Originally Posted By: ireckon
Originally Posted By: Eugene
Originally Posted By: UncleGoo
The four random words were much more secure: e.g. Looking at my Avatar, one might pick "CrackerPonyFlipFlop". This kind of password is easier to remember AND more secure...and I guess I won't be using "CrackerPonyFlipFlop" anytime soon...


This isn't secure at all. A dictionary attack will find all 4 words just as easy as it will find one.

Basically you take the first letter C and go down in your dictionary file to all the words that start with C. Then look for all worlds that are Cr within that subset, then Cra, etc.
Once you've found Cracker you just take the next letter P and look for all the P words.

I'll give an example of how easy it is to do: Way back in my high school English class we have to figure out compound words by breaking them apart into the Greek and Latin roots, then getting the meaning of each part and putting those back together into a definition.
I did this in Commodore Basic in 1989/1990.


That's still not a trivial computation. The computer must be prepared to try every combination of known words. If one character or one capitalization is out of place, then the dictionary attack won't work.

Anyway, obviously, the most secure passwords are going to be long and random. Any rule that deviates from that can be met with at least some criticism. There is a point at which your password is no longer the weak link (e.g., it may be much easier for a hacker to steal your computer's key strokes).

With a few simple modifications to the cartoon "CorrectHorseBatteryStaple", you can obtain a password that makes a dictionary attack substantially more difficult without being much harder to remember.

Here are some examples:
CorrecHorsBatterStapl (Drop the last letter of each word)
C!orrectHorseBatteryStaple (One random character in the there)
cOrrecthOrsebAtterysTaple (capitalize second letter of each word)

It's not always possible/convenient to have a "long and random" password. Thus, some sort of mental hash algorithm is often required.


Thats why I was just illustrating how simple it is. You don't need to look for combinations of words since you start comparing from the beginning of the text string and once you match a word or words you match the next. In your example it would just take 4 passes.

A dictionary of millions words (and misspellings of words) is actually quite small and easy to get ftp://ftp.gnu.org/gnu/aspell/dict/0index.html

So even intentional misspellings are very trivial, a non programmer like myself can throw together code to do it.

Adding other characters does make a simple attack harder, but even then the common h@ck3r$p3@k is well known so you simply run a script against your dictionary to find each word with a commonly substituted character and append those. You use a dictionary like I listed above which has common mis-spellings of words. Then if your intentional addition of a character doesn't match the spell check or hackerspeak dictionary you just run a different attack vector.
This can all be done in seconds, remember modern database servers are doing millions of lookups like this all day long when you check your back account status for example.

Anyway, don't get a false sense of security thinking 4 words (or 6 or 8 or 10) is more secure, it just makes the attack take 4 (or 6 or 8 or 10) seconds rather than 1. The 4 random words is a tiny bit more secure than one but not "much more secure" as stated originally.


Edited by Eugene (04/16/14 12:32 PM)
_________________________
https://connect.garmin.com/modern/profile/eugenenine
https://pixelfed.social/i/web/profile/587437729469961861
https://www.alltrails.com/members/eugenenine/recordings