75

If I type my password twice (like: PwdThingPwdThing), OR type every character twice (like: PPwwddTThhiinngg) will that make it substantially more secure than it already is?

Assume that it is already 8 or 9 characters, consisting of upper and lower case, digits and one or more special characters.

(Also assume that I didn't tell anyone that I am doing it this way, although I just told the world... Doh!)

I ask because I would like more security in a way that I can still remember, and this would be an easy change to make and recall.

bad_coder
  • 129
  • 4

11 Answers11

101

Let's try skipping theory and going straight to practice.

Will typing the same word twice (or N times) substantially help?

  • John the Ripper Jumbo has a variety of "simple rules" about this

    • d duplicate: "Fred" -> "FredFred"

    • f reflect: "Fred" -> "FredderF"

  • oclHashcat rules based attack has simple rules just for this, too

    • d Duplicate entire word d p@ssW0rd p@ssW0rdp@ssW0rd

    • pN Append duplicated word N times p2 p@ssW0rd p@ssW0rdp@ssW0rdp@ssW0rd

    • Reflect f Duplicate word reversed f p@ssW0rd p@ssW0rddr0Wss@p

  • Therefore, no, this bit of cleverness is so common it's included explicitly in both common rulesets already for use by itself, or in combination with other rules.

OR type every character twice

  • John the Ripper Jumbo has an example specifically about this in the documentation

    • XNMI extract substring NM from memory and insert into current word at I is the core rule

    • "<4X011X113X215" (duplicate every character in a short word) is the example in the documentation to cover exactly your case for short passwords

.

  • oclHashcat rules based attack has simple rules just for these kinds of attacks

    • q Duplicate every character q p@ssW0rd pp@@ssssWW00rrdd

    • zN Duplicates first character N times z2 p@ssW0rd ppp@ssW0rd

    • ZN Duplicates last character N times Z2 p@ssW0rd p@ssW0rddd

    • XNMI Insert substring of length M starting from position N of word saved to memory at position I lMX428 p@ssW0rd p@ssw0rdw0

  • Therefore, no, again, this is such a common bit of cleverness that it's called out explicitly in both major open source cracking products.

Assume that it is already 8 or 9 characters, consisting of upper and lower case, digits and one or more special characters.

The other rules in those products very likely cover everything you're doing already, and it's also likely that whatever combination you have is already included in a ruleset applied to a reasonable cracking wordlist.

  • oclHashcat alone comes with twenty five different files full of .rules, including d3ad0ne.rule with more than 35,000 rules, dive.rule with over 120,000 rules, and so on.

  • a large number of wordlists are available, some of which may include your exact password - the Openwall wordlist alone has a single 500MB file of more than 40 million words including mangled ones

  • and I'm personally aware of both small, very good wordlists (phpbb, et all) and huge, comprehensive wordlists with literally billions of entries, taking up many gigabytes of space total.

As with everyone else, you need to use try randomness or something like an entire sentence worth of personal anecdote that does NOT use words in a top 5000 list of common English words, and does use long, uncommon words (to force combinatorial attacks using much larger dictionaries).

Specifically look, for example, for words selected at (good) random included in Ubuntu's insane english ispell dictionary list that are not included in the standard english ispell dictionary, for example.

Anti-weakpasswords
  • 9,850
  • 2
  • 24
  • 52
  • 42
    @nocomprende To some people, this is enjoyable. To most people, this is highly profitable. –  Feb 02 '16 at 23:01
63

Security.StackExchange is full of questions proposing "home-brew" password strategies. The short answer is always the same: doing something to differentiate your password from the standard dictionary attacks is good - as long as

  1. Very few other people on the planet are also using your strategy. If your "home-brew" strategy turns out to be common - like replacing 'a' with '@' - then it'll get included in the standard dictionary attacks and you're back to square one.

  2. You're not being personally targeted. If you are enough of a high-value target that attackers are specifically trying to break your account, then any pattern you use is a liability because once they know your pattern (say from your leaked passwords from previous leaks) then they'll build dictionaries based on your pattern.

Another trend with this type of question here on infosec, is that someone inevitably references XKCD, so here goes. Remember that computers are good at searching databases and generating lists based on patterns. By using a simple strategy like "doubling every letter", or "the initials of the chorus of my favourite song", etc, you are using a strategy that's easy for computers to guess. The best practice for coming up with a simple password strategy is always: don't. Use a password manager like LastPass to generate and remember a 32-char random password for you. If you insist on having something that you can memorize, then the next best practice is diceware.

If you want to defy all best-practices and invent your own scheme, then I would recommend something emotion-based rather than pattern-based, or something that can be mined out of your personal information. For example a password based on "websites I like", or "TV shows I watch" would be easy to guess for anybody with access to your internet activity, but "things that remind me of ______" where you pick a very different ______ for each password could be hard to guess. (If I thought about this scheme a bit longer, I could probably argue that even this is easy enough to guess, but the point is that it's still better than something purely pattern-based.)

enter image description here

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
  • As I understand it, a password manager is either an application on my computer (which may or may not be secure) or on a portable device (which could be stolen, might not be secure and which I would then have to carry everywhere). Apparently, there are not any human-friendly ways to make computers more secure or... well, friendly. So the technological approach to improving the computer user experience is to add more technology. You can already see that this will not end well, so perhaps we should come up with another way for humans to use computers securely without adding things to their life? –  Feb 01 '16 at 18:31
  • 15
    I agree that password managers lack user friendliness. No arguments there, but they do work, and are more secure than making a password so complex that you can't remember it. Ultimately we need to do away with passwords entirely and move entirely to public key / biometric authentication, but the world is not ready for that. In the meantime, things like password managers, and changing public perception from _passwords_ to _passphrases_ is a good start. – Mike Ounsworth Feb 01 '16 at 18:35
  • @MikeOunsworth How can you use biometric data to get completely rid of passwords? – Maurycy Feb 01 '16 at 20:54
  • 1
    @Maurycy I'm not sure because the commercial offerings are still pretty basic, but "unlock by fingerprint" or "unlock by iris scan" give us an idea of what's coming. The main ideas is that biometrics contain far more bits of entropy than anything that you can conveniently type. Same argument for tokens / cards with public keys on them: far more entropy than you can memorize. The candidate technologies exist to obsolete passwords, but none of them are mature enough for mainstream use. Hence why we keep having these discussions about how weak and stupid passwords are :P – Mike Ounsworth Feb 01 '16 at 21:03
  • 7
    Speaking of "the initials of the chorus of my favourite song": there was a story where someone opened a random book on their shelf, picked a random page, and used a random sentence on that page as a Bitcoin brainwallet password, *and it got guessed* (and they lost all their bitcoins). – user253751 Feb 01 '16 at 21:16
  • 8
    @MikeOunsworth But you can't change the bits of your finger if someone sniffs the data you send, not to mention afaik we don't really calculate a value from the finger image but use the image to check a few points in stored in the database to make sure they match (NOT to mention people frequently have problems with fingerprint unlocking after some exercise, or in some other not extremely rare cases). I guess it kinda falls under "not mature enough", but I find it unlikely you can solve their unchangeability. I could imagine fingerprint being used to unlock my keepass db though! – Maurycy Feb 01 '16 at 21:27
  • 2
    @Maurycy Right, I'm imagining a fingerprint scanning chip on your motherboard that releases an SSH key to the OS, where you could rotate your SSH key daily if you want. I'm not an expert in biometrics though, so I'm guessing just as much as you are. – Mike Ounsworth Feb 01 '16 at 21:32
  • 1
    @Maurycy I remember finding out that the US government will actually allow people to get a new social security number if their identity has been stolen. I was surprised. Of course, the government keeps records of the old number, because your history has to continue to exist. I suppose the the biometric data would be like the User ID part, publicly known, with no reason to change it. Something else would have to serve as the private, undisclosable (even by me) "password" aspect. My DNA or something. –  Feb 02 '16 at 00:04
  • 2
    @nocomprende Except it's even easier to get your DNA than your fingerprints or iris scan. That's part of the reason why passwords actually work - in the best scenario you can keep them in your head and no one can force them out (at least yet). – Maurycy Feb 02 '16 at 01:02
  • 2
    @Maurycy I think the CIA has something to say about that :p – d0nut Feb 02 '16 at 01:31
  • 1
    Never ever use something as authentication secret what you can not change and what you are spreading around everywhere. With other words: Please don't use biometrics as an authentication secret. – Noir Feb 02 '16 at 15:48
  • @Noir who is that comment aimed at? If you read the comments, what I'm proposing i- a biometric chip on your motherboard that would release an SSH key to the operating system. You're free to change that key as often as you'd like. – Mike Ounsworth Feb 02 '16 at 15:52
  • @MikeOunsworth But if someone wants to break into that protected storage it's the same scenario like breaking the fingerprint reader of a smartphone. Protecting the SSH key with a strong passphrase has the same effect but you can change the passphrase. – Noir Feb 02 '16 at 16:09
  • 1
    @Noir I was objecting to you saying "spreading around" since the biometric data's not leaving the device, but I see your point that with a physical token (ie smart card) you can destroy the card and get a new one, but if someone gets my fingerprint then any fingerprint scanners I use in the future are also vulnerable. Fair. – Mike Ounsworth Feb 02 '16 at 16:13
  • 3
    @Maurycy continuing with the XKCD theme... https://imgs.xkcd.com/comics/security.png – duzzy Feb 02 '16 at 19:41
  • 1
    I guess no one realizes the first 9 letters in the first password in the comic actually represents a Pokemon... no wonder it is easy to guess :) – Anthony Pham Feb 02 '16 at 21:58
  • 5
    @MikeOunsworth, you may also want to read ["Your Unhashable Fingerprints Secure Nothing"](http://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/). – Wildcard Feb 03 '16 at 07:42
  • 2
    @Wildcard Thank you for that link, that is an excellent article. I now feel silly for my previous comments. – Mike Ounsworth Feb 03 '16 at 14:35
22

In general, no, doubling the password does not substantially increase (or decrease) your security. What it doubles is your typing effort. Doubling your password may decrease your security if it incites you to choose a shorter/easier base password so that your typing effort is not too cumbersome.

In broad terms, password security comes from its randomness, i.e. how much the attacker does not know. In the case of "doubling", this is a one-bit information (i.e. whether you applied it, or not), so, mathematically speaking, it is one extra bit of entropy. That's not much. Typing eight extra characters to gain a single bit of entropy is meagre; this is not a good bargain.

All witty tricks share the same fundamental problem: they are witty. They rely on the attacker being stupid, incompetent or archaic. This does not hold in practice, except against attackers who really are stupid, incompetent and archaic -- the gods know that they are many of them, but they are not a big problem, because they would not know what to do with your password. The attackers that you should worry about are the smart ones, who can enact substantial damage to your digital assets in a short time; these smart attackers won't be much deterred by your password doubling trick.

Consider reading this famous question to get some information about what makes a password "strong", in particular the entropy maths in that answer.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • 8
    It's more than one bit, unless at least 50% of people double their password. – user253751 Feb 01 '16 at 21:14
  • 2
    @immibis: ah, that's the catch. Doing something that "most people won't do" is not the same as doing something that "the attacker won't try first because most people don't do it". Claiming that you gain more than one bit through password doubling is making a bet on the attacker's indifference or incompetence. Unfortunately, this does not hold against the most dangerous attackers, who are after _you_, personally. – Tom Leek Feb 02 '16 at 15:30
  • 6
    Also, the field is very dynamic. E.g. if most attackers try passwords in alphabetical order, then users begin to start their passwords with 'zzz'. Pretty soon, attackers adapt and start doing enumeration in reverse order. Or in _random_ order, which guarantees attackers against worst cases. Trying to play tricks depending on average attacker behaviour tends to backfire. The notion of entropy is what remains when the attacker knows _perfectly_ how you generate passwords -- thus, entropy is the only robust foundation for password security. – Tom Leek Feb 02 '16 at 15:32
  • 1
    I think that hackers are working too hard. They should just try an ordinary job, it is much easier! –  Feb 02 '16 at 17:32
  • 3
    I like your point about eight letters to gain 1 bit of security. Compare to some random English 8 letter word, which would gain you maybe 10 or 12 bits of entropy. – corsiKa Feb 02 '16 at 19:16
15

My password cracker already tries letter doubling, word doubling, word reversing and doubling, word-case-flipping and doubling...

...and many more.

Yep. Doubling adds some to the difficulty: about four bits worth, tops. It'd take me sixteen times longer to crack, than a raw dictionary attack with letter replacements.

But I'd eventually get BAdpA55!!22AqbA8.

Dewi Morgan
  • 1,340
  • 7
  • 14
  • So, what strategy would defeat your password cracker? –  Feb 02 '16 at 02:13
  • 8
    The strategy that everyone is recommending: a long *truly random* string. And use a keyfile or other kind of auth at the same time too, if at all possible. I like password managers myself (I use LastPass but haven't really done any kind of a review of what's out there, I just used the first product that worked. Various of my friends swear by various other products). But the thing that worries me about them is that you then have a single point of failure: one password protects all the others. – Dewi Morgan Feb 02 '16 at 03:28
  • 8
    This is why I advocate that the "real" password should be something that nobody knows, including you. It IS you. Your dog would know an imposter in about 500 millisec. That is what we need. And, if the dog did get fooled, it would get plenty mad when it found out. So we need computers to be intelligent, with full sensory capability, and as strong as a gorilla. Wait a minute... –  Feb 02 '16 at 17:37
  • 1
    @no comprende: And then you come home drunk and your dog doesn't recognize you (because you smell funny, and speak funny, and walk funny, and act funny; as far as the dog is concerned, you ARE NOT "you." BTW this scenario actually happens quite often IRL). And *it gets plenty mad*. What exactly did you train the dog to do to intruders? Oops. (In other words, your scenario is built on the invalid premise "false negatives never happen.") – Piskvor left the building Feb 04 '16 at 13:35
5

Humans are surprisingly predictable creatures. The way we think is not nearly as unique as we would like to believe. Chances are, any clever thing you can think of to make your password more secure, has already been thought of by lots of other people, and hackers are well aware of all of these clever tricks.

The only way to make a password properly secure, is to make it long and random. Remove the human fallibility from the equation. If a password is so complex you can't possibly memorize it, then it may be secure enough.

Password managers are extremely helpful. They allow you to make every password you use unique, and every password completely random.

You obviously need to ensure that your password manager database is secure though, and cannot be accessed remotely.

user1751825
  • 915
  • 4
  • 10
  • So, the answer is to protect the passwords and the software with another password and more software? I have two bridges in New York to sell you... –  Feb 02 '16 at 17:40
  • 2
    The services requiring secure passwords are remotely accessible. My password manager program is not. – user1751825 Feb 02 '16 at 23:39
3

There are a lot of factors but it ultimately breaks down to what type of password cracking are you trying to protect against. Against a brute force hack increasing the length of the password will make it harder to crack. Assuming their hashing isn't horrible a decent 8 or 9 character password should already be very hard to impossible to brute force crack. That means doubling it by typing each character twice or typing the same password twice really doesn't do much.

Once your password is long enough to be safe against a brute force attack then you have to start worrying about dictionary attacks, combination attacks and other things like that. Either of the things you suggest would be easy to include in a rules based attack and any value in additional security from that is depending on it not being commonly done and not being included in their set of rules.

  • Here's a great article that backs up your point: [link](http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/). – Mike Ounsworth Feb 01 '16 at 22:10
3

Link to zxcvbn password entropy demo.

According to zxcvbn, your initial password's stats:

Normal: PwdThing

 Guesses:
    100 / hour:     5 months    (throttled online attack)
    10  / second:   58 minutes  (unthrottled online attack)
    10k / second:   35 seconds  (offline attack, slow hash, many cores)
    10B / second:   less than a second  (offline attack, fast hash, many cores)

Doubled: PwdThingPwdThing

guess times:
100 / hour:     9 months    (throttled online attack)
10  / second:   2 hours (unthrottled online attack)
10k / second:   1 minute    (offline attack, slow hash, many cores)
10B / second:   less than a second  (offline attack, fast hash, many cores

Letter Doubled: PPwwddTThhiinngg

guess times:
100 / hour:     centuries   (throttled online attack)
10  / second:   centuries   (unthrottled online attack)
10k / second:   centuries   (offline attack, slow hash, many cores)
10B / second:   12 days (offline attack, fast hash, many cores)

zxcvbn might not be perfect, but I feel like it gives you a pretty good ballpark estimate of your password strength. Play around with it to get a nice memorable password with a high rating.

I prefer sentences to use as passwords. They're long, and inherently difficult to guess and easy to remember.

EX: "My 2nd favorite fruit, on Mondays, is mango!" (spaces included where allowed)

If you're worried about the NSA brute forcing your password... I'd go with the generated passwords everyone else is talking about.

SethWhite
  • 131
  • 3
  • 4
    Although this is a great comparison of the different options, it does not take into account the pattern being known. If the pattern is known, there is no difference between "PwdThing" and "PPwwddTThhiinngg". The required element is that the password pattern is kept secret along with the password content. – schroeder Feb 02 '16 at 22:22
  • 3
    Apparently, the best solution is to destroy the attackers. –  Feb 02 '16 at 22:33
1

Two things make a password more secure: Length and randomness. So, the answer to your question is definitively Yes, you are increasing security of your password.

But in general, your initial password is not super secure because it uses words that can be found in a dictionary. And, the doubling is just a repetitive pattern that an cracking algorithm can easily do to too. So, not only double your password, make sure what you double aren't actual words.

  • Right, I did say in the question: "*Assume that it is already 8 or 9 characters, consisting of upper and lower case, digits and one or more special characters.*" I guess the even password length is the big giveaway that I typed it 2x, right? I mean, lots of people probably do that. 50% of all passwords are even length... –  Feb 01 '16 at 23:56
  • Yea, sorry, didn't read carefully enough. But still, the longer the better. I prefer passwords > 12 char (including the stuff you are mentioning). –  Feb 02 '16 at 03:03
  • "50% of all passwords are even length..." May I ask what you think that percentage SHOULD be? – J Kimball Feb 02 '16 at 13:38
  • 1
    @JKimball "40% of all employee absences are on Mondays and Fridays! It's a scandal!" (from a Dilbert comic) –  Feb 02 '16 at 17:38
0

adding length to a password does substantially increase the security of a password so I think typing your password twice or doubling every character is better than not doing it and using a shorter password of 8 or 9 characters. Refer to this link to read more about how increasing password length significantly improves its security: https://www.grc.com/haystack.htm

user98942
  • 17
  • 1
  • 3
    I don't buy their basic premise. Their premise is "Once an exhaustive password search begins, the most important factor is password length!". This is not realistic: who does exhaustive searches!? Real-world password crackers do dictionary lists, and if that fails, they do permutations of dictionary lists, and if that fails, they construct phishing (or spear-phishing) emails. As a counter-example, that site would argue that "password" is significantly stronger than "passw" because of its length, despite it being the first thing that any dictionary attack will try. – Mike Ounsworth Feb 01 '16 at 20:41
0

The length of the password is always a key factor in password security but try to improve the content also, doubling the password may help against the pratice with HYDRA/Dictionary attacks

silentcallz
  • 11
  • 1
  • 1
  • 5
-2

@SethWhite - believe you have given the most accurate answer.

Many users don't understand the avenues and methods used to break a password. Also there are additional security measures such as port blocking for unknown http/ftp callers. Someone better versed should explain.

Seth shows that there are at lease four different avenues to breaking a password the hard way. Easiest way is to Phish, look under keyboard, sticky notes on monitor for slip of paper etc.

Passwords are only part of what is protecting your data from attack. Your password(key phrase) is used to generate a random long binary(machine code) sequence that can only be decoded with your password and the sofeware algorythm that encoded it. So anyone just trying to guess this binary sequence (HASH) on the base data (without using the decoder software that a login page uses) will have to try randomly starting with the first byte until they randomly guess all bytes. This is what Seth shows as Brute force and you need lots of time and many cores for 64,128,256,512 byte HASH lengths. Time to hack goes up exponentially with length. The HASH length is based on the password size so longer password longer HASH longer brute force time.

I believe Wikileaks took many months to break the code but most HASH can be broken. I would think the data-service center hacks were dictionary attacks where the hacker used the login decoding software to guess the passwords. Dictionary attacks therefore usually have some kind of access to the system your data is on not just the data.

Fore instance as I understand the throttled online attack picks away over an http connection, possibly supported by a hacked cookie(small usually helpful program installed by web-servers) to "Dictionary attack your system".

Conclusion: long random passwords ("PPwwddTThhiinngg" counts) help a great deal to stop both kinds of attacks. Password length and complexity should reflect the danger to dictionary attacks and sensitivity to the information stored.

P.S. My family hates me because our home-wireless-network is protected by a 128 byte random key-phrase.

hdunn
  • 1