educate me please!


VonVilkee

If your password is mostly random and not short you're probably good.

 

Generally things like passwords are hashed when they're stored in a database with a one-way algorithm like MD5 (http://en.wikipedia.org/wiki/MD5; note that this is technically a bad example because MD5 has flaws that can be exploited). So if you have a password that is 'password' it should be stored in the database as "5f4dcc3b5aa765d61d8327deb882cf99".

 

When you enter your password in the site it's hashed, and then the hash is compared with what's in the database. That's why if you see a data breach like the Kickstarter one they say encrypted passwords were stolen: the thieves have 5f4dcc3b5aa765d61d8327deb882cf99, not "password", associated with your email.

 

Of course if they know the type of hash used they could brute force your password. That is, simply hashing every password possible ("abc111, abc112, abc113, abc114, . . . etc") and comparing it to the hash they have. That takes a LONG time for any reasonable length password and it's not something someone would normally use unless they're desperate or they're the NSA or someone else with ridiculous computing power.

 

Things like Dictionary Attacks and Rainbow Tables shorten the amount of time needed to crack encrypted passwords. Essentially someone goes and pre-hashes a whole bunch of things and then stores them in a file (dictionary attack) or does extra math stuff that I don't really get in the case of Rainbow Tables. So to crack your password of 'password' they just look up the hashed value "5f4dcc3b5aa765d61d8327deb882cf99" in their table and out pops "password". Now you're in trouble! But those tables only have so much info in them because you can't store the hash of everything as it would be way too big, so it usually only has short, simple phrases ("aaaaab") or things that people use all the time ("password").

 

To be safe you just want something long and random enough to avoid being targeted by these sort of attacks but also something you can remember.

 

My favorite method was proposed by XKCD:

http://xkcd.com/936/

 

Note that I don't use it because I'm lazy.

  • Like 5

New security standards have some companies switching to a twelve character simple password. No need for numbers or symbols. So think of a passphrase instead of a password per se.

My Security Officer has been saying this at my office for the last year or two.

It would seem length is far more important than complexity these days... Someone else would have to explain the why in better detail.


Case A: 5 character password with a mix of lowercase, uppercase, numbers and symbols (to make my life easier, just the ones on the number row). Total characters: 26 + 26 + 10 + 10 = 72.

 

Total possible permutations: (72x72x72x72x72) = 1,934,917,632

 

Case B: 6 Character password with just upper/lowercase. Total Characters: 52

 

Total possible permutations: (52*52*52*52*52*52) = 19,770,609,664

 

Just adding one more character in length more than makes up for the lack of 20 extra possible characters.

  • Like 3
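The keyspace arithmetic in the post above, and the hash lookup the first post describes, worked through as an added example (not code from any poster). The tiny precomputed table and the per-user salt are constructed here for illustration; salting, which a later post mentions, is what makes such a table useless. MD5 is used only because the thread uses it as its example.

```python
import hashlib
import secrets

# Alphabet sizes exactly as the post defines them
LOWER, UPPER, DIGITS, NUMBER_ROW_SYMBOLS = 26, 26, 10, 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a given length over an alphabet."""
    return alphabet_size ** length


def case_a() -> int:
    # Case A: 5 characters drawn from 72 symbols
    return keyspace(LOWER + UPPER + DIGITS + NUMBER_ROW_SYMBOLS, 5)


def case_b() -> int:
    # Case B: 6 characters drawn from 52 letters
    return keyspace(LOWER + UPPER, 6)


def md5_hex(text: str) -> str:
    # MD5 only because the thread uses it; a real site should use a slow,
    # salted password hash (bcrypt, scrypt or Argon2) instead.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed, deliberately tiny "precomputed table" of the kind the first post describes:
# hash -> password, built once in advance.
PRECOMPUTED = {md5_hex(p): p for p in ["password", "aaaaab", "123456", "letmein"]}


def lookup_unsalted(stored_hash: str):
    """What a precomputed table yields for an unsalted hash: the password, or None."""
    return PRECOMPUTED.get(stored_hash)


def salted_hash(password: str, salt_hex: str) -> str:
    """Prepend a per-user random salt before hashing. The same password now yields a
    different digest for every user, so a table built in advance no longer matches."""
    return md5_hex(salt_hex + password)


def store_with_salt(password: str):
    """Return (salt, digest) as a site would store them for one user."""
    salt_hex = secrets.token_hex(8)
    return salt_hex, salted_hash(password, salt_hex)


def verify(password: str, salt_hex: str, stored: str) -> bool:
    """Re-hash the login attempt with the user's stored salt and compare in constant time."""
    return secrets.compare_digest(salted_hash(password, salt_hex), stored)
```
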

Once again, as I understand it, the problem with this approach is that the number of possible English words that can fit in 6 characters is a far smaller space than the total number of permutations of upper and lower case letters. Dictionary attacks take advantage of this by running all the combinations that are actual words first, which is a fairly quick process as these things go. I'm not a cryptologist, but I remember reading an article a while back on password security where they managed to arrange to get together with three hackers to demonstrate how these things got cracked, and all three said and showed that passwords based on real words were among the easiest to crack. I believe that XKCD strip was actually brought up and used as a bad example, but it was a while ago, that may have been in the commentary or just my own comparison.


What I do is I come up with a phrase that I am familiar with and do the first letters of it.  

 

For instance: ATSKNF, or WYSIWYG. 

 

Neither are words, but I know precisely what they mean and they are easy for me to remember.  

 

Another, similar option is to do something like use names and dates of loved ones. This stops most hacking that isn't from people that have done any real research on you. For instance, I could do n2680o2881 as a password and know that it is the first letter of my birth month, the day, and the two-digit year, then the same for my wife.


Wouldn't throwing in a non-dictionary "word" keep the strengths of the xkcd style password while avoiding the dictionary attack? For example "keepyergawdammedcheezdoodlez" is 28 characters, easy to remember and doesn't have many actual words

It helps, but "dictionary" in this case refers to a hacker-compiled dictionary, not an "official" one, and they often include common misspellings and substitutions like using a 0 in place of an o. There are also partial dictionary attacks that use some wildcard characters.

 

Fluger's suggestions are good against any method I know as long as you get them up above about 9-10 characters (8 characters is brute-forceable with current tech, and 9-10 probably will be before too long). Including at least one special character probably helps.

 

Other tips:

- The first character is the most common place to put a capital letter. Put one somewhere else. If using real words, put a capital somewhere in the middle of a word.

- Similarly, the last character is the most common place to put special characters. Put one somewhere else. Again, good to toss one in the middle of a real word if you're using them.

- Four letters followed by four numbers is very common, and those combos are often checked first. Particularly avoid runs of four numbers corresponding to years in the last hundred years or so (1964, etc.), lots of people use those.

- If you're using something that you won't remember trivially, write it down, but keep it somewhere other than your computer desk or other sensitive documents.

 

The most secure way to go is with password management software, but that involves its own hassles and costs money and some people don't want to deal with that.


There are some nice free password management tools that will store and generate random string passwords for you. KeePass, I think, comes with the PortableApps suite (or used to).

 

The other thing you can do is proper 2-factor, aka chip/PIN, which is gonna be really hard for web-based things, or having keyfobs for every bank/merchant/etc. But for work I no longer have a password; I use my badge, which is chipped, and a PIN. So one has to have both my physical token and my secret to get to my account. There are still some things that require user/pass, and those are either separate accounts (ooh, you can close my trouble tickets for me) or things like the OS install tool, domain joins and our script tool for server builds. But for that we can have a temp random string generated as a password that is good for 10 hours at the most. Also, that is an account different from my standard user account, so I have 2 badges/chips for work: one for my mail/workstation etc., and one for server access/work.

  • Like 1


Yeah, I wasn't trying to espouse using a 6 character word, just showing that a 6 character password with limited choices is still more secure than a 5 character password with extra characters (not accounting for dictionary attacks). The takeaway from things like the XKCD comic is that longer and easier to remember is better than shorter but hard to remember. No dictionary (probably) is going to have something like peanutCarsGirlMagnet in its list of passwords.


Again, not 100% on this, but I seem to remember a chunk about the Dictionary Attacks including combinations of words, specifically to attack passphrases like that. So no, "peanutCarsGirlMagnet" wouldn't be in there, but "peanut", "Cars", "Girl", and "Magnet" each would, and that combination of the four would get checked at some point.


Well, given the price of storage nowadays, pretty much everything will be in there eventually. If they're programmatically joining elements of a (literal) dictionary then you're moving away from a dictionary attack and more towards a brute force attack, because the things you're checking against aren't precomputed hashes. Of course if your set of words is precomputed in the dictionary you're screwed I guess, and if someone really wants to crack your password they're going to do it. In the end we can only hope that websites salt their hashes so things like dictionary attacks don't really help.

 

I think it's also worth noting that if someone really wanted to hack your accounts and get your password, it is probably way easier to just pretend to be you and then call customer support. I know the last time I had to change my password at work I only had to call the help desk, say who I was and ask them to reset the password.
