[security flaw] Ubuntu is a plain text offender

Kent Borg kentborg at borg.org
Tue May 24 19:11:52 UTC 2011 

Jordon Bedwell wrote:
 > Actually, 'beauty-alias-citizen' has between 86 and 94 (rounded) bits of
 > entropy depending on your math and method of calculation.

No.

I created it from 32-bits of entropy. The process I used to turn the 
bits into words is simple, and completely mechanical and reversible, 
such mechanical processes cannot create entropy. Because of the *way* I 
created the password, it has 32-bits of entropy.

The program I used is mnencode. It will convert arbitrary binary data 
into words, and mndecode will turn those words back into the identical 
input data. If 32-bits of entropy (uncertainty) goes in, there is no way 
more than 32-bits of entropy can come out. There are 32-bits of entropy 
in that password.

 > And it's a very weak password.

For a *password* (as distinct from en encryption key) it is actually 
quite good for many purposes.

The key feature of a password is that one can only test it by submitting 
a guess to some gatekeeper and wait for news of whether it opens the 
gate. And gatekeepers are allowed to get annoyed and quit cooperating, 
complicating an attacker's life a lot.

Password strength is a function of how fast combinations can be tried 
vs. how many combinations there are. That is why an ATM PIN is pretty 
secure at only 4-digits (10,000 combinations): ATMs only allow attempts 
to be made very slowly and after too many failed tries, will refuse 
further attempts.

An encryption key is very different. One must assume that the attacker 
has a copy of the encrypted data. If so, the attacker can make multiple 
copies, and have different computers trying encryption keys on the 
different copies. The speed at which guesses can be tested is not 
limited. So passphrases used for encryption must be much 
longer...depending on whom one is protecting against. If you want to 
keep a casual attacker out, a very short key is pretty good. If you want 
to keep a motivated and well funded foe out, you should got much longer, 
say, 128-bits for a symmetrical cypher.

 > entropy alone cannot decide password strength.

No, entropy is everything. Entropy is another (precise word for) 
uncertainty. If you have to search a space that has more combinations, 
then an attacker will have to search longer, if there are fewer 
combinations, then the attacker will have an easier time.

> A.) PIN Passwords [0-9] each letter has 3.3219 bits
> B.) Simple Hex Passwords [a-z, 0-9] each letter has 4 bits
>   

Unless there is a an underlying pattern that you don't know about. For 
example, you over-estimate "beauty-alias-citizen" at 86 to 94 bits. It 
is effectively identical to 0x167316a8.

> It goes up from there
>
> 1.) Your password is vulnerable to dictionary attacks.
>   

Is the hex value 0x167316a8 subject to dictionary attacks? It is 
effectively the identical password.

> 2.) Your password is vulnerable to common brute force attacks.
>   

Every password is vulnerable to brute force attacks, the question is 
*how* vulnerable. My example will take somewhat more than 4-billion 
tries to be 100% sure of finding the combination. That is if the 
attacker knows how I created it, which should be assumed. But just 
because I express "32-coin tosses" (actually bits from /dev/urandom) as 
three English words doesn't take away that there are 32-coin tosses 
under there. If someone doesn't know how I generated my password, then 
the brute force effort is more difficult, but that is an iffy thing to 
trust, I count the entropy I can demonstrate. Thinking that 1337-style 
transformations magically add entropy assumes that your attacker hasn't 
heard of such a thing.

> 3.) Your password contains a single repeated ASCII symbol.
>   

So? The hex version contains a repeated digit, too. That is what the 
"coin tosses" did. There are 32-bits under there.

> A.) Pass should contain multiple symbols.
> B.) Pass should contain letters and numbers, upper and lower.
> C.) Pass should have at least 2 characters that repeat (non-sequential)
>
> The list goes on but it's not my job to lecture you on how bad that pass
> is, it's just my job to correct the bad math and then give tips.
>   

Does 0x614d2079687420656f666372206565627720746920686f792175000a seem 
like a good enough password? How much entropy is in it?

Does 0x87972a55700e1080bf1c9b5e1cf45a01940553f919607a5d5aafae59 seem 
like a good enough password? How much entropy is in it?

One is a damn good password, one is truly terrible (if you are up 
against a motivated and funded foe).


Does:

circus-switch-india--monster-adios-history
studio-copy-salute--barcode-visible-gemini
chance-tractor-ritual--erosion-latin-salute
venus-brush-hawaii--sheriff-doctor-golf
hazard-candle-history--prefix-latin-jeep
goblin-ruby-gemini--maxwell-morris-royal
formula-equal-script--optimal-arthur-jazz
airline

seem like a bad password because it has words in it?

It is identical to the good one above--but coded in words. Run it 
through mndecode and it will again be example ASCII hex from above. It 
is not fundamentally better or worse whether expressed in words, 1s and 
0s, hex, octal, or morse code.

Just because a passwords looks random to a human or passes some set of 
password choosing rules means very little. Whether it looks impressive 
or not, my example is worth 32-bits of entropy.

How good is that?

An sshd login is by default quite limited for how fast a single IP 
address can try to login. The sshd man page seems to say the defaults 
will allow 60 attempts in 120 seconds. At that rate it will take 
132-years to have a 50-50 chance of breaking in. Enlist a botnet of many 
different IP address, and more attempts can be made in parallel, but ssh 
password computation is intentionally slow, so there is a limit to how 
much parallelism is possible on my little machine. By the time an 
attempt got very far my log files would fill up and things start to 
malfunction--giving an administrator time to do something about it. 
(Like change passwords and make the attacker start over.)

I am certain the NSA (and others) have studied what humans do when they 
are trying to dream up a good password; they have studied what humans do 
when told they have to follow rules such as have at least one digit, 
etc. Something tells me the result is rather mechanical and does not 
increase the entropy very much.

The NSA certainly has brute force programs that first try the things 
humans like to do. They have likely added my mnencode procedure to their 
brute force machine to crush my "beauty-alias-citizen"-examples down to 
their fundamental 32-bits of entropy. And the 0x614d207... example 
above? It is one they try in the first few days for sure.


If your attacker has to try many combinations, it is all about making 
him try a lot combinations, and has *nothing* directly to do with 
whether its appearance satisfies some silly set of rules. It is *all* 
about the number of combinations. Or entropy.


-kb

More information about the ubuntu-users mailing list