
Roger Grimes, Columnist

Reader responds to my column on MySpace Password exploit

Analysis | Feb 20, 2007 | 5 min read | Topics: Data and Information Security, Security


Reader, George Shaffer, responds to my comments on passwords.

George responded to my column on the Myspace Password exploit and passwords in general.

Here’s George’s email:

Roger,

No word that can be found in a dictionary is safe. And for these purposes a dictionary is any electronic list of words. chartreuse is not safe just because it is not a commonly used password. While all common passwords are easily cracked the inverse is not true; being uncommon is of no value whatsoever in making a password difficult to crack. Common passwords are easily cracked because crackers put them in their dictionaries.

Chartreuse appears in the current Red Hat dictionary (linux.words). It also appeared in the 2001 linux.words dictionary (probably also Red Hat), as well as a much smaller English words list (origin forgotten), that were among the many dictionaries and word lists that were used to populate my “database” for my Password Evaluator at http://geodsoft.com/cgi-bin/pwcheck.pl which I placed online in March 2001.

If you want to understand how crackers crack passwords you may want to read my “An in Depth Analysis of Good, Bad, Strong and Weak Passwords, Password Cracking Techniques and How-To Reduce Password Vulnerabilities” at http://geodsoft.com/howto/password/. The entire section is on the order of 50 printed pages, and is the most comprehensive discussion of passwords I’ve found online. You can pick and choose from sections that may interest you. I’ll take a look at Mark Burnett’s book if I can get into my local library’s online database, and the Microsoft articles as well. I was not favorably impressed by their password article in which they referred to me and my website (search Google with ‘”george shaffer” site:microsoft.com’).

chartreuse is bad for a second reason. You have listed it as “a relatively safe password choice.” This automatically makes it a bad password. Crackers will grab any password they see listed in any public source and add it to their core dictionary. People who read your article are much more likely to use chartreuse than any randomly selected word from a modest size dictionary such as linux.words.

If I were to suggest that Ggabm2!qat was a good password on my web site, even though it meets all normal tests of a good password, I have ruined it as a password. When an apparently authoritative source says a password is good, you can be sure that some readers will use it as a password. The small increase in chance that that character sequence will be more likely used than all other possible sequences (of similar length) makes it worth including in the dictionary of first resort used by a cracker.

Depending on the target, a cracker may use multiple dictionaries starting with tens of thousands of words and working up to millions (unabridged and/or multilingual). A 45,000 word dictionary (the size of linux.words) on a fast desktop with 10 variations per word will take less than a second to process. While it’s true that users who use easy 6 or 7 character passwords will almost certainly not use my sample password, someone looking for a good longer password with mixed case, digits, and symbols or punctuation, who read my site, is more likely to use this than another arbitrary equal length sequence.

This was generated with my fully configurable Password Generator http://geodsoft.com/cgi-bin/password.pl. This password deliberately has two consonant vowel consonant sequences separated by two non letters.

This aids in remembering strong passwords. Capital letters also tend to be at the beginning or end of a letter sequence in several of my predefined patterns, but it’s pretty much chance between which or both sequences and which end, and on some rare occasions all ends.

By changing the options, my password generator can create totally random character sequences limited in length only by screen readability. As an experiment I’ve generated fully random 400 character “passwords,” but totally structured 6 or 8 or any other arbitrary character length can also be created. A control pattern can also create passwords of highly variable length, though variation of more than a few characters does not make sense, because those who want 7 character passwords are quite different than those who can live with 12 character passwords. Letters, consonants, vowels, case, alphanumeric, digits, symbols and punctuation, non letters, and all displayable characters, are some of the pattern categories that can be used to structure a password. The probability that each pattern type will appear at its designated location, or repeat 2 or more times, is fully configurable.

From the blurb that I read on Mark Burnett’s book, my password generator is designed to do automatically what he teaches users. It allows a user any degree of structure that they require, but with the randomness of the selected characters, that a computer but not a human brain can generate. By default it shows 10 at a time and if you don’t see one that looks reasonably easy to remember, you can refresh and get a new set, or try a new pattern.

This all started with the State Department’s password generator in the 1980’s which generated passwords in the form of CVC99CVC, or two sets of consonant, vowel, consonant, separated by two digits. Both ends pronounceable, with three easy to remember pieces. Very advanced by the standards of the day but pretty weak now if a cracker suspects such a pattern is being used.

The evaluator checks for dictionary words and all the transformations that cracking tools can do plus some they cannot yet, as well as every kind of character sequence. It’s very rigorous with the default settings but can easily be relaxed.

George Shaffer

For my GnuPG key ID and fingerprint see http://geodsoft.com/about/


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
