Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 542118
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[8]: make 'm long
by kwan_e on Mon 12th Nov 2012 11:01 UTC in reply to "RE[7]: make 'm long"
kwan_e
Member since:
2007-02-18

But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.

Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.

That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site.

That method is far more secure than using a passphrase.


I still fail to see how a cracker tool can tell, even with the information that a string is 88 characters long, that the user chose to go with a password hash and not a password phrase.

If a cracker tool is sophisticated enough to figure that out, it may as well be sophisticated enough to figure out which tool you used to generate your hash and what you put in as the parameters. It's a few more levels of indirection, but you've basically still used a passphrase. It's just the passphrase is for different data.

Reply Parent Score: 2

RE[9]: make 'm long
by Laurence on Mon 12th Nov 2012 11:20 in reply to "RE[8]: make 'm long"
Laurence Member since:
2007-03-26


I still fail to see how a cracker tool can tell, even with the information that a string is 88 characters long, that the user chose to go with a password hash and not a password phrase.

They don't need to know - they just work on the assumption it is a standard passphrase because that's how most people have engineered their passwords and that's the routine that returns the most results for the least effort.


If a cracker tool is sophisticated enough to figure that out, it may as well be sophisticated enough to figure out which tool you used to generate your hash and what you put in as the parameters. It's a few more levels of indirection, but you've basically still used a passphrase. It's just the passphrase is for different data.

You're thinking about this backwards. You're arguing that because the attacker doesn't know the type of password you'd be using that they wouldn't be able to use an appropriate routine to crack your password. That simply isn't true.

As I've stated before, attackers will use routines such as dictionary attacks to gain access to as many accounts as they can with as little effort as they can. Then worry about using a "blunter" brute force routine to catch the remainder should they need to.

Using a longer random password using the methods I've exampled will protect you from both dictionary attacks and against most brute force attacks (due to the length of the generated password hash and computation time required to match it). You're also relatively secure against poorer security on the server's databse end (eg lack of a password hash or even clear text passwords) as you have a unique password for each site - thus minimizing cross-site damage to zero.

Using a passphrase will only protect you if you manage to pick words that aren't already stored in the massive dictionaries available - which is quite a risk give the size and intuition of these dictionaries.

This makes good further reading as it's actually real world security researchers describing the very attack methods I'm discussing and how easy it makes cracking passphrases: http://arstechnica.com/security/2012/08/passwords-under-assault/

So anyone who doubts the truth behind the points I'm raising, then I implore you to have a read. (And I really wish more technology commentators read similar articles before giving security advice as well - because even some of the best technology experts aren't specialises in security and thus have an outdated understanding of modern cracking techniques).

Edited 2012-11-12 11:24 UTC

Reply Parent Score: 2

RE[10]: make 'm long
by kwan_e on Mon 12th Nov 2012 12:13 in reply to "RE[9]: make 'm long"
kwan_e Member since:
2007-02-18

As I've stated before, attackers will use routines such as dictionary attacks to gain access to as many accounts as they can with as little effort as they can. Then worry about using a "blunter" brute force routine to catch the remainder should they need to.


Since that's the strategy, it doesn't really make passphrases any less secure since they're just going to attack a whole lot of accounts and get as much as they can. There will always be people with weak passphrases.

There's nothing stopping crackers from targeting password hash generators either.

Reply Parent Score: 2