Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180517105525.GA13296@openwall.com>
Date: Thu, 17 May 2018 12:55:25 +0200
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Keeping old passwords

Not taking sides (being a user of various Internet-based services and
also consulting service providers I'm actually on both sides), but to
explain some trade-offs involved:

On Wed, May 16, 2018 at 07:16:13PM -0400, Denny O'Breham wrote:
> If someone chooses a 4-character password, you can tell him his
> password is not safe.  But if he wants to keep it, let him.  If you
> suspect suspicious activities, you can tell the user.  But don't lock
> him out of his account and ask him to jump through all sort of hoops
> to regain access.

That's how I would have wanted it from my perspective as a user, too.
But from perspective of a company like Google, they also have to care
about the ecosystem and indeed about themselves.  A 4-character password
without limiting online password cracking attacks could result in spam
being sent through the account.  If protocols such as SMTP AUTH are
supported, this will happen even without the attacker targeting the
specific provider - the SMTP servers will be found through mass scans of
the Internet, then weak passwords probed.  (I've seen that happen on
much smaller e-mail servers of Openwall clients.  We had to
mass-change/block all of the extremely weak passwords just to stop the
re-occurring problems of spam being relayed through the servers.  It's
user-friendlier, and has lower customer support cost, to disallow such
passwords being set in the first place than to block access later on.)
When spam starts being relayed, it obviously hurts the ecosystem and the
company providing the service and their other users (as the servers' IP
addresses start getting blacklisted).  And then there's phishing, which
may also abuse users' address books for extra efficiency.  This hurts
not so much the person with the weak password (although they may later
find they "borrowed money" from a friend), but their contacts.  This is
finally provider-specific, but Gmail is large enough for it to also be
targeted explicitly.  (And I've heard of this happening.)

Now, they could allow moderately weak passwords (perhaps not e.g.
"123456", as that's a ~1% chance of unauthorized login from first try)
and combine that with detection of suspicious activity - but then
they'd have to actually lock the account upon some rather low threshold
of messages sent or whatever, and this would go against our other
preference that they also don't lock the user out.

So it's a trade-off between stronger authentication (uncommon password
and/or 2FA) and detection of and response to suspicious activity.  If
you allow weaker authentication, you have to use those more subjective
behavior clues more aggressively, and vice versa.  Given this trade-off,
personally I prefer to use an uncommon password over the provider being
more suspicious about my activity.

If a provider does allow weak passwords, then to explore this trade-off
they'd have to somehow tag accounts with more-common-than-threshold
passwords, which makes eventual offline password cracking (if the
database leaks) even easier (targeting just those salts first).  This is
another reason to disallow weak passwords (except maybe those set prior
to introduction/hardening of the password policy, where a tough decision
would have to be made about tagging those accounts as having lower
threshold for suspicion, which also makes them even more of a target for
offline attacks).

Finally, unfortunately (from my perspective as a user) not every
provider would actually credit my uncommon passwords towards being less
suspicious about my activity.  This is in part them not exploring this
trade-off yet (I guess some providers do and some don't), and in part
it's because of other risks (from the provider's perspective) of the
account getting compromised anyway (password reuse elsewhere,
compromised user's computer, etc.)

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.