Passwords Are Too Short!

Started by oradba4u, November 24, 2021, 04:29:08 PM


oradba4u

All:

For those of you designing password schemes... or for those of you choosing a password

A recent report on 25,000,000 brute-force attacks by Microsoft Head of Deception Ross Bevington reveals:

Distribution of passwords:
30% of all passwords are 6 characters in length
77% guessed a password between 1 and 7 characters
6% of passwords are 10 characters or more
7% of passwords contained a special character
39% of passwords had at least 1 number
0% of passwords contain a white space


td

Use a good password manager and it is not an issue.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

oradba4u

Tell that to the 103 million users that use '123456' for their password! And people wonder why/how they got hacked!

ChuckC

Hmm... in the past 18 to 24 months, pretty much every web-hosted service that I use has modified their password policies to absolutely require passwords to be composed of a minimum of 1 each of uppercase letter, lowercase letter, number and special character, with an overall minimum password length of 8 characters.  There's simply no choice to use '123456' or any other such simple & short password.  Additionally, beyond using a password manager, most password field controls on "modern" web-hosted services now have the little "eye" icon on the right side that allows you to see what you typed, which makes usage of a very complex password much easier since you can check what you typed before clicking the "login" button.  Even Windows 10 is doing this now, when logging on to a domain where you don't have the option of using a PIN or a biometric fingerprint reader.

That's not to say that there aren't older web sites or older applications & versions of Windows where outdated code still accepts & stores simpler passwords that can be readily hacked/broken.  But, when it comes to security related to passwords, if you're not going to be more proactive and voluntarily adopt usage of strong passwords, then you deserve what you get when you do get hacked.

As for devising password schemes, at this point, I'm of the opinion that no code should be written for a normal end-user application that stores passwords and implements its own password policy.  Use a backend service, such as allowing the user to identify themselves through an accepted 3rd-party service via their Google account, FB account or some other such online account.  Worst case, use an LDAP interface to a directory service such as AD, or create local user accounts in the O.S. on which the application runs, and allow the O.S. itself to store passwords and enforce policies.  Reinventing the wheel on this stuff is simply not worth the time, and the one-off password-related code will never get the level of testing, validation & peer review necessary to ensure that the code itself is not yet another security vulnerability.


td

Another advantage of a good quality password manager is that, besides creating very long strings of random* characters, you never use the same password twice. That way, even if a site with a password database is hacked and the password database is cracked, you are only compromised on one site.

* The randomization methods used with a good manager are based on sound mathematical formulae with statistical proofs of randomness.

stanl

Quote from: ChuckC on November 25, 2021, 05:59:04 AM
Hmm... in the past 18 to 24 months, pretty much every web-hosted service that I use has modified their password policies to absolutely require passwords to be composed of a minimum of 1 each of uppercase letter, lowercase letter, number and special character, with an overall minimum password length of 8 characters.

Funny thing about that. I still have Mindspring email accounts [since 1996] for myself, wife and daughter. Last month my daughter changed her password to a 15-char random string.... Earthlink locked her account for exceeding the password length... so the overall minimum was the maximum.  ::)


Otherwise we still pay bills with checks. Have the double identify stuff for any banking we do.. which doesn't matter since our Bank of America card gets hacked 2-3 times a year [no cost to us, just a wait for a new card, and I'm glad they know we don't do online betting in South Africa].   


As for the Op's statement about 103 million people... I still think 94 million people here are still unvaccinated....

oradba4u

It's way more than 103 million... those are just the '123456' passwords
The Top 8 yields about 255 million brute-forceable targets (not just web-hosted sites)
and an estimated 100 million voters didn't vote last November either! But over 900 million people watched Super Bowl 55!

Granted, 25 million is a relatively small sample size compared to the number of devices online, but it is probably a good indicator.

It's just a friendly reminder to folks to THINK about their password security.

I wonder how many PCs attaching to the internet on a daily basis fall into this top 8 category? Also:
IoT devices
Commercial businesses, such as SCADA systems/devices and ICS.
The list goes on...

All I'm saying is perhaps people should/could review their own personal password schemes.

P.S. One of the things that stood out for me was the fact that NO ONE USES WHITE SPACE IN THEIR PASSWORDS!
I know that it may not be possible everywhere, but I wonder how many have tried!
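As an added illustration of the points raised across this thread (the minimum-length-plus-character-class rule ChuckC describes, the maximum-length lockout stanl hit at Earthlink, the '123456' denylist, and the whitespace question in the P.S.), here is a small password-policy checker written for this post rather than taken from any of the services mentioned. The `Policy` settings, the denylist contents and the sample passwords are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the "Top 8" common passwords mentioned in the thread;
# a real deployment would load a full breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "123456789", "12345678", "qwerty"}

# The four classes ChuckC says most services now require; "special" excludes
# whitespace so a space on its own does not satisfy the rule.
CLASSES = [("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
           ("digit", r"[0-9]"), ("special", r"[^A-Za-z0-9\s]")]

@dataclass
class Policy:
    min_length: int = 8
    max_length: Optional[int] = None  # None means no upper bound
    require_classes: bool = True
    allow_whitespace: bool = True

# The anti-pattern from stanl's anecdote: a hard cap plus no spaces allowed.
LEGACY = Policy(min_length=8, max_length=15, allow_whitespace=False)
# A saner policy: minimum length and classes enforced, no cap, spaces allowed.
RECOMMENDED = Policy(min_length=8, max_length=None, allow_whitespace=True)

def check_password(pw: str, policy: Policy) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if not policy.allow_whitespace and any(c.isspace() for c in pw):
        problems.append("whitespace not permitted")
    if policy.require_classes:
        missing = [name for name, pat in CLASSES if not re.search(pat, pw)]
        if missing:
            problems.append("missing character class(es): " + ", ".join(missing))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems

if __name__ == "__main__":
    # Constructed samples: a top-8 password, a 20-char generated string, a passphrase
    for sample in ["123456", "Xk9#mQ2vLp7!wR4$zN1@", "My dog ate 7 Homeworks!"]:
        for name, pol in [("LEGACY", LEGACY), ("RECOMMENDED", RECOMMENDED)]:
            print(f"{name:12} {sample!r}: {check_password(sample, pol) or 'OK'}")
```

The 20-character random string is rejected by `LEGACY` purely for being too long, which is exactly the lockout stanl describes; under `RECOMMENDED` it and the spaced passphrase both pass, while '123456' fails on length, classes and the denylist.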