Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 542097
RE[5]: make 'm long
by Laurence on Mon 12th Nov 2012 08:50 UTC in reply to "RE[4]: make 'm long"
Laurence
Member since:
2007-03-26

But from the point of view of the cracker, a passphrase containing words is indistinguishable from a password of the same length with random letters, numbers and symbols.

That's beside the point, as crackers are using the method I described and for the reasons I've described. Hence why I advised using random characters instead.


First, they have to make the assumption that the passphrase is made of words, rather than just a long password.

They do make that assumption because they understand user habits when creating passwords. As I've already stated, so many passwords have been leaked in recent years that there's a wealth of data to build more intelligent routines. Gone are the days when a "dumb" brute force attack was the preferred method of attack.


Then they have to test out combinations of words. So you have word choices of possibly over 10,000 words per word; you have alternative "spellings" of those words which can be a mixture of capitals and lower case and numbers making the word choice at least twice as many; then you have combinations of words for an unbounded number of words in the sentence. Then there's the problem of how the words are joined together.

Indeed, but that's still significantly fewer permutations than a blind brute force attack.


A quick search doesn't turn up anything significant about dictionary based attacks on passphrases for me, so I don't know how much research has been done on it.

That's because, as I've already stated, the old advice is still pretty much widespread. I've been following the blogs of a number of security researchers in recent years (as my profession is moving into that arena) and the advice I'm giving is what I've read industry experts advise.

The only people I've seen that suggest otherwise are blogs by journalists and system administrators, who, with the greatest of respect to them, are not working close enough to this field to understand the latest developments in cracking. Much like how I wouldn't expect professional application developers to keep up with the latest security patches for *nix platforms. After all, IT is a massive field these days.

Anyhow, I'll have a dig around for some of the blogs I've read that support the claims I'm making. If you don't mind checking back in a couple of hours ;)

Score: 2
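To make the combinatorics in the exchange above concrete, here is an added example (not from the original thread or either commenter) that estimates the search space an attacker must cover under two models: a word-aware model that guesses a passphrase as dictionary words with capitalisation variants and separators, and a blind character-by-character brute force of the same length. The dictionary size (10,000 words), the number of spelling variants per word, the separator count and the 95-character printable ASCII alphabet are assumptions chosen for illustration; the sample passphrase and random password are constructed.

```python
import math

# Assumed parameters for the word-aware attacker model (illustrative, not measured).
DICT_SIZE = 10_000          # candidate words per position, as in the thread
VARIANTS_PER_WORD = 2       # e.g. "word" / "Word"; the thread says "at least twice"
SEPARATORS = 4              # e.g. "", " ", "-", "_" between words
PRINTABLE_ASCII = 95        # alphabet size for a blind brute force


def passphrase_bits(words: int, dict_size: int = DICT_SIZE,
                    variants: int = VARIANTS_PER_WORD,
                    separators: int = SEPARATORS) -> float:
    """Bits of entropy when the attacker guesses whole words.

    Each word position has dict_size * variants choices; each of the
    (words - 1) joins has `separators` choices.
    """
    per_word = math.log2(dict_size * variants)
    per_join = math.log2(separators) if words > 1 else 0.0
    return words * per_word + (words - 1) * per_join


def brute_force_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy for a blind brute force over `length` characters."""
    return length * math.log2(alphabet)


def count_words(passphrase: str, seps: str = " -_") -> int:
    """Split a passphrase on the assumed separator characters and count words."""
    for sep in seps:
        passphrase = passphrase.replace(sep, " ")
    return len(passphrase.split())


def compare(passphrase: str, random_password: str) -> dict:
    """Return entropy estimates that show the point made in the thread:

    a word-aware search over the passphrase is far smaller than a blind
    brute force of the same length, and can be smaller than a blind
    brute force of a much shorter random string.
    """
    n_words = count_words(passphrase)
    return {
        "passphrase_length": len(passphrase),
        "words": n_words,
        "word_aware_bits": passphrase_bits(n_words),
        "blind_same_length_bits": brute_force_bits(len(passphrase)),
        "random_password_length": len(random_password),
        "random_password_bits": brute_force_bits(len(random_password)),
    }


if __name__ == "__main__":
    # Constructed samples: a four-word passphrase and a 12-character random string.
    sample_passphrase = "Correct-horse-battery-Staple"   # 28 chars, 4 words
    sample_random = "g7#Lq!2vZ@9e"                       # 12 chars
    for key, value in compare(sample_passphrase, sample_random).items():
        print(f"{key:>26}: {value:.1f}" if isinstance(value, float) else f"{key:>26}: {value}")
```

The word-aware figure is what matters for the argument: four words from a 10,000-word list with two spellings each and four possible joins comes to roughly 63 bits, while a blind search over the same 28 characters would be around 184 bits, and a 12-character random password scores about 79 bits even against blind brute force. The exact numbers depend entirely on the assumed parameters, but the gap between the two models is the point.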

RE[6]: make 'm long
by Laurence on Mon 12th Nov 2012 09:47 in reply to "RE[5]: make 'm long"
Laurence
Member since:
2007-03-26

Here's a link describing how crackers now use dictionary based attacks:
http://arstechnica.com/security/2012/08/passwords-under-assault/

Score: 2