Twitter
Solving the Weak Password Problem
How effective are passwords?
It is common knowledge that passwords generated by humans are very predictable. We can create lists of words based on predicting what kinds of things we think people will put in their passwords. These lists can then be used to very effectively guess human generated passwords.How do we solve this problem?
The best way to solve this problem would be to educate users on how easy it is to guess passwords they make up, and teach them how to create stronger passwords. Although effective, this doesn't work for the majority of computer users. Most users don't have time to create and remember strong passwords.Currently, we solve this problem by forcing the user to create a password that contains one or more digits or symbols. This doesn't work that well either. Most users will turn a password like "iloveyou" into "iloveyou1" or something similar. Forcing users to add digits or symbols helps, but it doesn't stop the passwords from being predictable.
How should we solve this problem?
Humans aren't good at creating random data, but they are good at remembering it, beleive it or not. Most people are capable of remembering friends' phone numbers and can easily recall them when they need to make a call. We can use this take advantage of this ability to make passwords a lot more secure.What we should be doing is giving the user a second password to accompany their regular password. This second password should be short, and easy to memorize. More importantly, it should be random. The combination of a password of the user's choice, and a short but random password will make dictionary attacks MUCH harder.
The password should...
- be made from high quality random data
- use a small character set so memorization is easier
- be short enough to memorize, but long enough to be secure
- in some way be related to the service the passwords is for (e.g. Paypal's would all start with pp)
When all of these conditions are met, most people should be able to remember the password and which website/service the password is for.
An example registration page would look like:
| Username: | |
| Password: | |
| Choose a PIN to remember: | ppzqt2ppuz3cpp7417711ppwgta |
| Verify PIN: |
The login would look like:
Username: Password: PIN (starts with pp):
In this case, we are presenting users with four options. This should let the user choose a sequence that they are more likely to remember. To help the user remember, we could also provide a phrase that matches up with the random password. We could even have them type it over and over again. But if users are typing it in every time they log in, it shouldn't be long before it's stuck in their memory.
Forcing the user to remember a short random password is MUCH better than forcing them to use special characters. In this case we are adding approximatly 18 bits of entropy to their original password. Each password is approximatly 20 bits, and two bits are subtracted because the user is allowed to choose between four of them. We must assume that this choice is completely predictable. This makes dictionary attacks 2^18, or 262144, times harder. A dictionary attack that could be completed in 10 mintues would now take nearly 5 years! It would also force rainbow tables and hash databases to be much larger. A 1GB database would now require 256 terrabytes of space.
