Friday, September 17, 2010

Secure passwords keep you safer

Commentary by  Bruce Schneier  

Ever since I wrote about the 34,000 MySpace passwords I analyzed, people have been asking how to choose secure passwords.

My piece aside, there's been a lot written on this topic over the years -- both serious and humorous  but most of it seems to be based on anecdotal suggestions rather than actual analytic evidence. What follows is some serious advice.

The attack I'm evaluating against is an offline password-guessing attack. This attack assumes that the attacker either has a copy of your encrypted document, or a server's encrypted password file, and can try passwords as fast as he can. There are instances where this attack doesn't make sense. ATM cards, for example, are secure even though they only have a four-digit PIN, because you can't do offline password guessing. And the police are more likely to get a warrant for your Hotmail account than to bother trying to crack your e-mail password. Your encryption program's key-escrow system is almost certainly more vulnerable than your password, as is any "secret question" you've set up in case you forget your password.

Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it's attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.

So the security of your password depends on two things: any details of the software that slow down password guessing, and in what order programs like PRTK guess different passwords.
Some software includes routines deliberately designed to slow down password guessing. Good encryption software doesn't use your password as the encryption key; there's a process that converts your password into the encryption key. And the software can make this process as slow as it wants.

The results are all over the map. Microsoft Office, for example, has a simple password-to-key conversion, so PRTK can test 350,000 Microsoft Word passwords per second on a 3-GHz Pentium 4, which is a reasonably current benchmark computer. WinZip used to be even worse -- well over a million guesses per second for version 7.0 -- but with version 9.0, the cryptosystem's ramp-up function has been substantially increased: PRTK can only test 900 passwords per second. PGP also makes things deliberately hard for programs like PRTK, also only allowing about 900 guesses per second.

When attacking programs with deliberately slow ramp-ups, it's important to make every guess count. A simple six-character lowercase exhaustive character attack, "aaaaaa" through "zzzzzz," has more than 308 million combinations. And it's generally unproductive, because the program spends most of its time testing improbable passwords like "pqzrwj."

According to Eric Thompson of AccessData, a typical password consists of a root plus an appendage. A root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time).