Password Discussion



I didn't know where else to put this, so please move it to a different forum if you need to.  I was recently discussing security with a few people, and they brought up a good point.  I used to think the xkcd article was spot on regarding security (correct horse battery staple).  However, what about dictionary attacks?

 

How is correct horse battery staple more secure than Tr0ub4dor?

 

Dictionary attacks are very fast.  The xkcd article contains four words found in the dictionary.  Wouldn't that make it much faster than Tr0ub4dor, which doesn't exist in a dictionary?


Say you have a dictionary of 5000 words; just the number of different ways that they can be combined is 4x10^16325, which is massively large. This is with the correct spelling of the words; if the dictionary started including spellings that involve numbers or capitals, that large number is only going to get bigger. Also, if the dictionary doesn't contain the words in the password, the attacker will do all that work for nothing.


"IF you have have to then mix it with symbols and numbers."

 

And there are tools that auto-swap in these sorts of replacements, 0 for o, 1 for i, 5 for s, etc. So using just 1 word with them changed out is not really all that extra strong.

 

While yes, dictionary attacks can run through words very quickly - they don't combine them into combinations - not any crackers I have seen.  Now take a 100k dictionary and what are the possible combinations if you used, say, 5 words in a combination?  Words you can repeat, etc.  You're talking what, 1 with 25 zeros possible?

 

Even using just 3 words "horse battery staple" you get what, 1 with 15 zeros possible combinations.  And that is not even counting case; if you now make it "horsE baTTeRy staPle" I'm not even sure off the top of my head how to figure out the number of possible combinations there??  Let's just say a freaking lot of zeros in the number ;)

 

Are you pulling from only 100k words? I believe there are some 170k words in English - and who says you only use English; I would prob throw in some other language words as well ;)  I think you're looking at it wrong about a dictionary attack anyway.  That article is more about putting together a simple combo of words that lets you remember the password to get the character count up.  Maybe you have spaces, maybe you don't - maybe you do replace some letters, use case, etc.  Maybe you throw in some numbers in there..  You can easily remember horse battery staple - remembering you changed out e with 3 should be easy enough, and that you made every 4th letter a cap.  And maybe you throw in your dog's birthday month and day between the words.  But no space between the last number and the word.

 

So you get horS3 03 batT3ry 24sTapl3

 

Does that look like a dictionary password?  So that might be a good master password.  While you then use a password tool so your passwords are, say, like this: "6872%6WVkG2%YU301u0bPqxmIPGWMTEI"
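The posts above reason about the size of the search space for word-based passphrases (5000, 100k and 170k-word lists, three to five words, case variation) versus a single leet-mangled word like Tr0ub4dor. The following is an added example, not code from the thread or from xkcd, that works those counts out under the attacker model each scheme actually faces: a word list times the mangling forms for the single-word case, and list size to the power of word count for the passphrase case. The leet table, the 2048-word list behind the xkcd figure, and the 95-character printable-ASCII alphabet are assumptions stated in the code.

```python
import math

# Substitutions a cracker's word-mangling rules commonly try (constructed
# table for this example; real rule sets are larger).
LEET = {"a": "4@", "b": "8", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def word_search_space(dictionary_size, num_words, forms_per_word=1):
    """Candidates an attacker must try when the scheme is known: every slot
    is any of dictionary_size words in any of forms_per_word spellings
    (plain, capitalised, ...), and words may repeat."""
    return (dictionary_size * forms_per_word) ** num_words


def char_search_space(alphabet_size, length):
    """Candidates for a plain character-by-character brute force."""
    return alphabet_size ** length


def leet_forms(word):
    """Spellings a leet-mangling rule yields for one word: each letter is
    kept or swapped for any of its substitutes, and the first letter may be
    upper- or lower-case."""
    n = 1
    for ch in word.lower():
        n *= 1 + len(LEET.get(ch, ""))
    return 2 * n


def bits(space):
    """Entropy-equivalent strength: log2 of the number of candidates."""
    return math.log2(space)


def compare():
    """Strength in bits of the schemes discussed in the thread, each under the
    attacker model that targets it. Dictionary sizes are the ones the thread
    mentions; the 2048-word list is an assumed size behind the xkcd figure."""
    scenarios = {
        "Tr0ub4dor: one word from a 100k list + leet/case mangling":
            100_000 * leet_forms("troubadour"),
        "four words from a 2048-word list": word_search_space(2048, 4),
        "four words from a 5000-word list": word_search_space(5000, 4),
        "three words from a 100k list": word_search_space(100_000, 3),
        "five words from a 100k list": word_search_space(100_000, 5),
        "four words from a 170k list, each plain or capitalised":
            word_search_space(170_000, 4, 2),
        "28 characters brute-forced over 95 printable ASCII": char_search_space(95, 28),
    }
    return {name: round(bits(space), 1) for name, space in scenarios.items()}


if __name__ == "__main__":
    for name, strength in compare().items():
        print(f"{strength:6.1f} bits  {name}")
```

The numbers show the point of the thread: a single dictionary word survives leet mangling with only a few extra bits, whereas adding whole words multiplies the search space by the list size each time. The last row is what an attacker who does not know the scheme at all is left with, which is why the passphrase's real strength is the smaller of the two figures.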


I use a combo of words with case and numbers and specials in my master password. It is 23 characters long.. But it's easy for me to remember, and then yeah you can just let your password tool keep track. I use LastPass and have for years - but there are other choices.

You can generate as long passwords as you want that way, as long as the site allows. I have one that allows 100 characters - I thought that was just nuts, but I did create a 32 character random one to use on that site ;)

And you can also use 2 factor if you want to get access to these passwords. I use a code matrix they can create for you: when you try and put in the master password from a machine you have not used before, you have to put in an answer to a generated question of numbers. Then you can keep the machine as trusted, or only use it one time, etc.

There should be no reason in this day and age that everyone should not be using very strong passwords, and different ones for all sites. LastPass has a nice security test you can run against your passwords that gives you a score and shows you which sites seem to be low strength, or if you have duplicates on sites, if the site has been hit recently and you should change that password, etc. etc.

I would suggest taking a look at LastPass, it's FREE - it only costs money if you want to use some premium features - I have it on my phone and iPad, etc. so that costs $12 a year and you can put the premium app on any device, as many as you want, etc.


I use Keepass with a password/passphrase generator addon based off xkcd's comic.

I only need to remember the master passphrase, which is around 35 characters long, using spaces and the odd made-up word.

 

e.g. "Deck jims fla6ordal pyjamas"

(image: Vr7yHaM.png)


I use Keepass with a password/passphrase generator addon based off xkcd's comic.

I only need to remember the master passphrase, which is around 35 characters long, using spaces and the odd made-up word.

 

e.g. "Deck jims fla6ordal pyjamas"

(image: Vr7yHaM.png)

 

Wow, using that tool here is the info for mine.

 

(Apparently the Neowin Attachment uploader is broken)

 

Brute Force Search Space Analysis:
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 16 characters
Exact Search Space Size (Count):
(count of all possible passwords with this alphabet size and up to this password's length)
44,480,886,725,444,405,624,219,204,517,120
Search Space Size (as a power of 10): 4.45 x 10^31

Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 14.14 million trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 1.41 hundred billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.41 hundred million centuries

Note that typical attacks will be online password guessing limited to, at most, a few hundred guesses per second.
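The report pasted above is a brute-force "search space" calculation: the alphabet depth is the sum of the character classes present, the exact size is every string up to the password's length over that alphabet, and the three times divide that size by a guess rate. The script below is an added example, not the tool's code, that reproduces those figures for a constructed 16-character sample; the sample string, the 365.25-day year and the three guess rates are assumptions. Note that this counts only blind brute force, which is exactly why the report's "Note" warns that real attacks look different.

```python
# Constructed 16-character sample containing all four character classes.
SAMPLE = "Q7m!Zp2$vL9&wE4@"

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# (scenario name, guesses per second), matching the three rows of the report.
SCENARIOS = [
    ("Online Attack Scenario", 1_000),
    ("Offline Fast Attack Scenario", 100_000_000_000),
    ("Massive Cracking Array Scenario", 100_000_000_000_000),
]


def alphabet_size(password):
    """Search space depth: 26 if any lower-case letter is present, another 26
    for upper-case, 10 for digits, 33 for the remaining printable ASCII."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    digit = any(c.isdigit() for c in password)
    other = any(not c.isalnum() for c in password)
    return 26 * lower + 26 * upper + 10 * digit + 33 * other


def haystack_size(alphabet, length):
    """Every string of length 1..length over the alphabet: the 'exact search
    space size' line of the report."""
    return sum(alphabet ** n for n in range(1, length + 1))


def centuries_to_search(space, guesses_per_second):
    """Time to exhaust the whole space at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def analyse(password):
    alphabet = alphabet_size(password)
    space = haystack_size(alphabet, len(password))
    return {
        "alphabet": alphabet,
        "length": len(password),
        "space": space,
        "centuries": {name: centuries_to_search(space, rate) for name, rate in SCENARIOS},
    }


def report(password):
    """Render the analysis in the same layout as the pasted output."""
    r = analyse(password)
    lines = [
        "Brute Force Search Space Analysis:",
        f"Search Space Depth (Alphabet): {r['alphabet']}",
        f"Search Space Length (Characters): {r['length']} characters",
        f"Exact Search Space Size (Count): {r['space']:,}",
        f"Search Space Size (as a power of 10): {r['space']:.2e}",
        "Time Required to Exhaustively Search this Password's Space:",
    ]
    for name, centuries in r["centuries"].items():
        lines.append(f"{name}: {centuries:.2e} centuries")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

For the sample the depth comes out at 95 and the size at about 4.45 x 10^31, as in the pasted report; the centuries figures land at roughly 1.41 x 10^19, 1.41 x 10^11 and 1.41 x 10^8 for the three rates.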


How is correct horse battery staple more secure than Tr0ub4dor?

 

Dictionary attacks are very fast.  The xkcd article contains four words found in the dictionary.  Wouldn't that make it much faster than Tr0ub4dor, which doesn't exist in a dictionary?

 

A dictionary attack doesn't mean words from THE dictionary; of course it can, but it's mainly just a list of common passwords (sourced from previous exploits), so "Pa$$w0rd" (I assume this is a pretty common password these days) would be no more secure than "password" even though it has uppercase, special and numeric characters. To be secure against this sort of attack all you need is a password that is unique, so it won't appear in the attacker's dictionary.


I use a combo of words with case and numbers and specials in my master password. It is 23 characters long.. But it's easy for me to remember, and then yeah you can just let your password tool keep track. I use LastPass and have for years - but there are other choices.

You can generate as long passwords as you want that way, as long as the site allows. I have one that allows 100 characters - I thought that was just nuts, but I did create a 32 character random one to use on that site ;)

And you can also use 2 factor if you want to get access to these passwords. I use a code matrix they can create for you: when you try and put in the master password from a machine you have not used before, you have to put in an answer to a generated question of numbers. Then you can keep the machine as trusted, or only use it one time, etc.

There should be no reason in this day and age that everyone should not be using very strong passwords, and different ones for all sites. LastPass has a nice security test you can run against your passwords that gives you a score and shows you which sites seem to be low strength, or if you have duplicates on sites, if the site has been hit recently and you should change that password, etc. etc.

I would suggest taking a look at LastPass, it's FREE - it only costs money if you want to use some premium features - I have it on my phone and iPad, etc. so that costs $12 a year and you can put the premium app on any device, as many as you want, etc.

 

I already use 1Password with a 66 character master password.  


66 character master is a bit much if you ask me ;)  PITA to type in..

 

"but its mainly just a list of common password (sourced from previous exploits) so "Pa$$w0rd"

 

Valid point -- but still, those don't make it any more likely that the combo of words you put together to come up with your password is less secure, etc.


Well it's using the correct horse battery staple concept, just with a lot more words and cases, symbols, and numbers :).  Still not as much of a pain as typing in Hb87g987G*IV87 and remembering it :P  I am a fast typer so that password doesn't take long.  Plus, and I know it is ridiculous, but having that long of a password for my password vault makes me feel better about having all my passwords in one place.


While sure, it might be easy to type on a real keyboard - but on a mobile device it's just over the top in my opinion..  20ish would be more than secure enough imho..


I don't mind typing it on my iPad or iPhone.  I do not use the same passwords on those devices, so I do not have the same password vault.  Also now with Touch ID support, it makes it easier :)

 

Plus, it is the only secure thing I could think of since I threw in some nonsense words that were pretty long.


So is it okay to use "correct horse battery staple" idea for a master password for LastPass then use that to generate random passwords like ub*&B*&b87b786yubd7q6b?

 

Well I wouldn't use that as your master password if you just posted it on a public forum.


Does the iPad have fingerprint support? I don't have the current model; does the current one have fingerprint support?


Does the iPad have fingerprint support? I don't have the current model; does the current one have fingerprint support?

 

Not currently, the new iPad being released end of October should, according to rumour.


Well I wouldn't use that as your master password if you just posted it on a public forum.

 

You caught me :(

 

But no I do not use that password :P  I use the concept though, along with symbols, numbers and cases.


This topic is now closed to further replies.