Biz & IT —

Why Intel’s “How Strong is Your Password?” site can’t be trusted

Lack of HTTPS + questionable metrics = don't rely on it.

Dan Goodin - May 8, 2013 8:50 pm UTC

Why Intel’s “How Strong is Your Password?” site can’t be trusted — Intel

A new website published by chipmaker Intel asks readers "How Strong is Your Password?" and provides a form for estimating the strength of specific passcodes. It's too bad the question isn't "How Strong is your Password-grading site," because the answer, unfortunately, is "not very."

The most glaring problem with the site is its failure to use standard HTTPS Web encryption. Based on the secure sockets layer and transport layer security protocols, HTTPS ensures that a Website being accessed is authentic and operated by a legitimate entity, as opposed to a knock-off page created by someone who is able to control the end user's Internet connection. It also encrypts traffic sent between the end user and site to prevent anyone else from eavesdropping. It wouldn't take much effort for someone to create a convincing replica of the McAfee-powered site and substitute it for the real one on a network in a coffee shop, at a conference, or in another setting. At that point anything a visitor typed could be sent to the attacker. Authoritarian regimes have also been known to inject code into legitimate sites to log account credentials.

To be sure, there are caveats. The site instructs users: "PLEASE DO NOT ENTER YOUR REAL PASSWORD," but I'd bet some percentage of users will ignore this request. Even then, the attack wouldn't reveal the user name corresponding to the password, or even the service or site they belong to. Still, the attack could be used in campaigns aimed at a specific individual or group to gain important insights about the passwords the targets use. More importantly, I'd expect a site with a goal of educating the masses about password security would tell users they should never enter a password on a plain HTTP connection. And I certainly expect Intel and its McAfee subsidiary to offer HTTPS on their own sites. The lack of encryption and authentication is surprising. I'd strongly discourage readers from entering any passwords they trust or use to secure important accounts.

The other problem with McAfee's site is the methodology used to rate the strength of passwords. The site estimates that it would take six years to crack the passcode "BandGeek2014" (minus the quotation marks) and three months to crack "windermere2313". Last week, I shoulder surfed as Jens "Atom" Steube, the lead developer of the freely available ocl-Hashcat-plus password-cracking program, decoded most of a list of 16,000 cryptographically hashed passcodes that were leaked on the Internet several months ago. It took him less than 30 minutes to break both of those passwords.

Conversely, the site says it would take only two years to crack "nIGpkQ8s.W6". That's a password I randomly generated for the purposes of this article, one that likely could be cracked only through the computationally painstaking process of brute forcing. Because it contains 11 characters and uses numbers, symbols, and upper- and lower-case letters, there are 95¹¹ possible combinations, a massive "keyspace" that could take real-world crackers ~~years~~ centuries to exhaust.

The Intel site doesn't explain how it arrived at the conclusion that "nIGpkQ8s.W6" is three times faster to crack than "BandGeek2014"—and ultimately it doesn't matter. What's important is that this site should never be trusted with real passwords and can't even be counted on to give realistic assessments about the relative strength of passwords. By asking users, "Are you hackable or uncrackable?" it's crossing uncomfortably close into what security guru Bruce Schneier calls "security theater."

In the coming month or so, Ars will publish a series of articles showing how passwords are cracked in the real world and techniques end users can follow to prevent these attacks. Stay tuned.

Promoted Comments

scooby509Ars Centurion
jump to post

JGoat wrote:
Someday we'll have a convenient multi-factor authentication scheme that's ubiquitous.

Yes, right around the time we invent a flying submarine. Multi-factor authentication will, by definition, require carrying around some gadget, whether it provides a token or scans your body. That's inherently inconvenient.

And, ubiquity doesn't help. If a third party provides the gadget, you now have to figure out how to trust that third party.

304 posts | registered Mar 2, 2011
JGoatArs Scholae Palatinae
jump to post

frankderr wrote:
I'm going to be 100% honest here. I am so TIRED of being told that my passwords suck, they're not good enough, and that I need to be smarter about my online security.

I know that's all true. But dammit man, I'm only human, it's becoming increasingly more frustrating just trying to use the internet now that every single website makes me log into some sort of account and then gets hacked and makes me change it.

Not to mention I should be using different log in names and emails for anything important. Which only compounds the issue further. How many email addresses am I supposed to keep up with?

Look, I get it, it's critically important that I take my security online seriously, but I am just tired of the game. It's like having a lock on every single door in your house each with a different key. Does that make your house safer? Sure, in a sense. Does it make getting around your own house hard as hell? Yes, it does. That's how I feel on the internet. Every damn door needs to be locked with its own key and I am going nuts trying keep things in order.

Does Lastpass help? Sure. To an extent, but good luck using that randomly generated 16 digit monster to log in on your phone to that companies specific app.

Rant over. I hate passwords and we need a technology that will help us move passwords beyond their glaring weakness, that we're all stupid mortals.

I appreciate your candor, and agree it's an annoyance.

I hate security questions, especially when they make you pick 3 from a short list, I manage my passwords well, but now I'm doling out personal information to all these sites so that some jackass who knows my mothers maiden name and where I went to high school can reset my account? That's more likely than them figuring out my passwords. So then you're using fake information for those questions but have to keep track of all that just in case? Screw that. I like using a phone number for recovery, but most sites don't let you get rid of the security questions.

871 posts | registered Feb 29, 2012
ManneriskySmack-Fu Master, in training
jump to post

No one is going to analyze the javascript?

It's pretty straightforward:
Quote:
var str = this.replace(toppasswords, "a");
...
// num of lowercase (entropy = 26)
var lowercase_chars = char_count(/[a-z]/g);
// num of uppercase (entropy = 26)
var uppercase_chars = char_count(/[A-Z]/g);
// num of digits (entropy = 10)
var digit_chars = char_count(/[0-9]/g);
// num of everything else (entropy = 32)
var special_chars = char_count(/[^a-zA-Z0-9]/g);

var lowercase_bits = uppercase_bits = 26;
var digit_bits = 10;
var special_bits = 32; //potentially

var entropy = Math.pow(lowercase_bits,lowercase_chars) * Math.pow(uppercase_bits,uppercase_chars) * Math.pow(digit_bits,digit_chars) * Math.pow(special_bits,special_chars);
var entropy = entropy /2;

var _std_comp_power = 2 * Math.pow(2, 33);

var hours = entropy / _std_comp_power;

So the calculation is:
1. every common password string counts as a lowercase character
2. every upper or lower case character counts as 26
3. every numerical digit counts as 10
4. every special character counts as 32
5. multiply the value of each character together
6. a hacker can compute 17 billion guesses in an hour

This is clearly a long way from useful.

13 posts | registered Aug 22, 2012
zneromSmack-Fu Master, in training
jump to post

Looking at this password checker it seemed totally ridiculous so I decided to figure out what it was actually doing. For anyone who wants to confirm my work the file in which the passwords are checked is Password.js.

Yes, the passwords are looked at locally in javascript, I can't guarantee that it does not send any information over the internet for every time I click the "GRADE MY PASSWORD" button it does request a new image from an automatically generated URL that is filled with gobbldeygook that could theoretically contain the password, though it doesn't contain it in plain text form.

So how does the algorithm work, well first it takes the password, and replaces any 'word' from a list of 'topwords' with an 'a'. The list of topwords appears to change every page load and is filled with what I presume are some common passwords from somewhere... not quite sure where. Next it generates a variable called 'entropy' which is equal to ( (26^Number of Lower Case Characters * 26^Number of Upper Case Characters * 10^Number of Digits * 32^Number of Special Characters) / 2 ). It divides entropy by what it calls standard 'comp' (I'm not sure if comp means computer or computational) power, or 2^34 and declares this the number of hours. It prints the number of hours out to the screen after a fashion (including a lot of rounding).

So what is wrong with this algorithm. Really it comes down to two things. 'entropy' appears to be intended to be the average number of tries it would take an attacker to find your password using a brute force attack that goes through passwords in a random order. Unfortunately it is actually that number only in the event if the attack already knows if each character is a lower case, upper case, numerical, or special character. As this is not the case in (practically) any real life situation, the algorithm is useless and creates a few interesting artifacts, a 8 character all lower case password takes 6 hours to break while a 8 character password with 2 lower case, 2 upper case, 2 digits, and 2 special characters takes only 1 hour.

The second issue is the treatment of words on the 'topwords' list. The list is about 140 words long, so even if the attacker knew the number and location of these words, like the algorithm presumes he does with the other characters, the logical improvement is 140^Number of words, not, what comes out as, 26^Number of words. I'm also very doubtful of the quality of this list, I'm not reproducing it here for a variety of reasons (swear words, length, dynamic nature) but lets just say I don't believe that eeeee1 is actually one of the top 140 words.

Coming up with an accurate measurement is undoubtedly hard because it requires on guessing the techniques that most hackers use for generating lists, but these are clearly not them.

1 post | registered May 8, 2013
GhentaliciousArs Centurion
jump to post

Fatesrider wrote:
For my clients I suggest a simple algorithm for generating passwords.

A. A short word (4-5 letters) and capitalize two of the letters.
B. Two different symbols
C. A four or five digit number.
D A few letters from the website URL.
E. Mix them them together.

A. For example, a short word could be anything. So let's use "pass". Capitalize two letters. The P and the first S in my example. So we have PaSs.
B. Two different symbols: "(" and ")" for this example.
C. A four or five digit number:A zip code you remember (90210, for example)
D. A few letters from the website before the domain: Last four letters of this one (since this is the website I'm at). "nica"
E. Mix and match. Let's go with D-B1-A-B2-C The result is nica(PaSs)90210

At google.com it would be ogle(PaSs)90210

This is a 15 character password that you make up which is easy for you to remember that's unique to every site you visit. You'll never, EVER have to write this down and it will withstand any attack for the next several centuries. If it IS cracked, only one website will be compromised (since most people use the same password for every site). It takes a few of them getting cracked before the algorithm becomes apparent, and your username is still needed to get inside.

It's not that hard, if you can remember what YOU made up in the first place and can read the URL of the site you're on. My clients all use this kind of method quite successfully.

Not to sound crass, but I think you may want to suggest something else. I think it's safe to say that many people aren't smart enough to mix up passwords between different sites. In that scenario, their key-word is going to be the same. And more than likely, the zip-code is going to be the same. So all that's changed is the first n letters that specify the site that you're on.

This just screams reproducible pattern.

/shrug.

To be fair, I am by no means any better, so I acknowledge I'm throwing stones at glass houses.
But this doesn't scream security to me. Sorry mate.

273 posts | registered Dec 28, 2011

Promoted Comments

scooby509Ars Centurion
jump to post

JGoat wrote:
Someday we'll have a convenient multi-factor authentication scheme that's ubiquitous.

Yes, right around the time we invent a flying submarine. Multi-factor authentication will, by definition, require carrying around some gadget, whether it provides a token or scans your body. That's inherently inconvenient.

And, ubiquity doesn't help. If a third party provides the gadget, you now have to figure out how to trust that third party.

304 posts | registered Mar 2, 2011
JGoatArs Scholae Palatinae
jump to post

frankderr wrote:
I'm going to be 100% honest here. I am so TIRED of being told that my passwords suck, they're not good enough, and that I need to be smarter about my online security.

I know that's all true. But dammit man, I'm only human, it's becoming increasingly more frustrating just trying to use the internet now that every single website makes me log into some sort of account and then gets hacked and makes me change it.

Not to mention I should be using different log in names and emails for anything important. Which only compounds the issue further. How many email addresses am I supposed to keep up with?

Look, I get it, it's critically important that I take my security online seriously, but I am just tired of the game. It's like having a lock on every single door in your house each with a different key. Does that make your house safer? Sure, in a sense. Does it make getting around your own house hard as hell? Yes, it does. That's how I feel on the internet. Every damn door needs to be locked with its own key and I am going nuts trying keep things in order.

Does Lastpass help? Sure. To an extent, but good luck using that randomly generated 16 digit monster to log in on your phone to that companies specific app.

Rant over. I hate passwords and we need a technology that will help us move passwords beyond their glaring weakness, that we're all stupid mortals.

I appreciate your candor, and agree it's an annoyance.

I hate security questions, especially when they make you pick 3 from a short list, I manage my passwords well, but now I'm doling out personal information to all these sites so that some jackass who knows my mothers maiden name and where I went to high school can reset my account? That's more likely than them figuring out my passwords. So then you're using fake information for those questions but have to keep track of all that just in case? Screw that. I like using a phone number for recovery, but most sites don't let you get rid of the security questions.

871 posts | registered Feb 29, 2012
ManneriskySmack-Fu Master, in training
jump to post

No one is going to analyze the javascript?

It's pretty straightforward:
Quote:
var str = this.replace(toppasswords, "a");
...
// num of lowercase (entropy = 26)
var lowercase_chars = char_count(/[a-z]/g);
// num of uppercase (entropy = 26)
var uppercase_chars = char_count(/[A-Z]/g);
// num of digits (entropy = 10)
var digit_chars = char_count(/[0-9]/g);
// num of everything else (entropy = 32)
var special_chars = char_count(/[^a-zA-Z0-9]/g);

var lowercase_bits = uppercase_bits = 26;
var digit_bits = 10;
var special_bits = 32; //potentially

var entropy = Math.pow(lowercase_bits,lowercase_chars) * Math.pow(uppercase_bits,uppercase_chars) * Math.pow(digit_bits,digit_chars) * Math.pow(special_bits,special_chars);
var entropy = entropy /2;

var _std_comp_power = 2 * Math.pow(2, 33);

var hours = entropy / _std_comp_power;

So the calculation is:
1. every common password string counts as a lowercase character
2. every upper or lower case character counts as 26
3. every numerical digit counts as 10
4. every special character counts as 32
5. multiply the value of each character together
6. a hacker can compute 17 billion guesses in an hour

This is clearly a long way from useful.

13 posts | registered Aug 22, 2012
zneromSmack-Fu Master, in training
jump to post

Looking at this password checker it seemed totally ridiculous so I decided to figure out what it was actually doing. For anyone who wants to confirm my work the file in which the passwords are checked is Password.js.

Yes, the passwords are looked at locally in javascript, I can't guarantee that it does not send any information over the internet for every time I click the "GRADE MY PASSWORD" button it does request a new image from an automatically generated URL that is filled with gobbldeygook that could theoretically contain the password, though it doesn't contain it in plain text form.

So how does the algorithm work, well first it takes the password, and replaces any 'word' from a list of 'topwords' with an 'a'. The list of topwords appears to change every page load and is filled with what I presume are some common passwords from somewhere... not quite sure where. Next it generates a variable called 'entropy' which is equal to ( (26^Number of Lower Case Characters * 26^Number of Upper Case Characters * 10^Number of Digits * 32^Number of Special Characters) / 2 ). It divides entropy by what it calls standard 'comp' (I'm not sure if comp means computer or computational) power, or 2^34 and declares this the number of hours. It prints the number of hours out to the screen after a fashion (including a lot of rounding).

So what is wrong with this algorithm. Really it comes down to two things. 'entropy' appears to be intended to be the average number of tries it would take an attacker to find your password using a brute force attack that goes through passwords in a random order. Unfortunately it is actually that number only in the event if the attack already knows if each character is a lower case, upper case, numerical, or special character. As this is not the case in (practically) any real life situation, the algorithm is useless and creates a few interesting artifacts, a 8 character all lower case password takes 6 hours to break while a 8 character password with 2 lower case, 2 upper case, 2 digits, and 2 special characters takes only 1 hour.

The second issue is the treatment of words on the 'topwords' list. The list is about 140 words long, so even if the attacker knew the number and location of these words, like the algorithm presumes he does with the other characters, the logical improvement is 140^Number of words, not, what comes out as, 26^Number of words. I'm also very doubtful of the quality of this list, I'm not reproducing it here for a variety of reasons (swear words, length, dynamic nature) but lets just say I don't believe that eeeee1 is actually one of the top 140 words.

Coming up with an accurate measurement is undoubtedly hard because it requires on guessing the techniques that most hackers use for generating lists, but these are clearly not them.

1 post | registered May 8, 2013
GhentaliciousArs Centurion
jump to post

Fatesrider wrote:
For my clients I suggest a simple algorithm for generating passwords.

A. A short word (4-5 letters) and capitalize two of the letters.
B. Two different symbols
C. A four or five digit number.
D A few letters from the website URL.
E. Mix them them together.

A. For example, a short word could be anything. So let's use "pass". Capitalize two letters. The P and the first S in my example. So we have PaSs.
B. Two different symbols: "(" and ")" for this example.
C. A four or five digit number:A zip code you remember (90210, for example)
D. A few letters from the website before the domain: Last four letters of this one (since this is the website I'm at). "nica"
E. Mix and match. Let's go with D-B1-A-B2-C The result is nica(PaSs)90210

At google.com it would be ogle(PaSs)90210

This is a 15 character password that you make up which is easy for you to remember that's unique to every site you visit. You'll never, EVER have to write this down and it will withstand any attack for the next several centuries. If it IS cracked, only one website will be compromised (since most people use the same password for every site). It takes a few of them getting cracked before the algorithm becomes apparent, and your username is still needed to get inside.

It's not that hard, if you can remember what YOU made up in the first place and can read the URL of the site you're on. My clients all use this kind of method quite successfully.

Not to sound crass, but I think you may want to suggest something else. I think it's safe to say that many people aren't smart enough to mix up passwords between different sites. In that scenario, their key-word is going to be the same. And more than likely, the zip-code is going to be the same. So all that's changed is the first n letters that specify the site that you're on.

This just screams reproducible pattern.

/shrug.

To be fair, I am by no means any better, so I acknowledge I'm throwing stones at glass houses.
But this doesn't scream security to me. Sorry mate.

273 posts | registered Dec 28, 2011

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica