03-09-2021, 07:53 PM
frozenchief
Security

Stumbled across this today. Something to consider when creating passwords.

I am not seeking to advertise the company, in part because I know nothing about the company but I figured I'd pass on the information. I expect that as computing power increases, those figures will decline. When I'm 87, my password will have to be something like

pleasegetmemoredependsbecausethesearefullofcrap1234*

03-10-2021, 03:01 PM #16
htismaqe
Quote:
Originally Posted by unlurking
Also, while this chart is a good opening comment about security, it is SUPER subjective and not nearly detailed enough for a true discussion of what makes a secure password. Those numbers are based on "brute-force" attacks which attempt every possible variation in a character data set. It completely ignores non brute-force attacks, speed of guesses, and ease of guessing the type of hash.

You wouldn't believe how many passwords I see like Spring-2002! or GoBroncos!2002 (obvious assholes) or Ch13f$Rule!!! All of which crack in seconds using basic rule and mask attacks but people still think nobody will figure it out.

Yep.

Here's another interesting read, BTW. He explains somewhat how "high entropy" is an outdated way of thinking. His "haystacks" suggestion is pretty interesting.

https://www.grc.com/haystack.htm
03-10-2021, 07:43 PM #17
unlurking
Quote:
Originally Posted by htismaqe
Yep.

Here's another interesting read, BTW. He explains somewhat how "high entropy" is an outdated way of thinking. His "haystacks" suggestion is pretty interesting.

https://www.grc.com/haystack.htm

Please don't take this the wrong way, totally not trying to sound like an ass but I have a hard time explaining things sometimes and often end up sounding like a jerk.

I've never really been a fan of GRC (didn't know he was still around actually). I appreciate his attempt in this article, but I very heavily disagree with his assertions. Especially his D0g........... example. In fact, knowing that some people will probably hit the easy button and use something like that after reading his article, I'm going to add attacks specifically for it on my next engagement. Will be a couple months before I have spare cycles to test, but will try and get some performance numbers in a month or so.

Length is not the ONLY factor, and this comment...
Quote:
But that doesn't matter, because the attacker is totally blind to the way your passwords look
is very dangerous and very not true. Most sites give you the minimum password characteristics, which makes it easy to start configuring your attacks. Most sites also have limited available character sets. Testing for unaccepted characters is simple. The attacker is not blind, but things are blurry.

Cutting my dictionaries (and like every CP'er, they're HUGE!) to words of 8 characters or less, running common "leetspeak" rules and appending a bunch of random special characters is not hard. Patterns are the death of a password. While yes, the D0g... password is longer than the PrXyc. This is insignificant if you know the pattern. And to be clear, I don't need to know what pattern you use. I will test all patterns I know.

Padding for length is FANTASTIC, don't get me wrong, but padding with such bad patterns will kill you. Patterns publicly espoused will kill you faster. Entropy DOES matter, because "guessing" (ugh) is NEVER the only attack. His recommendation is faulty in that it is intended to protect against an outdated method. Brute-force attacks are mostly dead except in specific use cases, and only after pattern based attempts are made. His argument is circular (because entropy - entropy doesn't matter) and misleading.

Sorry to rant.
Thumbs Up 1 Thumbs Down 0     Reply With Quote
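
The point argued in the posts above, that a brute-force estimate says nothing about pattern-based weakness, can be checked from the defender's side at password-set time. This is an added example, not code from any poster or from GRC: the word list, leetspeak map and function names are hypothetical, and the inputs are the passwords quoted in the thread plus one constructed random string.

```python
import math
import re

# Constructed mini word list; a real check would load a full dictionary
# and a breached-password list.
WORDS = {"spring", "summer", "winter", "chiefs", "broncos", "rule", "dog", "go"}
# Common leetspeak substitutions mapped back to letters (assumed set).
LEET = str.maketrans("013457@$!", "oieastasi")

def brute_force_bits(pw):
    """Bits of entropy a brute-force-only chart credits: len * log2(charset)."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10),
                       (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            size += n
    return len(pw) * math.log2(size) if size else 0.0

def splits_into_words(s):
    """True if s is a concatenation of entries from WORDS."""
    if not s:
        return True
    return any(s[:i] in WORDS and splits_into_words(s[i:])
               for i in range(1, len(s) + 1))

def pattern_findings(pw):
    """List the predictable structures in pw; an empty list means none found."""
    findings = []
    core = pw
    pad = re.search(r"(.)\1{2,}$", core)          # e.g. "!!!" or "......"
    if pad:
        findings.append("repeated-character padding")
        core = core[:pad.start()]
    if re.search(r"(19|20)\d{2}", core):          # embedded year
        findings.append("year")
        core = re.sub(r"(19|20)\d{2}", "", core)
    # Drop separators and trailing specials, then undo case and leetspeak.
    core = re.sub(r"[-_. ]", "", core)
    core = re.sub(r"[^A-Za-z0-9]+$", "", core)
    core = core.lower().translate(LEET)
    if core and splits_into_words(core):
        findings.append("dictionary words")
    return findings

def audit(pw):
    """Policy decision for a new password: reject when any pattern is found."""
    found = pattern_findings(pw)
    return {"bits": round(brute_force_bits(pw), 1), "findings": found,
            "accept": not found}
```

Spring-2002! and the constructed kT9#vQ2m!xLp get the same brute-force score, but only the first is rejected. An empty findings list means only that none of these few patterns matched, not that the password is strong.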