Discussion in 'other security issues & news' started by Hungry Man, Feb 1, 2012.
I always die a little on the inside everytime a database is breached and the common passwords are qwert1234, 098765, password, administrator, <nameofwebsite> etc. I wonder how many additional passwords they would have cracked if they applied basic human behavior methods into a rule set, such as adding a 1 or 2 before or after each word
If I was in charge of a website that required members to set up passwords passphrases I would have my own database or tie into an existing one that keep track of all known breached password lists. I would alert the member that the passphrase is a match to a known public password list and not allow the user to enter said passphrase. I wonder how many angry emails I would get. Heh but in an era where gpu clustering is common place, rainbow tables exist in the cloud, and you can rent enterprise clusters for $2 an hour and try over 4 billion combinations a second (As of 2011)…I feel its justified. Honestly what good is ERT_dfdlk$111!!dkfjmypassworD09484 if it exists in word lists and the hash in rainbow tables?
 Sorry for anyone using ERT_dfdlk$111!!dkfjmypassworD09484 as a password
My friends say being involved with a cybersec profession has made me cynical, not sure what gives them that idea.
Do rainbow tables even exist for passwords over 10 characters? Maybe 12 max? Even with the cloud I doubt they're too feasible...
I don't think dictionary attacks even try to get passwords like dogcatmouse they just go for passwords like "dog1" etc. You'd probably be damn secure with a password like thecatjumpedoverthemouseandatethedog. Nice and easy to remember - no rainbow tables exist for that many characters, and dictionary attacks would never work on a password with such a huge character set (assuming words = char) etc.
I think the issue lies with users just having ridiculously easy to crack passwords lol
Oh yes it comes down to users and as you illustrated a passphrase is more secure than a word, which is why I tend to shy away from telling people to use words only. Also yes you be surprised what is out there rainbow table wise in inner circles.
Technologically there are just simply limits. I think it's been expressed here before that to calculate sufficiently large rainbow tables to crack, say, a 16 char password would take more energy than the Earth can even provide.
I mean, howsecureismypassword gives a worst case scenario ie: it's showing calculations for md/sha. When you're creating passwords on a site that's takin things seriously or bitlocker you'll use far more secure methods of encryption, which subsequently take longer to calculate. And, of course, when dealling with a website there's inherent lag.
Oh I agree, I was going off simple hashing techniques. Also if a database admin does the hashing right and throws in some good salt, it defeats rainbow tables with ease.
Okay, we finally agree on something!!! You're absolutely right. These are all mathematical questions, engineering and the power of processing. I never suggest words - even in a passphrase. Random passwords are best followed by a mix of letters, numbers, case selection, characters, etc. The dictionary attacks can be sophisticated against passphrases that still use even modified words (example being gr8 for great).
I do agree that the best way to keep a password secure is to increase the character set and length. General safe practices always include this: lower, upper, symbol, numbers. But I think you could be absolutely just as secure using dictionary words, even all lower case.
ex: a! > aa > a in terms of strength.
But using words is harmless. Most dictionary attacks go after passwords like "dog1."
that's a fine password. Dictionary attacks simply do not target passwords that long.
That said you can make that a massively more secure password simply by doing:
Because you more than double (4-5x off the top of my head) the character set.
But dictionary words aren't really harmful. For some people it's easier to remember a long quote and it's just as secure as, say, aN415!#@ weUh.
A lot of dictionary attacks do look for messed up words though like h1dd3n. But if your character set is even a few hundred words (most will probably be thousands) it's just not feasible to crack a password made up of even 4 or 5 dictionary words. And the attacks don't really bother trying.
Hopefully we agree on this as well? Always nice to have consistent ideologies.
He didn't test ATI cards.
And that's talking about MD5, which isn't what we use for passwords much of the time but instead for verification. Your average computer can probably crank out 1000 MD5s before it can do a single password-based encryption calculation. I hate myself for forgetting what's used typically for passwords such as BitLocker/ TrueCrypt.
It simply is not feasible for any password, dictionary words or not, that's over 10-12 characters.
If I used the plain lowercase text quote that I gave in the previous post it would be absolutely impossible to crack with today's technology even in a worst case scenario where it was only being used in MD5.
If one is to believe Steve Gibson, password length is what matters most.
the fear one you used against the massive cracking array scenario, which I don't think is even close to possible nowadays...
3.58 hundred thousand trillion centuries
I disagree taht password length is always most important.
A simple demonstration would be this:
aaaaaaaaa - 9 characters, 26 character set size
Aaaaaaaaa - 9 characters, 52 character set size
you would need to guess 2x as many times to get the second one and I didn't add a single character, I just doubled the character set size. Max the character set and then worry about length imo. Thankfully you can max it out in 5 characters (aB#4 )
Yep. And that's with MD5s, which are fast to calculate. (EDIT: I'm assuming you're using something like howsecureismypassword.com.)
Of course he recommends padding with different characters like <>*, for example.
btw, if you used even 18 a's instead of only nine, you're looking at 97.49 centuries against the massive cracking array. Not that I'd ever use or recommend a password like this, however
A long password with a small character set is just as good as a short password with a large character set in terms of brute force time. It's just so easy to increase both and if you have a 10 character password simply capitalizing/ adding a symbol etc will double, triple, or quadruple the time to crack.
But as we've seen in this topic once you get to 10 characters you don't have to worry anyways.
I'm just crazy so I always use 20+. It's actually just easier for me to remember.
EDIT: And for Windows users a nice way to make your password basically impossible to bruteforce is to add a special symbol û¯èú#¬í-ÐÝ etc. It'll add something like 255 characters to the char set + I don't think Linux/OSX have all of those characters + no one expects people to use those.
Best for locally encrypted files that you need to keep safe.
It's all about Maths.
Think of a five character password: _ _ _ _ _
The difficulty will be bigger if you start adding capital letters, numbers and special characters. There will be 5 * 9 numbers + all alphabet letters + all special characters. And, any one of them can be in whatever position.
It's not just about length; it's also about strength.
I'm thinking 12 characters is the "magic" number where it becomes almost exponentially impossible to crack, at least with a large character set, but I'm only hazarding a guess, based only on some playing around in that haystack tool.
Do those special symbols work with Bitlocker? I thought they didn't.
Yes, agreed, even from the beginning , but I think Gibson's point is that it might be better in more ways than one to create a long, easy to remember pw than one that's short, complicated but difficult to remember.
Exactly. In the end it's all about increasing the number of characters that have to be guessed. You can do this by adding a new character or by increasing the total number of characters. It only takes 5 characters to essentially max out your character set so you may as well use them all. It's simple.
I think one classic method for creating strong passwords is ex:
ie: website name, 2 numbers of relevance, those numbers + shift key.
I prefer song titles + a friend or exgfs birthday + bday/shift key.
Harder to guess.
Unfortunately no... such a shame too. Adding 1 of those special characters would make an all lower case password essentially take 10x as long to crack (255 ascii symbols i believe), just with a single character.
But you can use _ and spaces and numbers/letters/ symbols. It's very easy to have a strong bitlocker password. And bitlocker keys are definitely not MD5s, they take considerably longer to generate.
EDIT: Actually you can use them with bitlocker but you'll be unable to enter them at bootup. If you go into another OS and then enter them it'll work though.
Okay, that's what I thought, because I seemed to remember you posting about it some time ago.
For a USB or something like taht it'll work though. Just not a boot drive (any time you're loaded into Windows you have access to special characters, but when it's the boot partition you have to enter the apssword before you have access to them.)
I use a 14 character one for Bitlocker without special symbols. Good enough for me
More on short complex passwords vs easy-to-remember long passwords.
Using Offline Fast Attack scenario:
10 characters: [hT5* /].> = 19.24 years
12 characters: Konamtb-1994 = 1.74 thousand centuries
Sure, realistically the shorter, complex one is going to stand up to an attack likely long after I'm dead, but the longer one would be far easier for me to remember, and look at the difference in time before it's successfully cracked.
And no I haven't used it nor ever will
I saw on 48 Hours a case where the guy had encrypted a container with "FiFiFoFum" (I'm pretty sure that's what it was) and the forensics guy said it took a single dictionary database attack - that included nursery rhymes and such - and he was in the computer in six hours. Who knows, though.
I use passwords, from extremely complex to fairly simple, based on the security needs of the website, application, etc.
Think this way. If the password was fififofum it would probably only take 3 hours. But, the point is, it will take more time to figure out this password, than it would take to figure out fffffffff. Because, you could easily have that in a dictionary. I'd imagine that's the kind of password someone puts in a dictionary right?
Sure, but fffffffffff. will take exponentially longer to crack than those two examples, because it's longer than those, is padded by a special character, yet every bit as simple to remember. The point actually is that longer passwords are better than short ones, even if the short ones are complex.
I disagree with that.
It's just math. Simple math in terms of figuring out the number of combinations, more complex math when estimating entropy.
To gain 32bits of estimated entropy it takes:
to gain 128 bits of entropy it takes:
20 all characters
For 1024 bits:
309 numbers vs 157 all characters
Basically by using all characters you double the estimated entropy of your password.
Separate names with a comma.