
Google is a repository of Internet data, as it indexes a tremendous amount of data. It uses a prediction service to determine the rest of the search query.

With such a huge repository in place, can we take advantage of it to determine the password strength?

Can we use the password as a search query to determine its popularity? Based upon the number of hits we get for the password, can we give a score to the password? Is this model feasible?

I think the passwords that are popular occur more frequently on web pages or as search queries. This doesn't mean that rare words of short length will be given a strong score, for obvious reasons: short passwords can be brute-force searched or queried in a finite time.

I think this model will work well for determining the strength of longer passwords that adhere to natural language such as English.

Is this approach to measure the password strength trivial? Or, in other words, is there any easy attack if such a model is used for measuring the password strength?

Note: If there is a trust issue with Google, assume that we can build our own service.

Edit: Research (https://madiba.encs.concordia.ca/~x_decarn/papers/password-meters-ndss2014.pdf) has shown that most of the strength meters deployed today mislead users while creating their passwords. Using the repository of a search engine like Google, can we measure the password strength more accurately? There will be false positives, as pointed out by many, but won't it be better than existing strength meters?

Curious
  • I don't really see a value in this that exceeds using a dictionary & checking against a few password wordlists. It'd be a lot of effort to go to for very little benefit IMO. – AlexH Jan 16 '15 at 12:10
  • There is no good wordlist for longer passwords, for example "hookthesnowout". – Curious Jan 16 '15 at 12:12
  • Well, that's sort of the point. If you're checking against the same wordlists that the attacker is, does it matter? Personally I test against a handful of common password wordlists, and if it's not in those I assess based on length & complexity. – AlexH Jan 16 '15 at 12:14
  • How do I know the attacker possesses the same wordlist as mine? Isn't there a risk involved? – Curious Jan 16 '15 at 12:17
  • Also, the effort of checking is incurred only once, when the user creates his password. Also, efficient data structures can be used to save the effort. – Curious Jan 16 '15 at 12:21
  • You can't know that without having every wordlist in the world. But the most common ones will account for the most common attacks/attempts. When referring to effort I meant more the effort of building the system, especially of building it for yourself because sending user passwords to Google is probably not ideal. IMO the best approach is just to enforce good password policies, and minimize your risk. Combined with things like lockout periods, proper hashing etc then searching for instances of the password on the entire internet is not necessary. – AlexH Jan 16 '15 at 12:52
  • Which is stronger, 2z63hg79fg79 or tf3m89j67hw396g3qh96g3q8b9 ? Both have the same amount of Google hits. – PlasmaHH Jan 16 '15 at 16:20
  • @PlasmaHH Maybe it could be used as a prefilter criterion: passwords whose search result isn't zero would not be allowed (without any further calculation). – peterh Jan 17 '15 at 00:24
  • I could see a Google search being useful for phrase-based passwords to rule out passwords like "correct horse battery staple", "the dark side of the moon", "rage against the machine", etc. that people think are strong passwords because they are long, but they are actually quite common phrases. Google even seems to recognize common phrases without spaces like "ilovethesoundofmusic" and "icouldhavehadav8" – Johnny Jan 17 '15 at 01:36
  • Once you search for it it will be in the cloud... – RoraΖ Jan 17 '15 at 16:13
  • I agree doing a Google search will not be a true indicator of password strength, but won't it quantify the password's strength better than the strength meters used today? – Curious Jan 19 '15 at 10:58
  • @Curious But the answer you get, such as it is, pertains to the strength of the password before you googled it. So you can say, "OK, that was a password with no hits; I could have used it if I hadn't just googled it". – greggo Jan 19 '15 at 14:34
  • @greggo, I understand the security issues due to using Google search. But I want to know whether a password strength meter implemented this way is better than current strength meters. – Curious Jan 20 '15 at 06:59

5 Answers


There is plenty of research on which passwords are "popular." You can find a lot of it here: https://xato.net/passwords/more-top-worst-passwords/

You have no way of knowing what Google does with queries. It is almost certain that such queries are logged, and are associated with the originating IP address. That would mean Google has a list of the passwords you tested. That list could be misused by a Google employee, and might be subject to search warrant, subpoena, discovery, or some other legal demand: https://www.aclu.org/blog/technology-and-liberty-national-security/how-private-your-online-search-history

If I were Google, I'd be looking into search terms that produce no hits; that's how they write the rules that let them do their magic. So, your practice is likely to come to the attention of Google researchers.

Finally, to address whether there is an easy attack, password attackers first try word lists of various sizes, then go for brute force and heuristic attacks. Short passwords not on any list or in Google's indices will fall to brute force. Longer passwords may fall to heuristics. Ars Technica did a series of articles on this. The most relevant is here: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Give it up.

Bob Brown
  • Please allow me to simplify Bob's second paragraph as follows: **The very act of sending the cleartext password to a third party (which your app would assume to be Google) makes it a weak password** no matter how strong it was before. Even if it is really Google and not a MITM, if major corporations can have large password lists and credit card number lists leak, then Google can have much less sensitive lists of searches leak. – Anti-weakpasswords Jan 17 '15 at 03:07

There is no result for a Google search on the extremely low-strength "pa55w0rd987": https://www.google.com/#newwindow=1&safe=off&q=pa55w0rd987

Further, Google can only report data that is known to it, and there are a lot of very bad passwords that, nonetheless, do not appear on any websites.

For these reasons, I assert that Google is not a useful tool for checking password strength. (The same would be true of Bing and other search systems.)

Joe DeRose
  • Well, now there is one result :P – antony.trupe Jan 16 '15 at 20:45
  • @antony.trupe Nice. It always amuses me when SE references to Google end up showing up in future Google results. I've actually seen a few programming questions where one of the answers was a "let me Google this for you" link... which ended up pointing right back to that answer as the first hit. – reirab Jan 16 '15 at 21:36
  • I agree doing a Google search will not be a true indicator of password strength, but won't a scheme like Google search quantify the password's strength better than the strength meters used today? – Curious Jan 19 '15 at 10:59
  • @Joe If the password is really bad, most probably it will appear on someone's list. For instance, https://xato.net/passwords/more-top-worst-passwords/ – Curious Jan 19 '15 at 11:37
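Bob Brown's point (attackers try wordlists first, then mangling heuristics, then brute force) and Joe DeRose's example ("pa55w0rd987" has no hits and is still weak) can both be checked locally, without sending anything to a search engine. The Python below is an added example, not code from either answer: it reverses the usual cracking rules (case folding, removed spaces, appended or prepended digits and symbols, leetspeak) and looks each resulting base form up in a wordlist. The wordlist and the LEET table are constructed assumptions standing in for a real leaked-password list and a real ruleset.

```python
import re

# Constructed miniature wordlist standing in for the leaked-password and
# "worst passwords" lists Bob Brown links to, plus the common phrases Johnny
# mentions in the comments. Assumption: a real deployment loads millions of
# entries from such lists; nothing here is queried over the network.
WORDLIST = {
    "password", "123456", "qwerty", "letmein", "dragon", "football",
    "iloveyou", "monkey", "correcthorsebatterystaple", "thedarksideofthemoon",
}

# Reverse of the leetspeak substitutions cracking rulesets apply (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Runs of digits/symbols that rules append or prepend to a base word.
EDGE_JUNK = r"[\d\W_]+"


def candidates(password: str) -> set:
    """Base words an attacker's mangling rules could have turned into
    `password`: lowercase, spaces removed, leading/trailing digit and
    symbol runs stripped, leetspeak undone, in every combination."""
    base = re.sub(r"\s+", "", password.lower())
    forms = {
        base,
        re.sub(EDGE_JUNK + "$", "", base),             # drop appended "987", "!!"
        re.sub("^" + EDGE_JUNK, "", base),             # drop prepended "1", "#"
        re.sub("^" + EDGE_JUNK + "|" + EDGE_JUNK + "$", "", base),
    }
    forms |= {f.translate(LEET) for f in list(forms)}  # pa55w0rd -> password
    return {f for f in forms if f}


def weak_by_wordlist(password: str, wordlist=WORDLIST):
    """Return the listed base word that `password` is a trivial mangling of,
    or None if no candidate form is in the list. None does not mean strong:
    it only means this particular attack would not find it."""
    for form in sorted(candidates(password), key=len):
        if form in wordlist:
            return form
    return None


if __name__ == "__main__":
    for pw in ["pa55w0rd987", "P@ssw0rd!", "correct horse battery staple",
               "Dragon2015", "hookthesnowout"]:
        hit = weak_by_wordlist(pw)
        print(f"{pw!r:35} -> {'WEAK, mangled ' + repr(hit) if hit else 'not in list'}")
```

"pa55w0rd987" comes back as a mangling of "password" even though it has zero search hits, while "hookthesnowout" passes this check for exactly the reason Curious gives in the comments: no list has it. That is the limit of the method, not evidence of strength, so the keyspace and brute-force considerations in the answer still apply to whatever gets through.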

Any sufficiently strong password (and many insufficiently strong passwords) will have 0 hits on Google, so, no, it's not really a feasible method. If your password consists entirely of English language words, it can be brute forced easily with a dictionary attack. If a password has any Google hits at all, it is almost certainly insufficiently secure, but lack of Google hits does not mean that it is secure.

Also, you should ideally never send your password over the wire ever to anyone. And definitely not over an unencrypted connection. The correct way to transmit a password is to hash it first so that even the person receiving the hash will never know what the original password was. Of course, there still exist many websites that don't use the correct way, but that's another matter. I always cringe when I sign up for an account with some website and they send me a confirmation e-mail including my password in plain text. facepalm

reirab

Warning: there are serious security problems with sending passwords out of your direct network, especially to Google. Do it only if somehow it is not a problem for you! (E.g. you are working in an isolated security context which is anyway deeply Google-dependent!)

User @PlasmaHH made the very clear comment: "Which is stronger, 2z63hg79fg79 or tf3m89j67hw396g3qh96g3q8b9? Both have the same amount of Google hits."

Which is, of course, true.

But: practically, you can use that as a pre-filter criterion. Anything having a hit on Google shouldn't be allowed as a password.

The strength of the passwords that passed this test can then be measured by a relatively simple entropy-based examination, or by a minimal Levenshtein-distance calculation against the Wikipedia article titles (here is my idea about this topic).

peterh
  • Downvote because sending the password to Google in the first place makes it weak (now Google knows it, anyone watching Google knows it, and anyone with access to however Google stores searches knows it). Sending a user's cleartext password to a third party (which your app assumes is Google) is a horrible idea, may violate privacy policies, probably violates the user's expectation of how you should protect their passwords, and definitely violates reasonable password handling wisdom. – Anti-weakpasswords Jan 17 '15 at 03:03
  • @Anti-weakpasswords You are right in most cases (I also never send passwords to Google), but not always. The simplest example for that is if we are in an isolated security context which is then highly Google-dependent. I inserted a serious warning about this at the beginning of my answer. Maybe it would be enough for a vote change? – peterh Jan 17 '15 at 15:42
  • Thank you; downvote removed; between the warning and my comments, I'll call that sufficient warning that while you answered the question, it's a horrible idea. – Anti-weakpasswords Jan 17 '15 at 17:01
  • The warning about sending out the password to any service not explicitly designed to handle passwords would be worthy of an upvote, but implying that sending it to Google is a larger security risk than any of the other services not designed to handle passwords would be worthy of a downvote. So overall I could not vote either way for this answer. – kasperd Jan 18 '15 at 20:16
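peterh's two-stage idea (reject anything that has a hit, then run an entropy-based examination or a Levenshtein-distance check against Wikipedia article titles) as an added Python example; this is not peterh's own code. The set of "indexed" strings and the title list are constructed stand-ins kept inside the process, so no cleartext password leaves the machine, which is the objection the comments raise against a live Google query. The entropy figure is the brute-force keyspace implied by the character classes present, which is what separates PlasmaHH's two zero-hit passwords.

```python
import math
import re

# Constructed stand-in for "everything that has a hit": in practice this would
# be a local index built from crawled text, never a live query to a third
# party carrying the cleartext password (see the warning above).
INDEXED_STRINGS = {"correcthorsebatterystaple", "iloveyou", "thedarksideofthemoon"}

# Constructed stand-in for the Wikipedia article titles peterh refers to.
TITLES = ["Rage Against the Machine", "The Dark Side of the Moon", "Hook", "Snow"]

# Character classes and their sizes for the keyspace estimate (33 printable
# ASCII symbols assumed for the last class).
CHAR_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]


def normalize(s: str) -> str:
    """Lowercase and strip everything but letters and digits, so that
    'The Dark Side of the Moon!!' and 'thedarksideofthemoon' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force space implied by the character classes present.
    This is the 'relatively simple entropy-based examination': an upper bound
    that is only meaningful once the hit and title checks have run."""
    alphabet = sum(size for pat, size in CHAR_CLASSES if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def min_title_distance(password: str, titles=TITLES) -> int:
    """Smallest edit distance from the normalized password to any title."""
    norm = normalize(password)
    return min(levenshtein(norm, normalize(t)) for t in titles)


def assess(password: str):
    """Stage 1: reject anything the index knows or that is a few edits from a
    known title. Stage 2: return the keyspace estimate for the caller to
    compare against its policy threshold."""
    norm = normalize(password)
    if norm in INDEXED_STRINGS:
        return ("rejected", "has a hit in the index")
    d = min_title_distance(password)
    if d <= max(2, len(norm) // 4):
        return ("rejected", f"within {d} edit(s) of a known title")
    return ("scored", round(keyspace_bits(password), 1))


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "rage against the machine 1",
               "2z63hg79fg79", "tf3m89j67hw396g3qh96g3q8b9"]:
        print(f"{pw!r:35} -> {assess(pw)}")
```

The ordering matters: the keyspace estimate alone would rate "correct horse battery staple" at roughly 132 bits, far above its real guessability, which is why the hit and title checks run first and the number is only reported for what survives them. The edit-distance threshold (two edits, or a quarter of the length for longer inputs) is an assumed policy value, not something the answer specifies.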

A password's results on a Google search for itself aren't very indicative of its strength. Others have already given examples of low-strength passwords that have no hits.

That said, I wonder if doing a Google search on the username (or real name, if it's known) might be a good idea. Words that come up more often than some threshold on the first, say, three pages of results could be rejected as potentially easy to guess. The results would, to some degree, be tailored to each user, but this could make an interesting defense against an attacker somewhat more determined than is typical.

The Spooniest
  • I agree doing a Google search will not be a true indicator of password strength, but won't it quantify the password's strength better than the strength meters used today? – Curious Jan 19 '15 at 10:58