What makes a good Pass-Phrase??

[DoubleDee]

I would like to up-the-notch on my security practices and try to start using "Pass-Phrases" instead of a simple "Password". (A friend told me that using "password123" isn't as secure as I once thought?!)


1.) How long does a Pass-Phrase have to be, to be effective?

2.) If it is long enough, can it be a simple English sentence, of does it have to be... "AG13 di%n@#md394786!!*dkDHpnwQ"

3.) What are some practical tips to remembering it?

4.) Any other bits of wisdom you security experts can share?

Sincerely,


Debbie

[cydewaze]

If you consider this article, then length is what's most important.

This cool tool seems to concur.

I usually use a sentence containing seemingly random combinations of words that makes some sense to me.

[felgall]

If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.

Provided you hash the entire value (plus a salt) in one go the longer the value that is used the longer it would take a brute force attack to break it - assuming that you don't have security in place to prevent infinite guesses at high speed. Simply calling it a passphrase rather than password would help encourage people to enter longer values. One site I saw some time ago (can't remember where) suggested using four words strung together without spaces.

I remember reading somewhere that Windows chunks the password in 7 character sections for processing which has the unexpected result that an 8 character long password there can be easier to crack than a 7 character one and 15 characters can be easier to crack than 14 - since depending on what you know about the person cracking the single character may provide clues as to what the rest are likely to be.

If the site places limitations on password entry - such as locking the account completely after three wrong guesses or locking the account for a few seconds after each wrong guess - then a brute force attack is far less likely to work and alternate approaches to trying to crack a password are less reliant on the length of the password - so that a three character password and a thirty character password regardless of what they contain are not significantly different in how secure they are.


Using a password or pass phrase by itself is not as secure as was once thought. Systems requiring greater security now require more than just a value supposedly known only to you in order to gain access. Often they require that you also enter a code generated or sent to a device that you carry where that code is only valid for a minute or two - meaning that gaining access also requires that you have the device available to generate the unique code. Some are even looking at fingerprints and similar as further identification.

[DoubleDee]

If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.

Provided you hash the entire value (plus a salt) in one go the longer the value that is used the longer it would take a brute force attack to break it - assuming that you don't have security in place to prevent infinite guesses at high speed. Simply calling it a passphrase rather than password would help encourage people to enter longer values. One site I saw some time ago (can't remember where) suggested using four words strung together without spaces.

Currently, I require Passwords to have....

Code:

	At least 1 Upper-Case Letter
		- At least 1 Lower-Case Letter
		- At least 1 Number
		- At least 1 Special Character
		- Between 8-15 Characters

And when a user registers or re-sets a Password, I use this code...

PHP Code:

        // Create Salt.
        $salt = substr(sha1(uniqid(mt_rand(), true)), 0, 10);


        // Create Hash.
        $hash = hash_hmac('sha512', $pass . $salt, VINEGAR); 


Unfortunately, I have not had the time or resources to add code that locks things out after multiple or rapid attempts, although I could do this down the road.


So how does what I just described fit into what you are saying, plus my OP about "What makes a good Pass-Phrase"??

Sincerely,


Debbie

[cydewaze]

To me, a good passphrase is something easy for me to remember, but difficult for a machine to crack.

So "I ate 1000 bowls of chicken soup" is easier to remember and harder to guess than "Sit3p0iNt^"

[DoubleDee]

To me, a good passphrase is something easy for me to remember, but difficult for a machine to crack.

So "I ate 1000 bowls of chicken soup" is easier to remember and harder to guess than "Sit3p0iNt^"

So do you think that a Pass-Phrase that is maybe 15, 20, or more characters made up of just simple A-Z, 0-9 and spaces is good enough?


Debbie

[cydewaze]

So do you think that a Pass-Phrase that is maybe 15, 20, or more characters made up of just simple A-Z, 0-9 and spaces is good enough?

Assuming it's not something easily guessable by a human, yes. I've used things like the first four cities I visited in Europe. Unless I'm being hacked by my mom, no one's going to guess that.

I'm all for strong passwords, but when sites enforce rules (especially varying rules), they're forcing me to write down a password that I'll lose, and I'll end up doing a reset. One site will enforce password standards like yours up above, and another one (like my phone company) will forbid special characters, so now whatever mental policy I use to set passwords is out the window, and the next time I visit the site I'm doing a reset.

[DoubleDee]

Assuming it's not something easily guessable by a human, yes. I've used things like the first four cities I visited in Europe. Unless I'm being hacked by my mom, no one's going to guess that.

I'm all for strong passwords, but when sites enforce rules (especially varying rules), they're forcing me to write down a password that I'll lose, and I'll end up doing a reset. One site will enforce password standards like yours up above, and another one (like my phone company) will forbid special characters, so now whatever mental policy I use to set passwords is out the window, and the next time I visit the site I'm doing a reset.

Not sure I want to take the time to change my Password code to Pass-Phrase code before I go live, but I will definitely start using that soon enough.

BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?

Sincerely,


Debbie

[cydewaze]

BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?

To be honest, I pay more attention to minimum lengths than maximum ones, so I can't really answer that. I generally use passphrases for SSH access to Linux machines, and they usually have a huge max length.

Don't forget that (like felgall mentioned) hashed passwords are all the same length when stored.

[felgall]

BTW, based on your own experiences, what is the average UPPER-LIMIT for Password Length on most websites these days?

The upper limit should be infinite. The practical limit will be the maximum length that can be passed in a form field.

Once it gets to the server a trillion character password will take up as much space as a one character password once it has been hashed so there is no reason to set arbitrary maximums.

[DoubleDee]

The upper limit should be infinite. The practical limit will be the maximum length that can be passed in a form field.

Once it gets to the server a trillion character password will take up as much space as a one character password once it has been hashed so there is no reason to set arbitrary maximums.

I'm not understanding you here...

If Person #1 sets a Pass-Phrase as "Hi", and it gets hashed to, so, a 40 character Hash, and Person #2 sets a Pass-Phrase" to "I ate 1000 bowls of chicken soup for breakfast this morning at my grandma's house in Miami", and it also gets hashed to, so, a 40 character Hash, then I don't see how the Length matters?!


Also, could you please comment on whether the approach and code I posted above is secure?

Sincerely,


Debbie

[felgall]

then I don't see how the Length matters?!

1. You need to at least add a salt to the password when hashing it - that then means that two passwords that would otherwise have mapped to the same hash will now map to different hashes and that if someone has reused the same password across different sites that because your site uses a different salt to the other sites where they used it that finding a value that works for one site will not allow the finder to break into another site that uses the same password.

2. A longer password is harder to guess than a shorter one. This makes little difference to brute force attacks processing thousands of guesses a second but makes a big difference if the site only allows three guesses before locking the account or only allows one guess every ten seconds (and will ignore all but the first guess if the guesses are made faster than that)

Switching from a short password to a longer passphrase is what the users can do to build on the security of their login provided that the site has already implemented salted hashes and blocks brute force attacks. If those security measures are not implemented by the site then their account will be insecure regardless of what password or passphrase they choose.

[scout1idf]

then I don't see how the Length matters?!

If you have an upper limit of say 50 characters, then your user can't use a pass phrase like "I ate 1000 bowls of chicken soup for breakfast this morning at my grandma's house in Miami" if they want to.

Felgall's suggestions about "salting" and a minimum character limit of 30 would help with security.

Just my opinion...

[DoubleDee]

Stephen, you're not reading what I said above...

1. You need to at least add a salt to the password when hashing it

And I showed code above that does that us a Salt... (If you look above, you'll also see I use Vinegar...)

2. A longer password is harder to guess than a shorter one.

Again, if all passwords get hashed to a hash that is the same length, then I am not understanding where length comes it???

If the password "Hi" gets hashed to "1234567890xxxxxxxxxx1234567890xxxxxxxxx"

...and the password "This is a much longer pass-phrase which should be more secure" gets hashed to "0987654321yyyyyyyyyy0987654321yyyyyyyyyy"

...then is seems to me that the hackers just have to hack a 40-digit password in each case??


It also seems to me that if my Pass-Phrase is 150 characters, and it gets hashed to 40-characters, then I lose 110 characters of Pass-Phrase security...


Debbie

[ScallioXTX]

If the password "Hi" gets hashed to "1234567890xxxxxxxxxx1234567890xxxxxxxxx"

...and the password "This is a much longer pass-phrase which should be more secure" gets hashed to "0987654321yyyyyyyyyy0987654321yyyyyyyyyy"

...then is seems to me that the hackers just have to hack a 40-digit password in each case??

That's not the case, because hackers need to find the password that maps to the hash, they don't need to fill in the hash that you store in the database in the login form (I hope ). So in order to log in they need to find that one string [password] that -combined with salt, vinegar, what have you- maps to the hash you have stored in the database (in some hashing algorithms like md5 there may be multiple strings that map to the same hash, but the chances are extremely low and most have people have moved on to something like sha1 anyway).

So in that case a longer password really does make it more secure because there are lot more possibilities that with a shorter password. For simplicity sake if you only consider letters (lower and upper case) and numbers, every position you add to the password multiplies the number of possibilities a hacker has to go to by 62, and in general the number of possibilities is 62^(number of characters). Use some graph software to draw that function, see what happens

[DoubleDee]

If you are hashing the password/passphrase when storing it then you don't have to place any limits on length in what you allow people to use. Whether they use a one character password or a million character password the value stored will be the same length in the database.

That's not the case, because hackers need to find the password that maps to the hash, they don't need to fill in the hash that you store in the database in the login form (I hope ). So in order to log in they need to find that one string [password] that -combined with salt, vinegar, what have you- maps to the hash you have stored in the database (in some hashing algorithms like md5 there may be multiple strings that map to the same hash, but the chances are extremely low and most have people have moved on to something like sha1 anyway).

So hackers are trying to guess just the Password, and obviously, a shorter Password is easier to guess than a long one, right?

And the fact that a Password of Length=2 or Length=200 gets reduced to a Hash Length=40 shouldn't really be a concern of mine, right?

But tell me more about these "collisions"?

If "password123" and "cotton candy" both resolve to "1234567890xxxxxxxxxx1234567890yyyyyyyyyy", then do I have to worry that User 1 could hack into User 2's account?

And could that collision break my PHP code or my database?

I guess I am not understanding where this would cause issues?

So in that case a longer password really does make it more secure because there are lot more possibilities that with a shorter password. For simplicity sake if you only consider letters (lower and upper case) and numbers, every position you add to the password multiplies the number of possibilities a hacker has to go to by 62, and in general the number of possibilities is 62^(number of characters). Use some graph software to draw that function, see what happens

Do you use pass-phrases?

If so, how long on average?

And if so, can you share in general terms the "formula" you use to achieve a level of security that you are happy with?

For example, would a Pass-Phrase like this be good enough for starters...

"I love spending my Saturday's at the library"

Thanks,


Debbie

[felgall]

Do you use pass-phrases?

I don't. I try to avoid using sites that don't have proper security installed. For sites that do have proper security anyone trying to break in gets at most five guesses as to what the password or passphrase is and so the length doesn't really matter - ATMs that would provide access to your money only allow four digit numbers as passwords and three guesses and they are considered to be secure enough for that purpose so provided that the number of guesses is limited and the password length is greater than three characters the account isn't likely to be compromised that way.

It is the lack of proper security where someone can make a million guesses every few minutes that a longer password or phrase would take significantly longer to guess than a shorter one (centuries rather than days).

Of course it is easier to break in when they don't have to guess completely at random what the password is and instead use social media to work out what your password is most likely to be or use some means of actually capturing it (such as installing a keylogger on your computer) - in those cases it can make little or no difference what your password is.

[ScallioXTX]

So hackers are trying to guess just the Password, and obviously, a shorter Password is easier to guess than a long one, right?

Right

And the fact that a Password of Length=2 or Length=200 gets reduced to a Hash Length=40 shouldn't really be a concern of mine, right?

Right

But tell me more about these "collisions"?

If "password123" and "cotton candy" both resolve to "1234567890xxxxxxxxxx1234567890yyyyyyyyyy", then do I have to worry that User 1 could hack into User 2's account?

No. The only thing that could happen is that multiple passwords work for a user, but as I said the chance is extremely small. If you use sha1 you shouldn't worry about this.

And could that collision break my PHP code or my database?

Nope.

[Mrwalli]

Well good password is the combination of Alphabets ,number and special character . you can protect your password for hacker if you know the way of hacking and weak point of password .


See http://shoutingblogger.blogspot.com/...om-hacker.html