Enforcing password strength

By Jake Edge
October 12, 2011

There have been a lot of high-profile site compromises of late (kernel.org, Linux.com, MySQL, WineHQ, ...), most or all of which have led to password disclosure. Hopefully all of the disclosed passwords were stored as hash values, but, even so, sufficiently motivated attackers may well be able to crack some of the passwords via brute force or other means. Because passwords are often reused between sites, these compromises have made projects and others concerned about the security of the passwords granting access to their sites.

That concern led Kevin Fenzi of the Fedora infrastructure team to put out a message noting that all Fedora Account System (FAS) users are required to change their password (and SSH public keys, more about that below). As Fenzi said, the password change is not because of any known compromise of the Fedora infrastructure, but is, instead, a reaction to the recent compromises: "due to the large number of high profile sites with security breaches in recent months, that this is a great time for all Fedora contributors and users to review their security settings and move to 'best practices' on their machines." Part of those "best practices" is to have a strong password, so Fedora is enforcing some rules on the new passwords:

New Password Rules:

Nine or more characters with lower and upper case letters, digits and punctuation marks.
Ten or more characters with lower and upper case letters and digits.
Twelve or more characters with lower case letters and digits
Twenty or more characters with all lower case letters.
No maximum length.

I asked Fenzi in an email where the rules came from, and he pointed me to a Fedora infrastructure bug ticket and the report [PDF] from the University of Amsterdam that it references. That report looks at various password cracking methods and estimates that using those guidelines (actually just the first three) will result in passwords that will take ten years or more to crack at 2 billion guesses per second. That rate was an average of what the researchers found that a modern GPU-equipped system could guess for several different hash algorithms.

As Przemek Klosowski points out, the number of possibilities for each kind of password differ widely. There is a math error in the length-12 case (should be (24+10)^12), and evidently Klosowski is only considering 24 letters, rather than the 26 in English, but his conclusion still stands: the number of possibilities are ten orders of magnitude apart from the first to the last rule. In the end, that doesn't really matter, as long as the weakest choice is sufficient.

Most who commented on the requirement were not particularly annoyed by the password change mandate, but the same cannot be said about the SSH key requirement. SSH users may tend to be more security savvy and are thus less likely to have lost control of their private SSH key than they are to have an easily cracked password—though of course that's no guarantee. But if the private SSH key that corresponds to the public key installed on the FAS servers has been compromised, it's likely that's because the owner's system has been breached. If that's the case, generating a new SSH key on a compromised system will likely only result in another compromised key. In addition, a massive SSH key flag day has its own dangers as Simo Sorce points out:

OTOH with a massive key change you have no reasonable way to monitor suspicious key replacement activity. Remember that ssh keys can be uploaded by simply knowing the FAS account password which is arguably much simpler to snatch as we have many systems that require such passwords in various different ways.

There is a strong belief that the kernel.org compromise was done via a compromised SSH key, however, so the infrastructure team is requiring folks to change their keys. Many are not happy about it, including Sorce who goes on to say:

The problem is that blindly changing keys if a contributor is being careless accomplishes exactly nothing, and just burdens all careful ones.

If you have evidence of contributors being careless with SSH keys the only recourse is to identify and educate the offenders requiring them to change those keys and not have a 'hit 100 to educate 1' policy that serves little or no purpose.

Sorce's complaint is a reasonable one. Unfortunately, it's hard to know whose keys may have been compromised (or, indeed, if any have been compromised at all) as several folks mentioned. By bringing it up and requiring everyone to change their keys, it may result in better security—and will at least raise the awareness level of the problem, which could result in better security practices by some who were being lax. It is undoubtedly annoying to those who have been careful with their keys, but it isn't that hard to generate and use a new key, even if it is only used for FAS.

Raising the level of awareness of these issues is perhaps the only good thing that has come from these high-profile break-ins. It is pretty easy to get complacent about security, reuse passwords on many sites, have password-less SSH keys, and so on. Events like the kernel.org breach can help break us all of our lax security habits. Certainly many sites, projects, and organizations—even those who haven't suffered a breach—are looking at their security practices; it's a good time for individuals to do so as well.

Passwords are only part of the story, of course, but they tend to be on the "front-line" of the security of our systems, so it is a good place to start. As xkcd so eloquently put it, the time for relatively short but "hard" to guess passwords may well be behind us: pass phrases are more easily remembered and less easily cracked. It's good to see that Fedora is not enforcing a limit on the password length, it's likely that many other sites do have a fairly short limit that will make using pass phrases harder. The Fedora rules do provide some good guidelines to follow when creating passwords or phrases.

Having too many passwords is almost as bad as having too few, because managing them securely can be quite a headache. One suggestion that Fenzi made is to use a password manager program like "revelation, gnome-keyring, seahorse, or keepassx". Looking more closely at those kinds of applications is on my to-do list, for both personal and professional reasons. Look for an article on that topic to appear on your virtual doorstep in the near future.

Index entries for this article
Security	Authentication
Security	Passwords

to post comments

Enforcing password strength

Posted Oct 13, 2011 3:44 UTC (Thu) by Baylink (guest, #755) [Link] (7 responses)

Reminder: Bruce Schneier wrote a password keeper as well; I don't remember what it's called just now.

Enforcing password strength

Posted Oct 13, 2011 5:08 UTC (Thu) by dv1m (guest, #58319) [Link] (6 responses)

PasswordSafe

http://www.schneier.com/passsafe.html

Enforcing password strength

Posted Oct 13, 2011 13:34 UTC (Thu) by tsr2 (subscriber, #4293) [Link] (5 responses)

PasswordSafe appears to be Windows only. KeepassX is cross platform.

http://www.keepassx.org/

There's a quick intro to KeepassX at http://linuxgazette.net/174/youngman.html

Enforcing password strength

Posted Oct 13, 2011 16:30 UTC (Thu) by JohnMorris (guest, #73531) [Link] (2 responses)

There's a Linux clone at http://www.semanticgap.com/myps/. I've been using it for several years. Unfortunately it is getting quite old, and does not seem to be being maintained. I rebuild it from source each time I change Linux version, but it's getting messier each time, as the older libraries it wants fade into obscurity.

Enforcing password strength

Posted Oct 13, 2011 16:36 UTC (Thu) by jldugger (guest, #57576) [Link] (1 responses)

PasswordGorilla is a linux version of PassSafe. And still in active development!

Enforcing password strength

Posted Oct 13, 2011 16:48 UTC (Thu) by Baylink (guest, #755) [Link]

"is a linux version of" is a phrase that carries even less weight on this point than nearly any other time.

I suspect there are a fair number of people out there who haven't given much thought to *just how strong a basket* you want for your password safe...

KeePass, LastPass and two-factor authentication

Posted Oct 14, 2011 7:07 UTC (Fri) by Cato (guest, #7643) [Link] (1 responses)

KeePass (Windows only) and KeePassX are database compatible, and there are many KeePass clones on other platforms, e.g. KyPass for iPhone and others for Android.

When combined with something like Dropbox, it's quite easy to keep your password DB available on various devices, although you multiply the risk of a keylogger grabbing the KeePass password. (Dropbox has a pretty good Linux client that includes a CLI-only install for headless servers (just use lynx on the server), and is very quick at syncing small files.

I also use LastPass for less critical passwords, and by generating a strong random password for every site, the main risk is that the main password is stolen. LastPass supports Yubikey, a low-cost USB token with AES encryption, which emulates a keyboard - so a keylogger attack would have to steal the LastPass password and my token. There's still a risk of LastPass-specific targetted malware, so client systems need to be kept updated and secure. Free as in beer on Linux, Windows, Mac, etc, with paid-for apps on iPhone and Android.

Duo Security is an interesting option to secure your own systems' SSH, web apps, VPNs, etc - they use phone calls, SMS or push notifications to smartphones as a second factor, and can be integrated with PAM. Free for up to 5 users or open source projects.

KeePass, LastPass and two-factor authentication

Posted Oct 17, 2011 13:17 UTC (Mon) by sorpigal (subscriber, #36106) [Link]

I use PassPack myself, but LastPass is also a good choice. It's too bad there isn't an open source version of this kind of thing so that I can self host; trusting a third party's security and honesty doesn't sit well with me.

Enforcing password strength

Posted Oct 13, 2011 5:49 UTC (Thu) by pabs (subscriber, #43278) [Link] (3 responses)

One of my family members recently gave up on creating a Skype account because their password requirements were too much.

I wonder if Fedora could use GPG keys and client-side SSL certs generated by Monkeysphere for web authentication instead of passwords?

Enforcing password strength

Posted Oct 13, 2011 16:02 UTC (Thu) by NAR (subscriber, #1313) [Link] (2 responses)

Actually I have no idea what my Skype password is. The client stores it somewhere and when it forgets (once or twice a year) I generate a new one.

I use English keyboard layout, but the family members use Hungarian, so some punctuation marks, numbers and even letters are in the wrong place. Because passwords are generally not echoed, I might not notice if I type something wrongly, so it's wise to avoid z, y, 0, etc. which makes the usable character set even smaller. Then there's at least one public webmail service that accepts only the first 8 characters of the password (maybe they've changed it in the last few years)...

On the other hand what are the odds to make a typo in a 20 characters long passphrase? Because it's not echoed, it's not easy to notice, especially for beginners who're still looking for the right keys all the time. So the situation is a mess.

Enforcing password strength

Posted Oct 14, 2011 7:22 UTC (Fri) by Cato (guest, #7643) [Link]

You could try LastPass, which is a cloud-based password manager with plugins for most browsers, and Yubikey, which is a hardware token emulating a keyboard. Set up LastPass to require use of Yubikey (and disable offline use), then set an easily typed password, on all keyboard variants, for LastPass - this will then send the password to all websites.

LastPass doesn't yet cover local applications on Linux, but you can copy/paste the password into Skype etc.

Enforcing password strength

Posted Oct 20, 2011 11:16 UTC (Thu) by pabs (subscriber, #43278) [Link]

My point was that strong passwords are too hard for normal folks and if bad passwords are not allowed such people will walk away from your service.

Enforcing password strength

Posted Oct 13, 2011 7:15 UTC (Thu) by hisdad (guest, #5375) [Link] (3 responses)

I have a note book (paper) and I write them down.
If anyone breaks into my home and steals that, they would probably have stolen everything and left my wife and I dead on the ground.

--Dad

Enforcing password strength

Posted Oct 13, 2011 12:39 UTC (Thu) by Im26 (subscriber, #48749) [Link] (2 responses)

What happens if it is a house guest who is trying to access the accounts?

Enforcing password strength

Posted Oct 14, 2011 23:23 UTC (Fri) by giraffedata (guest, #1954) [Link] (1 responses)

I have a note book (paper) and I write them down.
If anyone breaks into my home and steals that, they would probably have stolen everything and left my wife and I dead on the ground.
What happens if it is a house guest who is trying to access the accounts?

Including the cable guy, the plumber, etc.

Also, most burglars don't kill the homeowners. So you're still alive, and in addition to having lost all the valuables you keep in your house, you've now lost the money you keep in financial institutions, your private medical records, etc.

So that reasoning does not work well, but I still think your strategy is reasonable because unless you have strong or numerous enemies, the probability of someone stealing your password from your desk drawer is probably insignificant.

In fact, most people go further: they set up all but the most sensitive services on their home computers to log on without a password. The chance of someone breaking into your house to log on to your Facebook account is too small to justify having the computer hassle you every time you want to log on yourself.

But I think better than keeping a notebook at your house is to keep a piece of paper in your wallet. That way you have access when you're away from home, and it's even less likely that someone will attack you to get your password than that someone will break into your home.

Enforcing password strength

Posted Oct 18, 2011 0:47 UTC (Tue) by jamesh (guest, #1159) [Link]

Or better yet, have a piece of paper that contains half of each password. Combine these half-passwords with some other word you've memorised, and you can have unique passwords for multiple services without having to remember multiple passwords. And if someone does get access to your password list, it wouldn't be sufficient to log in to those services.

Enforcing password strength

Posted Oct 13, 2011 9:29 UTC (Thu) by k8to (guest, #15413) [Link] (2 responses)

I don't like trying to create passphrases for random sites, because I have no way to easily test how much of the input is actually used. A lot of old or naive password systems ignore everything beyond the first N characters.

Enforcing password strength

Posted Oct 14, 2011 7:20 UTC (Fri) by Cato (guest, #7643) [Link]

It's still a lot better to try to use a 12-character random password with punctuation etc, even if only 6 or 8 characters are used, than to use a fixed password. If the site does have weaknesses, only that one password is compromised.

Enforcing password strength

Posted Oct 14, 2011 12:27 UTC (Fri) by robbe (guest, #16131) [Link]

Why not try to login with your passphrase minus the last character? This will catch chopping-of at any length from 1 to N-1 characters. If you get in this way, complain to the admin and/or never use the service again.

Password chopping to anything less than 100 characters means one or more of the following:
* clear-text storage in a database column of fixed maximum width
* bad hash implementation
* poor understanding of security overall

Enforcing password strength

Posted Oct 13, 2011 11:45 UTC (Thu) by Trou.fr (subscriber, #26289) [Link] (7 responses)

Note that using a good hashing algorithm is as important as using strong passwords. I hope Fedora uses something like SHA-512 crypt() or bcrypt.

Also, they should recommend to people using ssh-agent to always specify the "-c" flag to ssh-add, which asks for confirmation on each use. This only adds a keypress but allows you to get notified if someone tries to use your ssh-agent without you knowing.

Enforcing password strength

Posted Oct 13, 2011 13:56 UTC (Thu) by corvus (guest, #82) [Link]

I agree. Unfortunately many people no longer have easy access to the constrained identities feature because it is not implemented in the gnome keyring. Here is a very old bug:

https://bugzilla.gnome.org/show_bug.cgi?id=525574

Enforcing password strength

Posted Oct 13, 2011 16:37 UTC (Thu) by jldugger (guest, #57576) [Link]

Is the fedora infrastructure not kerberized?

Enforcing password strength

Posted Oct 14, 2011 7:18 UTC (Fri) by Cato (guest, #7643) [Link] (4 responses)

There are two much more important elements:

* Key stretching - http://en.wikipedia.org/wiki/Key_stretching - repeats the hashing/encryption operation on the plain text password thousands or millions of times to make brute forcing very slow (maybe 0.5 sec per attempt) - this is the single most important element that most systems omit. Even using SHA-512 is poor practice if it's not stretched.

* Salt - this stops the well-known rainbow table cracking attacks which can take just a second or so if the rainbow table covers the type of passwords - can be accelerated with large SSDs, search for the vendor of Ophcrack for an online test that is scarily fast. Bizarrely, even Windows 7 doesn't use salt, unlike *nix.

I find it extraordinary that so many people aren't aware of key stretching when it's so simple to implement. Any password hashing scheme that enables 'billions of operations per second' is extremely dangerous.

The stretching iterations can even be varied for each installation of a web app, making it very hard for the attacker if they are only able to retrieve the passwords via a basic SQL injection.

See http://www.openwall.com/articles/PHP-Users-Passwords for a good introduction to the concepts in the context of the excellent phpass library (adopted by Drupal and others.) It supports bcrypt, but also uses MD5, which can be quite secure with salt and enough stretching.

Enforcing password strength

Posted Oct 14, 2011 13:27 UTC (Fri) by erwbgy (subscriber, #4104) [Link]

I hadn't heard of key stretching before so this was very useful info. Thanks.

Enforcing password strength

Posted Oct 14, 2011 15:24 UTC (Fri) by skvidal (guest, #3094) [Link] (2 responses)

Unless I've misread this:
http://stackoverflow.com/questions/6058019/storing-user-a...

it sure looks like anyone using normal crypt with $6$ is going to be key-stretched.

Enforcing password strength

Posted Oct 14, 2011 17:03 UTC (Fri) by jonabbey (guest, #2736) [Link]

Yup, the $6$ password format is about the best thing going right now. The $2a$ bcrypt algorithm is good too, but not as widely supported on Linux.

Enforcing password strength

Posted Oct 14, 2011 19:49 UTC (Fri) by Cato (guest, #7643) [Link]

That's true, but that depends on the version of glibc and whether the high level language such as Python makes it available, and of course the programmer must choose the $6$ format. PHP on some web hosts is still version 5.1 (still the standard version for RHEL 5.x), which means that phpass must use one of bcrypt, extended DES and MD5, depending on what's available.

It's best if everyone checks that the crypto library they are using makes use of key stretching - defending against FPGA attacks is particularly hard as they can be built to be very much faster than CPUs for only a few thousand USD.

XKCD

Posted Oct 14, 2011 23:28 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link] (4 responses)

I think the XKCD reference is a great one. The truth is that most passwords or passphrases are very weak at using all the available entropy for a string their length. Requiring passwords to have at least one capital and one number will usually result in passwords that use a dictionary word starting with a capital and have 1 tacked onto the end- and that's predictable enough to incorporate into a cracking algorithm. Unless you use a completely random, very difficult to memorize password, the (available characters)**length approach will grossly overestimate password strength.

XKCD

Posted Oct 15, 2011 12:19 UTC (Sat) by nlucas (subscriber, #33793) [Link] (3 responses)

There is also this method about "password padding" [1], where you basically pad an easy to remember word. As long as the length is big enough, and the padding method is secret, it forces a full brute force attack, where the length of the key is the only factor.

Another interesting bit on that site is a method to encrypt/decrypt sites domain names into strong passwords using only a sheet of paper. [2]

[1] https://www.grc.com/haystack.htm
[2] https://www.grc.com/offthegrid.htm

XKCD

Posted Oct 18, 2011 0:02 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link] (2 responses)

I'm a bit skeptical about the password padding idea. Adding one extra random character may increase the search space by a factor of 85, but adding between 1 and 10 characters of padding with a single character only increases it by 850 fold. That's still a substantial increase in strength, but it's not even close to the 85**10 fold increase they seem to imply.

That gets back to the XKCD cartoon's idea about estimating password entropy by looking at how the password is constructed. Estimates based on (character choices)**(password length) will grossly overestimate password strength because they assume you're using a truly random password. In practice, most people use things like dictionary words with predictable permutations, numbers appended, etc. which result in passwords that can be cracked much faster than predicted using dictionary or modified dictionary attacks. To get the full strength of your password length, you need to use truly random and hence very hard to memorize passwords. If people could actually memorize 10 random characters easily, we wouldn't have all these discussions about how to make stronger passwords in the first place.

XKCD

Posted Oct 18, 2011 0:25 UTC (Tue) by dlang (guest, #313) [Link] (1 responses)

remember that predictable to the attacker is not the same as predictable to the user. something may be very predictable to one particular user, but attackers can't assume that users will do that.

that being said, I see a common mistake in a lot of people making passwords where they are attempting to make good passwords.

if you _always_ replace a with @, o with 0, l with 1, t with 7, etc you aren't really much better off than using the plain text. enough people make these substatutions, and make them _every_ time the potential comes up, that doing so doesn't significantly increase the problem space.

XKCD

Posted Oct 18, 2011 1:42 UTC (Tue) by nlucas (subscriber, #33793) [Link]

Right, but the article doesn't say the padding must be simple things like "......" or "+++++".

You can decide to pad "dog" with "qw34rty", like "dogqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rty", and even if they are repetitions I doubt this will be on any rainbow table.

The magic is just to decide on a padding that in effect is random to the attacker, like "9fe8jn" repeated 20 times, added to simple dictionary words.

The point of the article is that, as long as one doesn't copy padding techniques from a friend, they are more secure passwords than a simple 10 characters random one.

The major problem with this is stupid sites that restrict password length, which by itself shows that the site security is not trustworthy, whatever secure password you choose.

PasswordMaker

Posted Oct 16, 2011 14:28 UTC (Sun) by CChittleborough (subscriber, #60775) [Link]

I recommend a Firefox extension named PasswordMaker, as long as you customize the character set you use. One advantage is that you can set the length of the generated passwords to 12 (or 15, or 20 ...) but never have to remember them or type them.

Enforcing password strength

Posted Oct 18, 2011 12:23 UTC (Tue) by ekj (guest, #1524) [Link]

Passwords are fundamentally broken, and only getting more so with every passing month. To be secure they must be:

* Long.
* Random.
* Different on different sites.
* Changed now and then.

But people are not actually capable of doing that, as in, they just plain CANNOT do it. Thus "solutions" like storing the passwords in a database, and encrypting this with a single password. This works to some degree, but a single keylogger on that machine still gets access to all sites, thus for some attack-scenarios it's actually worse than simply writing the passwords down on paper.

seven basic rules for developers setting up password systems

Posted Oct 22, 2011 6:56 UTC (Sat) by alecmuffett (guest, #80935) [Link]

If any part of your user interface or code truncates password plaintext input at a length of less than 255 characters, it's a bug.

If you can't cope with password plaintexts that contain SPACE and TAB characters, it's a bug.

If your passwords are not hashed, it's a bug.

If you're hashing your passwords with anything other than Bcrypt, it's a bug; bcrypt() maxes out at 55 character passwords, but that's not your fault...

If you allow people to use a password of less than 12 characters, it's a bug.

If you do not encourage people to select a unique password for your service, it's a bug.

If you do not encourage people to use passphrases, it's a bug.

Yes, the rules are opinionated. They are even biased and make sweeping assumptions. They don't even address issues like UNICODE. But if you address these seven points in every application in the world, you'll make password cracking a phenomenally tougher job.

Background: http://goo.gl/iL9EP

Enforcing password strength

Posted Nov 14, 2011 20:08 UTC (Mon) by paulmfoster (guest, #17313) [Link]

A guy named Carl Welch did a GPG password wallet for a Linux Journal article a couple of years ago. No perfect, but perhaps worth a look: http://www.linuxjournal.com/article/9861