17 posts in this topic

Posted

FORGET THE DICTIONARY If your password can be found in a dictionary, you might as well not have one.

Share this post


Link to post
Share on other sites

Posted

I didn't even read the article... but I will just say this from the topic... The more of a challenge you make it, the more hackers will try, and the harder they will try to break into something.

Share this post


Link to post
Share on other sites

Posted

A good one I've found is to use a word from another language, and eastern european, asian etc... something that can be spelled out on an english keyboard, then using numbers to replace certain letters... but alas, xendrome does also make a good point

Share this post


Link to post
Share on other sites

Posted

The problem is that most people have too many accounts and hard to remember all the passwords. They choose the easy way is to have the same password for pretty much all accounts. The way I have all passwords different for each account, but it's still easy to remember all.

Just create one complex password (mix lower case, upper case, numbers, special character ... etc...). Then you can add the last two letters (or 3 up to you) based on the account. Pick one logic, so you won't forget.

Eg. my password is sAmpL3pa55.

So if I have account with Hotmail, and I pick the first and last letter, so my password now is sAmpL3pa55hl

For newegg, I have sAmpL3pa55ng

... and so on.

This is the easy logic to have different password for each account you own, and you still have the strong passwords.

Share this post


Link to post
Share on other sites

Posted

Another good way is to use a different username when sites allow it.

Share this post


Link to post
Share on other sites

Posted

Share this post


Link to post
Share on other sites

Posted

This:

password_strength.png

If you REALLY want to test your password strength (all client-side javascript), try this one, it's amazing at analyzing password strength: https://dl.dropbox.com/u/209/zxcvbn/test/index.html

2 people like this

Share this post


Link to post
Share on other sites

Posted

OR JUST JAM ON YOUR KEYBOARD For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

password_strength.png

This is the most widely repeated advice on passwords, and it's completely wrong. "correct horse battery staple" is about as secure as "xkcd" because - guess what - crackers use this newfangled thing called a dictionary.

The best password advice I've seen to-date is this https://www.grc.com/haystack.htm

The problem is that most people have too many accounts and hard to remember all the passwords. They choose the easy way is to have the same password for pretty much all accounts. The way I have all passwords different for each account, but it's still easy to remember all.

Just create one complex password (mix lower case, upper case, numbers, special character ... etc...). Then you can add the last two letters (or 3 up to you) based on the account. Pick one logic, so you won't forget.

Eg. my password is sAmpL3pa55.

So if I have account with Hotmail, and I pick the first and last letter, so my password now is sAmpL3pa55hl

For newegg, I have sAmpL3pa55ng

... and so on.

This is the easy logic to have different password for each account you own, and you still have the strong passwords.

the problem with that is that attackers actually take this into account as well, and if you look at the recent high profile cracks a lot of users do append the site's name (or a derivative thereof) onto a "general" password and it's no better because the pattern is trivial to figure out. now, part of it could be mitigated if everyone actually used sane password storage practices, but that seems to be quite a rarity.

3 people like this

Share this post


Link to post
Share on other sites

Posted

you put too much effort into this...

http://www.pctools.c...uides/password/

store it in passkee or any other password locker and you should be good....you can keep the password locker password something simple.

Share this post


Link to post
Share on other sites

Posted

Not really. They still have to figure out the complex password that you create. My logic is the easy way to have diff passwords for each account. I don't recommend people to create a simple one and attach the site name after like 123newegg.

the problem with that is that attackers actually take this into account as well, and if you look at the recent high profile cracks a lot of users do append the site's name (or a derivative thereof) onto a "general" password and it's no better because the pattern is trivial to figure out. now, part of it could be mitigated if everyone actually used sane password storage practices, but that seems to be quite a rarity.

Share this post


Link to post
Share on other sites

Posted

I think people are being a little paranoid here. There are over 6 billion people in the world. There is security in just the shear number of people who use computers. No one cares about an individual person unless your really important. As long as you make your passwords reasonably hard to guess there should be nothing to worry about.

Share this post


Link to post
Share on other sites

Posted

I think people are being a little paranoid here. There are over 6 billion people in the world. There is security in just the shear number of people who use computers. No one cares about an individual person unless your really important. As long as you make your passwords reasonably hard to guess there should be nothing to worry about.

sure it's unlikely that someone would individually target you, but when a huge corp's databases leak and you have a weak/non-unique password, you bet the attackers will take advantage of that. they won't care who you are, but they will care about your bank account.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

Just use this: http://strongpasswordgenerator.com and you'll be set.

Share this post


Link to post
Share on other sites

Posted

This is the most widely repeated advice on passwords, and it's completely wrong. "correct horse battery staple" is about as secure as "xkcd" because - guess what - crackers use this newfangled thing called a dictionary.

The math is easy. Can you explain why he's wrong?

Assume I use diceware and assume I give you the dictionary that I used to generate passwords (7776 words). Assume I tell you my password is at most 6 words long. Calculate the key space taking into account what you know:

7776^6 = 2.2E23

Compare to a 12 character "random, but easily typed character" password: a-zA-Z0-9 and all of the typical symbols: !@#$[];',. etc. Let's just call it 80 characters.

Sigma(n=1,12) 80^n = 7.0E22

So 6 random words form a dictionary that the attacker knows is an order of magnitude larger search space than 12 random characters.

My comparison assumes the 'best case' for random passwords: brute force search of the entire key space. I also assumed the worst case for diceware passwords (the attacker knows exactly which words are valid in my password, that I used only lower case letters to type them, that it's exactly 6 words long - not 4, not 7) and still diceware is better than 12 random digits by a large amount. Bumping it to 16 random characters vs 6 random words does not erase the advantage diceware ware if you allow me a minor change like "maybe I don't use spaces" or "maybe I capitalize some words".

The XKCD comic restricted the comparison space - he assumed the attacker knew the strategies in both cases and tuned his algorithm accordingly. He was also considering the common advice to start with a random word and modify it some way - that ends up in a much smaller amount of entropy than a purely random password. I tried to correct for these short comings in my example just to show that his advice still holds.

In his example and looking at his concerns (how hard is it to generate and memorize a strong password) things favour the random words approach even more. If the attacker doesn't have information about what passwords should look like and they resort to brute forcing the entire a-z0-9+symbols search space then the longer password will be stronger - that tends to favour diceware for the reason he highlighted.

The best password advice I've seen to-date is this https://www.grc.com/haystack.htm

Using your recommended site to evaluate passwords:

First I used diceware to make a 6 random word (The minimum recommended length) password:

  • Password: cash party island beset waxen coil
  • Search Space: 1.65E60
  • Massive Cracking Array Scenario: 5.23 trillion trillion trillion centuries

    Note that the advantage calculated here is much higher than in my example because here he's assuming the attacker only knows that he has to search a-z+spaces, not that he can restrict his key space to combinations of a specific list of 7776 words.

    Using keychain to generate a 12 character random password:

    • Password: zXn6(iy77&:r
    • Search space: 5.23E23
    • Massive Cracking Array Scenario: 1.74 centuries

    Assuming compute speed doubles ever year and that 1.74 centuries starts looking pretty damn small. If you're sending 'sexy pictures' with a 12 character password to a mistress now - they'll be pretty easy to crack (1 month) in 10 years when your wife is looking to divorce for a history of cheating. What are the odds those files end up laying about on a gmail account waiting for a sopena?

    In order to reach the same "durability" as I had with diceware I had to use a 30 character random character password. That seems to demonstrate exactly the point Randal was making: a few random words is just as strong and infinitely easier to memorize than random passwords or using a common strategy of mangling an uncommon word in predictable ways.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

The math is easy. Can you explain why he's wrong?

Assume I use diceware and assume I give you the dictionary that I used to generate passwords (7776 words). Assume I tell you my password is at most 6 words long. Calculate the key space taking into account what you know:

7776^6 = 2.2E23

Compare to a 12 character "random, but easily typed character" password: a-zA-Z0-9 and all of the typical symbols: !@#$[];',. etc. Let's just call it 80 characters.

Sigma(n=1,12) 80^n = 7.0E22

So 6 random words form a dictionary that the attacker knows is an order of magnitude larger search space than 12 random characters.

My comparison assumes the 'best case' for random passwords: brute force search of the entire key space. I also assumed the worst case for diceware passwords (the attacker knows exactly which words are valid in my password, that I used only lower case letters to type them, that it's exactly 6 words long - not 4, not 7) and still diceware is better than 12 random digits by a large amount. Bumping it to 16 random characters vs 6 random words does not erase the advantage diceware ware if you allow me a minor change like "maybe I don't use spaces" or "maybe I capitalize some words".

The XKCD comic restricted the comparison space - he assumed the attacker knew the strategies in both cases and tuned his algorithm accordingly. He was also considering the common advice to start with a random word and modify it some way - that ends up in a much smaller amount of entropy than a purely random password. I tried to correct for these short comings in my example just to show that his advice still holds.

In his example and looking at his concerns (how hard is it to generate and memorize a strong password) things favour the random words approach even more. If the attacker doesn't have information about what passwords should look like and they resort to brute forcing the entire a-z0-9+symbols search space then the longer password will be stronger - that tends to favour diceware for the reason he highlighted.

Using your recommended site to evaluate passwords:

First I used diceware to make a 6 random word (The minimum recommended length) password:

  • Password: cash party island beset waxen coil
  • Search Space: 1.65E60
  • Massive Cracking Array Scenario: 5.23 trillion trillion trillion centuries

    Note that the advantage calculated here is much higher than in my example because here he's assuming the attacker only knows that he has to search a-z+spaces, not that he can restrict his key space to combinations of a specific list of 7776 words.

    Using keychain to generate a 12 character random password:

    • Password: zXn6(iy77&:r
    • Search space: 5.23E23
    • Massive Cracking Array Scenario: 1.74 centuries

    Assuming compute speed doubles ever year and that 1.74 centuries starts looking pretty damn small. If you're sending 'sexy pictures' with a 12 character password to a mistress now - they'll be pretty easy to crack (1 month) in 10 years when your wife is looking to divorce for a history of cheating. What are the odds those files end up laying about on a gmail account waiting for a sopena?

    In order to reach the same "durability" as I had with diceware I had to use a 30 character random character password. That seems to demonstrate exactly the point Randal was making: a few random words is just as strong and infinitely easier to memorize than random passwords or using a common strategy of mangling an uncommon word in predictable ways.

    you're right, it's not completely the same, but the fact that it's using real words from a dictionary means it's not all that strong either. essentially the difference is between a 4 character password where each character can be one of ~70 choices and a 4 character password where each character can be one of ~10,000 choices (arbitrary example), while yes, it is stronger, it still takes a sane amount of time to crack. an order of magnitute, as you have calculated, is not really that much stronger in terms of passwords. The mistake that Randall made is exactly the one that you pointed out in the haystack calculator that I linked - it doesn't take into account dictionary attacks. Steve Gibson's method, on the other hand, is not vulnerable to a dictionary attack (of course, it might have other weaknesses of its own).

Share this post


Link to post
Share on other sites

Posted

essentially the difference is between a 4 character password where each character can be one of ~70 choices and a 4 character password where each character can be one of ~10,000 choices (arbitrary example), while yes, it is stronger, it still takes a sane amount of time to crack.

What are you talking about - it's like you didn't even read the post.

an order of magnitute, as you have calculated, is not really that much stronger in terms of passwords.

It's the difference between a year and a decade. An order of magnitude is the difference between minimum wage and 1%. Between failing a math class and having the top score.

A 'six word' password is 30,000,000,000,000,000,000,000,000,000x times stronger than a 12 random character password when it comes to resisting brute force attacks 10x stronger when I give you the dictionary I used, the number of words, I used, and the combination method (spaces,all lower case, etc).

If you're not seeing how this is true the you're literally struggling with the concept that 23 > 22.

The mistake that Randall made is exactly the one that you pointed out in the haystack calculator that I linked - it doesn't take into account dictionary attacks.

I pointed out that issue, then did the math for you to show that even if you correct for that mistake you still don't eliminate the advantage of 6-word passwords.

Once again: show the math. Given your difficultly with inequality I can see why your hesitant to trundle into the lofty world of exponents but I believe in you! You can do it if you try!

Steve Gibson's method, on the other hand, is not vulnerable to a dictionary attack (of course, it might have other weaknesses of its own).

Diceware passwords aren't vulnerable to dictionary attacks in any meaningful sense either. I get the feeling you don't actually know what that term means or how it actually works in practice.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.