Question on Master Password Strength

SDD
Community Member

Apologies if this has been answered before, but after a brief search I haven’t been able to find an answer. I have a question about master password strength that I’m hoping can be answered. I’ll use examples to better illustrate:

Password 1: X8h+

This is obviously not a strong password, but it does contain the basic “building blocks” that we’re all taught should be used in a password – an upper case letter, a lower case letter, a number, and a symbol. Now, let’s iterate that password five times, giving us:

Password 2: X8h+X8h+X8h+X8h+X8h+

This now gives me a 20-character password, which is a step in the right direction. Now, for comparison purposes, let’s look at a “truly random” 20 character password:

Password 3: CE{74xR?:/Dy49Q]mp3k

In order to have an “apples to apples” comparison, I’ve given Password 3 the same characteristics of Password 2 – that is, 5 upper case letters, 5 lower case letters, 5 numbers, and 5 symbols.

So here’s my question: how much stronger is Password 3 than Password 2?

The advantage of Password 2 is that it’s relatively easy to remember - only 4 characters need to be memorized (along with remembering to iterate it 5 times). But I still (hopefully) get the security inherent in a 20-character password.

Taking the above examples out of the equation, my question can be asked like this: is starting with a small(ish) password and then iterating it two or more times an acceptable / wise practice for creating a strong master password? This could apply to iterating a 5-character password 4 times, a 6-character password 3 times, or any other combination of n-character passwords iterated x times.

Thanks in advance for any insight you may have.
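A worked version of the comparison asked above, as an added example that is not part of the original post or of any 1Password material. It treats each password as the output of a password creation system and counts how many different results that system could produce, which is the measure khad gives later in the thread. Assumptions, none of them from the thread: the symbol class is the 32 ASCII punctuation characters (a 94-character alphabet), Password 2's system is "pick a random 4-character block and repeat it", and Password 3's system is "a random 20-character string with exactly 5 characters of each class". The 7776-word Diceware list and the 2048-word list behind xkcd's 11 bits per word are the standard sizes.

```python
import math
import string
from math import factorial

# Character classes assumed for the comparison (assumption, not from the thread):
# the 94 printable ASCII characters split into four classes, with the 32 ASCII
# punctuation characters standing in for "symbols".
UPPER = len(string.ascii_uppercase)    # 26
LOWER = len(string.ascii_lowercase)    # 26
DIGITS = len(string.digits)            # 10
SYMBOLS = len(string.punctuation)      # 32
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS  # 94

# Sample inputs: the three passwords from the question.
PASSWORD_1 = "X8h+"
PASSWORD_2 = "X8h+X8h+X8h+X8h+X8h+"
PASSWORD_3 = "CE{74xR?:/Dy49Q]mp3k"


def bits(n_outcomes):
    """Entropy in bits of one uniformly random choice among n_outcomes."""
    return math.log2(n_outcomes)


def class_counts(pw):
    """Count upper/lower/digit/symbol characters in pw, to check the
    'apples to apples' composition claimed in the question."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "symbol": 0}
    for ch in pw:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in string.punctuation:
            counts["symbol"] += 1
        else:
            raise ValueError(f"character {ch!r} is outside the assumed alphabet")
    return counts


def shortest_repeating_block(pw):
    """Return the shortest block b with pw == b * k for some k >= 2, else None.
    A strength meter can use this check: if the block is recoverable from the
    password itself, the repetition contributed nothing that must be guessed."""
    n = len(pw)
    for blen in range(1, n // 2 + 1):
        if n % blen == 0 and pw[:blen] * (n // blen) == pw:
            return pw[:blen]
    return None


def repeated_block_bits(pw, alphabet=ALPHABET):
    """Password 2's system: choose a short block at random, then repeat it.
    Only the block is unknown to someone who models the system, so the search
    space is alphabet ** len(block); the repeat count adds essentially 0 bits."""
    block = shortest_repeating_block(pw) or pw
    return len(block) * bits(alphabet)


def fixed_composition_bits(n_upper, n_lower, n_digit, n_symbol):
    """Password 3's system: a random string constrained to exactly these class
    counts. Outcomes = (arrangements of the class pattern) * (choices per class)."""
    total = n_upper + n_lower + n_digit + n_symbol
    arrangements = factorial(total) // (
        factorial(n_upper) * factorial(n_lower) * factorial(n_digit) * factorial(n_symbol)
    )
    outcomes = (arrangements * UPPER ** n_upper * LOWER ** n_lower
                * DIGITS ** n_digit * SYMBOLS ** n_symbol)
    return bits(outcomes)


def uniform_random_bits(length, alphabet=ALPHABET):
    """Unconstrained random string of `length` characters: the upper bound that
    Password 3's composition rule slightly reduces."""
    return length * bits(alphabet)


def passphrase_bits(words, wordlist_size):
    """Diceware-style passphrase: each word drawn uniformly from the word list."""
    return words * bits(wordlist_size)


def compare_question_passwords():
    """Work the question's comparison and return the bit counts."""
    c = class_counts(PASSWORD_3)
    p2 = repeated_block_bits(PASSWORD_2)
    p3 = fixed_composition_bits(c["upper"], c["lower"], c["digit"], c["symbol"])
    return {
        "password_2_bits": p2,
        "password_3_bits": p3,
        "password_3_unconstrained_bits": uniform_random_bits(len(PASSWORD_3)),
        # 2 ** advantage_bits is how many times more guesses Password 3 costs.
        "advantage_bits": p3 - p2,
    }


if __name__ == "__main__":
    for name, value in compare_question_passwords().items():
        print(f"{name:32s} {value:7.1f}")
    print(f"{'diceware word (7776-word list)':32s} {passphrase_bits(1, 7776):7.1f}")
    print(f"{'diceware, 5 words':32s} {passphrase_bits(5, 7776):7.1f}")
    print(f"{'xkcd 2048-word list, 4 words':32s} {passphrase_bits(4, 2048):7.1f}")
```

Under these assumptions Password 2 is worth about 26 bits (the same as Password 1 on its own) while Password 3 is worth about 122 bits, so Password 3 costs roughly 2^96 times as many guesses; the "5 of each class" rule costs about 9 bits against an unconstrained 20-character string (about 131 bits). The same `bits()` arithmetic reproduces the thread's later figures: log2(7776) is the 12.9 bits per Diceware word quoted from the Diceware page, and log2(2048) is the 11 bits per word behind the xkcd estimate.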

Comments

  • laminwd
    Community Member

    Interesting question... I am waiting for the answer too.

  • khad
    1Password Alumni
    edited April 2013

    "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." — Kerckhoffs' principle

    The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

    The bad guys know at least as much about how people pick passwords as we do. They are not only reading the same password picking advice that gets posted in places like this, but they have studied millions of stolen passwords. Password crackers already have rules in place to crack these kinds of simple systems very easily. We don't recommend "tricks" or "shortcuts" as they all just make passwords weaker since password cracking tools already know all these sorts of tricks.

    For passwords you don't need to remember — nearly all of them, since 1Password will securely store and fill them for you; computers are supposed to make our lives easier, remember? — there is no reason to take shortcuts and introduce weaknesses into your password creation system. Random strings of characters are just as easily stored and filled by 1Password as ones that are readable/memorable to you as a human, after all. :)

    For the one password you do need to remember, we recommend Diceware. The idea is not to hide the system from an attacker but to have a system that — even if known to the attacker — is still strong. Please read our "Toward Better Master Passwords" blog post for all the details as well as the "how to". The strength comes from the system itself. You can read about the math behind it in our "Better Master Passwords: The geek edition" post.

    You should probably also read Dan Goodin's excellent article "Why passwords have never been weaker—and crackers have never been stronger" which explains just how much password crackers already know about how humans think they are being clever. And they are getting smarter all the time.

    Let me know if you have any further questions. I would be happy to help further.

  • khad
    1Password Alumni
    edited July 2013

    Security through obscurity is not something I would rely upon. In fact, we actively recommend against this. :)

    If I were attacking a 1Password Master Password I would certainly begin my efforts presuming a Diceware-based password regardless of whether or not I knew that Diceware was the password creation system.

    I would have to let someone who is better at math than I am calculate the mean cracking time for a Diceware password if the attacker has tuned the cracking tool for Diceware vs a more standard brute force. A brute force attack will surely take longer, but what the time difference would be is not something I could say offhand. All of our estimates in our John the Ripper blog post presume attempted cracking of the password as Diceware (the more conservative estimate).

  • khad
    1Password Alumni

    By the way, do you sleep?

    I try not to if I can help it. :)

    "For the technically inclined, each word in your Diceware passphrase yields 12.9 bits of entropy, the way passphrase security is measured. A five word Diceware passphrase would have an entropy of at least 64.6 bits; six words would have 77.5 bits, seven words 90.4 bits. Inserting a letter at random adds about 10 bits of entropy. This assumes, of course, that you actually keep your passphrase a secret." (via http://world.std.com/~reinhold/diceware.html)

  • khad
    1Password Alumni

    Edit: Obscurity actually does help somewhat, because if the attacker knows you've used a Diceware password, he'll try that first. But it's really a fairly small advantage, especially since you could well be lying, or have used a different Diceware list than the attacker presumes.

    Yeah, that's what I tried [perhaps unsuccessfully] to convey earlier. But I think you have the right idea despite my own blathering. :)

    Also: Do you know how XKCD calculated the entropy on "correct horse battery staple"? It seems way too low to me.

    11 bits of entropy were assumed per symbol/word, but I don't know exactly where that number came from.

  • Konstantinos999
    Community Member

    Hi khad, I have read the articles about secure master passwords that you have in the blog, but I still have some questions.

    I don't use the Diceware system for my password. I find it difficult to remember 4-5 random words. I use a password that contains 3-4 words; two of them can be found in an English dictionary and one or two of them are Greek (my native language) slang words written with Latin letters, not words that can be found in a Greek dictionary. I use upper and lower case characters, numbers and symbols, and the password is 38 letters long.

    Something like: Exce//ences Xech0rizoun HotBaby$itters

    I want to know how secure a password like this really is.

    When I put it in the Password Assistant of my Mac (System Preferences -> Users & Groups -> Change Password) it says "Entropy 275,8".
    I know from the "Toward Better Master Passwords" blog post that it is the bits of entropy that are more important and in the "John the Ripper" blog post the table you have refers to bits of entropy as well.

    The problem is that bits of entropy are dependent on the system you use to generate a strong master password. But in my case I don't use any system, basically. Just 3-4 big words that have some kind of twisted logic that is easy for me to remember, but are not a true statement nor have any meaning at all.

    How can I calculate the bits of entropy in the password I gave you as an example? Or if this isn't possible, can you tell me if this is a very secure password? (Or maybe an overkill? :-) )

  • jpgoldberg
    1Password Alumni

    Hi @Konstantinos999,

    The short answer is that there is no way to calculate the entropy of your password. To make the calculation we would have to know the probabilities of getting the particular result you got for each component.

    As Khad correctly points out, picking words by some "twisted logic" is not as random as people often think it is. Also, the fact that you used Greek is hardly unpredictable given your name.

    The more personal something is to you, the _less_ random it is.

    When people do something clever and personal for password creation, they tend to boast about it. Because you have now described your system, someone could tune a cracker for what you've done. If you picked your words from English and Greek at random, then that would be fine. But if an attacker, who has studied passphrase behavior, knows what kinds of words to look for, then you may not be in such good shape.

    In my day, if you asked people to pick a word from a "random" language, you would have half of the computer users pick a word from Elvish. A couple decades later, and it was Klingon. If someone is making a targeted attack against you. I know I am repeating myself, but people aren't random when they think they are. I could pick words from Chamorro (a fairly obscure language), but I've published a paper that used examples from Chamorro, so someone might consider that that is a language I might draw from.

    Because we don't know exactly how non-random human minds are when asked to pick passwords at random, we can't calculate the strength of the passwords that they generate. We know that when people add "random" capitalization, they tend to do so at the beginning of syllables (as you did in your example). We know that when people add symbols, they do so in very systematic ways (using '$' or 's', for example). Those transformations do help against current crackers, but you need to pick your words at random.

    Pick three words truly at random from large lists (or four from not so large lists), and then do your other stuff (symbol substitution, some capitalization). But the cleverer you try to be with meanings (even if only meaningful to you), the less random (lower entropy) your result will be.

    Your Master Password may be fine, but we aren't in any position to determine that. If you include something genuinely random, then that provides a way to calculate its minimum entropy.

    I hope that this helps.

    Cheers,

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • Konstantinos999
    Community Member

    Thank you both so much, Jeffrey & Jim, for the explicitness of your answers!! They were very helpful in understanding the mistakes of my master password. I will stick with the Diceware system, especially with this multilingual dictionary, so that I won't be so stupidly predictable. :-)

  • khad
    1Password Alumni

    Awesome! I'm glad that the J & J were able to help out. I always love these kinds of discussions. Even if there are things I already know, it never hurts to look at them from a new angle. Thanks for contributing to the discussion, @Konstantinos999!
