31 May 2008

GMail's Password Strength-o-meter, providing a false sense of security

I decided to play around with GMail's password strength-o-meter to see just how it did. The answer? Not too well. I wouldn't consider much of what it rated "strong" passwords to actually be strong passwords. Many were based on dictionary words. Many were simply a string of words. Many were made entirely of lowercase alpha characters. Check it out.

  • Weak
    • password
    • 12345678
    • mackenzie
  • Fair
    • password01
    • passw0rd
    • drowssap
    • baseball
    • qwertyui
    • default1
    • university
    • prestige
  • Good
    • pinkball
    • passtime
    • iuytrewq
    • mary1988
    • ChangeMe
    • Default1
    • torvalds
    • facebook
    • linuxuser
    • zyxwvuts
  • Strong
    • passxkcd
    • passy123
    • ChangeMe01
    • eiznekcam
    • 13375p34k
    • thinkgeek
    • b4s3b411
    • hispanola
    • notaword
    • faceb00k
    • prestig3
    • mvemjsun

Before conducting the test, I filled my first name (Mackenzie) into the first name field. I also tried it in the last name field, since my actual last name is too short to serve as a comparison there.

Bad things you should notice:

  • Proper nouns are strong
  • All-lowercase strings are strong
  • Simple character replacement a la "leetspeak" (see "13375p34k" above) makes a password strong
  • Spelling your name forwards is weak, but backwards is strong
  • Common default passwords (default1, changeme) are marked as anything other than weak
  • Easy targets for social engineering are marked as good passwords

A good password cracker checks variations on spellings, including reversed words and "1337" substitutions, when performing a dictionary attack. When it comes to brute force cracking, an all-lowercase password is no protection at all. An 8-character password (GMail's minimum) made only of lowercase letters is one of 26^8 = 208,827,064,576 possibilities. A modern processor can attempt about 10,000,000 passwords each second. Do the math, and you find that exhausting the whole space takes under six hours, and on average the password falls in half that. Using djohn to spread the work across several machines? Even less time. There should not be a single all-alpha, let alone all-lowercase, password in the "strong" list, especially at only 8 characters. OK, so those figures are for cracking a stolen password hash locally. Over the network, using a tool such as Medusa, the attacker is limited by latency and whatever throttling the server applies rather than by CPU, so a full keyspace search is out of reach, but a wordlist plus the mangling rules above is not. Get yourself on a fast pipe, and it still won't take long. Know any hackers with 30Mbit FiOS? I do.

Now, see that "mary1988" which was rated "good"? Yes, it has letters and numbers, but there's something in particular about it. See, it's a first name followed by a year. When an adult is told they need letters and numbers, but password1 won't work, what do they do? They often put their child's first name followed by the year they were born. Social engineering anyone? A friend of mine has a sticker on his laptop which says:

Because there is no patch for human stupidity
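The two paragraphs above describe what a cracker does with a wordlist (reversal, leetspeak, word-plus-digits, glued words) and what plain keyspace arithmetic says about an 8-character lowercase password. The script below, added here as an example and not Google's code or anything from the original post, runs both checks over the meter's "Strong" column. Everything in it is constructed for the example: WORDLIST is a tiny stand-in for a real cracking wordlist (real ones have millions of entries; the account holder's own name is added, as a targeted attacker would), the mangling rules are a hand-picked subset of the kind John the Ripper applies, and GUESSES_PER_SECOND is the 10 million per second figure used in the post.

```python
import re

# Constructed stand-in for a cracker wordlist: common words, names, default
# passwords and brand names. "mackenzie" is the account holder's name.
WORDLIST = {
    "password", "pass", "baseball", "facebook", "prestige", "default",
    "changeme", "mackenzie", "mary", "leetspeak", "think", "geek", "pink",
    "ball", "time", "linux", "user", "torvalds", "xkcd", "university",
}

# Leetspeak substitutions a cracker undoes before looking a word up.
LEET = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}

GUESSES_PER_SECOND = 10_000_000  # the post's figure for one 2008 CPU (assumed)


def unleet(s):
    """All spellings of s with leet characters undone (the original is kept).

    '1' is ambiguous, so both 'l' and 'i' are tried. This is exponential in
    the number of leet characters, which is fine for password-length input.
    """
    variants = {""}
    for ch in s:
        subs = {ch}
        if ch in LEET:
            subs.add(LEET[ch])
        if ch == "1":
            subs.update("li")
        variants = {v + sub for v in variants for sub in subs}
    return variants


def split_two_words(s, wordlist):
    """Return (a, b) if s is exactly two wordlist entries glued together."""
    for i in range(1, len(s)):
        if s[:i] in wordlist and s[i:] in wordlist:
            return s[:i], s[i:]
    return None


def crack_reason(password, wordlist=WORDLIST):
    """Name the mangling rule that recovers the password, or None if none does.

    Case is folded first; a cracker tries case variants as a matter of course.
    The password as typed is tried before any de-leeted spelling.
    """
    p = password.lower()
    for cand in [p] + sorted(unleet(p) - {p}):
        note = "" if cand == p else f" (after undoing leetspeak: {cand})"
        if cand in wordlist:
            return "dictionary word" + note
        if cand[::-1] in wordlist:
            return f"dictionary word spelled backwards ({cand[::-1]})" + note
        m = re.fullmatch(r"([a-z]+)(\d{1,4})", cand)
        if m and m.group(1) in wordlist:
            return f"word or name plus digits ({m.group(1)} + {m.group(2)})" + note
        pair = split_two_words(cand, wordlist)
        if pair:
            return f"two dictionary words glued together ({pair[0]} + {pair[1]})" + note
    return None


def charset_size(password):
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_hours(password, rate=GUESSES_PER_SECOND):
    """Hours to exhaust every string of this length over the password's classes."""
    return charset_size(password) ** len(password) / rate / 3600


def audit(password):
    """One verdict combining the dictionary rules and the keyspace arithmetic."""
    reason = crack_reason(password)
    hours = brute_force_hours(password)
    if reason:
        return f"weak: {reason}"
    if hours < 24:
        return f"weak: full keyspace exhausted in {hours:.1f} h at {GUESSES_PER_SECOND:,}/s"
    return f"survives these checks: worst-case {hours:.0f} h of brute force"


if __name__ == "__main__":
    # The meter's "Strong" column from the post.
    for pw in ["passxkcd", "passy123", "ChangeMe01", "eiznekcam", "13375p34k",
               "thinkgeek", "b4s3b411", "hispanola", "notaword", "faceb00k",
               "prestig3", "mvemjsun"]:
        print(f"{pw:12} {audit(pw)}")
```

Nine of the twelve "strong" entries fall to either a dictionary rule or a sub-day brute force with this toy wordlist alone; the remaining three (passy123, hispanola, notaword) only survive because the constructed wordlist is tiny, and passy123 still sits in a 36^8 space that the post's single CPU exhausts in a few days. Note that the offline rate is the right one to use for a meter: it must assume the hash has leaked, since that is the case in which the password itself is the last line of defence.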

While it is good that Google is trying to make people a bit more aware of password security, I don't believe they are being stringent enough. They have an 8 character minimum. Nothing at the minimum length should have made it to "strong". A strong password should have at least 10 or 12 characters (15 on Windows, because its legacy LM hash splits a password of up to 14 characters into two 7-character halves that are cracked independently, and a password of 15 or more characters is not stored as an LM hash at all). Their password strength rater is leading people into a false sense of security. Please don't trust it. I know you can do better. If you think you can't do better and still remember your password, well, I'll post in a few days with a method for remembering good, strong passwords.


Tristan Rhodes said...

Good points about social engineering, humans really are the weakest link.

The difference between a password cracker and Google's password test is the amount of resources each one takes. I'm sure Google doesn't want to perform dictionary lookups for every password that is tested by their system!

Give Google some credit for creating a simple, easy to use tool that helps people improve their password strength.

Adam said...

Hmm.. And what's funny is that my letter/symbol combination was never a strong password for Google. Personally, I think they should reject any passwords that aren't strong, but that might have the side effect of many people having to recover their passwords every time they want to check their e-mail.

Btw... can't wait for the method for remembering good, strong passwords. I sure know that I have my fair share of probably too easy to break ones (like the one at work that was assigned to me and I *can't* change.)


T said...

The GovTech Security News Podcast ( http://security.govtech.com ) has a story about this issue, as it relates to protecting your domain name. A weak password can allow the bad guys to get control of a domain account, no matter how strong your security is.

The show also has helpful tips and links. It's free to stream and one can subscribe to it at the iTunes podcasting section.