Android apps prove a goldmine for dodgy password practices

An analysis of free Android apps has shown that developers are leaving their crypto keys embedded in applications, in some cases because the software developer kits install them by default. Will Dormann, software vulnerability analyst at the CERT Coordination Center (CERT/CC), told the BSides conference in San Francisco that …

  1. Anonymous Coward

    There's Nothing Wrong With QWERTY...

    ...honest!

    1. Phil Kingston

      Re: There's Nothing Wrong With QWERTY...

      I've always been more of an ASDFGH kinda guy

    2. IceC0ld

      Re: There's Nothing Wrong With QWERTY...

      XKCD has been touting the complexity angle for years

      https://xkcd.com/936/

      1. Charles 9

        Re: There's Nothing Wrong With QWERTY...

        Except what if you've got a bad memory and your attempts keep coming out the likes of "donkeyenginepaperclipwrong"?

      2. GIRZiM

        Re: XKCD has been touting the complexity angle for years

        Why do people persist in promulgating this myth after all this time?

        Do not do it; the xkcd approach of using real words in a string was cracked years ago - it falls to dictionary attack in no time at all.

        Take the first letter of each word in a strong passphrase of at least fifteen words, with punctuation and capital letters, replace letters according to the 'l337' schema.

        If you can't bring yourself to do that then use a password manager but, for goodness sake, do not use any real words - not even if you string them together without any spaces.

        THE XKCD 'HORSEBATTERYSTAPLEYOURMOM' APPROACH IS INSECURE! DON'T DO IT!

        1. Seajay

          Re: XKCD has been touting the complexity angle for years

          I think it falls to dictionary attacks because instead of picking totally random words, people tend to pick real phrases instead. So the title of a movie, or their favourite band, or a line from a poem. That's easy to crack with dictionary attacks.

          What is being suggested in the xkcd is not vulnerable to dictionary attack however - if you actually select random unconnected words, the entropy is very large.

          1. Charles 9

            Re: XKCD has been touting the complexity angle for years

            The problem is that the very entropy you seek is also what makes passanything (words, phrases, whatever) hard to remember, especially in the soup that is the everyday human experience. Now, imagine trying this with someone who regularly has to be reminded to do even basic things like, say, take their medicines on time? Or who can't even remember their birthday anymore?

            1. GIRZiM

              Re: XKCD has been touting the complexity angle for years

              The entropy of randomrealwordsstrungtogetherwithoutspaces is not much greater than that of passphrases. Seriously, if passphrases made up of song lyrics/whatever take no time at all to crack, it takes next to no time at all to defeat the xkcd approach, even when the words are random; it was already defeated years ago - can't remember where I read about it and didn't make a note of it because I never used it anyway precisely because I said to myself "Real words? No way!", so I can't point you to it but, believe me, it wasn't simply phrases/lyrics that were of next to no use but any and all real words (in any and all languages), even with no spaces and/or punctuation.

              Yes, people have a hard time remembering complex passwords, which is why password managers were invented and why (although it's against my better judgement for various reasons) I suggested them as an alternative.

              But, using a core phrase with site/service/whatever-specific additions can work remarkably well.

              This is my core passphrase (which never varies); it's easy to remember. The unique extension for this site or service is: The Register.

              timcp(wnv);ietr.tueftsosi:tr. => timcP(wnv);ietr.tueftsosi:tR. => 71mcP(wnv);137r.7u3f75051:7R.

              It's twenty-nine characters long and has a far higher entropy than any number of real (but random) words any normal human being is going to recall. Once you've learned it, like every other password, it becomes automatic (muscle memory does the job) and the only thing that needs remembering is the unique extension itself (two characters).

              If you're not going to use a password manager but are going to use passwords without 2FA (I really don't recommend 2FA as techniques currently stand) then the above is far and away the best approach:

              1. it's surprisingly easy to remember a very long, complex passphrase that is unique to you - furthermore, people who can't remember multiple passwords don't have to, they just have to think about the name of the site/service/whatever they are using and it all comes flooding back to them;

              2. it's not going to be easily cracked (if at all) thanks to its ridiculous entropy.

              1. Alphebatical

                Re: XKCD has been touting the complexity angle for years

                "it takes next to no time at all to defeat the xkcd approach, even when the words are random; it was already defeated years ago - can't remember where I read about it and didn't make a note of it because I never used it anyway precisely because I said to myself "Real words? No way!", so I can't point you to it but, believe me, it wasn't simply phrases/lyrics that were of next to no use but any and all real words (in any and all languages), even with no spaces and/or punctuation."

                I remember that article. The sole "evidence" he presented was to point out that dictionary attacks exist (with no further details). He then went on to pimp his self-named method for almost all of the article, giving me the impression he was mainly driven by ego. I immediately discarded it as worthless.

                That said, I don't know of any comparison of the strength of the xkcd method to what people actually do, which is all that matters. Let's not make the perfect the enemy of any possible improvement.

                1. GIRZiM

                  Re: XKCD has been touting the complexity angle for years

                  I remember that article. The sole "evidence" he presented was to point out that dictionary attacks exist (with no further details). He then went on to pimp his self-named method for almost all of the article, giving me the impression he was mainly driven by ego. I immediately discarded it as worthless.

                  I'd have to re-read it in that light - as I said, I never thought real words were a good idea and never used them so, to me at least, it was, at worst, academic or, at best, validation of my own approach. But, given that Bruce Schneier also recommended the same approach as mine and not the xkcd one though, I think I'll stick with mine rather than one that almost certainly never was, let alone is, as secure.

                  Dismissing it as worthless because of someone's writing style though, no, I'm less convinced by that - the author can be a narcissist and still right.

                  That said, I don't know of any comparison of the strength of the xkcd method to what people actually do, which is all that matters. Let's not make the perfect the enemy of any possible improvement.

                  There is no perfect. Or at least there's no provably perfect yet - perfection is either NP Complete or an instance of the Halting Problem (it remains to be seen).

                  But that's no reason for complacency - if there's a way to do things that might be secure or an alternative that might not be 100% secure but is definitely more so than the other way then there is no argument to be made in favour of that other way unless it is markedly simpler/easier - and how the human brain/mind works dictates that the xkcd approach is, ultimately, weaker in that regard too because unrelated words are harder to hold in memory than a passphrase of related words.

                  1. Charles 9

                    Re: XKCD has been touting the complexity angle for years

                    Why not just use combinatorics to prove your case? Take a simple dictionary of 300 words compared to say, 64 printable characters.

                    64P8 is 64!/56!, which calculates to 178462987637760. Sounds impressive, but...

                    300P7 is 300!/293!. I reduce that to...300*299*298*297*296*295*294...203810340189456000. One less item, but plenty more entropy. Make it like for like (300P8) and we get...59716429675510608000. Nice thing about factorials. They run away pretty quickly.

                    IOW, even with a simplified dictionary, 7 random words gives you more entropy than 8 random characters out of 64 and may be easier to remember using "memory theater" mnemonics. Now try a sizable chunk of your typical English dictionary and see how quickly that number runs away again.
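A worked check of the combinatorics in this comment, added here and not part of any post in the thread. It reproduces the nPk figures above, adds the with-replacement count that an actual random generator follows (nPk forbids repeated picks, so it slightly undercounts), the 44-bit figure xkcd 936 itself gives for four words from a 2048-word list, and the number of 300-dictionary words needed to match eight random characters; the constant names are mine.

```python
from math import log2, perm

# Constructed inputs matching the comment above: 64 printable characters
# versus a 300-word dictionary, plus the 2048-word list xkcd 936 uses.
CHARSET = 64
SMALL_DICT = 300
XKCD_DICT = 2048


def ordered_no_repeat(n: int, k: int) -> int:
    """nPk = n!/(n-k)!: k distinct picks in order, the count used in the comment."""
    return perm(n, k)


def ordered_with_repeat(n: int, k: int) -> int:
    """n**k: k independent uniform picks with repeats allowed, which is what a
    random generator actually does and the right model for password entropy."""
    return n ** k


def entropy_bits(n: int, k: int) -> float:
    """Entropy in bits of k independent picks from n equiprobable items."""
    return k * log2(n)


def words_needed(dict_size: int, charset: int, char_len: int) -> int:
    """Smallest number of random words from dict_size giving at least as many
    possibilities as char_len random characters from charset. Integer
    arithmetic only, so there are no floating-point edge cases."""
    target = ordered_with_repeat(charset, char_len)
    words = 1
    while ordered_with_repeat(dict_size, words) < target:
        words += 1
    return words


if __name__ == "__main__":
    print(f"64P8  = {ordered_no_repeat(CHARSET, 8)}")
    print(f"300P7 = {ordered_no_repeat(SMALL_DICT, 7)}")
    print(f"300P8 = {ordered_no_repeat(SMALL_DICT, 8)}")
    print(f"8 chars from 64:   {entropy_bits(CHARSET, 8):.1f} bits")
    print(f"7 words from 300:  {entropy_bits(SMALL_DICT, 7):.1f} bits")
    print(f"4 words from 2048: {entropy_bits(XKCD_DICT, 4):.1f} bits (xkcd's figure)")
    print(f"words from 300 to beat 8 chars: {words_needed(SMALL_DICT, CHARSET, 8)}")
```

The entropy counts the generator's choices, so a guesser working letter by letter still faces the same space as one working word by word; only a non-random choice of words (a lyric, a title) shrinks it.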

                    1. GIRZiM

                      Re: XKCD has been touting the complexity angle for years

                      Okay, but how many of those 300 words are you going to be able to commit to memory - bearing in mind that the average number of discrete items the human mind can hold onto without some 'story' chunking them together is 7 +/- 2.

                      It's a nice idea, but I don't think you're gonna memorise that many random words as easily as you're gonna remember to take the first character of each word in the phrase, transform them, plus add on something that the site/service itself reminds you of. I appreciate the maths and all but real human beings aren't calculators or Mr Memory and there are good reasons why Bruce Schneier recommends doing it the way I have suggested and not the xkcd way.

                      Passwords aren't about pure Maths, they're about imperfect human beings.

                    2. GIRZiM

                      Re: XKCD has been touting the complexity angle for years

                      Also, your 300 words consist of only 26 characters each - a brute force dictionary attack relying upon letter frequency analysis to boot doesn't need to go through an exponent of 300 words, it just has to guess the right one of 26 characters each time, aided by the fact that certain combinations will be 'illegal' to start with (e.g. zq never crops up).

                      1. Charles 9

                        Re: XKCD has been touting the complexity angle for years

                        But each word is more than one letter, and the typical one is over 5 letters, so even with shortcuts you need to go through 35 of them, and you're at least running geometric progression, which like factorials stacks up quickly. And BTW, "mezquite" is a synonym for "mesquite" and is a real word that contains "zq". Even "qz" can appear in this kind of sequence in something like "tranqzero".

                        And as for chaining the words together, that's what the "memory theater" is for. xkcd itself uses the technique for "correcthorsebatterystaple". Once upon a time, memory theater and other mnemonics were the only way to keep track of things because people were illiterate and could only communicate things orally. We did before, why can't we do it again?

                        1. GIRZiM

                          Re: XKCD has been touting the complexity angle for years

                          Hmmm. Okay, you make a convincing argument - I'm just still not convinced ; )

                          I'll have to think on it.

              2. Charles 9

                Re: XKCD has been touting the complexity angle for years

                "This is my core passphrase (which never varies); it's easy to remember. The unique extension for this site or service is: The Register."

                Thing is, dictionary attacks are wise to tricks like yours, and the first things they'll try will be capital shifts and "1337 speak". Plus, anyone who finds one of them can take stabs at your formula, or just hit you a second time to get enough of a delta to figure it out.

                As for the password manager things, that doesn't work if there's nothing under the person's safe control. Then you double-whammy this with a really bad (as in "donkeyenginepaperclipwrong") memory.

    3. Joe Werner

      Re: There's Nothing Wrong With QWERTY...

      Yeah, after all the first line of the keyboard reads qwertz ;)

      1. Anonymous Coward

        Re: There's Nothing Wrong With QWERTY...

        AZERTY all the chemin, mon ami !

  2. Anonymous Coward

    Standing on the shoulders of imbeciles

    It's difficult to avoid bugs when your IDE inserts them for you, silently.

    Hopeless.

  3. Pascal Monett

    20,000 out of 1.8 million and it's a problem ?

    That's 1.1%.

    I think we can agree that an issue not affecting users created by 1.1% of app developers is not a problem. It's worth knowing about, but I'm not about to believe that malware writers are downloading 1.8 million free apps to hit a password jackpot in 1% of cases.

  4. Dan 55

    Nearly 20,000 apps with insecure keys ... including popular code like Samsung’s "smart" home app

    I wouldn't expect anything less from the bigcorp that brought us Tizen.

  5. Shak

    As a non Android developer: where exactly are these keys expected to reside then?

  6. thosrtanner

    QWERTY is so last year

    I've been using UIOP[] for ages (but I refuse to use websites who won't allow special characters)

    1. Charles 9

      Re: QWERTY is so last year

      But what happens when something you MUST interact with (say a government website with no B&M alternatives) won't allow the use of specials? Do you deny yourself necessary services because of a lack of security?
