After reading several answers to Are randomly-generated passwords starting with "a" less secure? and the link to JtR keyspace topic, I had a thought/question.

Even though most PW policies are reducing the total keyspace, they are attempting to remove the password from the "dictionary space" and put it into the "brute force" space, which is much, much larger, especially as we increase the password length.

Is that correct?

Aaron
  • 113
  • 4

2 Answers

2

While that is what many password policies attempt to do, moving the user passwords from dictionaries and into a form that can only be brute forced, they're forgetting the most insecure part of the password: The human mind.

Human minds are terrible at generating true randomness. They're even worse at memorizing random values. If there's a pattern that they can follow to help them remember it, they'll use it.

And, most damning of all, humans will reuse passwords.

Attackers have caught on and, rather than making their dictionaries based on words found in various languages, they make their dictionaries based on previously leaked passwords.

The current advice to users is to remember two passwords: The one to log into your computer, and the one to log into your password manager. Never try to memorize any other passwords, and never try to generate a password on your own. Let your password manager make truly random passwords, as these are the only ones that are guaranteed to not have shortcuts like dictionary attacks, keyboard pattern attacks, and the like.

The current advice to people setting up authentication systems is to follow the NIST standards. Specifically,

  • Do not force users to use different character classes like at least one of each upper, lower, number, and symbol characters.
  • Check that the password hasn't been leaked before when the user sets or changes their password (i.e., use the Pwned Passwords API).
  • Do not force users to change their passwords for arbitrary reasons, such as periodically.
  • DO force users to change their password for specific reasons, such as a suspected leak of your database (and be honest when such a leak happens).

etc.

Ghedipunk
  • 5,935
  • 2
  • 23
  • 34
1

Yes, that's the goal of password policies. They also seek to expand the required brute-force search space; requiring the presence of numbers and special characters includes those characters in the search space.

However, password policies often fail, for a fairly simple reason: The "dictionaries" in question don't need to be English dictionaries, and increasing the breadth of a search space isn't nearly as effective as extending its depth. One 'dictionary' often used is a list of the most common passwords -- note how most of those aren't English words, or words at all.

It's also common for password crackers to, while they're trying any given dictionary entry, try several variations of it, like replacing a with @ or 4, multiple capitalizations, and so on. That immediately weakens a lot of common passwords invented just to satisfy site requirements. If your normal password is password, and a site requires you to use a special character, you might put p@ssword -- which will be tried, and then your account is still breachable.

Nic
  • 1,826
  • 15
  • 22
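As an added example (not code from either answer), the following Python combines the two points above from the defender's side: it reduces a candidate password to the base word a cracker's mangling rules would derive it from (so "P@ssw0rd1!" is treated as "password"), checks that base against a leaked-password corpus, and shows the k-anonymity split used by the Pwned Passwords range API (send the first 5 hex chars of the SHA-1, match the suffix locally). The leaked list and the sample API response are constructed stand-ins, and the leet mapping is an assumed, simplified rule set.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus; a real check uses a full leaked list
# or the Pwned Passwords range API.
LEAKED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Assumed, simplified inverse of common cracker substitutions (@ -> a, 0 -> o, ...).
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def canonical_base(password: str) -> str:
    """Return the dictionary word a mangling rule set would have started from."""
    # Drop the trailing digits/symbols typically appended to satisfy a policy.
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    # Undo leet substitutions and fold case.
    return stripped.translate(UNLEET).lower()


def is_leaked_or_mangled(password: str, leaked: set = LEAKED_PASSWORDS) -> bool:
    """True if the password itself, or its de-mangled base, is in the corpus."""
    return password.lower() in leaked or canonical_base(password) in leaked


def pwned_range_query(password: str) -> tuple:
    """Split the SHA-1 into the 5-char prefix sent to the API and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines from a range response; 0 if the suffix is absent."""
    for line in response_text.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


# Constructed sample of what a range response looks like (counts are made up).
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
)

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "L3tme1n2019", "correct horse battery staple"):
        print(pw, "->", canonical_base(pw), "rejected" if is_leaked_or_mangled(pw) else "ok")
    prefix, suffix = pwned_range_query("password")
    print(prefix, count_in_range_response(suffix, SAMPLE_RANGE_RESPONSE))
```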