Passwords are weaker than you believe - 2023-01-07

Ever since the great LastPass breach of 2022, several takes landed online about how bad their security must be. Rather than focusing on LastPass, I'd like to discuss a misconception about passwords that people keep repeating.

Passwords suck. Passwords made by humans suck. It does not matter what kind of length or complexity requirements you impose, what comes out is not random.

Take a look at what happens when I restrict a known password list to have

cat rockyou.txt \
  | egrep "[a-z]" \
  | egrep "[A-Z]" \
  | egrep "[0-9]" \
  | egrep '[!@#$%^&*\(\)]' \
  | grep -v "myspace" \
  | awk 'length($0)>10' \
  | head -n 50
ABCabc123!@#
abcABC123!@#
Tinkerbell@174
I_love_g08!
123qwe!@#QWE
123!@#qweQWE
so7j\\'Amyp
Password@123
Luckystar8*
Kebishere355!
Junior@last2
JaY14$P.rBoricua
H@mish300595
Fr0gy*54321
Foshizzle1$
Dest@rv1977
ABCabc!@#123
@#OnyinyE26
6r@t3fulD34d
&7Ujm*8Ik,(9
#1GhettoFabolous
!@#123QWEqwe
te*amarex100preL
t3amoDURBY@
r6mTk\\'d^i
nyeQ@161292
ninzieeM#17
myWIFE10ve$$ME
love100%C&B
liliANDY251310**
lbj\\'le8yP
lOcA4rm913@
l,xitl\\'8N
kkMoreno13$
jlmj020991GUS!"
iydohv\\'wo]N0y\\'
iloveROBBIE100%
ihLghU/32^o0174631243
g[P0,ik=^mbL
fazhOn4ever*
dsgbDSGB247!!
aprilLynn8*
Y0p4eI(l)m3
Wedding@00qik
Wang0Tang0!
WTown07**18
VXA$$!vxa441
VIkings04**
UNOdos3456@789..
Travis&&taylor74

Are you curious? This password list is called "rockyou.txt". You can download rockyou.txt at naive-hashcat releases. This has 14,344,391 passwords inside. Fourteen million passwords! That does not mean it is complete! For example, it lacks the passwords I used for RuneScape in middle school. Who would have guessed zelda1b?

These passwords fall into several categories:

Is ABCabc123!@# and abcABC123!@# all that different? No, not at all!

Likewise, is "fazh0n4ever" all that distant from "fashion4ever"? Its levenshtein distance is 3! Guessable twists like P@ssw0rd reliably weaken the passwords we choose as humans. We can easily read "myWIFE10ve$$ME" as "my wife loves me", which is cute and heartwarming. But guessable.

Why am I bringing this up?

Great posts like Last Call for LastPass go on and copy Hive System's password table, which I will include below for critique reasons only.

Note:
If you are about to bail because the chart below is horribly wrong: the point of this post is how horribly wrong it is! - Bless 🍊 site.

A table that shows that as complexity increases the password becomes infeasible to guess

According to this table, passwords like "myWIFE10ve$$ME" would take 16 million years to guess!

Clearly something must be wrong with our assumptions!

Here's what everyone else is skipping out on: Humans make bad passwords! We cannot rely on some mathematical notion of numbers + lowercase letters + uppercase letters + symbols to say "Oh your password is safe! No one can possibly guess it by the time this world ends!"

hunter2 is considered 'strong'

PBKDF2-SHA256 with 100100 rounds in @hashcat will run at 90kH/s on a single @NVIDIAGeForce RTX 4090. Not fast by any means, but also not super slower either. You can clear rockyou.txt(14M passwords) in about 2 minutes 45 seconds at that speed. RE: @LastPass

If someone can run fourteen million common passwords under three minutes on a single GPU with the same password settings as LastPass, clearly it is not strong enough to deter a threat!

A short digression: If you want recommendations on how to configure your password settings, check out Minimum Password Settings by Sc00bz.

Another digression: would you like to prevent weak known passwords from being used on your service? Integrate with ';--have i been pwned? It is relatively easy and does not reveal your users passwords to this service.

Password complexity truths

The table above only holds up if characters were randomly selected from a uniform set of all passwords matching certain configurations.

Look at the above ripped passwords like VIkings04** and tell me with certainty they were pulled from a uniformly random set of all possible passwords. You cannot.

Both the companies out there that sell password management products and experienced professionals keep forgetting that humans are behind all these passwords! Humans do not follow some mathematical equation. We are all highly biased in what we experience, from language, culture, heck even the layout of our keyboards!

We warn about password reuse across services for a reason. Most humans are like sigh, fiiiine. And they choose a base password. Let's say "Pumpkin". For an "AnonCo" support forum they use "Pumpkin@AnonCo". Seems legit.

Then for their bank, they use "Pumpkin$$1997". Whoa, money for a bank? Who would have guessed. And, is that a birth date of someone they love?

You may remember during @defcon I was tweeting about hacking someone through their reused passwords (or passwords we cracked) β€” well my target was @donie (he asked me to, I promise lol)

All it takes is the weaker service, a support forum, to get breached and have its passwords cracked. Now "Pumpkin@AnonCo" is known and tied to their email. Obviously "Pumpkin@AnonCo" is not being used at the bank! The passwords weren't reused! All is well! Except this belief is totally wrong!

Attackers can buy passwords tied to a known email address, a known target, and that can be you. In this fictitious example, "Pumpkin" is reused. Any commonality between passwords, be it "Pumpkin" or "zelda" will weaken your passwords. In isolation it may be unguessable.

Our world is not isolated. We use the same email addresses across services. We use similar passwords across services.

Wait, that's why we have password managers! They make truly unique passwords!

A certain password generator generating passwords

That strength meter is maxed out!

Guess what, so is this one:

Password meter for '123qwe!@#QWE'

This tells us a few things.

  1. Password generators can generate "strong" passwords according to uniform metrics
  2. Humans can generate "strong" passwords according to uniform metrics

The catch is, human generated passwords are not uniformly selected. People are biased and it shows up in their passwords. We cannot rely on these tables and charts that suggest 12 character "complex" passwords are okay.

All the way back in 2011, XKDC published correct horse battery staple (archived in 2011, another archive). It is a shame that even twelve years later we still have false beliefs of what makes a secure human memorable password!

XKDC comic 'Password Strength' where 'correct horse battery staple' is a more secure password than 'Tr0ub4dor&3'

A password manager can select a random password for you. You cannot. Do not drink the "Time it takes a hacker to brute force your password in 2022." An attacker is not going to brute force your password, they will research your name, your place of birth, your security questions from hacked websites, and use your history against you.

What are humans?

A miserable little pile of secrets? Hardly.

The truth is we are biased. The passwords we choose are predictable. Our demographics, birthplace, etc. will affect what kinds of variations we choose in passwords.

Things that are familiar to us are what bias our memories. If we have a memorable password, it is likely highly biased and likely weak.

"What's the name of your childhood pet?" Equifax asks. **leaked**

Did my family use "cooper" (an example dog's name) in the wifi password and shared family accounts?

WE ABSOLUTELY DID

Anything tied to us in particular, tied to our preferences, tied to our history makes a password weak in the face of data breaches and personal information leaks.

We cannot reduce our lives to some mathematical heuristic and should not attempt to do so.

Recommendations

A password-less future is coming. At the same time, passwords are here to stay.

For passwords that you cannot avoid, use a password manager to generate it. It does not need to be long. Twelve to fourteen characters with all the complexities enabled should be sufficient. The password manager can uniformly choose a random password. It will never use the password across services. It will never use the same prefix or "base word" in passwords. Unique unrelated passwords are powerful, let the machine do the hard work of making powerful passwords.

As for your password manager, not many are "passwordless" yet. Use something like Diceware Password Generator (archived) to come up with a human memorable "passphrase" rather than a "password" for your password manager.

Diceware suggesting 'drainable smugness perceive pacify'

And finally, if you are using a password manager, here's some actions you should consider now:

  1. If you're using LastPass like me, get out now. I am working on it...
  2. If your password manager password is something you invented, change it to something a machine invented. Diceware is a good choice.
  3. Review all passwords in your vault. See if any of them look like something you or any other human would have invented. If so, rotate them to a machine invented password!
  4. Your password manager vault might not be the only one... Check the chrome password vault and your iCloud keychain too.

And finally: if you used LastPass ever for your own secrets management, move to another vault and then rotate your secrets.

At this point, can you really trust LastPass to protect your data?

Unfortunately the situation is this: your vault is encrypted and your passwords are accessible only with your primary "master" password. That password is most likely biased because you invented it. Careful research will reveal what biases you have in choosing passwords. This will be used against you and without you or LastPass ever finding out. The attacker can perform an offline attack (archived) with your vault.

A commenter on my blog asked a really good question did #LastPass leak contain master password hints? It most likely did. Depending on how people used them these might make bruteforcing passwords a whole lot easier…

Use a machine invented password for your new password manager. If you have to write down "drainable smugness perceive pacify" and tuck it into your wallet, you are better off is better than remembering "myWIFE10ve$$ME".