Is the 'strongest password of 16 characters or less' really the strongest password?

On April 21, 2023, ActiveTK. tweeted 'The strongest password in 16 characters or less,' which has garnered 12,000 retweets and 70,000 likes at the time of writing. We asked an engineer whether this 'strongest password in 16 characters or less' is really the strongest password.

Below is the 'Strongest password of 16 characters or less' tweeted by ActiveTK.
';--\t:․ \n,'\0}`|@

ActiveTK. lists four properties of this password: 'SQL → database corruption with ';--', 'CSV → file corruption with \t\n,', 'Command → syntax corruption with |', and 'a mixture of double-byte characters and special characters'. We asked our engineers what each of these means and received the following answers:

◆1: DB destruction by SQL → ';--
In SQL, the language used to define and manipulate data in relational database management systems, each statement is written as '(statement);'. When this password is concatenated into a query inside a quoted string literal, its leading ' closes the literal, the ';' ends the statement right there, and everything from '--' onward is treated as a comment, so the rest of the password is never stored as data at all.

In other words, simply putting ';-- in a password performs a basic SQL injection. It is unlikely to corrupt the database, but against crude code like the following it can make the process stop with an error:

"UPDATE users SET password = '" + pass + "' WHERE id = '" + id + "';"

Here the double quotes delimit the pieces of program text, and pass and id are pasted in without any escaping. Entering this password yields:

UPDATE users SET password = '';--\t:․ \n,'\0}`|@' WHERE id = '" + id + "';"

If the text after '--' is ignored as a comment, what finally executes is:

UPDATE users SET password = '';

Note that the WHERE clause disappears along with the rest of the password, so if this statement runs at all it sets every user's password to the empty string, not just the intended user's.
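As an added illustration (this is not code from the article or from ActiveTK.), the following Python script runs the crude concatenated UPDATE shown above against an in-memory SQLite table and compares it with a parameterized query. It assumes the tweet's \t, \n and \0 are real tab, newline and NUL characters, which is what makes the count come out to 16, and it constructs its own three-row users table; the function names are mine.

```python
import sqlite3

# The 16-character password from the tweet, with \t, \n and \0 interpreted as
# the real tab, newline and NUL characters (assumption made for this example).
TWEET_PASSWORD = "';--\t:\u2024 \n,'\x00}`|@"

# The ';-- fragment on its own, the part the engineer singles out.
INJECTION_ONLY = "';--"


def make_db():
    """Constructed sample data: an in-memory users table with three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users (id, password) VALUES (?, ?)",
        [(1, "alice-pw"), (2, "bob-pw"), (3, "carol-pw")],
    )
    conn.commit()
    return conn


def passwords(conn):
    """Return {id: password} for every row, to see what an UPDATE really did."""
    return dict(conn.execute("SELECT id, password FROM users ORDER BY id"))


def update_unsafe(conn, uid, pw):
    """The crude code from the article: the password is spliced into SQL text."""
    query = "UPDATE users SET password = '" + pw + "' WHERE id = '" + str(uid) + "';"
    conn.execute(query)
    conn.commit()
    return query


def update_safe(conn, uid, pw):
    """The fix: bound parameters. The password is never parsed as SQL."""
    conn.execute("UPDATE users SET password = ? WHERE id = ?", (pw, uid))
    conn.commit()


def run_scenarios():
    """Run three cases and return what each one left in the table."""
    results = {}

    # 1. Only the ';-- fragment through the crude code: the leading quote closes
    #    the literal, ';' ends the statement and '--' comments out the WHERE
    #    clause, so every row is blanked, not just id 2.
    conn = make_db()
    update_unsafe(conn, 2, INJECTION_ONLY)
    results["fragment_unsafe"] = passwords(conn)

    # 2. The full 16-character password through the crude code. Python's
    #    sqlite3 refuses a query containing a NUL byte (and a shell of it
    #    would not be a single valid statement either), so the update fails
    #    with an exception and the table is untouched.
    conn = make_db()
    try:
        update_unsafe(conn, 2, TWEET_PASSWORD)
        results["full_unsafe"] = ("ok", passwords(conn))
    except (ValueError, sqlite3.Error) as exc:
        results["full_unsafe"] = ("error", type(exc).__name__, passwords(conn))

    # 3. The full password through the parameterized query: stored verbatim,
    #    only row 2 changes, and nothing about it is "strongest".
    conn = make_db()
    update_safe(conn, 2, TWEET_PASSWORD)
    results["full_safe"] = passwords(conn)

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```

SQLite treats '--' as a comment to the end of the line unconditionally; MySQL additionally requires whitespace after the two dashes, which the tab in this password happens to supply. The fix is the same in either case: never concatenate user input into SQL text.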

◆2: File destruction by CSV →\t\n
In CSV, the file format used by spreadsheets and database software, '\t' stands for a tab character and '\n' for a line break. If user IDs and passwords are exported to CSV in bulk, the '\n' in this password produces a line break in the middle of the record and the '\t' inserts a tab.

In other words, even if this password leaks, whoever stole it and saved it in CSV format would find line breaks and tabs inserted into it, making it impossible to tell what the correct password was.

In addition, '\t' is the field separator in TSV, another spreadsheet format, so it may disrupt a TSV export in the same way.

◆3: Syntax destruction by command →|
The '|' is treated as a pipe (the output of one command fed as input to the next), so a command line that contains the password is cut off at that point.

◆4: Mixing 2-byte characters and special characters
Because this password mixes double-byte (full-width) characters with special characters, a brute-force attack would take longer to crack it than a password made only of half-width characters.

However, it has been pointed out that 'there is no system that takes double-byte characters into account, making this password virtually invincible to brute-force attacks.'

In addition, because ordinary systems do not accept double-byte characters in password input, ActiveTK. recommends entering the password via JavaScript.

Reading only the explanation above, this certainly looks like the 'strongest password of 16 characters or less', but ◆1 to ◆3 are all easily avoided if the password is properly escaped (or, in the SQL case, passed as a bound parameter instead of being concatenated into the query). In fact, it has been pointed out that 'it is harder to find a system on which ◆1 to 3 actually work.'
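To show what 'properly escaped' means for ◆2 and ◆3, here is an added Python example (not from the article): it exports the password with a hand-rolled comma-joined writer and with the csv module, then hands it to /bin/sh as a raw concatenated string, as a shlex.quote-escaped string, and as an argv list with no shell at all. The sample rows are constructed, the NUL is omitted because a command-line argument cannot contain one, and the function names are mine.

```python
import csv
import io
import shlex
import subprocess

# The tweet's password with \t and \n as a real tab and newline (assumption).
# The \0 is dropped: a command-line argument cannot carry a NUL byte (execve
# stops at it and Python raises ValueError), and the same sample is reused for
# the CSV part so the two cases stay comparable.
PASSWORD = "';--\t:\u2024 \n,'}`|@"

# Constructed sample export: (user id, password) pairs.
ROWS = [(1, "alice-pw"), (2, PASSWORD), (3, "carol-pw")]


def export_naive(rows):
    """Hand-rolled 'CSV': commas between fields, a newline after each row.
    Nothing is quoted, so a comma or newline inside a field cannot be told
    apart from a field or record boundary."""
    return "".join(",".join(str(f) for f in row) + "\n" for row in rows)


def export_proper(rows):
    """The csv module quotes any field containing the delimiter, a quote
    character or a line break (RFC 4180), so a parser gets the same data back."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def parse_csv(text):
    """Read an export back with a standards-following parser."""
    return list(csv.reader(io.StringIO(text)))


def run_in_shell_naive(pw):
    """The risky pattern: the password concatenated into a command string for
    /bin/sh. The password's quote, backtick and pipe are parsed as shell syntax.
    Returns (exit status, stdout)."""
    proc = subprocess.run("printf '%s' " + pw, shell=True,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_in_shell_quoted(pw):
    """Same command, but the password is shell-escaped with shlex.quote first."""
    proc = subprocess.run("printf '%s' " + shlex.quote(pw), shell=True,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_without_shell(pw):
    """Better still: pass an argv list, so no shell ever parses the password."""
    proc = subprocess.run(["printf", "%s", pw], capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print(parse_csv(export_naive(ROWS)))    # record 2 is split at the newline
    print(parse_csv(export_proper(ROWS)))   # round-trips exactly
    print(run_in_shell_naive(PASSWORD))     # sh stops with a syntax error
    print(run_in_shell_quoted(PASSWORD))    # prints the password back
    print(run_without_shell(PASSWORD))      # same, with no shell involved
```

With the naive writer the second record is torn into two rows at the newline, exactly the effect ◆2 describes, while the csv module's quoting brings the field back intact. For the command, the raw string fails because the unmatched backtick and the pipe are shell syntax; once the value is quoted, or passed as a separate argument, the shell never sees them as syntax and the pipe does nothing.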

In addition, passwords are normally stored in hashed form, and it is those hashes that attackers steal, so an attacker is very unlikely to run into any of the effects listed above. A system that hashes the password before building the query or the export never puts these characters into SQL, CSV or a command line in the first place.

in Security, Posted by logu_ii