Troy Hunt believes that it is time that we stopped kidding ourselves that we are capable of remembering different secure passwords for all the sites we use. We can't use the same password in more than one site, and passwords must be fit for purpose. So what's the solution?
I’m sorry, but were you actually trying to remember your comical passwords?
I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world).
His password strength comic was no exception; very funny stuff about the pain people will go to in order to try to create what they think is a strong password which they’ll ultimately forget. Anyway, the crux of the comic was this piece about using four random words as a way of creating a password that is both memorable and strong:
It goes on to calculate the bits of entropy in this password versus shorter versions using (unmemorable) character substitutions and concludes that:
Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
Difficulty to remember: Hard.
Although this one password can probably be remembered easily, using an icon as Randall suggests, you can’t apply that approach consistently (if at all, in some cases) and uniquely across all your accounts and remember what on earth they are and which sites they belong to. Because of the number of passwords you need to retain, you’re really back at the conclusion in the first part of the strip that shows the character substitution password where Randall concludes “Difficulty to remember: hard”.
This is not the first time a solution has cropped up. Often when I write about password management I get a whole lot of comments about how someone has the perfect system. These have included:
- Writing a short sentence (how are you going to remember which unique phrase belongs to which account across the whole gamut of your online identities without resorting to password reuse?)
- Using Diceware to generate passwords (Unless you're a Rain Man style savant, it's fundamentally flawed ("incomplete" is probably fairer), in that all it does for you is generate passphrases. Your problem now is that you need to remember which phrases belong to which sites, which is fine for a small handful, but get up to 10, 30, 50 and you've got a problem. Plus you're also assuming that each site you create a password for will actually allow both the length and character range (even just letters) generated by the dice rolls, and there are many which won't.)
- Creating complex algorithms (The problems come with the many sites and services that have arbitrary restrictions, such as limiting passwords to eight characters or less and/or prohibiting special characters)
- Breaking up a word with a random character
- Creating a “seed” password then adapting it to each site (When you need to change your password for a site you're forced to break the pattern. If you have multiple accounts for a site (e.g. business and personal Twitter accounts), then at least one of them needs to break the pattern or it needs to be adapted. There are many sites which simply won't allow you to use the character range - and sometimes length - that this method generates. All this means that you're going to end up with exceptions which need to be managed. Simple pattern-based processes for password creation are extremely vulnerable if two or more of your accounts are exposed. If I had, say, your Gawker password and your Sony password and they both followed the same pattern, I'd own every single one of your accounts you applied the same approach to.)
- Using the “offset key” pattern (“d” becomes “r”, “v” becomes “g”, etc. It is very easy to break, and you still need to remember which password belongs to which site.)
- Using the first letter of each word in a sentence (How will you remember which password belongs to which site? And how will you handle sites which don't allow letters in the password?)
- Generating random strings from a Linux command line (There's no need to time-warp back to this sort of technique when password managers like 1Password will do it for you - just hit the "Generate" button and you'll get a string matching your predefined entropy criteria.)
- Picking words at random and combining them (a derivative of other approaches above)
...and that’s just the comments directly on my blog from one post.
The patterns repeat themselves across other posts and then across the likes of Reddit and Hacker News. It’s strange how often these turn up, often several times in comments on the one post, and how frequently the author thinks they’ve struck on something truly innovative and unique. I’ve even been asked to quote one of these “innovators” if I reproduced the password technique in other writing!
There are several problems that apply to all these solutions:
- Many sites limit password character length to small sizes.
- Many sites also limit character range – sometimes they’ll only allow digits.
- Sometimes you have multiple accounts for one website.
- Sometimes you need to change the password on a website (e.g. after a breach).
But the mother of all problems, the one which trumps all the others hands down, is that you simply can’t remember any of these practices consistently and uniquely across all your accounts. Consequently, it means the people following these approaches either have total recall, or they’re reusing passwords. (normally when this is pointed out the discussion goes a bit quiet). Let me demonstrate the scale of the problem for the internet user nowadays.
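To make the entropy arithmetic behind the comic concrete, and to show why the site restrictions just listed matter, here is a short Python script added to this republished post; it is not Troy's code and not anything from 1Password. The word list and the per-site policies in it are constructed stand-ins. It generalises the comic's sum (bits = length × log2 of the alphabet size) to any alphabet and length, and its generator does what a password manager's "Generate" button does: it draws the longest password a site's rules allow, using the `secrets` CSPRNG, from whatever characters that site accepts.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Constructed stand-in for a real word list. The comic's scheme assumes a list
# of roughly 2048 common words (11 bits per word); this toy list is only here so
# the block runs offline. Four words from it give just 12 bits, which is the
# point: the entropy comes from the list size, not from the words themselves.
TOY_WORDLIST = ["correct", "horse", "battery", "staple",
                "anchor", "pillow", "orbit", "velvet"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a secret built from `length` symbols, each chosen
    uniformly and independently from `alphabet_size` possibilities.
    This is the number a brute-force attacker cares about; memorability
    does not enter into it."""
    return length * math.log2(alphabet_size)


def random_passphrase(wordlist, words: int = 4, separator: str = " ") -> str:
    """Comic-style passphrase: `words` uniformly random words from `wordlist`,
    drawn with the `secrets` module (a CSPRNG), never with `random`."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


@dataclass(frozen=True)
class SitePolicy:
    """Hypothetical per-site password rule: a length cap plus the characters
    the site accepts. The entries below are constructed to mirror the kinds of
    restriction the post describes (16- and 12-character caps, digits only)."""
    name: str
    max_length: int
    alphabet: str


FULL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

POLICIES = [
    SitePolicy("no cap, full character set (manager default, 20 chars)", 20, FULL),
    SitePolicy("16-character cap, full character set", 16, FULL),
    SitePolicy("12-character cap, full character set", 12, FULL),
    SitePolicy("digits only, 6-digit cap", 6, string.digits),
    SitePolicy("digits only, 4-digit cap", 4, string.digits),
]


def generate_for(policy: SitePolicy) -> str:
    """What a password manager's "Generate" button does: the longest password
    the site allows, drawn uniformly from the alphabet the site accepts."""
    return "".join(secrets.choice(policy.alphabet) for _ in range(policy.max_length))


def policy_entropy(policy: SitePolicy) -> float:
    """Best-case entropy a site's rules permit, i.e. the ceiling that no
    memorable scheme can exceed on that site either."""
    return entropy_bits(len(policy.alphabet), policy.max_length)


def entropy_report() -> list:
    """(label, bits) rows comparing the comic's four random words with the
    best each hypothetical site policy allows."""
    rows = [("four random words from a 2048-word list", entropy_bits(2048, 4))]
    rows += [(p.name, policy_entropy(p)) for p in POLICIES]
    return rows


if __name__ == "__main__":
    for label, bits in entropy_report():
        print(f"{bits:6.1f} bits  {label}")
    print("passphrase from the toy list:", random_passphrase(TOY_WORDLIST))
    for p in POLICIES:
        print(f"{p.name:55s} -> {generate_for(p)}")
```

Running it shows the comic's 44 bits for four words from a 2048-word list sitting well below what a manager-generated 16- or 12-character password reaches, and far above the 13 to 20 bits that a digits-only airline login can ever have. That last figure is the practical lesson: on such a site no password strategy, memorable or not, can do better than a random PIN of the maximum permitted length, so the value lies in making sure that PIN is unique and stored somewhere other than your head.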
The Scale of the problem
What makes this whole password shenanigan difficult is that it’s not just one password we need in our online world, it’s many, many, many passwords. Yes, OAuth or OpenID across everything would be nice but other than the inherent problems they pose, there’s just no way your average bank is willing to hand over something as critical as authentication or authorisation to another party.
Now I’m probably not your average online user by virtue of the industry I work in, but let me try and illustrate the scale of the problem by talking about the accounts I have. This is based on what I have configured in 1Password – one of the leaders in password management software – where I’ve created half a dozen folders I categorise my accounts into:
Going back to the original XKCD comic, we need to follow this pattern and generate unique passwords for every account:
Firstly, I have to apply this principle across my banking – this is absolutely, positively not an area to be taking shortcuts on so I’ll need eight sets of words:
Why so many banking logins? Savings accounts, couple of credit cards, property finance, PayPal then some of my wife’s accounts as well which, incidentally, are often with the same institutions. Oh, and my Amex password is limited to 16 characters so I can’t apply the principle anyway. Oh cripes, there’s also my St. George bank account and that’s only 12 characters. Uh oh, there’s also IMB who’ll only take digits so now I’ve got another problem. At least it’s only eight accounts!
Let’s move on to shopping accounts and given these can have a direct financial impact on me, I kind of want to look after them pretty well so I’ll need a dozen more four word combinations:
This probably isn’t that many accounts compared to serious online shoppers but still, stuff like eBay is pretty important to me, plus of course most of these have all my billing details on file so they’ll track me down if someone starts buying stuff on my behalf.
It’s a little bit the same with my accounts related to entertainment; misuse of these can screw with me financially so I’m going to be careful with them which means I need another fourteen combinations:
Many of these have my credit card on file not to mention the fact that it can make life pretty painful if the account details fall into the wrong hands. Scott Hanselman’s recent iTunes experience is an example of this and that’s one of the accounts I need to protect. Now add in other stores where I’ve purchased music, played games or ordered tickets online and the numbers start stacking up pretty quickly.
Then there are the airlines and their reward programs. I don’t really want people seeing where I’ve been flying to and I particularly don’t want them booking any flights on my behalf with my hard-earned frequent flyer points so let’s create another half dozen unique passwords for them:
Oh, and almost without exception airlines will only let you create passwords with four or six digits so throw out any password strategy which doesn’t let you do this.
Then there are the online forums of which I seem to have accumulated quite a few. These are often pretty loosely put together apps and I know many of them are storing plain text passwords (just try the password reminder feature), so I’ll need another twenty-two unique passwords please:
Some of these aren’t particularly significant to me, but in many cases they’re a small – albeit important – part of my online identity. I’ve obviously spent a lot of time in technology based discussions, but also in other places talking about cars, real estate and even coffee where I don’t want someone jumping in and reading my private messages or impersonating me and potentially messing up the work I’ve put into my online persona. I know that many people espouse “throwaway accounts” where they don’t care about the security but my online identity is important to me and I don’t want someone jumping up and being obnoxious (or worse), using my name, email, possibly photo and other online attributes.
But possibly one of the most vulnerable – or at least most “important” – categories of account I have is social media, where I’ve accumulated another eighteen accounts:
These accounts include information on everything from the conversations I’ve had with my wife to my kids’ photos to my Twitter identity. It’s really important stuff to me and they’re possibly the accounts I most want protected; in some cases it’s on a par with things like banking (which generally have pretty good fraud protection these days). There are a few accounts in there I really don’t use (never could get into foursquare), but again, I still don’t want other people messing with them and gaining access to personal data.
Finally, there’s everything else that doesn’t fit neatly into a category so that’ll be another fifty unique passwords to remember please:
Why so many and what on earth is in there? Everything from email to FedEx package tracking to RescueTime to Dropbox and Mozy backups to the formula1.com account I needed to be able to use the iPhone app. Heaps of stuff I care deeply about, other stuff I care less about but still, that’s a whole lot of passwords.
So in total, I’m tracking one hundred and thirty accounts. Very few people will read this and have fewer than 30 accounts, even if you can’t think of them all off the top of your head right now (can you really remember every account you’ve ever created?). Be honest, add them all up and see what you get to, even the ones you don’t use that often. And if you don’t have 30 accounts now, just how long will it be until you do? Having recently gone through the password management exercise with my father, who is in his 60s and doesn’t come from a technology background, I know that even a regular online user will almost certainly have more accounts than they can count on their fingers and toes, and definitely more than they can commit to memory.
The point of all this is to graphically illustrate the volume of online accounts we inevitably accumulate and that memory based password management doesn’t work. There are always exceptions, be they with sites with overly restrictive password rules, instances of multiple accounts per site or when you simply want to change a password. It’s simply infeasible.
It’s not about memory; it’s about the ability to retrieve
A lot of the problem with passwords seems to stem from folks thinking they need to be able to remember their passwords. Who on earth ever gave them this idea?! The concept is flawed by design; memorable is the antithesis to secure.
Of course there are a very small number of accounts you do need to remember; the master password on my 1Password account, for example. The password on my PC which I enter directly many times per day is another example and in both cases, I simply can’t create the entropy I do for my online accounts using a password manager. But then again, these don’t have the same exposure and risk profile as online accounts, although what they both protect is rather valuable.
In case it’s not already clear, my argument isn’t at all against the security of the comic’s mechanism in and of itself, even though Randall is kind enough to add a little alt text disclaimer for those who may not be happy with it:
To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.
No, my argument is simply that you can’t apply this mechanism – or any human memory-bound mechanism – consistently and uniquely. This is a rather big problem for both security and usability.
When the discussion switches from memory to retrieval, it’s suddenly a whole different ball game. All the elaborate but flawed plans designed to create passwords that make sense to humans can go out the window and we can start focussing on the password schemes which make sense to computer security. Naturally, usability is an essential consideration as without this you begin to compromise the core objective of secure password management. This is why the likes of 1Password make both password management and password usage easy – certainly much easier than trying to stretch your memory muscle into doing inconceivable things.
Get with the (password management) program
It’s amazing how fast news about something people want to hear travels. It was only a few months back that people were basking in the euphoria that all they needed for a password was something akin to “this is fun”. That was quickly debunked by myself among others working in the security field but it still got a lot of airtime and no doubt caused many people to make foolish decisions. This is no more than the Atkins Diet of password management (who’d have thought bad password advice would have come from a fashion designer turned social media pundit?!)
And now we’re going through the cycle again following the XKCD comic. There’s already simplestrongpasswordgenerator.com which appears to have sprung up in direct response to the cartoon, certainly it references the original work in the “Why is this a great password” link. But if you really want to see how quickly people are buying into this tactic, just check out the tweets referring to the URL. Lots of excitement out there.
As I said via Twitter after seeing the comic, “When your entire rationale for a password strategy is dependent on one comic, you're probably missing something”. Mind you, if you read the right material you’ll find suggestions that this approach needs to be done in unison with a password manager (that sort of defies the point of a “memorable” password anyway), or as the master password of a password manager. Somehow that small but critical detail doesn’t really come through in the comic.
There’s more than enough evidence out there to suggest that people are consistently choosing bad passwords and reusing them (the last two links at the bottom of this post are good examples). It’s been a very active year for publicity about website hacks and those who haven’t employed good password practices have often come unstuck not just on the breached website, but on subsequent sites where reuse has occurred. Unfortunately, if you follow “fun” advice or take your comics too seriously, there’s a good chance you’ll fall to one of these hacks sooner or later. And that’s no fun at all.
Related reading by Troy Hunt on passwords
- Who’s who of bad password practices – banks, airlines and more
- The only secure password is the one you can’t remember
- The 3 reasons you’re forced into creating weak passwords
- Bad passwords are not fun and good entropy is always important: demystifying security fallacies
- A brief Sony password analysis
- The science of password selection
This was originally a post on Troy's blog, but we liked it so much that we wanted to republish it here.