February 2nd, 2014, 02:31 PM
Are insecure passwords really so insecure?
Certain types of passwords are often "proven" to be insecure because they can be found in a few minutes or seconds in a database of common passwords. Any time you use a password on the web, however, you have to enter it at a login, click on "Submit" (or the equivalent), and wait a second or two for the system to grant or deny access. Plus, the password has to match the username. Trying even half (on average) the passwords in the password database (plus all the permutations with possible usernames, assuming the attacker is guessing those, too) under these conditions would take much longer than a few minutes. Plus, many sites will lock you out for some period of time if you try to login with the wrong password more than x times in a row. So, aren't even "insecure" passwords more secure than typically suggested?
February 2nd, 2014, 03:55 PM
it's naive to assume that the attacker will go to the login form and manually try out different passwords.
The first thing an attacker would do is try to get access to the database itself. Given the awful security of many websites, this might very well work out. Now there's no delay and no lockout mechanism. It all depends on how strong the passwords are and how they're stored:
- If the passwords are stored as plaintext (yes, people still do that), the attacker has already won.
- If they're hashed with something like MD5 or SHA, only the strongest passwords will survive. The attacker can try out billions(!) of passwords per second on an average gamer PC, so any alphanumeric stuff is broken in a matter of minutes.
- If the passwords are hashed with a strong algorithm like bcrypt, things are slightly better. The attacker will be slowed down to a few thousand attempts per second on an average PC. This doesn't help weak passwords, but relatively strong ones may survive the attack.
If the attacker does not manage to break into the database, they still have many ways to efficiently attack the passwords. They can reduce the number of attempts by using smart patterns instead of blindly trying out characters. Or instead of trying 100 common passwords on 1 user, they'll try 1 password on 100 users (using automated HTTP requests, not the GUI). Many applications fail to recognize this, so their artificial delays and lockout mechanisms can easily be circumvented.
Long story short: No, insecure passwords are not “more secure than typically suggested”. If you're running around with, say, 6 alphanumeric characters or even a word, you're screwed in every scenario. You need a long random password which is unique per user account. Since humans simply aren't made for coming up with and remembering hundreds of random strings, I'd recommend using a password manager like KeePass. Personally, I always use 16 randomly generated bytes as a password.
But as I explained above, a strong password itself isn't enough. The website owner has to take care of using a strong password hash algorithm (like bcrypt) and getting the application security right.