password advice wiki page enhancements

That article needs more contents.

  • Suggest different password per website. Not password1, password2, Password alike variations. Explain why that is. Attackers use passwords which were leaked in one website as templates so they don’t have to fall back on “totally” brute force attacks.
  • Don’t use online password generators for anything but curiosity / learning. That is because there is a very good chance the server could log them. The only place where passwords should be generated is locally, ideally in a VM without internet connection.
  • We should distinguish between:
    • passwords used at online services - these don’t need to be super long since the server rate limits how many passwords an attacker can try
    • passwords used for offline encryption such as full disk encryption - the threat model here is different. An attacker can parallelize brute forcing the password and is only limited by available system resources. Much more guesses per second are possible.

Realistic scenarios would be great. Actionable advice as well. I would like our documentation to be useful for laymen not just geeks. I learned how non-geek laymen behave. Do you know some? Please try to discuss passwords with non-geek laymen so you know what I mean.

Partially password managers are a great idea. But how does one securely sync these with mobile devices? Suggesting to use unique super secure passwords for messengers etc. if these are supposed to be used on mobile as well would mean to type something like LMsy34z|'A~k/v3+n&trFU4b_T]3s.}4Uko^zra` on mobile. Unrealistic to expect.

2 Likes
1 Like

Another password strength meter XKPasswd - Secure Memorable Passwords worth documenting how to securely use in an offline VM after downloading it using a web archiver such as HTTrack. (So benchmarked passwords are never leaked to the server.)

//cc @HulaHoop

password padding:

  • bad security advice: Steve Gibson's password haystacks
  • if anything - don’t use it for online passwords (passwords used for online services)
  • if anything - only try to further strengthen already strong (highly entropy) offline passwords (such as for full disk encryption, gpg key passwords, password manager master passwords)
  • don’t reuse the pattern for different keys - if one key gets broken it would weaken the other key
  • doesn’t take into account that humans are very bad at inventing unique patterns (since humans are bad at being random)
  • if someone does that pattern and is being observed, this gives in that someone uses a pattern which eases attacks on that password, i.e. a password using padding is much more vulnerable against people who hear a bit of it / see a bit of it
  • it should be expected that a lot pattern will be very common (although they will seem unique to the creator - just like invented passwords seemed unique to their inventors but actually tons of people came up with the same) ways into dictionary alike attacks

Instead of giving users password strength checkers (whose effectiveness we don’t know) why not give them the tools for generating secure but easy to remember passwords? One such tool is diceware (included in Debian) which the EFF has contributed to.

A 10 word passphrase from diceware should be enough for disk encryption. Its bit strength is easily calculated and its security holds up despite an adversary knowing it was used and how many words the passphrase is made up of.

Another similar tool inspired by xkcd is xkcdpass that works offline and is very simple to use.

I will post a brief write up on the wiki about this in a bit.

Steve Gibson has a reputation for giving crackpot security advice. I’d steer clear of anything he says.

https://packages.debian.org/stretch/diceware
http://world.std.com/~reinhold/dicewarefaq.html

https://packages.debian.org/stretch/xkcdpass


Other advice on passwords:


Each word from the Diceware list is worth about 12.92 bits of entropy (because 212.92 is about 7,776). So if you choose seven words you’ll end up with a passphrase with about 90.5 bits of entropy (because 12.92 times seven is about 90.5).
In other words, if an attacker knows that you are using a seven-word Diceware passphrase, and they pick seven random words from the Diceware word list to guess, there is a one in 1,719,070,799,748,422,591,028,658,176 chance that they’ll pick your passphrase each try.
At one trillion guesses per second — per Edward Snowden’s January 2013 warning — it would take an average of 27 million years to guess this passphrase.

1 Like

@Patrick which of them do you plan on adding? so I can document the ones we include.

1 Like

I don’t know yet. It’s hard to judge. It’s TODO research. Could you please help with the review? Pros:

  • online login passwords vs
  • offline encryption passwords

Happened that online login passwords passwords can occasionally be brute forced as well:


Schneier style passphrases:
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

I am skeptical of these:
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html#c4820645

On the opposite the Schneier style seems more prone to specific analysis (how many personal sentence there are? thousands? millions? can you create a table of those? Will most people think of the same few or will they be more original?).

(English) language and sentences we can make up are not random enough.

1 Like

quote http://world.std.com/~reinhold/dicewarefaq.html

Needless to say, projections for the far future have the most uncertainty.

Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)

Six words may be breakable by an organization with a very large budget, such as a large country’s security agency.

Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.

Eight words should be completely secure through 2050.

1 Like

Done. Let me know what you think. Also what is the status of password managers in Stretch? Is there something viable we can include and document?

I advised against 2 factor authentication because its fatally broken in the real world and can cause users to give away their identity for anonymous accounts ans so I nominate the 2FA page for deprecation.

Then we need to document that. Because when someone asks me about something (let’s say 2FA), I always love to throw wiki pages around.
(We’re also not fans of Antivirus yet we have it documented here https://www.whonix.org/wiki/Malware.)

I also wonder how come?

  • google authenticator / AndOTP: not using any internet
  • authy / Symantec VIP: uses internet

If used in the right way, I could even imagine using something like OTP as single factor for web logins (i.e. OTP only, no passwords), although I haven’t seen that implemented anywhere yet.

Passphrases That You Can Memorize — But That Even the NSA Can't Guess - The Intercept

(Summary: 7 word diceware passphrase takes 27 million years to crack @ 1 trillion guesses a second. Surely good enough).

This means that with two words, there are 7,7762, or 60,466,176 different potential passphrases. On average, a two-word Diceware passphrase could be guessed after the first 30 million tries. And a five-word passphrase, which would have 7,7765 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes).

The amount of uncertainty in a passphrase (or in an encryption key, or in any other type of information) is measured in bits of entropy. You can measure how secure your random passphrase is by how many bits of entropy it contains. Each word from the Diceware list is worth about 12.92 bits of entropy (because 212.92 is about 7,776). So if you choose seven words you’ll end up with a passphrase with about 90.5 bits of entropy (because 12.92 times seven is about 90.5).

In other words, if an attacker knows that you are using a seven-word Diceware passphrase, and they pick seven random words from the Diceware word list to guess, there is a one in 1,719,070,799,748,422,591,028,658,176 chance that they’ll pick your passphrase each try.

At one trillion guesses per second per Edward Snowden’s January 2013 warning it would take an average of 27 million years to guess this passphrase.

Not too bad for a passphrase like “bolt vat frisky fob land hazy rigid,” which is entirely possible for most people to memorize. Compare that to “d07;oj7MgLz’%v,” a random password that contains slightly less entropy than the seven-word Diceware passphrase but is significantly more difficult to memorize.

A five-word passphrase, in contrast, would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second. Keeping Moore’s Law in mind, computers are constantly getting more powerful, and before long 1 trillion guesses a second might start looking slow, so it’s good to give your passphrases some security breathing room.

With a system like this, it doesn’t matter at all that the word list you’re choosing from is public. It doesn’t even matter what the words in the list are (two-letter words are just as secure as six-letter words). All that matters is how long the list of words is and that each word on the list is unique. The probability of guessing a passphrase made of these randomly chosen words gets exponentially smaller with each word you add, and using this fact it’s possible to make passphrases that can never be guessed.

We should just tell users to visit the page below, select how many words will be used in their passphrase, and it gives extremely detailed notes on how many bits of entropy and how many millions/billions of years it takes to crack with brute force. Then they make their own choice.

Easy. Eg for 7 word diceware passphrase

Diceware Secure Passphrase and Password Generator

There are 7 words in your password, resulting in ~90.47 bits of entropy (~12.92 bits/word, ~10 bits/letter, and ~5.16 bits/symbol). That many words equates to a total keyspace of ~1,719,070,799,748,422,500,000,000,000 possible phrases (7776^WordsInPhrase). An adversary might get lucky and guess your phrase on the first try, though the chances of that happening are very slim. On the other hand, the brute-force attacker might be forced to try all of the keys in the keyspace to finally find that the last guess was the correct one. On average, it takes trying 50% of all phrases in the keyspace to find your phrase. The time it takes to discover your passphrase is based on how many guesses per second your attacker can muster. At the lower end in 2016 a small cluster of GPU’s have demonstrated the ability to crack ~350 billion hashes/second. A nation state actor like the NSA may be able to perform quadrillions/second. Conservatively assuming a professional adversary can guess passwords at the rate of a 1,000,000,000,000 keys/second (Edward Snowden suggests being prepared for a Trillion guesses per second), an exhaustive brute-force search on 50% of the total keyspace might take:

~859,535,399,874,211 seconds

~14,325,589,997,904 minutes

~238,759,833,298 hours

~9,948,326,387 days

~27,255,689 years

~405,591 x avg. lifespan

~27,256 millenia

~0.00197533618877323904 x age Universe

Based on that 7-8 word diceware passphrase is clearly strong enough.

Imagine your hard drive encrypted with 7-8 word diceware password. And then stolen. Does it feel safe enough?

Or someone uploading a backup of all their data uploaded to cloud storage.

In these cases, do we trust 7-8 word diceware password will still have safe >= year 2050?

What about the IAD-NSA / NIST recommendation? I misinterpret it or we just discard it?

256 bits = 20 word diceware passphrase. Seems excessive right? Example:

There are 20 words in your password, resulting in ~258.50 bits of entropy (~12.92 bits/word, ~10 bits/letter, and ~5.16 bits/symbol). That many words equates to a total keyspace of ~653,318,623,500,070,900,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possible phrases (7776^WordsInPhrase). An adversary might get lucky and guess your phrase on the first try, though the chances of that happening are very slim. On the other hand, the brute-force attacker might be forced to try all of the keys in the keyspace to finally find that the last guess was the correct one. On average, it takes trying 50% of all phrases in the keyspace to find your phrase. The time it takes to discover your passphrase is based on how many guesses per second your attacker can muster. At the lower end in 2016 a small cluster of GPU’s have demonstrated the ability to crack ~350 billion hashes/second. A nation state actor like the NSA may be able to perform quadrillions/second. Conservatively assuming a professional adversary can guess passwords at the rate of a 1,000,000,000,000 keys/second (Edward Snowden suggests being prepared for a Trillion guesses per second), an exhaustive brute-force search on 50% of the total keyspace might take:

~326,659,311,750,035,450,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 seconds

~5,444,321,862,500,590,833,333,333,333,333,333,333,333,333,333,333,333,333,333,333,333 minutes

~90,738,697,708,343,180,555,555,555,555,555,555,555,555,555,555,555,555,555,555,556 hours

~3,780,779,071,180,965,856,481,481,481,481,481,481,481,481,481,481,481,481,481,481 days

~10,358,298,825,153,331,113,647,894,469,812,278,031,456,113,647,894,469,812,278 years

~154,141,351,564,781,713,000,712,715,324,587,470,706,192,167,379,381,991,254 x avg. lifespan

~10,358,298,825,153,331,113,647,894,469,812,278,031,456,113,647,894,469,812 millenia

~750,710,162,715,852,378,145,230,792,130,183,941,981,164,925,924 x age Universe

I may be misunderstanding but cipher keylength =/= password entropy? Quantum computers do not have implications for password bruteforcing but for master key brute search?

Now if it turns out I’m wrong the question becomes: how can a 10 word passphrase be easily enhanced to get as high entropy as possible without having to double its size?

Its best to go by public NIST guidelines and then some, since these guys have some of the best cryp analytic capability but that doesn’t mean we should blindly follow everything they say and so we compare with what the public crypto community has to say.

There is an option for diceware to sprinkle random characters in its output but I don’t know how much entropy bits it adds. Do you know?

Already did on the password page so 2FA one is redundant?

+1 but since its not implemented anywhere there’s no need to mention it

using EFF’s [Diceware Secure Passphrase and Password Generator online tool]

No indication this tool is by EFF. Removed.

That is only SMS based 2FA. I haven’t seen comments on HTOP / TTOP based 2FA (google authenticator / AndOPT / …) nor hardware device based (such as yubikey Dev/yubikey - Kicksecure) nor WYSIWYS - Wikipedia. 2FA is a too broad term to discard it entirely.

I am not sure that’s possible without compromises. I am not sure it’s fair to paraphrase but if that would be possible why wouldn’t the following be possible.

  • how can a 10 word passphrase be easily enhanced to get as high entropy as possible without having to 3 times its size?
  • how can a 4 word passphrase be easily enhanced to get as high entropy as possible without having to power of 2^20 its size?

Reinhold in chapter How long should my passphrase be? links to http://www.keylength.com but perhaps I am misunderstanding him referencing it there.

I saw an online diceware password generator that pointed out how much entropy random characters or random letters written case insensitive would give.

sim-cloning and then conducting social engineering attacks on the cellular provider

I guess that is sim-cloning or conducting social engineering attacks on the cellular provider. Because one capable to clone a sim doesn’t need to trick the celluar provider into porting the number.

1 Like

Reply from JP Aumasson about password entropy quoted here verbatim until it appears on whonix-devel:

Hi!

You want the passphrase to have at least as much entropy as the bit length
of the symmetric key that is derived from it.

In theory, Grover’s quantum search algorithm could lower down the cost of
searching the right passphrase from ~2^128 to (very) roughly ~2^64.

How to get higher entropy passphrase? You can have a longer passphrase, a
longer dictionary (that is, more entropy per word), or both.

BIP 39 for example supports 128 to 256 bits of entropy per passphrase, iirc
with 2048-word lists, thus longer passphrase for higher entropy, see
bips/bip-0039.mediawiki at master · bitcoin/bips · GitHub

Hope this clarifies!

Best,

JP

2 Likes

Fair enough. I wasn’t familiar with these other options that counted as 2FA too.


Seems legit if all components client/server are libre.

https://blogs.forgerock.org/petermajor/2014/02/one-time-passwords-hotp-and-totp/

AndOTP is interesting. Something like OpenAM which is a server side HOTP implementation can be used with an open client like AndOTP, KeePassXC.

Overall a good idea if you are not communicating with a surveilling PRISM server and you’re signing on to an onion.


Does Yubikey security depend on its hardware security? Was its hrdware ever open? It seems its software was at some point but that changed with time.

Code was discovered broken by black box testing. I don’t think YubiKey should be recommended anymore.


WYSIWYS sounds nice. Do you know any implementations of it?

1 Like