Password theory that was simply wrong.

[hutch--]

I read an article yesterday that I just cannot find again and it addressed advice that has been given to ordinary people using computers about how to construct a password that is hard to guess. The normal Unix based advice for years has been a mixture of upper case, lower case, numbers and punctuation yet the obvious is that the character choice has nothing to do with making a password or phrase hard to guess. Nothing beats a longer password of phrase as each character increases the order of complexity by a substantial amount.

Yet another problem with this clapped out old bullsh*t is it makes passwords hard to remember which makes so many people give up and use "password" or something as common. Single short popular words are open to dictionary attacks with a large count of ordinary words. Using you name is a really bad technique. The trick is to construct a phrase that has no real association to you.

"Beware of the ides of march"
"A sadder but a wiser man he woke the morrow morn"

Bits of prose if it helps you to remember them is an improvement but there is better still.

"My granny's first name was Mabel"
"My next door neighbor's cat answers to lucifer"

A long enough phrase is extremely hard to guess and it effectively defeats dictionary attacks. One more thing, NEVER NEVER NEVER store passwords on a computer, a smart enough hacker can find them and empty your bank account, steal your identity and get you into big trouble using your identity. If you cannot remember all of your passwords, write the rarely used ones on something like a sheet of paper so you can find them when you need them.

[sinsi]

https://xkcd.com/936/

[hutch--]

 

[anunitu]

No one could guess that my password is my cats name that is Rumpelstiltskin. I guess I am safe(that is satire,if you missed it)

[jj2007]

NEVER NEVER NEVER store passwords on a computer, a smart enough hacker can find them and empty your bank account, steal your identity and get you into big trouble using your identity. If you cannot remember all of your passwords, write the rarely used ones on something like a sheet of paper so you can find them when you need them.

That is theory. Practice is that I have a hundred passwords or so, and need to find them somewhere. Sheets of paper get thrown away by cleaning ladies, kids, visitors. So yes, there is a file with all those passwords. A hacker would need to know which file among the Millions of files on my PC, not so easy. First of all, he needs to enter my PC - and at that point, he can install a keylogger, too.

No, the real problem with passwords is that you can do bruteforcing. There is a server, and you throw "jj2007" at it. Then  "jj2007a", "jj2007b", "jj2007c", and after 26 attempts, hooray!, it was "jj2007z". Dumb, extremely dumb. No, not the password, what's wrong with "jj2007z"? Dumb is that the server accepts 26 attempts to crack the password. It should have told the hacker, after the third attempt, "hey, you seem to be a bit stressed - try again tomorrow". Cracking works only because servers do not slow down their response times where they should. If they did, a password like a2c4 would be perfectly safe because 4 chars allows many Million combinations. No cracker can guess that in his lifetime if he has to do it by hand, or if the server is, deliberately, a little bit slow when responding.

> I read an article yesterday that I just cannot find again
Tried Ctrl H like "history"? Sometimes it helps.

[anta40]

One more thing, NEVER NEVER NEVER store passwords on a computer, a smart enough hacker can find them and empty your bank account, steal your identity and get you into big trouble using your identity. If you cannot remember all of your passwords, write the rarely used ones on something like a sheet of paper so you can find them when you need them.

Should you store your passwords in your PC, then make sure it's not stored as plain text file, but an encrypted one (those open source password managers can help you). Now instead of remembering all of those email, banking, social media, work-related password etc etc, only 1 password is needed: the password which unlocks the password database.

And add further protection: disk/filesystem encryption, like BitLocker, EFS, etc.

I'm not the President of Russia, or a high ranking NSA official, so why would those hackers pick me? 

[hutch--]

I agree that setting a delay between entering passwords and evaluating them makes the task far more difficult as instead of bashing attempts at billions per second as some dedicated hardware can do, one second delay restricts the combinations to 60 possibles a minute, a 10 second delay is 6 a minute and this makes trillions of combinations very hard to get to the end of possibilities but this misses the point of the original suggestion, conventional Unix password theory is simply wrong.

The only factor for making passwords more difficult to find is how LONG it is. As long as you avoid the types of common words or perhaps phrases that are used in a dictionary attack, then the longer you make the password or phrase, the more secure it is and importantly, it does not need to be a mixture of upper case, lower case, numbers and punctuation, they are all just characters.

[sinsi]

I have set up hundreds of wireless routers and computers, the best way for me was to have the customer
1. Think of a famous person you can associate with the account
2. Use a quote from them (movie line, song lyric etc.)

There are quite a few wireless routers with the password "I am the greatest said Ali" scattered around Adelaide...


Off topic, but are you ever going to change the forum to https hutch?

[Adamanteus]

As Cusma Prutkov said : look to root !
Protection as defense better to have in depth, so need to keep save : pass, data, prog, hard, room  - all at once !

[mineiro]

The thing is where hide that password file, like Johannes Trithemius.

An attack form that I have seen and still works today are links. Never click on any link while you're logged on a board.
From what I see the hash key (not sure if this is the exact word) used on a board can be captured while you're visiting another board or site, even google cache.
So an attacker don't need know your password, just need know your session or momentum.

More than 15 years ago I was visiting riddles sites about these themes, and one riddle was just to discover the passphrase based on pgp. That day I discover that pgp is not secure.
Other thing that persons don't care about are firmwares, even don't have a firmware image backup; a malicious person can inject microcode on routers and other devices easy.
To me the question is not about passwords but how your deal with passwords, a simple 'xor' cipher is secure and from my knowledge uncrackable, but how to deal with that is the question.

I remember to have seen that any program used to criptograph symbols can be reversed to just be used by an attacker. Nobody is safe.
That's why I prefer only use my mind. When I'm drunk I even don't log in any board, not because I like but because I don't remember the sequence of my own password. This is good not to protect me but others from my drunk words hehehe.
I'm just a hobbyst, nothing to care about.

Have persons today that stores they password on internet and are secure. Well, first 2 bytes of an lossless image on a site or logo, plus 3 bytes from a midi file, more 2 letters from a text, ... .

[jack]

I use a password generator https://ss64.com/pass/ I saved the web page to my PC, it's written in javascript so you can look at the code if you want
I have a very long master password which generates the different passwords that I need.

[jj2007]

I use a password generator https://ss64.com/pass/

Interesting idea

include \masm32\MasmBasic\MasmBasic.inc         ; download
  Init
  Let esi=Input$("Master password:\t", "Masm32 is great")   ; suggestion is editable
  Let edi=Input$("Type your user name:\t", "jj2007")+String$(4, "abcd")
  .if GetHash(esi)              ; uses CryptCreateHash
        ; PrintLine "The MD5 of [", esi, "] is", CrLf$, Hex$(xmm0), " and will be xor'ed with", CrLf$, edi
        movups xmm1, [edi]
        xorps xmm0, xmm1
        Let edi=Replace$(Hex$(xmm0), " ", 0)    ; get rid of the spaces in the XMMWORD hex$
        Inkey "Your password is [", edi, "] - copy to clipboard (y)?"
        If_ eax=="y" Then SetClip$ edi
        Print CrLf$, "bye"
        Delay 1000
  .else
        Inkey "Hashing failed: ", Err$()
  .endif
EndOfCode

But there are still questions, like "what about keyloggers?" and "Can I trust Microsoft's CryptCreateHash?"...

[hutch--]

Like everyone else, I have to deal with a reasonable number of passwords and I simply don't accept the conventional wisdom that at least one upper case characters, lower case, punctuation and number make a password secure. The result is a case of hard to remember but easy to crack and its the same arse about mentality that has been inflicted by the Unix community for years.

Outside of common words used in dictionary attacks, password/phrase length increases multiply the range of combinations to brute force a password by the range of available characters in the character set. With ascii, each additional character multiplies the number of combinations by 256, with unicode its multiplied by 64k so when you start using phrases of any reasonable length the numbers for a brute force attack become very large.

Now once you are free of un-rememberable passwords, you can routinely remember most of your common ones, you credit card number for daily purchases and similar passwords that you use on a regular basis and for the ones that are used occasionally, write them on something that is NOT stored on a computer. Just last week I needed to use a password to access a web site that I had not used for over 5 years, that in my case is 2 computers ago with hardware changes, disks that failed, and data moved around from one computer to another.

[hutch--]

I have retired the tail end of this topic as it serves no purpose to have members scratching each other's eyes out. Also locked the thread so it spares the rest of us from a repeat.