andyross
Premium,MVM
join:2003-05-04
Schaumburg, IL

1 recommendation

Turbo-charged cracking comes to long passwords

quote:
Cracking really long passwords just got a whole lot faster and easier.
»arstechnica.com/security/2013/08···sswords/


Ian
Premium
join:2002-06-18
ON
kudos:2
Reviews:
·Rogers Hi-Speed

2 recommendations

said by andyross:

quote:
Cracking really long passwords just got a whole lot faster and easier.
»arstechnica.com/security/2013/08···sswords/

What that really said is, "Cracking really long passwords with low entropy...." got easier. The same advice comes out of this that comes out of any discussion of brute-force and passwords. If your password was constructed based on some sort of easier to remember scheme, then a cracker could think of the scheme as well.

If your password is something like 6WefEwGqKD&j (just 12 chars) it will still take centuries at 100 trillion guesses per second.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

reply to andyross

I love this quote from the article.

said by Steube:
Steube wrote: "Password policies aren't always very clever; most of the time, they force users to select passwords with predictable patterns."
This has been my favorite issue with the Information Security groups I've worked with. They specify the length and complexity and 95% of the users just meet the minimum requirements. For example, if you need to have three of the following four: lower case, upper case, number, or symbol, and at least 9 characters, users will start with a capital letter, lower case for the next six characters, a number, then a symbol. Most users will use all four, because they either don't understand that they only need three out of the four, or just to be "safe". The number will normally increment as passwords are required to be changed and the symbol will either stay the same, or be the same as the number when shifted. So, resulting passwords will look like: Password1!, Password2@ and so on, thereby defeating the reason passwords are required to be changed. If you know one of the passwords you can easily increment the password until you have the current version.

If you can think of and remember a password, it isn't secure enough.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein
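Ian's 12-character figure and Kilroy's Password1! shape can be put side by side in numbers. The following is an added example written for this page, not code from the thread or the Ars Technica article: it counts the keyspace of the predictable policy-satisfying shape Kilroy describes (a capital, a run of at least six lower-case letters, one digit, one symbol), compares it with a uniformly random 12-character password at the 100 trillion guesses per second Ian quotes, flags that shape with a small audit regex, and generates a random password from a CSPRNG. The ten-symbol set and the 94-character alphabet are my assumptions, not figures from the thread.

```python
import math
import re
import secrets
import string

# Rate Ian quotes in the thread: 100 trillion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Printable ASCII minus the space: 52 letters, 10 digits, 32 symbols (assumption).
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Symbols a typical user reaches for on a US keyboard (assumption, not from the thread).
POLICY_SYMBOLS = "!@#$%^&*()"

# The shape Kilroy describes: capital, run of lower case, one digit, one symbol.
PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]{6,}[0-9][!@#$%^&*()]$")


def predictable_shape_keyspace(lower_run: int = 6, symbols: str = POLICY_SYMBOLS) -> int:
    """Number of passwords of the form Capital + lower_run lowercase + digit + symbol."""
    return 26 * (26 ** lower_run) * 10 * len(symbols)


def random_keyspace(length: int, alphabet: str = RANDOM_ALPHABET) -> int:
    """Number of passwords of the given length drawn uniformly from the alphabet."""
    return len(alphabet) ** length


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed as bits; a uniform choice from the space has this entropy."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; an attacker expects success at about half."""
    return keyspace / rate / SECONDS_PER_YEAR


def matches_predictable_shape(password: str) -> bool:
    """Audit helper: flag a candidate that satisfies the policy in the predictable way."""
    return PREDICTABLE_SHAPE.fullmatch(password) is not None


def generate_random_password(length: int = 12, alphabet: str = RANDOM_ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    shaped = predictable_shape_keyspace()
    rnd = random_keyspace(12)
    print(f"policy-shaped 9-char keyspace: 2^{entropy_bits(shaped):.1f}, "
          f"exhausted in {years_to_exhaust(shaped) * SECONDS_PER_YEAR:.3f} s")
    print(f"random 12-char keyspace:       2^{entropy_bits(rnd):.1f}, "
          f"exhausted in {years_to_exhaust(rnd):.0f} years")
    for pw in ("Password1!", "Password2@", generate_random_password()):
        print(f"{pw:16s} predictable={matches_predictable_shape(pw)}")
```

The policy-shaped space comes to roughly 2^39.5 candidates, which the quoted rate exhausts in well under a second, while the random 12-character space is about 2^78.7 and takes on the order of a century and a half at the same rate; the regex is the kind of check a password-change handler can run to refuse the shape instead of merely counting character classes.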

Kearnstd
Elf Wizard
Premium
join:2002-01-22
Mullica Hill, NJ

said by Kilroy:

I love this quote from the article.

said by Steube:
Steube wrote: "Password policies aren't always very clever; most of the time, they force users to select passwords with predictable patterns."
This has been my favorite issue with the Information Security groups I've worked with. They specify the length and complexity and 95% of the users just meet the minimum requirements. For example, if you need to have three of the following four: lower case, upper case, number, or symbol, and at least 9 characters, users will start with a capital letter, lower case for the next six characters, a number, then a symbol. Most users will use all four, because they either don't understand that they only need three out of the four, or just to be "safe". The number will normally increment as passwords are required to be changed and the symbol will either stay the same, or be the same as the number when shifted. So, resulting passwords will look like: Password1!, Password2@ and so on, thereby defeating the reason passwords are required to be changed. If you know one of the passwords you can easily increment the password until you have the current version.

If you can think of and remember a password, it isn't secure enough.

However the 30d policy that many IT departments love on passwords tends to cause this issue of incrementing.

I think the issue as a whole is the password itself. For a general user login on a network there is just no way to be secure. Secure passwords that are properly secure usually end up written on Post-it notes and get stuck to the bottom of keyboards.

I think in the enterprise world we will see a push towards RSA keys even for the local login or employee IDs will have RFID and have to be tapped against a plate similar to the RFID plate that lets them into the building itself.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports


Ian
Premium
join:2002-06-18
ON
kudos:2
Reviews:
·Rogers Hi-Speed

said by Kearnstd:

However the 30d policy that many IT departments love on passwords tends to cause this issue of incrementing.

Policies like 30 days make little sense to me. Unless your hash file is getting compromised on a regular basis.

The worst policy I ever saw though was with a medium sized company. You were issued a print-out with the generated random 8 character password. Most people, of course, filed this paper away for "safe-keeping". The IT director kept them all in an Access database, and "just in case" in hard-copy form locked in a file cabinet.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong

lorennerol
Premium
join:2003-10-29
Seattle, WA
reply to Kilroy

said by Kilroy:

If you can think of and remember a password, it isn't secure enough.

That's the rub, because if people can't remember it, they will write it down and leave it near their computer.


Ian
Premium
join:2002-06-18
ON
kudos:2
Reviews:
·Rogers Hi-Speed

said by lorennerol:

said by Kilroy:

If you can think of and remember a password, it isn't secure enough.

That's the rub, because if people can't remember it, they will write it down and leave it near their computer.

A problem there though, is that's merely laziness, not "can't".

How hard is it to remember 4 random characters? Pretty easy. How hard to remember a second block of 4? Then a third? Only incrementally harder. What would be difficult would be to remember large numbers of complex passwords. That's where I think password managers protected with the above, make sense.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


ashrc4
Premium
join:2009-02-06
australia
reply to andyross

The key to surviving these days is to craft passwords outside of the obvious metrics used to create nock-lists for hackers.



The graph highlights how quickly a well crafted set of password hashes can destroy traditional password creators.
You're right that multiple sets of rule-based password rules added together are going to confound the crackers. 3 combined patterns, with one caps, two lower case, can effectively be as long as you like and still rememberable!


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

said by ashrc4:

3 combined patterns, with one caps, two lower case, can effectively be as long as you like and still rememberable!

And that is the problem. Read some of Dan's earlier posts and you'll see that the more the hacker knows about the site the passwords come from the easier it is to crack the passwords. The hacker will use the passwords they do crack to fine tune their attack. Gone are the days of the true brute force attack. Attacks now use past successes to hone their new attacks.

As soon as you use the word "pattern" you have an issue with password security. Any password that isn't 100% random is insecure. Humans are incapable of true randomness.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


ashrc4
Premium
join:2009-02-06
australia

said by Kilroy:

As soon as you use the word "pattern" you have an issue with password security. Any password that isn't 100% random is insecure. Humans are incapable of true randomness.

You can incorporate randomness into patterns whose pool is greater than the truly random set.
And the key length metric is infinitely harder to guesstimate.

Set one jnbhu89i is one such random (abable salt) pattern.
That example you can easily update to a new one.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to ashrc4

I fail to see how that graph indicates anything of the sort. It shows that half of the passwords are cracked in less than an hour using only one CPU. Other graphs that show longer passwords will take X number of years to guess do not take into account targeted attacks that aren't a straight brute force.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Ian

Entropy isn't what it used to be. Cracking ThereisN0fat3butwahtweMake! doesn't take much longer than thereisnofatebutwhatwemake when the attack is targeted and controlled. If your password is not truly random it can be broken by something other than a true brute force attack.

Here are some of Dan's earlier columns:

Why passwords have never been weaker—and crackers have never been stronger

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein



ashrc4
Premium
join:2009-02-06
australia
reply to andyross

They're using highly optimized tables.

What's HF-EV?



Ian
Premium
join:2002-06-18
ON
kudos:2
Reviews:
·Rogers Hi-Speed
reply to Kilroy

said by Kilroy:

If your password is not truly random it can be broken by something other than a true brute force attack.

You're saying the same thing I am. Just differently.


ashrc4
Premium
join:2009-02-06
australia

3 edits
reply to andyross

Really only wanted to point out that long passwords can be input without memorizing yet easily remembered. Combining 3 different patterns.

HF-EV = hu87ygvb fghjklpoiuytre vfr43edc

said by Kilroy:

Any password that isn't 100% random is insecure. Humans are incapable of true randomness.

My example could not be RNG'ed.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

said by ashrc4:

My example could not be RNG'ed.

It could if a sufficient amount of people were to start using the same patterns. That is the problem with telling people how to create passwords.

Plus, using your method, how many different passwords would you be able to remember? According to this 2012 article, "National Survey Reveals 58 Percent of Adults Need to Remember Five or More Unique Online Passwords". I think that number is way too low. The number of passwords I use online is over 200. The average person must have at least a dozen: Facebook, LinkedIn, e-mail, bank, credit card, utilities, stores, etc.

While your password may work for one site, I sincerely doubt that you can create unique passwords for all of the sites you access. If you use the same password everywhere, it only takes one site that stored their passwords in plain text to compromise your online life.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


CylonRed
Premium,MVM
join:2000-07-06
Bloom County
reply to Ian

said by Ian:

said by lorennerol:

said by Kilroy:

If you can think of and remember a password, it isn't secure enough.

That's the rub, because if people can't remember it, they will write it down and leave it near their computer.

A problem there though, is that's merely laziness, not "can't".

How hard is it to remember 4 random characters? Pretty easy. How hard to remember a second block of 4? Then a third? Only incrementally harder. What would be difficult would be to remember large numbers of complex passwords. That's where I think password managers protected with the above, make sense.

All depends on the person - I have a difficult time remembering 7 different passwords for 7 different sites, much less ever more complex passwords. As my father says - if you use the passwords and everyone tells you to use a mnemonic - now you have to remember each mnemonic for each password.

My dad is not a stupid man and he works harder than most 73 year olds (was doing 14 hour days working last year) - it does depend on the person. Just because you don't have an issue does not mean everyone thinks or remembers like you.
--
Brian

"It drops into your stomach like a Abrams's tank.... driven by Rosanne Barr..." A. Bourdain


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to Kilroy

That's why I use a tiered system of passwords.

Some random forum on the internet? Not gonna put much effort into the password, probably use one of a few passwords I use commonly.

Email accounts? Stronger password. Unique? Maybe, but not shared with any low security account. I increase security on email accounts by using a dedicated email account for some services. eg, a unique email account with unique password for bank emails.

Bank, online retail, anything with sensitive info gets a unique, strong password, either randomly generated or using a simple formula.
--
Oh, Opera, what have you done?



ashrc4
Premium
join:2009-02-06
australia

1 edit
reply to ashrc4

said by ashrc4:

My example could not be RNG'ed.

Crackers, in order to form an optimized list, need to be able to generate all the possibilities in the group. Fancy entering all the combinations manually.

I do remember all my passwords.....usually

True RNGs would need to generate millions upon millions of generations before the rest of the pseudo-random set may even yield a decent example.


Lagz
Premium
join:2000-09-03
The Rock
Reviews:
·AT&T DSL Service
reply to andyross

For me, I have to wonder if people or organizations are properly salting their hashes. Are admins just using the default salt phrases or identical phrases? Are developers using methods like key stretching to slow attacks?
--
When somebody tells you nothing is impossible, ask him to dribble a football.
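Lagz's three questions (are hashes salted, is the salt per user or a fixed site-wide phrase, is the work stretched) can be answered in a few lines of verification code. The following is an added example written for this page, not code from the thread: it stores each password as a self-describing record with a fresh 16-byte salt from the OS CSPRNG and PBKDF2-HMAC-SHA256 at a configurable iteration count, verifies in constant time, and shows why a fixed "default salt phrase" leaks password reuse across accounts while per-user salts do not. The record format is this example's own invention, not a library's, and the 600,000 default follows OWASP's 2023 PBKDF2-HMAC-SHA256 guidance.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    # base64 never contains '$', so the field separator below stays unambiguous.
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a record of the form $pbkdf2-sha256$<iterations>$<salt>$<key>.

    A fresh random salt is drawn on every call unless one is supplied; supplying
    one exists only so the fixed-salt demonstration below can show the weakness.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the parameters carried in the record; compare in constant time."""
    _, scheme, iterations, salt_b64, key_b64 = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(expected, candidate)


def key_material(record: str) -> str:
    """The derived-key field only, for comparing two records."""
    return record.rsplit("$", 1)[1]


def fixed_salt_leaks_reuse(password: str, iterations: int = 1000) -> bool:
    """Two accounts sharing a password under one site-wide salt get identical key
    fields: a thief of the table sees the reuse, and one guess sequence cracks both."""
    fixed = b"site-wide-salt!!"  # the 'default salt phrase' Lagz worries about
    first = key_material(hash_password(password, iterations, fixed))
    second = key_material(hash_password(password, iterations, fixed))
    return first == second


def per_user_salt_hides_reuse(password: str, iterations: int = 1000) -> bool:
    """With a fresh salt per record the same password yields unrelated key fields."""
    first = key_material(hash_password(password, iterations))
    second = key_material(hash_password(password, iterations))
    return first != second


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", iterations=100_000)
    print(rec)
    print("verify good:", verify_password("correct horse battery staple", rec))
    print("verify bad: ", verify_password("Password1!", rec))
    print("fixed salt leaks reuse:   ", fixed_salt_leaks_reuse("Password1!"))
    print("per-user salt hides reuse:", per_user_salt_hides_reuse("Password1!"))
```

Carrying the iteration count inside the record is what lets an operator raise the work factor later and rehash each account on its next successful login, rather than forcing a reset; the constant-time compare matters because the derived keys are compared byte by byte on every login attempt.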



NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

1 recommendation

reply to lorennerol

said by lorennerol:

said by Kilroy:

If you can think of and remember a password, it isn't secure enough.

That's the rub, because if people can't remember it, they will write it down and leave it near their computer.

That's a physical access issue though and does not help the database thief / hacker to crack the hash.
--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

The end result is the same, the account is compromised. Does it really matter who does it or how? Social engineering is still the best/easiest way to get into an account.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein



NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

1 edit

1 recommendation

Yes. It does matter who and how.

I can control physical access. I cannot control remote database theft from a third party.



NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

2 edits
reply to andyross

For those who are misguided to think that any password that is not 100% random, or can be humanly remembered, etc. is not secure. Try cracking this hash of a fairly easy to remember password.

$6$rounds=50000$/dYF9qibHJogRupC$165pnZgmduFCzD95AFmABzMRhqRFhDUHzHpFVOQtkJSDhrjkrz3sSRBGBJCz70IJw2cCDSQKKMsRug7Pll XVY1
 
There should not be a space between Pll and XVY1
Don't know why this code block is putting that space in there.
Have double checked and other than that the hash is displayed correctly.
 


--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation
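NOYB's string is in glibc's modular-crypt format, and its public fields say a lot about why nobody in the thread attempted it. The following is an added example written for this page, not code from the thread: it parses a `$5$`/`$6$` record into algorithm, round count, salt and digest, applies glibc's default of 5000 rounds when the `rounds=` field is absent and its clamping range when present, and reports how much costlier each guess is than against a default-rounds hash. The hash constant is the one NOYB posted, with the stray space before "XVY1" removed as his note instructs; only the password itself is secret, the salt and the round count are visible to anyone holding the record.

```python
import re
from typing import Dict

# The hash NOYB posted, with the rendering-artifact space before "XVY1" removed.
NOYB_HASH = ("$6$rounds=50000$/dYF9qibHJogRupC$"
             "165pnZgmduFCzD95AFmABzMRhqRFhDUHzHpFVOQtkJSDhrjkrz3sSRBGBJCz70IJ"
             "w2cCDSQKKMsRug7PllXVY1")

# glibc sha256crypt ($5$) / sha512crypt ($6$): default 5000 rounds, clamped to this range.
DEFAULT_ROUNDS = 5000
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999
# id -> (name, length of the encoded digest)
ALGORITHMS = {"5": ("sha256crypt", 43), "6": ("sha512crypt", 86)}
_CRYPT_CHARS = re.compile(r"^[./0-9A-Za-z]+$")


def parse_crypt_hash(record: str) -> Dict[str, object]:
    """Split $<id>$[rounds=N$]<salt>$<digest> into its fields, validating each."""
    parts = record.split("$")
    if len(parts) not in (4, 5) or parts[0] != "" or parts[1] not in ALGORITHMS:
        raise ValueError("not a $5$/$6$ modular-crypt record")
    name, digest_len = ALGORITHMS[parts[1]]
    rounds = DEFAULT_ROUNDS
    if len(parts) == 5:
        m = re.fullmatch(r"rounds=(\d+)", parts[2])
        if not m:
            raise ValueError("malformed rounds field")
        # glibc silently clamps out-of-range values rather than rejecting them.
        rounds = min(max(int(m.group(1)), MIN_ROUNDS), MAX_ROUNDS)
    salt, digest = parts[-2], parts[-1]
    if not (1 <= len(salt) <= 16) or not _CRYPT_CHARS.match(salt):
        raise ValueError("salt must be 1-16 characters of [./0-9A-Za-z]")
    if len(digest) != digest_len or not _CRYPT_CHARS.match(digest):
        raise ValueError(f"{name} digest must be {digest_len} characters")
    return {"algorithm": name, "rounds": rounds, "salt": salt, "digest": digest}


def relative_cost(record: str) -> float:
    """How many times slower each guess is than against a default-rounds record."""
    return parse_crypt_hash(record)["rounds"] / DEFAULT_ROUNDS


if __name__ == "__main__":
    info = parse_crypt_hash(NOYB_HASH)
    for k, v in info.items():
        print(f"{k:10s} {v}")
    print(f"each guess costs {relative_cost(NOYB_HASH):.0f}x a default-rounds guess")
```

Fifty thousand rounds means every candidate password costs on the order of fifty thousand SHA-512 computations, ten times the glibc default, and the 16-character salt rules out any precomputed table; an operator auditing a shadow file can run the parser over every record to find accounts still sitting at the default or below.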


Lagz
Premium
join:2000-09-03
The Rock
Reviews:
·AT&T DSL Service
reply to NOYB

said by NOYB:

Yes. It does matter who and how.

I can control physical access. I cannot control remote database theft from a third party.

That's what it boils down to.
--
When somebody tells you nothing is impossible, ask him to dribble a football.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to NOYB

said by NOYB:


For those who are misguided to think that any password that is not 100% random, or can be humanly remembered, etc. is not secure. Try cracking this hash of a fairly easy to remember password.

$6$rounds=50000$/dYF9qibHJogRupC$165pnZgmduFCzD95AFmABzMRhqRFhDUHzHpFVOQtkJSDhrjkrz3sSRBGBJCz70IJw2cCDSQKKMsRug7Pll XVY1
 
There should not be a space between Pll and XVY1
Don't know why this code block is putting that space in there.
Have double checked and other than that the hash is displayed correctly.
 


Been more than a week and no one has cracked it.

How much time do you chicken little sky is falling naysayers need?

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable

This is all very interesting.

I found this link regarding random numbers:

»www.random.org/

I remember long ago that all you could generate in most systems was pseudo-random because it required a seed to start the process. Anyway, I don't know enough to say whether the method used by that org above is true random as they say it is.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

1 edit
reply to NOYB

Been a month now and still no one has cracked it.

Guess all this Chicken Little sky is falling propaganda about practical memorable passwords not being secure is just a bunch of overblown fear-mongering hype to drive the masses, like livestock, to the next "big" authentication thing for corporations to profit from. Possibly even to a standard or system to which certain government entities have master keys or have weakened so they can crack.

That's right, your government views and treats you like cattle and sheep to be exploited for their control and power.

Don't get fooled again!

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation



Ian
Premium
join:2002-06-18
ON
kudos:2
Reviews:
·Rogers Hi-Speed
reply to andyross

said by NOYB:

Been a month now and still no one has cracked it.

Was there anyone who had said they'd try?


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

said by Ian:

Was there anyone who had said they'd try?


No one would do that and risk losing credibility until being certain of success.

It's out there and if those who are fear mongering are unable to back up their claims people should stop listening to them and giving them credence.

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/
Say Thanks with a Tool Points Donation