
take the guy in the c community that is not an academic that has the best database of academic papers related to passu. So, I mean, if you're looking into, you know, finding research sources for anything passw, Bru is one of the guys you can really J to. And a few years ago we had Jeff from doing a talk about, you know, measuring password strength, and when I introduced him I also told the audience that, you know, that topic is kind of interesting to discuss, you know, measuring T of strength. I told the audience I in the room over that top. Now we have B, since about 2 years ago, so how secure M rather races, I expect that to be a
really as
well and
So Staples, Staples are fine, yeah, good, good, once. All right, thanks be. Uh, like ke mentioned, I do try, I maintain the passwordresearch.com website. I do my best effort at trying to keep the database of papers related to passwords and other authentication technologies, but I'm always way behind, so I'm usually 50 papers or so behind whatever's currently out there. I also do have statistics, some of which are certainly just vendor surveys and some of which are a little bit more scientific, um, so, you know, what's the average number of passwords a person has, um, how many websites do they use them on, use the same password on, stuff like
that. But yeah, today we're going to talk about passphrases. Um, Jeffrey Goldberg actually did talk a little bit about this yesterday. I don't think I'm going to have too much overlap, so if you were in both sessions you're probably going to be fine. So what are they? Very quickly: it's kind of hard to define, because it's not a solid "once you hit 20 characters it's a passphrase, 20 below it's a password; once it's three words it's a passphrase, once it's, you know, only two, it's a password." We just have some general guidelines. Um, usually they're going to be words separated by spaces. There is going to be some overlap, like, you know, one of the top 10, top 100
passwords is "let me in". You know, that's technically a phrase, but if it's not spaces and stuff, some people would argue it's not a passphrase. So what's the goal behind passphrases? We need better security than passwords, but we know that random passwords are kind of hard for people to memorize as a general principle, so we're trying to find some sort of medium ground. People are better at memorizing words, so our passphrase is the good alternative to that. There's different types of passphrases, um, and Jeff kind of mentioned another one of, I would call, pseudo natural language phrases, where they're made-up words or words that are
very similar, in his talk yesterday. But mostly natural language: if people are going to create their own passphrase, that's often what they fall to, is, you know, "let me in" or things like that. Natural language structured phrases, which is something like, you know, adverb noun verb noun: it fits a structure, but you're taking words that aren't necessarily, um, making sense to most of us in that context. You'd also do things like, you know, five nouns or things like that. Mentally chosen random words: um, the problem with that is, you know, and a lot of people talk about the XKCD system, where people would forward that on to the friend and say, hey, use pass
phrases, and the person's like, "all right, well, let's see, uh, let's see: my computer, Dell, uh, on a chair, it's kind of boring here at work, calendar." You know, they're thinking that, they have a very limited vocabulary of what's random to them; they may not put much effort into that. And then securely chosen random words, which is where you're using a set word list most of the time, and you're making sure that you're using, you know, a good cryptographically sound random number generator to choose those rather than your own mindset. I'm kind of going back to that mentally chosen random words. We have to throw a meme into the, uh, equation
here. Um, one of the problems is that, of course, like I said, people come up with similar information or choose similar things. There's a good paper about this. This little one notation: I have a reference section at the end, uh, kind of if you really want to look up some of the research papers; um, there's some good information in them. This one, there was this paper written called "Linguistic Properties of Multi-word Passphrases", and it basically looked at Amazon's pay words, pay phrases. So it was a way for people to essentially purchase things without having to have, you know, saving their credit card information. They combined a pay phrase and then a
PIN, so it wasn't just pay phrase by itself, but they essentially said, you know, come up with a secure phrase to help you through this purchase process. And so they essentially, uh, tested by just assembling lists, you know, sports team names and cities, song titles and things like that. They pretty much were able to, just guessing through the Amazon API, um, able to find a lot of those pay phrases that were valid, because Amazon would tell you if one was already chosen; they had to be unique as well. Anyway, so the idea being that we're often drawing on similar information, similar pools of random information, to make it memorable, which is why, again, we tend to focus, if
we're going to try to make something better than passwords, on going to the randomness route. Now, there's been a lot of popularity here, especially this year, past year, um, but passphrases aren't really new. This is an excerpt from the 1985, uh, DoD password security standard, password... I'm forgetting the exact title, but they essentially, they introduce passwords and they talked about that. Password Management Guideline, that's the book, uh, the lime green book in the Rainbow Series. They talk about, like, you know, hey, if we use combined four-, five- and six-letter words, we're going to end up with a 23,000-word dictionary, and how many, you know, based on the guessing time, um, how
many of those words do we need to have in a series before that offers the adequate security. Now, the one big difference between today and 1985 is that their guesses per minute were capped on the speed of a 12200 baud modem, which, you know, today things are a little different. So Diceware, uh, it's a system that came out in 1985 by a guy named Arnold Reinhold, and what I mean by it's a formal system is that he basically tells you everything you need to do to utilize it. It's not necessarily just "hey, use passphrases"; he says here's the list of words to use and here's how to randomly generate them. And the reason it's called
Diceware is because he recommends using physical dice to produce those random numbers rather than, um, you know, random number generation on a computer. And I think the main reason was because, especially back in 1995, there wasn't, uh, 1985, there wasn't a lot of great sources for random number generators that were considered good random number generators. But it also allows you to have a completely offline system: you can print out the list of words, you can roll the dice, and if you're using it for a device, it's not your laptop or your desktop, that password is never seen by that device, so technically, you know, there's some segmentation between that. Essentially
what you do is you roll either one die five times or five dice once. You know, you get a series of numbers, one through six; you look up that index in the paper and the, uh, the actual word list, and that tells you what your first word is, and you do that for as many words as you are going to use for that passphrase. Pretty straightforward. And if you've ever... next screen may cause flashbacks for some of you. If you've ever been in any password discussion on the internet, you've got this burned into your retina already, because it's undoubtedly going to come up in every discussion: XKCD 936, which is the actual page you
can go to to look it up, is a lot less formal. It's not a specific system; it was kind of a rough comparison that got turned into this cult of, you know, passphrase use, which is fine, um, but I think left people with a lot of questions. Essentially he's comparing, you know, kind of a leetspeak, typical or maybe slightly better than typical, password format, and comparing that from an entropy standpoint, as far as bits of strength, to something like a passphrase. He doesn't really say in the comic how many words he's drawing from or how many words minimum you should have. Clearly his example has four. Uh, you look, if you read into it a little
bit, you see that he's saying 44 bits of strength from the total, which means each word has 11. You can kind of figure out that means it's a 2048-word dictionary that he's assuming you're pulling these words from. But that came out in 2011, um, and that's also helped kind of gain some popularity for it. But like I said, we're not really left with a complete system to pull from. So there's sites like XKCD password or passphrase, I think, or, uh, there's different people that have tried to implement this in a system, um, based off the same idea. So, attacks against passphrases. Offline password cracking: your typical, you know, someone downloads a,
dumps your database from a site you're on, or they get your PGP, uh, archive or drive or your TrueCrypt or whatever, and they've got something that they can try passwords or passphrases against. That's probably one of our main concerns when it comes to why we think we're going to use passphrases. Online password guessing is also a threat, um, but as we'll talk about in a little while, um, if you're actually using one of these more formalized systems, it's just not practical for someone to get your password via an online guessing attack; it's just way too slow. Shoulder surfing: I'm kind of curious as to whether... it'd be interesting to see a study based on,
you know, if someone's typing in a passphrase where you're using real words, and presumably they might be able to type that faster than random characters, if it's actually easier or harder for them to shoulder surf, because they also tend to be longer, so there's potential for someone not seeing as much. As far as keystroke logging, man in the middle, phishing, social engineering, um, you know, they're pretty much compatible with passwords. Having a long, strong passphrase is not going to do anything for you if someone has a Trojan on your system. So how do we estimate strength? And this is only specifically for random passphrases, because if we're drawing from memory or if we're drawing from
common things, this doesn't really work out; the entropy doesn't work out quite as well. So it's much like passwords, where you say how many characters do we have to draw from. You know, 95 is the typical maximum you have to draw from from a keyboard, you know, uppercase, lowercase, numbers and symbols. Um, with words, when we come with dictionaries, it kind of converts: that characters turns into words, so your words are your characters that you're combining together to make your string. So then you take how many words are in that dictionary you're pulling from, to the power of how many words you're choosing to add. So four words, you know, so a thousand words, times, to the power
four, and give you, you know, if you have a four-word-long... If you're trying to convert that back into bits, then, to kind of estimate the strength to compare it against other passwords or, um, you know, symmetric keys, um, you've got to convert that to the base-two log of that total that you're pulling from. So to kind of go back to the XKCD and Diceware suggestions, what we're looking at with a, you know, 2048-bit, 2048-word list, it's around 44 bits for four words. Diceware has more words; they recommend a base of five, so you get a little bit more bits of protection. So what does that actually mean? I mean, that's,
that sounds great; some of you probably already know, relative to other things, how secure that is, but we can kind of compare. The table on the left here is the passphrases we've kind of talked about, as well as some longer variations, and the passwords on the other side. And the passwords, like, this is the ones that require a true brute force. This is not what people are cracking on a daily basis; they're cracking things based on templates, topologies, you know, dictionary words. They're not having to do that full 95-character brute force to try to exhaust that. But assuming this is, you know, truly random passwords we're
comparing to random passphrases, this is roughly some of the comparisons you get, as far as, you know, the bit strength, the total number of possibilities it would take someone to exhaust that entire set. We'll talk a little bit more about password cracking, but remember, that doesn't mean it's going to always take, you know, the maximums; the average is halfway through that maximum, you're probably going to get cracks. But you can kind of see that, you know, even once we're getting to five-word Diceware, um, passphrases, we're looking at, you know, stronger security than, like, a nine-character password that's randomly generated, and it goes up from there. So one of the problems, or at least
limitations, of Diceware is the words themselves. If you remember going back to that slide where I show the excerpts of, you know, the indexes, um, you may remember, flash back to here, on the right side here, they've got some single characters, they've got some symbols, not just words. They've got, you know, the letter A, the letter B. Um, they throw some of those in there, I think in an attempt to try to meet some complexity requirements. But essentially what that also means is, the shorter these words are, you also have the opportunity to have, you know, five... you just may hit the bad chance of rolling five single-letter characters. So you have a choice to make
then as a user: you either stick with that and say, well, random is random, um, or you say, well, that's probably not a good passphrase for me to use, so I'm going to disregard that. Um, and what that means in that sense is you're then eliminating a pool of possible passphrases from that total pool that we looked at previously. If you're looking at, you know, five words, the good thing is it's a big number, I think it's like 380 million or something like that, um, but as far as the possible, if you're looking at just five-word passphrases, you're eliminating a very small percentage of those by avoiding those words. So how does that
play in? If you're giving someone the system, like a, you know, family member, or pass it on to someone else, you may have to either add the caveat, hey, you know, be smart about it, if you get five A's in a row, you know, don't use that for a passphrase; or, especially if you're using it for an automated system of some type, a password reset system, or, uh, if you're generating service account passwords with it or something like that, you probably want to do some filtering on the random choices that come out of that. But that is going to have, like I said, even though a very small impact, it is going to have some impact on the words. So you
decide not to use the Diceware default dictionary: they do tell you how to build your own. It's not terribly complicated; I'm sure probably most of you could figure it out, be a fun, you know, basic programming experiment for you. Um, but, you know, that is one of the possible conflicts. I know SC Jude said something, we talked a little bit about this before, so during the Q&A section, if you've got more to add to this about some of the concerns about that, just let me know, we could talk about it then. So how do we increase password, passphrase strength? Well, the easiest way is to add words to your list, so going from four words to five words makes an
exponential change in the amount of possibilities, then, that are there for that passphrase space. You can also increase the number of words; that makes a much smaller change. Um, so I think, let's see, 78 bits, I think that was related to, uh, remember what I was trying to draw, I think that's 12 character, like, equivalent of a 12-character random password. But you can kind of see, like, hey, it's a lot easier for you to say, I'm just going to take a, you know, 9,000-, 10,000-word dictionary and use six words from that, as opposed to trying to track down 88,000 words, um, if I just want to stay within the four-word format.
But, you know, in theory it's possible. We'll talk a little bit too about compatibility. Obviously, as you're increasing words, you're tending to increase the length of your passphrase, which, there may be problems with the compatibility of the systems you're trying to use that passphrase in. There's also another way, which is to modify the words from the original form. And all this we've talked about with c in and things like that, we've made the assumption that the attacker knows what system you're using, like they are specifically attacking Diceware or XKCD, they know your word list, they know how many words you have. Those are a lot of givens; you know, we try to avoid
the security through obscurity, that's a lot of givens that don't exist in the real world. So just keep that in mind, um, that, you know, we're talking worst-case scenario in many cases. But you can modify words from their original form, if you're doing it in a random way. If you just say, I'm just going to capitalize all my Diceware words, that's probably going to buy you better security than someone who doesn't, just because attackers, if they hear you're using Diceware, they're going to assume that your words are all lowercase. Um, if you want to be secure about it, however, you would randomly apply that, so not every word is
uppercase, not every word is lowercase; you're randomly generating which ones are which, which kind of effectively can double your word list, so instead of, you know, 2048, uh, yeah, you're one with 4096. So something like this. You can also add in, um, separators: instead of the space character, you choose one of the random 33 or 32 other symbols and use that instead. That helps, again, add a little bit of complexity to the passphrase if someone's trying to guess it. What's the shortest you can safely use? Because, um, it's important you don't waste a lot of energy unnecessarily, uh, in trying to choose your passphrase. I mean, you certainly can, but, uh, you
efficient. Diceware, I think the web page still says five, um, but Arnold came out here, I think in the past year, with a blog post that says, you know, really, probably that was, uh, you know, 20 years ago, we should probably go ahead and increase to six for normal use, so web pages or logins or things like that. He goes on to recommend six words for wireless security, file encryption, 78 for high value like Bitcoin. Those are his recommendations. And kind of going back to that strength you saw, that was, uh, and we'll talk a little bit more about that, but it offers pretty good security for those. And the
reason he splits these out by uses is that, in many kinds, if you're going to have a password for six months on a website or a year on a website, you can afford to have a much less strong passphrase than if you're trying to have an encrypted drive or archive that you want to be uncrackable for 10, 15 years. That's a very different threat model, that you may want to future-proof by choosing some longer passphrases. Um, the EFF kind of echoes his advice. SecureDrop is a system that was designed for, uh, essentially a modification of Diceware for, um, journalists to use to talk with sources anonymously in a secure way, so everybody doesn't
have to figure it out on their own; they recommend seven. Realistically, and I'm being careful about this, I mean, if you're just talking about, like, logging into Reddit or logging into your Disqus comment profile or logging into things, especially with just three words, if you're doing some modifications, those are probably going to work out in many cases. So, cracking time. I was kind of cautioned, in talking about this on Twitter ahead of time, you know, don't just talk about fast hashes. I get that; we're not always... especially in cases where you're trying to protect things you really care about, um, fast hashes like MD5 are not going to be particularly giving you good feedback; they may give you a false sense of
insecurity when it's not as bad. So here's some rough benchmarks, and these are estimates. This is based on benchmarks, not someone actually trying to crack Diceware, because they have to use a type of attack for the password cracker that is slower than this in many cases, they probably will. Especially, like I mentioned, um, if they don't... this is them specifically attacking that, the dictionary, with your dictionary, with full knowledge of how you implemented it. So you can kind of see the Snowden mystery box; that was where Edward Snowden, um, cautioned pus about an adversary can choose to, can try one trillion possibilities per second. Um, that's probably realistic for, you know, a government or large, very
extremely large corporation. Um, the 8-GPU system is from Jeremy gmy, it's Jeremy gy, uh, aeta systems; it's an 8-GPU, roughly, I don't know, 18 to $20,000 investment, so that's not, you know, it's probably beyond the regular everyday cracker, but, um, not for someone that has resources. So you can kind of get an idea, just based off different word counts, you know, XKCD, Diceware, and just some modified, um, custom word lists you might produce, an idea of, you know, realistically what we're talking about as far as something about a crack things. So, shortcuts. One thing I have not seen any research on is, you know, surely people have biases, like, I
don't want to choose "endocrinologist" within a pass... So if you randomly come up with a word, "endocrinologist", and I'm not familiar with it or I'm not sure I can spell it right, I may choose to regenerate that passphrase. Um, if someone could gather a lot of information about those kinds of biases and preferences and then customize the cracking attack of the passphrases, that might provide them some shortcuts, other than guessing, you know, a true brute force, guessing every single combination. You might also get lucky and find a combination that matches, you know, within four words; especially the shorter the phrases you have, you may hit a phrase that hits in natural language. It
also may already be in the, uh, in their wordlist, or a combination that was leaking think teex Source. Um, so, you know, don't reuse these strong passphrases if you're going to choose to use it for something else you don't want to have cracked. So what's, you know, kind of the resistance to passphrases? Because there are some inherent problems with it, um, or inherent resistance that I've seen talking to people about it. Part of the problem is that we discourage... these are some password policy excerpts from different places. We obviously very reasonably try to reject word use. Um, the problem is, of course, that we want people to use words in the right context with
the system, so you kind of may have to do some education when it comes to that. Um, disappointingly, Bruce Schneier also kind of fell into the trap of thinking that, um, apparently after reviewing an article from Ars that had some cracking results from Jeremy and Jen Stu and some others, um, and seeing passphrases like this, which are, you know, common phrases, band names, um, a phrase with, you know, a guessable, uh, word on the end of it; those are things within the reason of cracking. Um, but this isn't an attack on, you know, a Diceware-type system. But anyway, he ended up coming out and saying, well, that's why this is no longer good advice,
and sadly I've had to argue with lots of different people about that being a good thing. Um, there's some password usability research; I'm going to kind of jump through this, but there's been several studies, I've highlighted a few of them here, that have talked, this one specifically, about the XKCD cartoon, and analyzing, you know, how does that compare to random passwords, how does that compare to, um, using all nouns, or trying to use a system that, you know, follows natural language patterns. Another one, uh, like I said, I'll have references to these if you want to dig into them. But one I want to just finish up with here is actually taking some of these passwords,
the first three of these from Diceware and the fourth and fifth from, um, essentially modified Diceware, modified XKCD passwords, and trying them out on some of the different websites and seeing what types of problems I had, some of the primary websites. So you can kind of see the length here in the end: 24 characters; 16 is the shortest, purposely probably shorter than you would use for a secure system, but just to see how that played; up to 33 characters in length is the maximum, and that's, you know, fairly short, that's only six words, um, and one of the words is very short. So I started out with social media. I tried to figure out what the maximum
password accepted was. Um, everybody did great, everybody accepted all the passphrases that I had. Pinterest, there was only one note that I had, which is they silently truncate at 85 characters, which is not great. So if you plug in a 150-character string, it accepts it, gives you no errors; you try to log into it, it accepts it, no errors; but you really only needed the first 85 characters of that to log in, and they don't give you that feedback. You just, I mean, I literally just try, like, 150 characters, and then I try 149, and if I can log in with that, I keep reducing it till I figure out what's the maximum, uh, what's the, you
know, how that works out then. So retailers, another group. Um, you start seeing, you know, a little bit more restrictions on what you can use. Um, I've kind of noted here, like, going back to those numbers, which ones are which, which ones were rejected. eBay, they also silently truncate, um, 64 characters, but if you get the complexity within the first 64 they won't complain, but, you know, if the complexity was at the end, they would tell you that password wasn't accepted. But you can kind of see some don't accept spaces, some don't accept other kinds of characters as separators, if you wanted to have, you know, a pound sign between your words as opposed to
spaces. Um, some of them had some max length requirements, like, you know, Walmart's 12, that's pretty rough, I mean, that's not great. At least, you know, 64 I could kind of work with. When you're looking at 12, 16, 20, that's hard to get a passphrase in and have it work. Um, Home Depot was another one where I found that they had an error where I could put percent signs in my password and they would accept it fine, and I tried to log in and it would error out, because they're not, probably, doing something with encoding; who knows how that worked out. So finally, financials. I didn't get quite as many of these, but I looked at some of
the big ones, and again, with a lot of people, I know, we know that these traditional banks or traditional financial companies aren't real, you know, on top of things when it comes to this, but you can see again that there was a lot of restrictions. They either accepted one, um... the traditional, you know, PayPal, Chase, Discover, and then some of the Bitcoin-related exchanges and other services, um, they were a little bit better, but Coinbase also silently truncated at 72 characters. Um, so that's kind of the feedback: you're going to have varied success, especially with online applications; offline applications you might be a little luckier with. So when should you use them? It's
not probably appropriate to use passwords as in case if you have a password manager that can randomly generate strings: you're going to have more security within a short space with that random string, and then if you don't have to memorize it, that's probably the better way to go. But if you have to regularly type it, like logging into my laptop, logging into your password manager or your secure drive, um, those are times where it might make sense to have a passphrase, when you're kind of required to commit it to memory. Um, security question answers, when you communicate it with your voice. When I used to... some people, PGP self-decrypting archives, it was much easier for me to
give them a five-word passphrase than, you know, 12 string character characters. Um, that's kind of that advice. If you are an admin or IT security and you're helping make these systems and test these systems, certainly try to avoid unnecessary maximums; sometimes that's based on vendor software you don't have any control over. Restricting symbol use or even requiring symbol use: um, there's, you know, variable, like, uh, one of the next slides I'll talk about the Stanford system, where they essentially say, you know, the longer the passphrase, the less restricted we're going to, or less requirements we're going to have: you have to have symbols and numbers and letters, you can just have all lowercase
if it's, you know, 20-plus characters. All right, finish with this. This is my niece Isabella; she turns one year old tomorrow. I'm going to have to get her a vocabulary book and work with her. Right now she's got a very small word list to work from, but it seems to be pretty effective. So there's the references. I'm going to be around, um, certainly feel free to contact me, and I'm happy to answer questions.
Sorry, no question, sorry.
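Added example, not part of the talk: a Python sketch of the strength estimate described above (list size to the power of the word count, converted to bits with a base-two log), extended to the random-capitalization and random-separator modifications, the filtering trade-off, and a dice-style generator driven by the operating system's CSPRNG. It assumes the talk's worst case, an attacker who knows the list and the word count; the word list tokens and the count of 40 short entries are constructed placeholders, not the real Diceware list.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                     # five rolls select one word
DICEWARE_SIZE = 6 ** DICE_PER_WORD    # 7776 distinct roll sequences
XKCD_SIZE = 2048                      # 11 bits per word, as worked out in the talk


def passphrase_bits(list_size, words, random_case=False, separator_choices=1):
    """log2(list_size ** words), plus the two random modifications discussed.

    random_case: every word is independently upper- or lower-cased at random,
                 which doubles the effective list size.
    separator_choices: size of the symbol set one separator is drawn from at
                 random (1 = a fixed, known separator such as a space).
    """
    effective = list_size * (2 if random_case else 1)
    return words * math.log2(effective) + math.log2(separator_choices)


def average_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker who knows the scheme: half the space."""
    return 2 ** bits / 2 / guesses_per_second


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits with this list."""
    return math.ceil(target_bits / math.log2(list_size))


def bits_lost_to_filter(list_size, words, short_entries):
    """Strength given up by rejecting passphrases made only of short entries."""
    rejected = (short_entries / list_size) ** words
    return -math.log1p(-rejected) / math.log(2)


def roll_index(rng=secrets):
    """Five simulated dice from the OS CSPRNG, e.g. '16655'."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def generate(wordlist, words, rng=secrets):
    """Look each roll sequence up in the list, as with the printed sheet."""
    return " ".join(wordlist[roll_index(rng)] for _ in range(words))


def constructed_wordlist():
    """Constructed stand-in tokens, NOT the real Diceware list."""
    rolls = itertools.product("123456", repeat=DICE_PER_WORD)
    return {"".join(r): "w" + "".join(r) for r in rolls}


if __name__ == "__main__":
    rate = 1e12   # one trillion guesses per second, the figure quoted in the talk
    for name, size, n in [("XKCD-style", XKCD_SIZE, 4),
                          ("Diceware", DICEWARE_SIZE, 5),
                          ("Diceware", DICEWARE_SIZE, 6),
                          ("Diceware", DICEWARE_SIZE, 7)]:
        bits = passphrase_bits(size, n)
        years = average_crack_seconds(bits, rate) / (365 * 24 * 3600)
        print(f"{name:11} {n} words  {bits:5.1f} bits  ~{years:.3g} years on average")
    print("random case + random separator, 4 x 2048:",
          passphrase_bits(XKCD_SIZE, 4, random_case=True, separator_choices=32))
    # 40 short entries is an assumed count, used only to show the order of magnitude
    print("bits lost by filtering:", bits_lost_to_filter(DICEWARE_SIZE, 5, 40))
    print("sample:", generate(constructed_wordlist(), 5))
```

The rate passed to `average_crack_seconds` is the variable that matters most in practice: a slow password hash lowers it by orders of magnitude compared with a fast-hash benchmark.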