25

I came across this Intel How Strong is Your Password? page which estimates how strong your password is.

It has some advice on choosing better passwords including that you should use multiple passwords.

But then after it says this:

Step 3: Diversify your social passwords for added security
"My 1st Password!: Twitr" "My 1st Password!: Fb" "My 1st Password!: Redd"

Does this increase security over just using "My 1st Password!"?

I thought the reason not to use the same password more than once is so that if a site compromised, your passwords for other sites are still safe.

But if your password here was "UltraSecurePassword: StackExchange" wouldn't it be easy to guess your Facebook password would be "UltraSecurePassword: FB"?

user25751
  • 269
  • 3
  • 5
  • 34
    Horrible. Just horrible, horrible, terrible advice. This is some shocking crap from Intel, usually they do quite a bit better. This must be direct from the marketing department with no engineers involvement. Do not listen to them, pay them no heed. See [XKCD](http://xkcd.com/936/) (and [discussion here](http://security.stackexchange.com/q/6095/33)) instead. – AviD May 09 '13 at 12:24
  • 9
    Nice to see them hosting the site on SSL as well so that no one can sniff your passwords as you merrily type them in... oh wait! – Matthew Steeples May 09 '13 at 12:35
  • 11
    It's better than using an identical password everywhere since it will reduce your vulnerability to automated attacks; but is next to useless if a human is targeting you directly and has access to one of your passwords created with that system. – Dan Is Fiddling By Firelight May 09 '13 at 14:17
  • 5
    @Matthew Steeples - The site states that your password ".. is not sent over the Internet", its strength is computed client side with JavaScript. – gpresland May 09 '13 at 17:36
  • More importantly, if you willy nilly submit your actual passwords to any random site that asks for it - what would SSL help, anyway? – AviD May 09 '13 at 18:20
  • 1
    @AviD & Adnan It would at least help assure you that the claims regarding the site's operation are made by a relatively trustworthy source. As it is now, we cannot have any confidence that the site we're viewing is being served to us by Intel. Joe User isn't savvy enough to inspect the JavaScript, but most are at least a little familiar with how to check for SSL indicators in their browser. [SSL is not (just) about encryption.](http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html) Whether they should be punching their passwords in there at all or not is a bit of a different issue. – Iszi May 09 '13 at 18:26
  • @Fase - Good point, I hadn't actually noticed that. Having said that though, clicking on the link now does actually take you to a page protected by SSL! – Matthew Steeples May 09 '13 at 19:10
  • 1
    Do hackers really look at cracked passwords and try them manually at other sites? I assumed when they stole hashes and cracked a few thousand passwords, they had a script automatically test those passwords on a few hundred high value sites (online banking, etc) to come up with a short list of targets. Do they really publish the list of hacked passwords or look at the passwords for patterns? – Johnny May 09 '13 at 21:03
  • @Johnny - They sure do if they're trying to spear-phish you. If you're just part of a bulk password breech, you'd *probably* be fine (you should change any similar passwords anyways), but if someone is targeting you specifically, there would certainly be people manually looking at your passwords. – Fake Name May 10 '13 at 03:40
  • @Johnny Yes they do. Google 'Mat Honan' –  May 10 '13 at 06:46
  • Mat Honan was a social engineering attack, not a stolen password: http://gizmodo.com/5931931/hackers-got-into-honans-icloud-account-with-deception-no-password-required – Kris C May 10 '13 at 14:08
  • 1
    The good thing about this tactic: you have a bunch of strong passwords that will be fine as long as no one sees any of them in plaintext. The bad thing about this tactic: it takes one mistake on your part to compromise every account you have. Just one. – KnightOfNi Feb 27 '14 at 21:30

10 Answers10

22

Yes you are right. Using a pool of passwords is definitely recommended but the passwords should not follow a pattern, but that is how we think (we are security guys). May be the writer was thinking from a common user's point of view because most common users simply don't want to take the headache of remembering multiple passwords and having a common pattern in all the passwords may encourage them to use different passwords because now the passwords are much easier to remember (and easier to guess by a smart hacker).

I personally prefer to maintain a pool of passwords.Nowadays you have to create an account with a number of random websites and you don't know how they are handling your passwords. I remember once on a job portal (read monster.com) I clicked on forgot password and then they mailed me my original password in plain text (they are still doing it!!!). Here in our community we have some great discussions on password management but there are people out there who do not care for your security.

One should never use his bank related and other important passwords any where else. You can always remember a comparatively simpler password for these random websites.

Shurmajee
  • 7,335
  • 5
  • 28
  • 59
  • 1
    As it was Intel I thought maybe I was missing something obvious. I did think it might be something to do with increasing the time required to crack/reverse the password hash but I didn't think it would that since sites which don't hash passwords are more likely to be compromised through not caring about security. – user25751 May 09 '13 at 15:54
  • 3
    Wow. One more reason to stay far, far away from Monster! – Matt Ball May 09 '13 at 23:24
  • Mr. Downvoter, please leave a comment to help me improve this answer – Shurmajee Nov 10 '14 at 05:32
9

Yes, using different passwords for different sites is a good idea.

Yes, having a common theme which you use to generate your passwords is ok. With two caveats. It must not be so stupidly easy to guess as the one suggested by the Intel site. You MUST keep is a secret.

The best solution of course is to just remember one long, highly random password which will grant you access to a password safe containing randomly generated passwords for your different accounts. Various solutions like LastPass or KeePass exist and works well.

See this arstechnia article for a nice insight on how horrible that Intel site actually is.

7

Not the best advice ever, true, but I guess we should be grateful for any help from the big players in trying to raise public awareness regarding password security.

Your concern regarding the 3rd step is justified, though. We should expect better from names like Intel. If you'd take their advice too literally, all that is needed for all your passwords to be compromised is to use one of its such iterations on an untrusted or compromised website, and an attacker could easily anticipate all other passwords you use with other services. This is an Intel's oversight and their advice should indeed be questioned.

Another questionable choice is also the way the password check works - there is absolutely no need to type it two times and then press a button. Even if they mention it won't be sent and the password strength will be calculated on client-side, this could be further emphasised by a user interface that calculates password strength as we type, clearly showing a presence of a client-side script involved in these calculations. I find their choice rather peculiar, to be honest.

TildalWave
  • 10,801
  • 11
  • 46
  • 85
7

The short answer is yes. However, human beings tend to be a creature of habit. Therefore they tend to use the same password for multiple accounts. I believe this article is trying to make it a little more palatable for those who don't want to change passwords.

Just using "My 1st Password!" on every site is less secure than using "My 1st Password! FB" on one site and "My 1st Password! twitr" on another for the fact that if a hacker got your first password and added it to his dictionary he wouldn't necessary be able to break the second one.

If your passwords were the same then if the hacker obtained your first password and added it to his/her dictionary and got the hash of your second password then he/she could break it easily.

Jason H
  • 294
  • 1
  • 5
  • 2
    I like this answer the best. Trivially varied passwords would protect you against any automated attempt on your other accounts, even if it provides no extra protection against a targeted attack on your accounts. – Bobson May 09 '13 at 17:41
7

Intel should know better - but this seems to be a recurring theme: how can we get end users, especially non-technical users, to improve aspects of their behaviour without alienating them completely.

Here, and on other security communities, we already know all this stuff, and hopefully our families get some of the guidance that rubs off, but how do you get someone with no security or risk experience to understand that using their grand child's name as a password is a bad idea? It certainly helps them remember it, so that is important, right?

If you want a sensible view on password strength, look at our blog post on the topic, and follow all the links! Some very smart people have provided guidance - inspired by the famous xkcd cartoon.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
6

I think the general advice about starting with a base password and embellishing it with different characters based on the site (or computer name) you're visiting is good. This can provide the benefit of being easy to remember and still being secure because it would probably stop most automated methods of checking a compromised password list against multiple sites.

That being said, the problem with their specific implementation of this model is that with a single compromised password, a hacker could guess your other passwords with a quick glance.

Instead, they should recommend a strong base password like:

j3PL9$#U(B

This is something that is not trivial, but you would only have to memorize it once. Then you could come up with a non-obvious algorithm based on the characters in the URL. The algorithm could be: capitalize the first letter of the URL and put it at the end, and put the lower case version of the last letter of the URL at the beginning. So, in my example, your passwords would look like this:

Facebook - kj3PL9$#U(BF

Twitter - rj3PL9$#U(BT

Reddit - tj3PL9$#U(BR

Looking at any single one of these, it would be largely impossible to guess that the password has any relationship to the domain of the site. To most people, this just seems like a random string of numbers and letters.

Of course, you could make this more complex by doing something like "put the second letter of the URL at the next to last character of the password".

Javid Jamae
  • 161
  • 3
  • Ideally people would come up with their own method. If everyone starts using your method, if there is a database compromise on a big site with insufficient password hashing security, then attackers who figure out one of your passwords will be able to guess your passwords for other sites too. Also I'd definitely have different passwords altogether for online banking sites and a different one again for my email. Generic forum sites, social media etc can share the same password scheme as I don't really care if they get compromised as much. – zuallauz May 09 '13 at 22:44
4

Totally agree - using ANY predictable pattern, no matter how complex it is, would undermine the whole idea of strong passwords. I am doing it this way:
- Random passwords generated in Keepass (and stored there) for 99% of the passwords
- Very few passwords generated with the help of Gasser generator, i.e. passwords that are pronounceable, but still not from dictionary, for the critical websites, passwords which I do not store ANYWHERE.
e.g. of generator of such passwords: http://www.multicians.org/thvv/gpw-js.html

Yuri
  • 117
  • 3
0

I skimmed the majority of comments and I think as IT Security people we tend to over react when we see a password that appears to be simple, but isn't really. While there are many techniques for password attacking I actually somewhat agree with Intel in their thinking.

Using My 1st Password!: Twitr according to GRC's Interactive Brute Force Password “Search Space” Calculator it would take approximately 9.88 billion trillion centuries doing 100 trillion guesses per second to brute force this password.

Using the same password for even 10 different accounts with slight variations would still yield an near unimaginable time frame for attempting to brute force attack it.

Just for reference, using a password such as j3PL9$#U(B would yield within a week for the 100 trillion guesses per second so what would seem impossible is easier.

Now this is simply brute force methods. Obviously getting the hash and using rainbow tables would be a much better solution, but once they have the hash you're probably done for anyhow regardless of the complexity of your password.

Travis
  • 341
  • 1
  • 5
  • 2
    you are considering only brute force which IMHO won't be used by the attackers in most of the cases. What they do is creating large dictionaries and just by looking at the Intel advisory, many attacks would be generating dictionaries for such passwords patterns right now. In short, any publicly known password pattern is bad no matter how long because at the end you are attacking the pattern which is a lot easier than attacking individual randomly generated 10+ character passwords. – void_in May 09 '13 at 20:45
  • 1
    Also, could you elaborate why you think it is a game over if they get hold of your hash? In Windows environment it is true due to the pass-the-hash phenomena but the same is not true for web applications. A properly hash password (such as through PKDF or bcrypt) together with a random salt can take forever for the attacker to crack. – void_in May 09 '13 at 20:48
0

I believe what they are implying is a compliance issue. Granted ALL of you are suggesting much stronger passwords and ARE TOTALLY RIGHT.

However, normal human beings don't comply. And won't comply. And if they don't and won't comply they will find a way to cheat back to something simple that breaks badly.

So if it is going to break badly anyway, at least make it break badly hard and take 2 (or more times) to break badly hard before the bad guy figures out the pattern - and be simple enough people can comply. If you look at what Intel proposes, the passwords are remember-able; it takes at least 2 before a bad-guy can begin to infer a pattern (maybe they start guessing with 1); and even once they infer, they still have non-standard sequences to figure out (5 chars in one, 2 in the second, 4 in the third...) so its still some work to do. Yes the dictionary start scoping down, but work none-the-less.

And you get potentially better compliance than rj3PL9$#U(BT. By my age, I would forget that daily. And yes, I use password managers, but occasionally, I don't have them with me - so I need to remember too!

Tek Tengu
  • 1,699
  • 11
  • 13
-2

Something a lot of people seem to forget. Using a huge password is better then confusing the user. eg

the password: mySuperSecurePasswordKeepsMeSecuredAgainstHackersCrackersAutomatedToolsAndMoreStuff

is more secure than: P@S$W0rD

I can support with this numbers/math etc if required. For the downvoter: XKCD #936: Short complex password, or long dictionary passphrase?

Stolas
  • 333
  • 1
  • 13