Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
IT Technology

FBI Recommends Passphrases Over Password Complexity (zdnet.com) 93

Posted by msmash from the what-do-you-think? dept.
An anonymous reader shares a report: For more than a decade now, security experts have had discussions about what's the best way of choosing passwords for online accounts. There's one camp that argues for password complexity by adding numbers, uppercase letters, and special characters, and then there's the other camp, arguing for password length by making passwords longer. This week, in its weekly tech advice column known as Tech Tuesday, the FBI Portland office leaned on the side of longer passwords. "Instead of using a short, complex password that is hard to remember, consider using a longer passphrase," the FBI said. "This involves combining multiple words into a long string of at least 15 characters," it added. "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."
This discussion has been archived. No new comments can be posted.

FBI Recommends Passphrases Over Password Complexity More

FBI Recommends Passphrases Over Password Complexity

Comments Filter:

  • Already been doing this when I can. (Score:5, Insightful)

    by nightflameauto ( 6607976 ) on Friday February 21, 2020 @06:46PM (#59752394)
    I've been using phrases for a while when I am able to. Unfortunately, a lot of banks are still stuck only allowing ten characters or less. Which seems absurd to me in 2020.

    • Re:Already been doing this when I can. (Score:5, Insightful)

      by Anonymous Coward on Friday February 21, 2020 @06:54PM (#59752420)
      It's all about legacy databases with string length restrictions. When they do this, know that your password is being stored in plain text, because that's the only reason for the limit.

      • 100% as you say, if length matters it may be storing in plain text. Whether it was one character or a thousand, the hash is effectively the same length.

        On the other side of this, the complexity in actual characters used, I've seen weird things in the wild such as forbidden characters in passwords. One example that comes to mind was a poorly implemented Basic Auth handling, where the username and password are concatenated with a colon between them (username:password), and then converted to a base64 string

    • Re: (Score:3)

      by Minupla ( 62455 )

      When I run into that, I use the last character of each word in a passphrase. Or better yet, break out my password manager and generate a random one. My password manager is protected by a massive passphrase and MFA.

      • When I run into that, I use the last character of each word in a passphrase.

        Considering that there is a ~50% chance of the last character of a randomly-selected word[*] being one of 's', 'd', or 'e', you might want to rethink that strategy. The entropy of the final letters of 10 randomly-selected words, each contributing about 3.4 bits, would be less than what you would get from seven random lowercase alphanumeric characters or six case-sensitive alphanumeric characters—easily brute-forceable. Also, most passphrases are not just random words, which makes them even more predic

        • Re: (Score:2)

          by rtb61 ( 674572 )

          You do a nonsense passphrase, something you will remember ie happylemmingsleap, thequickdogjumps, all sorts of fun possibilities, can be quite personal or crude as in HRChorriblerottencunt, something you will remember and you can capitalise or add numbers, Trumpno1arsehole, what ever rocks your boat. Just three words in a nonsence string somewhat personal to you and have fun with it.

    • Re: (Score:2)

      by evanh ( 627108 )

      10 character limit has always been absurd.

    • Passphrases are overrated. Instead of remembering a 15 word passphrase, use a good generator to make a strong 15 character password. Then invent a little story to help remember it.

      • Re: (Score:2)

        by lsllll ( 830002 )
        Your math must not have been strong in school. Here is the problem explained in graphical format so that you can understand. Troubador [xkcd.com]

    • I've been using phrases for a while when I am able to.

      Unfortunately, a lot of banks are still stuck only allowing ten characters or less.

      And requiring a certain count of capitals, numbers and special characters. This prevents you from using both memorable passphrases and the long randomized strings that password managers can generate with their 'suggest' function.

    • My password is a passphrase. Replace some letters with numbers (e.g. i = 1) and replace some other letters with their capital variants. Eliminate spaces and there you go.
      You can also repeat a relatively simple password with its variations, e.g. "TooBadt00badToob4d!"

    • At least, that's what I do.
      Absurdly short un-memorizable passes where banks & al constrain me, which I all store within the open-source, verified Keepass behind a long password.

  • No kidding. That is why my password is "OneTwoThreeFour".

  • I took a security class a *long* time ago and the instructor asserted that pass phrases were more secure and easier to remember. As an example, he said, "My daughter has big, brown eyes." was easy for him to remember and probably pretty secure, especially as her eyes were blue. :-)

    • Re:Idea's been around a while, probably true. (Score:5, Insightful)

      by vux984 ( 928602 ) on Friday February 21, 2020 @07:04PM (#59752464)

      Sure it is. Until you get lazy, and you need another one, and another one. And then humans inevitably start doing simple variations or selecting different lines from the same song/poem/book.

      And then the web form requires at least 1 digits and at least 2 capitals... so your passphrase is rejected anyway.

      And then the site promptly gets compromised, so you have to change it, and using a passphrase doesn't help you vs bad password management at the backend, and MITM/phishing attacks etc, so reusing passphrases is still a really bad idea. And remembering lots of different passphrases that are constantly changing isn't really any easier.

      So... a password app, protected by a passphrase, where all the actual passwords are just random gibberish that you generate randomly and copy/paste as needed and don't even look at or try to remember... is really about as good as it gets right now.

      • All good points beyond the simple pass- word vs. phrase comparison, thanks.

      • This is why I don't bother remembering passwords or using password managers.
        I enter something totally random and do "forgot my password" reset on every login. This way I only need to secure and remember my email password.

        • I have a number of websites that force password changes every 90 days. I often only need to log into these websites except for once, sometimes twice a year. I just let the passwords expire intead of changing them, and then do an email-based password reset. Lame security - might as well just have the login email me a link to login.

      • I think perhaps a physical token is as good as it gets right now, though not always available.

    • Your instructor also read XKCD?

              https://xkcd.com/936/ [xkcd.com]

  • They are wrong - it doesn't matter which (Score:5, Informative)

    by hoggoth ( 414195 ) on Friday February 21, 2020 @06:57PM (#59752424) Journal

    It is very important not to reuse the same password on multiple sites. Therefore it is impossible to memorize all of your passwords and you must use a password manager. Once you use a password manager you should go all in on using completely random passwords or passphrases - it doesn't matter which as long as there is enough entropy. So pick 16 character random letters numbers and punctuation or pick 6 word random passphrases from large dictionaries. Since more current websites accept 16 characters than 30+ characters the password choice makes more sense.

    • And then someone cracks your password manager. Now what?

      • To do so they'd have to hack my home environment which has no incoming ports. So they have to hack my browser on that machine which I only use for banking. So they have to hack my bank in order to hack my browser to get my bank password which doesn't matter because they already hacked my bank.

        Ok, seriously, put important stuff on an isolated device used for nothing but critical logins and your /. login can go on a post it note.

      • use 2FA on all your important financial and identity accounts so your password will be insufficient to login in. protect your password manager with a very strong master password and 2FA. that will be the one and only password you have to remember.

    • Try a phrase that is based on either the site name itself or, my fave, their biggest competitor. Every password is different, yet the algorithm that obfuscates it is the same. Add a bit, rearrange a few, substitute some, and voila, easily remembered when you need it, unique, and long. Password managers aren't so good when the database gets stolen; the hacker can take their time and crack them all. Can't steal them from my brain without physical access and a $5 wrench.

  • Nowadays a password manager with complex passwords and a different password for each account is better

  • Never re-use the user-id/password on other sites.

    On my local network, everything is locked to ssh key access only (no password access), except root, which doesn't allow logins at all.

    And the password for my key is longer than 15 characters.

    I'm still somewhat skeptical about the privacy and security of SSO services like BookFace and Verizon.

  • people tend to use common phrases so if one word is known, it may be easier to guess.

  • I used to like the "first letter of each word in a phrase" algorithm, resulting in passwords like TbonTbTitQ - garbage to anybody looking over your shoulder but easy to remember "To be or not To be, That is the Question".

    I now use passphrases. Pick two or three words at random, especially if they're not common ones. Throw some random punctuation in to pacify password complexity requirements and break brute-force word searches. Done.

    Sample result: pass%w0rdComplex#ityrequ1re(mentS

    ...laura

    • Yeah, Pig Latin also guarantees security.

    • Re: (Score:2)

      by lsllll ( 830002 )
      I make up passwords by associating a book (usually old, so I can ensure the edition hasn't changed) with what I need a password for. I then take a certain page, and use the Nth word from the first four paragraph to make a passphrase. That way, if I ever forget the password, as long as I remember the association of the book with the password, I can gain the password.

  • Correcthorsebatterystaple wins again! (Score:3)

    by Grog6 ( 85859 ) on Friday February 21, 2020 @07:20PM (#59752506)

    Obligatory XKCD reference, for the unwashed few that didn't get it, and haven't implemented it yet.

    I did this when it came out, because some things just make sense.

    • What's amazing that in lists of the most common passwords that get easily hacked, "correcthorsebatterystaple" isn't one of them. I've been using the method for years even before the XKCD comic came out. It just seemed to be the common sense way to go.

    • Obligatory XKCD reference, for the unwashed few that didn't get it, and haven't implemented it yet.

      I did this when it came out, because some things just make sense.

      Really?

      Is Grog6 your username for your bank account? Asking for a friend.

    • I came here to post horse battery staple [xkcd.com] as well.

      "Passphrases Over Password Complexity". This is a great, secure, random phrase that's even open source -- let's ALL use it!

  • NIST SP800-63B, Appendix A was released in June 2017 for the gov't types.

    https://pages.nist.gov/800-63-3/sp800-63b.html#appA [nist.gov]

    In summary:

    • A minimum of eight characters and a maximum length of at least 64 characters
    • The ability to use all special characters but no special requirement to use them
    • Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
    • Restrict context specific passwords (e.g. the name of the site, etc.)
    • Restrict commonly used passwords (e.g. p@ssw0rd, etc.) and dictionary words
    • Restrict
    • The first program I authored on a Sinclair ZX-80 (4kROM/1kRAM) was cracking a safe after learning RND and FOR/NEXT from a manual's example of simulating a rolled die-- static images drawn with asterisks. I had been exposed to exponents maybe two years before which allowed me to realize the sum of possible combinations was the function of an exponent-- the range of elements to the power of its "length", i.e. two letters of the alphabet is 26^2. ASCII assignments allowed a greater range.

      A year later with a T

    • Re: (Score:2)

      by thogard ( 43403 )

      Long strings of the repetitive characters are a problem but two or three can help prevent shoulder surfing.

    • Yup, also in there: don't auto expire passwords, change only after a breach. People are more like you use better passwords of they know they won't have to re-memorize every X days.

      Unfortunately, after almost 3 years, it's been wholly ignored by most. We still have 12 character number, special char, upper/lower passes that expire every 60 days.

  • Obligatory xkcd correct horse battery staple [xkcd.com].

    Make a part of it numbers, and separate with one or more special characters, and you are done.

  • Given they’re also pushing for baking in the ability to backdoor any encryption.

    • The FBI can't push for anything. They make statements that it would benefit them and be a good idea, and everybody (including Congress) laughs at them.

  • More Secure? Maybe... (Score:4, Informative)

    by Arzaboa ( 2804779 ) on Friday February 21, 2020 @07:39PM (#59752570)

    A passphrase with 4 common words in it will crack like a 4 character password to a password cracker.

    Password ABCD to the password cracker is [A][B][C][D]
    where
    Passphrase AlphaBetaCharlieDonkey is [Alpha][Beta][Charlie][Donkey]

    Both are 4 strings from a list of 'words.' From that perspective though there are only 26 'words' in the alphabet list where there may be 1000 in a super small word list.

    All of this will be moot in twenty years. By then, AI will be able to guess everyone's past and future passwords in 3 seconds running on a single quantum processor powered by fusion.

    --
    You only think I guessed wrong - Vizzini, The Princess Bride

    • Re: (Score:1)

      by Anonymous Coward

      yes, there is no difference between a possibility space of 456976 options and a possibility space of 1000000000000 options

      • The vast majority of the English speaking population has an active vocabulary of around 20k words, and if you perform a simple frequency analysis you'll find that around 10% of those are used the majority of the time. When subjected to a well weighted dictionary attack, "correcthorsebatterystapler" has a much lower entropy than it does against a random brute force attack such as what xkcd was referring to.

        • 10% of 20k is 2000. A random word about of 2000 is about 11 bits, 4 words equals 44 bits. Exactly as xkcd claims.

    • Re: (Score:2)

      by LesFerg ( 452838 )

      There's no point in being able to put together billions of guesses in 3 seconds, if you can't verify them against the system you are trying to break into, within a reasonable amount of time also. I have never seen any convincing argument for producing authentication software which allows a person to retry their password after a failure, without at least a couple of seconds of delay and counting the number of failed attempts.

      So I don't understand the pop-scare references to that future quantum/AI/whatever a

      • Credential stuffing attacks typically work like this (simplified, and assuming the absence of countermeasures to make this process harder):
        • 1. Hack some poorly secured credentials database with hashed passwords
        • 2. Use a chunky GPU to compute the hashes of a few squillion combinations of passwords
        • 3. Look for matches. Now you've got $LARGE_AMOUNT of username and password combinations.
        • 4. Log in using the same username/password combination on other sites, as many people reuse passwords.
        • 5. Profit!

    • If the FBI recommends a security technique you can be assured that it is one that is easy for them to crack. Why would anyone believe the agency that is dead set against individual privacy?

  • Sometimes, "123456" is good enough. (Score:4, Interesting)

    by edibobb ( 113989 ) on Friday February 21, 2020 @07:40PM (#59752574) Homepage
    Not every site that requires a password needs one. There are lots of sites that require me to login in which I don't care if the whole world shares my account. Those are the ones that require long, complex passwords requiring three page changes on a cell phone keyboard.
  • The entire site as a working product is copied out.
    They get the key and lock due to site settings.
    Staff help the bad guys due to reasons of faith, nation, politics, cash, been criminals, support for banned groups, for the media.
    The company is working for another nation, the NSA, GCHQ. The strong, tested and approved cyrpto is junk by design.
  • Take something like Queen's We Are the Champions. Take the first letter of the first verse or two. Turn those into leetspeek and dick with the capitalization, so We Are The Champions, My Friend becomes Watc,mf -> w@tC,mf. Expand that to 10-12 characters and voila, an ez to remember but hard to crack password.

    • Re: (Score:2)

      by thogard ( 43403 )

      My experiments with using lines from songs suggest that most people will pick a line from a song that many others also picked. I had several tens of thousands of people to ask to do that experiment.

      Lines from songs, common quotes have been used in cracking dictionaries for a long time. Using fortune databases with cracking tools has been done since the 1980s. Leetspeek has been an option for password crackers for decades.

  • The University of Stanford doesn't require password complexity if your passphrase has 20+ characters:

    https://uit.stanford.edu/servi... [stanford.edu]

  • "A random string of numbers and letters."

  • A passphrase IS password complexity.

    English, mother fucker...

  • I mean I know it's longer, say 20 to 30 bytes long, but you shouldn't look at it that way. It's a sequence composed of words and my guess is most people aren't going to have that many different words. I'd guess 300 to 400 for most people but that's a guess. If we did a back of an envelope calculation If people use 4 word combinations and 400 possible words for each part you'd end up with 25600000000 possible combinations. On the other hand a password of 8 characters in length that's number and letters is 62

  • Usually, the sites with the most anal user password requirements are also the sites that expose my data and everyone else's at Some_URL?user=admin?password=password. On the bright side, at least the hackers will bother to encrypt the data.

  • This has been the smart answer for years.

    Which is why security-exam graduates all over the world have been saying the opposite.

  • FBI? Isn't it those guys who always tried to get one of another form of backdoor mandated by law? Who think that their ability to eavesdrop criminals is much more important to public safety that privacy of lawful citizens?

    • It might be important if the bad guys are planning a WMD attack on the east coast that will kill several million if it's successful.

  • Something like, "You're gonna need a bigger boat" or "You keep using that word," or "Here's looking at you, kid." Easy, and password complexity estimators on the web claim that such phrases would take longer to crack than we have time before the sun expands and swallows the earth. One can misspell something or use a double space between words or something if still paranoid, but it would be so much nicer to remember than the idiot stuff we have to come up with now.

  • i think images can be uploaded to websit4es and hashed as passwords. that would make a strong length key hard to brute force. they could be stored in a password manger protected by a passphrase. but for the websites easily remember-able images could be used.

  • ... that wants back doors.

    I'll do "opposite day," thank you.

  • I disagree with the recommendations. It really depends how you solve/attack it. correcthorsebattery = 19 chars lowercase = ~26^19 possibilities if cracked lowercase or correcthorsebattery=3 words = correct horse battery Lets assume our password guess rate is 100,000,000 guesses per second. @ 100M guesses/second bruteforcing with lowercase would take = (26^19)pw/(100,000,000 pw/s)= 7,664,672,652,003,620,000 seconds. If you take Google 10k wordlist you can find correct, horse, and battery. 3 words of go

Slashdot Top Deals

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Close