Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 541992
RE[2]: make 'm long
by Fergy on Sun 11th Nov 2012 17:26 UTC in reply to "RE: make 'm long"
Fergy
Member since:
2006-04-10

Common misconceptions with password security:

* concatenating words together is more secure == false. Modern attacks use a dictionary of words and try combinations of such words concatenated.

* using txt spk / l33t style words is harder to crack than common words == false. Modern dictionaries have every imaginable combination of number and non-alpha/numeric substitutions of letters as well as plain English words.

* using non-English words is more secure == false. Dictionaries include words from most languages, proper nouns and even slang that isn't technically part of any language.


Password cracking has come a long way in the last few years and current security advice hasn't kept up with development.

Use lower case: 26 possibilities
Use upper case: 26 possibilities
Use numbers: 10 possibilities
Use punctuation: 32 possibilities
Use them all: 94 possibilities per character

Using English is the easiest way to fall victim to dictionary attacks. Put in another language and suddenly the cracker would have to include 20+ dictionaries. Put in a dialect and the cracker would need to put 2000+ dictionaries in.

How can you possibly claim that increasing the possibilities is _not_ more secure?

Reply Parent Score: 2

RE[3]: make 'm long
by Laurence on Sun 11th Nov 2012 20:49 in reply to "RE[2]: make 'm long"
Laurence Member since:
2007-03-26


Use lower case: 26 possibilities
Use upper case: 26 possibilities
Use numbers: 10 possibilities
Use punctuation: 32 possibilities
Use them all: 94 possibilities per character

Using English is the easiest way to fall victim to dictionary attacks. Put in another language and suddenly the cracker would have to include 20+ dictionaries. Put in a dialect and the cracker would need to put 2000+ dictionaries in.

How can you possibly claim that increasing the possibilities is _not_ more secure?

You're missing my point. Modern attacks aren't the old style brute force attacks which would try every combination of character. Instead they have ever more sophisticated dictionaries (I'm not sure if those are hardcoded possibilities or heuristics).

The problem is we've had an influx of leaked passwords over recent years. Nearly every month another website gets hacked and passwords are leaked - and this provides a massive amount of source material to learn user behaviour when selecting passwords, which in turn allows attackers to build more intelligent cracking tools.

So I'm not saying that your examples are less secure than having plain English passwords; what I'm saying is that such passwords aren't more secure these days. What is more secure is a random hash of characters or doing away with passwords entirely - which is what I actually advocated if you go back and re-read my post. ;)

Reply Parent Score: 2

RE[4]: make 'm long
by kwan_e on Mon 12th Nov 2012 03:13 in reply to "RE[3]: make 'm long"
kwan_e Member since:
2007-02-18

You're missing my point. Modern attacks aren't the old style brute force attacks which would try every combination of character. Instead they have ever more sophisticated dictionaries (I'm not sure if those are hardcoded possibilities or heuristics).

The problem is we've had an influx of leaked passwords over recent years. Nearly every month another website gets hacked and passwords are leaked - and this provides a massive amount of source material to learn user behaviour when selecting passwords, which in turn allows attackers to build more intelligent cracking tools.


You're kind of switching the bait here.

The second paragraph only provides knowledge for old style single-word passwords. A passphrase is made up of multiple words, which is much more difficult to analyse behaviour for.

Assuming that the cracker somehow can distinguish a passphrase from a long password, they're just confronted with using an almost brute force attack on the word combinations.

Using a 10,000 word dictionary, a passphrase of five words is a space of 100,000,000,000,000,000,000 possibilities. The English language alone has about 250,000 words depending on the OED estimate.

Reply Parent Score: 2
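As an added example (not code from the thread or from any of its posters), the search-space arithmetic that both Fergy's 94-possibilities-per-character table and kwan_e's 10,000^5 passphrase estimate rest on, next to the dictionary-aware estimate that Laurence's combinator argument implies. The word list is a constructed sample standing in for a real cracking dictionary; DICTIONARY_SIZE = 10,000 is the attacker-dictionary size taken from kwan_e's post; the leet substitution table is an assumed, simplified rule set, not any real cracker's rules.

```python
"""Search-space arithmetic for the password thread above.

Added example, not code from the original thread or from OSNews. The word
list is a small constructed sample; DICTIONARY_SIZE is the 10,000-word
attacker dictionary kwan_e assumes and is only used for the estimates.
"""
import math
import secrets

# Character-class sizes as Fergy lists them: 26 + 26 + 10 + 32 = 94.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digits": 10, "punct": 32}

# Constructed sample standing in for a real 10,000-word cracking dictionary.
SAMPLE_WORDS = frozenset([
    "correct", "horse", "battery", "staple", "password", "dragon", "monkey",
    "summer", "welcome", "letmein", "house", "tree", "river", "stone",
])
DICTIONARY_SIZE = 10_000  # assumed attacker dictionary size, from the thread

# Assumed, simplified set of substitutions a cracking rule set would undo
# ('1' -> 'i' is a simplification; real rules try every mapping).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force attacker must try in the worst case when
    every position is drawn uniformly from an alphabet of alphabet_size."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of search_space(): bits of entropy of a uniformly random choice."""
    return length * math.log2(alphabet_size)


def char_class_bits(password: str) -> float:
    """Fergy's estimate: count the classes present and charge log2(class
    total) per character. Implicitly assumes every character was random."""
    if not password:
        return 0.0
    size = 0
    if any(c.islower() for c in password):
        size += CHAR_CLASSES["lower"]
    if any(c.isupper() for c in password):
        size += CHAR_CLASSES["upper"]
    if any(c.isdigit() for c in password):
        size += CHAR_CLASSES["digits"]
    if any(not c.isalnum() for c in password):
        size += CHAR_CLASSES["punct"]
    return len(password) * math.log2(size)


def segment_into_words(password, words):
    """Split password into the fewest dictionary words covering it exactly,
    or return None if no such split exists. This models the combinator
    attack Laurence describes: the attacker guesses the sequence of words,
    not the sequence of characters."""
    n = len(password)
    best = [None] * (n + 1)   # best[i]: shortest word list covering password[:i]
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and password[start:end] in words:
                candidate = best[start] + [password[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def effective_bits(password, words=SAMPLE_WORDS, dictionary_size=DICTIONARY_SIZE):
    """Attacker-facing estimate. Undo case and leet substitutions first (the
    rule-based dictionaries Laurence mentions), then: if the result is a
    concatenation of dictionary words, charge log2(dictionary_size) per
    word; otherwise fall back to the character-class estimate."""
    normalised = password.lower().translate(LEET)
    pieces = segment_into_words(normalised, words)
    if pieces is not None:
        return len(pieces) * math.log2(dictionary_size)
    return char_class_bits(password)


def generate_passphrase(words=SAMPLE_WORDS, count=5):
    """Draw count words uniformly with a CSPRNG. The entropy is
    count * log2(len(words)) no matter how ordinary the words look, which
    is the passphrase case kwan_e describes."""
    pool = sorted(words)
    return " ".join(secrets.choice(pool) for _ in range(count))


if __name__ == "__main__":
    for pw in ["correcthorsebatterystaple", "P4ssw0rd", "Tr0ub4dor&3"]:
        print(f"{pw:28s} naive={char_class_bits(pw):6.1f} bits  "
              f"attacker={effective_bits(pw):6.1f} bits")
    print("5 words from 10,000:", search_space(DICTIONARY_SIZE, 5),
          f"candidates, {entropy_bits(DICTIONARY_SIZE, 5):.1f} bits")
    print("example passphrase:", generate_passphrase())
```

Run as-is to see the two estimates side by side: "correcthorsebatterystaple" looks like 25 random lowercase letters (about 117 bits) but is four dictionary words (about 53 bits against a 10,000-word list), and "P4ssw0rd" collapses to a single word once the substitutions are undone. Five words drawn by generate_passphrase from a real 10,000-word list give the 10^20 candidates (about 66 bits) kwan_e computes; the difference from the concatenated-words case is that the words are chosen uniformly by secrets rather than by a human.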