LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Secret answers as insecure passwords

[Posted February 23, 2005 by corbet]

Here at LWN security headquarters, we have received hundreds of messages from readers with one crucial security question on their minds: how was Paris Hilton's T-Mobile account cracked? Well...OK...maybe we haven't received quite that many messages. But we're sure people will want to know. Turns out that OSDir has the answer. Apparently T-Mobile's site has a "secret answer" mechanism for people who forget their passwords. Ms Hilton's "secret answer" was her dog's name. Bitten again.

Wherever there is a potential security problem, there is inevitably a Bruce Schneier column warning about it. In this case, Bruce notes:

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

Passwords may well be heading toward the end of their useful life, but "secret answers" are not necessarily a demonstration of that fact. Many web sites (or other interfaces requiring confirmation) go out of their way to prevent the use of insecure passwords. Some site developers put considerable effort into creating novel rules for passwords. Then they add a "secret answer" mechanism which bypasses all of that.

The real issue here, perhaps, is that an authentication interface should actually control access to the resources it protects. Back doors are never good for the security of a system, and a "secret answer" scheme is really just a form of back door. If you provide a way around your password interface, you should not be surprised if attackers use it.

(Log in to post comments)

Secret answers as insecure passwords

Posted Feb 24, 2005 9:54 UTC (Thu) by ekj (guest, #1524) [Link]

It is true. Sometimes such a secret question can be a backdoor. Obviously that is the case if knowing the answer to that question gives you the same access as would knowing the password.

A better solution is the one the University of Bergen uses on their webpages. There *is* a "secret answer" that you can use if you forgot your password. BUT -- and that's a big BUT. Knowing this won't give you access to anything. All it will do is change the password to a randomly generated string. This new password will arrive with you by way of postal mail to the adress you've registered with the university.

That said Bruce is correct: Passwords are no longer enough for high-security applications. That is so because of three trends:

  • The strength of password that can be brute-forced and/or dictionarily attacked goes up all the time because of quicker computers.
  • The *number* of passwords the average person is being asked to remember is growing extremely fast.
  • There are natural limits to how long, how random and how many passwords people will remember.
If you choose passwords only from a-ZA-Z0-9 plus the 24 most common special characters, then you get 6 bits of entropy from each character, assuming the password is randomly choosen.

If you decide your security-needs demand a complexity of 2**64 for a break your're going to have to force your users to have 11-character randomly generated passwords.

People have a *very* limited tolerance when asked to remember passwords like (qA2lÆ8]%@m

With self-selected passwords (assuming you check that they're not derived from dictionary words) you're lucky to get 5 bits of real entropy from each character, so self-selected "non-dictionary" passwords would have to be atleast 13, probably 14-15 long to give the same security.

And this problem will only get worse. It's obviosu that sooner or later this is going to be a problem. I'm with Bruce on this one: Sooner.

Secret answers as insecure passwords

Posted Feb 24, 2005 10:11 UTC (Thu) by NAR (subscriber, #1313) [Link]

The *number* of passwords the average person is being asked to remember is growing extremely fast.

Oh yeah. One password for the UNIX network, one for the Windows network at the workplace. One PIN code for the private mobile phone, one for the company-provided phone (not the mention the PUK codes). One PIN code for my private credit card, one for the company-provided card, one for my mother's cards. One password for the ISP to log in, one for remote access to the company. There is also a password for the internet bank site. And then comes the various passwords at sites like lwn.net or amazon.com...

Bye,NAR

The *number* of passwords

Posted Feb 24, 2005 11:47 UTC (Thu) by PaulDickson (subscriber, #478) [Link]

I'm going through the process of changing my E-mail address due to SPAM.

I made a table of just my web passwords, so far there are 47. Some had
passwords that did not match what I'd written down previously.

I am also subscribed to 100+ mailing lists. Updating the E-mail
addresses has taken about 16 hours so far. The best was RedHat, on
which I had several lists. They use mailman 2.1, so I was able to
update all of them in one request/confirm cycle (mailman 2.1 also mails
out password reminders monthly, which I kept). Others like those on
SourceForge (which uses mailman 2.0) forced me to do an unsubscribe/
confirm and then a subscribe/confirm cycle for each list. Doing all
these mailing lists was so labor intentsive, I did not track the data
from them.

Gross overestimates

Posted Feb 24, 2005 15:23 UTC (Thu) by ncm (subscriber, #165) [Link]

The above analysis vastly overestimates the entropy in user-selected passwords. Most analyses report less than two bits per character of useful randomness in user-selected passwords, so a typical password has well under 16 bits worth, often no more than your typical PIN. (Short PINs are considered OK where they would have to be tried manually, but passwords can often be hammered at exhaustively with no one noticing.)

A helpful bit of advice that was lacking both above and in Schneier's column was to ask for a "passphrase" rather than a "password". One word yields only a few useful bits. Three words yield plenty of bits, yet are much easier to remember than the typical base64 randomly-generated passwords. The only technical addition needed to support passphrases is not to throw away everything after the 8th character, as UNIX did (and, who knows? may still). Beyond that, it helps to actually check if the phrase chosen has enough entropy to provide useful security, and whether it appears in Bartlett's.

Gross overestimates

Posted Mar 4, 2005 0:35 UTC (Fri) by barrygould (guest, #4774) [Link]

AFAICS, Bartlett's is not freely available.

Barry

Secret answers as insecure passwords

Posted Feb 24, 2005 17:11 UTC (Thu) by skx (subscriber, #14652) [Link]

Sounds like that approach is good - but it too can be abused.

If I guess your "secret answer" I've effectively turned your working account into an account with a random password, which you can not login to now.

This maybe just be a minor inconvience the first time, but imagine if I did it over and over again? Worse still, imagine you were travelling and couldn't check your postal mail?

Steve
--
Debian System Administration

Secret answers as insecure passwords

Posted Feb 24, 2005 17:24 UTC (Thu) by Ross (subscriber, #4065) [Link]

Yes, good point. It allows a DoS attack. These "remembering" questions
have always made me uncomfortable. I especially hate sites that force you
to use them or even worse force you to use one of their questions. Almost
all of the examples use information which can be easily obtained. I
usually fill it in with random garbage which I don't bother to remember.

But anyway, about the DoS problem, how about not allowing the password to
be reset again until the first new password has been used at least once or
24 hours have passed, whichever comes first?

Quicker computers

Posted Feb 24, 2005 17:20 UTC (Thu) by Ross (subscriber, #4065) [Link]

I have to disagree with that statement.

You are essentially saying that a password can be cracked more quickly with
faster CPUs. That would be true for running crack on an encrypted password,
but in most of the cases that matter today an attacker doesn't have access
to the encrypted password.

So sure, if you don't trust root on the system or if you find an exploit
that reveals the contents of /etc/shadow or similar files what you say is
true. But in those cases there are other security failures that are more
alarming.

Any password authentication mechanism needs to throttle the number of
attempts. This means that no matter what the CPU speed is the number of
guesses which can be made per minute is the same. Something like allowing
three guesses in a burst followed by only one guess per minute until no
guesses have been made for one hour drastically limit the "crackablility"
of accounts. Similarly many sites lock (blacklist, whatever) accounts
after a certain number of consecutive authentication failures. This has
DoS possibilites but it also limits the number of guesses which can be
made. Rate limiting can also be applied by the source of the guess: by
tty, IP, or whatever. Admins should be notified about attacks so they can
take action. Users should have to change their passwords. Sites which
allow high rates of password authentication guesses should only allow the
same password to be kept for a short period of time.

In other words, I'm not sure what you are talking about with the number of
bits only being secure while computers are slow. The rates in question
have little to do with CPU speed or bandwidth and much more to do with
the number of guesses -- and the number of guesses can be arbitrarily
limited to whatever wall-clock time you want. In other words, it's not
about breaking cryptographic algorithms.

Quicker computers

Posted Feb 25, 2005 17:11 UTC (Fri) by rgoates (guest, #3280) [Link]

Throttling password attempts is a good idea, and it seems to be commonly used. But I disagree that users should be required to change their passwords (except when a password has actually been broken). The only benefit of changing my password every 30 days, for instance, is that it limits the length of time a cracker can access my account to an average of 15 days. That is hardly useful. In fact, frequent password changes will most likely reduce security by encouraging users to keep their passwords written down in convenient (read vulnerable) locations.

IMO the conventional wisdom of requiring periodic password changes is seriously mistaken. Much better to put effort into quickly detecting breakins and THEN requiring a password change.

Quicker computers

Posted Feb 28, 2005 5:40 UTC (Mon) by Ross (subscriber, #4065) [Link]

Detecting breakins is important, but it can only mitigate damage, not
prevent it, which is what we really want to do. Forcing users to change
passwords not only limits exposure when their passwords are compromised by
an attacker who doesn't cause any obvious damage, it also prevents their
passwords from being guessed in the first place.

It ties in with throttling: you are limiting the number of guesses on a
password. Throttling limits it to a certain rate (g/s: guesses per second)
and forcing password changes puts an upper limit on the number of seconds.
This means you can set an absolute limit on the number of attempts (no
matter what CPU speed).

Quicker computers

Posted Mar 6, 2005 5:59 UTC (Sun) by rgoates (guest, #3280) [Link]

Ross, I'm late seeing your reply, for which I apologize. I agree with your point about the importance of throttling password attempts. With reasonable throttling it will take a long time to crack a good password by brute force. And it should take at least a few hundred thousand attempts to reliably brute force a good password. Actually, 40**6 sounds like a reasonable number. That many failed attempts should be raising alarms somewhere. There should be enough time to be aware of the problem and take action. Before the password is compromised.

One could argue that a combined brute force attack on thousands of passwords at once could provide a reasonable chance of success at compromising one of the passwords. But that kind of activity should be pretty obvious as well, allowing counter measures.

I suspect non-brute force cracking attempts, such as used in social engineering, are much more likely to be successful given a well monitored system. But I believe requiring users to change passwords frequently makes such non-brute force attempts even easier. Not to mention putting quite a burden on users.

Secret answers as insecure passwords

Posted Feb 25, 2005 16:24 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I've never understood the logic behind this kind of secret question. If your backup password is the answer to the question, "what is your favorite pet's name?" then why not just make that name your password? The secretq question just seems to take the problem of obvious passwords and make it much worse. I believe a better system is one where you choose your password and then enter a hint of your own choosing as to what it is. And the system should offer some advice, so the less skilled aren't as likely to choose the name of a well known pet. A bit of uninteresting history from your childhood should be quite secure.

But I'd still rather see a system where I don't need a password on every system I use.

Secret answers as insecure passwords

Posted Mar 5, 2005 12:29 UTC (Sat) by k8to (subscriber, #15413) [Link]

Inserting bogus answers into the "secret answer" field is not without its problems.

Since you will never be asked for this information to log in, it will not stay in your active memory. You could write it down, but then you've committed access-equivalent information to paper/disk/what have you. If you make it the same as your actual password, then you effectively disable the service, which is similar to entering in completely random data.

The problem with disabling the service is your faceless megacorp may use your inability to remember your nonsense backdoor password against you in an attempt to deny services to you later. I've been down that road.

Secret answers as insecure passwords

Posted Mar 4, 2005 10:22 UTC (Fri) by pcampe (guest, #28223) [Link]

There are some tips you can use to avoid being flooded by dozens (hundreds) of different passwords for each service you have to be authenticated with:

1) Think in term of "domains": service of the same level of security, managed by respectable and professional people, could share the same password. So you have a unique password for your operating system (a very complex password, but this is not a problem as you log in every day), a unique password for you primary e-bank account, e-mail system, and the same password for each "no mission critical" e-service you use: you don't need 100 different password for 100 different mailing-list, possibly except the 1-2 very critical for your business.

2) if you still want to have different password, think to them as made by a basepassword and then a password _deterministically_ derived from the site's name, i.e:

xtt11amazon for amazon
xtt11lwn for lwn.net

and so on. Practically speaking, they are stronger as usual password, as long as none of the parties suffers a security breach.

Secret answers as insecure passwords

Posted Mar 4, 2005 12:05 UTC (Fri) by job (guest, #670) [Link]

The base + sitename password scheme seems trivial to crack. An attacker
who stole your logins from lwn would probably try substituting "lwn" to
"ebay" to login there. It should be regarded as insecure as having the
same password, imho.

I agree

Posted Mar 4, 2005 20:21 UTC (Fri) by Ross (subscriber, #4065) [Link]

Yep, especially when the password is not hashed before sending it to the
server. This should only be considered an improvement over using the exact
same password on multiple sites. It's only an improvement because it does
add a very small degree of resistance against programmed attacks, though
anyone personally targetting your account would easily see the pattern. You
really don't want to depend on that for data you care about.

Secret answers as insecure passwords

Posted Mar 5, 2005 15:10 UTC (Sat) by pcampe (guest, #28223) [Link]

> The base + sitename password scheme seems trivial to crack. An attacker
> who stole your logins from lwn would probably try substituting "lwn" to
> "ebay" to login there.

This requires that:

a) the attacker must know that I have an account on ebay, and its name (not easy to derive from my account on lwn);
b) lwn has been exploited by the attacker;

Altough b) could happen, it's not very likely for well managed sites.

But if you want to be very strict on security, you can use some (2-3) different base passwords for sites of different level of security. Also, the algorithm to produce the site-specific part of the password could be somehow involved, an example "amazon" -> mzn "Linux Weekly Newsletter" -> iuek (odd letters).

I perfect understand that this approach reduces in fact the password length to te length of the basepassword, but I believe that is better than having a unique password (too easy to crack) or hundreds of password (too hard to remember).

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds