There’s been a lot of snark going around the last few days over this password help screen from the Texas Attorney General’s Child Support Services Web Page. Child Support Services are, of course, doing the best they can to preserve the privacy of the children involved but their rules for passwords display some fundamental flaws:
- An entropy limiting hard limit of exactly 8 characters.
- Limiting special characters to
@,#, and$. - Additional rules that are there ostensibly to increase entropy but actually decrease it by limiting the number of patterns a legal password can have.
- Not hashing the passwords so they can enforce password reuse rules.
All this is standard stuff that I and many many others have written about before.
Sadly, those of us writing about the issue are not blameless either. In an otherwise excellent post, Rituraj over at Random Ramblings says that the scheme, recommended by the famous xkcd cartoon, of using random dictionary words is “…surely difficult to crack using brute force. But can be cracked using dictionary attacks.” Presumably he thinks this because the words are in a dictionary and hence known1.
But it’s not true that knowing the dictionary from which the words are drawn makes the password vulnerable to a dictionary attack anymore than knowing the letters from which a “normal” password is composed makes it vulnerable to a dictionary attack. Suppose you had a list of 94 words that you use to make your multiword password and suppose that you use 6 words in your password. Then you have 946=689,869,781,056 possible passwords. Now suppose you choose a six character password from the 94 possible characters on the typical keyboard. Again, you have 946 possibilities so there’s no difference between the systems. But, you say, you know the 94 words so you can mount a “dictionary attack,” whatever that means. The same is true of the second method: you know the 94 characters so you could mount an exactly analogous dictionary attack if one existed. In the first case you have an alphabet of 94 words (just think of them as symbols) and in the second you have an alphabet of 94 characters. It’s exactly the same thing.
Now let’s be a bit more realistic. The Unix list of dictionary words (/usr/share/dict/words) on my machine is 235,886 words long. After folding case and eliminating duplicates it’s 234,371 words long. If we choose 131,072 (=217, the highest power of 2 less than 234,371) of those words, a password of 4 random words from the list would have 72 bits of entropy as compared to just over 26 for a 4 character password (remember that increasing the entropy by 1 doubles the strength so this is a big difference). If we use the more realistic 6 symbols for each password we get 102 bits of entropy for 6 words as compared to just under 40 bits for the 6 characters. We’d need a password of about 16 character to match the strength of the six word password.
Rituraj rightly notes that one of the problems with the Child Support Services password policy is that it tends to require hard to remember passwords and so the user faced with several such passwords will pull out the Post-its and completely destroy all security. Troy Hunt has posted on this problem (my commentary here) and says that the only viable method is to use a password manager and a single high-entropy password for it. This is, I think, correct but good luck trying to get your average user to implement it; password and 123456 are so much easier.