Best password improver

Tub
Posts: 472
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: Best password improver

Postby Tub » Fri Sep 18, 2015 10:26 pm UTC

Whizbang wrote:Wouldn't the blacklist be hash values?

Of course it would. I think they explicitly mentioned that.
Derek wrote:Storing the hashed passwords is better, but still leaves you vulnerable to dictionary attacks and rainbows tables if your blacklist is stolen.

Rainbow tables are easily defeated with a long salt, since none of your existing tables will work, and computing a new table is as expensive as brute forcing the key space in the first place. It can even be the same salt for all passwords, so checking a pw against the blacklist remains cheap.

Dictionary attacks can work, but then you know that "12345" is on the blacklist. Now what? Are you going to try it against 3 million accounts? Do you really think the passwords you get with dictionary attacks are on the blacklist because they're currently in use on an active account? Also remember that you can compromise at most one account per password, since the blacklist guarantees them to be unique.

Sure, the blacklist introduces a vulnerability that can make offline dictionary attacks cheaper (assuming someone can steal not only the usernames and corresponding (individually salted) pw hashes, but also the list of blacklisted hashes). On the other hand, the blacklist forces users to strengthen their passwords to the point that both online and offline dictionary attacks become a lot more expensive. I think it's an improvement.

speising wrote:Thinking about it, why aren't bloom filters used for password verification? This way, the password list could never be stolen, since there isn't one.

So someone tells you a username and password, you give the password to the bloom filter and it responds: "Yup, that password is currently in use on some account in our system... probably.". Would you authorize that login? :shock:
You need to link the passwords to the actual accounts, so you'll always have some kind of list that can be stolen and used.
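The shared-salt blacklist Tub describes, written out as an added Python example (this is not code from the thread or from any project it mentions). It assumes PBKDF2-SHA256 as the slow hash and the class names `PasswordBlacklist` and `AccountStore`; the salt and sample passwords are constructed for the demo. The blacklist uses one site-wide salt so a membership check is a single hash, while per-account records use individual salts kept apart from the list, so a stolen blacklist cannot be joined to the account table.

```python
import hashlib
import hmac
import os


class PasswordBlacklist:
    """Salted hashes of every password currently in use (the scheme Tub describes).

    A single site-wide salt covers the whole list, so a membership check costs
    exactly one hash computation, while a precomputed table built without that
    salt is useless against a stolen copy of the list.
    """

    def __init__(self, salt: bytes, iterations: int = 100_000):
        self._salt = salt
        self._iterations = iterations
        self._hashes: set[bytes] = set()

    def _digest(self, password: str) -> bytes:
        # Slow hash: each guess against a stolen list costs `iterations` rounds.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, self._iterations)

    def contains(self, password: str) -> bool:
        return self._digest(password) in self._hashes

    def reserve(self, password: str) -> bool:
        """Claim a password for one account; False if some account already has it."""
        digest = self._digest(password)
        if digest in self._hashes:
            return False
        self._hashes.add(digest)
        return True


class AccountStore:
    """Per-account credentials, each with its own random salt.

    Because these salts differ from the blacklist salt, a thief holding both
    the blacklist and this table cannot join them to learn which account uses
    which blacklisted hash.
    """

    def __init__(self, blacklist: PasswordBlacklist, iterations: int = 100_000):
        self._blacklist = blacklist
        self._iterations = iterations
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self._iterations)

    def register(self, username: str, password: str) -> bool:
        if username in self._users:
            return False
        # The blacklist guarantees a password maps to at most one account.
        if not self._blacklist.reserve(password):
            return False
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        return True

    def verify(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._hash(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample data; in production the salt comes from os.urandom
    # and the iteration count stays at the default.
    blacklist = PasswordBlacklist(salt=b"constructed-site-wide-salt", iterations=1000)
    store = AccountStore(blacklist, iterations=1000)
    print(store.register("alice", "Tr0ub4dor&3"))                  # True: first use
    print(store.register("bob", "Tr0ub4dor&3"))                    # False: already in use
    print(store.register("bob", "correct horse battery staple"))   # True
    print(store.verify("alice", "Tr0ub4dor&3"))                    # True
```

The iteration count is lowered only in the demo so it runs quickly; the point of the slow hash is that every dictionary guess against a stolen blacklist pays the same cost as a guess against the account table.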

speising
Posts: 2353
Joined: Mon Sep 03, 2012 4:54 pm UTC
Location: wien

Re: Best password improver

Postby speising » Sat Sep 19, 2015 12:24 am UTC

Oh, that part's easy, just test the username and pw combined. But there is the problem that you can't remove an element from the filter, of course, thus can't change your pw.

Xanthir
My HERO!!!
Posts: 5410
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: Best password improver

Postby Xanthir » Sat Sep 19, 2015 1:15 am UTC

It still means that you'll sometimes get in on a false positive. The false-positive rate on a reasonably optimized Bloom is *far* too high to trust account security to (1 in 100-1000). Long before the expected number of attempts approaches what brute-force would require, your Bloom size blows up to far larger than just tracking the usernames and passwords normally.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))
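To put numbers on the false-positive point raised by speising and Xanthir above, here is an added Python example (my own code, not from the thread): a minimal Bloom filter loaded with constructed `username:password` strings, as in speising's combined-key variant, and a measurement of how often a wrong guess is accepted. The class and function names (`BloomFilter`, `false_positive_rate`, `demo`) and the sample credentials are assumptions; the sizing formulas are the standard ones for a Bloom filter with optimal bit and hash counts.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter sized for n expected items and a target false-positive
    rate p, using double hashing derived from one SHA-256 digest."""

    def __init__(self, expected_items: int, fp_rate: float):
        # Optimal bit count m and hash count k for the requested rate.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        # Never a false negative, sometimes a false positive, and there is
        # no delete: clearing a bit could break other members.
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(item))

    def expected_fp_rate(self, items_inserted: int) -> float:
        return (1 - math.exp(-self.k * items_inserted / self.m)) ** self.k


def false_positive_rate(bf: BloomFilter, non_members) -> float:
    """Fraction of strings that were never inserted but are still accepted."""
    non_members = list(non_members)
    hits = sum(1 for s in non_members if bf.might_contain(s))
    return hits / len(non_members)


def demo(n: int = 1000, target: float = 0.01, trials: int = 10_000):
    """Load n constructed credentials, then count how many wrong guesses pass."""
    bf = BloomFilter(n, target)
    for i in range(n):
        bf.add(f"user{i}:CorrectPassword{i}")   # constructed credential strings
    no_false_negatives = all(bf.might_contain(f"user{i}:CorrectPassword{i}")
                             for i in range(n))
    measured = false_positive_rate(
        bf, (f"user{i}:WrongGuess{i}" for i in range(trials)))
    return bf, no_false_negatives, measured


if __name__ == "__main__":
    bf, ok, measured = demo()
    print(f"bits={bf.m} hashes={bf.k} no_false_negatives={ok}")
    print(f"expected fp rate {bf.expected_fp_rate(1000):.4f}, measured {measured:.4f}")
```

With the 1% target the filter accepts roughly one wrong guess in a hundred, which is exactly why it cannot stand in for a credential check; driving the target rate down to anything comparable with guessing a real password means growing `m` far beyond the size of a plain table of salted hashes.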

Thesh
Made to Fuck Dinosaurs
Posts: 6579
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: Best password improver

Postby Thesh » Sat Sep 19, 2015 1:37 am UTC

Bloom Filters may be space efficient, but they are only marginally better than unsalted hashes from a security standpoint.
Summum ius, summa iniuria.

ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC

Re: Best password improver

Postby ahammel » Sat Sep 19, 2015 4:27 am UTC

I'm confused, are we encrypting the list of the thousand most common passwords now? Why? That's not a secret.
He/Him/His/Alex
God damn these electric sex pants!

Thesh
Made to Fuck Dinosaurs
Posts: 6579
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: Best password improver

Postby Thesh » Sat Sep 19, 2015 4:43 am UTC

ahammel wrote:I'm confused, are we encrypting the list of the thousand most common passwords now? Why? That's not a secret.


They are talking about keeping a database containing every password that is actually being used in order to prevent two people from using the same password, which I say is at best useless and at worst a major security risk.
Summum ius, summa iniuria.

ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC

Re: Best password improver

Postby ahammel » Sat Sep 19, 2015 4:44 am UTC

Oh. Carry on, then.
He/Him/His/Alex
God damn these electric sex pants!

elasto
Posts: 3756
Joined: Mon May 10, 2010 1:53 am UTC

Re: Best password improver

Postby elasto » Sun Sep 20, 2015 11:47 am UTC

PeteP wrote:(And I would consider password+the site name/initials/first letters of the site name as only a bit better than using the same one. It doesn't add much entropy (assuming the search for the password includes page specific strings) and is something that enough people do for it to be checked. So if you have cracked one you don't have the password for other pages but a full name or obvious abbreviation is something potentially noticeable by an automatic system. So it could be ordered in a "might be using same pass+website" category and some variations could be tried when trying out login details for other sites.)

That's why you have tiers of passwords. If a password in one tier is cracked, you have to assume the others are potentially compromised, but it's still much better than using the same password. And adding the website isn't to gain entropy so much as just stop the cracked password instantly working elsewhere.

And it's quite easy to incorporate the website name in a way no automated process will spot. For example, you discover my password to xkcd is "Wclj5&q18A". Is it obvious that my bbc password is going to be "Wnnj5&q18A"?

(All I do is take the first two letters of the website name, shift them right on the keyboard, and insert them into the random string I have memorised to use for all sites on that tier...)

Sure, a dedicated enough examination of me specifically might reveal the method I use, but why am I going to be targeted specifically? It's not worth anyone's time when there is sooo much low-lying fruit around.

(Still not sure why recommending people use a password manager isn't gaining traction here. While I personally use LastPass, I guess one could argue 'why should I trust them?', but I'm sure there must be open-source password managers that are basically beyond reproach. Yeah, a quick Googling shows there are loads.)

Flumble
Yes Man
Posts: 2248
Joined: Sun Aug 05, 2012 9:35 pm UTC

Re: Best password improver

Postby Flumble » Sun Sep 20, 2015 2:15 pm UTC

elasto wrote:(Still not sure why recommending people use a password manager isn't gaining traction here. While I personally use LastPass, I guess one could argue 'why should I trust them?', but I'm sure there must be open-source password managers that are basically beyond reproach. Yeah, a quick Googling shows there are loads.)

Password managers are my second favorite recommendation after an OAuth/openID provider. But they are second by a long shot, because password managers are a hassle. By which I mean: it takes effort to convince people to pay for an integrated password service ("what are the odds I get hacked? I'm not gonna pay 15$ a year for that!" and the trust issue you mentioned) and even more effort to convince people to set up the integration for a free solution. (and you need that integration, because people have multiple devices all with shitloads of accounts)

So, yeah, I'm more in favor of allowing people to authenticate with their evilcorp account, Estonian ID or yet another provider. One is usually more careful with their Facebook account (and trusts Facebook with their life) and ID card than any other identity.
Moreover, the big providers also have extra measures to verify that the user is actually the right person, e.g. two-factor authentication and geolocation.


And yes, of course you want to identify/authenticate natural persons only. :mrgreen: People in a group should identify individually and then join a group to all get the same permissions and (possibly) act for the group. Bots should be registered/authenticated by the natural person controlling them. How else do we, the internet, properly identify your interests and apply targeted marketing? Please excuse me while I make a free integrated password manager that, errrr, "assists you in choosing usernames, checks if you're actually at the right URL for your log-in and collects some non-personal data to track user experience". (I'm totally not going to save, combine and profilify those data and sell them. You can trust me, for I'll make the project client API open-source.)

ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC

Re: Best password improver

Postby ahammel » Sun Sep 20, 2015 4:21 pm UTC

elasto wrote:Sure, a dedicated enough examination of me specifically might reveal the method I use, but why am I going to be targeted specifically? It's not worth anyone's time when there is sooo much low-lying fruit around.
You're probably not the only person using your system. Even if you are the only one using your specific system, it's probably just a combination of common, low-entropy techniques which a smart cracking program could discover.

Better to use a method that gives the attacker no help even if they know the algorithm. (Such as, yes, using a strongly-protected password manager to remember random strings).
He/Him/His/Alex
God damn these electric sex pants!

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: Best password improver

Postby ucim » Mon Sep 21, 2015 7:03 am UTC

elasto wrote:Still not sure why recommending people use a password manager isn't gaining traction here.
Well, as the OP, I am not looking for the best password algorithm. I'm looking for the best simple thing I can tell somebody to do when they are actually sitting at the "create password" prompt. I'm not going to be able to convince them to use a password manager to access my little website - such a suggestion will simply have them click away. Users who already use a password manager won't need the little hint I'd give them. But a suggestion that people won't bother to take does no good at all.

I'm looking to help the people who would be otherwise satisfied with typing in "Daisy" for their password, because Daisy is the name of their friend Catherine. I'd consider "CrazyDaisy" to be significantly less awful, despite the fact that the hackers would see the suggestion to create two passwords and mash them together.

I'm trying to do better than that, with a suggestion that people would actually take.

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Heartfelt thanks from addams and from me - you really made a difference.

Whizbang
The Best Reporter
Posts: 2238
Joined: Fri Apr 06, 2012 7:50 pm UTC
Location: New Hampshire, USA

Re: Best password improver

Postby Whizbang » Mon Sep 21, 2015 12:48 pm UTC

Could you have two (or more) password fields, both required, which are really just concatenated together to form a single password? You could make the second field a random number character generator that requires no input, but does require them to remember. Maybe present the second password field as a PIN or something.

I think phrasing it as a suggestion won't result in changed behavior. But phrasing it as a security requirement for using your site might do the trick.

PeteP
What the peck?
Posts: 1451
Joined: Tue Aug 23, 2011 4:51 pm UTC

Re: Best password improver

Postby PeteP » Mon Sep 21, 2015 2:11 pm UTC

Whizbang wrote:Could you have two (or more) password fields, both required, which are really just concatenated together to form a single password? You could make the second field a random number character generator that requires no input, but does require them to remember. Maybe present the second password field as a PIN or something.

I think phrasing it as a suggestion won't result in changed behavior. But phrasing it as a security requirement for using your site might do the trick.

If your site is important enough to users that they are willing to do that. For the average site it has a good chance of increasing the percentage who decide that they don't want to bother to register.

Derek
Posts: 2181
Joined: Wed Aug 18, 2010 4:15 am UTC

Re: Best password improver

Postby Derek » Tue Sep 22, 2015 3:59 am UTC

Flumble wrote:Password managers are my second favorite recommendation after an OAuth/openID provider. But they are second by a long shot, because password managers are a hassle. By which I mean: it takes effort to convince people to pay for an integrated password service ("what are the odds I get hacked? I'm not gonna pay 15$ a year for that!" and the trust issue you mentioned) and even more effort to convince people to set up the integration for a free solution. (and you need that integration, because people have multiple devices all with shitloads of accounts)

Why would you have to pay to use a password manager? There are several free options. I use Keepass and sync the database across devices with Google Drive. I use this for important websites and websites that have restrictions that are going to be hard for me to remember (or websites that emailed me my plaintext password after registering... (which I immediately changed to a random string)). For common websites like forums, I use a system similar to elasto.

Dr. Willpower
Posts: 197
Joined: Wed May 28, 2008 3:55 pm UTC

Re: Best password improver

Postby Dr. Willpower » Tue Sep 22, 2015 4:35 pm UTC

Just ask them a security question instead of a password. Something like "What was the first charge you got arrested for?"

You could even allow them to create the questions themselves, and keep them mostly hashed (i.e. "What w... hashed bit ...ested for?").

The hashing of the questions wouldn't get you much as far as security goes. But it would make it so that if the database was cracked, the crackers wouldn't be able to look up the user's info and answer the questions themselves. It also means that you can possibly have them reset the password by remembering the question. If you're worried about them forgetting the question, you could try to create multiple versions (permuting words), or you could just set up some other account recovery method (like ANOTHER security question).
Hat me, bro

PeteP
What the peck?
Posts: 1451
Joined: Tue Aug 23, 2011 4:51 pm UTC

Re: Best password improver

Postby PeteP » Tue Sep 22, 2015 4:39 pm UTC

Dr. Willpower wrote:Just ask them a security question instead of a password. Something like "What was the first charge you got arrested for?"

You could even allow them to create the questions themselves, and keep them mostly hashed (i.e. "What w... hashed bit ...ested for?").

The hashing of the questions wouldn't get you much as far as security goes. But it would make it so that if the database was cracked, the crackers wouldn't be able to look up the user's info and answer the questions themselves. It also means that you can possibly have them reset the password by remembering the question. If you're worried about them forgetting the question, you could try to create multiple versions (permuting words), or you could just set up some other account recovery method (like ANOTHER security question).

Why would you consider that more secure?

Dr. Willpower
Posts: 197
Joined: Wed May 28, 2008 3:55 pm UTC

Re: Best password improver

Postby Dr. Willpower » Tue Sep 22, 2015 4:54 pm UTC

PeteP wrote:
Dr. Willpower wrote:Just ask them a security question instead of a password. Something like "What was the first charge you got arrested for?"

You could even allow them to create the questions themselves, and keep them mostly hashed (i.e. "What w... hashed bit ...ested for?").

The hashing of the questions wouldn't get you much as far as security goes. But it would make it so that if the database was cracked, the crackers wouldn't be able to look up the user's info and answer the questions themselves. It also means that you can possibly have them reset the password by remembering the question. If you're worried about them forgetting the question, you could try to create multiple versions (permuting words), or you could just set up some other account recovery method (like ANOTHER security question).

Why would you consider that more secure?


I don't know how secure it is... I can't believe it would be any more secure than using a password (and hopefully not less secure). But it might encourage users to enter better quality responses. I think that is what the OP is looking for.
Hat me, bro

korona
Posts: 495
Joined: Sun Jul 04, 2010 8:40 pm UTC

Re: Best password improver

Postby korona » Tue Sep 22, 2015 8:40 pm UTC

What about a simple note together with a button saying "It's best to use a randomly generated password like "nxW4JjTw" [Generate another one]"?

ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC

Re: Best password improver

Postby ahammel » Tue Sep 22, 2015 11:15 pm UTC

Dr. Willpower wrote:I don't know how secure it is.. I can't believe it would be any more secure than using a password (and hopefully not less secure).
I would think that security questions are, in most cases, way less secure than passwords because they tend to be things like 'what is your mother's maiden name?'. That's not even a secret, never mind a good pw.
He/Him/His/Alex
God damn these electric sex pants!

The Great Hippo
Swans ARE SHARP
Posts: 7368
Joined: Fri Dec 14, 2007 4:43 am UTC
Location: behind you

Re: Best password improver

Postby The Great Hippo » Tue Sep 22, 2015 11:19 pm UTC

I always feed false answers to those security questions -- and then end up forgetting what my false answers were.

Dr. Willpower
Posts: 197
Joined: Wed May 28, 2008 3:55 pm UTC

Re: Best password improver

Postby Dr. Willpower » Tue Sep 22, 2015 11:40 pm UTC

ahammel wrote:
Dr. Willpower wrote:I don't know how secure it is.. I can't believe it would be any more secure than using a password (and hopefully not less secure).
I would think that security questions are, in most cases, way less secure than passwords because they tend to be things like 'what is your mother's maiden name?'. That's not even a secret, never mind a good pw.


Yeah, that's a really good point. Maybe you could suggest that they make the question about something only they remember? Well, no, I don't think the average person keeps the best tabs on who knows what about themselves.

And besides, it'd be way easier to just suggest the password be some horrifying secret. And then you're really not accomplishing anything, because passwords are already "secret"!
Hat me, bro

ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC

Re: Best password improver

Postby ahammel » Wed Sep 23, 2015 1:11 am UTC

The Great Hippo wrote:I always feed false answers to those security questions -- and then end up forgetting what my false answers were.

I generally use a password manager and then claim that my math teacher in high school was named bC6xPXpcGDS5bQMr3DsQ.
He/Him/His/Alex
God damn these electric sex pants!

ucim
Posts: 6859
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: Best password improver

Postby ucim » Wed Sep 23, 2015 7:22 am UTC

ahammel wrote:I generally use a password manager and then claim that my math teacher in high school was named bC6xPXpcGDS5bQMr3DsQ.
Anybody that knowledgeable does not need my hint. But my peeve with these "secret questions" is that they are another back door into the account. And also that they won't tell you the character rules when entering it at the start, or later for verification. (Wait, does this one let you use the apostrophe but not the comma, or is this the one that I had to change the dash to a dot? Sorry, too many tries - you are locked out. To log in, simply call customer service and tell them your mother's maiden name.)

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Heartfelt thanks from addams and from me - you really made a difference.
