Number in password required? Why not be more intelligent?


Re: Number in password required? Why not be more intelligent

Postby straygecko » Sun Dec 02, 2018 6:25 pm

The funny thing is when you go to change your master password it says:

Tips
Consider using a passphrase
For more Master Password tips, click here - https://blog.lastpass.com/2013/04/how-to-create-secure-master-password.html/

Minimum Requirements
At least 8 characters long
Not your email
Not easily guessable

The "click here" link is to a 2013 Lastpass blog post with the xkcd comic, though they also show they missed the point of the comic by pushing adding in numbers and special characters instead of something easy like adding another word or two. I'm not ready to change my master password just yet, so I'm not sure if it actually is less restrictive than when signing up for an account. I may be changing my master password in a few days, and if I do I'll report back if it lets me use a passphrase with only all lowercase letters.
straygecko
 
Posts: 14
Joined: Fri Jan 29, 2016 11:59 am

Re: Number in password required? Why not be more intelligent

Postby MathijsRiezebos » Mon Dec 03, 2018 11:30 am

straygecko Wrote:[...]
they also show they missed the point of the comic by pushing adding in numbers and special characters instead of something easy like adding another word or two.
[...]


Actually, using just one common substitution and an extra character between the words of your passphrase somewhere can still significantly increase the security of your passphrase.
Only using lowercase, UPPERCASE, camelCase or ProperCase words in a password, even if you add one or two extra, can even be less secure and it makes your password way longer to type.

I think that their example there is actually pretty good. A passphrase of between 15 and 20 characters that consists of a few semi-random words with just one or two random character swaps/inserts would, in my opinion, provide the optimal balance between security and ease of remembering and typing.
MathijsRiezebos
 
Posts: 8
Joined: Thu Nov 22, 2018 4:14 am

Re: Number in password required? Why not be more intelligent

Postby straygecko » Mon Dec 03, 2018 3:57 pm

MathijsRiezebos Wrote:
straygecko Wrote:
Actually, using just one common substitution and an extra character between the words of your passphrase somewhere can still significantly increase the security of your passphrase.
Only using lowercase, UPPERCASE, camelCase or ProperCase words in a password, even if you add one or two extra, can even be less secure and it makes your password way longer to type.

I think that their example there is actually pretty good. A passphrase of between 15 and 20 characters that consists of a few semi-random words with just one or two random character swaps/inserts would, in my opinion, provide the optimal balance between security and ease of remembering and typing.


Semi-random words are a bad idea and seriously erode the strength of a password. There was a study of passphrases actually in use, and the semi-randomness (IOW not random at all) of the words let them find the passwords in hours.

Adding a separator character between words only adds a small factor: the number of possible separator characters or, human beings being what they are, the number of typically used separators. Maybe another factor of 6 if you only use it between some words (4-word passphrase). So let's say 6 possible separator characters times 6 for using it between only some words. That's only a factor of 36. Yes, you could get complicated and possibly use a different separator between different word pairs, but then we're getting further and further away from easy to remember.

Same kind of thing for changing the case of the first letter of words or upper-casing some words. 3 options for each word: all lower, all upper, first capitalized. 4! combos, so 24 * 3 is a factor of 72.

Assuming you did these things randomly (most people don't), combine the two and you get a factor of about 2600. Compare that with an additional random common English word of 20,000. I think most people are going to find the additional word easier to remember and type and they will get a much stronger password.
straygecko
 
Posts: 14
Joined: Fri Jan 29, 2016 11:59 am

Re: Number in password required? Why not be more intelligent

Postby MathijsRiezebos » Tue Dec 04, 2018 5:23 am

straygecko Wrote:Semi-random words are a bad idea and seriously erode the strength of a password. There was a study of passphrases actually in use, and the semi-randomness (IOW not random at all) of the words let them find the passwords in hours.

Adding a separator character between words only adds a small factor: the number of possible separator characters or, human beings being what they are, the number of typically used separators. Maybe another factor of 6 if you only use it between some words (4-word passphrase). So let's say 6 possible separator characters times 6 for using it between only some words. That's only a factor of 36. Yes, you could get complicated and possibly use a different separator between different word pairs, but then we're getting further and further away from easy to remember.

Same kind of thing for changing the case of the first letter of words or upper-casing some words. 3 options for each word: all lower, all upper, first capitalized. 4! combos, so 24 * 3 is a factor of 72.

Assuming you did these things randomly (most people don't), combine the two and you get a factor of about 2600. Compare that with an additional random common English word of 20,000. I think most people are going to find the additional word easier to remember and type and they will get a much stronger password.

I never claimed that upper, lower, camel, proper casing words actually significantly helped. My point was pretty much the contrary. The same with semi-random combinations from semi-random words, with which I, indeed, meant passphrases thought up by people.

I beg to differ on the topic of inserting/replacing characters, though.
You seem to be saying that there's only a handful of characters that people will and/or could use between words. That may be the case for some people, and I do not mean to argue against this being bad practice, but as far as I know there are 26 letters in the alphabet, both upper- and lowercase, 10 numbers and then a handful, let's say another 10*, of commonly used punctuation marks, which would total to +- 70 characters. Since the average English word length is +- 5 letters, let's say that a 20-letter passphrase has 4 words, which leaves 5 spaces for random characters.
This would result in 70^5 = +- 1,7 billion possibilities.

Then we have common substitutions. In each word, any lowercase letter could be substituted with an uppercase letter and, as can be derived from a study I think I linked before, at least 50% of all letters used in English (mainly vowels) have at least one common number- or punctuation-mark-substitution. Let's just assume that the standard deviation in this is close to 0, for now, even though, as you may well know, a higher standard deviation would result in greater password entropy.
Either way, for a word with 20 letters and 1,5 common substitutions for each of these letters, this would result in 2,5^20 = 91 million possibilities.

Combined, this would come to 1,5 * 10^17 times as many passphrase possibilities, while adding two completely random words would result in only 20.000^2 = 4 * 10^8 times as many possibilities**.

Granted, in my calculation I do not consider the rule that only up to a total of say... 4 random character inserts/substitutions can be used anywhere in the passphrase, so let me calculate that real quick, okay? :)
We have 20 characters. There's 26 uppercase letters, 10 numbers and 10 common punctuation marks, so let's say... 40 characters to substitute with or insert. Since we're only allowed to insert/replace 4 characters at maximum, I'd consider insertion in the middle of words easy enough to remember as well, which leaves us 21 places to insert and 20 places to replace. Let's, for ease of calculation, say there's 20 places to insert as well, though.
In a passphrase of four letters, with 4 random substitutions (so all letters substituted) or insertions, we get (40*2)^4 = 40.960.000 times as many possibilities.
Now in a passphrase of 20 words, these can be in (n! - (n-k)!) / (k!) different configurations that matter. This amounts to (20 * 19 * 18 * 17) / (4 * 3 * 2) = 4.845 different meaningful combinations.

Combined, this would result in 1,98 * 10^11 times as many possibilities, which is still quite a lot more than adding two random words would result in.

*
1. .
2. ,
3. !
4. ?
5. "
6. ;
7. :
8. '
9. (
10. )
11. @
12. &
13. %
14. $
15. *
16. /
17. \
18. +
19. -
20. _
21. =


**
If those two words would have been randomly upper, lower, camel or proper case, that would have amounted to 1,28 * 10^34 times as many possibilities, which would have been safer than substituting/adding a couple of random characters, but would have made the password at least as hard to remember and way less type-friendly.
MathijsRiezebos
 
Posts: 8
Joined: Thu Nov 22, 2018 4:14 am
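The two posters above are arguing about keyspace multipliers in decimal notation, which makes them hard to compare with the base passphrase. The script below is an added example, not code from either poster or from LastPass: it reproduces each count exactly as the posters stated it (6 separators times 6 placements, 4! times 3 casings, a 20,000-word list, a 70-symbol insert alphabet over 5 gaps, 2.5 choices per letter over 20 letters, and at most 4 edits from a 40-symbol alphabet in any 4 of 20 positions) and converts every multiplier into bits on top of a 4-word passphrase. Function names and the layout are my own assumptions.

```python
# Added example (not code from either poster or from LastPass): the keyspace
# multipliers argued over in the two posts above, turned into bits of entropy.
# Every count is reproduced from the posts as the posters stated it; the
# function names are my own assumptions.
import math


def bits(multiplier: float) -> float:
    """Bits of entropy a keyspace multiplier is worth (log2)."""
    return math.log2(multiplier)


# --- straygecko's model (post of Mon Dec 03) ---------------------------------

def separator_factor(n_separators: int = 6, n_placements: int = 6) -> int:
    """6 plausible separator characters times 6 ways of placing them."""
    return n_separators * n_placements          # 36


def casing_factor(n_words: int = 4, n_casings: int = 3) -> int:
    """The poster's count: 4! arrangements times 3 casing styles."""
    return math.factorial(n_words) * n_casings  # 72


def extra_word_factor(dictionary_size: int = 20_000, n_words: int = 1) -> int:
    """Each extra word drawn uniformly from a 20,000-word list."""
    return dictionary_size ** n_words


# --- MathijsRiezebos's model (post of Tue Dec 04) ----------------------------

def unlimited_insert_factor(alphabet: int = 70, slots: int = 5) -> int:
    """A random character from a 70-symbol set in each of 5 gaps."""
    return alphabet ** slots                    # 70^5 = 1,680,700,000


def unlimited_substitution_factor(per_letter: float = 2.5, letters: int = 20) -> float:
    """Every letter has 1.5 common substitutes, i.e. 2.5 choices each."""
    return per_letter ** letters                # 2.5^20 ~ 9.1e7


def limited_edit_factor(alphabet: int = 40, edits: int = 4, positions: int = 20) -> int:
    """At most 4 edits, each an insert or a replace (x2) from 40 symbols,
    placed in any 4 of 20 positions (the poster's 4,845 configurations)."""
    return (alphabet * 2) ** edits * math.comb(positions, edits)


def compare(base_words: int = 4, dictionary_size: int = 20_000) -> dict:
    """Total bits for a 4-word passphrase plus each proposed tweak."""
    base = bits(dictionary_size ** base_words)  # ~57.2 bits
    tweaks = {
        "separators + casing (straygecko)": separator_factor() * casing_factor(),
        "one extra random word": extra_word_factor(),
        "two extra random words": extra_word_factor(n_words=2),
        "unlimited inserts + substitutions (Mathijs)":
            unlimited_insert_factor() * unlimited_substitution_factor(),
        "at most 4 random edits (Mathijs)": limited_edit_factor(),
    }
    return {name: round(base + bits(m), 1) for name, m in tweaks.items()}


if __name__ == "__main__":
    for name, total in compare().items():
        print(f"{total:6.1f} bits  {name}")
```

Every figure the script prints assumes each choice (which separator, which letter to substitute, which word) is made uniformly at random. That is the assumption both posters concede people do not meet, so the numbers are ceilings; a human picking "the usual" separator or the obvious substitution gets far less than the multiplier suggests, while an extra word rolled from a list keeps its full 14.3 bits.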

Re: Number in password required? Why not be more intelligent

Postby straygecko » Fri Dec 07, 2018 9:32 pm

First off, changing a master password allows all lowercase words with spaces in between, no numbers, no special characters. Probably no restrictions so have at it with whatever you want for a master password.

You said:
MathijsRiezebos Wrote:I think that their example there is actually pretty good. A passphrase of between 15 and 20 characters that consist of a few semi-random words with just one or two random character swaps/inserts would, in my opinion, provide the optimal balance between security and ease to remember and type.


That did sound like you were saying that 4 semi-random words with a vaguely defined single substitution would make a good password. I upped that a little bit with other things mentioned in your post to give it a fighting chance. Of course if you go truly random and add the complexity of multiple random substitutions from a large character set you can get entropy to match or exceed an extra word or two but now you're getting into the xkcd comic first panel territory with complexity outweighing ease of remembering and typing for the average person.

I tested typing a 21 character password made up from 4 words with upper and lower case, number substitutions and an insert that I have typed several times a day for a year or so vs. a diceware 6 word password from the EFF word list that has 42 characters which I practiced about 20 times. Both have sufficient entropy to be secure. It only took me 7 seconds to type vs 6 seconds for the 21 character password. After a little use I'll beat the 21 character. Two-finger characters really slow you down and odd substitutions make you think. That was on a PC keyboard. On a mobile device diceware will win by a country mile, especially with word prediction or swiping. And it wasn't any harder to memorize than a shorter password with substitutions & inserts. I know my wife will definitely find it easier to remember.

Regardless, Lastpass should stop with the restrictions on creating new master passwords and let us use whatever we think is best. Recommendation and warnings are fine but restrictions suck.
straygecko
 
Posts: 14
Joined: Fri Jan 29, 2016 11:59 am
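The last post makes two points a policy could act on: a 6-word diceware passphrase from the EFF list is stronger than a 4-word passphrase with substitutions, and a master-password check should judge strength rather than demand a number. The script below is an added example, not LastPass code and not from either poster: it generates diceware-style passphrases with the OS CSPRNG, computes the entropy of 6 EFF words versus 4 words from a 20,000-word list, and implements an acceptance rule based on an entropy floor instead of character classes. The word list is a constructed stand-in (only the size of the real list matters), and the 56-bit floor and the function names are assumptions.

```python
# Added example (not LastPass code and not from either poster): what a
# "more intelligent" minimum for a master password could look like once the
# rule is an entropy floor instead of "must contain a number". The word list
# is a constructed stand-in; only the size of the real list matters for the
# entropy figure. The 56-bit floor and the function names are assumptions.
import math
import secrets

EFF_LONG_LIST_SIZE = 7776      # size of the EFF diceware long list
COMMON_ENGLISH_WORDS = 20_000  # the dictionary size used in the thread

# Constructed stand-in for a diceware word list.
SAMPLE_WORDS = (
    "correct horse battery staple gecko lantern orbit pumice quartz "
    "ribbon saddle thimble umbrella velvet walnut yonder zephyr acorn "
    "bramble cobalt"
).split()


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of n words chosen uniformly at random from list_size words."""
    return n_words * math.log2(list_size)


def generate_passphrase(wordlist, n_words: int, separator: str = " ") -> str:
    """Diceware-style generation with the OS CSPRNG (secrets), never random.random()."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def estimate_bits(password: str, wordlist, list_size: int) -> float:
    """Estimate entropy: word-count based when the password is a passphrase
    built from the known list, otherwise a per-character upper bound from the
    character classes present (generous for human-chosen strings)."""
    words = password.split(" ")
    known = set(wordlist)
    if len(words) > 1 and all(w in known for w in words):
        return passphrase_bits(list_size, len(words))
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def accept_master_password(password: str, wordlist=SAMPLE_WORDS,
                           list_size: int = EFF_LONG_LIST_SIZE,
                           min_bits: float = 56.0) -> tuple:
    """Policy: accept anything whose estimated entropy clears the floor,
    lowercase-only passphrases included; reject short 'complex' strings."""
    est = estimate_bits(password, wordlist, list_size)
    return est >= min_bits, round(est, 1)


if __name__ == "__main__":
    print("6 EFF words:", round(passphrase_bits(EFF_LONG_LIST_SIZE, 6), 1), "bits")
    print("4 common words:", round(passphrase_bits(COMMON_ENGLISH_WORDS, 4), 1), "bits")
    for candidate in ("correct horse battery staple",
                      generate_passphrase(SAMPLE_WORDS, 6),
                      "p4ssw0rd!"):
        print(repr(candidate), accept_master_password(candidate))
```

With this rule a 6-word lowercase passphrase (77.5 bits from the EFF list) passes while a 4-word one (51.7 bits) and a 9-character string with digits and punctuation both fall short, which is the ordering the thread argues for. The per-character branch is only an upper bound: it credits a human-chosen string as if every character were random, so a real deployment would pair it with a breached-password or dictionary check rather than trust it alone.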
