Is your impossible-to-remember password really secure?

Whatever moves you, even it makes no sense ...
User avatar
legoboyvdlp
Posts: 1757
Joined: Mon Sep 14, 2015 9:49 pm
Location: Venezuela

Is your impossible-to-remember password really secure?

Postby legoboyvdlp » Thu May 26, 2016 7:49 pm

Results from http://random-ize.com/how-long-to-hack-pass:

Code: Select all

drearisome pitcher 12840510 years, 1 month

aqx7c03Lz 1 month, 25 days


Two random words from http://www.wordgenerator.net/random-word-generator.php and you have a password... add some capitals and two random numbers, and it will be really secure.

Right... a boring pitcher, and my birthday is the 30th day of the month... DrearisomePitcher30!
128670047768353630 years... I doubt even a bot can wait so long.
~~Legoboyvdlp~~
Maiquetia / Venezuela Custom Scenery
Hallo! Ich bin Jonathan.
Hey!
Avatar created by InSapphoWeTrust CC BY-SA 2.0, https://commons.wikimedia.org/w/index.p ... d=27409879

User avatar
legoboyvdlp
Posts: 1757
Joined: Mon Sep 14, 2015 9:49 pm
Location: Venezuela

Re: Is your impossible-to-remember password really secure?

Postby legoboyvdlp » Thu May 26, 2016 7:49 pm

Don't worry, DrearisomePitcher30 is not my password!
~~Legoboyvdlp~~
Maiquetia / Venezuela Custom Scenery
Hallo! Ich bin Jonathan.
Hey!
Avatar created by InSapphoWeTrust CC BY-SA 2.0, https://commons.wikimedia.org/w/index.p ... d=27409879

User avatar
legoboyvdlp
Posts: 1757
Joined: Mon Sep 14, 2015 9:49 pm
Location: Venezuela

Re: Is your impossible-to-remember password really secure?

Postby legoboyvdlp » Thu May 26, 2016 7:50 pm

CompressedRabbi30: 33472957275846 years, 4 months
~~Legoboyvdlp~~
Maiquetia / Venezuela Custom Scenery
Hallo! Ich bin Jonathan.
Hey!
Avatar created by InSapphoWeTrust CC BY-SA 2.0, https://commons.wikimedia.org/w/index.p ... d=27409879

User avatar
legoboyvdlp
Posts: 1757
Joined: Mon Sep 14, 2015 9:49 pm
Location: Venezuela

Re: Is your impossible-to-remember password really secure?

Postby legoboyvdlp » Thu May 26, 2016 7:50 pm

PediatricLugworm2016: 7977542961637923000 years
~~Legoboyvdlp~~
Maiquetia / Venezuela Custom Scenery
Hallo! Ich bin Jonathan.
Hey!
Avatar created by InSapphoWeTrust CC BY-SA 2.0, https://commons.wikimedia.org/w/index.p ... d=27409879

User avatar
IAHM-COL
Posts: 6455
Joined: Sat Sep 12, 2015 3:43 pm
Location: Homey, NV (KXTA) - U.S.A
Contact:

Re: Is your impossible-to-remember password really secure?

Postby IAHM-COL » Thu May 26, 2016 7:55 pm

you missed the point :D a keyphrase is more secure than a keyword, basically. (in order words, add space in between)

normalword(space)normalword, is already more secure than a scramble 1 word
Now onto the math

The most important thing here in complexity is length. (specially if you treat backspace as just another possible keystroke)
drearisome pitcher = 18 characters
aqx7c03Lz = 9 characters

Combinatorial mathematics will tell you how much harder it is to test all possibilites on 18 than on 9, specially when combinatorial mathematics grabs the usage of Factorials.

Finally off course, if you go
9scramblechars(space)8scramblechars will also give you 18 keystrokes passphrase, harder to crack, but on the negative side, also harder to humanly remember.
https://raw.githubusercontent.com/IAHM-COL/gpg-pubkey/master/pubkey.asc

R.M.S.
If we gave everybody in the World free software today, but we failed to teach them about the four freedoms, five years from now, would they still have it?

User avatar
legoboyvdlp
Posts: 1757
Joined: Mon Sep 14, 2015 9:49 pm
Location: Venezuela

Re: Is your impossible-to-remember password really secure?

Postby legoboyvdlp » Thu May 26, 2016 7:57 pm

Drearisome Pitcher 30: 3.0883057306793835e+24 years
aJ3o0aXmz Dfd021@cX: 349514003019396100000 years
~~Legoboyvdlp~~
Maiquetia / Venezuela Custom Scenery
Hallo! Ich bin Jonathan.
Hey!
Avatar created by InSapphoWeTrust CC BY-SA 2.0, https://commons.wikimedia.org/w/index.p ... d=27409879

User avatar
IAHM-COL
Posts: 6455
Joined: Sat Sep 12, 2015 3:43 pm
Location: Homey, NV (KXTA) - U.S.A
Contact:

Re: Is your impossible-to-remember password really secure?

Postby IAHM-COL » Thu May 26, 2016 8:05 pm

legoboyvdlp wrote:Drearisome Pitcher 30: 3.0883057306793835e+24 years
aJ3o0aXmz Dfd021@cX: 349514003019396100000 years


Interesting. ...
The difference there is on a 10^4 fold years magnitude, but the char length is similar.
I wonder how space is computing here.

I mean, who cares. Most people password is pwd123, anyways.
https://raw.githubusercontent.com/IAHM-COL/gpg-pubkey/master/pubkey.asc

R.M.S.
If we gave everybody in the World free software today, but we failed to teach them about the four freedoms, five years from now, would they still have it?

KL-666
Posts: 1610
Joined: Mon Sep 28, 2015 8:42 am

Re: Is your impossible-to-remember password really secure?

Postby KL-666 » Thu May 26, 2016 9:42 pm

It is a misconception that a good password must be hard to remember. A computer has to crack it, and he does not see a diff between bdtvgu and wiliam. Both 6 letters, both same time to crack. Length is everything (i believe israel said that too). MyNameIsWiliam is a lot stronger than bdtvgu.

Btw, brute force attacks should not be fended by stronger passwords, no matter how strong they eventually get cracked, but by banning (temporarily to slow them down) of ip's that try it. Linux has fail2ban for that.

Kind regards, Vincent

OPFOR77
Posts: 208
Joined: Wed Apr 27, 2016 7:30 pm

Re: Is your impossible-to-remember password really secure?

Postby OPFOR77 » Thu May 26, 2016 10:10 pm

Relevant XKCD

Image
OPRF Fighter Jock and Dev

KL-666
Posts: 1610
Joined: Mon Sep 28, 2015 8:42 am

Re: Is your impossible-to-remember password really secure?

Postby KL-666 » Thu May 26, 2016 10:50 pm

The bottom line of that cartoon is so true, OPFOR77. That whole bull of special characters is only there to confuse humans. Length is everything.

About brute force attacks, there is a big misconception too among administrators. They think they are safe when they turn on 3 times failed login on the same user. Wrong! Brute force attackers know about that and they first vary username, and second password. By the time they get to the same username again, the timout for that username has long passed. So a failed sense of security on the part of the administrators here!

No, there is only one secure way: ban on 3 times failed login on any username from the same ip. That is fail2ban.

Kind regards, Vincent


Return to “Unrelated Nonsense”

Who is online

Users browsing this forum: No registered users and 21 guests