32

On all web services that require passwords, like gmail, you are asked to set a long password. Like 8 characters or more.

The reason being higher security.

But the same services limit the number of login attempts to 3-4 tries before locking your account and asking for more info. Something which I find very annoying, but that's another topic.

So how is a short password insecure if they limit login attempts? If the password has 5 characters someone cannot try all combinations in just 3 attempts.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Alex
  • 527
  • 4
  • 7
  • 11
    You assume that blindly typing the password into gmail's interface is the only way to log you in. Furthermore, locking an account after X attempts means I could write a script that automatically tries to log in as you and you could never use gmail ever again. –  Dec 21 '19 at 10:05
  • 13
    For the record: 8 characters is not a long password today. – Mast Dec 22 '19 at 16:08
  • 17
    3-4 attempts **per user**. They can set up a botnet that will try easy passwords to millions of accounts. If people use short password the chances of getting one right are extremely high. – Bakuriu Dec 22 '19 at 17:26
  • 2
    You are making an extremely common mistake: you are focusing on attacks that you envision rather than on ones people actually use. Asking the question here is a good step towards learning about the specifics of this instance but please don't neglect the meta-realization. – Jared Smith Dec 23 '19 at 18:32
  • @MechMK1 Most proper lockout systems prevent bots from locking out legitimate users by only blacklisting a user at a specific ip address. That is the way to do it. – kloddant Dec 23 '19 at 23:06

3 Answers3

75

The main reason passwords need to be long and random (i.e. high entropy) is to protect against offline brute force attacks.

Passwords are usually not stored in plain text. Instead, they are hashed. If someone steals the database with the hashed passwords (this is surprisingly common), they can not directly read the passwords. Instead, they have to try loads and loads of passwords to find one that matches the hash. Since the password hashes have been stolen, this can be done on the attacker's machine and not via the website itself (hence offline attack). This means that any limits on retries on the webpage do not apply.

Long and random passwords takes more guesses, so they are harder to crack even if the database is ever stolen. That is why they are encouraged on the web.

Kat
  • 117
  • 6
Anders
  • 65,052
  • 24
  • 180
  • 218
  • Useful insight, UV, yet does not address the "number of login attempts to 3-4 tries before locking your account" – chux - Reinstate Monica Dec 22 '19 at 23:31
  • 17
    @chux-ReinstateMonica yes, it does address it. It's perfectly clear after reading this answer that the number of allowed login attempts doesn't matter at all if the attacker has stolen password hashes. – ElmoVanKielmo Dec 23 '19 at 00:58
  • 1
    @ElmoVanKielmo Fair enough : restate: Answer does not address why the number of login attempts is limited to the 3-4 range - it only says it should not matter for security. – chux - Reinstate Monica Dec 23 '19 at 05:03
  • 1
    @chux-ReinstateMonica There are two attack vectors being defended. Long passwords defends against offline attacks, password attempt limits defends against online attacks. While it's probably the case that long passwords adequately mitigates online attacks, these limits have become traditional as defense-in-depth. – Barmar Dec 23 '19 at 16:06
  • I think this is wrong. Complexity requirements after not enough to reliably stop offline brute force. Compare to Veracrypt which is designed to stop offline brute force and had much higher requirements than most web passwords. The main reason is password spraying – paj28 Dec 24 '19 at 15:01
36

It's not as simple...

About online brute force

If an account becomes completely locked after 3 attempts, it will be easy to make a DOS (Denial Of Service) attack by locking all accounts!

Servers have to base locking decision not only on number of bad tries, but will use IP address, browser ID and include duration for locking, so that if someone just used the wrong keyboard, they will be able to reconnect in some delay...

From there, considering botnets, an attacker could use a lot of different IP addresses and make many different tries. With some smooth options and long delays, short passwords become weak.

  • Example:

    Considering a full brute force against 5 characters chosen from a-z, A-Z, 0-9, $+"*/%&()_: 72 characters

      72^5                 => 1'934'917'632 # all possible combinations
      72^5 / 300000        =>         6'449 # botnet
      72^5*900/300000/3    =>     1'934'917 # 3 attempts -> 15' penalty
    

    In seconds: this represents ~22 days to test all combinations.

Note 1: 300000 machines is some arbitrary mean value from Botnet @Wikipedia. For a 6M botnet, the job will end in approximately one day.

Note 2: the same calculation with a 12-character-long password will result in approximately 615'015'399'199 years.

About offline brute force

Passwords are commonly stored hashed. If someone could steal your password file (by using remote exploit, social engineering or else), they could use brute force against the hash stored in the password file.

From there, the attacker is not limited to 3 attempts anymore!!

If your password length is >= 12 characters: 72^12 => 19'408'409'961'765'342'806'016. This becomes heavy, even through botnet...

But any john-like password cracker will browse the stolen password file and extract quickly all common word based passwords and all short passwords.

Brute force, by using the fastest supercomputer in 2019, could check up to 10^14 tests / second... (see Brute-force attack on Wikipedia). So:

72^12 / 10^14 = 194084099 => more than 6 years.

About long password vs passphrases

Because I prefer (whenever possible) to use passphrases instead of passwords, I really like this XKCD's strip (/936):

XKCD 936

... With 5 words instead of 4. Here is a small mathematical demo:

  • Considering a 12-letter password with 72 characters bunch:

     $ bc <<<72^12
     19.408.409.961.765.342.806.016  -> >6 years
    
  • Considering 5 words randomly chosen in American dictionary with words containing 5 to 9 plain letters (a-z, no accents):

     $ bc <<<"$(
         LANG=C grep '^[a-z]\{5,9\}$' /usr/share/dict/american-english|
             wc -l) ^ 5"
     122.045.635.410.545.172.078.149 -> >38 years
    

even more combinations,

with minimal phrase length: 5x5=25 alphabetical letters:

    bc <<<'26^25'
    236.773.830.007.967.588.876.795.164.938.469.376

(Nota brute force cracking passphrase implie combination of letters, this will reduce the total combination, but stay higher than 41'429 ^ 5... 41429 is the result of wc -l in my previous test)

You could even add some salt by adding caps, numbers, and/or any special characters... while you're still able to remember them!

Pang
  • 185
  • 6
9

To prevent "password spraying" where someone tries a common password against many accounts.

paj28
  • 32,906
  • 8
  • 93
  • 130
  • 3
    There are common passwords longer than 8 characters that could be sprayed; I don't think this addresses the question about short passwords. – multithr3at3d Dec 21 '19 at 14:15
  • 1
    @multithr3at3d - Absolutely there are, and good sites will check against breach databases. But password length is the simplest way to try and make users pick a unique password. – paj28 Dec 21 '19 at 17:57
  • @multithr3at3d - Can you please read [this](https://security.meta.stackexchange.com/questions/3328/short-answers-in-comments) – paj28 Dec 22 '19 at 10:35
  • 1
    To clarify my comment, "limited login attempts" may be mitigation for password spraying, but I don't agree that "password length" is necessarily a mitigation for password spraying, since even the password "password123" is not very short (11 chars), yet it probably turns up in a list of sprayable passwords. – multithr3at3d Dec 22 '19 at 22:59