G1234! - Rethinking P@ssw0rd Strength Beyond Brute-force Entropy - Ross Dickey

everyone is this thing on cool so I'm Ross Dickey I work at rapid7 and today I'm gonna be talking about password entropy so quick damn you there we go so obligatory about me I've worked at places started out as a sysadmin software developer QA support effective development and DevOps sec whatever other word do you want to slice in there currently work at rapid seven so why do I password well a previous security company we were working on a research project where we men in the middle a smart TV for its communications back to their servers and we found this config file that was obviously signed by like an md5 or something so we wanted to crack that

tried to didn't found it in the code anyway so it was fine but that was concurrent with the Ashley Madison hack so I had this perfectly good password cracking server and a bunch of perfectly good you know bcrypt hashes that I could throw a bunch of word list set and play around with password hacking so or cracking so that was fun and it got me interested in like what what makes a password good because obviously the ones that I was cracking or not so that led me to password entropy so entropy is disorder randomness unpredictability in in many different contexts including particle physics as you see entropy is chaotic neutral it's neither good nor bad

and it's measured in terms of passwords in bits so a bit of entropy is a coin flip so the more coins you flip more bits of entropy and it's exponential so if you have two coins you know there's four combinations 38 coin or 28 coins 38 coins is 270 million so you know that's how that works so if you if you know the number of possible combinations that you can get from those coin flips how do you figure out the number of coins if you remember from high school math you have a thing called a log roll so you do the base to log of the N which is the number of possible combinations so as an

example password there's eight characters 26 lowercase 20 68 is 200 million or what a billion and that gives us 37 bits of entropy so another example Pat's word or wizard or however you say it 96 possible characters in that whole range of classes 96 to the 8th is whatever that number is and so you you've got 52 bits of entropy so that's that's cool but but what does this actually mean well the the question is how fat how fast can you flip these coins and that's dependent on the hashing function a hashing function is you take the password put it through the function and then you get this garbage and you always get the same garbage when

you put the password through that same hash so the garbage is what's stored it in the database and you can never get the password back from the garbage so as an example if you take password number each letter in the alphabet add up those numbers get 115 and that's what your garbage would be so that that's a pretty weak hashing algorithm so is ntlm but that's what Windows uses and it's used all over the place and enterprise and so but the reason it's weak is because it it cracks very quickly and of course Microsoft said you know this sucks let's use it for 20 years and not change it but why is it weak so there's this cool

piece of hardware you can go online and buy for 20 grand now not not every password crackers mom has this in her basement but it is a good sort of yardstick for how how quickly passwords can get correct so ntlm hashes it can do about 500 billion is that the number per second so here's some some pretty graphs to graph the logarithm so the log scales on the left the regular scales on the right thousand days is about three years you know so you can kind of see three years thirty three thousand so on and so forth but so given the number of bits of entropy that's how long it would take this particular piece of hardware to crack it

I chose this piece of hardware and not a regular laptop or CPU or whatever because that's not what professional password crackers actually use even though it's what every freaking password strength meter on the internet uses which is just dumb but anyway so passwords secure right no because you don't actually try every possible combination of those characters right you you pull a password from a list try that change it slightly and then try that and then change it slightly and try that so that that's how real password cracking is so it's great to guest passwords faster but you have to guess them smarter as well so if you think about entropy as the number of possible

combinations if your password is actually in one of these password lists then that's the corresponding bits of entropy and the amount of time it would take to crack that password if it's in TLM you know what that piece of hardware so the the rockie list is a very commonly used password list because it was leaked plaintext to the internet so what if i leet-speak a password well that does help but it only adds a couple of bits of entropy right so if you take even like a long word like ambidextrous sounds like it would be a good password because it's so long but since it's in the english dictionary and it's simple predictable transformations it's really

not that much better random capitalization it's usually not random it's usually the first character of password is capitalized and they say yay now I'm password compliant so doesn't help much so punctuation and numbers people if they're not leet speaking they're just adding it to the end and like that that only has a couple of bits of entropy at most and especially because it's usually like a birthday or one two three four or something done like that so what about random words well this can be secured if the words are actually random everyone knows the correct horse battery staple I don't have to put the whole comic here so randall munroe the the guy who drew

it claims that this is a 44 bit password and he got that number by basically saying these are four of the 2000 most commonly used English words or something like that and so that's that's not too bad it's but you know 44 bits if you recall can still be correct fairly quickly but it needs to be random and not something like Shakespeare because the the that's not random you can make a password dictionary of all the Shakespeare quotes but even better is you can just take the top 50 or 100 that is everyone's favorite and you know that's that's a very low entropy you know password so I hate rotating passwords doesn't everyone it encourages

very low entropy passwords like like these right I mean spring 2017 bang oh you use that that is your password up here now okay so I did give this a version of this talk to a friend who works in the healthcare industry and she said oh that's actually a really good idea people forget their passwords all the time I just need to tell them to use this on their HIPAA compliant devices and no that is not that what's not my point you missed it anyway so yeah rotating passwords doesn't help maybe adds a couple bits of entropy because rather than company name one I have to try company name four doesn't help so can we still use entropy if it's

if the measurement sucks so bad well gave this talk at aha in Austin which is the Austin hackers Alliance the guy who started the company that makes the brutalus that password cracking system came up to me afterwards and said hey great talk except that we don't use entropy anymore like okay so what do you use well we've been working with Microsoft to you know figure out a new way of calculating how good you know making a programmatic password strength meter and I said oh that that's really cool what have you come up with oh nothing every everything that they've tried didn't work like that you could they could find a password that was a terrible password that the strength

meter said was awesome and so I think the issue is that sort of the old way of thinking of entropy is that you just look at the character classes and like that that's your entropy right and we're trying to get a better definition of it and and so mine is more of assuming all possible knowledge of how the password was created how difficult is it to guess so if I know that a password is or I can assume that a password is like 20 characters random randomly generated then sure I can use that old interviewed calculation but if I know that people commonly use like their name their company name their birthday that sort of

thing and that passwords then that that shrinks the the possibilities of what their password could be considerably so and that's the problem with with making a programmatic password strength meter is that the computer needs to have all of this knowledge of how you generated the password and think like a human and so that that's why I think that it'll be very difficult if not impossible to create a password strength meter programmatically so moving on from that how long should my password be I was told that you know length is more important than complexity which is not pletely false but it's it is misleading right I mean having a longer password misleading sorry i miss i mispronounced

that so length is an emergent property of entropy so it is not an indicator of how good a password is so uh well there's some good passwords here and these were all randomly generated but if you notice the shortest ones have the highest entropy so the longest one has the lowest one and i threw in a pronounced bulb password i bid a volt easter standard which i memorized for this talk just to show that it was possible to memorize randomly generated passwords but I mean that's those are fairly short and pretty good so bad passwords can be really long's like this this is actually a misspelled supercalifragilisticexpialidocious but it's in the rocky list exactly like that

there were ten different misspellings of supercalifragilistic expialidocious but but no correct spellings of it so I had in the rocky list so I had to pick one of the incorrect ones and it's crap like it because it's in the list and a lot of people like picking Bible verses or whatever so I found the longest Bible verses s they're eight nine or something is 447 characters which sounds like it would be like a 2400 bits of entropy password but it's really no better than the shortest Bible verse which is jesus wept write that like that's it I happen to know that for reasons but so 447 characters nine characters same entropy length does not always help you and just

for fun I threw super Kelly whatever into two different password strength meters and it they told me like it'll take ten not on whatever the that number is years and no it'll take millisecond microsecond even everyone got your pictures that yeah cool so long passwords won't save you but so a pen tester actually told me hey you know make sure you make the point that length is more important than complexity of for example I use SAT questions as my passwords and I thought oh that's great you use the SAT words to generate your word list for Dysport no no actual SAT questions so it word to the wise go find a dump of SAT questions put that

in your password database and and use those as well so so it but his point with that was hash can't can only crack passwords of up to 27 characters and you know it's actually either 27 or 16 or 8 or 52 or 55 depending on the hashing algorithm used but hash codes not the only tool right I wrote a ruby script and ran it on this laptop and I got 700,000 md5 hashes per second on this laptop so just it you don't have to rely it you can't say this cool this particular tool can't correct my password you have to think can a person think of a way to correct my password so and along with that state

equations obviously song lyrics literature that sort of thing so a little story about Alice and Bob so Alice is our security person Bob is not an idiot right he's a computer science guy engineer you know scientist lawyer teacher something and he's smart but his skills and Alice's skills don't completely overlap right there's some overlap but he's not a dumb guy so if you if you take nothing away nothing else away from this talk remember that your users are not idiots they just don't have the knowledge that you do so Alice tells Bob well you can trust that with Don every organization has a Don there's Don's from the peon to the presidential level that are just idiots

there's no getting through to them anyway assume that you're working with Bob's so Alice says okay generate a password or you know come up with a good secure password and I'll try to guess it and she does on the first try so of course because Bob is going to pick something like his pet's name or his name or his wife's name or his kids name right on the assumption that this is personal information like it's a thing that I know but no one else does and that's it's not true right first of all if your password is if your password hash is leaked from a database dump there's gonna be username your name your address your social or email address or

you know other personalized information and even if they don't have that they can guess it right and you also don't just want to protect your you know your data from people you don't know like random password crackers you want to protect it from your friends to write a fun story about that that I don't have time for so these are all bad passwords for obvious reasons I'm 65 big dude last name is deke high school nickname big deke probably probably not the best password for me to use my birthday is also January 23rd so adding one two three at the end not not the best say it same problem if you're you know June 9th

1969 or April 20th like these these are personal information but it's still things that people are going to commonly use for other reasons so you can debate whether or not these are good user names but so what do you do obviously password managers are great I use them for every password that I don't have to memorize but for the ones that you do have to memorize I still use a password manager just generally use it to generate passwords that I can actually remember like our friend I bet a Phil teaster said nard and if you need if you need the you know word complexity compliance you know just capitalized the I and throw a bang at

the end and golden it's it's already random right so just adding a little dumb crap at the end doesn't matter so there's also dice wire which I mentioned earlier I lifted a dice where generator Ruby because that's what I have been programming with but I I added the the password complexity requirements in there so you know you can tell it insert random digits or capitalized characters randomly and that sort of thing so I mean that's kind of nice because it's fewer words that you have to memorize you just have to remember Oh where's where was that carrot was it between this word of that word so anyway feel free to uh you know fork that and

make fun of me and that sort of thing so of course don't forget about mfa because even the best password is useless if it's leaked in plain text and you know the whole point of mfa is if one of your factors it falls over at least the other ones still standing there pouring milk down at the pants so there was a good password let's talk last night I'm sure it was good I didn't attend but I'm gonna assume it's good I don't think password list is really gonna be a thing near term because you want to have multiple factors for authentication when you can write there's something you know something you have and something you are right so

there's something you you know is a password password by nerd any other name still a password you can change that you can learn new things right you can buy a new UV key or a new phone or whatever as your second factor but for biometrics you you can't change what you are right you've got one thumbprint and if that leaks you can rotate it nine times but then that's it you can't you can't rotate these things indefinitely barring surgery right so you I think it for the time being will be a good idea to keep the thing that you know factor so that we're not just to have in our because like it obviously are you can't rotate enough so

how do you how do you measure password entropy well it's it's hard for me to measure your password unless I crack it right so you can you can think okay how do I come up with this what information did I use is it personal is it random is it not you know some combination of those things so you basically have to figure out like this piece of the password is randomized this piece is not this piece is not this is you know some transform of my name or a thing that I know or lyric and you have to really think through like if if I wasn't me but I knew me as well as I knew could I have

come up with this password so anyway yeah that's it [Applause] [Music] and that that password down there I actually I didn't generate that exactly I just wanted the mnemonic of trolls start lag Leroy Jenkins for those of you who catch the reference anyway questions come on this is a very contentious topic there we go this is a great talk the issue is it's a 25-minute talk if you introduce us down to a soundbite a snippet I thinking show the user before they pick their password what would that be well your one piece of advice be for that user I would I would show them how to generate random pronounceable passwords with something like LastPass or what

have you you know doing the the exercise of pick a password and I'll try to guess it like that that's cool if you can make that work but it's it's not out you know you're not always going to be able to guess it on the first 10 tries or whatever but yeah that that's that's what I'd say or add I swear if you like having lots of words there's I think green shirt was first um so I was at the talk last night that you were saying was good and that you do not attend one of the one of the big things that he was saying moving forward with password lists authentication was the use of

magic links he talked a lot about how slack was doing that and I'm just I'm curious about your perspective on magic links I know that doesn't directly relate to password entropy but so you mean magic links as in like they send you a link via email yes the password for the email that you know so could you say that one more time so you you get a magic link in your email yeah but you have to log into your email somehow right to get that magic link correct using a password right yes or do you know do you get like an SMS with a magic link to log into your email and then you're like at some point you have to

have something that you know indicate you to a thing like or some some other factor right I mean yes that that can be nice but yeah if you're getting an email you still have to log into your email somehow sure yeah okay just raise call it a fourth factor what about the idea of using large black lists to prevent users from entering bad passwords so say like I've had the idea of you take I don't know the thousand most common passwords didn't you use John the Ripper to get them thousand most common variations of those passwords store them in like some sort of mapping or even a bloom filter and then just if they try the N or something

that's in that just tell them no and take something else yeah so I think Twitter does that with the 500 worst I would like for them to see I would like to see them do it with you know a lot a much bigger list I actually had the idea of like creating a web service that had you know millions or you know billions of passwords that you could check against or like some kind of product or whatever never materialised brutalus guy I had the same thought so I think that would help you know basically show that your this password is vulnerable to a dictionary attack you know there's there's some fundis around securing that and you know do you check the password

plaintext do you try to like transform it before you check it you know so yes I do think that that would help and I wish that more services would actually do that but I mean it is kind of it's an extra step that you personally can't take but like a web of web app or something could and should so so how would you calculate entropy on like a dice wireless if you had say a three thousand word lists that dice where uses or something so so the dice word list uses 7776 words because that's six to the fifth so take five die and roll them so that that's really easy now you know that there's you know in number

there's that number of words so the base to log of that is thirteen point seven so for each additional word that you add there's thirteen point seven bits of entropy for for that so yeah that's how you do that and so oh yeah point I was gonna make this because this is from kaspersky the the one on the right they actually do kind of do a form of the the word list check but then they still get confused about how long it'll take to crack it so with with the dice where thing I actually do calculate the entropy and I've cut it off on the right it has entropy as calculated by like intelligently and

then entropy has calculated stupidly and it's like 150 for each of those or something like that so yeah take a look at the source code if you're a ruby person sure in the world of the corporate how about the communication aspects so instead of you're having this with the capper screen you each months challenge the users and crack that passwords and then this is the one that where's the best mmm cold world yeah so so my company actually does that to ourselves as far as I'm aware we we do try to crack our own passwords and so anyone that not consistently but it has it is a thing that has been done you know my dad's company as well they

started doing that and started sending people like hey this is your password in an email please please change your password I absolutely love that idea of you know if if I'm able to crack your password then an attacker is gonna crack your password so please change your a freaking password and hope that someone else doesn't see that email before you do is there another one you sure um do you have any advice or comments on what to do when you're facing compliance requirements that force password rules on you that might not actually be beneficial for security and especially how that deals with I forget the name of the research but kind of a shape distribution of the passwords

are you familiar with that at all yeah so I have actually there's been once or twice that I've generated a random password that was like 24 characters or something like that in LastPass or something and I pasted it into a website and it says oh you've got three characters in a row that are the same character having a requirement like that actually reduces the the problem space right so rather than there being you know ninety six to the 24th possible combinations you're taking away a bunch of combinations that have you know some some dumb rule like you can't have you know X number of letters you can you must have at least five numbers or some

like that like that they all reduce security in in the process of trying to increase security so you know dice where for example is they're all lowercase right there's no uppercase and you could have like no numbers or symbols in in your password but if you've got you know six dice where words then you know no one's gonna guess that right that's so I'm not a fan of having those kind of complexity requirements those kind of you know rules on what the password might look like because they're frankly incorrect like that they're not they're not increasing the security so how about like syllable dictionary so the users not putting really common syllables saying their passphrase just say well

we're gonna block off a lot of English you gotta use something that's got a lot more randomness to it well blocking off English would also block off the dice bar word list or like our you know cool I bet a fill T star satin art I mean that is actually a decent password it's got like sixty bits of entropy or whatever which for ntlm even is we would take it a pretty long time to crack so again you're you're putting some kind of complexity requirement on there to be annoying and not to you know increase security because it just doesn't so do you have any comment on the frequency of changing passwords and how it affects entropy especially given

the movement towards not changing passwords on a regular basis so basically all the research says don't make people rotate their passwords because the the problem is it if you tell a user that you're going to have to rotate your password then they're going to do something crappy unless you basically force and train everyone to you know here is your password written down in a sticky note or whatever and it is a secure random password memorize it you know then now it's of course written down on a sticky note but that the fact that you have to keep coming up with new ones you know I've been able to do it with generating dice where passwords for

because we have that that same corporate requirement of every 90 days change your password but at least so it doesn't help because most people don't do what I do and generate you know actually random passwords and it it encourages bad password practices so you you should only need to change your password if you suspect that it was leaked right or compromised in some way or written down on a sticky note okay that has to be the end of the questions I'm afraid because the session is now closed but I'm sure maybe if I stay around yes [Applause]