#269039 - 04/13/14 07:16 PM
Re: Might be time to change your passwords
[Re: Brangdon]
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
> Those kinds of transformations are known to hackers and easy to automate.

Which is why I use the "every other character with the <shift> key" part. Those digits, which I agree are easy transformations to automate, become punctuation characters when you use the <shift> key. Does this actually make the final result password more secure? I can't say with any certainty because I haven't done any personal crypto testing myself, but at least we can probably assume it doesn't make them any LESS secure.

> Since you are using KeePass, why don't you let it generate strong passwords for you?

I have thought about that. If I only used my desktop computer to access forums and such (where I tend to use the less secure passwords) I would do this. However, KeePass on my Android phone is not as easy to use, nor is the cut-n-paste, compared to a desktop computer. So I just have not made the switch to using KeePass to generate good passwords. I justify this, rightly or wrongly, with my thought process that "I don't really care all that much if my forum passwords get hacked". The consequences for me are minimal, since I don't share those less secure passwords with bank websites and such. Still, I agree it would be better to have super-secure passwords everywhere, no exceptions. I just haven't made that move yet. I should.
#269048 - 04/14/14 03:46 AM
Re: Might be time to change your passwords
[Re: Mark_R]
Enthusiast
Registered: 12/06/06
Posts: 392
Loc: CT
I saw something, somewhere, on another site... where a mathematician showed the compared probabilities associated with "m4Nuf4C+ur3D" passwords and those associated with passwords made of four 'random' words, for which a mnemonic could be contrived. The four random words were much more secure: e.g., looking at my avatar, one might pick "CrackerPonyFlipFlop". This kind of password is easier to remember AND more secure... and I guess I won't be using "CrackerPonyFlipFlop" anytime soon...
_________________________
Improvise, Utilize, Realize.
#269054 - 04/14/14 02:03 PM
Re: Might be time to change your passwords
[Re: haertig]
Veteran
Registered: 12/12/04
Posts: 1204
Loc: Nottingham, UK
> Those kinds of transformations are known to hackers and easy to automate. Which is why I use the "every other character with the <shift> key" part. Those digits, which I agree are easy transformations to automate, become punctuation characters when you use the <shift> key.

Mapping digits to punctuation via the <shift> key is also easy to automate.

> Does this actually make the final result password more secure? I can't say with any certainty because I haven't done any personal crypto testing myself, but at least we can probably assume it doesn't make them any LESS secure.

It's probably not less secure than ".357rugermag", but that's only about 45 bits so it's not a very high bar for a super-secure password. It's probably not as secure as 12 genuinely random characters would be (84 bits). Whether it's secure enough is a judgement call. It may also be something which would likely remain unbroken today, but become weak as hackers catch on to those transformations.

> However, KeePass on my Android phone is not as easy to use, nor is the cut-n-paste, compared to a desktop computer.

Fair point. I don't use many passwords from my phone. There's always a trade-off between security and convenience.
_________________________
Quality is addictive.
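To put numbers on the bit counts being compared in this post, here is an added example (not code from anyone in this thread). The charset sizes, the 7776-word list size and the guess rate are assumptions chosen for illustration; 84 bits is exactly what 12 symbols from a 128-symbol alphabet give. The `transformed_bits` function makes the thread's main point explicit: a transformation rule the attacker already knows adds no entropy, and one picked from N popular rules adds only log2(N) bits.

```python
import math


def random_string_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly at random from a list of `wordlist_size`.

    This only holds for words actually picked at random; words chosen by looking at
    an avatar (or a cartoon) come from a much smaller, more predictable pool.
    """
    return word_count * math.log2(wordlist_size)


def transformed_bits(base_bits: float, candidate_rule_count: int) -> float:
    """Entropy after applying one fixed transformation rule (shift every other key,
    digits-to-punctuation, leetspeak, ...) to a base secret.

    If the attacker knows the rule, candidate_rule_count is 1 and nothing is gained.
    If the rule is one of N rules the attacker has to try, the gain is log2(N):
    a handful of popular rules adds only a few bits.
    """
    return base_bits + math.log2(candidate_rule_count)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret at a given rate (half the space on average)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def summary() -> dict:
    # Assumed parameters (not from the thread): 95 printable ASCII characters,
    # a 7776-word Diceware-style list, and 1e9 guesses/s, which is in the range
    # an offline attack on a fast, unsalted hash can reach.
    rate = 1e9
    rows = {
        "12 random printable chars": random_string_bits(95, 12),
        "12 random chars, 128-symbol alphabet": random_string_bits(128, 12),
        "4 random words (7776-word list)": passphrase_bits(7776, 4),
        "4 random words + 1 of 8 known rules": transformed_bits(passphrase_bits(7776, 4), 8),
        "6 random words (7776-word list)": passphrase_bits(7776, 6),
    }
    return {name: (round(bits, 1), expected_seconds(bits, rate)) for name, bits in rows.items()}


if __name__ == "__main__":
    for name, (bits, seconds) in summary().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{seconds:.3g} s at 1e9 guesses/s")
```

The expected-time column is only as good as the guess-rate assumption: against a properly salted, slow password hash the rate is orders of magnitude lower, and against an online login with lockout it is lower still, so the same bit count buys very different margins depending on how the password is stored and checked.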
#269066 - 04/14/14 11:57 PM
Re: Might be time to change your passwords
[Re: Brangdon]
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
> The only sane approach is a password manager. I use KeePass.

Thanks, KeePass 2 is way better than SplashID.
_________________________
If you're reading this, it's too late.
#269071 - 04/15/14 03:05 PM
Re: Might be time to change your passwords
[Re: UncleGoo]
Carpal Tunnel
Registered: 12/26/02
Posts: 3001
> The four random words were much more secure: e.g., looking at my avatar, one might pick "CrackerPonyFlipFlop". This kind of password is easier to remember AND more secure... and I guess I won't be using "CrackerPonyFlipFlop" anytime soon...

This isn't secure at all. A dictionary attack will find all 4 words just as easily as it will find one. Basically you take the first letter C and go down in your dictionary file to all the words that start with C. Then look for all words that are Cr within that subset, then Cra, etc. Once you've found Cracker you just take the next letter P and look for all the P words. I'll give an example of how easy it is to do: Way back in my high school English class we had to figure out compound words by breaking them apart into the Greek and Latin roots, then getting the meaning of each part and putting those back together into a definition. I did this in Commodore Basic in 1989/1990.
#269073 - 04/15/14 04:36 PM
Re: Might be time to change your passwords
[Re: Eugene]
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
> > The four random words were much more secure: e.g., looking at my avatar, one might pick "CrackerPonyFlipFlop". This kind of password is easier to remember AND more secure... and I guess I won't be using "CrackerPonyFlipFlop" anytime soon...
>
> This isn't secure at all. A dictionary attack will find all 4 words just as easily as it will find one. Basically you take the first letter C and go down in your dictionary file to all the words that start with C. Then look for all words that are Cr within that subset, then Cra, etc. Once you've found Cracker you just take the next letter P and look for all the P words. I'll give an example of how easy it is to do: Way back in my high school English class we had to figure out compound words by breaking them apart into the Greek and Latin roots, then getting the meaning of each part and putting those back together into a definition. I did this in Commodore Basic in 1989/1990.

That's still not a trivial computation. The computer must be prepared to try every combination of known words. If one character or one capitalization is out of place, then the dictionary attack won't work. Anyway, obviously, the most secure passwords are going to be long and random. Any rule that deviates from that can be met with at least some criticism. There is a point at which your password is no longer the weak link (e.g., it may be much easier for a hacker to steal your computer's key strokes). With a few simple modifications to the cartoon "CorrectHorseBatteryStaple", you can obtain a password that makes a dictionary attack substantially more difficult without being much harder to remember. Here are some examples:

CorrecHorsBatterStapl (Drop the last letter of each word)
C!orrectHorseBatteryStaple (One random character in there)
cOrrecthOrsebAtterysTaple (Capitalize the second letter of each word)

It's not always possible/convenient to have a "long and random" password. Thus, some sort of mental hash algorithm is often required.
_________________________
If you're reading this, it's too late.
#269075 - 04/15/14 05:26 PM
Re: Might be time to change your passwords
[Re: ireckon]
Pooh-Bah
Registered: 03/08/07
Posts: 2208
Loc: Beer&Cheese country
> It's about time for me to get off my ass and finally implement better password security. I have about 100 computer-related logins that require a password. So, I need to think of a system that doesn't repeat a password but allows me to memorize at the same time. This is a daunting task.

Notebook, my friend. Notebook. Yeah, yeah, don't write down your passwords. What are the chances that the guy hacking all the world's servers just happens to burgle your house?
#269080 - 04/15/14 06:04 PM
Re: Might be time to change your passwords
[Re: Mark_R]
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
It's easier for me to memorize patterns and pictures. For passwords that I want to be highly secure and memorized, I use a pattern on the keyboard. I don't even know what the password is because it's gobbledygook, but I know the pattern/drawing in my head. The password can be quite long and is not written down anywhere. I do write down something that can make me, and only me, recall the pattern that is meaningful only to me. So, even if a thief hacks my password vault, he is still out of luck. A brute force attack is the only crime that will work. The only downside to this approach is that I must have a full QWERTY keyboard to input the password.

> > It's about time for me to get off my ass and finally implement better password security. I have about 100 computer-related logins that require a password. So, I need to think of a system that doesn't repeat a password but allows me to memorize at the same time. This is a daunting task.
>
> Notebook, my friend. Notebook. Yeah, yeah, don't write down your passwords. What are the chances that the guy hacking all the world's servers just happens to burgle your house?

Good old pen and paper!
_________________________
If you're reading this, it's too late.
#269125 - 04/16/14 12:25 PM
Re: Might be time to change your passwords
[Re: ireckon]
Carpal Tunnel
Registered: 12/26/02
Posts: 3001
> > > The four random words were much more secure: e.g., looking at my avatar, one might pick "CrackerPonyFlipFlop". This kind of password is easier to remember AND more secure... and I guess I won't be using "CrackerPonyFlipFlop" anytime soon...
> >
> > This isn't secure at all. A dictionary attack will find all 4 words just as easily as it will find one. Basically you take the first letter C and go down in your dictionary file to all the words that start with C. Then look for all words that are Cr within that subset, then Cra, etc. Once you've found Cracker you just take the next letter P and look for all the P words. I'll give an example of how easy it is to do: Way back in my high school English class we had to figure out compound words by breaking them apart into the Greek and Latin roots, then getting the meaning of each part and putting those back together into a definition. I did this in Commodore Basic in 1989/1990.
>
> That's still not a trivial computation. The computer must be prepared to try every combination of known words. If one character or one capitalization is out of place, then the dictionary attack won't work. Anyway, obviously, the most secure passwords are going to be long and random. Any rule that deviates from that can be met with at least some criticism. There is a point at which your password is no longer the weak link (e.g., it may be much easier for a hacker to steal your computer's key strokes). With a few simple modifications to the cartoon "CorrectHorseBatteryStaple", you can obtain a password that makes a dictionary attack substantially more difficult without being much harder to remember. Here are some examples:
>
> CorrecHorsBatterStapl (Drop the last letter of each word)
> C!orrectHorseBatteryStaple (One random character in there)
> cOrrecthOrsebAtterysTaple (Capitalize the second letter of each word)
>
> It's not always possible/convenient to have a "long and random" password. Thus, some sort of mental hash algorithm is often required.

That's why I was just illustrating how simple it is. You don't need to look for combinations of words since you start comparing from the beginning of the text string and once you match a word or words you match the next. In your example it would just take 4 passes. A dictionary of millions of words (and misspellings of words) is actually quite small and easy to get: ftp://ftp.gnu.org/gnu/aspell/dict/0index.html

So even intentional misspellings are very trivial; a non-programmer like myself can throw together code to do it. Adding other characters does make a simple attack harder, but even then the common h@ck3r$p3@k is well known so you simply run a script against your dictionary to find each word with a commonly substituted character and append those. You use a dictionary like I listed above which has common misspellings of words. Then if your intentional addition of a character doesn't match the spell check or hackerspeak dictionary you just run a different attack vector. This can all be done in seconds; remember modern database servers are doing millions of lookups like this all day long when you check your bank account status, for example. Anyway, don't get a false sense of security thinking 4 words (or 6 or 8 or 10) is more secure, it just makes the attack take 4 (or 6 or 8 or 10) seconds rather than 1. The 4 random words are a tiny bit more secure than one but not "much more secure" as stated originally.
Edited by Eugene (04/16/14 12:32 PM)
#269129 - 04/16/14 04:00 PM
Re: Might be time to change your passwords
[Re: Eugene]
Addict
Registered: 01/09/09
Posts: 631
Loc: Calgary, AB
> That's why I was just illustrating how simple it is. You don't need to look for combinations of words since you start comparing from the beginning of the text string and once you match a word or words you match the next. In your example it would just take 4 passes.

This is really something I don't understand; I know in the movies they show passwords being decrypted this way, one character (or as you are describing, word) being decrypted at a time, but I always assumed that like pretty much anything else shown in the movies with computers, this was yet another misrepresentation. Movie makers tend to think computers are magic. My assumption was that a brute force password guessing algorithm would basically only get a boolean result; it worked or it didn't. I don't understand how it could know it was partially correct unless somehow it had access to the encrypted password, but then I would think that you'd be dealing with an entirely different type of algorithm. But again, this is out of my area of expertise. Any references that would help me understand this better?
_________________________
Victory awaits him who has everything in order — luck, people call it. Defeat is certain for him who has neglected to take the necessary precautions in time; this is called bad luck. Roald Amundsen
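The question raised in this post (whether a guesser can learn that a password is partially right) can be answered with a short demonstration. This is an added example, not code from anyone in the thread: it models how a login check is actually built (a salted, iterated hash compared as a whole), shows that a guess with three of four words correct gets a digest with no more in common with the real one than a random guess would, and compares the number of guesses needed if words could be confirmed one at a time against the number needed when they cannot. "CrackerPonyFlipFlop" is borrowed from the thread; the salt, the iteration count and the 7776-word list size are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: kept modest so the demo runs quickly; real deployments use far more
# (or a memory-hard function such as scrypt or Argon2).
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest: the kind of record a server stores."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """The only answer a login check gives: the whole string matches or it does not."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


def shared_prefix_bits(a: bytes, b: bytes) -> int:
    """Number of leading bits two digests have in common.

    For unrelated inputs this is about 1 on average. A "three words out of four"
    guess gets no credit, because a cryptographic hash has no partial matches.
    """
    count = 0
    for x, y in zip(a, b):
        diff = x ^ y
        if diff == 0:
            count += 8
            continue
        count += 8 - diff.bit_length()
        break
    return count


def search_space(wordlist_size: int, word_count: int) -> tuple:
    """(guesses if each word could be confirmed on its own, guesses when it cannot)."""
    return wordlist_size * word_count, wordlist_size ** word_count


def demo() -> dict:
    # Constructed example: a fixed salt so the run is reproducible.
    salt = bytes(range(16))
    _, stored = hash_password("CrackerPonyFlipFlop", salt)
    near_miss = "CrackerPonyFlipFlap"  # first three words right, last one wrong
    _, near_digest = hash_password(near_miss, salt)
    return {
        "correct": verify("CrackerPonyFlipFlop", salt, stored),
        "near_miss": verify(near_miss, salt, stored),
        "near_miss_shared_prefix_bits": shared_prefix_bits(near_digest, stored),
        "search_space_7776_x_4": search_space(7776, 4),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two numbers returned by `search_space` are the heart of it: 7776 × 4 guesses if each word could be checked independently, versus 7776⁴ (about 3.7 × 10¹⁵) when the hash only answers yes or no for the whole string. The word-at-a-time picture does apply to a different problem, a weak scheme that leaks per-chunk information (for example storing each half of a password separately or comparing strings with an early-exit loop on a timing-observable channel), which is exactly why `verify` compares the full digest with `hmac.compare_digest`.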