If you were on the internet last week, you probably saw an article, tweet, or Facebook post about the xkcd comic on password strength. The comic, which was (most likely) inspired by an article entitled “The Usability of Passwords”, basically says that using a multi-word password (3 or more words) is more secure than what I have referred to as “complex passwords” in past articles on this blog. The writer of the original article makes the point (which is what the xkcd comic points to) that passwords made of three or more dictionary words have more entropy and are thus harder to crack, therefore making them more secure. While there is a bit of truth to the article, it leads to some false understandings of how hackers actually go about hacking passwords, and makes assumptions that aren’t entirely accurate.
Hacking Passwords
The original article explains several methods for hacking passwords. These are asking, guessing, brute force, common word attacks, and dictionary attacks. You can look at the article to see how the original author describes these methods, but many of them should be self-explanatory. Asking for and guessing passwords are what regular, non-hacker types will do. Hackers will also ask for passwords, but they’ll do so in the form of social engineering. Social engineering is basically tricking the person into giving you the password by (most often) pretending to be someone they can trust, like an internal security or IT employee.
The brute force, common word, and dictionary attacks will be performed by hackers, but not necessarily in the manner described by the author.
How the Author Says These Work
The author of “Usability of Passwords” says that these methods are most likely performed against the computer, network, or website that the hacker is attempting to gain access to. Because of this, the author leads the reader to believe that allowing only a small number of attempts, followed by a “lockout period” that stops the hacker from logging in for an hour, is enough to keep his password strategy safe.
Before I go further, I want to say that limiting the number of attempts and instituting a lockout period is a good security practice, and should be implemented by large corporations.
How Hackers Really Hack Passwords
The author of “Usability of Passwords” is correct that hackers will use brute force and dictionary attacks to hack a password. But he’s incorrect that they are used primarily against the login screens.
Most hackers (at least the good ones) will attempt to acquire the password through social engineering, and failing that will work on getting the password hash file off a computer. What is a “password hash file”, you ask? It’s a file on a computer where the usernames and the hashed passwords of the computer’s user(s) are stored. Getting this file is generally a lot of work for the hacker, and this is why they’ll usually just attempt to use social engineering.
Once the hacker has the password hash file, they’ll use various programs (I won’t link to them here, you can Google to see what I’m referring to) to then crack the password hashes on their local computers. It is this process where the hacker will use the brute force and dictionary attacks.
The other problem is that some of the dictionary cracking programs can be modified to try combinations of words, which makes the idea of using multiple words in a password not nearly as secure as the author would lead you to believe. Is it secure? Not really. Will it take longer for the hacker to crack such a password? Yes, it will.
The Graphics Card Problem
Another fact that the author ignores (but which is mentioned in the article’s comments) is that graphics cards are incredibly fast. There are applications available that allow a hacker to use their graphics card processor(s) (GPUs) to crack password hashes at an alarming rate. More information on this process can be found by reading this article.
What this means is that brute force and dictionary attacks can be carried out in even less time.
Why Complex Passwords Are Better
So basically I told you all that to tell you this. Complex passwords are better than using dictionary words. Period.
A complex password is a password that meets the following requirements:
At least 8 characters (a minimum of 12 is preferred)
Contains BOTH upper case and lower case letters
Contains numbers
Contains at least 1 special character (examples: !@#$%{^]&*)
Why are these better? Because they can’t be easily figured out with a dictionary attack. They also make brute force attacks more difficult. It’s hard to guess passwords if they have weird characters in them. Long passwords that meet the other requirements will take years to crack, even when using graphics cards.
The idea is to make it difficult for the hacker to guess or crack your password, even if they get the password hash. But neither complex passwords nor multi-word passwords help get around the social engineering problem (the user willfully giving someone their password).
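To put numbers on the argument above, here is an added example (not code from the original post) that checks a password against the four complex-password requirements listed above and estimates the offline search space an attacker faces under the two attacks the post describes: a word-combination dictionary attack on a multi-word password, and a charset brute force on a complex one. The 2048-word dictionary and the 10 billion guesses per second GPU rate are constructed assumptions for illustration, not figures from the post.

```python
import math
import string

# Constructed assumptions for this example (not from the original post):
# a 2048-word dictionary (the size used in the xkcd comic's estimate) and an
# offline GPU cracking rate of 10 billion guesses per second against a fast hash.
DICTIONARY_SIZE = 2048
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def meets_complex_policy(password: str, min_len: int = 8) -> bool:
    """The post's four requirements: length, upper AND lower case, a digit,
    and at least one special character (string.punctuation covers !@#$%{^]&*)."""
    return (
        len(password) >= min_len
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def wordlist_guesses(word_count: int, dictionary_size: int = DICTIONARY_SIZE) -> int:
    """Search space for a multi-word password when the cracker tries every
    ordered combination of word_count dictionary words."""
    return dictionary_size ** word_count


def charset_size(password: str) -> int:
    """Alphabet a brute-force attack must cover, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return size


def brute_force_guesses(password: str) -> int:
    """Search space for an exhaustive charset brute force of this length."""
    return charset_size(password) ** len(password)


def years_to_exhaust(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole space at the assumed GPU rate."""
    return guesses / rate / SECONDS_PER_YEAR


def bits(guesses: int) -> float:
    """Entropy of the search space in bits, for comparison with the comic."""
    return math.log2(guesses)
```

Four words from the assumed dictionary give 2^44 guesses, which the assumed GPU exhausts in about half an hour, while a 12-character password drawn from all four classes takes on the order of a million years at the same rate.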
But I Can’t Remember Complex Passwords
The author’s point about using multiple dictionary words, along with the punchline of the xkcd comic, is that such passwords are easier to remember than complex passwords. And while this is an extremely valid point, it defeats the purpose of passwords. Passwords are a form of security (some would argue they provide a false sense of security, but that’s a different topic). So passwords should themselves be as secure as possible. Secure passwords come at the cost of being easy to remember, especially since, to be really secure, you should have a different password for each website that requires one.
This is where “password safes” come into play. Applications like KeePass, LastPass (what I use), and 1Password allow you to store passwords for individual sites, and they all integrate into your web browser to some degree. All of these applications also have password generators that let you create complex, non-dictionary passwords. These generated passwords are then saved alongside the site you generated them for. What these applications allow you to do is have a different complex password for each website you visit.
You’re probably asking “how can storing all my passwords in a single place be secure?”, and it wouldn’t be a bad question. The applications I’ve listed all use high quality encryption to store the passwords, they all require a good “master password”, and they will warn you when your master password is insecure. You want a very secure (around 15-20 characters) complex password as your master password. And you want to make sure that you use that password only for accessing your password safe.
Conclusion
In the end, the author of “Usability of Passwords” makes a convincing case, but not if you know how hackers really operate. His intentions are good, though: the idea of using harder-to-guess, harder-to-crack passwords is noble regardless of how you say it should be done. But I believe that some of his ideas lead to a false sense of security because of a lack of understanding.
Hopefully I’ve explained why some of the ideas presented in the original article were not so great, and in turn caused you to think about your passwords and how to create more secure ones. I highly recommend that you begin using a password safe, and change your passwords around the internet to more secure, complex passwords.