PW - Your Passwords Should Be Shorter

um so I really love uh to be on the program Committee of pastorscom uh and this one from Jeremy Brown your password should be shorter when I received that and I just saw the title I was like oh dude like this is gonna be hell on Earth uh because we've had talks before discussing password strength and password length and it usually ends up with a lot of discussions after the talk so I this was a you know given to me I had to say yes to this one uh and Jeremy you know here we go take it away thank you all right let's see check check you can all hear me uh you can all hear me from here

right oh iffy in the back okay [Laughter] how about now can you hear me in the back all right that's good so uh after that introduction I'm Jeremy and I just want to uh thank you for coming to my talk welcome I know it's the last one before lunch but uh I'm gonna try and get through this quickly to get us all out of here uh so as I said I'm Jeremy and if you're listening to me right now your passwords probably should be shorter now I want to begin my talk with a vignette uh if you don't know who Drake is he's an Entertainer He makes music and some of his music has titles like uh

9 A.M in Dallas or 6 p.m in New York so it's 9 30 p.m in Las Vegas you're at hacker summer camp probably two watered-down drinks in at some random vendor party and you're just walking around casually eavesdropping on conversations uh you have currently focused your attention on Two infosec Bros who originally started a conversation based off comparing password managers but have since pivoted to comparing the passwords within them now the first one says oh yeah man like it's tough to be secure sometimes like having to do 20 character passwords on my phone where I have to hit the special button twice to like open the curly brace or an angle bracket just sucks so

hard now the other Tech bro not to be outdone says something like oh yeah sure I know exactly what that's like but you know all my passwords are 40 characters long now the first tech bro feeling a little bit defensive counters with something like well well yeah but all my really secure accounts have 64 character passwords and the second bro again to one-up him says something like oh well you know I use a hundred character passwords for the accounts I just can't lose now if you've been to hacker summer camp uh more than once you've probably heard a conversation like this if you've been more than twice you've probably been on one side of a conversation like this

and you know I'm not here to judge you I'm just here to inform you and the first thing I'd like to inform you about is that password truncation is a thing now thankfully in the year of our forsaken guide 2022 pretty much everybody understands that we don't store passwords today we Store password hashes most likely using bcrypt which is based off the Blowfish encryption algorithm and this in and of itself is not a problem Blowfish is a very strong encryption algorithm and to the best of my knowledge there have been no major breaks against it but it does have one important limitation that I think many people overlook which which is that if you were to read

the original Blowfish documentation from the 90s you would see that the Blowfish key scheduler only uses the first 72 bytes of user provided input before truncating and notice I said 72 bytes there not 72 characters now back in the mid 90s when Blowfish was created this would be a distinction without a difference the only encoding anyone really cared about at the time was ASCII and that was strictly 8-bit characters but nowadays we have this character encoding called utf-8 and utf-8 supports these characters called emoji and in case you don't know Emoji can take up to four bytes to display one so if you want it to get particularly frisky and make your password all Emoji

you could only use up to 18 of them before bcrypt would begin to truncate your password now you might say well sure the cool kids hashing algorithm that all the startups use might suck at storing passwords but I'm sure bigger companies have put in the time and effort to store passwords correctly yeah I don't know why you would think that but just in case you forgot that Microsoft used to shop passwords up into two seven character hashes to make cracking them easier until 2017 at the earliest business Microsoft accounts such as Office 365 only allowed you to use a maximum of 16 characters now I don't know if that was a soft truncation where it would just drop all the

characters after or if it was a hard truncation where I would say you can only use 16 characters but if Microsoft was getting it wrong in 2017 I doubt Oracle or IBM are getting it right today most practical security talks are usually improved by defining a user model I've tried to create one for this talk so our user is your typical infosec bro actually scratch that they're in infosec enthusiast and as an infosec Enthusiast they have a slightly outsized sense of self and perhaps are a bit more paranoid than generally warranted so naturally they assume nation state adversaries are against them and thusly they need strong passwords now this user has not created the threat

model or put any kind of thought into how much effort NSA would actually expand in cracking one of their passwords but what they did do was turn up the generated password length and one password and go hit the bars now if we were to ask our user how long they want their uh passwords to survive an attack from the NSA ears but that's four years on average so it needs to last a maximum of eight now currently in the bad place but for the purposes of this talk I'd like to put us in the mildly worst place where essentially everything is the same except all everybody's stores their passwords in single round unsalted md5 hashes like

yeah it's just mildly worse now I began researching this topic back in 2020 and at the time the most powerful single hash cracking box I could find was the Terra hash and Manus however also at the time I couldn't find much in terms of uh like hash cat benchmarks so I had to use the next best thing which was an advertising tweet for a 45 box cluster of 44 terahash in Manus and one Tera hashbrutalis box comprising a total of 448 RTX 2080 cards that could perform roughly 2 to the 45 md5 hashes per second back in 2020 or so now this was a million dollar cluster at the time not including uh the cost of

the energy to run all these boxes and cards or to cool them but the future is now and everything else is in the cloud so why not put your hashgracking box there and to that end uh Amazon has introduced the ec2 p4d cluster uh specifically here the p4d 24 XL which is essentially a supercomputer in the cloud with 96 CPUs and over one terabyte of RAM along with eight Nvidia a100 gpus this can perform roughly 2 to the 39 md5 hashes per second now all this power doesn't come cheap at a little under 33 dollars an hour but if you were to reserve one for three years the per year cost Falls to a little over a hundred thousand dollars

per year like on the screen you can also see the p4de 24xl which has double the GPU memory and is a little more expensive at 130 000 a year if reserved for three years but at the time of my research I couldn't find any hashcad benchmarks on the p4de so this talk will focus primarily on the p4d now at this point we should probably begin asking ourselves how much effort can we expend uh expect NSA to expand in cracking a password now I think it makes sense to start by giving them a p4d cluster but our user objects well but Jeremy NSA spends a hundred thousand dollars a year on USB tchotchkes that we're all too scared to

plug into our computers they're not going to have just one p4d cluster and you know what our users right NSA is a government agency and the only thing in a government agency loves more than filling out forms in triplicate is blowing their budget so since we're in the mildly worst place let's give NSA 9709 p4d clusters now that's roughly a billion dollars per year on AWS and uh the total of 9709 clusters is good for roughly 2 to the 53 md5 hashes per second but again since we're in the mildly worst place let's give NSA an additional fudge Factor up to 2 to the 57 md5 hashes per second like just to make things a little

harder for ourselves so to recap we have an adversary that can Brute Force at 2 to the 57 hashes per second and we have a user who says their passwords need to be able to last against such an attack for a maximum of eight years so how many how many hashes could such a adversary perform in eight years well if we take out our trusty Dusty calculators we will see [Music]

I have to turn it to the side because we're doing advanced math here soon

that's 2 to the 85 hashes so therefore any password our user needs to generate we'll need 85 bits of entropy to be secure against such an attacker how long does a password have to be in order to have 85 bits of entropy well they can definitely be shorter if you allow keyboard specials because they will bump up our per character entropy and thus let us hit our entropy targets quick more quickly but I don't know about you but every time I've had to like put my TV like when I've had the bad idea to connect my TV to Wi-Fi and I've had to like put in special characters because my my uh Wi-Fi network is like 64 characters long

and it's got like a dollar sign and a curly brace and a back tick and all that like I die inside so let's not even consider those and we'll stick to just uppercase English letters lowercase English letters and numbers so how many how many characters would we need using just uppers lowers and numbers to meet our entropy goal well pull out our calculator again let's say

15. just 15 characters and I want to remind you this hypothetical has favorite NSA at basically at every turn like we are storing all our passwords in pretty much the worst possible fashion today short of plain text we have rounded up nsa's compute power multiple times and given them a fudge Factor on top we are letting them spend a billion dollars a year for eight years to crack just one hash and it still gets beaten by 15 alphanumeric characters and I want to remind you like this assumes NSA knows your password topology a priority so they only try 15 character alphanumeric passwords if they start with shorter passwords or they start with passwords that contain special

characters they'll waste even more time and not get anywhere close to finding the real password now at this point our user has another objection oh but that fails to meet my arbitrary security goals against my adversary whose ability isn't based in reality and I mean that may be true but I want to assure you that all is not lost first off any adversary if we were to leave the mildly worse place and return back to the bad place any mildly competent organization today isn't storing passwords in uh unsolved unsalted single round md5 hashes they will be using bcrypt s-crypt pbkdf2 or if they're particularly fancy argon2 and let me tell you nobody is getting close to 2 to the 57 argon two hashes

per second today secondly if account access is what's important and not just uh finding the pre-image of a particular hash you using a u2f key would be superior to using a longer password along any metric anybody really cares about and additionally provides a fringe benefit against phishing not that our user would think that's uh very useful to them as they are so sophisticated they could never be fished they're sort of like the infosec version of Drax over there and lastly if the data the if the account the password is attached to is related to a US service or the data the password protects is on a server on U.S soil well then the NSA is just one rubber stamp

physio warrant away from getting it anyway kind of rendering all of this mood uh however our user comes up with one half decent objection which is that they have to use a computer that won't accept a password without special characters and you know I understand that like I too have had to work on systems whose admins haven't read a nist guidelines since 1996 but to that end the solution is simple you just generate a 15 character password anyway choose your favorite special character and then put it on the end so the computer gets to check its box but the actual strength of your password is based off the 15 characters that came before and not the special

this additionally allows you to avoid the situation where you have to keep regenerating uh random passwords because the random password you've been getting have special characters that the computer doesn't like uh now at this point our users still somewhat reluctant to accept the light of reason and math so I'm gonna break out the big guns and let them know that hashcat developer Tara hash founder and Defcon password Village Stafford Jeremy Gosney agrees with me now you might say well sure of course the founder of a password cracking company wants people to use shorter passwords but I mean he's not wrong about the math a 20 character uh password with keyboard specials has more entropy in it than the

TLs key that will protect it in transit so you could go from any longer password to 20 characters with real with no real loss in security and if anybody could crack one of those they could just break TLS and at that point we're all regardless of how long our passwords are now I'm sure by this point everyone is going to run to update your generated password settings but let's not be so Hasty now this scenario has NSA spending a billion dollars a year for almost a decade to crack a single hash if we were back into a more realistic scenario where NSA only has 10 of these p4d clusters spending a million dollars a year on AWS for 2 to the 43 md5 hashes

per second 20 years to crack a single hash then you can still defeat them using only 13 characters and again I want to remind you nobody's doing 2 to the 43 pbkdf2 bcrypt s Crypt or argon2 hashes today and by the time we can it's highly likely that the that the service the password hash is connected to will have folded due to not being able to make money inclusion no you don't need to make your bank password 64 characters long with specials and Emoji even if you'll always use your password manager to enter it now you might say well Jeremy it it's not hurting anyone if I keep doing this right and no it isn't but I have a

feeling if you're at hacker summer camp you probably have opinions on security theater and let me tell you a password with more entropy than the TLs keep protecting it is the height of security theater so you can keep using 64 character passwords and like the password police aren't going to come for you but if you do I don't want to hear you talk any kind of about TSA anymore and with that I end my talk uh my I do tweets sometimes if you wanted to read them I don't know why uh the QR code on the left links to my Twitter account uh if you wanted to point someone to this talk but you didn't want to have them

listen to me ramble on for 20 minutes the QR code on the right links to a blog post version of this talk and with that I think we can open it up for questions

thank you well you know I I don't even know where to start if I should say I feel harassed or abused or uh uh again also the NSA like dude have you ever met the hashcard team I mean like those are the process tracking stuff not that the other side but questions lots of them okay so the question was what if my password is all A's and like if your password is all A's I mean you could have 128 A's and I'll still probably get uh cracked in like under five minutes like I don't know if I if your password is longer but still very oh put it this way correct horse battery staple is like 40 characters but

that's not gonna last long there there are other benefits to longer passwords like five word diceware type phrases uh that make it easier not to not to crack or not crack a password crack or defend a password I guess but to manage it in the context of humans that have to do something with it oh yes I uh so the point there was uh using like having longer passwords is fine if they are things like uh use generated via diceware because that uses human words and then humans can memorize those words and that's true I was focusing more on uh randomly generated passwords like the type you get from uh like one pass LastPass and those I don't know if

any of those do diceware style passwords oh bid Wharton does so you might want to like I would if I wanted to if I cared about human memorable passwords then yes this doesn't necessarily apply but the way you generate entropy is different for diceware passwords versus the typical randomly generated passwords that I that this talk is about so I happen to be the person who wrote the diceware like uh generator in what oh sure yeah so I'm the one who actually wrote the diceware like generator in one password so I can say we have it and we've had it for quite some time uh but closely to the point of your talk and I'm fully agreeing with the last two

minutes that I heard as I walked in late um uh when we set in one password the default length for generated gibberish passwords we knew that 13 14 characters would be enough and we just said look we've got to make it more than 16 or people will think they're too weak right okay so the point there was humans are dumb and we had to make them stronger than they needed to be so humans wouldn't freak out and and that's I that's fair I was focusing mostly on the actual entropy inside the password but if you have to make it if you have to make your passwords longer so your CSO doesn't flip a brick then

I guess that's what you'll have to do but hopefully your CSO well you can point your seats out to this talk and then they can see oh they don't have to be 16 characters they can just be 15 characters with no specials and that's more than enough Heather I was just wondering in your opinion what would be the best way to draw Upstream service providers or supply chain Partners to this talk what's the best way to get non-technical people in tune with your your recommendations here like I think the best thing might be to like I would need to write a white paper or something and then get a booth at RSA to give it to them but I don't have that

kind of money so maybe you can like I made a Blog on this you can maybe Point them to the blog and then have them read it and then hopefully it'll get through to them so you know like there are dark patterns that we all Experience day to day what if a really long annoying complicated password is actually just a dark pattern to try to get my users to use my Federated single sign-on thing because in incident response you know a huge number of incidents that I experience are with people that are not using the single sign-on thing like if we actually make it harder to do short passwords maybe we can direct people towards the easier

answer which is have one password for everything and then single sign-on everywhere I think that goes back to a point I made earlier in the talk which is that if you want like in that sort of situation where you really care about security you'd probably be better off by giving everybody like a u2f dongle and then like require two Factor so it doesn't really matter how long their passwords are because like somebody won't be able to get to that you know u2f token to get in and you could possibly roll that into your single sign-on system or whatever but I would probably say do that instead of make people use stupid long passwords hi great talk Ira Victor I live here in

Nevada I helped write the bill that made the center for Internet Security controls considered the standard for data security in Nevada and it's now in four other states like that I think an alternate to getting a table at stupid RSA would be to have the center for Internet Security put this into their controls and I'd be willing to do an introduction to those people there thank you yeah if if we could somehow get it into law that yeah you don't have to do ridiculous passwords like that so people can point to that that'd be great the question the item is that anybody can do whatever they want with their data but with these laws and states it gives a Safe Harbor

from litigation when you follow a standard like the center for Internet Security so we don't need a law that says make your password short or long we need to say hey you're not going to get sued if you follow a good standard the good standard in many states is now Center for Internet Security then we put this as part of cons of the consideration for what is a good standard for data security like yeah that could work uh you you talked about trying to protect um something for eight years or 20 years or something like that it doesn't sound as though you were considering I mean I I doubt that Amazon is going to be

having exactly the same offerings in eight years or 20 years they're going to have much faster things by then did you consider what happens when you factor in a Moore's Law effect on the uh on the cracking uh to an end yes that's slightly uh I deal with that slightly by giving NSA the fudge Factor but additionally like the numbers the numbers I chose like the numbers I targeted were so ridiculously overpowered that Moore's Law isn't Gonna Get Us close to them anytime soon like like I said we're not doing like close to 2 to the 43 s-crypt hashes anytime soon uh the numbers I the numbers I was talking about before were for uh just md5 alone

and that is Far and Away the fat like the fastest uh algorithm to crack today but like B Crypt and S script are like three to five orders of magnitude slower like it's gonna take a long time just for b-crypt to get to where md5 is today and even at that point you're still safe by using just 15 characters okay uh well I'll give it one more uh one more question last one okay so I gotta say that um a solid argument you know it's very entertaining but the thing that I've learned in this business is that any recommendation you have people will take it kind of to the extreme you know like we said

no you know password passwords must expire and then all of a sudden people are doing a 30-day expiration on passwords so now we're saying passwords don't need to expire that quickly now people are saying there never should expire and you know it should include random characters and then it got to where people you know needed 200 bits of entropy so anyway um you say they should be longer and then people are wanting 100 character passwords now you're saying shorter just you got to be careful with with any kind of advice in this business because people will take it to the extreme and I just want to say that because I don't want to see the next recommendation

being eight character passwords so well I guess if I if I'm making a recommendation it's that all passwords should be 15 character alphanumerics and I think even if like so everybody started expiring passwords because nist wrote it up sometime in the past that you have to do it and then this okay in 2003 and then nist realized that was not useful and they got rid of it very recently so I think people did it because nist said that's what we should do and if we could make this say make all your passwords 15 character alphanumerics then that's what they would do and that would be more than enough for basically any situation today so I mean we could try that or you

know we can say nist is a guideline and not a rule and and I have to give people now the option of going for lunch as well but at two o'clock in one and a half hours we actually have Jim Fenton speaking and his name is standard so he's right over there so I think YouTube needs to talk have a great lunch and I'll see you back at two o'clock [Applause] [Music]