Wednesday, March 5, 2014

Time to add a word

Time to add a word

For the average user I now recommend a passphrase with six Diceware words, or five words with one extra character chosen and placed at random. 

This is a change from my previous advice. Since Diceware was created in 1995, I have recommended five words as a suitable passphrase length for an average user.  For people with more stringent requirements and where the passphrase was being used directly to form a cryptographic key, I have suggested 6 words or more.

I had previously written that longer Diceware passphrases might be vulnerable by about 2014. Well it's 2014. Today criminal gangs probably have access to more computing power then the NSA did when this page first appeared. So I am upping my passphrase length advice by one word.

To understand why, here is an article about a password cracking machine built using 25 AMD Radeon graphics cards. It can test 350 billion possible password per second using Microsoft Windows’ NTLM password algorithm. They claim they can crack a random 8-character password in under six hours. At that speed, attacking a 5-word Diceware passphrase would take on average of 7,300 hours or 10 months to find the correct passphrase, assuming they knew you were using Diceware and developed equally efficient software designed to try only valid Diceware words. And NTLM is one of the easier password hashing algorithms to attack.

Criminal gangs have built botnets from thousands of computers infected with their malware. Marshaling large numbers of these computers they control might allow them to crack a five word passphrase in a reasonable amount of time. But tying up thousands of computers is probably more effort than criminals would want to expend on an average person’s data. They have many potential victims with weaker passwords that take much less work to exploit.

Still computer power keeps increasing, especially in advanced graphics processors, which are easily adapted to cracking work. Five words would still be enough for most uses if software designers used good key stretching, but too many do not and it is hard to know for sure which do. So I felt it was time to recommend that longer passphrases start being used. If you are using a 5 word passphrase, consider adding a random character as I suggest at diceware.com. It will make your passphrase about a thousand time more difficult to crack. Adding a sixth word makes it 7776 times harder. Take your pick, and read the Diceware.com FAQ for more information.




Wednesday, December 25, 2013

Making Random Letter Passwords Memorable


Making Random Letter Passwords Memorable

Arnold G. Reinhold
Cambridge, Massachusetts, USA

August 28, 2011

Abstract
A method is presented that accepts a random string of up to 10 letters and uses a look-up table to produce a mnemonic English sentence having those letters as the initial letter of each word. This method offers more predictable security than asking users who wish to create a strong password to think of a sentence and use the initials of each word in that sentence as the password.

Introduction
As personal computers become more powerful, attacks on password management systems are becoming difficult to prevent. Many authentication systems protect passwords by only storing a cryptographic hash of each password. However, if an attacker gains access to stored password hashes, they can attempt to crack the hashes using dictionaries of common passwords or brute force searches of all character combinations. The availability of high performance general-purpose graphics processors (GPGPUs) that can be programmed to carry out hash attacks exacerbates the problem. (Davis 2011) Cybercriminals have assembled large networks of computers they control (botnets) and can use CPUs and GPUs on the compromised machines to attack password hashes they have collected. Passwords used to generate cryptographic keys, such as those used for disk encryption or to protect wireless networks, have similar vulnerabilities.

In response to these threats, users are often encouraged (or coerced) to employ stronger passwords. Common ways of doing this include requiring a minimum length and a mix of upper and lower case letters, number and special characters. The latter approach can have mixed results. Users often follow predictable strategies to meet those requirements, modifying their passwords in minimal ways that have only modest impact on an attacker’s search difficulty.

Another common strategy suggests users think of a phrase that is memorable and use the initial letters of each word in that phrase to form their password, perhaps substituting words or letters with numbers or symbols, 2Bor~2B? for example .However this approach depends on the user being sufficiently clever and creative.  Many users will choose common phrases, such as lyrics from popular songs, and use predictable letter and word substitutions, such as “$” for “S”, “1” for “L” and “3” for “E”. Also the distribution of initial letters of words in English and other natural languages is far from uniform, giving attackers an additional advantage.

A more rigorously secure method is to offer users a password made up of characters chosen completely at random. Selecting uniformly distributed random characters offers the maximum possible entropy for a given password length and character set. However, this approach is not widely employed because of concerns that users find such passwords too difficult to remember.

The sentence generator approach
This paper proposes a different approach that offers the best features of the last two methods. A fully random password is created first and that password is then used to generate a mnemonic sentence – one where the initial letters of each word form the password. Since the random password is generated first, the selected sentence cannot diminish security, as long as it is kept secret. 

The sentence is generated from the password using s look up table, Table 1, which consists of 10 columns and 26 rows. Every column has 26 English words in alphabetical order, each starting with a different letter of the alphabet (a-z). The one exception is the “x” row where words starting with “ex” are used. Each column contains one grammatical form. The columns are arranged to produce a proper English sentence regardless of which row each word comes from. The column pattern from left to right is: proper name, adjective, noun, adverb, verb, adjective, noun, gerund, adjective, noun.

Give any string of 10 letters from the English alphabet, Table 1 can generate an English sentence consisting of ten words whose initials are those letters (with words that start with “ex” standing for “x”). Thus any random password of 10 letters produces a unique mnemonic sentence for that password. For example the password vmyhvxklke generates the sentence:

Vivian's merry yankees hopelessly view excellent kings leaving keen energy.


While not all sentences generated in this way are immediately meaningful, they can be easier to remember than the password itself. Simple techniques, such as visualizing the scene suggested by the sentence, can further aid memorization.


Table 1. Sentence generating matrix

‑‑
Name
adj
noun
adv
verb
adj
noun
gerund
adj
noun

1
2
3
4
5
6
7
8
9
10
A
Arnold's
amazing
artists
always
arrest
angry
ants
arousing
awful
admiration
B
Bob's
big
brothers
boldly
batter
bossy
boys
bringing
boastful
bliss
C
Charlie's
cuddly
cats
craftily
cover
crazy
crooks
causing
cold
comfort
D
Dona's
deadly
ducks
deftly
drop
dumb
doctors
defying
dumb
delight
E
Ed's
empty
editors
easily
engage
eager
eels
enjoying
easy
energy
F
Frank's
fine
frogs
foolishly
fight
fat
foxes
finding
fast
fame
G
Gloria's
golden
goats
gaily
grab
green
goons
gaining
glorious
growth
H
Hana's
hot
hippos
hopelessly
hold
heavy
horses
helping
happy
health
I
Ivy's
interesting
infants
intensely
inject
incompetent
idiots
insulting
intense
interest
J
Jane's
jolly
judges
joyously
join
jealous
jokers
joining
juvenile
joy
K
Ken's
kissable
kittens
kindly
keep
kinky
kings
killing
keen
karma
L
Lucy's
lonely
llamas
laughingly
lash
lowly
librarians
leaving
lurid
love
M
Mary's
merry
mermaids
morosely
mangle
mad
monsters
making
messy
music
N
Nancy's
nice
nuns
noisily
nab
naughty
nerds
noting
neglected
nothingness
O
Olga's
old
owls
often
ogle
oily
orcs
owning
open
obsession
P
Pete's
pink
peacocks
playfully
pester
poor
pigs
packing
proud
power
Q
Quincy's
quiet
quails
quickly
query
quaking
queens
questioning
queer
quality
R
Randy's
red
rodents
regretfully
ruin
rude
robbers
rejecting
redolent
refreshment
S
Sue's
smooth
snails
swiftly
slay
snarky
slugs
seeking
simple
success
T
Tom's
tiny
tigers
timidly
tackle
tired
thugs
testing
tenuous
truth
U
Uri's
urban
umpires
urgently
upset
ugly
uncles
urging
useless
unity
V
Vivian's
vivacious
vampires
vividly
view
vicious
vandals
viewing
velvet
victory
W
Walt's
wild
wolves
willingly
wrestle
wimpy
wardens
wishing
witty
wisdom
X
Xavier's
eXotic
eXecutives
eXcitedly
eXpel
eXcellent
eXperts
eXtracting
eXtreme
eXcess
Y
Yolanda's
yelping
yankees
yearningly
yank
yellow
youths
yielding
yummy
yogurt
Z
Zed's
zigzagging
zebras
zealously
zone
zany
zombies
zooming
zesty
zeros


Strength of all-letter passwords

A 10 letter random password has 10 x log2 (26) = 47.0 bits of entropy. For higher security, two sentences can be generated. If both are 10 letters long, the resulting password will have 94 bits of entropy, well exceeding NIST 800-63 guidelines for cryptographic strength (80 bits).

The table can be easily adapted to generate shorter sentences. Thus a 9 letter password would simply omit column 9, Vivian's merry yankees hopelessly view excellent kings leaving energy. An 8 letter password could omit columns 8 and 9 while making the word from column 8 possessive: Vivian's merry yankees hopelessly view excellent kings’ energy. For 7 letters, omit the last three columns, and so on.

Thus a 17 letter password, offering 80 bit security, could be represented by a 10 word sentence and a 7 word sentence, or a 9 and an 8 word sentence.

Random passwords consisting of only English letters have less entropy per character than random passwords selected from a larger character set, but additional letters can be added to make up the difference.  For example, a random 10 English letter password has a bit more entropy than a 7 character random password selected from all printable 7-bit ASCII characters (95 possibilities), which has 45.9 bits of entropy. To match the 65.7 bit entropy of a 10 character all-printable-ASCII password such as U{l>gPzH:Z requires an English letter password with 14 letters, which is longer, but arguably more memorable, at least when used with the method proposed here. Note that on many mobile devices, such as the Apple iPhone, it is more difficult to type a password randomly selected from all printable ASCII characters because multiple shifts are needed to access different groups of characters.


Other security impacts

The sentence generating approach table has few security limitations. Of course, the sentence generated must be afforded the same level of security protection as the password itself. And asking users to submit their password over the Internet to get their sentence has obvious security risks. It is better to display the sentence at the same time the password is generated or perform the table lookup locally.

The choice of words has no security implication as long as there is one word for each letter in the alphabet in every column. The words in Table 1 were selected to maximize the likelihood of a somewhat meaningful sentence, while minimizing the likelihood of a sentence with sexually suggestive or scatological meaning. While some might find an X-rated sentence easier to remember, others might find such sentences offensive and organizations might be reluctant to employ such tables to avoid creating a hostile work environment.

Tables for other languages and alphabets are feasible. Different tables could be created for variety, particularly when more than one sentence is needed to meet strength objectives. Other possibilities for password mnemonics include random poems, songs, haiku, limericks and similar short literary works.

Implementation

A 10 letter random password can be selected uniformly from the English alphabet using a strong random number generator, such as CryptGenRandom on Microsoft Windows systems, and /dev/random on Unix, Linux or MacOS X systems. The Python programming language has a SystemRandom class that uses either CryptGenRandom or /dev/random, depending on the operating system on which it is running.

An ideal implementation would be to offer a user a randomly generated password and a mnemonic sentence when a new account is created or a password is to be changed on an existing account.

Users wishing to use this system needn’t wait until it is adopted by password management systems. Strong random passwords can be generated manually using dice, playing cards or letter tiles. (Reinhold 2000)

If numbers, upper case letters and special characters are needed to meet password composition policy, they can be added easily. Nouns can be capitalized and normal sentence punctuation added. Such steps add security only if an attacker is unaware of the method used, however they never diminish security. Net additional security can be achieved by prefixing the first and second adjectives with a random number, in which case 3.3 bits of entropy are added per digit. Such a sentence would still be meaningful to a user, for example, Vivian's 23 merry yankees hopelessly view 7 excellent kings leaving keen energy would yield the password v23myhv7xklke.

Conclusion
The difficulty of getting users to employ strong passwords is a major challenge to cyber security. The method presented here can help in that effort by giving users an easier way to remember a random password.

References
Davis 2011, Joshua Davis and Richard Boyd, Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System, Georgia Tech Research Institute Case Study, 2011

Reinhold 2000, Arnold Reinhold, Picking a strong Passphrase using Diceware, Internet Secrets, 2nd Edition, John R. Levine, Editor, Chapter 37, p. 831 IDG Books, 2000, ISBN 0-7645-3239-1, also www.diceware.com.


Copyright notice:
Copyright © 2011 by Arnold G. Reinhold. This paper, including Table 1, is hereby released by the author under the terms of the Creative Commons 3.0 with Attribution License (CC-BY).