Friday, February 03, 2012

Minimum Password Length POO

(Picture from fileformat.info, showing U+1F4A9)
Looking at the wonderful new character named "Pile of Poo" in Unicode 6.0 (not 6.1, as re-tweeted by many...), I think my spontaneous competition on Twitter on Jan 31 became even more fun to write about. While I still owe you a post with loads of opinions for and against periodic password changes, I'll drop this one as input to the "minimum length" discussions as well.
Sweden experienced quite a few breaches last year, with "bloggtoppen.se" as probably the most publicly discussed case. Now the Swedish government recommends minimum-length, mixed alphanumeric-plus-specials passwords for everyone, with no connection to you whatsoever and no use of "common sequences such as qwerty".

For that last part, I recommend reading "You expect me to remember that? Part 1" by d3ad0ne_. There are many ways to do keyboard walking, so what actually counts as a "common sequence"?

Anyway; what I wrote on Twitter was simple:
Party (password) game: Create a normal sentence with minimum 4 words using the lowest number of unique letters - in any existing language.

@ardispark, earlier a colleague of mine at PwC, was the quickest to respond:
Net een nette teen! (just like a tidy toe). 6 unique characters. 

@Nangaul came up with (Norwegian):
Å gå i Å. That's a draw with @ardispark

My friend & colleague @KluZz comes up with:
I am a man. 6 unique there as well. Shouldn't be hard to remember for 50% of the world's population?

Some attempts using spoken dialects came up as well, but I rejected them. I did say "existing language"; I probably should have said "existing written language". Oh well. Then out of nowhere my colleague Stine, who is an economist (not a computer/password geek!), suddenly says: "I'll give you a password written in binary form!". It IS a written language, it will generate loooong passwords (but how breakable would they be?), and it will only have 2 unique characters: 0 and 1. Nice! It seemed we had a winner some 10-15 minutes into this little competition...

@KluZz doesn't give in that easily:
Well, if you wanna get impractical… "the fish fishes fish." -> 鱼鱼的鱼。written in simplified Chinese. 5 chars, 3 unique. Although it has more unique characters, I'm tempted to say this one would be harder to crack using our standard tools of the trade today. (Keyspace calculations are most welcome as comments here! Long binary passphrases or short UTF-8/16/32 passwords?)

@wimremes, who actually seems to know Chinese, promptly gives us a correction:
fishing = 钓鱼 so that would be 鱼钓鱼 3 chars, 2 unique. Google translate takes fishes not as verb but as plural fish.

--

@Openwall replies, saying that JtR supports some of this UTF-16/32 stuff through Dumb16 and Dumb32 modes (jumbo patch, info here), while @hashcat gets curious. :-)

So I think to myself: depending on how you count the number of keystrokes needed to input your truly original UTF-16, UTF-32 or "Pile of Poo" password, and given the missing keyspace calculations here, can we really say that passwords should be a minimum of 8-10-12-15-20 characters in length in order to be "unbreakable" with existing tools and computing power? Are we talking about the number of characters input, or the number of keystrokes entered on your keyboard, to create a "secure" password? Should we recommend using letterlike Unicode symbols as part of your password (PDF with images, more documents here), or should we create story-based passphrases using Unicode "Pile of Poo" symbols? "Dog eat food make pile of poo" passphrases?

Most places we talk about 4 character groups: loweralpha, UPPERALPHA, digits 0123456789 and specials. Usually we end up with somewhere around 96 characters all in all. I've seen one or more sites actually talking about 5 character groups, while still staying within a pretty limited character set. Unicode beats that hands down.
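Here is the keyspace calculation @KluZz asked for, as an added worked example in Python (my code, not from the post or any of the tweeters). It compares the candidates from the competition with the 4-group, ~96-character set above. The alphabet sizes for the attacker models (95 printable ASCII, {0,1}, the CJK Unified Ideographs block) are my assumptions, and the binary string and the "pile of poo" passphrase are made up here.

```python
import math

# Constructed samples: two candidates quoted from the post, plus a binary
# string and a "pile of poo" passphrase made up here. None are real passwords.
CANDIDATES = {
    "dutch": "Net een nette teen!",
    "chinese": "鱼钓鱼",
    "binary": "0110100001101001" * 3,          # 48 zeros and ones
    "poo": "dog eat food make \U0001F4A9",      # ends with U+1F4A9
}

# Attacker alphabet models (my assumptions for the calculation): printable
# ASCII 0x20..0x7E (the "96 or so" of the post), {0, 1}, and the whole
# CJK Unified Ideographs block U+4E00..U+9FFF.
ALPHABET_SIZES = {
    "printable_ascii": 0x7E - 0x20 + 1,   # 95
    "binary": 2,
    "cjk_block": 0x9FFF - 0x4E00 + 1,      # 20992
}

def encoded_sizes(pw: str) -> dict:
    """Length counted four ways: code points, and bytes in UTF-8/16/32."""
    return {
        "codepoints": len(pw),
        "unique": len(set(pw)),
        "utf8": len(pw.encode("utf-8")),
        "utf16": len(pw.encode("utf-16-le")),
        "utf32": len(pw.encode("utf-32-le")),
    }

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2(alphabet ** length): brute-force work when the attacker's mask
    already has the right alphabet and the right length."""
    return length * math.log2(alphabet_size)

def game_metric_bits(pw: str) -> float:
    """The game's 'fewest unique letters' metric is the attacker's best case:
    a mask restricted to exactly the symbols that occur in the password."""
    return keyspace_bits(len(set(pw)), len(pw))

def binary_length_to_match(alphabet_size: int, length: int) -> int:
    """Shortest 0/1 string whose keyspace is at least alphabet ** length."""
    return math.ceil(keyspace_bits(alphabet_size, length))

if __name__ == "__main__":
    print("8 printable ASCII chars:", round(keyspace_bits(95, 8), 1), "bits;",
          "0/1 string needed to match:", binary_length_to_match(95, 8))
    for name, pw in CANDIDATES.items():
        print(name, encoded_sizes(pw), "best case:", round(game_metric_bits(pw), 1), "bits")
    print("3 CJK chars, block-wide mask:", round(keyspace_bits(20992, 3), 1), "bits")
```

The two "bits" figures for 鱼钓鱼 (about 3 bits if the attacker's mask contains just those two characters, about 43 bits if it has to cover the whole block) show that the attacker's alphabet model, not the count of unique characters, decides how long a password must be.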

Hm. It's 00:42. Perhaps I should just go to bed, before this gets way out of hand? Comments welcome. :-)
