The new password craze...


Red Storm

Lifer
Oct 2, 2005
I remember one site needed me to not only put in my password (that had to be changed every few months and the new one couldn't be at all similar), but you also had to deal with a captcha every time!
 
Oct 25, 2006
Because it would guess that combo with an exclamation and first letter cap? How long would it take? If it's less than 60 days, then yes it's a worry. But if it's more than 60 days, no worries.

Even if it was a concern, you could still write a human-relatable password with the same basic idea.

"Ippon wins 1 match!"

How is that less secure than 5rdxXSW@ ?

Because with a dictionary attack, it doesn't have to bother trying out every single iteration of any possible character for every space. Things wrapped in quotations are extremely common, as well as capitalizing the first word in a sentence. They add much less variability than you would think, especially if you think replacing a with @ or e with 3 is a ton of variability.

Also you should be comparing equal length passwords, so it's more like

"Ippon wins 1 match!"
vs
w!26*fg%s895!sim.d

One is harder to guess than the other. The first one has a direct method of attack. The second one, really only brute force is going to work against it.

First one could probably be broken in under a week. Easy.
 
Nov 8, 2012
[attached image: password_strength.png]

If that's true, very good to know. I was always under the impression that mixing in numbers/symbols in the middle of the password was always the best way for security - I guess under the principle that bruteforcers usually go by wordlists... hence... words... not symbols/number/letter mix.

However, a simple flaw is limitations in PW lengths. Unless you enjoy having 12 length of that PW on this site, 8 length of that PW on that site, etc.. etc... you will be constantly changing such a long PW. If we're talking Windows login and that's it... well, that's different.
 

Codewiz

Diamond Member
Jan 23, 2002
If that's true, very good to know. I was always under the impression that mixing in numbers/symbols in the middle of the password was always the best way for security - I guess under the principle that bruteforcers usually go by wordlists... hence... words... not symbols/number/letter mix.

The main problem is that some sites (Apple ID) do not allow spaces.
 

Phoenix86

Lifer
May 21, 2003
IT doesn't decide that... Management and vendors do.
Fixed. We're limited by the systems the vendors supply and the rules management wants to apply.

I have a plasma burn table that's computer operated. IT implemented and maintains the system but we did not choose the vendor nor do we operate it. It's the same thing with everything else.
 

silverpig

Lifer
Jul 29, 2001

Everyone should read this article. Correct battery horse staple will go down quite quickly under these methods. Sure, it will take a long time to brute force, but these attacks don't use brute force. Dictionaries with substitution rules, password lists, etc all cut down the time it takes dramatically.

To the poster who uses the 4-letter algorithm, I do something similar but it won't really help either. Basically, the article states that if the algorithm is simple enough for you to remember, then it exists as a rule in some password cracking algorithm somewhere, and a computer can run it faster than you can.

With security/recovery questions being the stupidly easy way to get passwords nowadays, I am basically resigned to the notion that my passwords exist just to keep out accidental logins and people trying 5 times to guess my password via birthday and name combinations.
 

Wyndru

Diamond Member
Apr 9, 2009
If only we lived in a world where complete SSO was a reality. But unfortunately standardization is more complex than that.

I wouldn't mind the periodic changing of only 1 password at my organization, but having multiple passwords requires me to have a piece of paper hidden under my keyboard. :whistle:
 

Train

Lifer
Jun 22, 2000
www.bing.com
Everyone should read this article. Correct battery horse staple will go down quite quickly under these methods. Sure, it will take a long time to brute force, but these attacks don't use brute force. Dictionaries with substitution rules, password lists, etc all cut down the time it takes dramatically.

To the poster who uses the 4-letter algorithm, I do something similar but it won't really help either. Basically, the article states that if the algorithm is simple enough for you to remember, then it exists as a rule in some password cracking algorithm somewhere, and a computer can run it faster than you can.

With security/recovery questions being the stupidly easy way to get passwords nowadays, I am basically resigned to the notion that my passwords exist just to keep out accidental logins and people trying 5 times to guess my password via birthday and name combinations.

Some form of two-factor auth seems to be the only safe bet nowadays.
 

lothar

Diamond Member
Jan 5, 2000
is completely out of hand.

I mean, it's always been ridiculous: change it every few months, 8+ characters, letter and numbers, etc...but now it's just STUPID. Was just made to update my account for commenting on a blog (not transferring millions of dollars, and not passing nuclear launch codes) and it required 20 characters exactly, or upper, lower, number, and special characters 8 or more long.

I promptly deleted my entire account, as I did with NCSoft, previous jobs, and every other place that makes such ludicrous requirements.

NEWSFLASH: YOUR PASSWORDS DO NOT FUCKING MATTER IN THE LEAST!!!

Anyone with half a brain can hack your accounts no matter what you do. Having a password at all is about as useful as putting the loaded gun on the top shelf instead of leaving it on the coffee table. So KNOCK IT OFF people!

/rant

http://www.safe-in-cloud.com/en/
Problem solved.
 

mmntech

Lifer
Sep 20, 2007
Word dictionary attack should make that one easy.

Yeah, ever since that comic came out and everyone started using random words.

Unfortunately, passwords aren't secure at all anymore. Gotten to the point where we either need to ditch them or make multiple step authentication more widespread.
 

sdifox

No Lifer
Sep 30, 2005
lulz NSA was able to monitor communication of the whole country of France for a month. I doubt any password we use is safe.
 

ultimatebob

Lifer
Jul 1, 2001
It wouldn't matter. Three months from now the requirement will be 50 characters, in 7 different languages, plus a DNA strand. There is no force in the universe greater than collective stupidity.

... and some bozo will still be saving a copy of them in cleartext somewhere, just waiting to be hacked. :)
 

Train

Lifer
Jun 22, 2000
www.bing.com
You mean "correct battery staple horse"? That wouldn't be easy to crack using a dictionary attack.

You sure? According to the Oxford dictionary, there are 750,000 English words.

What's 4^750000?

Even being more realistic, say only 100k words to choose from, that's more than my calculator can handle.

EDIT:

Sorry, just read that you said it WOULDN'T be easy, which IMO, is true.
 

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
www.slatebrookfarm.com
Everyone should read this article. Correct battery horse staple will go down quite quickly under these methods. Sure, it will take a long time to brute force, but these attacks don't use brute force. Dictionaries with substitution rules, password lists, etc all cut down the time it takes dramatically.

To the poster who uses the 4-letter algorithm, I do something similar but it won't really help either. Basically, the article states that if the algorithm is simple enough for you to remember, then it exists as a rule in some password cracking algorithm somewhere, and a computer can run it faster than you can.

With security/recovery questions being the stupidly easy way to get passwords nowadays, I am basically resigned to the notion that my passwords exist just to keep out accidental logins and people trying 5 times to guess my password via birthday and name combinations.

Perhaps, I should have been more specific above. "correct horse battery staple" would be easy because that specific set of four words is now a part of a dictionary attack. But, four other random words is not. E.g., until someone scrapes this following phrase from this post, it would not be vulnerable (if I didn't post it, it would be immune to the attack methods mentioned in that article): Anandtech.tetracyclinebinomialdingleberries Four words, a specific password for this site (see how it could be modified for other sites?). Toss on another random word, and it becomes less vulnerable by more orders of magnitude. So, if I even told you that I picked four random words from the dictionary, assuming a working vocabulary of 60000 words, that's 12960000000000000000 possible combinations. Toss in a random punctuation and/or capitalization, and for the time being, it's safe. What isn't safe is a four word combination that has appeared in print.
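Putting numbers on the arguments in this thread (the quoted-sentence vs. random-string comparison earlier, and the 60000-word, four-word figure in the post above): an added Python example, not code from any poster, that computes the guess space of each scheme and an expected cracking time. The guess rate (10^10 per second) and the size of the scraped phrase list (10 million) are assumptions, not figures from the thread.

```python
import math

# Assumed attacker rate for an offline attack on a fast hash; not a thread figure.
ASSUMED_GUESSES_PER_SEC = 10**10
SECONDS_PER_YEAR = 365.25 * 86400


def guess_space(alphabet_size: int, length: int) -> int:
    """Candidates to try when each position is drawn uniformly from
    alphabet_size symbols (words from a vocabulary, or characters)."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent key length in bits of a uniformly chosen secret."""
    return math.log2(space)


def expected_crack_years(space: int, rate: int = ASSUMED_GUESSES_PER_SEC) -> float:
    """Expected time to hit a uniformly random secret: half the space on average."""
    return space / 2 / rate / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """{scheme: (guesses, bits, expected_years)} for the cases argued in the thread."""
    schemes = {
        # four random words from a 60,000-word working vocabulary
        "4 random words, 60k vocabulary": guess_space(60_000, 4),
        # "be more realistic, say only 100k words"
        "4 random words, 100k vocabulary": guess_space(100_000, 4),
        # the same four words, but already present in a scraped phrase list:
        # the attacker pays one guess per phrase, not per word (constructed list size)
        "4-word phrase found in a 10M-phrase list": 10_000_000,
        # random printable ASCII (95 symbols) at the lengths compared in the thread
        "8 random printable chars": guess_space(95, 8),
        "18 random printable chars": guess_space(95, 18),
    }
    return {name: (n, entropy_bits(n), expected_crack_years(n))
            for name, n in schemes.items()}


if __name__ == "__main__":
    for name, (n, bits, years) in compare_schemes().items():
        print(f"{name:42s} {n:>28,d}  {bits:6.1f} bits  ~{years:.3g} years")
```

The phrase-list row is the thread's whole point: the four-word scheme keeps its 63 bits only while the specific combination has never appeared in print.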
 

Engineer

Elite Member
Oct 9, 1999
It wouldn't matter. Three months from now the requirement will be 50 characters, in 7 different languages, plus a DNA strand. There is no force in the universe greater than collective stupidity.

I agree with this. It's completely insane, the stupid requirements these days.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Another trend I hate is secret questions. Those actually reduce security because someone can just find out the answer through social engineering. I would not consider my mother's maiden name or the school I went to to be a closely guarded secret. I usually put BS in there because they've always been used only if you forget your password (which is where the security issue is) but I see a lot of places that will randomly ask these questions after you put in your password. That forces you to put something you can remember, but that someone won't be able to find out in case someone tries to use the lost password feature. Oddly enough it seems to be banks that do this more than anything.
 

Train

Lifer
Jun 22, 2000
www.bing.com
Another trend I hate is secret questions. Those actually reduce security because someone can just find out the answer through social engineering. I would not consider my mother's maiden name or the school I went to to be a closely guarded secret. I usually put BS in there because they've always been used only if you forget your password (which is where the security issue is) but I see a lot of places that will randomly ask these questions after you put in your password. That forces you to put something you can remember, but that someone won't be able to find out in case someone tries to use the lost password feature. Oddly enough it seems to be banks that do this more than anything.

A conversation I had recently with Chase:

Rep: What's your mother's maiden name?
Me: donkey snowman pickle stolen 426
Rep: wat
Me: trust me, I'm from the internets.
Rep: typing....
Rep: well I'll be damned, what can I do for you Mr. Train?
 

darkewaffle

Diamond Member
Oct 7, 2005
You mean "correct battery staple horse"? That wouldn't be easy to crack using a dictionary attack.

I'm inclined to agree. Most dictionary based attacks are intentionally uncomplex, at least to start. And added complexity is usually created through the use of a hybrid attack rather than stringing more words together.

Any combination of those two words would be broken quickly, and the full password could be cracked by using a list with random combinations of four words (as opposed to two, which is most common), but that is going to be an absolutely tremendous amount of wasted time and computational power because of the exponential increase in the number of guesses necessary. Ultimately I think it would depend on the size of the word list but that's a double edged sword: more words gives you a more complete list of guesses but also means that added complexity will take that much longer to include, whereas a shorter list of course means you might miss something.

The problem with passphrases is not that they are phrases or that they can be dictionary attacked, but rather the fact that they already 'exist' so often in existing literature, documentation, lyrics, logs, etc. For instance "correctbatterystaplehorse" would likely not be cracked by guessing every combination of [word1][word2][word3][word4] but simply the known phrase "correctbatterystaplehorse" because it is now part of some log or lexicon somewhere.

What's different about the passcodes cracked in this article is that their raw materials were assembled from phrases rather than single words. While a computer eventually might have combined the words "crotalus" and "atrox" to guess one of the passwords Dustin decoded, it probably would have taken years of time-consuming combinator attacks before that winning pair came up in the roulette wheel.