Pafwert: Now Open Source

More than 15 years ago I started working on a unique password generator that eventually evolved into a small program I now call Pafwert.

Pafwert is a unique tool that helps you select strong passwords that are easy to remember. Using strong entropy, tens of thousands of seed words, more than a hundred patterns with endless variations, and following password best practices, Pafwert can help you select very strong passwords that are surprisingly easy to memorize. We have all seen random password generators, but Pafwert is very different.

Of course, while I still recommend using a password manager and generating completely random passwords, there are plenty of passwords we need to remember that we just aren’t able to save in a password manager. That is where Pafwert comes in.

Pafwert uses familiar patterns and a variety of memorization techniques to help you create strong passwords that are also easy to remember. Keep in mind that you don’t have to use the passwords exactly as it spits them out; you can use it simply as a tool to spark your own imagination when creating your passwords.

Pafwert is actually much more complex than it appears on the surface and generates passwords based on patterns and wordlists that you can customize. It then runs these passwords through a number of filters to obscure them just enough to make them unique. Yes, I probably wasted many thousands of hours overthinking this thing. Nevertheless, over the years it has gotten buried on my web site and largely forgotten (although I still use it myself every day).

I thought it was about time to update this tool and open source it (under the Apache license) to share it with the community. I would like to see it updated with new features and maybe even ported to PHP, but for now the code is there for anyone to play with. Note that I began work on this version of the code in 1999 so it is written in Visual Basic 6. That means that few of you will have the tools to do anything with the program itself (although I do have a complete dev environment in a VM if someone is serious enough about working on it).

If you would simply like to download the latest compiled version to install yourself, you can always grab it at http://xato.net/pafwert or you can check out the source code at GitHub.

If you want to get a taste for the complexity of this tool, you may want to spend a few minutes and read the Pattern Guide.

Hopefully someone can find this useful, if you do, let me know!


Pafwert – Smart Password Generator
https://github.com/m8urnett/pafwert

Email: The Security Industry’s Single Biggest Failure

I still remember so clearly the frustration I felt back in the 90s when starting in the security industry and trying to sell my services. It was so difficult trying to emphasize just how much at risk potential clients were and then get them to pay me to fix their stuff. Too often I came off like the paranoid conspiracy theorist–their sky wasn’t falling and they saw no wolf.

I remember one particular conference call at the peak of my frustration where a network administrator confidently bragged to me and the managers on the call just how secure their network really was. What the managers didn’t know at the time was that as we were all talking, the network administrator was scrambling to lock things down as I was furiously trying to break in. Being that I was pretty good at that stuff at the time, I was able to quickly drop a little program called cdtray.exe onto a number of computers, including the admin’s own PC, and used the at command to schedule all of their CD trays to open in one minute. I started asking the admin some questions and could hardly contain my amusement sixty seconds later as he suddenly seemed distracted. Then I went in for the kill: “are you convinced now you need more security?” I asked.

I didn’t get that job.

Nor did I get any work from Bank of America when I notified them of a glaring security flaw that exposed their global.asa file which contained their database username and password. That was over a decade ago but I still remember the password: superchicken.

My Advice: Just use a Password Manager

For years I have advocated using long, memorable passwords using a variety of different memorization techniques. Humor, repetition, common suffixes, memorable phrases, and other methods are great for creating long passwords that are easy to remember.

But now my philosophy has changed: now I say just go ahead and use a password manager and generate long, random passwords for each online account.

While I still use my own easy-to-remember passwords for sites where I often need to enter passwords manually, the bulk of the passwords I create now are long, random passwords that LastPass generates for me. Even five years ago it was possible to manage and memorize ten or twenty unique passwords, but the world has changed and it is not uncommon for a typical web user to have dozens if not hundreds of online accounts.

With so many large web sites becoming victims of public account dumps, it is now more important than ever that you never reuse the same password anywhere. Tools such as LastPass or KeePass make the process of creating, managing, and entering passwords so simple, there is hardly any reason not to use one of these tools.

Yes, you can come up with fancy patterns or methods of creating unique passwords for each site, but it just is not worth the effort and pattern-based passwords tend to be shorter than they should be. Passwords are more vulnerable to attack than ever; you should never create a password less than 10 characters but use 20 or more if the system lets you. Managing this many strong, unique passwords is almost impossible to do now without the help of a password manager.

Yeah, I kind of miss making new clever passwords, that was always the fun part of creating new accounts. On the other hand, it is still kind of fun seeing how long a password each web site lets me create. My record so far: 128 characters, and it was a dumb recipes site.


Analyzing the XKCD Passphrase Comic

I rarely see any discussion of password strength without seeing the XKCD comic below brought up to illustrate that a long pass phrase is better than a shorter random jumble of characters. Since I have been arguing this for fifteen years, it is something I do agree with, although adding a little more randomness and complexity is still necessary.

XKCD: Password Strength

(XKCD: Password Strength - Creative Commons Attribution-NonCommercial 2.5 License.)

In 2006 I wrote Pafwert, a random but smart password generator, to illustrate this concept. Pass phrases are easier to remember, easier to type (we type in whole words), and are generally much stronger passwords. My philosophy has always been that length is more important than any other factor for password strength.

But not everyone agrees. Most often the argument against the pass phrase technique is that since the password is made up of 4 whole words, basically this isn’t that much different than a 4-character password, you just need to adjust the brute-force tools to work with whole words instead. While this is somewhat true, it doesn’t take much to turn this technique into something extremely effective.

How Strong are Pass Phrases?

To determine password strength, we generally determine how many passwords have similar characteristics. In other words, if finding a password is like finding a needle in a haystack, the critical question is how big is that haystack?

To do the math on this, we need to determine how large a set of words the average English-speaking user would likely choose from. Some English language dictionaries include well over 150,000 words but most linguists agree that the average-intelligence English speaker has a vocabulary of somewhere between 7,000 and 15,000 words.

What is misleading about these numbers is that dictionary words are only a small part of our vocabulary. Consider these other non-dictionary words:

  1. Proper nouns such as McDonalds, Lady Gaga, Instagram, JQuery, and possibly hundreds of thousands of other words that are part of our daily vocabulary.
  2. Domain names like facebook.com, flickr.com, and thousands of others.
  3. Popular slang and social jargon (see your average Facebook post).
  4. Alternate spellings, leetspeek, etc.
  5. Acronyms such as WWW, CISPA, SSN, WWII, and SMS.
  6. Words from other languages
  7. Programming language elements and function names
  8. And don’t forget written-out numbers; you will never find “1,276,209” in a dictionary and there are millions of those.

Forget dictionary words, our vocabularies are HUGE.

So how many actual words do we know? It is impossible to say, but a very conservative estimate would be a minimum of about 25,000 words. Realistically this number is much higher, but we will use 25,000 here just for illustration.

Now if we are picking 4 random words from a set of 25,000 words the number of possible combinations is 25,000^4 or 390,625,000,000,000,000 (noted as #1 on the table below) which is about the strength of a 9-10 character alphanumeric password (see this chart). But passwords are case-sensitive and we often capitalize one of the words so realistically we are talking about 50,000 words or 50,000^4 or 6,250,000,000,000,000,000 possible combinations (noted by #2 on the table below) which is about as strong as a 10-11 character alphanumeric password.

What’s interesting to note is that even a 3-word phrase results in 125,000,000,000,000 possibilities so even that would be roughly equivalent to a 7-8 character alphanumeric password which is the most commonly-seen password.


Making Them Even Stronger

Now most people have already developed techniques to make passwords stronger by adding some numbers or otherwise mutating that word so that it would not appear in a dictionary. That is why we often see passwords like dr@gon or freddy2000. Now these are very weak passwords by themselves but if you use this same technique in a pass phrase you can make them much stronger.

Remember, we are dealing with numbers that grow exponentially so a technique that is mediocre with a short password is incredibly effective with a long password.

Now consider the following pass phrase:  Picking at 200 p1ckles

Or this one:  I’m alway sthe first

Or this one:  How bout the 0xFC?

It’s a simple technique and a minor change but by doing this we have greatly expanded our 50,000 words. Many password cracking tools are very good at generating word permutations and can very quickly create and try hundreds of variants of a single dictionary word. But when you multiply that times 4 words, the numbers grow very fast.

Say, for example that for each of our original 25,000 words there are approximately 100 different mutations. That means we now potentially have a vocabulary of 2,500,000 words. And 2,500,000^4 equals 39,062,500,000,000,000,000,000,000 possible combinations of 4-word phrases (shown as #3 on the table above) which is stronger than a 14-character alphanumeric password.

So yeah, the XKCD recommendation is valid. And all you have to do is add a few simple mutations to make that method incredibly stronger.
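Carrying the haystack arithmetic from this post through in code (an added example, not part of the original post): phrase_space gives the search space for a vocabulary, word count and per-word mutation factor, and equivalent_length converts that to the length of a fully random password over the alphabet the comparison chart is assumed to use (62 alphanumeric characters; that alphabet size is an assumption).

```python
import math

ALPHANUMERIC = 62  # a-z, A-Z, 0-9: assumed alphabet for the "N-character alphanumeric" comparisons


def phrase_space(vocabulary: int, words: int, mutations: int = 1) -> int:
    """Number of distinct phrases: (vocabulary * mutations) ** words.

    mutations is the number of spellings each word can take (dr@gon, freddy2000 ...);
    because it multiplies the per-word choice, it is raised to the word count too.
    """
    return (vocabulary * mutations) ** words


def bits(haystack: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(haystack)


def equivalent_length(haystack: int, alphabet: int = ALPHANUMERIC) -> float:
    """Length of a random password over `alphabet` with the same search space."""
    return math.log(haystack) / math.log(alphabet)


def cracker_work_multiplier(mutations: int, words: int) -> int:
    """How much more work a wordlist attack needs when each word has `mutations` variants."""
    return mutations ** words


# The post's four scenarios: 25,000-word vocabulary, 50,000 once the capitalised
# form of each word is counted, three instead of four words, and 100 mutations per word.
SCENARIOS = {
    "#1 four words, 25k vocabulary": phrase_space(25_000, 4),
    "#2 four words, 50k (capitalisation)": phrase_space(50_000, 4),
    "three words, 50k": phrase_space(50_000, 3),
    "#3 four words, 25k x 100 mutations": phrase_space(25_000, 4, mutations=100),
}

if __name__ == "__main__":
    for name, n in SCENARIOS.items():
        print(f"{name:38s} {n:>30,d}  {bits(n):5.1f} bits  ~{equivalent_length(n):4.1f} alnum chars")
    print("100 variants per word, 4 words: cracker work x", cracker_work_multiplier(100, 4))
```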

The Worst Password Tips


Because I have always been so fascinated with passwords, I always like to hear different tips people have for creating strong passwords. However, I have to admit that most of the tips I run across are actually kind of lame and really are not very secure. Unfortunately, some of these tips are quite popular and get passed around way too much. In fact, I rarely see any advice besides these I have listed.

How I Collect Passwords

Some of you out there know that I have been collecting passwords for quite some time. Since 1998 to be exact. Originally I did it just to have big wordlists for password cracking, then I started gathering them for research on my Perfect Passwords book, finally it became like a big ball of string where you just do it because it makes no sense to stop now. My list currently contains about 6 million unique username/password combinations (not counting those from public lists from Gawker, RockYou, and others).

So I thought that some people might be interested in how I collect these passwords. Note that all of these passwords have already been made public and can easily be found by anyone. There are no passwords on my list that have not already been made public. Also note that so far I have never shared this list with anyone.

  1. I use tools such as Athena, which does massive Google searches for and collects passwords in the format “http://user:password@example.com/members”. This tool can easily gather 200,000 combos in a day but the majority of these are already in my database. I run this about once a month.
  2. I have a script that nightly leeches from a huge list of well-known password sharing web sites.
  3. I use a number of Google alerts that watch for common keylogger log formats. This is just one of many that I use. There are a surprisingly huge number of these logs that can be found via Google, although it is sometimes difficult to parse the passwords from the content.
  4. I use Google alerts to watch for SQL database dumps of forum and other common software databases.
  5. I also use Google alerts to look for passwords on pastebin.com and other related sites.
  6. I use a script that grabs all the Google alerts as RSS feeds and parses out URLs, then another script visits each site and leeches the passwords.
  7. I use RSS feeds from filestube.com to watch for and download password lists that might show up on a number of file sharing sites.
  8. I use RSS feeds from various torrent searches that I put into uTorrent to download automatically.
  9. I use a number of IRC bots that hang out in a large number of IRC channels where password sharing happens. These aren’t as effective as they once were but I still use them occasionally.
  10. I use a script to automatically download posts from various Usenet newsgroups, although most of those are just spam nowadays.
  11. I visit a number of public and private hacking-related forums to get wordlists and hacked passwords. I often pay for VIP memberships (usually the lifetime ones) so that I can access premium content areas. Leeching from forums has to be done manually, because you often have to comment on posts to be able to download the lists, but occasionally I will spend half a day leeching from these forums. Some forums will let you subscribe to posts and will include the entire post contents in the email. This bypasses the often-used “hide hack” and I can just use another script to save that inbox to local files.
  12. I use various FTP search engines to watch for interesting filenames that might show up on FTP sites.
  13. In the past I have used various P2P networks (such as LimeWire) to search for files but those don’t produce many results nowadays.
  14. Every once in a while someone will send me a big dump of their own lists they have collected.

As these scripts collect data, it is all dumped into a directory on my hard drive, and regularly I run a program I wrote that parses all the data looking for passwords in common formats.

Here are some examples of what the program recognizes:

http://www.example.com/members/ L:user1 P:password1
http://www.example.com/members login:user1 password:password1
http://www.example.com/members user: user1 pass:  password1
Login: user1 passw:password1
L:user1 P:password1
username:user1 password:password1
http://www.example.com/members L: user1 P:  password1
username = user1  password= password1
u=user1 p=password1
username    user1  password    password1
login id: user1 password: password1

It grabs the username/password combos and saves them into a text log file. After a while these files accumulate and I merge them into my master database. In the database I perform cleanup steps such as removing passwords from well-known password hackers (such as pr0test) and other junk that might appear. I also strip domain names off usernames that are email addresses.

What is interesting about all this is how difficult it is to find new username/password combos that aren’t already on my list. These scripts can easily collect 100,000 unique username/password combos every day, but only a few thousand of those are not already on my list.

After 12+ years of collecting passwords, I have found a few interesting facts:

  • Although my list contains about 6 million username/password combos, the list only contains about 1,300,000 unique passwords.
  • Of those, approximately 300,000 of those passwords are used by more than one person; about 1,000,000 only appear once (and a good portion of those are obviously generated by a computer).
  • The list of the top 20 passwords rarely changes and 1 out of every 50 people uses one of these passwords.

There are a few flaws with my list that I should point out:

  • Many of these passwords have been cracked from hashes so a good percentage of them would by nature be crackable, skewing the statistics some.
  • These passwords are largely dominated by passwords from adult web sites, which are the ones mostly publicly shared. This results in a higher percentage of adult-related and obscene passwords.
  • These passwords are usually from web sites that often do not enforce strong passwords policies that a private organization might. This is bad because this data doesn’t truly reflect all passwords, but on the other hand it shows the kind of passwords users will select if a password policy is not enforced.
  • My scripts only grab usernames and passwords between 3 and 30 characters long, all others are thrown out.
  • None of the passwords contain a colon, because that is the delimiter used to separate usernames and passwords in the combo lists my scripts generate.
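A recogniser for the line shapes listed above, with the cleanup rules from the same post applied (3-30 character limit, no colon in the password, domain stripped from e-mail-address usernames), written as an added example rather than the author's own parser; the same check is useful from the other side, to spot credential-shaped lines in logs or pastes before you publish them. The sample text is constructed: it embeds the post's example lines plus a few edge cases, and the "scheme://user:password@host" shape is the search-engine format mentioned in item 1.

```python
import re
from typing import List, Optional, Tuple

Combo = Tuple[str, str]

# Label spellings seen in the formats above, longest first so that "login"
# is never matched as the single-letter label "l".
_USER_LABEL = r"(?:username|user|login\s+id|login|l|u)"
_PASS_LABEL = r"(?:password|passw|pass|p)"
_SEP = r"\s*[:=]?\s*"  # ":", "=", whitespace only, or nothing at all

# "<user-label><sep><value> <pass-label><sep><value>", optionally after a URL.
LABELED = re.compile(
    rf"(?:(?P<url>\S+://\S+)\s+)?"
    rf"\b{_USER_LABEL}\b{_SEP}(?P<user>\S+)\s+"
    rf"\b{_PASS_LABEL}\b{_SEP}(?P<pw>\S+)",
    re.IGNORECASE,
)
# "scheme://user:password@host/path": the format the search-engine tool collects.
EMBEDDED = re.compile(r"\S+://(?P<user>[^:/\s@]+):(?P<pw>[^@\s]+)@\S+")


def parse_combo(line: str) -> Optional[Combo]:
    """Return (username, password) if the line has one of the recognised shapes."""
    for pattern in (EMBEDDED, LABELED):
        m = pattern.search(line)
        if m:
            return m.group("user"), m.group("pw")
    return None


def clean(user: str, pw: str) -> Optional[Combo]:
    """Apply the post's cleanup rules; None means the combo is thrown out."""
    user = user.split("@", 1)[0]          # strip the domain from e-mail usernames
    if not (3 <= len(user) <= 30 and 3 <= len(pw) <= 30):
        return None                       # only 3-30 character values are kept
    if ":" in pw:
        return None                       # colon is the user:password delimiter
    return user, pw


def extract_combos(text: str) -> List[Combo]:
    """Scan free text line by line and return the cleaned combos it contains."""
    found = []
    for line in text.splitlines():
        hit = parse_combo(line)
        if hit is not None:
            cleaned = clean(*hit)
            if cleaned is not None:
                found.append(cleaned)
    return found


# Constructed sample: the eleven shapes from the post plus a few edge cases.
SAMPLE = """\
http://www.example.com/members/ L:user1 P:password1
http://www.example.com/members login:user1 password:password1
http://www.example.com/members user: user1 pass:  password1
Login: user1 passw:password1
L:user1 P:password1
username:user1 password:password1
http://www.example.com/members L: user1 P:  password1
username = user1  password= password1
u=user1 p=password1
username    user1  password    password1
login id: user1 password: password1
http://alice:s3cret@example.com/members
login: dave@example.net password: hunter22
username:bob@example.org password:ab
u=carol p=pa:ss
Just a normal log line with no credentials in it.
"""

if __name__ == "__main__":
    for user, pw in extract_combos(SAMPLE):
        print(f"{user}:{pw}")
```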

So that is how I collect my passwords, maybe someday I will share the list itself.

Incidentally, the one tool I really wish I had time to build is either a proxy server or a Greasemonkey script that will automatically parse and log usernames and password combos from web pages that you visit. That would be extremely helpful!

Update (4/25/12): Google has recently changed things that resulted in breaking several of the tools listed here. Now I collect many of my passwords using Google alerts and custom searches turned into RSS feeds and automatically added into a private WordPress blog via AutoBlogged. Before each post is added it runs through a tool I have developed (which I will share eventually) that returns just the username/password combos. I can then use the RSS feed from that private blog as a raw combos list to merge into my master list.


It’s been a decade, how secure are you now?

A month ago I downloaded a well-known shareware application from a download web site–a site that has been around long enough for me to recognize the name. I wanted to test the download speeds on a freshly installed Windows 2008 server in my data center and multi-threaded download managers are a good way to load up your bandwidth pipe. I double-clicked on the installer, saw my mouse turn to an hourglass, and then disappear. I saw the hard drive lights flicker a few times, and then nothing else happened.

I knew right away something wasn’t right and that was quickly confirmed when I realized I couldn’t launch Task Manager or Regedit: I was infected with malware. A trojan to be more specific.

In the last ten years I have been infected once or twice before–usually by something minor like spyware attached to a game my kids downloaded–but I had never had anything major like this. Bringing up a command prompt, I quickly fought the infection with the arsenal of command lines I had gathered over the years. But once I thought I had the thing completely gone, it once again would appear in my task lists and RunOnce entries.

It didn’t take long for me to realize that it was using WMI events to keep itself alive on my system. Because these types of infections are difficult to detect and even more difficult to remove, I went after the file system, removing any binaries related to the trojan. Using timestamps and several SysInternals tools, I was able to eliminate all of the infected files, although the trojan was still active–albeit neutered–on my system.

I spent two days working on the server and ultimately ended up with a system that would blue screen before loading Windows. I finally just gave up and reinstalled the system to a fresh state. What bothered me most wasn’t the time I had wasted fighting this trojan, it was the fact that it had beat me. In fact, it beat me using the very same tactics I myself had developed and used over the years.

But as I got to thinking, I realized that what really bothered me is that this was a fully patched server running Windows 2008 behind two firewalls. And I was downloading a trusted application from a web site I recognized. And most of all, it bothered me that this is 2009 and I still got infected.

A decade ago I remember telling my clients that it would take ten years for the tech industry to get caught up with security. There was simply too much stuff to fix and not enough talent to fix it. Well that ten years has come and I wonder how those clients are doing now. The daily security headlines nowadays really aren’t much different than they were in 1999. Some new worm threatens the Internet infrastructure. Some .gov or .mil was hacked, probably by The Chinese, and it turns out you can still get hacked no matter how many initials you have after your signature and no matter how many standards you comply with.

It’s 2009 and I am still forced to use ancient, unencrypted protocols like FTP, Telnet, and SNMP. And even where public key encryption is commonplace, like with SSL encrypted protocols, I still find myself faced with things like having to decide whether I should trust a self-signed certificate or not.

Then there’s e-mail. Not only is it unencrypted, but it is unauthenticated and also subject to tampering. Nevertheless, I finally stopped installing PGP on all my computers because no one ever sends me PGP-encrypted e-mails and no one is ever able to read the ones I send encrypted. And this is 2009.

Even though it’s 2009, so many are still fooled by those fake e-mails from their banks. And even though spam filters work pretty well at protecting us from seeing our spam, there are still thousands of spam messages that end up on my servers every day.

And when I send an e-mail, there’s no guarantee that only the recipient will receive my message. There’s no guarantee that others can’t read or even modify my message.

Ten years ago we knew exactly what it would take to fix our security problems. We got the firewalls down pretty good. Code is generally more secure now. And most of us are good at keeping our systems up-to-date with patches.

But we still don’t have widely-adopted solutions for authentication, encryption, and data integrity. We still have weak passwords and our mothers still have the same maiden names. And most people are simply too underequipped or undermotivated to combat the skills of the malware developers.

That means that despite all our advances in security technology, the best ways to hack someone are the same as they have always been—through a malicious e-mail attachment, or some infected download, or simply guessing someone’s password.

This is a serious problem, a problem that will take a decade to fix.

A CAPTCHA Nightmare

What distinguishes an effective CAPTCHA from a poor CAPTCHA is the ability to make things hard on non-humans without making things hard on humans. Most of the CAPTCHAS I see out there fail in one of those two features.

But while I thought I had seen the worst CAPTCHAs ever, I stumbled across RapidShare’s new CAPTCHA. Now in the past I have actually praised their CAPTCHA because it was so user-friendly. It wasn’t case-sensitive and when there were ambiguous characters (number 0 vs letter o), it always seemed to work.

Obviously the CAPTCHA was flawed and a number of people wrote some bots and other tools to bypass it. RapidShare felt a need to tighten things up a bit so they came up with the Cat CAPTCHA:

Cat CAPTCHA

Now it is important to note that if you are not a RapidShare member you often have to wait to be able to download a file. In this case I had to wait three minutes before I even got to the point where I could enter the CAPTCHA. Already thinking this was an annoying CAPTCHA I also grabbed a screen shot.

Now if you look closely, it says to enter all letters having the image of a cat. Looking at the image, I saw both numbers and letters so, while it made me pause and think more than most CAPTCHAs would, I figured the answer was NTPS. The caption says there are four letters, the text box limits your input to four characters, everything was all caps, and so I figured I was all set.

It turned out that NTPS wasn’t the correct answer and it put me back into the queue to wait another three minutes. After the timer finished counting down, RapidShare presented me with another CAPTCHA to solve:

RapidShare CAPTCHA

This CAPTCHA was all letters and they all had little cats on them so this seemed easier, but as I started typing I remembered that the text input box only allowed four characters. So which four are the answer? I tried the first four but that didn’t work.

Thinking it might be a browser issue, I tried different browsers, but quickly discovered that after three failures it locks you out. And it doesn’t do this based on a cookie; it’s based on your IP address! Being behind a NAT’d connection, I guess I just locked out my entire ISP from using RapidShare.

At this point I did some searching and found out that I am just one of hundreds of people blogging about this.

It turns out that I wasn’t being too careful because what RapidShare doesn’t tell you is that some of those images on the letters are actually dogs, not cats. I must be a bot.

Looking (very) close I finally determined that the correct answer to the CAPTCHA above would have been NERW. Geez, they could at least start showing the CAPTCHA during the countdown so you can get started working on it.

This CAPTCHA fails in so many ways it is amazing:

  1. They rely too much on their description, which pretty much eliminates anyone who doesn’t speak that language.
  2. They lock you out by IP address.
  3. If you have to squint or enlarge the picture to figure out the CAPTCHA then something is probably wrong. Try entering this thing on your iPhone outside in the sun.
  4. If someone needs to post on Yahoo! Answers to figure out your CAPTCHA then something is probably wrong.
  5. If a Yahoo! search for “rapidshare captcha” returns 79,500 results, then something is probably wrong.

RapidShare’s response to the issue is this:

“As every free user should have noticed, we are experimenting once again with the CAPTCHA system. The reason is that RapidShare is popular enough for people to create tools to download from RapidShare as a free user as if they were a premium user. This has a negative impact for our paying premium users, since they expect a fast download.”

In the meantime they are probably losing a lot of visitors and completely destroying the already fragile user experience with CAPTCHAs.

Making sense of Microsoft malware protection

In case you haven’t noticed, in the last few years Microsoft has released a number of different client protection tools. First it was Windows Defender, then OneCare, and now we are seeing a big push on the Forefront product line. In fact, there are a number of tools that provide overlapping client protection.

Fun with open proxies

I was recently playing around with web proxies at my data center lab and got an idea to open up a couple anonymous proxies to see how long it would take for someone to start exploiting them. I fired up two anonymous proxies–using 3APA3A’s very cool and very tiny 3proxy tool–on adjacent IP addresses, each listening on port 8080.