Troy Hunt

On Remembering Secure Passwords

08 September 2011

Troy Hunt believes that it is time we stopped kidding ourselves that we are capable of remembering different secure passwords for all the sites we use. We can't reuse the same password across sites, and each password must be fit for purpose. So what's the solution?

I’m sorry, but were you actually trying to remember your comical passwords?

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world).

His password strength comic was no exception; very funny stuff about the pain people will go to in order to try to create what they think is a strong password which they’ll ultimately forget. Anyway, the crux of the comic was this piece about using four random words as a way of creating a password that is both memorable and strong:

It goes on to calculate the bits of entropy in this password versus shorter versions using (unmemorable) character substitutions and concludes that:

Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Difficulty to remember: Hard.

Although this one password can probably be remembered easily, using the little mental image Randall suggests, you can’t apply that approach consistently (if at all, in some cases) and uniquely across all your accounts and still remember what on earth they are and which sites they belong to. Because of the number of passwords you need to retain, you’re really back at the conclusion in the first part of the strip, which shows the character-substitution password and where Randall concludes “Difficulty to remember: hard”.

This is not the first time a solution has cropped up. Often when I write about password management I get a whole lot of comments about how someone has the perfect system. These have included:

  1. Writing a short sentence (how are you going to remember which unique phrase belongs to which account across the whole gamut of your online identities without resorting to password reuse?)
  2. Using Diceware to generate passwords (unless you're a Rain Man style savant, it's fundamentally flawed, or "incomplete" to be fairer, in that all it does is generate pass-phrases. Your problem now is remembering which phrase belongs to which site, which is fine for a small handful but becomes a problem at 10, 30 or 50. Plus you're assuming that each site will actually allow both the length and the character range (even just letters) the dice rolls generate, and many won't.)
  3. Creating complex algorithms (the problems come with the many sites and services that have arbitrary restrictions, such as limiting passwords to eight characters or fewer and/or prohibiting special characters)
  4. Breaking up a word with a random character
  5. Creating a “seed” password then adapting it to each site (when you need to change your password for a site you're forced to break the pattern. If you have multiple accounts for one site (e.g. business and personal Twitter accounts), at least one of them has to break or adapt the pattern. Many sites simply won't allow the character range, and sometimes the length, that this method generates. All this means you end up with exceptions that need to be managed. Worse, simple pattern-based schemes are extremely vulnerable once two or more of your accounts are exposed: if I had, say, your Gawker password and your Sony password and they both followed the pattern, I'd own every single account you applied the same approach to.)
  6. Using the “offset key” pattern (“d” becomes “r”, “v” becomes “g”, etc. It is very easy to break, and you still need to remember which password belongs to which site.)
  7. Using the first letter of each word in a sentence (how will you remember which password belongs to which site? And how will you handle sites which don't allow letters in the password?)
  8. Generating random strings from a Linux command line (unnecessary now that password managers like 1Password exist: hit the "Generate" button and you get a string matching your predefined entropy criteria.)
  9. Picking words at random and combining them (a derivative of the other approaches above)

...and that’s just the comments directly on my blog from one post.

 The patterns repeat themselves across other posts and then across the likes of Reddit and Hacker News. It’s strange how often these turn up, often several times in comments on the one post, and how frequently the author thinks they’ve struck on something truly innovative and unique. I’ve even been asked to quote one of these “innovators” if I reproduced the password technique in other writing!
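To make the "seed password adapted per site" weakness concrete, here is a short added example (not code from the original post) that does what an attacker holding two breach dumps would do: look for a per-site token that, once removed, leaves the same fixed seed in both passwords, then predict the password for a third site. The leaked pairs are constructed for the example, and the list of candidate transforms is an assumption about how people commonly derive a site token, not a catalogue from any real breach.

```python
"""Recovering a 'seed plus site' password pattern from two breached passwords.

Added example, not part of Troy Hunt's article. The LEAKED pairs are
constructed; the TRANSFORMS list is an assumption about common habits.
"""

# Constructed sample: two leaked (site, password) pairs built from one seed,
# as if recovered from two separate breaches of the same person's accounts.
LEAKED = {"gawker": "Gaw!Summer2011", "sony": "Son!Summer2011"}

# Plausible ways a person derives a per-site token from the site name.
TRANSFORMS = {
    "first3_capitalised": lambda s: s[:3].capitalize(),
    "first3_lower": lambda s: s[:3],
    "first3_upper": lambda s: s[:3].upper(),
    "whole_name": lambda s: s,
    "whole_name_capitalised": lambda s: s.capitalize(),
    "first_and_last_letter": lambda s: s[0] + s[-1],
    "name_reversed": lambda s: s[::-1],
    "name_length": lambda s: str(len(s)),
}


def infer_pattern(leaked):
    """Find a transform plus a fixed (prefix, suffix) around its token that
    explain every leaked password. Returns (transform_name, (prefix, suffix))
    for the first transform that fits all samples, or None if none does."""
    for name, fn in TRANSFORMS.items():
        templates = set()
        for site, password in leaked.items():
            token = fn(site)
            idx = password.find(token) if token else -1
            if idx < 0:
                break  # this transform does not explain this sample
            templates.add((password[:idx], password[idx + len(token):]))
        else:
            # Every sample contained its token; the surrounding seed must match too.
            if len(templates) == 1:
                return name, templates.pop()
    return None


def predict(pattern, site):
    """Apply a recovered pattern to a site whose password has not leaked."""
    name, (prefix, suffix) = pattern
    return prefix + TRANSFORMS[name](site) + suffix


if __name__ == "__main__":
    pattern = infer_pattern(LEAKED)
    print("recovered pattern:", pattern)
    for target in ("twitter", "paypal", "amazon"):
        print(f"{target:8} -> {predict(pattern, target)}")
```

Two samples are enough because the seed is the part that does not vary; the more accounts a person protects with the scheme, the more third-site guesses a single recovered template yields. Change the seed in one of the samples and `infer_pattern` returns `None`, which is exactly the "exception you now have to manage" the list above describes.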

There are several problems that apply to all these solutions:

  1. Many sites cap password length at a small number of characters.
  2. Many sites also limit the character range – sometimes they’ll only allow digits.
  3. Sometimes you have multiple accounts for one website.
  4. Sometimes you need to change the password on a website (e.g. after a breach).
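The entropy arithmetic behind the comic, and the way site policies wreck it, can be shown in a few lines. The following is an added example, not code from the original post or from 1Password: it computes the bits for "n words from a list of size N" (the comic's 11 bits per word corresponds to a 2048-word list, which is assumed here), generates a four-word phrase with a CSPRNG, and checks it against illustrative policies modelled on the limits the article mentions (a 16-character cap, a 12-character cap, digits only, a six-digit PIN). The word list is a constructed stand-in for a real dictionary, and the policy dictionaries are illustrative rather than any site's actual rules.

```python
"""Passphrase entropy versus what a site's password policy will accept.

Added example, not part of Troy Hunt's article. WORDS is a constructed
stand-in for a real word list; POLICIES are illustrative, not real rules.
"""
import math
import secrets
import string

# Constructed sample vocabulary. Diceware ships 7776 words; the comic's
# "11 bits per word" corresponds to a 2048-word list.
WORDS = ["correct", "horse", "battery", "staple", "apple", "river", "stone",
         "cloud", "paper", "light", "green", "table", "music", "ocean",
         "tiger", "bread"]


def bits_for_words(list_size, n_words):
    """Entropy of n_words picked uniformly and independently from a list."""
    return n_words * math.log2(list_size)


def bits_for_chars(alphabet_size, length):
    """Entropy of a length-character string drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, n_words=4, sep=" "):
    """CSPRNG-backed, uniform, with replacement, so the entropy really is
    bits_for_words(len(words), n_words); no human selection bias."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def fits_policy(password, policy):
    """Check a candidate against a site's constraints; returns (ok, reason)."""
    max_len = policy.get("max_len")
    min_len = policy.get("min_len", 0)
    allowed = policy.get("allowed")
    if max_len is not None and len(password) > max_len:
        return False, f"too long: {len(password)} > {max_len}"
    if len(password) < min_len:
        return False, f"too short: {len(password)} < {min_len}"
    if allowed is not None and any(c not in allowed for c in password):
        return False, "contains characters the site rejects"
    return True, "ok"


def generate_for_policy(policy, words=WORDS, n_words=4):
    """Try the four-word scheme first; if the site will not take it, fall back
    to a random string over the site's alphabet and report the real entropy.
    Returns (password, entropy_bits, scheme)."""
    phrase = generate_passphrase(words, n_words)
    if fits_policy(phrase, policy)[0]:
        return phrase, bits_for_words(len(words), n_words), "passphrase"
    # Assumption: when a site gives no alphabet, all printable ASCII is usable.
    alphabet = policy.get("allowed") or (
        string.ascii_letters + string.digits + string.punctuation)
    length = policy.get("max_len") or 20  # assumption: 20 chars when uncapped
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, bits_for_chars(len(alphabet), length), "random"


# Illustrative policies modelled on the article's descriptions (not real rules).
POLICIES = {
    "amex-like": {"max_len": 16},
    "st-george-like": {"max_len": 12},
    "imb-like": {"allowed": string.digits, "min_len": 6},
    "airline-like": {"allowed": string.digits, "min_len": 6, "max_len": 6},
    "forum": {},
}

if __name__ == "__main__":
    print(f"4 words from 2048:            {bits_for_words(2048, 4):.1f} bits")
    print(f"4 words from 7776 (Diceware): {bits_for_words(7776, 4):.1f} bits")
    print(f"6-digit PIN:                  {bits_for_chars(10, 6):.1f} bits")
    for name, policy in POLICIES.items():
        pw, bits, scheme = generate_for_policy(policy)
        print(f"{name:15} {scheme:10} {bits:5.1f} bits  {pw}")
```

Run it and the digits-only and PIN policies never get a passphrase at all: a six-digit PIN is under 20 bits however carefully you pick it, which is the "throw out any password strategy which doesn't let you do this" point made below about airlines. The entropy figures only hold because `secrets.choice` does the picking; four words a person chooses "at random" from their own head are not uniform and the arithmetic no longer applies.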

But the mother of all problems, the one which trumps all the others hands down, is that you simply can’t remember any of these practices consistently and uniquely across all your accounts. Consequently, it means the people following these approaches either have total recall, or they’re reusing passwords. (normally when this is pointed out the discussion goes a bit quiet). Let me demonstrate the scale of the problem for the internet user nowadays.

The Scale of the problem

Counting accounts

What makes this whole password shenanigan difficult is that it’s not just one password we need in our online world, it’s many, many, many passwords. Yes, OAuth or OpenID across everything would be nice but, quite apart from the inherent problems they pose, there’s just no way your average bank is willing to hand over something as critical as authentication or authorisation to another party.

Now I’m probably not your average online user by virtue of the industry I work in, but let me try and illustrate the scale of the problem by talking about the accounts I have. This is based on what I have configured in 1Password – one of the leaders in password management software – where I’ve created half a dozen folders I categorise my accounts into:

1Password folder structure for groups of passwords

Going back to the original XKCD comic, we need to follow this pattern and generate unique passwords for every account:

Firstly, I have to apply this principle across my banking – this is absolutely, positively not an area to be taking shortcuts on so I’ll need eight sets of words:

[Eight pass-phrase images: “Oh no, yet another four word pass-phrase!” ×8]

Why so many banking logins? Savings accounts, couple of credit cards, property finance, PayPal then some of my wife’s accounts as well which, incidentally, are often with the same institutions. Oh, and my Amex password is limited to 16 characters so I can’t apply the principle anyway. Oh cripes, there’s also my St. George bank account and that’s only 12 characters. Uh oh, there’s also IMB who’ll only take digits so now I’ve got another problem. At least it’s only eight accounts!

Let’s move on to shopping accounts and given these can have a direct financial impact on me, I kind of want to look after them pretty well so I’ll need a dozen more four word combinations:

[Twelve pass-phrase images: “Oh no, yet another four word pass-phrase!” ×12]

This probably isn’t that many accounts compared to serious online shoppers but still, stuff like eBay is pretty important to me, plus of course most of these have all my billing details on file so they’ll track me down if someone starts buying stuff on my behalf.

It’s a little bit the same with my accounts related to entertainment; misuse of these can screw with me financially so I’m going to be careful with them which means I need another fourteen combinations:

[Fourteen pass-phrase images: “Oh no, yet another four word pass-phrase!” ×14]

Many of these have my credit card on file not to mention the fact that it can make life pretty painful if the account details fall into the wrong hands. Scott Hanselman’s recent iTunes experience is an example of this and that’s one of the accounts I need to protect. Now add in other stores where I’ve purchased music, played games or ordered tickets online and the numbers start stacking up pretty quickly.

Then there are the airlines and their reward programs. I don’t really want people seeing where I’ve been flying to and I particularly don’t want them booking any flights on my behalf with my hard-earned frequent flyer points so let’s create another half dozen unique passwords for them:

[Six pass-phrase images: “Oh no, yet another four word pass-phrase!” ×6]

Oh, and almost without exception airlines will only let you create passwords with four or six digits so throw out any password strategy which doesn’t let you do this.

Then there are the online forums of which I seem to have accumulated quite a few. These are often pretty loosely put together apps and I know many of them are storing plain text passwords (just try the password reminder feature), so I’ll need another twenty two unique passwords please:

[Twenty-two pass-phrase images: “Oh no, yet another four word pass-phrase!” ×22]

Some of these aren’t particularly significant to me, but in many cases they’re a small – albeit important – part of my online identity. I’ve obviously spent a lot of time in technology based discussions, but also in other places talking about cars, real estate and even coffee where I don’t want someone jumping in and reading my private messages or impersonating me and potentially messing up the work I’ve put into my online persona. I know that many people espouse “throwaway accounts” where they don’t care about the security but my online identity is important to me and I don’t want someone jumping up and being obnoxious (or worse), using my name, email, possibly photo and other online attributes.

But possibly one of the most vulnerable – or at least “important” categories of account I have are the social media ones of which I’ve accumulated another eighteen accounts:

[Eighteen pass-phrase images: “Oh no, yet another four word pass-phrase!” ×18]

These accounts include information on everything from the conversations I’ve had with my wife to my kid’s photos to my Twitter identity. It’s really important stuff to me and they’re possibly the accounts I most want protected; in some cases they’re on a par with things like banking (which generally has pretty good fraud protection these days). There are a few accounts in there I really don’t use (never could get into foursquare), but again, I still don’t want other people messing with them and gaining access to personal data.

Finally, there’s everything else that doesn’t fit neatly into a category so that’ll be another fifty unique passwords to remember please:

[Fifty pass-phrase images: “Oh no, yet another four word pass-phrase!” ×50]

Why so many and what on earth is in there? Everything from email to FedEx package tracking to RescueTime to Dropbox and Mozy backups to the formula1.com account I needed to be able to use the iPhone app. Heaps of stuff I care deeply about, other stuff I care less about but still, that’s a whole lot of passwords.

So in total, I’m tracking one hundred and thirty accounts. Very few people will read this and have less than 30 accounts, even if you can’t think of them all off the top of your head right now (can you really remember every account you’ve ever created?) Be honest, add them all up and see what you get to, even the ones you don’t use that often. And if you don’t have 30 accounts now, just how long will it be until you do? Having recently gone through the password management exercise with my father in his 60s and not coming from a technology background, I know that at worst, any regular online user will almost certainly have more accounts than they can count on their fingers and toes and definitely more than they can apply their memory to.

The point of all this is to graphically illustrate the volume of online accounts we inevitably accumulate and that memory based password management doesn’t work. There are always exceptions, be they with sites with overly restrictive password rules, instances of multiple accounts per site or when you simply want to change a password. It’s simply infeasible.

It’s not about memory; it’s about the ability to retrieve

A lot of the problem with passwords seems to stem from folks thinking they need to be able to remember their passwords. Who on earth ever gave them this idea?! The concept is flawed by design; memorable is the antithesis to secure.

Of course there are a very small number of accounts you do need to remember; the master password on my 1Password account, for example. The password on my PC which I enter directly many times per day is another example and in both cases, I simply can’t create the entropy I do for my online accounts using a password manager. But then again, these don’t have the same exposure and risk profile as online accounts, although what they both protect is rather valuable.

In case it’s not already clear, my argument isn’t at all against the security of the comic’s mechanism in and of itself, even though Randall is kind enough to add a little alt text disclaimer for those who may not be happy with it:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

No, my argument is simply that you can’t apply this mechanism – or any human memory-bound mechanism – consistently and uniquely. This is a rather big problem for both security and usability.

When the discussion switches from memory to retrieval, it’s suddenly a whole different ball game. All the elaborate but flawed plans designed to create passwords that make sense to humans can go out the window and we can start focussing on the password schemes which make sense to computer security. Naturally, usability is an essential consideration as without this you begin to compromise the core objective of secure password management. This is why the likes of 1Password make both password management and password usage easy – certainly much easier than trying to stretch your memory muscle into doing inconceivable things.

Get with the (password management) program

It’s amazing how fast news about something people want to hear travels. It was only a few months back that people were basking in the euphoria that all they needed for a password was something akin to “this is fun”. That was quickly debunked by myself among others working in the security field but it still got a lot of airtime and no doubt caused many people to make foolish decisions. This is no more than the Atkins Diet of password management (who’d have thought bad password advice would have come from a fashion designer turned social media pundit?!)

And now we’re going through the cycle again following the XKCD comic. There’s already simplestrongpasswordgenerator.com which appears to have sprung up in direct response to the cartoon, certainly it references the original work in the “Why is this a great password” link. But if you really want to see how quickly people are buying into this tactic, just check out the tweets referring to the URL. Lots of excitement out there.

As I said via Twitter after seeing the comic, “When your entire rationale for a password strategy is dependent on one comic, you're probably missing something”. Mind you, if you read the right material you’ll find suggestions that this approach needs to be done in unison with a password manager (that sort of defies the point of a “memorable” password anyway), or as the master password of a password manager. Somehow that small but critical detail doesn’t really come through in the comic.

There’s more than enough evidence out there to suggest that people are consistently choosing bad passwords and reusing them (the last two links at the bottom of this post are good examples). It’s been a very active year for publicity about website hacks and those who haven’t employed good password practices have often come unstuck not just on the breached website, but on subsequent sites where reuse has occurred. Unfortunately, if you follow “fun” advice or take your comics too seriously, there’s a good chance you’ll fall to one of these hacks sooner or later. And that’s no fun at all.

Related reading by Troy Hunt on passwords

  1. Who’s who of bad password practices – banks, airlines and more
  2. The only secure password is the one you can’t remember
  3. The 3 reasons you’re forced into creating weak passwords
  4. Bad passwords are not fun and good entropy is always important: demystifying security fallacies
  5. A brief Sony password analysis
  6. The science of password selection

This was originally a post on Troy's blog, but we liked it so much that we wanted to republish it here.

Troy Hunt

Author profile:

Software architect and Microsoft MVP, Troy has spent the last 15 years building web applications in the finance, media and healthcare industries. Based out of Sydney Australia, he now spends his days (and frequently nights), working as an architect for Pfizer Pharmaceuticals’ Emerging Markets. Troy’s software interests focus on enabling colleagues and partners to be productive in delivering high quality applications within proven frameworks. He regularly blogs about application security, improving the software development process and all things technology related at troyhunt.com.




Subject: The Value of Passwords... or Lack Thereof
Posted by: Anonymous (not signed in)
Posted on: Sunday, September 11, 2011 at 6:00 PM
Message: Personally, I think the whole thing of using only a password (or a PIN, for that matter) for security purposes is laughable. The Boyz at Langley can winkle out any password on the planet in a laughably short period of time (oh, say, an augenblick?) with the resources at their command.

In the end, passwords are an example of "security through obfuscation", a concept which has been proven to be unreliable at best and immediately penetrable at worst. There are better ways to secure sensitive information. Perhaps we should start using them?

Subject: Password Pad
Posted by: Anonymous (not signed in)
Posted on: Monday, September 12, 2011 at 8:43 AM
Message: Take a look at the password pad idea: remember/record a shorter password, type a longer and more random one.

http://ob-security.info/?p=393

Subject: How strong is this?
Posted by: dwalker07 (view profile)
Posted on: Monday, September 12, 2011 at 9:03 AM
Message: The passwords generated by "simplestrongpasswordgnerator.com" are a lot stronger than I would have thought. I was prepared to complain that choosing 4 words from a small list of words is not strong, but the list in the source code for that page has about 2800 words. I think that gives 45 bits of entropy.

If you choose your own four words from your own vocabulary, I think you'll get 59 bits of entropy.

Estimates of an "average person" or "college-educated" vocabulary vary, but I used 30,000 as a conservative estimate, and log base 2 for bits of entropy.

That's pretty good.

Subject: It's about risk management...
Posted by: troyhunt (view profile)
Posted on: Monday, September 12, 2011 at 8:23 PM
Message: "The Boyz at Langley can winkle out any password on the planet"

The Boyz at Langley can also land a nuke in my backyard if they want to! The password debate is not binary and anyone with enough resources will ultimately break through an encryption scheme.

There's a phrase that springs to mind along the lines of security being about "the cost of pwnership" i.e. how much effort it will take to breach. Stronger passwords increase the effort and for the end user, this is the only thing they have any control over.

Generators like simplestrongpasswordgenerator.com are fine, but they don't solve the problem of remembering dozens of unique accounts and the sites they belong to, so you're back at the need for a password manager again.

Subject: 2 factors
Posted by: timothyawiseman@gmail.com (view profile)
Posted on: Thursday, September 15, 2011 at 3:45 PM
Message: You make several excellent points, but I believe there are still some issues. I do use a password manager and it certainly helps, but there are some sites I may wish to access from computers other than my own. Where I do not have my password manager.

I could of course use something like Passwordsafe with dropbox, but that is less than convenient if I just want to log in and leave a comment on SimpleTalk from the computer lab at school. A truly cloud based password management scheme seems almost as dangerous as reusing passwords.

It seems that at least for places where security is truly significant (banks, credit cards, etc) it would make sense to move to a two factor authentication scheme of some kind, thereby reducing the significance of the password.

Subject: "When the discussion switches from memory to retrieval" - nice point
Posted by: Jim Peak (not signed in)
Posted on: Tuesday, September 27, 2011 at 11:24 AM
Message: Great job showing the complexity of "schemes." Also liked the quick shift to a different approach to the problem- "make 'em really hard- and just stick 'em somewhere."

As obvious as that alternative might seem, I'd discarded it so many years ago that it had never resurfaced, till I read your article.

Thanks for viewing the subject from several angles!
