Password Irony

As far as I can tell, Bruce Schneier’s current Wired column, MySpace Passwords Aren’t So Dumb, is intended to be taken seriously. The article is supposed to be about how "good" passwords on MySpace are these days, and there isn’t a hint of irony in his statement:

"But seriously, passwords are getting better."

I am at a loss to explain how he can come to this conclusion when every single one of the 34,000 passwords he analyzed were stolen through a phishing attack. What he should have said was: "This shows that a 1-character password (the shortest they harvested) is just as secure as a 32-character password (the longest they harvested)".

To be fair, there are some good points in his article, too, like the ones that mirror what I said in the recent webcast I gave: "Death to Passwords".

Some key points from my webcast:

  1. You need a really long password and/or a really short lifetime to protect against cracking attacks.
  2. As soon as you try to do #1 the users rebel and write things down or forget them
  3. This opens up worse holes than 1 closes.

If you aren’t going to go multi-factor, then your risk level is low to begin with. In that case, you are better off picking a 4-6 character password with a long lifetime that can’t be guessed manually in 3-5 attempts, coupled with ACTIVE LOG REVIEWS. If your restrictions are this "weak" then your false positive rate plummets and the work done is actually meaningful.

Btw, your auditors would never endorse it, but I am happy to speak with them to argue the point. ;-)

You can still view the webcast here (registration required).

8 comments for “Password Irony

  1. December 22, 2006 at 12:15 am

    ” “But seriously, passwords are getting better.”

    I am at a loss to explain how he can come to this conclusion when every single one of the 34,000 passwords he analyzed were stolen through a phishing attack.”

    that’s simple – the strength or quality of the passwords have absolutely nothing to do with phishing…

    the strength of a secret is measured by how well it withstands a certain class of attack, and phishing isn’t in that class… no secret, no confidential information, no piece of data of any kind is any more or less susceptible of being leaked by people who don’t realize the consequences of their actions…

    judging passwords against a problem that passwords were never meant to solve and can never hope to solve is pointless… and just because there are problems that passwords can’t solve that doesn’t mean there aren’t also problems that passwords can solve…

  2. Pete
    December 22, 2006 at 8:40 am

    @Kurt -

    In general, I don’t disagree with what you are saying. Specifically, however, I have a big problem with it. This falls in the category of improper threat modeling. The “problem” that passwords solved was never that they would be cracked; the problem has always been a compromised account. If you aren’t going to weigh the relative effects of all the possible solutions on all the possible types of attacks, you will still end up with the same result – compromised account.

    But let’s assume for a second that the problem was “crackability” and ignore the gaping “side effects” of all the other attacks that open up against accounts as you make your password less crackable. It looks like the large majority of these passwords are crackable anyway.

    Only at the very highest end of characters and password length (and shortest lifetime)do you make your password strong enough to be something approximating “uncrackable” for its lifetime, and even then you are playing the odds that the computer doesn’t get lucky and guess the password sooner (it is a 50-50 chance it gets cracked in half the ‘published’ time, remember).

    So, password crackers are getting faster (wow – 76 billion attempts/second is amazing). Also, note that in order to actually implement these “strong” passwords, you actually make them weaker by forcing certain character types.

    All in all, I am sticking by my assessment.

  3. December 22, 2006 at 1:04 pm

    Better password strength just one factor

    Pete over at Spire Security points out the obvvious(which alluded me): As far as I can tell, Bruce Schneier’s current Wired…

  4. December 22, 2006 at 5:49 pm

    @pete
    “This falls in the category of improper threat modeling.”

    i disagree… i think the threat model here has been done to death, and we’ve moved on from building the model to analyzing the model… as one often does in analysis, the model has been broken down into constituent parts and classical notions of password strength happen to be one of those parts…

    “Only at the very highest end of characters and password length (and shortest lifetime)do you make your password strong enough to be something approximating “uncrackable” for its lifetime,”

    the only one talking about uncrackability of passwords is you… schneier simply said they were stronger/better, not that they were uncrackable nor even that they were *strong enough*… don’t read into his expression of surprise any notions of satisfaction – after all, he explicitly says that passwords ‘have outlived their usefulness as a serious security device’…

  5. Pete
    December 22, 2006 at 7:18 pm

    @Kurt -

    In my opinion, the security profession often still suggests that “strong” passwords will reduce your risk. What I am suggesting is that, while I agree that the passwords are “stronger” from a crackability standpoint, they are not “better” from a reduced risk standpoint. And, in fact, you can get “better” passwords from a threat modeling standpoint by reducing the “strength” of the password.

    Even though Schneier does denigrate passwords, the simple discussion around “strength” also implies that if you don’t use multi-factor authentication you SHOULD still use strong passwords. My point is that these “strong” passwords do not reduce risk; it is much more likely that they increase risk (of compromised accounts).

    In any case, it is surprising to me how many people still think stronger is equal to better and don’t take into account the threat to compromised accounts. We are better off not evaluating password strength to begin with so as not to send people on a wild goose chase.

    Btw, are you arguing on Schneier’s behalf or your own?

  6. December 23, 2006 at 12:22 am

    @pete
    “And, in fact, you can get “better” passwords from a threat modeling standpoint by reducing the “strength” of the password.”

    i think i know what you’re referring to here – shorter passwords are easier to remember and therefore less likely to wind up on a post-it on the side of the monitor… schneier has a different solution that doesn’t involve shortening the password and actually does involve writing it down, however he suggests putting it in your wallet and guarding it like you would any other security *token* (because that’s effectively what it then becomes)…

    “Btw, are you arguing on Schneier’s behalf or your own?”

    if you’re wondering if i’m just a schneier fan-boy out to protect his image online then you obviously haven’t seen where i’ve accused him of spreading FUD… however, schneier simply said passwords were getting stronger, and in the classical sense (which is all i really expect from schneier anymore) they are…

    if you’re arguing that it’s a pointless observation then you’re right… it’s little more than grist for a security version of trivial pursuit… in case it hasn’t become glaringly obvious, schneier is becoming an anachronism (frankly, i think the entire notion of the ‘security expert’ is anachronistic)… that said, i don’t think what he said was wrong, just not very relevant…

  7. Allan Friedman
    January 4, 2007 at 11:41 pm

    Anyone out there seen good evidence on the efficacy of Active Log Reviews in practice? Or the costs and organizational complexities?

  8. Pete
    January 5, 2007 at 8:49 am

    @Allan -

    I know of no studies regarding efficacy of active log review but I used to do them way back in 1998 – actually sent out written notices every week to people who had locked out accounts requesting verification that it was them.

    One good thing about this type of thing is that the log event represents good news since the “attacker” was blocked. That said, every single one of the 10 lockouts per week that I was checking over about a year were false positives.

    If the password policy were such that it would significantly reduce false positives, I don’t see this as a significant burden. In the meantime, one could do some behavior analysis or sampling to try to cut the workload down – the hard part is not the looking at the logs, per se, it is the out-of-band verification.

Comments are closed.