Password strength of short passwords


One of my banks has very poor requirements for a password (8-12 characters, no special characters). When generating a new password with 1Password, it seems that a password with more digits than letters is indicated as being stronger. In fact, I can get a "Fantastic" password with 10 digits and 2 letters. Is this truly fantastic, or just an oddity of calculating the strength of such a short password?

Comments

  • svondutch (1Password Alumni)

    @tonytx05 What version are you running? I cannot get the strength of a 12-character password past "good".

    I'm going to investigate why adding more digits makes the password stronger. I'm guessing this is an unwanted side-effect of us trying to down-vote diceware.

  • tonytx05 (Community Member)

    4.3.0.556. Here's an example:

  • svondutch (1Password Alumni), edited April 2015

    @tonytx05 I have entered 1884074Q4y7C into passwordmeter.com and it thinks your password is super strong, too. This is not an excuse, but it does give us a little bit more insight into what password meters (including 1Password's) are doing.

    First of all, your password gets extra points for having an uppercase and a lowercase character. If your password consisted of numbers only, it would immediately get down-voted to "very weak".

    Then your password becomes even stronger because it contains a lot of numbers. Letters do not have a very high rate. Numbers and characters do. I'm guessing this is because a long diceware passphrase isn't necessarily super strong, and password meters are trying to compensate for that.

    None of this is an excuse. It only proves how hard it is to calculate password strength. Most meters are reasonably good at it, but nobody gets it right and 1Password is no exception.

    I'm going to ping my awesome colleague @jpgoldberg into this discussion. He is much more knowledgeable about this than I am. Thanks!

  • tonytx05 (Community Member)

    @svondutch thanks for the feedback. I figured it was an oddity so tried to keep the numbers/letters more evenly split. Just thought you guys would want to know.

  • AGAlumB (1Password Alumni), edited April 2015

    @tonytx05: 'Password strength' is somewhat arbitrary, since we are just trying to guess how hard it would be for an automated system to guess a string of characters. Never underestimate the power of 'randomness'. A password that lacks a discernible pattern is the hardest to crack, because then the attacker has to essentially stumble upon it at random, working their way up to it after first trying n other random combinations -- and isn't made easier by going sequentially. I'll take 1884074Q4y7C over 4400183725471049 any day. Just a thought.

    And remember: duck and cover, man; duck and cover. :+1:
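    The two ideas traded above (a meter that awards points per character class and weights digits highly, versus "randomness" as the real source of strength) can be made concrete. The following is an added example, not code from the thread, from 1Password or from passwordmeter.com: `bonus_meter_score` is a constructed, hypothetical additive meter in the style svondutch describes, `brute_force_bits` is the class-based entropy bound such meters approximate, and `generator_bits` is the entropy a uniform random generator actually delivers for a given length and pool. The string `aB3dE5fG7hJ9` is a constructed 12-character alphanumeric sample with an even letter/digit split; the other two strings are the ones quoted in the thread.

```python
import math
import string
from typing import Dict, Tuple

# Alphanumeric pool matching a policy like the one in the thread:
# 8-12 characters, letters and digits only (62 symbols).
ALNUM_POOL = len(string.ascii_letters + string.digits)


def charset_size(pw: str) -> int:
    """Size of the symbol pool an attacker would infer from the classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_bits(pw: str) -> float:
    """Bits of work to enumerate every string of this length over the inferred pool.
    This is the upper bound a class-based meter is effectively estimating."""
    return len(pw) * math.log2(charset_size(pw))


def generator_bits(length: int, pool: int = ALNUM_POOL) -> float:
    """Entropy delivered by a generator that picks each character uniformly from `pool`
    symbols. It depends only on length and pool size, not on which characters landed."""
    return length * math.log2(pool)


def policy_bounds(min_len: int, max_len: int, pool: int = ALNUM_POOL) -> Tuple[float, float]:
    """Weakest and strongest entropy a uniform generator can produce under a length-bounded policy."""
    return generator_bits(min_len, pool), generator_bits(max_len, pool)


def bonus_meter_score(pw: str) -> int:
    """Constructed, hypothetical additive meter (NOT 1Password's or passwordmeter.com's):
    per-character points weighted higher for digits and symbols than for letters,
    a bonus for mixed case, and a hard cap for all-digit strings."""
    score = 0
    for c in pw:
        if c.isdigit():
            score += 4
        elif c.isalpha():
            score += 2
        else:
            score += 6
    if any(c.isupper() for c in pw) and any(c.islower() for c in pw):
        score += 10
    if pw.isdigit():
        score = min(score, 5)
    return score


def compare(pw: str) -> Dict[str, object]:
    """Side-by-side view of what the heuristic meter says versus the entropy bound."""
    return {
        "password": pw,
        "meter_score": bonus_meter_score(pw),
        "brute_force_bits": round(brute_force_bits(pw), 2),
    }


if __name__ == "__main__":
    samples = ["1884074Q4y7C", "aB3dE5fG7hJ9", "4400183725471049"]
    for s in samples:
        print(compare(s))
    lo, hi = policy_bounds(8, 12)
    print(f"8-12 alphanumeric policy: {lo:.2f} to {hi:.2f} bits from a uniform generator")
```

    Running it shows the oddity the original poster noticed: the digit-heavy `1884074Q4y7C` outscores the evenly split sample on the heuristic meter, yet both carry the same class-based bound (about 71.45 bits for 12 alphanumeric characters), and if a generator drew each character uniformly from the 62-symbol pool, both have exactly `generator_bits(12)` of entropy regardless of how many digits happened to land. The 16-digit string is longer but sits at about 53 bits, which is why a purely digit string is weaker than it looks. The practical takeaway for a generated password is that strength is a property of the generator and the policy's length cap (here roughly 47.6 to 71.5 bits), not of the particular characters the meter happens to see.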

  • RichardPayne (Community Member)

    This is an interesting article on the problem:
    http://www.wired.co.uk/news/archive/2013-05/28/password-cracking/viewall

  • AGAlumB (1Password Alumni), edited April 2015

    @RichardPayne: Well, I think that maybe the word 'easy' should have been in scare quotes too. The only easy part is that someone else did all the hard work already! ;)

    I think the most important line in the article (especially as it relates to 1Password) is this:

    What the meters fail to account for is that the patterns people employ to make their passwords memorable frequently lead to passcodes that are highly susceptible to much more efficient types of attacks.

    And this, of course, is why 1Password uses PBKDF2 -- a password cracker isn't actually able to brute force against your Master Password directly. :)

  • RichardPayne (Community Member)

    I think the most important line in the article (especially as it relates to 1Password) is this:

    Agreed

    And this, of course, is why 1Password uses PBKDF2 -- a password cracker isn't actually able to brute force against your Master Password directly

    True, but we weren't talking about master passwords. We were talking about bank security specifically and internet account passwords more generally!

  • MikeT, edited April 2015

    We were talking about bank security specifically and internet account passwords more generally!

    Which is the scary part and not all banks do extra checks such as locking you out automatically after a few incorrect attempts, geolocation blocking (pointless with VPN but still), and so on.

  • AGAlumB (1Password Alumni), edited April 2015

    @RichardPayne: I was referencing the article you linked. If not passwords ('Master' or otherwise), there wouldn't really be anything for people to crack. ;)

  • RichardPayne (Community Member)

    I know @brenty but how many sites use PBKDF2 to hash your password? I would take a stab at "not many".

  • AGAlumB (1Password Alumni), edited April 2015

    @RichardPayne: I understand, and agree that you are almost certainly right! But my point was that password strength (or weakness) depends on more than just length. Context matters.

    I'd hate for someone (not you) to misinterpret the article as 'proving' that the Master Password they use for 1Password is equally susceptible to this type of attack. :pirate:

This discussion has been closed.