3

I've tried to sign in to Samsung Cyber Service Center¹. Since I'm from Poland, at first I tried the Polish version of that service. I entered a password that has:

  • 6 numbers in total (in three groups of two numbers each),
  • 6 lowercase characters,
  • 3 uppercase characters,
  • 1 special character,

in the following order: NNccccccNNCCC#.

I was smashed with an error message saying that I can't continue, because... my password is too weak.

For verification, I went to the English version of that sign-up form and, after staring for two minutes directly at the *Password must be at least 8 characters* error message, I finally understood what they really mean. The password must contain at least eight characters in a row, on which my password fails, because it has only six and three characters in a row (in each of the two character groups).

I'd like to know how I should treat situations like this. Is my example password really too weak (and should I consider not using passwords like that anymore), or are these the first signs of Samsung Paranoia™ (or some kind of bug on their site) and I should change my password only this time, to match their craziness?

¹ To see the mentioned sign-in form, you have to go to Cyber Service Center, click Registration and then Sign Up Now.

trejder
  • Are your character strings based on words (in any language)? That makes a large difference; I'll put together the math in the next couple of days. – Anti-weakpasswords Jan 09 '15 at 14:12
  • Yeap, my character strings are certainly from a dictionary (non-English). I know that even non-English, dictionary-based words used in passwords are extremely easy to break. But, then again, what can you say about [xkcd's comic strip](http://xkcd.com/936/)? It does sound reliable to a total security newbie like me (total security ignorant?) :> – trejder Jan 10 '15 at 21:42
  • @trejder There's actually a great question on this site regarding that very topic: [XKCD #936: Short complex password, or long dictionary passphrase?](http://security.stackexchange.com/q/6095/29865) (It's actually the currently most-upvoted question on this site.) The short answer is that using one word is most definitely easy to break, but a single word contains a lot more entropy than a single character, and it's probably easier for a human to remember. So using a string of random words is better than a string of random characters. – Ajedi32 Jan 13 '15 at 16:06
  • @trejder Also, the XKCD comic assumed a brute force attack on a remote web service, not on the password hash itself. If you need to withstand cracking attempts on password hashes, you'll need more than 4 common words. – Ajedi32 Jan 13 '15 at 16:09
  • @Ajedi32 So... the best one is "[THEquickBROWNfoxJUMPSoverTHElazyDOG](https://en.wikipedia.org/wiki/The_quick_brown_fox_jumps_over_the_lazy_dog)", right? :> BTW: Thank you for these clarifications. – trejder Jan 13 '15 at 16:23
  • @trejder Well, a sentence isn't the same as a sequence of random words, just like a word isn't the same as a sequence of random characters. So, "TheOutrageousDiscoConceivesTheContinualPuzzle" isn't nearly as secure (from the standpoint of password entropy) as "SwampDaringFarewellLanguageMythCenturyJam", but it's probably still very strong compared to "Tr0ub4dor&3" or even "CorrectHorseBatteryStaple". – Ajedi32 Jan 13 '15 at 16:43

2 Answers

6

Is a password of the format

NNccccccNNCCC#

weak?

Well, let's do some math two ways:

  • Assume it's purely randomly generated (not likely if it has a pattern), and assume there are 32 choices for the trailing symbol (also unlikely; most passwords choose from a much smaller subset).
    • 10^2 * 26^6 * 10^2 * 26^3 * 32 ~= 1.7E18 ~= 2^61
    • If the site hashes with a single round of MD5 (not unlikely), a modern machine performing an offline attack with oclHashcat will exhaustively search this total keyspace in about 7 months.
    • A cracking group of 7 people, each with one of those machines, in about one month.
    • A well-funded adversary will spend more time on the paperwork, even if the paperwork is just "push the button".
  • Assume it's purely randomly generated except for the 6-character string, which is a word or string that appears in a common cracking dictionary+ruleset of 200,000 possibilities, and assume there are 32 choices for the trailing symbol (also unlikely; most passwords choose from a much smaller subset).
    • 10^2 * 200000 * 10^2 * 26^3 * 32 ~= 1.1E15 ~= 2^50
    • If the site hashes with a single round of MD5 (not unlikely), a modern machine performing an offline attack with oclHashcat will exhaustively search this total keyspace in about 0.004 months, i.e. less than 3 hours.
    • If the site hashes with a single round of SHA-256, a modern machine performing an offline attack with oclHashcat will exhaustively search this total keyspace in about 0.035 months.
    • If the site hashes with a thousand rounds of SHA-1 without additional overhead (possible, I suppose), a modern machine performing an offline attack with oclHashcat will exhaustively search this total keyspace in about 14 months.
      • Unless they upgrade their GPUs during that year, in which case it goes down further.
      • If you wait for, say, 3 years, then based on Moore's Law and House's Corollary, the exhaustive search time would be only 3 and a half months.
      • If you wait for, say, 6 years, then based on Moore's Law and House's Corollary, the exhaustive search time would be about three weeks.

So, what amount of time does a given level of adversary need to spend on an offline attack for you to consider your password "not weak"? Only you can decide that, but here's the math to help.

  • That one machine with 8 GPUs in January 2015:
    • MD5 one round: 2.5E17 tries/30 days (2^58)
    • SHA-1 one round: 7.8E16 tries/30 days (2^56)
    • SHA-256 one round: 3.2E16 tries/30 days (2^55)
    • SHA-512 one round: 1.2E16 tries/30 days (2^53)
    • WPA/WPA2: 3E12 tries/30 days (2^41)

Anti-weakpasswords
  • Your answer directly answers the question. After your math I must admit that my password is weak! :> – trejder Jan 10 '15 at 21:38
  • Out of curiosity, how many tries could one expect to be made in 30 days on a modern PC with an algorithm like bcrypt or scrypt? – Ajedi32 Jan 13 '15 at 15:57
  • @Ajedi32, that's going to depend on the associated work factor - both bcrypt and scrypt have a parameter that adjusts how many iterations they use. – Anti-weakpasswords Jun 14 '15 at 17:11
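
The keyspace arithmetic in this answer, as an added worked example (not the answerer's code): it computes the pattern's keyspace under both assumptions (fully random, and the lowercase run drawn from a 200,000-entry dictionary+ruleset), converts it to bits, and divides by the answer's January 2015 per-30-day rates. The alphabet sizes and rates are taken from the answer; the function names are my own.

```javascript
// Added example (not from the answer above): keyspace and exhaustive-search
// time for the pattern NNccccccNNCCC#, under the answer's two assumptions
// and at its January 2015 per-30-day GPU rates.

// Per-position alphabet sizes, as the answer assumes: digits 10,
// lowercase 26, uppercase 26, trailing symbol 32 choices.
const PATTERN = "NNccccccNNCCC#";
const ALPHABET = { N: 10, c: 26, C: 26, "#": 32 };

// Tries per 30 days on the answer's 8-GPU machine, single hash round.
const TRIES_PER_30_DAYS = { md5: 2.5e17, sha1: 7.8e16, sha256: 3.2e16, sha512: 1.2e16 };

// Keyspace when every position is chosen uniformly at random.
function randomKeyspace(pattern) {
  let total = 1;
  for (const ch of pattern) {
    const size = ALPHABET[ch];
    if (size === undefined) throw new Error("unknown pattern class: " + ch);
    total *= size;
  }
  return total;
}

// Keyspace when the run of lowercase letters comes from a dictionary+ruleset
// of `dictSize` candidates instead of 26^n.
function dictionaryKeyspace(pattern, dictSize) {
  const run = pattern.match(/c+/)[0].length;
  return (randomKeyspace(pattern) / Math.pow(26, run)) * dictSize;
}

// Entropy in bits, i.e. log2 of the keyspace.
function bits(keyspace) {
  return Math.log2(keyspace);
}

// 30-day periods needed to exhaust the keyspace at `rate` tries per 30 days;
// `rounds` hash iterations divide the effective rate.
function monthsToExhaust(keyspace, rate, rounds = 1) {
  return keyspace / (rate / rounds);
}

// Reproduce the answer's figures.
const random = randomKeyspace(PATTERN);             // ~1.7e18, ~2^61
const dict = dictionaryKeyspace(PATTERN, 200000);   // ~1.1e15, ~2^50
console.log(bits(random).toFixed(1), "bits; MD5 months:", monthsToExhaust(random, TRIES_PER_30_DAYS.md5).toFixed(1));
console.log(bits(dict).toFixed(1), "bits; MD5 months:", monthsToExhaust(dict, TRIES_PER_30_DAYS.md5).toFixed(4));
console.log("1000x SHA-1 months:", monthsToExhaust(dict, TRIES_PER_30_DAYS.sha1, 1000).toFixed(1));
```

Swapping a different rate or round count into `monthsToExhaust` shows how much a slow hash buys relative to the pattern's own entropy.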
3

Your password pattern looks fine to me. Personally I prefer even more complex passphrases.

I was not able to reproduce your error.

Your scheme (NNccccccNNCCC#) contains only 14 characters, but you wrote that you entered 16.

Their JS test routine (see here) has no problem with either a 14-character password of your scheme (NNccccccNNCCC#) or a 16-character one with two numbers added at the end (NNccccccNNCCC#NN).

Here is a minimal running version:

```html
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Script-Type" content="text/javascript" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function(){
        // Test values: the email the site compares against and the candidate password.
        var email = "bla@example.org";
        var password = "12abcdefg34HIJ$56";

        // Rule 1: minimum length of 8 characters (no "in a row" requirement).
        if(password.length < 8){
            alert("PWD_VARIFY_MSG");
            return false;
        }

        // Rule 2: at least one digit and at least one letter (case-insensitive).
        var chk_num = password.search(/[0-9]/g);
        var chk_eng = password.search(/[a-z]/ig);

        if(chk_num < 0 || chk_eng < 0){
            alert("PWD_VARIFY_NUM_ALPHA_MIX_CHECK");
            return false;
        }

        // Rule 3: the same word character must not appear four times in a row.
        if(/(\w)\1\1\1/.test(password)){
            alert("PWD_VARIFY_SAME_CHAR_4TIMES_CHECK");
            return false;
        }

        // Rule 4: the password must not contain the email address
        // (note: search() treats the email string as a regular expression).
        if(password.search(email)>-1){
            alert("PWD_VARIFY_EMAIL_SAME_CHECK");
            return false;
        }
        // Reaching this point means the password passed every client-side check.
});
</script>
</head>
<body>

</body>
</html>
```

So you do not need 8 characters in a row.

Maybe the problem is your special character. Some may be filtered server-side to avoid SQL injection (...). It could even be that the password is too long and this gets checked only server-side.

Rüdiger Voigt
  • Thanks for your reply and for pointing out my mistake. Yes, of course, I'm talking about a 14-character-long password (I fixed the title). As per my comment in the second-to-last paragraph: in this particular example (_Samsung Cyber Service Center_) you **are required** to have **8 characters in a row**. On my second attempt, I used the password `onetwoTHREE4#` and it was accepted as "very strong". I did not check their JS code; I'm only writing about end-user impressions. And no, we're not talking about server-side verification. I wasn't even allowed to submit the form -- all checking is done client-side. – trejder Jan 09 '15 at 12:22
  • Also, please note that the English version of the sign-up form is quite different from the Polish one (which I used to actually register) -- the overall form schema and error messages are different. This seems to work based on geolocation. I agreed to it in Chrome (my base browser) and now, each time I click on the link in the question, I'm redirected to the Polish form. When I copy the URL to any other browser, I see the English version of the sign-up form. – trejder Jan 09 '15 at 12:28
  • They use the JavaScript to check if your password matches their guidelines before you send it to the server. This code is generic. "PWD_VARIFY_EMAIL_SAME_CHECK" and others are only variables that get replaced by the language version. From this point there is no 8-characters-in-a-row requirement. HOWEVER, never trust user input is an essential rule. Therefore I hope they check it server-side. Maybe they apply different rules there. If the error does not go away you should drop their support an email and use a longer password, as this rule reduces complexity. – Rüdiger Voigt Jan 09 '15 at 13:34
  • Once again, you have proven to me that this is a very simple script and that there is no eight-characters-in-a-row requirement. At this point, I must admit that I simply don't know why I wasn't able to submit this form. Anyway, the fact is that I wasn't able to register using the English site and had to do it using the Polish site. Thank you for your effort. Unfortunately, I have to accept the other answer, as it is closer to answering this question (is the password weak), while your answer deals with their registration form only. – trejder Jan 10 '15 at 21:36
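
The four client-side rules from the snippet in this answer, as an added example (not Samsung's code and not the answerer's): a reusable checker that returns the failing rule name or null, run against constructed passwords shaped like the ones discussed in the question. The rule-name strings are the ones from the posted snippet; `checkPassword`, `emailRuleAsRegex` and the sample inputs are my own. The email rule uses a literal substring test instead of `password.search(email)`, because `search()` compiles its string argument as a regular expression, so a `.` in the address matches any character.

```javascript
// Added example (not Samsung's code): the four client-side rules from the
// snippet above as a reusable function, returning the rule that failed or null.

function checkPassword(password, email) {
  // Rule 1: minimum length of 8 characters (no "in a row" requirement).
  if (password.length < 8) return "PWD_VARIFY_MSG";
  // Rule 2: at least one digit and at least one ASCII letter.
  if (!/[0-9]/.test(password) || !/[a-z]/i.test(password)) {
    return "PWD_VARIFY_NUM_ALPHA_MIX_CHECK";
  }
  // Rule 3: the same word character four times in a row.
  if (/(\w)\1\1\1/.test(password)) return "PWD_VARIFY_SAME_CHAR_4TIMES_CHECK";
  // Rule 4: the email address must not appear inside the password.
  // Literal includes() rather than search(email), which treats email as a regex.
  if (email && password.includes(email)) return "PWD_VARIFY_EMAIL_SAME_CHECK";
  return null; // passes every client-side rule
}

// The original search(email) form of rule 4, kept only for comparison.
function emailRuleAsRegex(password, email) {
  return password.search(email) > -1;
}

// Constructed inputs matching the patterns discussed in the question.
const SAMPLES = [
  ["12abcdef34GHI#", "bla@example.org"],    // NNccccccNNCCC#, 14 chars
  ["12abcdef34GHI#56", "bla@example.org"],  // two digits appended, 16 chars
  ["onetwoTHREE4#", "bla@example.org"],     // the password the asker reports accepted
  ["abc1111def", "bla@example.org"],        // rejected: four identical characters
  ["bla@example.org1", "bla@example.org"],  // rejected: contains the email
];

for (const [pw, mail] of SAMPLES) {
  console.log(pw, "->", checkPassword(pw, mail) || "accepted");
}
```

`emailRuleAsRegex("xbla@exampleXorg1", "bla@example.org")` is true because `.` in the address matches `X`, while `checkPassword` accepts that password; the difference is what the literal comparison removes.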