Simple passwords are the solution

ZDNet has a nice piece on why cheap GPUs are making strong passwords useless. They are right, of course (though it’s pretty much been that way for 20 years, since the need for /etc/shadow) but they are missing the obvious solution to the problem.

The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible. We know how to do that, we just have to overcome a generation-old axiom about trivial passwords being easy to break (they are not, if you only get very few tries).

It’s not just cheap GPUs. Complex passwords are also the problem. Simple passwords are the solution.
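
To make the "very few tries" argument concrete, here is an added sketch (not code from this post or from the ZDNet piece) of a per-account verifier that evaluates only a handful of guesses before imposing doubling delays, plus a simulation of one day of online guessing against a 4-digit PIN. The class and function names, the three free tries and the 60-second base delay are all assumptions chosen for illustration.

```python
import hashlib, hmac, os

class ThrottledVerifier:
    """Checks one account's password; failures past a small allowance trigger doubling delays."""
    def __init__(self, password, free_tries=3, base_delay=60):
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.free_tries, self.base_delay = free_tries, base_delay
        self.failures, self.locked_until = 0, 0

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def attempt(self, password, now):
        """Return 'ok', 'bad' or 'throttled' for a login attempt at time `now` (seconds)."""
        if now < self.locked_until:
            return "throttled"          # guess is rejected without being evaluated
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.free_tries:
            # lock window doubles with every failure past the free allowance
            self.locked_until = now + self.base_delay * 2 ** (self.failures - self.free_tries)
        return "bad"

def simulate_online_guessing(verifier, guesses, seconds):
    """One submission per second for `seconds`; returns (guesses evaluated, cracked?)."""
    evaluated, queue = 0, iter(guesses)
    guess = next(queue, None)
    for now in range(seconds):
        if guess is None:
            break
        result = verifier.attempt(guess, now)
        if result == "throttled":
            continue                    # the same guess is retried next second
        evaluated += 1
        if result == "ok":
            return evaluated, True
        guess = next(queue, None)
    return evaluated, False

if __name__ == "__main__":
    pins = (f"{n:04d}" for n in range(10_000))        # constructed guess list: every 4-digit PIN
    v = ThrottledVerifier("7294")                     # constructed, deliberately simple password
    print(simulate_online_guessing(v, pins, 86_400))  # one day of guessing
```

The throttle only bounds online guessing; it does nothing once the stored hashes themselves are exposed. A limiter keyed on the account alone also lets anyone delay the legitimate user's login, so real deployments have to weigh that against the guessing bound.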

  • http://arik.baratz.org Arik Baratz

    As we discussed in meatspace, 2 factor authentication can help quite a bit there.

  • David

    Either two-factor or few-tries is a strategy that will require changes at each point-of-use for passwords. I.e., every website and application will need modifications.

    Do we seriously think that’s likely to happen, even to any reasonable proportion if not 100%? I don’t.

  • David

    From the end of the ZDNet piece: “Unless we’re willing to move onto 15-16 characters, mixed-case/symbols random password (which will end up on Post-It Notes), passwords will soon only offer protection against honest people.”

    What a doofus. My standard PW template is 20 characters upper/lower/numbers/specials. I suppose this twit thinks I walk around with a pad of Post-Its to keep track of all that.

    So how long will a GPU take to bruteforce this? Oh, only a couple of centuries?

  • http://arik.baratz.org Arik Baratz

    There are ways to do something that has most of the properties of two factor authentication with minimal hassle, David.

    Take for example salesforce.com – they put a cookie on your computer (which becomes the “something you have”) and require that you verify any computer without the cookie by sending you a link by email. It basically delegates the trust to your email, but if that has 2F auth it’s pretty good. It has minimal impact on user interaction. If you have the same password for salesforce and for your email, well, you’re asking for it.

    Facebook can (if you ask it nicely) notify you by SMS whenever you login from a new computer (i.e. one without a cookie). Although not stopping you from authenticating, it allows you to remedy the problem.

    Google’s 2F is more like the classic model, they can use an authenticator on a phone or SMS messages as the second factor. It’s more of a hassle – but it also allows you to connect from non-trusted terminals. It’s a trade-off.

    Bank of America also put a cookie on your computer. On computers without the cookie they ask you a couple of extra questions (the “security” questions) before they put the cookie on. Not really 2F, it does make it more difficult to attack.

    All those techniques (other than Google’s) potentially introduce a second authentication factor with really very little interaction on the user’s side.

  • Mark Hahn

    it’s just plain weird that you bring up /etc/shadow, but don’t apply it to the topic. that’s what’s so galling about the referenced articles – they don’t touch on the fact that the problem is not password guessing, but exposed hashes.

  • http://www.BeyondSecurity.com Aviram

    @Mark: I agree that the article mainly talks about breaking hashes (or, finding the plaintext given a way to verify it quickly) which is easily solved by /etc/shadow. But I don’t agree that the problem is not password guessing.
    Password guessing is a problem, but the solution is NOT more complex passwords but other methods (Arik suggests 2F auth, I personally prefer other methods that don’t shift the burden on the user, however minimal)

  • rich

    check out Steve Gibson’s take on passwords. the key is length and character set.
    https://www.grc.com/haystack.htm

  • http://www.terminal23.net LonerVamp

    I was going to comment, but I got waaay too long-winded. So I posted it over at my site.

    The TLDR version: I don’t have it out for simple or complex passwords; the crux of my post is that neither is de facto better than the other. It all just depends. But if some “normal” person asks me for my advice, I won’t say simple passwords are the solution.