Pafwert: Now Open Source

More than 15 years ago I started working on a unique password generator that eventually evolved into a small program I now call Pafwert.

Pafwert is a unique tool to help you select strong passwords that are easy to remember. Using strong entropy, tens of thousands of seed words, more than a hundred patterns with endless variations, and following password best practices, Pafwert can help you select very strong passwords that are surprisingly easy to memorize. We have all seen random password generators, but Pafwert is very different.

Of course, while I still recommend using a password manager and generating completely random passwords, there are plenty of passwords we need to remember that we just aren’t able to save in a password manager. That is where Pafwert comes in.

Pafwert uses familiar patterns and a variety of memorization techniques to help you create strong passwords that are also easy to remember. Keep in mind that you don’t have to use the passwords exactly as it spits them out; you can use it simply as a tool to spark your own imagination when creating your passwords.

Pafwert is actually much more complex than it appears on the surface and generates passwords based on patterns and wordlists that you can customize. It then runs these passwords through a number of filters to obscure them just enough to make them unique. Yes, I probably wasted many thousands of hours overthinking this thing. Nevertheless, over the years it has gotten buried on my web site and largely forgotten (although I still use it myself every day).

I thought it was about time to update this tool and open source it (under the Apache license) to share it with the community. I would like to see it updated with new features and maybe even ported to PHP, but for now the code is there for anyone to play with. Note that I began work on this version of the code in 1999 so it is written in Visual Basic 6. That means that few of you will have the tools to do anything with the program itself (although I do have a complete dev environment in a VM if someone is serious enough about working on it).

If you would simply like to download the latest compiled version to install yourself, you can always grab it at http://xato.net/pafwert or you can check out the source code at GitHub.

If you want to get a taste for the complexity of this tool, you may want to spend a few minutes and read the Pattern Guide.

Hopefully someone can find this useful, if you do, let me know!


Pafwert – Smart Password Generator
https://github.com/m8urnett/pafwert

Email: The Security Industry’s Single Biggest Failure

I still remember so clearly the frustration I felt back in the 90s when starting in the security industry and trying to sell my services. It was so difficult trying to emphasize just how much at risk potential clients were and then get them to pay me to fix their stuff. Too often I came off like the paranoid conspiracy theorist: their sky wasn’t falling and they saw no wolf.

I remember one particular conference call at the peak of my frustration where a network administrator confidently bragged to me and the managers on the call just how secure their network really was. What the managers didn’t know at the time was that as we were all talking, the network administrator was scrambling to lock things down as I was furiously trying to break in. Being that I was pretty good at that stuff at the time, I was able to quickly drop a little program called cdtray.exe onto a number of computers, including the admin’s own PC, and used the at command to schedule all of their CD trays to open in one minute. I started asking the admin some questions and could hardly contain my amusement sixty seconds later as he suddenly seemed distracted. Then I went in for the kill: “are you convinced now you need more security?” I asked.

I didn’t get that job.

Nor did I get any work from Bank of America when I notified them of a glaring security flaw that exposed their global.asa file, which contained their database username and password. That was over a decade ago but I still remember the password: superchicken.

Now eBay Wants in on Password Patents

I wrote a couple months ago about the many attempts to patent various methods of checking passwords. Now eBay wants in on the game with United States Patent Application 20120284783. Here’s their summary:

A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user’s previous password, to determine similarity between the two passwords.

Reading through the claims, this is by no means novel or innovative and there certainly is plenty of prior art for this. Want to help prevent yet another abuse of the patent system? You can post any evidence of prior art on this Ask Patents post.

Is Mozilla’s Persona the Authentication System That We’ve All Been Waiting For? Probably Not.

Last week, Mozilla announced the first beta release of Persona. Persona, formerly called BrowserID, is a personal authentication system that aims to eliminate passwords to log in to web sites. Of course, you still need one master password to log in to Persona, but it takes care of every site login after that. Persona is definitely interesting, but it likely won’t be signing any death warrants on passwords just yet.

How Persona Works

One thing that Persona has going for it is that on the surface it is relatively simple. When it comes to authentication, simple is good. Here is a simplified explanation of how it works:

  1. You visit a site and that site asks for your identity.
  2. Your browser goes to persona.org (or whatever identity provider you use but for this example I will use persona.org) and asks you to enter your email address and password.
  3. Once authenticated, persona.org signs your public key, basically giving you a seal of authenticity that’s good for 24 hours.
  4. Your browser creates a document called an identity assertion, signs it with your private key, then sends that and your signed public key to the site you want to log in to.
  5. The site looks at the document, verifies that it was signed by you, verifies that your signature was signed by persona.org, and then verifies that persona.org’s signature was signed by a trusted authority such as Verisign or Thawte.

Note that the identity assertion is valid only for that one site, only from your current web browser, and only for the next 24 hours. At any time, however, you can log out and invalidate all currently stored sessions.

What Makes Persona Great

One thing that makes Persona unique is that the site you visit doesn’t need to communicate with persona.org directly, meaning that persona.org never knows what sites you are logging in to. Another big advantage is that it is solely based on your email address, which is much easier to remember than an OpenID URL, and which means that you can easily remain as anonymous as your email address allows. Even better, Persona is distributed so if you own your domain you can be your own identity provider.

Persona is built on a concept that inherently protects your privacy and puts you in control of your identity.

But There Are Problems

Like any authentication system, Persona does need some serious real-world testing to prove itself and work out the bugs. The problem with Persona, however, is that the stuff that makes it so cool is also what exposes it most to attack.

For example, there is the signing key at the identity provider. Normally you want the strictest safeguards to protect any signing key. Some signing keys are so important that they are not even stored on network-accessible computers. The problem here is that in order to sign user certificates, you would need to allow the web server to access the private signing key. That usually means storing it on the web server itself.

We have all seen the news reports of user passwords stolen from a server and dumped on the Internet. But what happens if someone grabs a signing key? Basically it means they can sign any request and therefore log in as any user to any site that uses Persona. Yes, that is a pretty big issue. If I ran an identity provider, I would be terrified of taking my eyes off the monitoring consoles.

Another big vulnerability is the web browser itself. Of course, if someone’s browser is infected with malware, they already have some serious issues. But what makes Persona especially vulnerable is that such malware could do more than intercept passwords: it could authenticate to any web site you use with Persona without any intervention on your part, as long as you are logged in to Persona.

Yet another significant issue is that there is way too much room for error in implementing Persona. We have learned by now that if people can get it wrong, they certainly will get it wrong. Persona relies way too much on the implementation which means we will no doubt see plenty of vulnerabilities with identity providers, browsers, and relying parties.

A good example of this can be seen on persona.org itself. When you log in, it first asks for your email address to see if you are a valid user, and only then prompts you for your password. The problem with this two-step approach is that it makes the login vulnerable to account harvesting. You should always ask for email and password together, and if one is invalid never say which one it is.

Despite its potential flaws I do still like Persona. I don’t think it is the technology that will save us from having to remember passwords, but it is an important step in the evolution of secure authentication. What we learn from it is that emails are better than URLs as identifiers. We learn that it’s good to do stuff on the client side to ensure user privacy. We learn that we can easily leverage long-established and well-tested technologies without having to invent something new on the crypto side of things. Unfortunately, we also learn how incredibly difficult it still is to do authentication right.

Want to Block Common Passwords? Sorry, That is Patented

I always enjoy browsing through password-related patents to see all the flawed, silly, or outright dumb ideas that people come up with in an attempt to improve how we authenticate ourselves in the digital realm. What amazes me though is how many patents I encounter that have been granted for some of the most obvious, well-known and ordinary techniques we use in the authentication process. In fact, every imaginable aspect of password selection, authentication, storage, and recovery seems to be covered by one or more patents.

6 New Password Rules

Considering the increasing attention passwords have been getting lately, I thought it was about time we sit down and establish some new rules to define exactly what is a password. After all, so much of our personal lives, finances, and identities rely on these obscure jumblings of letters, numbers, and punctuation.

1. Password, 1234, letmein, and anything else that you see on this common passwords cloud are not passwords.

Recently I took my son over to a friend’s house and when we got there we found he lived in a gated community that required a PIN to enter. My son was about to call his friend when I told him, “I got this.” I reached over and entered 1234 and the gate promptly swung open. Yeah my son was very impressed at my hacker skills, but the fact is that 1234, 12345, or even 12345678 are not strong enough to be considered passwords.

2. If you google your password and get more than 10,000 results, it is not a password.

It’s really simple: if your password shows up that many times in Google, your password is not a password; it is a dictionary or common wordlist word.

3. If your password is 8 characters or less, it is not a password.

An 8-character password just isn’t strong enough these days to be considered a password. Most 8-character passwords consist of a dictionary word or name with a couple of numbers added to the end. These are incredibly easy to crack and will not stand up to a brute-force attack no matter what type of encryption is used. If your password is 8 characters long, you might have a PIN, but it certainly is not a password, which is probably why banks seem to love limiting password length to 8 characters. I recently explained just how much of a difference there is between an 8-character password and a 10-character password, but maybe this will illustrate it better:

(Images: “This is the equivalent of an 8-character password” and “This is the equivalent of a 6-character password”.)

4. If you use it on multiple sites, it is no longer a password.

Considering the huge number of passwords hacked and dumped on the internet every single day, I would hope that most of us have learned that you simply cannot reuse the same passwords on multiple sites. You are better off never even considering using the same passwords everywhere because it is easy to fall into that habit.

Just to illustrate why this is such a big deal, there are people such as me who collect passwords. Here is a list of all the passwords I have for the username bonehead. Now if I know that there is a user named bonehead on a web site, I can try all of these passwords and chances are surprisingly good that one of these passwords is correct. Why is this such an effective technique? Because everyone reuses their passwords on multiple sites.

5. If a password is older than 3 years, it has expired and is no longer a password

I know some of you get really attached to your passwords, but it is time to start using a password manager and changing those very old Hotmail and PayPal passwords. You wouldn’t eat 3-year-old food, so don’t use a 3-year-old password.

6. If you tell someone your password, it is no longer a password

Certainly sometimes it is necessary to share an account, but there is no excuse for telling someone your personal passwords, and this includes writing them down and sticking them on your monitor. If you have trouble doing this, one trick is to set your password as some phrase that reveals some highly personal or embarrassing fact you would never tell anyone: problem solved!

So come on people, we really can make passwords that really are passwords. Passwords don’t need to be totally random and they don’t always have to have numbers, capitals, and punctuation, but they do need to be long, unique, and secret!

My Advice: Just use a Password Manager

For years I have advocated using long, memorable passwords using a variety of different memorization techniques. Humor, repetition, common suffixes, memorable phrases, and other methods are great for creating long passwords that are easy to remember.

But now my philosophy has changed: now I say just go ahead and use a password manager and generate long, random passwords for each online account.

While I still use my own easy-to-remember passwords for sites where I often need to enter passwords manually, the bulk of the passwords I create now are long, random passwords that LastPass generates for me. Even five years ago it was possible to manage and memorize ten or twenty unique passwords, but the world has changed and it is not uncommon for a typical web user to have dozens if not hundreds of online accounts.

With so many large web sites becoming victims of public account dumps, it is now more important than ever that you never reuse the same password anywhere. Tools such as LastPass or KeePass make the process of creating, managing, and entering passwords so simple, there is hardly any reason not to use one of these tools.

Yes, you can come up with fancy patterns or methods of creating unique passwords for each site, but it just is not worth the effort and pattern-based passwords tend to be shorter than they should be. Passwords are more vulnerable to attack than ever; you should never create a password less than 10 characters but use 20 or more if the system lets you. Managing this many strong, unique passwords is almost impossible to do now without the help of a password manager.

Yeah, I kind of miss making new clever passwords, that was always the fun part of creating new accounts. On the other hand, it is still kind of fun seeing how long a password each web site lets me create. My record so far: 128 characters, and it was a dumb recipes site.

Analyzing the XKCD Passphrase Comic

I rarely see any discussion of password strength without seeing the XKCD comic below brought up to illustrate that a long pass phrase is better than a shorter random jumble of characters. Since this is something I have been arguing for fifteen years, this is something I do agree with, although adding a little more randomness and complexity is still necessary.

(XKCD: Password Strength - Creative Commons Attribution-NonCommercial 2.5 License.)

In 2006 I wrote Pafwert, a random but smart password generator, to illustrate this concept. Pass phrases are easier to remember, easier to type (we type in whole words), and are generally much stronger passwords. My philosophy has always been that length is more important than any other factor for password strength.

But not everyone agrees. Most often the argument against the pass phrase technique is that since the password is made up of 4 whole words, basically this isn’t that much different from a 4-character password; you just need to adjust the brute-force tools to work with whole words instead. While this is somewhat true, it doesn’t take much to turn this technique into something extremely effective.

How Strong are Pass Phrases?

To determine password strength, we generally determine how many passwords have similar characteristics. In other words, if finding a password is like finding a needle in a haystack, the critical question is how big is that haystack?

To do the math on this, we need to determine how large a set of words the average English-speaking user would likely choose from. Some English language dictionaries include well over 150,000 words but most linguists agree that the average-intelligence English speaker has a vocabulary of somewhere between 7,000 and 15,000 words.

What is misleading about these numbers is that dictionary words are only a small part of our vocabulary. Consider these other non-dictionary words:

  1. Proper nouns such as McDonalds, Lady Gaga, Instagram, JQuery, and possibly hundreds of thousands of other words that are part of our daily vocabulary.
  2. Domain names like facebook.com, flickr.com, and thousands of others.
  3. Popular slang and social jargon (see your average Facebook post).
  4. Alternate spellings, leetspeek, etc.
  5. Acronyms such as WWW, CISPA, SSN, WWII, and SMS.
  6. Words from other languages.
  7. Programming language elements and function names.
  8. And don’t forget written-out numbers; you will never find “1,276,209” in a dictionary and there are millions of those.

Forget dictionary words, our vocabularies are HUGE.

So how many actual words do we know? It is impossible to say but a very conservative estimate would be a minimum of about 25,000 words. Realistically this number is much higher than this but we will use 25,000 here just for illustration.

Now if we are picking 4 random words from a set of 25,000 words the number of possible combinations is 25,000^4 or 390,625,000,000,000,000 (noted as #1 on the table below) which is about the strength of a 9-10 character alphanumeric password (see this chart). But passwords are case-sensitive and we often capitalize one of the words so realistically we are talking about 50,000 words or 50,000^4 or 6,250,000,000,000,000,000 possible combinations (noted by #2 on the table below) which is about as strong as a 10-11 character alphanumeric password.

What’s interesting to note is that even a 3-word phrase results in 125,000,000,000,000 possibilities so even that would be roughly equivalent to a 7-8 character alphanumeric password which is the most commonly-seen password.

Making Them Even Stronger

Now most people have already developed techniques to make passwords stronger by adding some numbers or otherwise mutating that word so that it would not appear in a dictionary. That is why we often see passwords like dr@gon or freddy2000. Now these are very weak passwords by themselves but if you use this same technique in a pass phrase you can make them much stronger.

Remember, we are dealing with numbers that grow exponentially so a technique that is mediocre with a short password is incredibly effective with a long password.

Now consider the following pass phrase:  Picking at 200 p1ckles

Or this one:  I’m alway sthe first

Or this one:  How bout the 0xFC?

It’s a simple technique and a minor change but by doing this we have greatly expanded our 50,000 words. Many password cracking tools are very good at generating word permutations and can very quickly create and try hundreds of variants of a single dictionary word. But when you multiply that times 4 words, the numbers grow very fast.

Say, for example that for each of our original 25,000 words there are approximately 100 different mutations. That means we now potentially have a vocabulary of 2,500,000 words. And 2,500,000^4 equals 39,062,500,000,000,000,000,000,000 possible combinations of 4-word phrases (shown as #3 on the table above) which is stronger than a 14-character alphanumeric password.

So yeah, the XKCD recommendation is valid. And all you have to do is add a few simple mutations to make that method incredibly stronger.
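The arithmetic of this post, carried through in code as an added example (not Pafwert’s code). It enumerates the variants of a single word under three assumed mutation rules (optional capital, independent leet swaps of a, e, i, o, s, optional trailing digit) to show where a per-word multiplier of roughly 100 comes from, then computes the exact key space of an n-word phrase and the length of a random alphanumeric case-sensitive password with the same key space, for the 25,000, 50,000 and 2,500,000-word vocabularies above.

```javascript
// Assumed mutation rules for the illustration (not the ones Pafwert uses).
const LEET = { a: '@', e: '3', i: '1', o: '0', s: '$' };
const SUFFIXES = ['', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];

// Every distinct variant of one lower-case word under those rules.
function mutations(word) {
  const variants = new Set();
  const swappable = [...word].map((c, i) => (LEET[c] ? i : -1)).filter((i) => i >= 0);
  for (let mask = 0; mask < (1 << swappable.length); mask++) {
    const chars = [...word];
    swappable.forEach((pos, bit) => {
      if (mask & (1 << bit)) chars[pos] = LEET[word[pos]];
    });
    const leeted = chars.join('');
    const capitalised = leeted[0].toUpperCase() + leeted.slice(1);
    for (const base of [leeted, capitalised]) {
      for (const suffix of SUFFIXES) variants.add(base + suffix);
    }
  }
  return variants;
}

// Exact key space of a phrase of `words` words drawn from a vocabulary of `vocab` entries.
function phraseKeyspace(words, vocab) {
  return BigInt(vocab) ** BigInt(words);
}

// Length of a random password over the 62 alphanumeric case-sensitive symbols with the same
// key space: log base 62 of the key space (the post compares against this scale).
function equivalentAlnumChars(keyspace) {
  return Math.log(Number(keyspace)) / Math.log(62);
}

// The post's cases, plus the vocabulary size implied by the mutation rules above.
function summary() {
  const perWord = mutations('dragon').size; // constructed sample word
  const cases = {
    threeWords: phraseKeyspace(3, 50000),
    plain: phraseKeyspace(4, 25000),
    capitalised: phraseKeyspace(4, 50000),
    mutated: phraseKeyspace(4, 25000 * 100),
    withRulesAbove: phraseKeyspace(4, 25000 * perWord),
  };
  const report = {};
  for (const [name, keyspace] of Object.entries(cases)) {
    report[name] = { keyspace, alnumChars: Math.floor(equivalentAlnumChars(keyspace)) };
  }
  return report;
}
```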

93% of the Top 10,000 in the LinkedIn List

I would like to welcome LinkedIn to the not-so-exclusive club of major web sites that have experienced major password leaks. Like any other major leak it is hard to visit any forum or tech blog without seeing some mention of it. And like any other leak my inbox is starting to fill up with press requests for comments.

But what is interesting here is that there’s nothing interesting here. It’s the same thing we have seen so many times in the past and surely will continue to see.

One thing that highlights this, brought up to me by blogger Johnvey Hwang, is that 93% of the passwords in my Top 10,000 passwords list appear in the LinkedIn hashes dump. Here it is in his words:

I was curious as to what percentage of the most common passwords were present in this dump, as a proxy for gauging the password choices for a supposedly more professional population. A quick search led me to security guy Mark Burnett, who maintains a list of the top 10,000 most used passwords across the internet. He admits to some skew caused by a significant amount of sourcing from adult websites, but I don’t think it really matters.

The fact that such a large number of the LinkedIn passwords appear on the top 10,000 list certainly does help validate my data but more importantly it shows that despite all we have learned, very little has ever changed.

Here are some other interesting facts Johnvey discovered about the list:

  • 7,142 of the most common passwords were present
  • 546 of the most common passwords were not present
  • 2,312 of the most common passwords were too short for LinkedIn’s 6 character minimum

I think that 93% is an amazing number, but yet again the biggest story here is that nothing really has changed.

Sidenote:

I personally have three LinkedIn accounts that I maintain. None of those three passwords appear on the list. Apparently the list is not complete, but the question now is what criteria put those particular passwords on the list.

If a Strong Password is 2,573 Miles, How Long is Yours?

One of the difficulties of expressing just how much stronger one password is than another is that we as humans have such a hard time visualizing large numbers. Can we really, for example, truly comprehend the difference between a strong password and a weak one?

To illustrate this, imagine drawing a line from the Golden Gate Bridge in San Francisco to the base of the Statue of Liberty in New York that represents the strength of a strong password (the key space for a 12-character alphanumeric case-sensitive password). This line would be 2,573 miles (4,141 km) long.

So now ask yourself, if a 2,573-mile-long line represents a 12-character password, how long would you guess a line representing the strength of a more typical password would be (the keyspace of an 8-character alphanumeric case-sensitive password)? Would it be from San Francisco to Salt Lake City? Maybe even San Francisco to Lake Tahoe? The answer may surprise you: the line would only be 11 inches long.

That’s right, if a line from The Golden Gate Bridge to The Statue of Liberty represents a strong 12-character password, an 11-inch line would represent an 8-character password. A 9-character password would be 57 feet, a 10-character password would be 3,543 feet, and an 11-character password would be 41 miles.

At this point we are not even halfway to Sacramento, but just by adding one more character to make it 12, that line stretches 2,573 miles. Want to add one more character to make it 13? Now that line is 159,526 miles long, which is two-thirds of the way to the moon!

So next time you see a system that lets users create 11-inch passwords, be very proud of your own 2,573 miler.
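The scale used in this post, as an added example that is not part of the original: it fixes 62^12 to the 2,573-mile line and derives the line for any other length, since each extra alphanumeric case-sensitive character multiplies the key space, and so the line, by 62. The unit thresholds and the mean Earth-Moon distance of 238,855 miles are assumptions of the example.

```javascript
const ALPHABET = 62;           // alphanumeric, case-sensitive
const REFERENCE_LENGTH = 12;   // the post's 2,573-mile line
const REFERENCE_MILES = 2573;
const INCHES_PER_FOOT = 12;
const INCHES_PER_MILE = 63360;
const MOON_MILES = 238855;     // mean Earth-Moon distance (assumed reference value)

// Line length in inches for a password of `length` characters on the post's scale.
// Going up one character multiplies by 62; going down divides by 62.
function lineLengthInches(length) {
  const referenceInches = REFERENCE_MILES * INCHES_PER_MILE;
  const delta = length - REFERENCE_LENGTH;
  return delta >= 0
    ? referenceInches * Math.pow(ALPHABET, delta)
    : referenceInches / Math.pow(ALPHABET, -delta);
}

// Human-readable length, switching units the way the post does (assumed thresholds).
function describe(length) {
  const inches = lineLengthInches(length);
  if (inches < 10 * INCHES_PER_FOOT) return `${Math.round(inches)} inches`;
  if (inches < INCHES_PER_MILE) return `${Math.floor(inches / INCHES_PER_FOOT)} feet`;
  return `${Math.floor(inches / INCHES_PER_MILE)} miles`;
}

// How far towards the moon the line for a `length`-character password reaches.
function fractionOfWayToMoon(length) {
  return lineLengthInches(length) / INCHES_PER_MILE / MOON_MILES;
}

// The post's table of lengths, 8 through 13 characters.
function table() {
  const rows = {};
  for (let n = 8; n <= 13; n++) rows[n] = describe(n);
  return rows;
}
```

The 8-, 9-, 11-, 12- and 13-character figures reproduce the post’s numbers within rounding; the 10-character line comes out at 3,534 feet on this scale.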