6

I'm generally against too strict or complex rules to accept passwords (rules like "It must contain at least one upper-case character, one number and one symbol" and things like that, see also XKCD #936: Short complex password, or long dictionary passphrase?). Usually I prefer calculate a strengthness metric (based on special characters included and length) and if it's above a give threshold then I accept the password, no matters if it's strong because it's a 32 characters plain lower-case text or because it's 10 characters but it also contains digits in Chinese characters).

I like this approach because it's easy for end-users and, assuming well-educated users will choose passphrases, I tend to consider their passwords reasonably secure.

However:

  • Users may wrongly use incredibly common sentences (my name is adriano or things like that). As soon as good statistics will be available (maybe they're even available now but I'm just not aware) an attacker who gained list of hashed passwords may use those statistics to guess passphrases.

  • I can't be sure about other sites security and I'd like to prevent users to reuse same password for every site they have a registration.

I thought to ask them to include a given random word in their password, something like: Type your password, be sure to include word "honey" in it. Is it reasonable? AFAIK it shouldn't weak hashing with repetitive word/pattern because word is chosen randomly from a big enough (and language specific) dictionary.

Yes they may simply append required word to existing text (for example "my name is adriano, honey") but from cracker point of view it shouldn't matter because word is random and eventually extra separators will also improve security.

Adriano Repetti
  • 261
  • 1
  • 10

3 Answers3

6

Type your password, be sure to include word "honey" in it. Is it reasonable?

No, it's not.

  • Random password generators might not support the addition of a specific word.
  • It's harder to remember for users who don't use password managers.
  • It encourages users to choose a shorter password than they could have used without the condition, just because they want to remember it easily.
Benoit Esnard
  • 13,979
  • 7
  • 65
  • 65
4

If you have a public registration page, then you should assume that any password restrictions you require your users to follow will be known by an attacker. This is because anyone can begin the registration process to see what the password restrictions are. Simply by visiting the page many times an attacker could build their own dictionary of required words and effectively wipe away any possible advantages of having it in the first place.

Now consider that there are some disadvantages, (already mentioned in other answers), the net result of this idea is: Not Recommended.

TTT
  • 9,132
  • 4
  • 19
  • 32
  • 2
    I disagree that providing an attacker with a list of system words removes the advantage of inserting those words into passphrases. The attacker still must guess the correct base passphrase as well as the correct system word (and possibly where it was inserted). Assuming thousands of possible system words this exponentially increases the effort required from an attacker to find a valid passphrase. – PwdRsch Mar 14 '16 at 17:18
  • @PwdRsch - Suppose your password has a minimum length of 10. Which is easier to crack, a 10 character password which you know contains a word from a known list somewhere in the password, or a 10 character password that doesn't necessarily have any words? (Full disclosure: I'm baiting you to reply a certain way...) – TTT Mar 14 '16 at 17:56
  • 1
    Most passwords do contain words, so I don't know how much practical difference there is between your choices. The requirement could produce worse passwords on average, or it might not. I'm not aware of any studies on how user behavior changes if they're required to insert a supplied word into their normal password creation process. They might just add the word on the end of their normal password or they might create a brand new password around that word with familiar modifications. However, I suspect you just want me to say that an attacker benefits from knowing a password contains a word. – PwdRsch Mar 14 '16 at 18:22
  • @PwdRsch - Actually I was expecting you to say my comparison wasn't fair. You could argue that I should be comparing a 10 character pw with a 10 character pw which is made longer by inserting a word into it somewhere. If you compare it that way, then I would agree with you. – TTT Mar 14 '16 at 18:28
  • 1
    @PwdRsch - but then my reply would be to simply increase the minimum length by the length of the word instead. Instead of having a 15 character minimum requiring the use of the word "honey" (or other words) in the pw somwhere, you could just make it a 15 character minimum in the first place and skip the word requirement. – TTT Mar 14 '16 at 18:31
1

One problem with that idea is that users are really predictable. If you get them to include a word, chances are they will make a short phrase with that word in, and, given that they are on the internet, it'll probably be obscene.

For example, if given the word "honey", you're likely to get variations on "BloodyHoney", "F**kingHoney", "I hate honey". You can pick as large a dictionary as you want, but you're likely to infuriate users, so running a dictionary attack against it with expletives prepended and appended to common words is likely to give at least a few hits.

You also annoy people who use password managers - they have to set up specific rules for your site, so are more likely to just leave. I do that with sites which have limited special character rules, and I'm more lenient than some people I know!

Matthew
  • 27,263
  • 7
  • 89
  • 101
  • I think expletives are only going to be more common to a certain demographic of user. What may be *more* common in general is simple substitution for zero being O and 1 being I or L, *etc* . `h0neybuns` is I suspect more common than `f**khoney` etc. – Martin Mar 14 '16 at 11:12
  • @Matthew you're right but I'd still apply existing rules to calculate password strongness then "BloodyHoney" will be rejected because of _low entropy_ but "this is my common BloodyHoney password" won't. – Adriano Repetti Mar 14 '16 at 11:16
  • @Martin Wouldn't be so sure... Have a look through lists such as https://github.com/danielmiessler/SecLists/blob/master/Passwords/10k_most_common.txt and there is a depressing number of expletives. – Matthew Mar 14 '16 at 11:27
  • 1
    Of 10k passwords my browser finds only "36 f--ks, 13 sh-ts, 13 c-ck, 6 bitch and only 2 c--ts" . And depressingly, only 1 blowjob and 1 whore. Overall there seems to be significantly less than 1% containing any permutation of rude or offensive words. This is actually a really interesting list of 10k words and would be curious seeing which characters/syllables are more common on a distribution graph . – Martin Mar 14 '16 at 11:34
  • Correction: not "significantly less than", but in total about "1% of 10k passwords contain any permutation of words generally found offensive". – Martin Mar 14 '16 at 11:57