Your Password Is Not Secure, and It's Not Your Fault
I consulted internet security expert Nik Cubrilovic and XKCD's Randall Munroe about how they would fix the problems in the world of passwords. Their ideas are simple, compelling, and almost impossible to implement.
Image via Flickr user Christian Ditaputratama
When it comes to passwords, we're all tolerating a broken system. The problems range from the irritating—it's strange needing to remember some obscure code you created years ago in order to access some trivial thing like your Greyhound Road Rewards account—to the horrifying—no matter how much security goes into creating passwords and concealing their secrets, in too many cases, the fucking things don't even work.
I set out to find the cure for this plague. I started by creating what seemed to me like a clever system for generating randomness in a way I could remember. I'm not going to write about it in detail because I'm still using it, but suffice it to say it involves using the name of the service to generate a code that only makes sense to me.
Then, with an open mind, I explained my system to security expert Nik Cubrilovic in case it needed tweaking. After all, there must be a system for creating good passwords that security experts agree on. And surely a layman like myself can implement such a system, right?
When I told him the confusing cipher I'd been using to generate passwords that can only be cracked inside my amazing brain, he very kindly shot down my system as confusing, stupid, and not very secure. I would soon find out that there are debates raging about the right way to do this, but the best solutions can't really be implemented yet, and a functioning, universal system might never exist.
Authorized selfie of Nik Cubrilovic, courtesy of Nik Cubrilovic
The conversation picks up just after I explained my top-secret password system:
VICE: What do you think of my password system?
Nik Cubrilovic: Just to clarify, if somebody saw one of your passwords, would they be able to work out the rest of them? I’ve heard similar schemes where you take X letter of the service name, and then from your favorite bands, a line of their song lyrics, and you use that as the beginning or as the seat of the password.
Oh, I would never use dictionary words.
That’s bad advice because four words combined together—and there’s math on this—is probably stronger than anything that a person could generate.
But words can't be better than the randomness I'm generating, right?
Here’s the thing: The human brain is horrible at generating randomness. If you ask someone to pick a random number between one and 100, and you ask them to do it 1,000 times, it wouldn’t be random at all. It gets even worse with passwords. When you put someone on the spot and ask them to come up with a password, it usually ends up being really bad. We know this. There’s data to back this up.
What kind of data?
Password databases leak, they get cracked, and then people sit down and analyze password choices. The most famous one is rockyou.com, 40 million passwords leaked, and 87 percent of them were cracked using nothing more than an English dictionary and doing variations such as switching an O with a 0, adding a question mark at the end, or an exclamation mark at the end, and adding the numbers 12345 at the end. So that was all cracked within a matter of hours.
I have to admit my system is kind of like that. How are dictionary words better?
So here’s the thing: Using four English words, like "big hay straw stack," is actually a strong password. I know this might seem anathema to everything you’ve been told and heard your entire internet life, but The Oxford Dictionary has however many words in it—200,000? (Note: It's actually 252,200) So 200,000 to the power of four, with all the different permutations, is a lot stronger than a single word with 12345 at the end, exclamation marks, question marks at the end of it, and anything else that people come up with.
That seems like it would create passwords you can actually remember.
You need to have a password you can remember. The best scheme for a memorable password, is to take four random words out of an English Dictionary or a Spanish dictionary—whichever you choose—and then just use that as your password.
I thought there was supposed to be one capital letter, plus a mix of letters and numerals, and it needed to have certain punctuation marks, but not other punctuation marks because certain passwords don’t allow certain punctuation marks...
We’ve been obscenely cornered into this. If you think of the history of it, it’s kind of crazy how we’ve ended up here. Just having eight characters wasn’t enough, then having a capital letter wasn’t enough. Then adding a number wasn’t enough, and adding a symbol... and every step of that just makes the passwords harder and harder to remember.
You’re kinda blowing my mind. There are some services that will say, “No, put something else in. You can’t use dictionary words!"
That’s not good. I actually started a website called badpasswords.org and it highlights websites that practice poor password recommendations or poor password policies, and that’s one of the things they shouldn’t be doing. You should even include this comic in any post that you do about passwords because I think it conveys the idea of using words in a password.
At this point he showed me this XKCD Comic:
OK. Can you sum up the message of the comic?
[These restrictions] make passwords more difficult to generate, and it makes them more predictable. So if you look at the first frame of that comic, it says, “common substitutions.” So, because so many passwords have leaked now, and we have so much data on how humans come up with passwords, the computer programs that do those substitutions have become very, very good at what they do. Frighteningly good.
The entropy—the range of possibilities—is 44 bits as opposed to 28. To sort of visualize that, every “bit” is doubling the amount of time it takes. So the difference between 28 bits and 29 bits is very significant. If a 28-bit character password takes a day to crack, a 29-bit would take two days to crack. If you keep doubling that, you compound it to 44, you end up in a scenario where it’s literally going to take decades and centuries for someone to crack a password that’s just four words, and it’s easier to remember.
Correct me if I'm wrong, but I think you're saying password systems fly in the face of all logic.
[They're] asking people to generate a password they’re never going to remember, and it’s actually easier for a computer to crack, [when they could have] a password that’s easy to remember and difficult for a computer to crack. Assuming that they’re random, because it has to test 200,000 words to the power of four.
So we should never have been using our own passwords—we just should have been given four words?
Everything we’re doing right now is wrong. The other thing that’s wrong is forcing people to change their passwords every X period of time. That’s wrong as well because all that ends up happening when you force people to change their passwords, and to generate new passwords, is they just end up writing them down or picking something that’s simpler. Or they lock themselves out. So, pretty much everything that we do, or that’s commonly accepted today as far as passwords and security is wrong. That’s the bad news. The good news is that it’s steadily changing.
But I hadn't heard of this. How are you not shouting in the streets about this, trying to convert people to the XKCD Method?
A lot of services haven’t adapted to this yet and will actually reject the four word passwords. Apple is one of the services that does reject the four word passwords.
Right. The systems are the problem. How should new password creation systems work?
These services shouldn’t be checking based on rules, they should be checking based on how random the password is, and they’re not doing that at the moment. What they’re doing is a very simple check of: is it at least eight characters long? Does it have an uppercase? Does it have a lowercase? Does it have a number? Does it have a punctuation mark? And that’s not the way that passwords should be checked for randomness. They should be evaluated mathematically. Not based on some silly rules.
Calling it the XKCD Method might help it along.
You’re right. It does need better branding.
After I talked to Nik, I got in touch with XKCD creator Randall Munroe who made the comic strip, and is more or less the poet laureate of the nerdier parts of the internet. I figured he would confirm my assumption that adopting the system he recommended would solve everything. As you might have guessed, it's more complicated than that.
"Almost nothing I've written has started so many arguments," he explained. "Everyone on the internet is an amateur security analyst."
He pointed me toward Diceware, saying "It offers a specific wordlist and procedure, whereas my comic is the argument for the general practice." Diceware is a system that satisfies some very intense demands for randomness in generating dictionary words for the kinds of passwords he's recommending. Unfortunately diceware involves rolling actual dice—physical, six-sided dice—to create strings of truly random numbers that correspond to truly random words. "Do not use a computer program or electronic dice generator," the site warns.
I had high hopes when I got a hold of Munroe, but the idea that you would have to pull out your Dungeon Master's tools to generate passwords sort of made my heart sink. No one is going to do this. "The other thought I have," Monroe went on, "is a general suspicion that the whole password concept might be a lost cause, which I'm guessing isn't what you want to hear."
During our conversation, Cubrilovic brought up another part of the password problem that might be the solution to this mess: The "second factor." He explained second factors as "everything from finger scanner, eye scanner, smart card, security token, text message, they’re all second factor solutions that work after your password. That’s definitely the way things are headed."
This sounds about right. If the whole password concept is a "lost cause," like Munroe said, then let's shut it all down. I'm very optimistic about this second factor. This phase in our data security will remain perfect forever, and I am sure that this iteration of online security will never turn into a bunch of needless, petty frustration.
Follow Mike Pearl on Twitter.