Bad password choices: don’t miss the point
Phish, Phowl, and Passwords
I spend a lot of time defending educational as opposed to purely technical solutions to security. Not that I don’t believe in the usefulness of technical solutions: that is, after all, ESET’s core business. However, there are many people in the security business who believe that education is a waste of time because it isn’t 100% effective. Unfortunately, you can make the very same argument against any technological solution. Randy Abrams and I discussed that conflict of ideas at some length in a paper for AVAR: see People Patching: Is User Education Of Any Use At All? And Robert Slade made some excellent points more recently in a blog about Security unawareness.
Static passwords are a pretty good example of a technology that has proved to be less than 100% effective time and time again, yet is considered effective enough to remain the authentication mainstay of many a web service. Well, you could argue that it’s not so much about effectiveness as about a trade-off between effectiveness in terms of privacy and the cost of implementing better authentication mechanisms. But that’s a discussion for another time.
There’s a saying to the effect that “if you give a man a fish, you feed him for a day: teach him to fish, and you feed him for a lifetime.” While the provenance of that saw is obscure, it’s worth examining more closely in the context of security, though in that context it might be better recast as “If you show a man a phish, you prevent him from falling for that one: if you teach him to recognize phishing, you save yourself and him a lot of hassle.” And, in fact, I’ve written quite a lot about phishing in the past:
Quite a Few Pairs of Breaches
However, right now I’d like to apply that thought to password practice, an area of security (or, more accurately, privacy) that’s probably of more immediate concern to most of us, in a year that’s so far been most notable for a series of major password breaches. On more than one occasion I’ve quoted Mark Burnett’s top 500 and one or two similar lists of the most-overused passwords, and recently I’ve noticed quite a few journalists citing their own lists, but what does this teach the man-in-the-street (especially if he’s doing his on-line banking on his smartphone as he wanders down to the pub) about password choices?
Well, it isn’t wholly useless, or I wouldn’t have bothered in the first place (or, to be precise, the second place, i.e. at the time of the Yahoo! debacle). Sometimes a service uses a ‘three strikes and out’ approach to controlling password or passcode authentication, suspending an account after 3 unsuccessful attempts to supply the correct password, so avoiding the top 25 (say) most over-used passwords might be good enough to secure the account from an opportunistic attack using common passwords, and even where the suspension is automatically lifted after a preset time, that does at least reduce the potential effectiveness of a dictionary or guessing attack. But simply listing the top umpteen bad passwords isn’t really teaching anyone anything about password selection except to avoid a tiny handful of the billions of possible passwords and passphrases.
Horrific Heuristic
And in fact, that tiny handful, whether it’s 25 or 10,000, stays tiny even when you measure it against the millions of combinations that will be tried in a determined dictionary attack. In a recent Securiteam blog, I compared the two approaches in these terms. If you simply offer a list of bad passwords sorted by prevalence, you are effectively offering a series of micro-heuristics like this:
Don’t use ‘a’
Don’t use ‘aa’
Don’t use ‘aaa’
…
Don’t use ‘aaaaaaaaaaaaaaaaaaaaaaa’
Don’t use ‘b’
Don’t use ‘bb’
Valid heuristics, yes, but it saves an awful lot of typing just to say: “Don’t use any password consisting of a single character repeated N times.” Or even “password is a really, really bad choice of password: it’s so obvious that everybody uses it, and letmein isn’t much better.”
So let’s look (for the third and probably final time – in this blog, at any rate) at that list of 25 passwords again. But rather than ranking them by how commonly they’re used (the sorted-by-prevalence column), let’s look at the alphanumeric order and see if that enables us to extract any heuristics more useful than ‘don’t use any of these 25 strings’.
Sort of Sorted
Well, that’s interesting and maybe a little unexpected. In fact, it demonstrates the dangers of (1) using too small a dataset and (2) making assumptions about how applicable those data are in different contexts. Having done some analysis on purely numeric data as well as on larger password datasets, I know that the rule I mentioned above – “Don’t use any password consisting of a single character repeated N times” – is pretty sound in the context of both alphanumeric passwords and purely numeric strings (especially PINs – Personal Identification Numbers: see Hearing a PIN drop and PIN Holes: Passcode Selection Strategies), but that heuristic isn’t specifically supported by this small dataset, where only one such password – 111111 – is represented. So you’ll have to take my word for it that in larger datasets, other single-character passwords (numeric and alphabetical) are indeed (over-)used and therefore a bad choice.
Rules are Rules
A rule that does hold, however, is that passwords consisting of an ascending series of numbers starting at 1 are not a good, or a unique and original, idea. The following all appear in the list above, all but one being in the top 6.
- 1234
- 12345
- 123456
- 1234567
- 12345678
Curiously, 1234567 comes in at number 25. That might be related to the fact that many authentication mechanisms enforce (or used to enforce) a minimum of just 6 characters: people who take this easy route to selecting a password are not likely to go to 7 characters if they only need six. A seven-character minimum is pretty unusual. However, when services started to get more password-conscious (or entropy-conscious), many started to use an eight-character minimum, which probably explains why 12345678 ranks so highly. 1234 is also very highly ranked in PIN prevalence data, by the way.
There might actually be two reasons why people favour this group of numeric strings.
- It’s not difficult to remember a simple increment-by-one series like this: all you have to do is remember when to stop.
- But you rarely need to remember the series at all: all you have to do on most computer keyboards is finger-step your way along the appropriate row of the keyboard. Which certainly also explains the presence of QWERTY, the first 6 alphabetical characters on the next row down on a standard keyboard. And yes, people do use QWERTYUIOP or a subset thereof when they need a longer password. In countries that use a slightly different layout on that row – AZERTY, for instance – we see reports of the modified string or substring being used instead of the QWERTYUIOP substring. (See PIN Holes: Passcode Selection Strategies.)
What about 2000? Well, that’s too popular to be a good choice, of course. But why 2000? Probably because people quite often use memorable dates, even just the year where they can get away with 4 digits, as in the context of most PINs. However, it’s pretty safe to assume that memorable years (1066, 1492, 2000, 2001, any recent Olympic year) will be high on a password guesser’s list, and where an automated attack can be implemented, it doesn’t take long to cycle through all the possible 4-digit combinations.
Then there’s 696969. I have a theory about why that one is so popular, and while the popularity of pussy (which is also in this top 25) is no doubt because cat lovers need passwords too, there are several other words and phrases likely to be sex-related – including four-letter words – that aren’t in this list, but do turn up in several others. I’m not particularly squeamish myself, but I would suggest that if you think that nobody else ever used an obscenity or a word related to sexual practices as a password, you should think again.
There is only one mixed alphanumeric string in this list – abc123 – but there are several others that turn up in other lists, including such noble items as NCC1701, better known as the USS Enterprise. Well, you might want to avoid those two.
Back to a Drawing Board
So we have several sport-related passwords: clearly baseball and football are too popular to be a good idea, but you’ll find that other popular sports also make over-popular passwords (Michael and Jordan? Hmm…). But then, any word you’re likely to find in a dictionary is going to be guessed eventually (i.e. sooner rather than later) in an automated attack. We could look at the psychology behind the other choices of dictionary word that make up the rest of this list, but there doesn’t seem to be a lot of point to it. Clearly, there isn’t much potential for useful heuristics in the top 25. So for the next blog in this series, I’m going to abandon the Top Umpteen approach altogether and start again from the basics of sound password selection. If you’d like to try a more sprightly approach, though, you might want to take a look at A Torrent of Abuse for an attempt at password advice by parody.
Remember, though, that any password is only as good as the service to which it gives access: it doesn’t matter how hard to guess it is, if the service provider is incapable of providing effective security to keep an effective password secure.
A Teasing Conclusion
So here’s a quick summary of the little that we can learn from this top 25:
- Avoiding the most popular passwords is safer than using one of them, especially the top three. But avoiding even the top 100, 1,000, or 10,000 is only good enough if the authentication mechanism is well-implemented and your passwords are well-protected by the provider on its own systems.
- Passwords, passphrases and PINs consisting of a single character repeated are very, very unsafe.
- Any numeric or alphabetic series ascending in increments of one or more is vulnerable to a guessing attack, a dictionary attack, or an algorithmic attack. So any substring of 0123456789 or abcdefghijklmnopqrstuvwxyz is likely to fail pretty quickly.
- Any password – or passphrase – that can be found in a dictionary is easily crackable if the authentication mechanism allows a dictionary attack.
- Passwords with a sexual connotation or using swearwords are very widely used, and therefore highly vulnerable to a guessing or dictionary attack.
In addition, a decent password manager saves you a lot of thinking in terms of generating a hard-to-crack password and reduces the temptation to re-use passwords and risk a cascade of breaches when one of your providers slips up, as so many have done recently. I’m looking at password management software at the moment, and while I’m reluctant to make too-specific recommendations, I’ll be trying to give you some idea of what to look for in password management in another forthcoming article.
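As an added illustration (my code, not from the original post or from ESET), here is a small screening function that turns the heuristics above into checks a service could run at password-set time: the over-used list (only the entries this post names, not the full top 25), a single character repeated, stepped sequences such as substrings of 0123456789 or the alphabet, keyboard-row walks including the AZERTY variant, and bare four-digit years. The keyboard rows and the list subset are my own assumptions.

```python
from typing import List

# Assumption: a partial set of the over-used passwords named in the post, not the full list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "1234", "qwerty", "12345",
                    "letmein", "abc123", "111111", "2000", "696969",
                    "baseball", "football", "michael", "jordan", "1234567"}
# Assumption: letter rows of QWERTY plus the AZERTY top row the post mentions.
# The number row is covered by the stepped-run check below.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "azertyuiop")


def _has_stepped_run(s: str, min_len: int = 4) -> bool:
    """True if any all-digit or all-letter window of s has a constant non-zero
    step between neighbours, e.g. 1234, 2468, dcba or abcd (increments of one or more)."""
    for i in range(len(s) - min_len + 1):
        w = s[i:i + min_len].lower()
        if not (w.isdigit() or w.isalpha()):
            continue
        codes = [ord(c) for c in w]
        step = codes[1] - codes[0]
        if step != 0 and all(b - a == step for a, b in zip(codes, codes[1:])):
            return True
    return False


def _has_keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if any window of s lies on a keyboard row, read left-to-right or right-to-left."""
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - min_len + 1):
            window = s[i:i + min_len]
            if window in row or window in row[::-1]:
                return True
    return False


def weak_password_reasons(pw: str) -> List[str]:
    """Return the name of every heuristic from the post that the candidate password trips.
    An empty list means none of these cheap checks fired (not that the password is strong)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in over-used list")
    if len(pw) > 0 and len(set(pw)) == 1:
        reasons.append("single character repeated")
    if _has_stepped_run(pw):
        reasons.append("stepped sequence")
    if _has_keyboard_walk(pw):
        reasons.append("keyboard walk")
    if pw.isdigit() and len(pw) == 4 and (pw[0] == "1" or pw.startswith("20")):
        reasons.append("4-digit year")
    return reasons
```

Rejecting a password only on these grounds is the point the post makes about the top-25 approach: it removes a tiny handful of guesses, so it complements, rather than replaces, rate limiting and proper storage on the provider's side.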
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
