Message-ID: <20151110235038.GA23034@openwall.com>
Date: Wed, 11 Nov 2015 02:50:38 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Passwords poems?

On Tue, Nov 10, 2015 at 02:02:09PM -0500, Alain Espinosa wrote:
> I came across this research to generate complex and easy to remember passwords as tiny poems:
> http://www.isi.edu/natural-language/mt/memorize-random-60.pdf
> http://www.isi.edu/natural-language/people/poem/poem.php
> What do you think? Are these better than the normally recommended passphrase?

Not to me.  These poems feel about as cryptic, yet are longer to type.
I think it's better for a person to choose and memorize passphrase hints
of their own (which they wouldn't have to type in each time) rather than
be forced to use a specific poem by a computer.

That said, I wouldn't mind having these offered as an option, assuming
there are no biases by design and the implementation is sound.

The paper chooses 60 bits for a bogus reason: a 2.8 billion per second
password cracking speed for some fast hash on a GPU.  I think password
hashing (or KDF) should generally be corrected first (and using a fast
hash is just not correct), and password policy next.  Also, as specified
this approach appears to focus on exactly 60 bits, which is inflexible.
With proper password stretching, passwords for most resources (which are
mostly not-too-valuable) don't need to be this large.  OTOH, without
password stretching, 60 bits might not be enough to protect encrypted
sensitive data.

Their "XKCD Baseline" used for testing user preferences used a huge
32768-word dictionary.  This is way too many, resulting in most words
being exotic.  No wonder users would not like those.

They did not test against Diceware (7776 words), nor against passwdqc
(4096 words, or 8192 with first letter case toggling).  I think 4096 is
about the maximum (and Diceware already gets into the exotic words
territory too far).  I think passwdqc's method of increasing entropy per
word with first letter case toggling and random separator characters is
not as unfriendly to users as requiring them to memorize words that are
not normally in their vocabulary.

Thus, I think this paper's empirical results are not sufficiently
relevant, and more relevant testing would be needed.

Here are 5 example poems (generated by the website above in a row, with
none skipped):

Pierre created theorized
assignment sided exercised .

Replace the Rios avenue
exploring Madam revenue .

Decisive Iverson Michelle
arresting fancy clientele .

Avoid heroic enterprise
of centre showing signifies .

A dentist eager getaway
released the laughter anyway .

These are 60 bits each.  Here are 5 example passwdqc "passphrases"
(generated by "pwqgen random=64", with none skipped, to be similar to
the above, even though I think 64 bits is usually excessive yet is
sometimes insufficient):

methyl2Video6Parent*Native
Birch6Drift6mole7prior
Ford4Ample+sunday8blond
Send_assent_never+hand
Horn&Parcel-lens-resent

Here are 47-bit passwdqc "passphrases" that it generates by default
(with no options given):

Plea2knife*spouse
Many-bind!bullet
Tall_detest&Helix
Scar+alpha2Lord
aware=peak+Scout

These are meant to be reasonable to use for password authentication when
the system employs decent password stretching and salting.

Alexander
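
Added example (not part of the original message, and not passwdqc's own code): the entropy arithmetic behind the word-list comparison above, with a generator in the style described (random word, first-letter case toggle, random separator). The syllable-built 4096-entry list, the 16-character separator set and the 1e4 guesses/s stretched-hash rate are assumptions made for this example; 2.8e9/s is the figure quoted from the paper.

```python
import math
import secrets

# Constructed stand-in for a 4096-word list (16 syllables ** 3); not passwdqc's list.
SYLLABLES = "ba de fi go hu ja ku la me ni po ru sa te vi zo".split()
WORDS = [a + b + c for a in SYLLABLES for b in SYLLABLES for c in SYLLABLES]
# Assumption: 16 separators (4 bits each), consistent with the 47- and 64-bit figures.
SEPARATORS = "-_!$&*+=23456789"

def scheme_bits(n_words, list_size, case_toggle=False, n_separators=1):
    """Entropy in bits of n_words uniform picks joined by uniform random separators."""
    per_word = math.log2(list_size) + (1 if case_toggle else 0)
    return n_words * per_word + (n_words - 1) * math.log2(n_separators)

def words_needed(target_bits, list_size, case_toggle=False, n_separators=1):
    """Smallest word count whose entropy reaches target_bits."""
    n = 1
    while scheme_bits(n, list_size, case_toggle, n_separators) < target_bits:
        n += 1
    return n

def generate(n_words):
    """Passphrase in the style described: random word, case toggle, random separator."""
    parts = []
    for i in range(n_words):
        word = secrets.choice(WORDS)
        if secrets.randbits(1):          # 1 extra bit per word
            word = word.capitalize()
        parts.append(word)
        if i < n_words - 1:
            parts.append(secrets.choice(SEPARATORS))
    return "".join(parts)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole keyspace at a fixed guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    for name, args in [("32768-word list", (32768,)), ("Diceware", (7776,)),
                       ("passwdqc-style", (4096, True, 16))]:
        n = words_needed(60, *args)
        print(f"{name}: {n} words -> {scheme_bits(n, *args):.1f} bits")
    print(generate(3), f"({scheme_bits(3, len(WORDS), True, len(SEPARATORS)):.0f} bits)")
    # 2.8e9/s is the fast-hash figure from the paper; 1e4/s is an assumed stretched rate.
    for rate in (2.8e9, 1e4):
        print(f"47 bits at {rate:g}/s: {years_to_exhaust(47, rate):.4g} years")
```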
