On Jun 17, 2009, at 9:00 PM, Dan Gahlinger wrote:
>> The definition of "hard password" is generally one that is resistant
>> to dictionary or social attack. By that definition you've failed to
>> demonstrate that the passphrase I supplied in my previous example is
>> any more vulnerable than "C0pp3rB0tt0m" or "i013ac$Z". In the absence
>> of the ability to conduct a successful dictionary attack the
>> difficulty of brute-forcing a passphrase is a direct function of the
>> length of the passphrase and the character space from which the
>> passphrase is chosen. In such a context passphrases have a clear
>> advantage, as it's easier for humans to remember sequences of words as
>> opposed to semi-random collections of characters, thus encouraging a
>> much longer length while discouraging the tendency to write down
>> passwords that are difficult to remember.
> I disagree and would say that's not correct either.
> the definition of "hard password" generally includes things that are
> not easily cracked by brute-force, eg "1234567890" while long, wouldn't be hard.
> I include "patently obvious" and "only chosen by idiots" in the
> category of "social attack".
> brute-forcing a passphrase is not necessarily a function of the length
> especially where windows is concerned, or if another system, where
> there are weaknesses in the cryptographic functions themselves.
If you have no access to the cryptotext then you are forced to submit
each candidate password to the system for validation. Weakness in the
cryptosystem is irrelevant if you never have access to the cryptotext;
in fact if one assumes perfect physical security, a security policy
created by someone with something greater than a room temperature IQ
and correct software implementation then storing passwords in
plaintext would be as strong as storing them in cryptotext.
> one portion of windows password stores saves the password as an 8
> character uppercase string,
> that's hardly very secure and can easily provide clues as to the
> true password.
The original argument had nothing to do with Windows. The fact that
Windows is brain-dead in this regard is irrelevant to the discussion
of whether passphrases have strengths that in some cases make them
superior to passwords.
> For passwords we want something that is easy to remember but hard to
> guess and which has a high degree of entropy from the set of valid
> passwords (it is entropy, not length, which is relevant to the
> strength of a password). Humans do poorly at remembering random
> vectors of characters of length much longer than seven but do
> reasonably well at remembering higher-order grouping, which is the
> mental crutch that passphrases provide. While longer is not
> inherently better, the increased entropy of true passphrases helps
> defeat probabilistic attacks and collapses the problem again down to
> something that is largely brute force.
I doubt you're seriously advancing the notion that in the case of
brute force attacks that longer is not generally better. There are 94
symbols on the standard PC keyboard; at eight characters there are
6,161,234,432,566,330 possible passwords, at 14 (the length of my
current passphrase) there are 4,250,449,449,028,840,000,000,000,000
possible passwords. Using reasonable entropy assumptions (2^ bits of
entropy based on password length) there are 8,589,934,592 "likely"
passwords out of the total number of purely random passwords.
Assuming that I change passphrases every 90 days I'll need to do
around 33,140 probes/sec in order to compromise the 14 character
passphrase vs 64.7/sec for an eight character password. Both are
perfectly tractable if there is access to the cryptotext to test
against; both are intractable if it's not (since in the latter case
you'd have to be feeding them to the OS to test), which is why
systems that expose cryptotext or hashed passwords are really
inexcusable.
If I really cared about this I'd use the SHA1 of my passphrase as my
"password" and use an SHA1 app on a PDA to compute the SHA1. As it
turns out, I don't; the combination of the math and the fact that I
don't use systems that expose cryptotext passwords coupled with a weak
cryptosystem is enough for me to not care (and if I did I'd be using
two or three factor authentication rather than passphrases).
> and you just reinforced my suggestion, the methods I've been using.
> the password generators I've written produce not only hardened passwords,
> and also passwords which are next to impossible to remember,
> BUT are incredibly easy for the user to type in.
> this does several things
> it means the user never has to write them down,
> they can never give out their password
> however, the user has no issues logging in.
> they're based on the natural flow of the users' hands as they type.
> not keyboard patterns, but a function of how words are formed
> across the hands and fingers, combinations of left and right hand
> typing.
That's brilliant. Tell me, how does that work when I go from a
machine with a QWERTY keyboard to a Dvorak keyboard? When using flying
thumbs of fury with a Blackberry? When doing the painful one-finger
hunt-and-peck with an iPhone? Biometric authentication of users based
on keyboard behavior dates back to *at least* 1984 (that's when I was
researching it), but it proved unacceptable due to things like
changing keyboards, having multiple workstations of different
manufacture, sporting injuries, being sick and being hung-over (yes,
we sampled them all).
You really should tell Bruce Schneier about this scheme of yours. I
bet he'd tell the world all about it.
>> FWIW, you're the one who introduced Windows into this discussion;
>> Gene's original comment had precisely nothing to do with Windows and
>> while your comments are valid relative to Windows that's not the
>> context for the conversation.
> windows was an example, but it's not to say there are not other systems
> with equally or similarly weak cryptographic functions
See above; unless you're dumb enough to expose the stored passwords
the strength of the cryptosystem is irrelevant save for failures of
implementation or physical security.
> and FWIW, you started out (I believe) making the comparison of linux
> vs windows and saying they were equally strong (which is not correct).
Not me; the only operating system I've mentioned has been Windows, and
that in response to your holding it up as some sort of universal
counterexample. Please get your attributions right.
> but that's water under the bridge now, it's purely for point of providing
> an example everyone is familiar with.
>> You seem to be confusing a bad implementation of the translation of
>> plaintext to cryptotext and the poor storage of said cryptotext with
>> the relative security of passphrases vs. passwords. The two are
>> utterly distinct.
> no, I'm not, and they are not necessarily distinct, dependent on the
> system.
I said nothing of the system in question. I said that you were
confusing two things that are distinct. Gene's original posting was
not relevant to a given system, it was relevant to passphrases vs.
passwords in general. If you want to recast the discussion to be "On
Windows random garbage passwords are inherently superior to
passphrases", fine, but that's not the conversation we're having.
> any good security person has to take the system as a whole, there are
> many "paths" to finding ways through the system, flaws in implementation,
> weaknesses in cryptography, the human element, and of course, others.
This is news? That's why (like the rest of us) you encrypt your boot
volumes and all storage devices, both fixed and removable, right?
> You cannot truly understand a system unless you look at it
> holistically.
No one is talking about the system, we were talking about passphrases
vs. passwords in the abstract, which is a perfectly reasonable
conversation to have. You do inadvertently bring up a good point;
you'll note that brute force attacks against ATM machines are
virtually nonexistent despite having "passwords" that are usually
chosen from a universe of four to eight *digits*. Why is this? Oh,
right -- there's no way to play 20 questions with the underlying
system to test candidate passwords, leading us back to the same
point: a well designed system should require that candidate
authentication information be presented to the system itself, rather
than allowing a circa-1976 dictionary attack.
ObClassicCmp: Does anyone recall when AT&T and BSD Unix outgrew this?
>> In order to produce a partial password the program in question must
>> either have access to the resulting cryptotext for the password in
>> question or have the Great Karnack module installed which allows it to
>> know things without having any way to know them. For the purposes of
>> the point that Gene raised getting hung up on Windows (or, for that
>> matter, Unix v7 or anything else that makes encrypted authentication
>> information visible) as a counterexample is useless. Any
>> authentication system designed in the past decade by anyone with
>> intelligence exceeding that of a pine marten is going to employ a
>> relatively sophisticated transform (i.e., not crypt() and not an
>> MD5sum) and isn't going to allow you to see the stored cryptotext,
>> meaning that you're actually going to have to submit each password to
>> the system for authentication rather than have some program magically
>> spew it out to you.
> This doesn't apply, at least in the case of windows (and perhaps others).
> On windows systems I've seen it decrypt the first (or second) half of a
> password, or the first 8 characters, I've seen it do portions in sections.
> all this with no access to cleartext.
I didn't say cleartext, I said *cryptotext*. If you have access to the
cryptotext and if the underlying cryptosystem is weak then you can
trivially discover passwords without having to play 20 questions with
the operating system and without leaving an audit trail behind you.
If you do not have access to the cryptotext you have nothing to test
your trial passwords against; if you have access to cryptotext and the
cryptosystem is not brain dead you won't be able to extract partial
matches. The fact that you can on Windows simply says that in this
specific case Windows is brain dead.
> I'd have to double-check if this has any similarity for md5 passwords,
> I don't recall, though I doubt it.
Perhaps you mean "md5 summaries of passwords"? md5 is known to produce
collisions and thus is defective as a secure hash but it's not so
defective as to allow the sort of behavior you've described.
> windows is a good example because it is (still) the most used OS in
> the world,
> and a large percentage of people have a false sense of security in
> using it
Who cares? Again, the question was regarding passphrases vs. passwords
in an abstract sense, not in the case of Windows or any other system,
past, present or future. If you can't have a conversation regarding
the relative strengths of passwords vs. passphrases without having to
reference a specific platform then you've missed the point.
--
Chris Kennedy
chris at mainecoon.com AF6AP
http://www.mainecoon.com PGP KeyID 108DAB97
PGP fingerprint: 4E99 10B6 7253 B048 6685 6CBC 55E1 20A3 108D AB97
"Mr. McKittrick, after careful consideration..."