Your passwords don't suck, it's your policies

Summary: A developer has created a password analysis tool that examines patterns to determine password strength and concludes password-creation policies are the real enemy of solid passwords.

Passwords stink because policies for creating them typically focus only on composition and can't measure strength, according to developer Cameron Morris.

The time it takes to crack a password is the only real way to determine its strength and value, said Morris, a developer at defense contractor Partnet.

And to prove it, he created an open-source tool called Passfault that predicts the time it takes to crack a specific password. And he invites administrators and end-users to try both the Analyzer and the Password Creation Slide-Tool.

Passfault's slider tool sets policy based on password strength

"I had spent 30 minutes creating a password that would be hard to crack, but then I realized it would expire in 30 days," said Morris, who began building his tools three years ago. "I thought wouldn't it be neat to set password expiration based on how strong your password is, but I couldn't find a way to measure that," he said.

In January, Morris turned his Passfault project over to the non-profit Open Web Application Security Project (OWASP) in the hopes a community of developers will help improve the software, add new languages and expand its dictionaries.

He currently has Java and JavaScript Object Notation (JSON) versions and is planning a JavaScript version.

Morris is challenging common notions about creating strong passwords by examining patterns instead of using policies based on letters, numbers and special characters.

A 2011 Carnegie Mellon University study showed that password creation policies actually made it harder to create a strong password and that password length was the only significant variable influencing strength.

Morris's goal is to make password strength measurable and easily understood. Passfault shows that the right patterns beat a capital letter and an ampersand every time, he says.

Passfault identifies dictionary patterns (English, Spanish), including mixed-case words, substituted or inserted special characters, misspellings, and words spelled backward. It also examines keyboard patterns (U.S. and Russian), including horizontal and diagonal sequences and repeated keys, as well as data patterns.

Passfault examines a password then calculates the number of passwords that could exist with similar patterns. Morris calls it the "measurement of password complexity."

Passfault's Analyzer spits out a "time-to-crack" grade after a user enters their password. Time-to-crack represents how many passwords fit in a particular pattern. The slider tool lets admins calculate strength by pattern size, type of password protection, and an estimate of cracking hardware used by hackers.
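The pattern-counting idea described above, as an added Python sketch that is not Passfault's own code: it finds dictionary words (allowing leet substitutions, mixed case and reversal) and keyboard runs, treats everything else as a brute-force run over the character classes in use, multiplies the pattern sizes into a "passwords in pattern" total, and divides by an assumed guess rate. The word list, the dictionary size, the keyboard rows and the guess rate are constructed assumptions, so the absolute numbers are illustrative only.

```python
import math

# Constructed assumptions: tiny word list, real list size, leet table, keyboard rows, GPU rate.
DICTIONARY = {"cracked", "password", "horse", "staple", "battery", "correct"}
DICT_SIZE = 50_000
LEET = str.maketrans("0134@$", "oleaas")
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
GUESSES_PER_SECOND = 1e10

def _charset_size(s):  # size of the character classes the run actually uses
    return sum(n for t, n in ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
                              (lambda c: not c.isalnum(), 33)) if any(t(c) for c in s))

def _dict_match(pw, i):  # longest word (>= 3 chars) at i; leet, case and reversal allowed
    norm = pw.lower().translate(LEET)
    for j in range(len(pw), i + 2, -1):
        chunk = norm[i:j]
        if chunk in DICTIONARY or chunk[::-1] in DICTIONARY:
            variants = 2 ** ((chunk != pw[i:j].lower()) + (pw[i:j] != pw[i:j].lower())
                             + (chunk not in DICTIONARY))  # each trick doubles the pattern
            return j, DICT_SIZE * variants
    return None

def _keyboard_match(pw, i):  # longest run (>= 3 keys) along one row, either direction
    for j in range(len(pw), i + 2, -1):
        chunk = pw.lower()[i:j]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return j, 2 * sum(len(r) for r in KEYBOARD_ROWS)  # start key x direction
    return None

def find_patterns(pw):  # greedy scan -> [(kind, substring, passwords_in_pattern)]
    parts, i = [], 0
    while i < len(pw):
        d, k = _dict_match(pw, i), _keyboard_match(pw, i)
        if d or k:
            j, size = d or k
            parts.append(("word" if d else "keyboard", pw[i:j], size))
        else:  # no pattern here: a brute-force run until the next pattern starts
            j = i + 1
            while j < len(pw) and not (_dict_match(pw, j) or _keyboard_match(pw, j)):
                j += 1
            parts.append(("random", pw[i:j], _charset_size(pw[i:j]) ** (j - i)))
        i = j
    return parts

def total_passwords(pw):  # Morris's "measurement of complexity": product of pattern sizes
    return math.prod(size for _, _, size in find_patterns(pw))

def time_to_crack_days(pw):
    return total_passwords(pw) / GUESSES_PER_SECOND / 86_400
```

With these assumptions "cracked1!" collapses to one dictionary word plus two brute-force characters, while a four-word passphrase multiplies four dictionary-sized patterns together, which is the effect the article describes.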

He chuckles at Facebook's "weak" grade for the 35-character password Morris created from the first letters of a random phrase, compared with Facebook's "strong" rating for a password that fits its creation policy but uses the common word "cracked" followed by a "1" and a "!".

The pattern of the latter can be cracked in less than a day, according to Passfault.

Time-to-crack evaluations, he says, identify weakness and expose the true risk passwords pose to a company or organization.

Of course, Passfault is only about creating passwords, not protecting them. Recent hacks have resulted in the theft of passwords from company databases, including well-publicized hacks of Sony and Zappos. One issue is that end-users typically re-use passwords on multiple sites, which increases exposure if their credential is stolen.

A standards effort called OpenID is advocating that Web sites get out of the password business and rely on a set of identity providers that would validate credentials for users visiting their sites.

Passfault could potentially help those providers combine stronger passwords with their ability to protect the credential itself. It is also aimed at enterprises that want to minimize risk and help end-users create strong passwords.

"I have a Google Alert on password strength, and it's fun to see people giving advice," says Morris. "The Passfault approach changes the advice we should give out."



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Well, nice to know I've got good passwords

    At least according to this thing. One of my old PWs checked out at 2.7774319233443633e+23 centuries to crack. The one before would have taken a day. Thank you xkcd for your wonderful password advice.
  • Well, this guy proved the obvious: that only totally random symbols ...

    ... passwords are reliable enough. Any passwords that use actual words or names are weak because these words are parts of dictionaries crackers use to unlock protected data.
    • I'm Wondering if true.....

      I tried my normal password consisting of a made up not in dictionary pseudo-word plus symbols plus numbers and it returned as less than a day.

      I tried my backup - first letter of each word in a sentence plus a symbol plus a number and it came back as 214765 centuries.

      Both have the same general format and the same number of characters but wildly different results.

      What am I not seeing?
      • It will show you which patterns it finds

        It will show which patterns it finds. Mouse over the pattern sign and it will show more details of the specific pattern. If it doesn't find any patterns it will calculate how many passwords fit in the character set. It might have found a misspelled word in the not-in-dictionary-pseudo-word.
      • Saw the results

        c-a-m - true and I found them strange. It was matching 2 and 3 letter groups to larger "dictionary" words. Example: it showed "uga", a couple of letters in the middle of my made up word as matching Uganda and "ro" (another two letters) as matching Rock. I think my biggest aspect is I am not sure how it is determining the result. Personally I am not seeing any difference between a bunch of letters and a fake word.

        Example: rorokuga.6 nets 27yrs while tqbfjotld.6 nets 214765 centuries
      • Same general format...NOT!

        Quoting you: "Example: rorokuga.6 nets 27yrs while tqbfjotld.6 nets 214765 centuries"

        You say you see no difference between "rorokuga.6" and "tqbfjotld.6"
        But the first pwd has alternating consonants and vowels, a very, very common pattern in natural languages, whereas the second pwd has only one vowel.
        The alternating consonant-vowel pattern makes the first pwd easy to pronounce -- and thus remember-- which is both convenient AND a huge weakness. The second pwd is unpronounceable and has consonant clusters atypical of a natural language, which is precisely why it is stronger than the first pwd.
      • RE: Results

        Rhonin, the difference in your examples is that "rorokuga.6" follows general patterns of words in English, i.e., you have a consonant followed by a vowel: ro-ro-ku-ga. "tqbfjotld.6" violates several rules of English words, i.e., you have "q" without a "u" following it; only one vowel, and so on.
    • Several dictionary words work too

      Actually I was surprised to find that 4 or 5 dictionary words together work great. And it is easier to remember. Another great pattern is misspelled words, it turns out there are a lot of ways to misspell a word. So if you are a bad speller, you'll have better passwords!
    • You actually missed the point.

      You actually missed the point.

      Morris says this on his page:

      "We believe passwords can be less annoying, more intuitive, and useful."

      So he's believing that he can actually make passwords less annoying and more intuitive.

      And I agree, that can be done. But we have to retrain people to focus on length more than complexity. We've been pushing this idea of "the only good password is one that is so complex it's impossible to memorize" for far too long.
    • Wrong

      the xkcd example "horse staple battery correct" consisting of only common words gives the result:

      "Time To Crack:
      10374928 centuries
      Total Passwords in Pattern:
      31 Sextillion"
  • Still Misses the Issue

    It's usually not the strength of the password, it is the infrastructure you use to manage all of them. The average user has so many different passwords, password formats, pin numbers, etc... they opt for the easiest method to keep track of and manage them all. Depending on the situation, a password manager may help (for me at home yes, for work no (not allowed)).

    So strength and complexity is nice but misses the driving issue.
    • This whole issue is a tough nut to crack

      Any way you look at it. Sadly.
    • depends how you define password manager

      Do you have Excel at work? If so, does group policy allow you to save workbooks with file-open passwords? If so, there's your password manager.

      At work I can access Lotus Notes e-mail directly when connected to the company network or via Citrix remotely. In the former case, I can use any password I want, and I use a long but memorable password which the tool shows would take 14 centuries to crack. In the latter case, I have to use a password which would work on the company mainframe, and given those restrictions, my current password would take less than 1 day to crack. Yes, some policies are really stupid.
      • It does, I do, Not allowed by Policy

        I hear you. At work I have 23 passworded systems that fall into 14 different password format rules and expiry timeframes. A list, while not allowed, is the only way I can keep them straight. Now I have to manage the list. And the list backup..... :D
      • Excel

        That is exactly what I do. PW protected spreadsheet. We also have access to encryption software, including Secure Zip if desired.
    • Limitations

      I once tried using a 96 character password at work only to find out that our old finance system, that shared our passwords, had a 32 character limit...
  • ya right

    The average person is supposed to have this elaborate and confusingly long password that is impossible to type little lone remember. Ridiculous. These security buffs just ignore practical thinking.
    • Disagree

      You don't need elaborate passwords, that is the purpose of the project. XKCD describes it best: This is a password policy tool that will enforce XKCD-like passwords

      This could actually simplify your passwords. Just use a secure pattern: pass-phrases, misspelled words, something you could actually type on your cell-phone!
    • Sorry, correcting grammar...

      It's 'let alone' not 'little lone'
      • Is this a spelling class?

        No, it's a message board. Get over it.