Password Security: Why the horse battery staple is not correct

This article includes some good points, but puts them together into something inane. It&#x27;s true that silly constraints lead to trivial changes that lead to crackable passwords. It&#x27;s also true that assuming brute force over all character classes included in a password is wrong. Those are <i>precisely</i> what the &quot;correct horse battery staple&quot; comic was getting at. Picking words at random (that is, based on a PRNG - <i>not</i> &quot;random&quot; meaning &quot;arbitrarily, by hand&quot;) from a dictionary, brute force over that dictionary is the best an attacker can do, and the (dictionary size ^ number of words) calculation is a <i>correct</i> measure of entropy, and with sufficient entropy no passwords will be duplicated. The &quot;correct horse battery staple&quot; hypothesis is that this gets a better score on &quot;entropy per difficulty memorizing&quot; than generating passwords by drawing randomly from a dictionary of typeable characters, and I find that to hold - it&#x27;s also easier to type actual words.<p>The other odd point is that we shouldn&#x27;t be advocating stronger methods of choosing passwords because we should be using multifactor authentication. I don&#x27;t dispute that we should be using multifactor authentication in more places, but even in that case weak passwords are a problem!

For what it&#x27;s worth, the horse battery staple is completely correct for the problem it&#x27;s trying to solve. This article is about another (arguably more important) problem.

So I&#x27;ve got a question. Isn&#x27;t using a password manager with unique, big, long, randomly generated passwords per site essentially the same as two-factor authentication? Something I know (the master password) and something I have (the encrypted password list). The password list lives on my laptop, on my phone, etc. Furthermore, when I use 2 factor auth, I end up storing the lose-your-phone recovery password in the password manager anyway, so I&#x27;m probably missing the point of the SMS-, token- or Authy- based validation anyway.

Despite the slightly linkbaity article, I agree with the article&#x27;s actual premise (you shouldn&#x27;t be remembering passwords in the first place).<p>Unfortunately, it&#x27;d be tough pill to swallow for sites to push&#x2F;encourage users to get a password manager—you never want to be the site which people bounce from because they don&#x27;t understand what a password manager is.<p>At the very least, I wish sites would abandon the abhorrent process of disallowing copy &amp; paste. The completely random password my generator supplies is <i>much</i> more secure than me trying to remember a password for your site. Sadly, the sites which fail at this the most are also the ones where security is most important (ex. banks).

You have to be pragmatic with users and offer them a path of least resistance while implementing a greater level of security. I&#x27;ve only recently been able to get users to pay attention to why they need a password manager - the iCloud hack helped more in that than even Snowden did.<p>That path of least resistance right now, I find, is installing a password manager and securing it with a primary password that is generated from four or five dictionary words. Combine that with two-factor authentication for the most important accounts (Google Authenticator is surprisingly easy to teach people to use).<p>You find corner cases that cause problems: apps that don&#x27;t support automatically having the password entered, or pasting the password in, mobile apps that become frustrating to enter long random passwords into so users just change them to something simple (including Apple ID&#x27;s).<p>Four random words is beyond &#x27;good enough&#x27; and <i>far</i> better than what most users are doing now. Rolling out and advocating new security measures is much about compromise and pragmatism. When somebody who is an ordinary computer users asks you what a good password technique is, do you spend 60 minutes explaining entropy and how people are bad at generating passwords (putting them to sleep), or do you just point them to a comic and one of the random xkcd password generators?<p>The iCloud hacks have done more for security awareness than what a million blog posts could ever have. It would be good to take advantage of it with a common approach rather than mixed signaling (I just <i>know</i> that at some point i&#x27;m going to hear someone say &quot;but I saw something on hacker news about how those xkcd passwords <i>aren&#x27;t</i> secure&quot; - and I will have to take a deep breath).<p>Advocacy now could be focused on developers, where there is some catching up to do - a common protocol for password managers, allowing copy and paste, hooks in apps, agreeing on a set of weak passwords that should be not allowed (a lot of services already do this, most use top x from RockYou), removing those silly character restrictions (example: apple ID&#x27;s can&#x27;t be XKCD passwords since they enforce a capital letter and number), building password generating into more systems (based on an open spec - it should be an OS feature, not an app)

Password managers, combined with randomly-generated passwords, solve the most serious problems afflicting user-selected passwords. Adding two-factor authentication solves yet more problems. And yet both password managers and 2FA are not widely adopted by users. Where do we go from here?<p>I use a password manager, and the UX of registering to a new website is just awful. On the registration page I need to check what sort of password is being asked for (e.g. &#x27;no longer than 15 characters&#x27;), and configure the password generator accordingly. After registration I need to manually convert the password into a login; my password manager can try to do it automatically, but it often fails because it doesn&#x27;t know how to translate fields from the registration page to the login page. Compare this with what most users do: just enter the same password everywhere. Much less friction.<p>I think we can make using password managers <i>easier</i> than entering the same password everywhere. We can do this by introducing a standard web interface for password managers. This interface will let browsers fill in usernames and passwords on registration and login pages, automatically. It may include password specifications, such as &#x27;password should be between 10-15 characters long&#x27;.<p>Here&#x27;s the use case: imagine the password manager is integrated with the browser (say as an extension). When it detects this interface on a web page, the password manager <i>hides the password field</i>, replacing it with a message like &#x27;secure password is auto-generated&#x27;. Similarly, login pages that support the interface will not show a password field at all. From time to time, the user has to enter their single password (to allow the password manager to access its database). In this scenario, the user has to do less work (on average) than when they enter their password manually. When no password manager is installed, the browser simply displays the same old password field.<p>Given a standard interface, implementation is simple: on the server side, it&#x27;s just a few tags that specify user and password fields on registration and login pages, and what to replace them with when the password manager works. There should probably also be a site identifier to let the password manager know which registration page corresponds to which login page. (Currently password managers rely on URLs to figure this out, and this heuristic sometimes fails.) The whole architecture of storing passwords stays the same. On the client side, password managers already do much of this work anyway, including trying to heuristically figure out which fields correspond to the username and the password. This sort of interface makes things much simpler for them.

<i>Even if we entertained the XKCD comic and started training users to select four random words instead of a complex single-word password, I argue that it would not amount to a significant increase in security.</i><p><i>People are not very creative and tend to think the same way when choosing passwords. This would lead to the exact same problem we have now, where a few passwords such as &quot;password123&quot; become very common.</i><p>The XKCD comic[1] says to use &quot;four random common words.&quot; There seems to be some confusion between the popular use of &quot;random&quot; to mean &quot;arbitrary&quot; and the specific information-theory meaning of &quot;random&quot; (better worded as &quot;randomly chosen&quot;). Bruce Schneier criticized[2] the XKCD method based on the &quot;arbitrary&quot; interpretation, and the best explanation of the problem I&#x27;ve seen is in an answer[3] on the cryptography Stack Exchange site:<p><i>Random choices are random and uniform. This is hard to achieve with human users. You must convince them to use a device for good randomness (a coin, not a brain), and to accept the result. [...] If the users alter the choices, if only by generating another password if the one they got &quot;does not please them&quot;, then they depart from random uniformity, and the entropy can only be lowered (maximum entropy is achieved with uniform randomness; you cannot get better, but you can get much worse).</i><p>[1] <a href="http://xkcd.com/936/" rel="nofollow">http:&#x2F;&#x2F;xkcd.com&#x2F;936&#x2F;</a><p>[2] <a href="https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html" rel="nofollow">https:&#x2F;&#x2F;www.schneier.com&#x2F;blog&#x2F;archives&#x2F;2014&#x2F;03&#x2F;choosing_secu...</a><p>[3] <a href="http://security.stackexchange.com/a/6096" rel="nofollow">http:&#x2F;&#x2F;security.stackexchange.com&#x2F;a&#x2F;6096</a>

Two factor is not a good solution either. Having to lug around your phone pulling up randomly generated strings from an RNG on both ends... defeats the point. Instead of an RNG seed, have a shared secret.<p>Of course, you need a trusted party for that, but that is how oauth and friends work. And how Persona should have worked. Logging in to <i>anything</i> should be clicking login and everything happening behind the scenes, because you are already trusted and authenticated by a dozen other services that whomever you are trying to access should defer to to identify you.<p>At least that is what Persona was supposed to do, and then fell flat due to slow adoption. But it was a chicken and egg problem through and through - nobody would use an immature Persona, and Mozilla abandoned it before it had time to shine.<p>Oauth is the maimed cripple of what should solve all of this, but at least it gets the correct UX to end users most of the time, even it if means wading through a half a dozen login buttons from various services selling your identity.<p>Considering modern browsers all support synced data stores, why the hell is there not some standards pushing api a la webrtc (in scope and adoption) to get randomly generated unique id keys made browser side for each service you use, that you can then sync between devices and across your browser &quot;account&quot;? Persona was meant to become that, but it died. Where is the successor?

I am skeptical of the security of the self-organising map based scheme in the paper of his own (s)he links to in the article, despite the Fourier-transform based hash scheme.<p>For a start, the scheme requires all passwords to be stored in plain text (or with reversible encryption), or at least the DFT output for them, for the final adjustment of node popularity levels, which is itself a risk.<p>Given the self-organising map (which is supposedly safe to distribute widely), take the nodes which are flagged as the highest danger level (i.e. most widely used). For each of these nodes, you have the amplitude of the DFT, but not the phases. However, performing a brute force attack on the phase space is likely relatively easy, because it would normally be relatively small. An attacker could fix the values of all phases except one (phase_i), and then find, using the simplex algorithm, the next value of cos(phase_i) or sin(phase_i) that changes one of the time-domain values to round to the next output value. For each value of phase_i, the attacker then recursively repeats the attack for phase_{i+1}, until all passwords for the amplitude vector on the node are enumerated.<p>These passwords are then used to brute force attack the system. If one password is extremely common in the SOM, that common password should be in the resulting list.

&gt; <i>For the few passwords they do need to memorize, you should focus on making them dictionary-attack resistant, not just strong from an information theory perspective.</i><p>Information theory is exactly how you measure attack resistance (dictionary- and otherwise). The entropy measure in the XKCD comic already takes into account dictionary attacks. That&#x27;s the point.

It seems like the major gripe is against passwords like &quot;p@assword&quot;, not against passwords like &quot;correcthorsebatterystaple&quot;.<p>If you truly choose 4 words randomly, the number of possibilities is &gt; 1e24 (at least 1 million words in english language, likely not including slang or names).

I don&#x27;t agree with everything in this article and he glosses over some complex issues too quickly, but it is good to see such a reasonable discussion about actual password security in contrast to the pants-on-head mouth-breathing &quot;security&quot; standards of &quot;enforce changing your password every 12 weeks&quot; and &quot;your password must contain an upper and lower case letter, number, and special character.&quot;<p>There are people that believe those practices have positive effects on authentication security. Those people should be identified and prevented from ever making a security-related decision again.

&gt; What is there to prevent “letmeinfacebook” from being the new most common four word password for Facebook accounts?<p>This comment suggests the author doesn&#x27;t really understand the XKCD password scheme. The point is to choose four <i>random</i> words, not the first four words that pop into your head.<p>Also you cannot rely on an automatic-password-checker to tell the user their candidate password is weak: If it flags &#x27;password1&#x27; as a weak password the user will just switch to &#x27;password2&#x27; and <i>that</i> will become a common (ie. weak) password, at least until the password checker&#x27;s database is updated.

whilst i concur with the premise that passwords should die, saying that xkcd-passwords are hence incorrect would be like saying.. hi-dpi monitors are not better than their low-dpi predecessors - we <i>should</i> be using direct computer&#x2F;brain interfaces.<p>obviously, xkcd-passwords are an improvement, in many aspects, over the passwords many people tend to pick. but until a reliable, secure, and proven alternative shows up (which i&#x27;m hoping it will), there&#x27;s no need to muddy the what-makes-a-good-password waters.

On reflection, there&#x27;s a way you can force users to use &quot;something like a password manager&quot; - don&#x27;t accept a password; instead have them prove they hold a specific private key (and allow multiple, so they can revoke specific devices). This would seem to be a win on all counts over a password manager. The only thing it breaks <i>hard</i> is backwards compatibility, but if using individual passwords per site is so broken then that&#x27;s not something we really want to permit anyway.

I liked this article and largely agree with what it has to say, but I have a question related to a bit at the end.<p>The article recommends using multifactor authentication everywhere, which sounds great for keeping things extra secure. Recently, though, I got a new phone and I&#x27;m thankful that I only had two services for which I was using multifactor authentication because otherwise I would have had to remember to set up even more than those two services on my new phone.<p>Is there any good solution to that problem?

This reads like something from someone with a product to sell.

Good point and article.<p>I wish there was a de facto standard password manager&#x2F;data format (open source, free, works everywhere).<p>As it stands, there are many good ones, and it&#x27;s hard to choose <i>one</i>, even though any choice is better than no choice.

&quot;Ultimately, passwords should die&quot; - that would be nice, but passwords are like roaches... they&#x27;ll outlive us all :-) it&#x27;s the lowest common denominator. can&#x27;t ignore it or wish it goes away...

After reading that xkcd style password generation may not be as security proof as it sounds I decided to use Bruce Schneier&#x27;s method which is just mixing the first letter of each word of a personal sentence with special characters and number to make a password. Considering the quantity on information we leave on internet I fear it might be too easy for someone to parse everything I have written, every places I have been, and everything I have done to come close to the words that I might use to compose a password worthy sentence.

Maybe this would be a good time to plug my proposed solution to this problem:<p><a href="http://dswi.net/" rel="nofollow">http:&#x2F;&#x2F;dswi.net&#x2F;</a>

Linkbaity title from a PhD student with something to sell: the example cited was entirely correct about password strength, and is something the article author admits is important as it is the underpinning of using password managers.<p>&gt; Even if we entertained the XKCD comic and started training users to select four random words instead of a complex single-word password, I argue that it would not amount to a significant increase in security.<p>&gt; People are not very creative and tend to think the same way when choosing passwords.<p>He also completely strawmans the XKCD example: it&#x27;s not that you should pick four words yourself, it&#x27;s that you should use four randomly chosen words (using an RNG&#x2F;PRNG). In this sense, we&#x27;re just picking fewer random symbols we have an easier time remembering out of a larger symbol space, but this is functionally equivalent to picking passwords of random characters. That was the point of the XKCD comic - that a random chosen password is stronger than your l33tspeak choice of a word or two.<p>&gt; This means that we should stop blindly classifying password strength based on the number of bits of entropy3, and should consider first and foremost how dictionary-attack resistant the passwords is.<p>If you look at the right number of bits of entropy, then you get this property: a lot of entropy in the password means that the subspace of passwords it lives in is large, and that a dictionary probe of the space is unlikely to find it quickly. Dictionary attacks are just a particular form of brute force that prioritizes some kinds of passwords over others. In the case you actually followed the XKCD example, you&#x27;d have good resistance to dictionary attacks: your password is randomly placed in a large subfield of possible passwords, and the randomness removes any benefit of guessing particular words over words at random.<p>He&#x27;s still sticking to the strawman version of the XKCD comic, and attacking a much weaker idea than was actually presented.<p>&gt; This means that instead of a password strength meter you should be ensuring that there is no skew in the distribution of passwords. If each password is guaranteed to be unique, the advantage of a statistical guessing attack is greatly reduced.<p>He even admits that the solution actually proposed by the XKCD comic would mitigate the attacks he&#x27;s talking about, and only his strawman version doesn&#x27;t.<p>The rest of the article is obvious security cliches about password managers and 2FA.<p>I seriously suggest that this guy stop giving security advice that&#x27;s wrong and clearly just meant to market his own work.

I&#x27;d be interested to know how common &quot;correcthorsebatterystaple&quot; has become as a password now.

It seems that the real hacker scenario was forgotten. If the attackers own the system, they can do lot more than just steal password hashes. They can modify the system to store plain text passwords when users login as well as steal the information from the system(s), in many cases. Of course it&#x27;s easy to forget that there are sites with very different security levels. Others are just running without any monitoring and others have very strict IDS&#x2F;IPS, 24&#x2F;7 security &amp; intrusion monitoring staff &amp; systems, version control, configuration management, enforcement, monitoring systems, etc. I don&#x27;t actually even understand why people are so obsessed with this password topic. I personally consider passwords as shared random blobs. So what if it leaks? If I were the primary target of the attackers, they probably already stole the required information from the system(s), even without the password(s).<p>2FA doesn&#x27;t help either at all, if the system is completely compromised. The attacker(s) can easily circumvent it, because they probably already have full control of the system. Only way to get these things right, is tight layered security, internal protocols, etc. Why does the &#x27;site&#x27; anyway have full access to password(s). Shouldn&#x27;t there be secondary hardened authentication system, and only tokens passed? Does the system(s) containing the data, properly verify from authentication service if the user is allowed to access the data etc? These are endless topics, when it&#x27;s forgotten that there are systems with completely separate security requirements. Is 2FA enough? No? Do you run authentication client on smart phone? It&#x27;s computer, it&#x27;s hackable. There should be hardware token. Does the hardware token give you monotonic &#x27;non action independent&#x27; codes? It does? Well, that&#x27;s also fail. Because every authentication code should be based on the action &amp; content it&#x27;s authenticating. Otherwise you could authenticate something, you&#x27;re not aware about. Many systems fail on that scale too, completely. Of course there are secure solutions, but those are expensive.<p>Password managers are also bad solution, because those run on your computer &#x2F; phone, and as we know, consumer devices &#x2F; normal business systems aren&#x27;t ever secure. All are sitting ducks if attacker really wants to control those. Which also means that they can access your password managers content at will. Actually most important passwords in my password manager say something like, &quot;Do you really think I&#x27;m stupid enough to put the password here?&quot;<p>Passwords &#x2F; PINs are completely good part in multi factor authentication scheme where you have to know something. I often wonder why people prefer to disable passwords when using SSH key login? I personally think that key + password is better than key only, in case of the keys are stolen. Just my random blah thoughts about all this endless blah blah.<p>I&#x27;ve also seen many times, that the crackers have so many systems under their control, that they don&#x27;t even care to explore the content of the systems they&#x27;re owning. So they have missed the important stuff several times. Or they&#x27;re smart enough to let me to believe so. ;)<p>P.S. My bank doesn&#x27;t allow stronger than six digits password. But does it matter?

This article really disappointed me. It isn&#x27;t about how cryptographically &quot;horse battery staple&quot; is not correct, it&#x27;s more that passwords in general are the wrong paradigm for security.

I&#x27;m watching the work done by Steve Gibson with interest into a password replacement called SQRL. It&#x27;s just a spec and he is developing the proof of concept software, but as far as I know it is not a commercial venture at all.<p><a href="https://www.grc.com/sqrl/sqrl.htm" rel="nofollow">https:&#x2F;&#x2F;www.grc.com&#x2F;sqrl&#x2F;sqrl.htm</a><p>Abstract: The SQRL system (pronounced “squirrel”) revolutionizes web site login and authentication. It eliminates many problems inherent in traditional login techniques.

&quot;we just can&#x27;t memorize unique, strong passwords, for every single on-line service out there&quot;<p>... right. Apparently we don&#x27;t speak in a language with an absurd amount of subtle differences that need to be remembered (one example is punctuation, and all the subtle rules with punctuation as well). We also apparently don&#x27;t memorize other things such as face recognition, navigation, mathematics, physics, x amount of movies, actors, actresses, favourite foods.<p>Unfortunately, according to the article, we can&#x27;t remember around 50 to 100 twenty digit passwords with pieces of singular information we already have memorized.<p>The article looked promising, oh well.<p>Also, the article is supporting password managers. Which is the equivalent of thinking that a smart idea would be to basically archive all of the password information into one tiny little hackable program.<p>Yeah, great plan. Is this really coming from someone with these kind of credentials?<p><a href="https://diogomonica.com/about/" rel="nofollow">https:&#x2F;&#x2F;diogomonica.com&#x2F;about&#x2F;</a>