
SoLostNow

join:2013-02-07
Haltom City, TX
reply to Blackbird

Re: P@$$1234: the end of strong password-only security

@NotTheMama: A 32 character random string that contains mixed case/numeric/special characters would provide over 192 bits of entropy. It is computationally infeasible to crack strings containing over 128 bits of entropy by any technology currently available in the public domain. It's a matter of simple math and physics.

Although your 32 character phrase might be easier to type and remember there is absolutely no way to be certain that it does not appear in some cracker's wordlists, or that he/she can't apply custom rules to those wordlists to crack your passphrase. I'm certainly not saying that it is likely that your passphrase will be compromised, but I am saying that the 20+ random characters described above provides more security against advanced attacks.

Search for Theirus' blog post titled: "Cracking Story - How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords." It contains a link to over 80 gigabytes of wordlists from just one source, and the rules he used to crack the password hashes in my earlier post.

NoHereNoMo

join:2012-12-06
I always use upper and lower case, numeric, and special characters in my passwords, even the "short" ones (and the pitifully short ones, like 8 to 12 characters, too); been doing it for many years (since I was a [computer] security officer back in the '80s). Even my short 32 character ones exceed 160 bits of entropy. If the system allows longer passwords, then I'll typically use 46 to 48 character phrases--which exceed 240 bits of entropy. So, I feel safe enough. I'm quite certain none of my strong passwords are in anyone's wordlists. I'm fairly certain none of my "weak" ones are. (I already know about your "Cracking Story...", thanks.)
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."

SoLostNow

join:2013-02-07
Haltom City, TX
@NotTheMama: How are you estimating the entropy of your passphrases? Most cryptologists would now agree that a reasonably accurate Shannon entropy model of human generated passwords/passphrases is just not possible. The entropy estimate for human generated passwords in NIST Special Publication 800-63-1 has proven to be unreliable many times over against the results of real world attacks. Shannon entropy of random strings and the guessing entropy of a human generated password are two very different concepts, and there is no way to accurately measure guessing entropy.
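
Added example (not from any poster in this thread): the arithmetic behind the entropy figures quoted above, plus a constructed toy distribution showing why that arithmetic does not carry over to human-chosen passwords. The first two functions give the exact entropy of a machine-generated random string and of a Diceware phrase (where every word is known to be in a public list). The remaining functions model what an attacker who knows the password-choice distribution achieves within a fixed guess budget per account, which is the number that matters once online lockouts limit guessing: Shannon entropy of the distribution can look respectable while half the accounts fall within ten guesses. The 94-symbol alphabet, the 7776-entry Diceware list and the "10 favourites hold 50%" distribution are assumptions, not figures from the thread.

```python
import math
import secrets
import string

# 94 printable ASCII symbols excluding space: the "mixed case/numeric/special"
# alphabet the posters refer to (assumption: space is not allowed).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
DICEWARE_LIST_SIZE = 7776  # 6**5 entries in a standard Diceware list


def random_string_entropy_bits(length, alphabet_size=len(PRINTABLE)):
    """Entropy of a string whose every position is drawn uniformly and
    independently from `alphabet_size` symbols: length * log2(alphabet_size).
    Exact only for machine-generated random strings, never for human picks."""
    return length * math.log2(alphabet_size)


def diceware_entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Diceware phrase: each word is one of `list_size` equally likely entries,
    so the words being in a public list costs nothing; only the count matters."""
    return word_count * math.log2(list_size)


def generate_random_string(length, alphabet=PRINTABLE):
    """Draw a string that actually has the entropy random_string_entropy_bits()
    promises, using the OS CSPRNG rather than the `random` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def shannon_entropy_bits(probs):
    """H = -sum p * log2(p) over a password-choice distribution."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def fraction_cracked_within(probs, guesses):
    """Share of accounts an attacker who knows the distribution and guesses
    most-likely-first cracks within `guesses` attempts per account."""
    return sum(sorted(probs, reverse=True)[:guesses])


def uniform_distribution(size):
    """Every one of `size` choices equally likely (what a random generator gives)."""
    return [1.0 / size] * size


def skewed_distribution(top_share, top_count, tail_count):
    """Constructed model of human-chosen passwords: `top_count` popular choices
    share `top_share` of the probability mass, the rest is uniform over the tail."""
    head = [top_share / top_count] * top_count
    tail = [(1.0 - top_share) / tail_count] * tail_count
    return head + tail


if __name__ == "__main__":
    print(f"32 random printable chars: {random_string_entropy_bits(32):.1f} bits")
    print(f"7-word Diceware phrase:    {diceware_entropy_bits(7):.1f} bits")
    print("sample random string:", generate_random_string(32))
    uniform = uniform_distribution(1010)
    skewed = skewed_distribution(0.5, 10, 1000)
    for name, dist in (("uniform over 1010", uniform), ("10 favourites hold 50%", skewed)):
        print(f"{name}: H={shannon_entropy_bits(dist):.2f} bits, "
              f"cracked within 10 guesses={fraction_cracked_within(dist, 10):.1%}")
```

Run as a script it prints about 209.8 bits for 32 random printable characters and about 90.5 bits for seven Diceware words; the uniform toy distribution loses under 1% of accounts to ten guesses while the skewed one, whose Shannon entropy is only about two bits lower, loses 50%.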

NoHereNoMo

join:2012-12-06

1 recommendation

The only thing you need to know or do about entropy is ensure that there's enough of it to relegate the cracker to using a brute force attack, at which point the longer your password is, the longer it will take to crack, presuming it can be done at all. As far as my "approach" to building a password goes, it's more like Diceware than anything else--mostly random, non-personal words (plus one, perhaps, that is personal) strung together, and, generally, at least seven of them. Each of the words is in a list somewhere for sure, but the final phrase/string is not. Of course, this is only possible when the system doesn't restrict the length of passwords by too much, which some do. Still, I make the assumption that at some point it or the system can and will be hacked, cracked, or compromised for nefarious purposes. I merely try to reduce exposure where it's inevitable.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."


sivran
Vive Vivaldi
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

How many websites actually allow you to use such long passphrases though?


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc), the shorter and simpler the actual passwords must be constructed to access the site/accounts. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
Given that we still see sites that have restrictions like "you can't use 'special' characters in a password", there's not a lot of skill invested in some web sites.

(What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)

NoHereNoMo

join:2012-12-06
reply to sivran
Email systems seem to be the least restrictive on length. I've yet to find a limit for Google, but I haven't bothered to check for longer than what I prefer to use. My credit union allows maybe half of what I'd prefer. Almost all other sites don't have anything I'm particularly concerned about securing. The restriction, though, doesn't change my method, just reduces the length--I use what they allow.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to dave
said by dave:

... (What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)

A long time ago I was told that special characters (non-letter/number) were used for field delimiters and control symbols in certain kinds of database structures, so they were forbidden as part of field entries like passwords and such. But that was years ago, and I can't imagine that the state of the art in software design hasn't moved light years beyond such archaic limitations... particularly with something like a password. Perhaps the real reason is that a lot of log-in software still has archaic interface modules that are 15 years or more behind the times...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6

1 recommendation

I don't understand why the banks can't get their act together. Chase, apparently, can't recognize a Win 8 computer and thus requires that I go through, EACH TIME, an intricate procedure whereby a code is sent to my email address and that I have to then enter and then do two challenges, etc. (which I already did... but Chase claims my computer has never logged in there because it is Windows 8) and makes me do again. This happens on Fx 10.0.12 ESR. Then there is the separate Opera 12.14 problems at Chase where I can login (after the same "we don't recognize your computer" hassle), but cannot enter a payment amount that Chase sees and cannot logout at all unless I navigate to the main Chase Online page. As large as Chase is, you would think they could get these problems fixed quickly.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1

1 recommendation

reply to Blackbird
said by Blackbird:

said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc), the shorter and simpler the actual passwords must be constructed to access the site/accounts. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.

I find it funny I have a bank, I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

Kinda makes no sense when a video game lets me do more complex passwords than a bank.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
Has anyone ever heard of a US bank account being compromised via a weak password?
I know that I haven't.
Between phishing, vishing, post-it notes etc... illegal access occurs daily but it has nothing to do with a weak password.
If anything, the password reset function presents a larger risk than current simple password restrictions.
But not to dilute the challenge - Can anyone find a verifiable reference to a US bank account hacked via a dictionary or brute force attack?


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Kearnstd
said by Kearnstd:

I find it funny I have a bank, I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

But did you know case doesn't matter for your World of Warcraft account? So, that cuts out 26 characters.

Snowy, you're just not getting it. Did you even read the article?

said by Deloitte Article:
How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password.
NO ONE tries to brute force passwords directly, due to incorrect password lockouts.

I agree that password resets are a major problem.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Yes, I read the article.
I just didn't get that the scope was framed around
"90% of user generated passwords would fail if the password file were attacked"
If it were I'd think the title would have been 90% of password files are not secure.

The article would make even less sense if that's what it's about because at the point of attack the password becomes dependent on the strength of the password file.
If it's stored in plain text then it's not 90% that would fail - it would be 100%.

How or if the password is salted would come into play etc... there's too many variables to come up with a hard number as they did (90%).

Even if it were about passwords stored in a password file that was subjected to an attack:
1. They should have attacked a plain text file to get a 100% failure rate
2. I'm not aware of any US financial institution that lost their password files - though anything is possible.
3. If their point was a stronger password to offset a lost password file advocating a best policy in password file encryption would be more practical than changing the habits of 90% of humankind.
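
Added example (not from any poster in this thread, and not Deloitte's material): the three password-file storage schemes the post above argues about, side by side. A plaintext file fails 100% of users the moment it leaks; a fast unsalted hash lets the thief test one guess against every user at once and makes shared passwords visible in the file; a per-user salt plus a deliberately slow key derivation function forces the work to be repeated per user and per guess, which is the "password file encryption" policy the post calls more practical than retraining 90% of humankind. The record format `pbkdf2_sha256$iterations$salt$hash`, the 600,000 iteration default and the sample passwords are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600_000 is in the range current guidance
# recommends (assumption: tune to your hardware; lower it only for tests).
DEFAULT_ITERATIONS = 600_000


def store_plaintext(password):
    """Scheme 1: the stolen file *is* the password list. 100% fail, as the post says."""
    return password


def store_unsalted_sha1(password):
    """Scheme 2: fast, unsalted hash. Offline there is no lockout, each guess
    costs one SHA-1, and one pass over a wordlist tests every user in the file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Scheme 3: per-user random salt plus a deliberately slow KDF.
    Record layout 'pbkdf2_sha256$iterations$salt$hash' is this example's own."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and cost; compare in constant time so the
    check itself leaks nothing about how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_visible(record_a, record_b):
    """Can a thief tell from the file alone that two users chose the same
    password? True for plaintext and unsalted hashes, False once salted."""
    return record_a == record_b


def offline_cost_multiplier(users, iterations=DEFAULT_ITERATIONS):
    """How many more hash computations a salted, iterated file costs an offline
    attacker than an unsalted fast-hash file of the same size: the salt stops
    one guess from covering all users, the iterations slow every guess."""
    return users * iterations


if __name__ == "__main__":
    alice = "swordfish-1999"   # constructed sample; two users, same choice
    bob = "swordfish-1999"
    for name, fn in (("plaintext", store_plaintext),
                     ("unsalted sha1", store_unsalted_sha1),
                     ("salted pbkdf2", store_salted_pbkdf2)):
        a, b = fn(alice), fn(bob)
        print(f"{name:14s} same-password visible in stolen file: {shared_password_visible(a, b)}")
    rec = store_salted_pbkdf2(alice)
    print("login ok:", verify_pbkdf2(alice, rec), "| wrong password:", verify_pbkdf2("hunter2", rec))
    print(f"offline work vs unsalted fast hash, 10,000 users: {offline_cost_multiplier(10_000):,}x")
```

The multiplier is the practical answer to "how or if the password is salted would come into play": with salting and a slow KDF, cracking the file scales with the number of users times the work factor, whereas with an unsalted fast hash it scales with the wordlist alone, regardless of how many users are in the file.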


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to Kilroy
said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Aah, it took reading that twice,
I usually just gloss over this type of noise
"Most organizations keep usernames and passwords in a master file. ...
So far, so secure. However, master files are often stolen or leaked....


I hope Deloitte is just setting the stage for a breach disclosure rather than actually believing that.
Deloitte's 90% figure still doesn't change any fact.
It's still true that 0% of US banking customers have had their accounts compromised due to a brute force or dictionary attack or even a weak password being cracked via a leaked or stolen password file.
Phishing, vishing, post-it notes, impersonation, forgery, ACH fraud, bank losing master password file.
It doesn't even look right.