Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 542101
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[5]: make 'm long
by Laurence on Mon 12th Nov 2012 09:08 UTC in reply to "RE[4]: make 'm long"
Laurence
Member since:
2007-03-26


You're kind of switching the bait here.

I'm really not. I might not be explaining things that well (English isn't me strongest skill), but my advice here has been consistent.


The second paragraph only provides knowledege for old style single-word passwords. A passphrase is made up of multiple words, which is much more difficult to analyse behaviour.

You're making an assumption that dictionary attacks can only work against a single instance within the dictionary file. What modern dictionary attacks actually do is use a the dictionary as a basis for a "brute force-style" attack.

Let me explain this better:
the old style brute force attack would try every character permutation (eg (if you don't mind some crude regex) m/[0-9a-zA-Z]/ and any symbols opted for).

Modern dictionary attacks use the dictionary as a bases for building the permutations. So if the dictionary file has: add, dad, bad then the attack will use add, dad, bad, addadd, adddad, addbad, dadadd, daddad, dadbad, badadd, baddad, badbad plus the "l33t" variants ("d4d") formating variants ("dad dad", "dad!") and so on.

So while it's technically still a dictionary based attack, it's significantly more sophisticated than a standard dictionary attack yet also significantly quicker to run through likely permutations than the old style brute force attack.


Assuming that the cracker somehow can distinguish a passphrase from a long password, they're just confronted with using an almost brute force attack on the word combinations.

Using a 10,000 word dictionary, a passphrase of five words is a space of 100,000,000,000,000,000,000 possibilities. The English language alone has about 250,000 words depending on the OED estimate.

Indeed. But the point is that's still massively quicker than doing every character permutation.

To put it another way, you stated that 5 word match might offer up 10^19 combinations (which I think is an over-estimate, but I'm still willing to use those figures), using a standard brute force attack offers up (10+26+26+20)^16 combinations (10 numeric characters, 26 alpha in both cases and 20 symbols) for a 16 character sequence. That works out at 2044140858654976 possible solutions and that's not even the entire length of an average 5 word string (which is what you're basing your example on).

So an intelligent dictionary attack really is the better cracking routing and why you have to assume that attackers are using it.

Reply Parent Score: 2

RE[6]: make 'm long
by kwan_e on Mon 12th Nov 2012 09:35 in reply to "RE[5]: make 'm long"
kwan_e Member since:
2007-02-18

This is getting beyond my level of expertise, but what I'm saying is generating a password of five words is different to figuring out that the password actually has five words.

10^19 is just a lower bound for a 10,000 word dictionary. Counting variations of those words, whether it's a change in casing or a numerical substition, you have at least an order of magnitude more word choices for each word. There's no requirement for there to be syntactical or grammatical structure to the passphrase.

z/OS supports passphrases of 100 characters long, which may be 10 or 20 words long, which obviously has a greater space of valid passwords than the 20 character passwords boxes that some sites are adopting. A 20 word sentence is more memorizable than a 20 character random string let alone a 100 character random string.

Reply Parent Score: 2

RE[7]: make 'm long
by Laurence on Mon 12th Nov 2012 09:45 in reply to "RE[6]: make 'm long"
Laurence Member since:
2007-03-26

But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.

Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.

That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site.

That method is far more secure than using a passphrase.

Reply Parent Score: 2