0

People say don't use passwords in the dictionary but if you use two words isn't it alright? Dictionaries have at least 10,000 entries so just two words will be 100,000,000 possibilities (and that's given if the attacker somehow knows it is an English word).

Is there something about the way passwords are stored that make them easier to crack if they are all numeric or all alphabetical characters?

curiousguy
  • 5,038
  • 3
  • 25
  • 27
Celeritas
  • 10,089
  • 22
  • 79
  • 144
  • 2
    possible duplicate of [XKCD #936: Short complex password, or long dictionary passphrase?](http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase) – Gilles 'SO- stop being evil' Jun 27 '12 at 00:58
  • 2
    and yes, that's not the exact same question, but it has the answer. – Gilles 'SO- stop being evil' Jun 27 '12 at 00:58
  • 1
    "_passwords in the dictionary_" what does that mean, really? Did you open a 10000 words dictionary **and picked a word at random in it?** – curiousguy Jun 27 '12 at 02:24
  • 1
    possible duplicate of [Can a dictionary attack crack a Diceware passphrase?](http://security.stackexchange.com/questions/10294/can-a-dictionary-attack-crack-a-diceware-passphrase) – David Cary Jun 27 '12 at 05:15
  • I refer you to Schneier's "The Security of Multiword Passphrases:" http://www.schneier.com/blog/archives/2012/03/the_security_of_5.html – Sam Whited Jun 27 '12 at 13:41
  • Another article: [Analyzing the XKCD Passphrase Comic](https://xato.net/passwords/analyzing-the-xkcd-comic/) – Mark Burnett Jun 27 '12 at 16:58
  • 2
    100,000,000 possible combinations isn't very many. That is like counting to 10 for an average human. – Ramhound Jun 29 '12 at 14:06
  • @Ramhound but the account will be locked out – Celeritas Jun 29 '12 at 19:09
  • @Celeritas, only if you're talking about an online attack against a live website. That's not how most passwords are cracked anymore. – Ben Dec 04 '17 at 15:46
  • @MarkBurnett, oddly enough, unlike most analysis I've seen, the author seems to misunderstand the comic, get the math completely wrong, but arrive (incorrectly) at the correct conclusion. THE KEY TO THE XKCD SCHEME IS TO PICK THE WORDS RANDOMLY. Bruce is correct, the scheme sucks if the words are not random, but does not take into account that randomness is key to the scheme. The author of the other link uses obviously non-random phrases, but does math as if the words were chosen randomly, coming to the correct conclusion that the XKCD scheme is strong. – Ben Dec 04 '17 at 15:52
  • @Celeritas that IS how most accounts are attacked. However, you are correct in that you can't just defend against online attacks and call it a day. You must defend against offline attacks in the event that your password database gets compromised. You also have to assume that the website in question has a Fail2Ban type service running. – Monica Apologists Get Out Dec 04 '17 at 15:56
  • Why not use 4-5 words with a couple numbers mixed in? Looking around my office, an easy to remember password made up in a few seconds might be: 19BlackKeysUnderBlazingMonitors – Douglas Gaskell Dec 04 '17 at 16:30

7 Answers7

4

An Nvidia GTX 560 Ti costs about $250 USD, and with something like http://www.golubev.com/hashgpu.htm enables you to try matching about 1.5 Billion NTLM password hashes a second.

This varies some depending on the hashing algorithm used but I wouldn't rely upon using two words from a dictionary of 10,000 entries.

Phillip Nordwall
  • 1,024
  • 9
  • 13
4

A random passphrase is a good idea as has been said numerous times here. Two random dictionary words (from a 10000 word dictionary) is roughly as secure as a six random lower-case letters password, in practice this is quite weak (10000*10000 ~ 108, while 266 ~ 3 x 108).

If the hash is obtained and is a simple non-key-strengthened hash (regardless of whether their is a salt or not) it will take about a second to crack with a single modern GPU (which generates simple hashes (MD5, SHA-128/SHA-256/SHA-512, etc) at a rate of ~billion (109) hashes per second, assuming they know the method you generated your password (Kerckhoff's principle - always a good conservative assumption to make when analyzing a crypto-system).

Instead, I'd suggest a minimum of a four or five word passphrase; and for secure stuff e.g., encrypting your hard disk or an encrypted password list something like 7 to 9 words:

A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits, four words 51.6 bits. Inserting an extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (See www.kelength.com). Needless to say, projections for the far future have the most uncertainty.

(Seven words from a 10000 word dictionary would take a billion modern gpus attacking at a billion attempts per second 317 years to brute-force).

But again beware reusing memorized passphrases at random places. First, you should never reuse passwords between different entities (any entity you give your password to, in theory could eavesdrop and record in plaintext). A malicious entity can even log incorrectly typed passwords and reuse at other places. Also a stupidly configured site may not allow long passphrases (spaces aren't allowed; or you need uppercase+symbols) or could silently truncate your passphrase (e.g., you only need to get the first/last 12 letters right and then it doesn't care).

That's why I suggest only using remembered passphrases for local stuff, passphrases for things I really need to remember (but still don't share amongst entities) like my email, and then having an encrypted list of unique randomly generated passwords/passphrases in the cloud on all my computers for everything else (besides a weak passphrase for stuff I don't care about being hacked). (I use keepassx as my password manager dropbox to keep the encrypted database shared amongst computers). I used to just use GPG and a bash script, but I find it has some handy features (like random password generation).

dr jimbob
  • 38,936
  • 8
  • 92
  • 162
  • The fundamental problem is that the human brain is not made to remember random stuff. We remember meaning, not data. As such, you are right that it is much better to remember a LONG passphrase with little entropy per word, but which is meaningful in some strange way to owner, rather than trying to do "random stuff" we are not good at. But as you say, you must have a long phrase with at least 7-9 words or even more. "the first day of my life I went fishing my uncle caught a banana" is such kind of good pass phrase. 14 words. Easy to remember. Probably more than 60 bits of entropy. – entrop-x Dec 04 '17 at 10:15
2

Whether or not a password is in a dictionary matters if and only if the attacker uses that dictionary to direct their attack. If I pick a Klingon word for my password, it will fare rather well if the attacker runs through a dictionary of English words, but it will fall pretty quickly if he tries the Klingon dictionary instead.

Likewise, if I compose a password out of several english words, my password will do fine if the attacker tries all the single english words in the dictionary, but does not try combining words. Alternately, if his attack dictionary consists of any set of words which contains my exact password, character-for-character, then my password will be guessed whenever he gets to it.

This may seem obvious and banal, but the point is that there is no magic to it. You want to make sure that any dictionary containing your password would have to be so large that the attacker will never get to your password anyway. The idea is to add lots of letters and avoid common, obvious patterns.

That's where all the password suggestions come from -- use mixed case, avoid names and words, use lots of letter, include symbols -- all of these suggestions decrease the likelihood that your password, letter-for-letter, symbol-for-symbol, will appear in the attacker's dictionary.

tylerl
  • 82,665
  • 26
  • 149
  • 230
  • Of course it is also trivial to combine different dictionary sources. So you combine English and Klingon words and still be vulerable depending the approach to bruce force the password. – Ramhound Jun 29 '12 at 14:08
  • @Ramhound Then you're creating a new dictionary (on-the-fly) of klingon and english words combined together in some specific pattern... and how large is that dictionary? How far down is your password? That's the determining factor. – tylerl Jun 29 '12 at 18:07
  • The "hope this single word I've chosen isn't in a dictionary" method is pretty much security through obscurity. Even combining two or three such words would be a huge improvement as it relies on math instead of obscure words. – Ben Dec 04 '17 at 15:55
0

The strength of the password is defined by its entropy. By choosing the dictionary words, you are out of special/numeric characters, which reduces the value of that entropy. However by concatenation of two dictionary words, your password length is increased, which increases the value of the entropy.

You should consider a few kinds of brute-force attacks. The first one is common, brute-force which tries to guess your password character after character. The second one is dictionary brute-force attack. The attacker knows that your password is a dictionary-word. Why should he try to crack it letter after letter? Faster method is obviouse: try every word from the dictionary. The third method is a hybrid brute-force. The attacker knows the structure of your password, for example: {dictionary word}{3-digit number}. Knowledge of your password structure is a powerful stuff to faster his cracking method.

To sum up, the strenght of the password made of dictionary words is that it's easy to remember and its structure is unknown for the attacker. He should assume, that your password consists of unknown, random letters, without any pattern. However if your password policy is public and everyone knows how your password structure looks like (that it's a concatenation of dictionary words) then, the strength of your password is dramatically lower, 'cos the attacker could speed-up the cracking process by choosing the hybrid brute-force method.

Having any algorithm without randomness to generate your passwords is bad. 'Cos you need to keep in secret not only your passwords, but also this algorithm. If your algorithm leaks, attackers would be able to crack your passwords easier. Your algorithm is to take N words from the dictionary and concatenate them.

p____h
  • 1,537
  • 7
  • 11
0

People tend to chose common words, words that are categorically similar, words arranged such that follow a form (e.g. "I [verb] [noun]" or "[adjective] [noun]"), and/or words that appear on the registration page. This cuts down the number of guesses needed drastically.

If you're going to take the route of combining words, go with 4 or 5 uncommon unrelated words and realize that humans tend towards patterns so really think about what you've come up with.

chao-mu
  • 2,801
  • 18
  • 22
0

People say don't use passwords in the dictionary but if you use two words isn't it alright?

Let's backup a bit. There is nothing wrong with using several dictionary words to create a passphrase. After all, the Diceware system uses nothing but dictionary words. However, there is everything wrong when those dictionary words are not chosen randomly. And by random, I don't mean you dreaming up 7 words out of your head.

Now, if you took any dictionary and...

  • randomly chose a page number,
  • randomly chose a column on the page, and
  • randomly chose an entry in the column

then your passphrase, created from your list of words, will have the maximum entropy (uncertainty, chaos, guess-factor) possible.

Strong passwords/passphrases are strong because they have a lot of entropy. Entropy is a product of the creation mechanism, not the passphrase contents! That's why every password you ever concocted in your head is basically worthless, because it has so little entropy, because the creation mechanism was not a random one.

Unconvinced? Let's try an example with an online analyzer that can measure the difference in entropy between a randomly made password and a "human" password. Let's analyze Cool Super Password.

And because we're so clever, we will change it up a little to k0Ol suP@h p4$$wUrd.

Now, on its face, if this were 100% randomly created, this 9519 keyspaced passphrase would clock in at around 112.34529 bits, because each symbol would have about 6.5699 bits of entropy (6.5699 × 19 graphemes). That's a max. (Set the analyzer to calculated Uncertainty to see this.)

But... I just made this passphrase up; it's not really random at all. So, I can't objectively assign each symbol that much entropy. I have to go with something closer to reality like 2.3 bits of entropy per symbol (Shannon, 1948). And if I were feeling merciless, I would choose 1.1 bits of entropy (Takahira, 2016), but let's use the 2.3 metric. (The analyzer lets you choose.)

At 2.3 bits per symbol, I have no more than 39.33 bits of total entropy. My 19-character passphrase is garbage, and would take a Brutalis about 987 milliseconds to crack! (See in analyzer).

The difference between a random password, and a human one, cannot be stressed enough. The issue is not whether you use dictionary words in your passphrase, the issue is how those words are selected. It's all about the creation mechanism, not the contents.

[DISCLAIMER] I created the passphrase.Life analyzer [/DISCLAIMER]

Mac
  • 163
  • 5
0

If the password hashing mechanism is any good then yes, building your password from randomly chosen words is a good password generation method, even if the list of possible words is short. Some notes, though:

  • "Randomly chosen" is important. Don't select the words with your mind; human brains cannot do proper randomness. Use a random generator (coins, dice...) to select each word and stick to the result (don't rethrow the dice if you do not like the selected words).

  • You will want to choose more than two words, rather three or four, because modern hardware is freakingly fast at trying a lot of combinations.

So you end up with the same method as the one described in this famous comic and it is fine. It has the drawback that a long password, well, is long; as such, you may find it irksome when typing it (depending on your typing speed and the input device, of course). Some password entry interfaces arbitrarily limit the password size to low values (e.g. 16 characters at most), for no good reason, but they nevertheless do it, and this makes them incompatible with list-of-words passwords.

Bad password hashing mechanisms exist. In particular, the infamous LanMan hash in old Windows system "hashes" a 14-character passwords as two separate 7-character words, and the two hashes are independent of each other. This allows for breaking them one at a time, which is of course much easier than trying to find the correct combination right away. See this answer for some more analysis on this subject.

If the password hashing mechanism really operates like a cryptographic hash function, as it should, then use of lowercase letters and English words offers no shortcut to the attacker.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955