found this helpful, now go make your passwords better and report back!

19 February 2014: Added additional clarification about entropy of user-generated versus randomly-generated passwords.

  1. Arguably, there is no one right way to do passwords 

  2. it’s one thing to prove the mathematics of something, it’s a whole other thing to release a suitable product 

  3. and still sort of is 

  4. or your son/grandson/nephew/cousin 

  5. this is, in part, how predictive typing technologies such as SWYPE work 

  6. NIST Special Publication 800-63 Rev 1 

  7. as well as their technical discussions on topics such as threats to confidentiality versus threats to availability 

How to Defeat Terrorists

I was having dinner with family and some good friends, one of whom is an engineer several scores my elder. One of the topics that came up was how engineers see the world differently. This can be a potentially prickly question, especially since engineers are often considered to lack adequate social skills.

I have always been a “glass is twice as big as it needs to be” kind of guy — neither optimistic nor pessimistic…things just are.

The Boston Marathon Bombing a month ago was a horribly tragic event. In the aftermath, I felt powerless. I was scared that I no longer had sufficient control or predictability in my life, that at any moment a bomb may go off and I would be the one killed.

As I let that sit, the conclusion my mind settled on is remembering that life is unpredictable. We can guess what will happen next with relatively good accuracy. And for everything else there is typically various forms of redundancy.

In the end, things just seem to work. Except when they don’t.

Redundancy provides a statistical reduction in probability of failure through investment. It could be considered a form of insurance since it’s a risk shift through payment.

Redundancy is not free, and may often go unused. Sometimes we misjudge the risk and bad things happen.

Bruce Schneier is one of my favorite authorities on system security and once again provides great insight:

From www.theatlantic.com:

It’d be easy to feel powerless and demand that our elected leaders do something — anything — to keep us safe.

It’d be easy, but it’d be wrong. We need to be angry and empathize with the victims without being scared. Our fears would play right into the perpetrators’ hands — and magnify the power of their victory for whichever goals whatever group behind this, still to be uncovered, has. We don’t have to be scared, and we’re not powerless. We actually have all the power here, and there’s one thing we can do to render terrorism ineffective: Refuse to be terrorized.

Empathize, but refuse to be terrorized. Instead, be indomitable — and support leaders who are as well. That’s how to defeat terrorists.

I disagree with Bruce on being scared; in my opinion, feeling scared is valid, especially immediately after something like the Boston Marathon Bombing. What I believe Bruce is getting at is our long-term stance, and I agree that in the long term we must choose not to be scared. We need to understand the bigger picture and choose to not be terrorized. Far too many of those whom we have elected (and continue to elect) are scared, even if they are only scared of losing their next election.

We must make better choices. We must choose to be indomitable. We must choose to support leaders who are not afraid. We must choose to make appropriate choices in the redundancy of our systems. We must not let the terrorist win.


My Brief Thoughts on Northwest Flight 253

I’m going to keep this short, no more than 250 500 1000 words1.

As you all know by now, there was an attempt to blow up another airplane. Although it was initially reported as someone lighting off firecrackers, it was soon discovered to be a makeshift bomb and “Bomb experts say there was more than enough explosive to bring down the Northwest jet, which had nearly 300 people aboard, had the detonator not failed.”2

I haven’t heard much as to the explosive nature of the bomb, other than it was “PETN3 and possibly a glycol-based liquid explosive”4 and it was “carried in a soft plastic container – possibly a condom.”5

While there may have been enough explosives present by mass to destroy an airliner (and I even have some doubts about that6, given the lack of calculations I’ve seen), what are the odds7 of our suspect (or any future suspect) maximizing the effectiveness of such an explosive given their circumstances?

Here’s what I’m really concerned about though: Richard Clarke, former counterterrorism czar and ABC News consultant, has this to say, “We’ve known for a long time that this is possible and that we really have to replace our scanning devices with more modern systems.” Clarke said full body scans were needed, “but they’re expensive and they’re intrusive. They invade people’s privacy.”8

Responding to a need for fuller and more frequent body pat-downs and scanning, Rep. Peter King of New York, the top Republican on the Homeland Security Committee, said, “I think we have to head in that direction… Yes, there is some brief violation of privacy with a full body scan. But on the other hand, if we can save thousands of lives, to me, we have to make that decision.”9

Why are we continuing to move in a direction that is A) ineffective and B) in violation of our constitutional rights10? (See also: A Discussion on the Fourth Amendment and National Security)

In response, the TSA has issued emergency rules that I’m sure will go far in helping keep people safe: From www.businessweek.com:

Airline passengers traveling to the U.S. from other countries were ordered to remain seated for the last hour in flight, and were limited to one carry-on item in response to an attempted terrorist attack yesterday on a Northwest Airlines flight to Detroit from Amsterdam.
New U.S. Transportation Security Administration rules also prohibit passengers from getting anything from their carry-on bags or having anything in their laps in the final hour of flight, the agency said.

Bruce Schneier, an internationally renowned security technologist and author, had this to say in response to Northwest Flight 253 and the new TSA rules:
From www.schneier.com:

And what sort of magical thinking is behind the rumored TSA rule about keeping passengers seated during the last hour of flight? Do we really think the terrorist won’t think of blowing up their improvised explosive devices during the first hour of flight?

For years I’ve been saying this:

Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.

This week, the second one worked over Detroit. Security succeeded.

Now is not the time to strip more of my rights away in the name of security; I’m sick and tired of being treated like a criminal. (My new policy: “Do I have the right to refuse this search?”)

Now is the time to establish a new type of system: a system that works. I don’t have all the answers, but I do know that what we have now and the path we’re on is ineffective and needs to change.

And may God help whoever tries to blow up a plane I’m on; because I will own their sorry ass.

Thumbnail: “I’m as mad as hell, and I’m not going to take this anymore!” from Network (1976), released by MGM. © 1976 MGM.

  1. including quotes and footnotes 

  2. Officials: Only A Failed Detonator Saved Northwest Flight 

  3. NB: Same explosive Richard Reid used in 2001; gee, taking my shoes off during screening really helped prevent that from happening again… 

  4. U.S. Airline Security Reviews Under Way 

  5. Official: Explosive PETN Used in Attack 

  6. PETN – hard to detect and just 100g can destroy a car 

  7. The Odds of Airborne Terror 

  8. Officials: Only A Failed Detonator Saved Northwest Flight 

  9. U.S. Airline Security Reviews Under Way 

  10. “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” – Fourth Amendment to the United States Constitution