30

In an extra from Edward Snowden's interview with John Oliver, Snowdon advises that a good password to use is one such as MargaretThatcheris110%SEXY..

Also, on the Errata Security blog, Robert Graham says on the matter:

NSA leaker Edward Snowden recent suggested that a strong password would look like "MargaretThatcheris110%SEXY". he's been criticized for this, but actually, it indeed pretty strong. Yes, there are lots dictionary and Markov weakness, but they are compensated for by length. All else being equal, longer is better. Indeed, whatever password you have now, simply adding "xxxxxxxxxxx" onto the end of it it likely to make it unbreakable, and it's extremely easy for you to remember. A password like "MaThis110%SX" is a 12 character password such that even the NSA is unlikely to be able to break it if it were your Lastpass password -- Snowden's longer form doesn't make it worse. (Note, some people claim this Snowden example isn't so secure, but they are wrong).

Now, on previous discussions on here we have learnt that the human brain is bad at being random. We also know that password entropy isn't based on what's in the actual password, but how the password was generated. For example, the following password may be considered strong on first glance:

zTzG5rUev2fBBkp6dEMJHNEQWWmFTSjBBn26cQCgkVXSydep3nUx6pF4uf6Pu59RYKDEwkwnTdFJht2n

However, say that Bob always generates his passwords by combining the following words in his password generation text file together in a random order, and the attacker knows that, then the password is not so strong.

kVXSydep3nUx6pF4uf6P
zTzG5rUev2fBBkp6dEMJ
HNEQWWmFTSjBBn26cQCg
u59RYKDEwkwnTdFJht2n

One of the comments on the Wired article is:

if I was trying to crack a hash I wouldn't just assume from the beginning that all passwords follow a female_names+surnames+english_word+english_word+known_passwords pattern and then wait up to 7 days to see if I was correct. If I knew it was that pattern, then Snowden's password would have 33.041 bits of entropy. Otherwise, the entropy would be considerably higher (>100 bits).

This describes the crux of my question. If I made such a password like MargaretThatcheris110%SEXY., a "strength meter" such as zxcvbn gives the entropy as 39.6 (including the full stop). However, nobody knows that I generated the way zxcvbn breaks it down. And even if they did know I'd used that method in the past, I might use a different method for my next password (e.g. male_name+number+english_word+french_word+known_password+diceword).

As tylerl notes in another answer:

We can guess at what dictionaries will be available to the attacker, but we can't know for certain. Therefore, as a proxy for dictionary size, we instead use entropy. It's a poor substitute because it doesn't reflect the actual attack mechanics, but it's potentially better than nothing.

If an attacker knows that I might use "human brain made up" sequence definitions, possibly with "human brain made up" values to fill in those sequences, does this actually help them in any practical sense? What I mean is the entropy value of 39.6 doesn't really mean it can be attacked by a brute force attack filling that keyspace, because the attacker does not know the structure. I realise in security the only things that should be secret are passwords and secret keys, the mechanisms themselves should be considered known and public. However, the way the password is generated could be considered private because know one else knows the exact method. Obviously Snowden has revealed this publically, but for his next password he'll do it slightly differently. Is this why Graham disagrees that Snowden's example is more secure than the entropy analysis suggests?

Also related: Has human-generated entropy ever been a real problem?

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
  • 2
    I sense a lot of confusion about some basic points here. So, just to head some of it off, let me remind folks: it is meaningless to talk about the entropy of a (single) password; that's not well-defined. You can't talk about the entropy of a single value; instead, what is well-defined is the entropy of a *distribution* or a *random process*. So, if we hypothesize a particular random process for generating a password, then we can compute the entropy of that process. Those online "entropy calculators" don't actually calculate the entropy; they just compute some (possibly lousy) approximation. – D.W. Jul 01 '15 at 01:47
  • 1
    I think relying on the secrecy of your password generation scheme for security is a violation of Kerckhoffs's principle. That said, 39.6 bits of entropy seems okay for something like a remote web service, assuming that's an accurate calculation (I'm not sure whether it is or not). 4 random common words still seems like a better scheme IMO. – Ajedi32 Jul 01 '15 at 15:48
  • If nobody would ever come up with it as a password, doesn't that mean that the entropy is effectively infinite? So, all you need to do is substitute a different percentage and you're good to go... (*n.b.:* this is obviously said in jest. Real life is a lot more complicated than that.) – user Oct 19 '15 at 15:39

4 Answers4

11

As tylerl noted, entropy isn't really a measure of password strength, but it is the best that we've got:

The purpose of password complexity is to stand up against a brute-force attack. The size of the smallest available dictionary that contains your password determines the amount of time required to crack your password. We can guess at what dictionaries will be available to the attacker, but we can't know for certain. Therefore, as a proxy for dictionary size, we instead use entropy. It's a poor substitute because it doesn't reflect the actual attack mechanics, but it's potentially better than nothing.

Comparisons of passwords based on entropy calculations may potentially be fruitful, but you should be careful to avoid ascribing too much value to a number which is, in the end, only indirectly related to how well the password will hold up.

Even though the MargaretThatcheris110%SEXY. password, when analysed, has an entropy of 39.6 bits, the generation method is randomised (albeit by the human brain). This makes it difficult to gauge its actual strength. This faux randomisation will also make it difficult for an attacker to put together a wordlist without knowing the structure itself of that particular password. Unless the end-user is using the same structure for multiple passwords (which might accidentally happen should they generate enough that they need to remember), then this lack of entropy doesn't really help the attacker. This is why Graham disagrees that Snowden's password is weak.

It is impossible to judge whether any given single password is "weak" or "strong".

DyZ29ZQ8JswmeKutXHDHh77YqpkmD

might be a secure password, however if it is in the attacker's dictionary then it is not. Password "strength" meters like zxcvbn can give a breakdown of how your password might be constructed, and if it falls into a common sequence then that may prompt you to go for a different one.

The sequence of

female_names + surnames + english word + english word + digits + common password + character

that zxcvbn determines from MargaretThatcheris110%SEXY. is not likely to be very common, therefore an attacker would only choose to attack the keyspace of this entropy distribution if they have a specific reason to do so. This means MargaretThatcheris110%SEXY. is probably as NSA proof as Graham suggests.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
  • 1
    so, you asked the question so that you could answer it, for points or what? i know its allowed, but seems silly – n00b Jun 30 '15 at 17:33
  • @n00b I was wondering the same. However, on SO, I have asked a question and then a few hours later actually figured it out. – Jared Burrows Jun 30 '15 at 18:09
  • 7
    Answering your own question: http://meta.stackexchange.com/questions/17845/etiquette-for-answering-your-own-question – circuitBurn Jun 30 '15 at 21:02
  • "entropy isn't really a measure of password strength" - Not sure what your justification for that statement is. There's no source or citation or explanation. Sounds like a dubious conclusion to me. Why *wouldn't* it be a measure of password strength? – D.W. Jul 01 '15 at 01:44
  • @D.W.: Answer updated with citation (it was linked and partially quoted in the original question though). – SilverlightFox Jul 01 '15 at 08:26
  • "entropy isn't really a measure of password strength, but it is the best that we've got" – I would say that entropy is a perfect measure of password strength, but you can't measure the entropy of a password, just like you can't determine whether a coin is fair given the result of one flip. Web sites that claim to analyze the entropy of a password that you type in are actually guessing how you generated the password, like guessing that "Heads" was the result of flipping a fair coin. If they're right then their entropy estimate is right, and if they're wrong then it's wrong. – benrg Jan 17 '19 at 05:22
1

Sure Snowden's password "algorithm" is now known and that reduce the potential keyspace to an attackable range. Now Snowden is smart enough to know this and I would presume would not use a password based on the same algorithm or even one similar in the future. There are however two issues to consider.

The first is information leakage when sharing derived secrets. The only advantage of using an algorithm over just random words (diceware) would be the to produce multiple secure secrets from the algorithm. An example would be deriving two passwords which would be easier to memorize than two purely random values.

Lets assume that without knowing the algorithm that both derived passwords are too complex to be broken by brute force. The issue is that there are other ways to obtain one of the passwords and that reduces the strength of the other noe. For example if someone one password to encrypt a document and the other as their facebook login that would be very bad. Law enforcement could use legal powers to intercept the facebook password and based on the results derive the algorithm or a substantial portion of the algorithm and then cut the entropy of the secret document password from >100 bits down to 40. From unbreakable to breakable due to leakage.

So yes in an abstract analysis it is very secure but the real world is complex. We have to consider where the derived passwords will be used. When two values are linked there is more risk because leaking information can compromise the underlying algorithm. If you are assuming the algorithm will remain a secret then that is a problem. If you assume the algorithm will not remain a secret then you will need more complex passwords and you lose the value of the algorithm over say just using multiple random passwords.

When we pass a secret to a third party (i.e. a login to a website) we lose control over it and that is the problem in a nutshell. I used the example of law enforcement compelling facebook to record the next login but it could be the website has bad security and stores it in plain text, or one of the employees in malicious and recording all logins as they happen, or the site gets hacked doesn't know it and a third party (possibly one w/ 3 letters) is covertly recording the logins.

If I can't control the security of a secret I don't want that secret tied to other secrets. I can't control if facebook will compromise the security of that one secret but I can compartmentalize the damage. A password manager protected by a strong password that stores randomly generated site passwords ensures there is no upstream linkage. A compromise of the master password, compromises all stored passwords but there is no way for the leaked facebook password, can compromise the secret document password.

Still with a "master password" while there isn't upstream linkage there is linkage of all the secrets and the master password which is potentially bad for similar reasons. For a higher level of security it may be useful to isolate higher security secrets from lower security secrets by using an algorithm plus random value stored in the password manager for the high level secrets. Thus a compromise of the master password would compromise all the low level secrets but not necessarily the higher level ones.

Gerald Davis
  • 2,260
  • 16
  • 17
  • It may be a known algorithm now, but the key space of "a relatively short English sentence that may or may not make sense" is one hell of a large key space to attempt to bruteforce. PGP/GPG isn't any less secure just because people know how it's calculated. – Shadur Jun 30 '15 at 17:58
1

The problem with entropy as a measure of password strength is it really does have to be applied to the input not the output.

If I base64 encode the word "password" I get something that looks strong, but really isn't.

So measuring entropy bits is really a best case. If you look at purely random generation the per symbol entropy for even relatively small keyspaces is actually not as bad as you might imagine.

With reference to: https://en.wikipedia.org/wiki/Password_strength#Random_passwords

Case insensitive letters are 4.7 bits per symbol. All ascii is 6.5 per symbol. So as long as my password using just 'normal letters' is 50% longer, it's 'more secure'.

But realistically - even a randomly generated password may not be that random. It looks good, but it isn't. A human brain generated password is similarly ... not all that random, but there's an important caveat - unless I know how your brain works, I can't tell the algorithm you may have used.

I may be able to guess - and indeed, this is how dictionary attacks work. You make a a set of dictionary driven 'password rules', which is very simply a case of sticking together symbols and trying to 'guess' those. This massively reduces your entropy from a 'best case' of random characters. I think XCKD quotes "correcthorsebatterystaple" as bring around 44 bits instead of the theoretical 122 that a string that length could be.

So ... short answer - it's next to impossible to tell. Don't let people brute force your passwords even if you are confident :).

Sobrique
  • 186
  • 6
1

I think the most important component to trying to analyze this quantitatively is

"a "strength meter" such as zxcvbn gives the entropy as 39.6 (including the full stop). However, nobody knows that I generated the way zxcvbn breaks it down."

So with that in mind, the permutations of password generation algorithms need to be included as bits of entropy since it is possible the attacker is out there putting together a stable of brute forcers for each possible generation scheme (the xkcd scheme, the zxcvbn scheme, the schneier scheme, etc. which all trade some amount of entropy for ease of memory recall) and will ultimately just line them all up and fire them at your hash should they get the chance.
Some clever use of google would probably reveal the top 6 or 8 methods for "memorable password creation" and that would be the place to start if you wanted to come up with a more complete entropy analysis.

Jeff Meden
  • 3,976
  • 13
  • 16