However, an article by Mark Stockley for Sophos suggests that a poor meter may be worse than useless. He took five of the 10,000 most common passwords, according to xato.net, all of which the cracking software John The Ripper cracked more or less instantly, and then ran them against five plug-in strength meters. One meter categorized all five as good, another classified two of them as good. Ten were classified as weak by various meters, six as medium, and two as 'norm' (normal, presumably).
Stockley's contention is that:
A password strength meter that doesn't reject all five out of hand is not up to the job of measuring password strength.
They all failed. And not only that, they don't agree.
Well, I won't disagree: the results are inconsistent between meters and the classifications are misleading, unless you believe that 'iloveyou!' or even 'abc123' are good passwords. Why did they fail so spectacularly? A large part of the answer lies in the fact that the harshest categorization any of these meters offers is 'weak': there is no outright 'reject' verdict for a string that is known to be among the first a cracker will try.
There are a number of characteristics you can use to assess the strength and entropy (randomness or unpredictability) of a password or, preferably, passphrase, such as:
Number of characters
Variety of characters – a very long password consisting of the same repeated character is not resistant to password cracking software
The types of character used: alphabetical, numeric, symbols and special characters, and where they're placed in relation to the other characters. (To take a simple example, when people append a number to their password and simply increment it every time they're required to change it, that offers no effective barrier to password-cracking software, which tries such suffixes first.)
There are any number of algorithms that might be used to assess the effectiveness of a given string used as a passphrase. Obviously, some are better than others and you have to expect some variation in categorization. I tried the same passwords against the Microsoft checker, which wasn't one of those tested by Stockley
Clearly, there isn't a separate category for 'Don't use this password because an awful lot of other people already do so hackers will find it quickly'. And the fact that trustno1, confirmed by at least one other list to be far more common than ncc1701, is categorized as medium, suggests that ranking (or appearing at all) on such lists is not one of the categorization criteria applied by the Microsoft meter or, apparently, any of the five tested by Stockley.
That's not to say that the lists are only used by password crackers. At one time, Twitter used a script to check passwords created by its users against a list of strings: if someone tried to set a password that was found on the list, it would not be allowed. And yes, abc123, trustno1, and ncc1701 could be found there (the list was very trivially obfuscated). iloveyou! wasn't included, though iloveyou was. Nor was primetime21 or anything close to it.
So how do these meters reach their conclusions? Well, one of them considered all five of those passwords 'good', so maybe it doesn't have any negative criteria. All the others considered abc123 weak, even though it consists of a mix of letters and numbers, perhaps because it features two strictly serial sequences (abc and 123).
Perhaps ncc1701 fares better according to some meters because it doesn't include a dictionary word (though it is, of course, the instantly recognizable number of the Starship Enterprise, which is why so many people use it). iloveyou! probably gains favor because strength meters like passwords that include punctuation characters.
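To make the preceding points concrete, here is an added example (not code from the article, from Stockley's test or from any of the meters it discusses) of a strength assessor that applies the criteria above in the order a practitioner would want: a blocklist check that rejects outright, then a crude guessing-work estimate in which a dictionary word, a repeated-character run, a serial sequence such as abc or 123, and an appended digit or punctuation counter each count as a single unit rather than as so many independent characters. The common-password set, the dictionary and the bit thresholds are constructed stand-ins and assumptions; a real deployment would load full lists from files.

```python
"""Toy password-strength assessor built around the criteria discussed above:
a common-password blocklist, length, character variety, character classes,
serial sequences and appended counters. All lists here are constructed samples."""
import math
import string

# Constructed stand-in for a "most common passwords" list (a real xato.net or
# Twitter-style list has thousands of entries and is loaded from a file).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein",
    "abc123", "trustno1", "ncc1701", "iloveyou",
}

# Constructed stand-in for a cracking dictionary; a real one has ~10^5 words.
WORDS = {"love", "you", "trust", "prime", "time", "password", "enterprise"}

# Verdict thresholds in bits of guessing work (assumed values, not a standard).
WEAK_BITS, STRONG_BITS = 28, 50


def is_common(pw: str) -> bool:
    """Blocklist check. Trailing digits/punctuation are stripped as well, so
    'Password1' and 'iloveyou!' are caught by 'password' and 'iloveyou'."""
    lowered = pw.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_PASSWORDS or (bool(base) and base in COMMON_PASSWORDS)


def run_at(s: str, i: int, min_len: int = 3):
    """Serial sequence (abc, 123, cba, 321) of >= min_len chars starting at i."""
    for step in (1, -1):
        j = i
        while j + 1 < len(s) and ord(s[j + 1]) - ord(s[j]) == step:
            j += 1
        if j - i + 1 >= min_len:
            return s[i:j + 1]
    return None


def repeat_at(s: str, i: int, min_len: int = 3):
    """Run of one repeated character (aaaa) of >= min_len chars starting at i."""
    j = i
    while j + 1 < len(s) and s[j + 1] == s[i]:
        j += 1
    return s[i:j + 1] if j - i + 1 >= min_len else None


def chunks(s: str):
    """Split s into guessing units: a dictionary word, a repeated-character run
    or a serial sequence each count as ONE unit; anything else is one char."""
    out, i = [], 0
    while i < len(s):
        word = next((s[i:j] for j in range(len(s), i + 2, -1) if s[i:j] in WORDS), None)
        if word:
            out.append(("word", word))
            i += len(word)
            continue
        rep = repeat_at(s, i)
        if rep:
            out.append(("repeat", rep))
            i += len(rep)
            continue
        seq = run_at(s, i)
        if seq:
            out.append(("sequence", seq))
            i += len(seq)
            continue
        out.append(("char", s[i]))
        i += 1
    return out


def charset_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable symbols and punctuation
    return size


def assess(pw: str) -> dict:
    """Return verdict ('common', 'weak', 'medium', 'strong'), bits and units."""
    if is_common(pw):
        return {"verdict": "common", "bits": 0.0, "units": [],
                "reason": "appears on the common-password list; reject outright"}
    # An appended digit/punctuation counter ('...21', '...!') is one unit
    # regardless of its length: crackers try those suffixes first.
    core = pw.rstrip(string.digits + string.punctuation)
    suffix = pw[len(core):]
    units = chunks(core.lower()) + ([("suffix", suffix)] if suffix else [])
    size = charset_size(pw)
    bits = len(units) * math.log2(size) if units and size else 0.0
    verdict = "weak" if bits < WEAK_BITS else "medium" if bits < STRONG_BITS else "strong"
    return {"verdict": verdict, "bits": round(bits, 1), "units": units,
            "reason": f"{len(units)} guessing units over a {size}-symbol alphabet"}


if __name__ == "__main__":
    # The five passwords from the article plus three constructed contrasts.
    for pw in ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
               "Password1", "aaaaaaaaaaaa", "Mk7#vQ2!pL9@xW"]:
        r = assess(pw)
        print(f"{pw:16} {r['verdict']:7} {r['bits']:6} {r['reason']}")
```

Run against the article's five passwords, the blocklist catches four of them before any scoring happens, including 'iloveyou!' despite its punctuation; primetime21 survives the blocklist (as it did Twitter's) but collapses to three guessing units, two dictionary words plus a counter, and is rated weak, which matches what John the Ripper found. The point the article makes about 'iloveyou!' is visible in the numbers: scored purely on character classes it would look strong, and only the list lookup and the word split bring it back to reality.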