Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 542141
RE[12]: make 'm long
by kwan_e on Mon 12th Nov 2012 13:26 UTC in reply to "RE[11]: make 'm long"
kwan_e Member since:
2007-02-18

"There's nothing stopping crackers from targeting password hash generators either.

You can't target hash generators for my method. The hash generator is only used as a method to create a random password. You could just as easily mash the keyboard for all the difference it makes. Except with my method you don't need to store the password anywhere."

Why can't you target hash generators? After all, to generate your hash, you're basically using a passphrase and the website for the salt.

If passphrase cracking is as easy as you say it is, then it's just as easy for a cracker to figure out the passphrase you use to generate the hash.

Edited 2012-11-12 13:27 UTC

Reply Parent Score: 2

RE[13]: make 'm long
by Laurence on Mon 12th Nov 2012 13:48 in reply to "RE[12]: make 'm long"
Laurence Member since:
2007-03-26


Why can't you target hash generators? After all, to generate your hash, you're basically using a passphrase and the website for the salt.

I'd already answered that.

The method used to create the hash is irrelevant in this specific context. Whether you used a hash generator or randomly mashed the keys on the keyboard, the password is still a random character string, and it's that password that you need to crack. Knowing the method used to create the password would, at most, only tell you which characters to include in your brute force attack (e.g. base64-encoded SHA-512 hashes will have 0-9, a-z, A-Z, + and /, whereas another random character string could include different characters).

What you're thinking about is the storage of passwords in hashes - which is completely different.

If you store a password in a hash then you can use a hash table to match hash strings and effectively reverse engineer the originating password. But the password itself wouldn't be a hash. That password could be a passphrase or any other password that the user chose.

So using a hash as a password itself doesn't leave itself vulnerable to detection based on the hash generator used. Using such a generator is just an arbitrary method to produce an arbitrary random string.


If passphrase cracking is as easy as you say it is, then it's just as easy for a cracker to figure out the passphrase you use to generate the hash.

No, you're getting yourself completely muddled there.
The only possible way you could find out the passphrase for the hash used in my method would be if you found out the output password; and if they know that, then they already have your password, so there's no bloody point trying to find the passphrase used to generate that password, as they already have your login details lol.

My method is little different to randomly mashing a keyboard in terms of the password generated, except I provide a way to exactly repeat the random mashing in a secure way. However, the attacker would only ever have exposure to the end result, so could not and would not care about the method used to create the password (i.e. whether it was random keyboard mashing, a password generator or a hash generator).

Reply Parent Score: 2

RE[14]: make 'm long
by kwan_e on Mon 12th Nov 2012 14:02 in reply to "RE[13]: make 'm long"
kwan_e Member since:
2007-02-18

The only possible way you could find out the passphrase for the hash used in my method would be if you found out the output password; and if they know that then they already have your password so there's no bloody point trying to find the passphrase used to generate that password as they already have your login details lol.


They don't need to know your password. They just need to know if the hash they generated managed to authenticate them to a site as you, i.e.:

1) Estimate your passphrase
2) Generate the hash
3) Use the hash to try and authenticate

Sure, it's a few more steps than

1) Estimate your passphrase
2) Use the passphrase to try and authenticate

It's one more level of indirection, but it still begins with a passphrase.

Reply Parent Score: 2
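The exchange above can be checked directly. The following is an added example, not code posted by Laurence or kwan_e; it assumes the derivation Laurence alludes to (base64 of a SHA-512 over the passphrase plus the site name, with the passphrase, site name, candidate list and the stand-in website all constructed here) and plays out kwan_e's three steps against a site that answers only yes/no to a login. The brute-force figure for the output string (86 characters of a 64-symbol alphabet, over 500 bits) is contrasted with the number of guesses actually needed when the attacker searches the passphrase instead.

```python
import base64
import hashlib
import hmac
import math

# Constructed inputs for the demonstration.
SITE = "example.com"
TRUE_PASSPHRASE = "correct horse battery staple"
# Constructed attacker wordlist; the real passphrase is the third entry.
CANDIDATES = [
    "password",
    "letmein",
    "correct horse battery staple",
    "hunter2",
    "Tr0ub4dor&3",
]


def derive_password(passphrase: str, site: str) -> str:
    """Assumed hash-generator scheme: base64(SHA-512(passphrase || '|' || site)).

    The '|' separator and the use of SHA-512/base64 are assumptions made for
    this example; the thread only says "base64 encoded sha512 hashes".
    """
    digest = hashlib.sha512(f"{passphrase}|{site}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


class FakeSite:
    """Stand-in for the website (constructed). It never reveals the password;
    it stores a salted, stretched hash and answers yes/no to login attempts."""

    def __init__(self, password: str) -> None:
        self.salt = b"constructed-static-salt"
        self.stored = self._stretch(password)
        self.attempts = 0

    def _stretch(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, 10_000)

    def login(self, password: str) -> bool:
        self.attempts += 1
        # Constant-time comparison so the oracle leaks nothing but yes/no.
        return hmac.compare_digest(self._stretch(password), self.stored)


def brute_force_bits(password: str) -> float:
    """Search space (bits) if the attacker only knows the output alphabet
    (0-9, A-Z, a-z, + and /). Padding '=' carries no entropy."""
    return len(password.rstrip("=")) * math.log2(64)


def crack_via_passphrase(site: str, login, candidates):
    """kwan_e's attack: (1) guess the passphrase, (2) run it through the same
    generator, (3) try the result against the site. Returns the recovered
    passphrase and the number of login attempts used, or (None, attempts)."""
    for attempts, guess in enumerate(candidates, 1):
        if login(derive_password(guess, site)):
            return guess, attempts
    return None, len(candidates)


def run_demo():
    """Set up the user's account on the fake site, then attack it."""
    real_password = derive_password(TRUE_PASSPHRASE, SITE)
    site = FakeSite(real_password)
    recovered, attempts = crack_via_passphrase(SITE, site.login, CANDIDATES)
    return {
        "password_length": len(real_password),
        "brute_force_bits": brute_force_bits(real_password),
        "recovered_passphrase": recovered,
        "login_attempts": attempts,
        "site_attempt_counter": site.attempts,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The output string really is indistinguishable from keyboard mashing, as Laurence says, and guessing it directly is hopeless. But the site's yes/no answer is enough of an oracle: once the attacker suspects the generator and searches passphrases instead, the cost collapses to the size of the passphrase wordlist, which is the indirection kwan_e is pointing at. A per-site random salt inside the derivation would not change this, since the site name is public; only the secrecy and strength of the passphrase does.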