Password Strength and Security

[Vulpinus]

I noticed some questionable advice in another thread, and thought I should say something on the matter without derailing that thread.

Amongst other things, I've been a security consultant in the IT industry, for what saying that is worth.

Note that the following largely refers to our use of online passwords. While the facts are no different for your work login, that's more difficult to deal with.

Firstly, unless things have changed recently, the passwords we can generate to log in to SL are not as flexible as our website account passwords are allowed to be, stupidly. I bet I'm not the only one to create a password on the account page, then not be able to log in to SL because the password contains characters that aren't allowed in the actual SL login. I've done it twice, lol.

If I recall correctly, the SL password only allows up to 16 characters of alphanumeric only. No symbols. That's a bit poor really (one of my banks is actually worse though!), but see further for why it doesn't really matter. ETA: I'm wrong, symbols are allowed, but not spaces.

Password crackers these days are nothing like they used to be. By using statistical analysis on compromised and known password hash databases, tools have been developed that are very good at guessing the sort of passwords we all use. They are good enough to be able to crack 75% or so of an entire password database within a day.

Why? Because we are predictable, and follow patterns picked up from (and told to use by) other people. Humans can be predicted, even more so when they are trying to be unpredictable.

Think putting a few random characters in your password makes it safer? Nope. Odd capitalization or number/symbol replacement of letter? Useless.

Shorter, truly random password cracking is getting faster, using optimised software with banks of Tesla cards (or just a couple of normal nVidia graphics cards in a normal PC). These can process hundreds to thousands of times faster than a normal PC cracking program. So we need to use longer passwords. With a demonstrated cracking machine that can do 350 billion guesses per second, a six character password (all standard ASCII characters and symbols) would take  a maximum of 2.5 seconds to find. Eight characters would take up to six hours, assuming the password was the very last to be tried. Ten characters goes up to nearly 144 years, but the computers just keep getting faster.

They are all falling prey to the newer, smart tools.

The only secure password is a long, randomly-generated one, preferably one including all of the printable character set. That way, the smart guessing tools won't work and hopefully you've used enough characters to not be brute-forced in a useful timeframe. 16 characters should be considered the minimum, and is the maximum SL and some other places I've seen allow. I use 20+ everywhere else.

Never use the same password for two places. Generate a unique password for every place you need one. Databases get compromised with alarming regularity. Even though your password should still be safe if you follow the abve advice, don't tempt fate.

Changing your password regularly is not necessary, and is potentially detrimental for a few reasons. Provided, that is, that you made a good password in the first place. Only change it if you have reason to suspect it is compromised, or you discover it is potentially weak. Like now.

The only way to achieve the above for most humans is to use a password manager program. I use KeePass; it's free and works perfectly. There are apps for iPhone and Android for it too. Make up a good password to protect that database. See below for that:

If you must use a password you can remember and type manually (login at work, protecting your password database) without breaking your fingers, at least follow these guidelines:

Make it as long as you can. Mine is around 25 characters, but I can type it quickly because I've got used to it.

Don't use ANY words or number sequences (like dates), including 'clever' 'l33T words - every cracker knows them all and then some!

Maybe make up something including the initial letters of a sentence that means something to you; not a known quote!

Have a good mixture of symbols throughout it, not just at the beginning, end, or between words (which you AREN'T using).

Don't think you have to keep changing it, do it right, do it once. If you do, then you will eventually remember it, even if it's tough.

If you need to write it down, that's fine! Just don't pin it to your noticeboard in the office; use your common sense. This does not apply if you are in real, sensitive work. I've done some stuff in such installations and you really don't want to do that. My advice does not apply if you work in such a place where they will have their own, strict (but not necessarily wise) rules. I keep a printed list of all my passwords in a hidden safe, along with a couple of memory sticks with them on. Really.

Do I really need to say this? ... Don't share your password. If you do, change it as quickly as you can. No, really, just don't do it.

Never, ever, ever enter your password into a site without making sure it is what you think. Never, ever, use a link to a site then enter your password. If you think you have an email from SL or your bank, type the web address you know for them into the browser manually, don't go there from from some link in an email or webpage.

 

I know, I'm paranoid. I actually am; I've been involved in a few ways in data security for years, and was always of that mindset anyway.

Hope some of this helps.

[DaniSkunk]

The password I use for my alt is 64 char long, so the 16 chat length is not correct.   just used google to do a word count on it too.

opensim is a max of either 12 or 16.  not been there in a while though.

[Vulpinus]

Hmm... I'll have to check that, I hope you're right.

I know when I first created my main account, and later an alt, that I ran into problems logging in. It took me a while to figure out why at first, after going through a number of password resets. Only dropping down to no symbols (and I thought 16 characters) on my main account allowed me to log in to SL.

That doesn't change the main thrust of my post though.

 

ETA: Checked it. On the "create a new account" setup, there is no mention made of password requirements, just a box to enter the password and it accepts (and uses) symbols and long passwords. When I did that though, with my usual 24 character full-ASCII password, that would not allow me to log in to SL itself.

This is a picture from the password change, where I finally noticed the 16 character limit and no spaces. It was probably a space being put in my original (generated) passwords that caused the issue, as I have just tried setting a PW with some symbols in and it worked for SL login. So, my mistake there.

If you have used a 64 character PW, then there is certainly some incongruity in the system. Good password length, BTW.

 

[Nova Convair]

Yes, in case someone steals LL's database you wish you'd have a good password.

So it's best to have a long random password. A different one for every login of course.

Here starts the difference between therory and reality. Since nobody can remember that all the people think about ways to make things comfortable since they are lazy and careless. Using one password for all is common and a bad mistake. Let applications remember the password? Only few take care of it in a safe way.

So - strong passwords are good but don't help if the security is weakened by storing them at unsafe places. Most people may know what to do but they don't do it.

Another thing is phishing. If you are stupid enough to log into marketplace after clicking on a link your best friend sent you the best of the best of all passwords will not help - if that was a phishing link and you logged in. Stupid stupid but common.

For years we know that passwords are a bad way to secure logins. But nothing changes. Of course for companies it's comfortable. If anything goes wrong they can blame the customer.

 

[zoelamb]

Is the maximum password length officially 16 characters? This forum topic is the only reference I can find about it.

I thought I had a longer password from when i set up the account but my SL viewer is only letting me enter the first 16. I think what must have happened when i set up the account is that I copied the new password from my password manager software and pasted it into the password box, which limited it to 16.

16 characters is quite short by modern standards. There should be no reason to limit passwords to that length if SL are storing them securely. Most of my passwords for websites and things are over 25 characters each.  ~Z

[Darrius Gothly]

All of my passwords are a single digit. But it's super secure because it's a Prime number not divisible by 2.

Now, have I shown you my excellent selection of bridges and high-rise buildings for sale?

[Paul Hexem]

 

[Iain Maltz]

Having been tearing my hair out wondering why my bot code can't log in a specific account for a few days now....

At least from the viewers perspective, logins are done via an MD5 hash of the password (which really makes the length constraint irrelevant as the MD5 output is fixed length regardless of input size).... I tried logging in with the viewer and this account, worked fine, but my bot would only get generic auth failure errors.

I eventually intercepted the Login XML document from firestorm to see how that was working and spotted the obvious MD5 mismatch, with me doing a replay attack through my bot working just fine...

I found this page while googling the "second life MD5 login", because I figured they were using some "modified" MD5 or something...

But no, just substring the first 16 characters of the password and MD5 hash that and you get the right hash, and it lets you log in.

 

Can't speak to the web login service, not poked that, but the viewer/agent login service only respects the first 16 characters of the password apparently.  But the viewer masks this behaviour from you and lets you use >16 chars.  But if i'm right, changing the last character on your >16 character password will still log you in fine, because it's truncated before being hashed.

 

Enjoy...  I did.

 

Edit:  Nothing complains at /registration/ time if you put too long a password in...  Also website does the exact same truncation.  I discovered this using a random 24 character password.  Turns out if i take the first 16 characters of my password then I can then type whatever garbage I like after that and i can log in to my.secondlife.com too - same behaviour as the viewer basically.

Wonder if they store anything more than an MD5 hashed version at the SL end (doesn't seem to be any need to), and if not, is there any practical reason for the limitation?  MD5 strings all come out as 16 characters anyway, so you can just take the extra chars into the hash.   Though obviously a bit late to be changing this now

Edited September 13, 2018 by Iain Maltz
Updated with further research on website behaviour

[Love Zhaoying]

Very interesting. By the way, SL used to allow weak passwords.

[Phorumities]

350 billion guesses a second to break a 6 long password in under 3 seconds? 

very impressive, but, doesnt the cracker have to TRY each combination?

I get locked out of most places after the 3rd incorrect try so how is having 350 billion guesses gonna help him.

I personally use the minimum number of charactors required, only adding numbers, caps, or special charactors if prompted.

People love to worry about silly crap. 3 trys and locked out with 350 billion combinations seems pretty secure to me.

edit: my bad, using just lower case letters theres 308 million combinations in a password six letters long.

the chance of a hacker guessing correct in 3 tries is so low that im not gonna lose any sleep over it.

Edited September 13, 2018 by Phorumities
added stuff

[Iain Maltz]

350 billion guesses/second would be (presumably, no idea why you brought this up) a theorical local computation speed for cracking a hash of "assumed" security.  If the hash is known such as MD5 there may be (and in MD5 are) known weaknesses in the algorithm, plus unsalted hashes are prone to Rainbow Table attacks, all of which dramatically reduce the workloads, esp if your 6 character password in any way resembles anything and isn't just a totally random string.

No-one's doing (remotely close to) 350 billion ops per second of anything over the internet, lockouts or not.  You'd probably have to write your own TCP/IP stack to get around open local port limits during connection setup, not even taking into account the processing times of every request and remote limits on the server by IP or simply resource exhaustion (aka DOS attack)

For what it's worth.

[Kurshie Muromachi]

There was a recent password dump of like 42 million email records on the net. About 91% are duplicates of previous dumps. Just to reflect on what the OP mentioned, be sure NOT to reuse passwords. I use KeePass myself and like it a lot.

Edit: Here's the link for info about it.

https://www.troyhunt.com/the-42m-record-kayo-moe-credential-stuffing-data/

Edited September 13, 2018 by Kurshie Muromachi

[JamieAddams]

hey

My password is 20 characters with upper/lower/digits/symbols in it, and i have no issue.

[Dakota Linden]

Greetings all! 

I cannot address any issues regarding PW strength and security, (not my job, so I have absolutely no clue), but I can confirm that SL WILL lock you out of your account and you will be required to contact Support for assistance if too many attempts are made with the wrong password.

So while computers may be able to blow through 350 billion guesses in a couple of minutes, as a proof of concept,  real world application may lock the attempts out at a certain point long before the "computer" hits the correct combination. 

 

[Bradford Mint]

Yes but as has been pointed out brute forcing a login (such that it would result in a locked account) isn't the threat actor in play here but rather the calculation of the hashes against a rainbow table.

 

[Callum Meriman]

10 hours ago, Dakota Linden said:

I can confirm that SL WILL lock you out of your account and you will be required to contact Support for assistance if too many attempts are made with the wrong password.

That's why 4 digit PIN numbers are bank quality security.

Not that there are only 10,000 combinations, but the fact you will be locked out.

I hit this problem when I was trying to recall the password for an account I made 10 years ago. After a few bad attempts the account was locked and I needed to talk to support. Which involved me providing proof who I was.

SL passwords are pretty much as secure as the PIN on our credit cards.

[Callum Meriman]

8 hours ago, Bradford Mint said:

Yes but as has been pointed out brute forcing a login (such that it would result in a locked account) isn't the threat actor in play here but rather the calculation of the hashes against a rainbow table.

For that, you need the hash. It's sent over TLS and would be rather difficult for most people to MITM. I wouldn't be surprised if it's salted considering the Corrade configuration advises : $1$MD5Hash ($1 will be replaced with salt)

Salt and rainbow tables? Heh.

Edited September 14, 2018 by Callum Meriman

[Bradford Mint]

5 hours ago, Callum Meriman said:

SL passwords are pretty much as secure as the PIN on our credit cards.

In terms of lockout protection yes but the reality is that the threat is not brute forcing a password in the first place but most likely phishing and in this case phishing a PIN would only have merit if the attacker is also in possession of the second factor, which implies a physical attack has also occurred. I realise that you are aware of this but wouldn't want people thinking a strong password is the same as a PIN.

So as was already mentioned by someone else, entering a cryptographically super strong password into compromised site, has provided no extra security.

[Callum Meriman]

1 hour ago, Bradford Mint said:

In terms of lockout protection yes but the reality is that the threat is not brute forcing a password in the first place but most likely phishing and in this case phishing a PIN would only have merit if the attacker is also in possession of the second factor, which implies a physical attack has also occurred. I realise that you are aware of this but wouldn't want people thinking a strong password is the same as a PIN.

We know from the other 2 resurrected threads you are very keen, vocally so, for 2FA. And that's fine. But please don't confuse phishing with 3 tries and you're locked out login systems.

First, leaving phishing out of this: Doesn't matter if the SL password is "1234" or "p4ssw0rd", when it's sent as a salted MD5 - it's not rainbow table crackable, and (as it's SSL) it's not interceptable either without some serious DNS poisoning and MITMing. I can't see how anyone can obtain the salted MD5 over the wire without some unusal hacks. And even if they obtain it over the wire, they can't reverse engineer it.

A weak password really means little for salted MD5 with lockout. With lockout in place a 4 digit [0000-9999] code is ok.

 

Now: Phishing, yes it's an issue that 2FA or 3FA would stop, but the whole design of SL to my understand, with regions on seperate servers means that login code is embedded quite tightly and your authority to be online is checked every teleport. If the lab can do 2FA, great!, but there are a bunch of other things more imporant in their eyes I guess.

 

[Bradford Mint]

I agree Callum, the rainbow table attacks with compute arrays as listed in the first post are most suited to unsalted password databases such as would be leaked from an organisation. Nobody bothers to attack consumers across a distributed geography using brute force. The attack landscape is too wide with usually insufficient gain.

Your other point about password strength is also important because it highlights that choosing a "strong" password in itself is usually meaningless given that a single letter when hashed is the same length as a 1,000,000,000,000 character long password.

Phishing remains the greatest threat here.

 

[Callum Meriman]

6 hours ago, Bradford Mint said:

Phishing remains the greatest threat here.

It does. My own partner was phished. One of those common altavista marketplace links. Took a while to get their account back, and lucky that they used real details for the account. Those who fake their details, then are phished have a much harder time regaining the account. Support do work with people, but I think even they can't do miracles.

All in all I use 2FA or 3FA where I can (my work is all 3FA).

 

[bigmoe Whitfield]

all I can say is good luck,  I'm using a pass word manager that it's self uses a keyfile,  which is not stored locally and almost all my passwords have untypable characters so.  

[Orwar]

   If you want a strong password with a wide range of symbols used, I suggest 'TheQuickBrownFoxJumpsOverTheLazyDog', as the sentence 'The quick brown fox jumps over the lazy dog' contains all letters of the alphabet. Nods sagely. We should all use that password!

[Fionalein]

I'll just leave this external sources reccomendations on passwords here:

https://xkcd.com/936/

 

Edited September 14, 2018 by Fionalein

[ellestones]

On 9/14/2018 at 12:59 PM, Callum Meriman said:

That's why 4 digit PIN numbers are bank quality security.

yeah that ^^