19

I want to start using a Keepass master password that I can easily remember.

Let's take this sentence: I really hate blue mountains, and let's make it one password: ireallyhatebluemountains.

Is this strong enough as a Keepass master password?

I hear that we should always include capitals, digits and special characters but if this really a requirement?

WoJ
  • 8,968
  • 3
  • 33
  • 51
drake035
  • 453
  • 1
  • 4
  • 11
  • 4
    Related: [XKCD #936: Short complex password, or long dictionary passphrase?](http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase/) – Yuriko Mar 16 '16 at 09:46
  • 1
    Forgoing complexity could make your KeePass database more susceptible to dictionary attacks. Besides, it's only ONE password to remember and it replaces all your other passwords, might as well put some effort into making it a good one. – Fluffy Mar 16 '16 at 10:16
  • 3
    What do you find special about "password complexity for Keepass" as opposed to just "password complexity"? Why does this question require to be so specifc? – techraf Mar 16 '16 at 10:52
  • 2
    @techraf Because this is the master password, the key to all other passwords. That makes it special, because it makes it uniquely valuable. – Xander Mar 16 '16 at 12:57
  • Hmmm... If you would use the same password to protect all your savings, how does it influence its strength? – techraf Mar 16 '16 at 13:00
  • 1
    @techraf One difference is that there are no brute force protections against cracking Keepass or other offline files, and it's worth doing if you can - you get lots of data. Web services can prevent thousands of trials against a single endpoint, and would probably spot unusual traffic. If I can get your Keepass database, though, I can keep attacking that with no limits except my own computer power. – Matthew Mar 16 '16 at 13:08
  • 1
    @Xander In a perfect world, all your passwords should be equally "very complex" and tools like Keepass are there simply for convenience. – WorseDoughnut Mar 16 '16 at 13:19
  • @Matthew I am not questioning the validity of the question, I was asking if it must be phrased in a way that limits it to the Keepass, instead of being more universal. On the other hand, your comment reads more like an answer (and so far no one pointed out that this factor influences "strong enoughness") and I would encourage you to move it to more visible place. – techraf Mar 16 '16 at 13:28
  • 1
    @WorseDoughnut Nonsense. In a perfect world, all risk mitigations (including strength of authentication controls and credentials) would be commensurate with the risks themselves. A control should be no more complex or expensive that the information being protected dictates. – Xander Mar 16 '16 at 13:46
  • 3
    @WorseDoughnut Now, in a *practical* world (read, not perfect) it's relatively easy to use complex passwords everywhere, thanks to tools like KeePass and 1Password. This makes the data they contain very valuable, and thus worthy of a particularly strong password. – Xander Mar 16 '16 at 13:48
  • @Xander I say, OP should just make a few different accounts on services like that, and make their initial Keepass password the bottom-most layer; passception. – WorseDoughnut Mar 16 '16 at 13:52

5 Answers5

18

Let's first establish clearly what should be a common sense truth: A password manager master password is a very high value secret. (This is irrespective of which password manager you are using.)

This is for a rather simple, fundamental reason: this one password, together with the encrypted password database that it protects, essentially allows full access to every account for which you have credentials stored within that database.

Thus, you should ensure that this password has a corresponding level of security. Traditionally, this has led to the use of weird password schemes which have tried to combine the goals of making passwords memorable as well as making them secure. With today's computing resources, that's just not a practically achievable goal with a simple password any longer.

Instead, I like to recommend Diceware style passphrases. (Diceware is similar to the scheme described in XKCD 936, but more explicit on how to gather the randomness. Also, in Diceware, if the generated sequence of words makes sense linguistically, you are actually supposed to start over.) In proper Diceware, you use a random physical process (throwing physical dice) to gather randomness, then convert that randomness into words by looking up the numbers in a list of words. In the specific case of Diceware, you use five throws of ordinary six-sided dice to generate about 12.9 bits (log2(6^5) = log(6^5) / log(2) ~ 12.92481... bits) of randomness per word. While for reasons of physics regular play dice tend to not be perfectly fair (produce every value with equal probability), if this is a concern to you then it is possible to buy "casino dice" that are perfectly fair; however, the error is likely small enough that a single extra word accounts for any reasonable reduction in dice fairness, and you can easily test your own particular dice by making a reasonable number of throws and noting how many times each value comes up (which with perfectly fair dice and a large number of throws should be 1/6 the number of throws, because the dice is six-sided).

Since we normally assume that an adversary knows how you generated your password or passphrase but not the exact input or end result, this means that the adversary knows that you generated it using the Diceware method and dictionary. They might very well even know the length of your password.

Given those assumptions, we can actually directly calculate how difficult a Diceware passphrase is to guess: For a properly generated Diceware passphrase, each word corresponds to something very close to 12.9 bits of security. For a reasonably well generated passphrase using ordinary play dice, this is probably a little less simply because all values are not equally probable.

For a high-value password where an offline attack is a feasible mode of attack, such as that to a password manager, I'd probably want at least 90-100 bits worth of security. 100 bits worth of security using Diceware needs eight words. (100 / 12.9 ~ 7.752, and round upwards.) Since the average Diceware word is about 4.2 characters, and you need a separator (conventionally a space) between them, this means a passphrase giving you about 100 bits of security becomes approximately 41 characters long. (8 x 4.2 characters, plus 7 separator characters, is 40.6.)

For comparison, this is less than twice the length of your example ireallyhatebluemountains (which clocks in at 24 characters) but, as also illustrated by the other answers, is far more secure in practice and not much more difficult to remember. Your example password would essentially need to be generated completely randomly for it to have similar security (100 / log2(26) ~ 21.3 characters to get to about 100 bits: log2(26^21.3) ~ 100.12).

user
  • 7,700
  • 2
  • 30
  • 54
  • 2
    Does the fact that KeePass uses a key derivation function, with a configurable number of iterations, introducing a delay in testing the validity of the password mean that we can get away with a password with less entropy and still maintain the same level of security? – Xavier Poinas Apr 30 '18 at 23:12
  • I'm sorry, but a 41 character password that I need to type after every restart sounds horrible! Even a random [a-zA-Z0-9] password would reduce the length to 16 characters (95 bit) and I'd argue the little extra time I need to memorize 16 characters instead of 8 words is worth it. – JFB Sep 26 '19 at 09:23
6

It all depends on entropy as seen in @Yuriko's link but also on a related concept: the basis.

Entropy

The entropy is a concept coming from thermodynamics. It basically represents the number of possible states reachable by a given system. In practice, in the computer-security realm, it is related to the number of combinations ("states") that exist, that is to say, the number of possible passwords one has to try before guessing correctly.

For instance, take your 23-letter password. Using only the 95 ASCII printable character, the attacker would need to try at most 2e45 passwords to correctly guess it. This value (2 followed by 45 zeros), is directly related to the entropy we are talking about. If that value goes up (because you added one character in your password for instance), the entropy goes up which means that your password becomes stronger.

This is the exact reason why you can hear that people should use longer password, not complex-to-remember ones.

Basis

The concept of basis comes from algebra. Without going into much details, the basis represents the available building blocks to represent a system. In practice here, the basis is your password building blocks: the available letters.

For instance, I've just written about "95 printable ASCII characters". This is a basis: to create a password, your are allowed to use letters from those 95 letters. Another basis could be "the 26 lowercase basic letters" or the "52 upper and lowercase basic letters" or "the set of lowercase letters minus 'l' and 'o' with all the numbers".

The basis can be even more complex:

Your password must be composed of a series of existing words.

or

Your password must be at least 8-character long. It must be composed of alphanumeric characters plus ':', ";" or "!". It must contain at least one uppercase letter.

can also be expressed as a basis.

Minimal basis

The minimal basis is the smallest basis that can be used to express the password that the attacker wants to guess. In our case, the minimal basis for your password is a set containing your password only. :)

However in the case of a real attack, this is exactly what we want to know. Yet attackers will choose a basis that is deemed large enough but not too large in order to avoid expensive calculations.

Now let's imagine that the attacker uses the basis "all the 26 basic lowercase characters" to crack your password, it would require at most 4e32 (4 followed by 32 zeros) guesses to be sure to get your password. Even at a testing rate of 1 billion passwords per seconds, it would still be quite safe.

Now let's imagine the attacker uses the basis "common english words" (2000), then it would require at most 3e16 guesses, which can be done within a year.

This is one of the reasons why some people still recommend to force the use of a larger minimal base by imposing rules at password creation time. That means that if you are using a basis element (character, word, etc.) that is not included in the basis the attacker chose, he just cannot guess your password. That means that the only attackers able to find your password would need to use a larger basis which will require a lot more time.

Strong enough password

Now I guess that you understand the relationship between the entropy and the basis: the larger the basis, the larger the entropy. Said otherwise, the entropy is related to:

(basis size)^(number of basis elements)

The whole point of the XKDC comics is to understand that increasing the basis size is something our brain is not good at: the result seems more random but it is not (and it is generally harder to remember).

To paraphrase what the author already said, take an 8-character password: it will be 2000 faster to try all the possible combinations if the attacker knows that the password is made of "the 26 lower case letters and 10 numbers" than if he thinks there can be any ASCII characters in it.

In comparison, just add 3 extra character to the original password and you already are 20 slower than the 8-character ASCII password.

Randomness

Most password cracking programs contain a statistical analyser (or the results of previous analysis). The purpose of this kind of code is to adapt or tweak the attackers minimal basis to the human mind and habits.

For instance, most people capitalize the first letter of their password when they have to. This is so common that this is tested in priority. Most people who use words as basis elements tend to create sentences. Some letters are more likely followed by some other letters, etc.

To avoid that and get the maximal entropy out of your password (and therefore the strongest passwords), you need randomness to defeat all these statistical attacks.

This is one thing that your current passphrase lacks.

Should I include capital, digits, etc?

  • If it is easy for you, why not: this contributes to increasing entropy and it forces the use of a larger attack basis set, which are good things.
  • If it is not easy for you, just add a new word to the mix and you would get roughly the same effect on computing times.
  • However you should make your password more random.

A few warnings:

  • I have always talked about "time to test all combinations" or "would require at most...": this is the realm of statistics. There is a probability that you guess right at your first try, second try, etc. There are remarquable values that people throw like the square root of the number of combinations (birthday paradox should ring a bell here). However these are useless for qualitative discussions like this one.
  • I have always talked about quantities "related" to entropy: these are not directly entropies but they are easier to understand.
JPatta
  • 664
  • 4
  • 5
2

Basically Yuriko already told you the answer to this question.

Complex passwords are dead for some time already. In fact, I get really mad when some service forces me to use some complexity because it's just useless. You always end up either forgetting the password or with very similar passwords (which is not the same as reusing the same password, which is even worse).

So the bottom line is, it's better to use a simple but longer password than a short complex one. If you want to add some complexity, for example for not using just small case chars, capitalize some of them, for example the beginning of each word (IReallyHateBlueMountains), the first and the last chars (IreallyhatebluemountainS), or whatever other pattern (ireallyHATEbluemountains).

No one would be able to guess any of those passwords with any cracking tool.

WoJ
  • 8,968
  • 3
  • 33
  • 51
The Illusive Man
  • 10,587
  • 16
  • 58
  • 89
  • 2
    Not entirely accurate - length is good, and the best way to prevent brute force attacks. However, password safe tools don't have brute force protection. That means that it's possible to use longer term attacks if you can get the database, which might be sentences with common case variations (e.g. CamelCase). The attack methodology is slightly different to a web service, in that you can generally try as many attempts as you like - it's just a file to decrypt, with a well known structure. I'd be tempted to add some special chars to frustrate that - and as 1 password, it should still be memorable – Matthew Mar 16 '16 at 13:05
  • Just adding predictable capitalization to a predictable phrase does not add any meaningful security. Although a predictable phrase is better than a *really bad* one-word password even with 1337-style substitutions, it's still not a very good master password. – Ben Mar 16 '16 at 16:09
2

For your exact example, "I really hate blue mountains": no, it's not a strong enough password. But probably not for the reasons you think.

It has nothing to do with the complexity of the password, i.e. it is not weak because it lacks capital letters, numbers, special characters, etc.

It is weak for two primary reasons:

  1. It lacks randomness. Written English is very low on unpredictability. Passwords NEED unpredictability to be strong. If a password cracker is trying 5-word phrases, and has already chosen the first two words as "I" and "really", then probably the first word it will try for the 3rd position is "hate" (or "love", "don't like", "like", etc.). The best way to get unpredictability is to choose words randomly from a list, for example using Diceware. But if you like, you can still form a semi-coherent sentence by drawing your first word from a list of nouns, your second from a list of verbs, etc. to make a "Mad Lib" style password. Unfortunately it still takes a lot of effort to track down big lists of words separated by parts of speech.
  2. It only uses five words. Even assuming you selected your words completely randomly (which I doubt, since it's a coherent sentence), 5 words is not enough for meaningful security (unless you drew from a very large word list). You need 6-7 words minimum in a good passphrase if you want to defeat modern password cracking techniques. More if you use smaller dictionaries for your random selection of words. For example, using the standard diceware list, 6 words may suffice (7 or 8 is better); but if you use the NGSL which has something like half the possible words, then you'll definitely need to add a word or three.

Since you're using KeePass, I may as well recommend the WordSequencer plugin for generating your master password. Full disclosure: I contribute to this plugin's development, so I may be a bit biased.

Also important: make sure your database is set up with a high number of key transformation rounds to make it harder on any attackers who may come across your database. The default value is not very secure. A stronger value can make a mediocre password "secure enough", but the default value will cause the same password to fall very quickly.

Ben
  • 3,896
  • 1
  • 10
  • 22
1

You need entropy if you want your password strength to me measurable. It is impossible to estimate the amount of entropy in I really hate blue mountains because nobody knows the method that you used to generate it. You could chance that an attacker won't guess how you generated it assuming all attackers that would target you are not as clever as you, or you could use maths to ensure that any clever attackers that want to target you have an unfeasibly large challenge ahead. If you "just thought of it" it is possible it is not really random at all.

Also note, as JPatta points out, if your chosen password happens to fall within the wordlist or character set that an attacker is using, then the entropy is reduced. The zxcvbn "password strength" meter does a good job of showing which word lists and character sets your password can be reduced to, and the amount of effective entropy thereof.

If you want to go for the latter approach then you do this by having lots of password entropy - the NIST recommendation of password entropy is 80 bits.

80 bits in your password would take a determined attacker 54,764 years on average to crack (the link shows maximum time). Remember this is bits of entropy, not bits in the end-result (e.g. a random word isn't the number of bits taken to represent that word, it is the number of bits taken to represent your choice in your list of words). This means that your password generation mechanism should be totally random (the human brain is not random enough for this, although a cryptographically secure random number generator is).

If you want it to be memorable, use a scheme such as Diceware. For this you need 7 dice words (each word is ~12.9 bits of entropy).

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
  • 1
    Yes we know how to calculate not only an estimate, but the exact amount of entropy that a password has. It only depends on the chosen basis. The method you used to generate it is irrelevent, it is the method used to attack that is. Example: "aaaaaaaaaaaaa" can be generated randomly from a basis containing all the ASCII characters from a very strong random number generator. Yet it belongs to much smaller basis sets (all lowercase alphabet for instance) which makes it attackable. Yet I second everything else you said. – JPatta Mar 21 '16 at 08:36
  • 1
    Good point. I've now integrated this into my answer. – SilverlightFox Mar 27 '16 at 10:31