Dictionary words vs Random Gibberish


Re: Dictionary words vs Random Gibberish

Postby Lars » Mon Jan 13, 2014 6:50 am

"sun track marriage star jacket direct most first hot night" - for a cracker using a dictionary-attack mode, this is not a +50 character password, but a 10 word password. Yes it takes longer to go through the dictionary, but it's infinitely faster than having to crack say a +50 truly random character password.

I've enjoyed this debate and the articles, but I must get some sleep now. Will return in the morning. :)
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Mon Jan 13, 2014 6:55 am

Just to summarize:

A 128-bit AES key can be written down as a binary number (0s and 1s).
A 128-bit AES key can be written as a decimal number (0, 1, 2, 3, ... 9).
A 128-bit AES key can be written in hex format (0 to 9 + A to F letters).

In all cases it will remain just as strong no matter what format you use to represent that number.

Now the Electrum program (cleverly) shows that you can also represent the same number with 12 words from a dictionary that has only 1626 simple words in it.

This programmer uses this method since a human brain can remember 12 words much more easily than numbers.

However, that AES key is still the same regardless of whether you represent it as binary, decimal, hex, or now with 12 words.
Last edited by evilthought2 on Mon Jan 13, 2014 7:36 am, edited 1 time in total.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Mon Jan 13, 2014 7:04 am

Lars Wrote:"sun track marriage star jacket direct most first hot night" - for a cracker using a dictionary-attack mode, this is not a +50 character password, but a 10 word password. :)


It's trillions of times stronger than a 10 character password.

Let's compare a 10 letter password vs a 10 word password from a small (easy to remember words) 3000 word dictionary.

There are only 26 letters from A to Z. 52 when you include caps and small letters, and 62 with numbers included.

62 is a much smaller number than 3000 (words in our dictionary).

10 random letter password from 62 characters
62^10 = 839299365868340224 (that's a 10 char password that includes caps small letters and numbers)

10 random words password from small 3000 words dictionary
3000^10 = 59049000000000000000000000000000000

The second one is trillions of times stronger than the first one.

So if the first one takes 1 second to brute force, the second will take (on the same machine) 2.2 billion years.
Last edited by evilthought2 on Mon Jan 13, 2014 9:14 am, edited 2 times in total.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Mon Jan 13, 2014 8:08 am

evilthought2 Wrote:Just to summarize:

Now the Electrum program (cleverly) shows that you can also represent the same number with 12 words from a dictionary that has only 1626 simple words in it.

This programmer uses this method since a human brain can remember 12 words much more easily than numbers.


If anyone doubts it, see this:

https://electrum.org/seed.html

A randomly (with cryptogen) generated 128-bit number can be represented by 12 words from a dictionary that only has 1626 simple words in it. All you have to do is remember those 12 words and you can recover the 128-bit key in case you lost it (hard drive crash, deleted files, etc).

This is very clever, and in fact (as Electrum is free open source software) LastPass should copy this for the "one-time" password.

Lastpass OTP: 2145b57c3de2142ef7deb9653c56fb487
represent it as: " night try dog unseen hatred sway awaken born prepare rush bounce silver "

Much easier to type and remember, but the number is still the same 128-bit number. It's not changed.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am
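The two points made in evilthought2's posts above (the 10-word vs 10-character search-space comparison, and representing a 128-bit number as 12 words from a 1626-word dictionary), worked through in Python as an added example; this is not code from the thread or from Electrum. The word list is constructed placeholder tokens, and the positional base-N encoding is an illustration of the idea, not Electrum's actual mnemonic algorithm.

```python
import math

# Constructed stand-in for a 1626-word dictionary: placeholder tokens, not Electrum's real list.
WORDLIST = [f"word{i:04d}" for i in range(1626)]

def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` uniformly random picks from a `dictionary_size` alphabet."""
    return words * math.log2(dictionary_size)

def search_space_ratio(dict_a: int, len_a: int, dict_b: int, len_b: int) -> float:
    """How many times larger scheme B's search space is than scheme A's (exact ints, then float)."""
    return (dict_b ** len_b) / (dict_a ** len_a)

def years_at_rate(ratio: float, baseline_seconds: float = 1.0) -> float:
    """If scheme A falls in `baseline_seconds`, years to exhaust scheme B on the same hardware."""
    return ratio * baseline_seconds / (365.25 * 24 * 3600)

def words_needed(dictionary_size: int, bits: int) -> int:
    """Smallest word count whose space covers every `bits`-bit value (exact integer check)."""
    count = 1
    while dictionary_size ** count < 2 ** bits:
        count += 1
    return count

def encode_words(value: int, count: int, wordlist=WORDLIST) -> list:
    """Positional base-N encoding into `count` words, least significant word first (illustrative scheme)."""
    n = len(wordlist)
    if not 0 <= value < n ** count:
        raise ValueError("value does not fit in %d words" % count)
    out = []
    for _ in range(count):
        value, idx = divmod(value, n)
        out.append(wordlist[idx])
    return out

def decode_words(words, wordlist=WORDLIST) -> int:
    """Inverse of encode_words: rebuild the integer from its word representation."""
    n = len(wordlist)
    index = {w: i for i, w in enumerate(wordlist)}
    value = 0
    for w in reversed(words):
        value = value * n + index[w]
    return value

if __name__ == "__main__":
    ratio = search_space_ratio(62, 10, 3000, 10)
    print(f"{passphrase_bits(62, 10):.1f} vs {passphrase_bits(3000, 10):.1f} bits; "
          f"ratio {ratio:.3g}, about {years_at_rate(ratio):.2g} years at a 1 s baseline")
    key = 0x0123456789ABCDEFFEDCBA9876543210  # constructed 128-bit value, not the thread's OTP
    words = encode_words(key, words_needed(1626, 128))
    print(len(words), "words:", " ".join(words), "round-trips:", decode_words(words) == key)
```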

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Tue Jan 14, 2014 3:55 am

Lars Wrote:"The article goes on to explain how dictionary attacks work, how well they do, and the sorts of passwords they find."
https://www.schneier.com/blog/archives/ ... ood_a.html !


I left a comment on his page:

https://www.schneier.com/blog/archives/ ... nt-3570382

:)

I doubt he will respond though


Lars Wrote:I'd stay away from dictionary-based passwords anyday!!


You shouldn't, as they are better passwords: not only can a user remember them easily, but they are often stronger (more entropy) -- this advice is especially true when a user is not using a password manager like LastPass. The only care that must be taken is that the words chosen should be randomly selected, as humans are not good at randomly selecting words.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby Lars » Tue Jan 14, 2014 4:02 am

evilthought2 Wrote:
Lars Wrote:I'd stay away from dictionary-based passwords anyday!!

You shouldn't, as they are better passwords: not only can a user remember them easily, but they are often stronger (more entropy) -- this advice is especially true when a user is not using a password manager like LastPass. The only care that must be taken is that the words chosen should be randomly selected, as humans are not good at randomly selecting words.

No, I tend to easily memorize 32 completely random character long passwords rather easily. I'll stay with that and my trusty LastPass.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Wed Jan 15, 2014 2:14 am

Found this

http://preshing.com/20110811/xkcd-password-generator/

For most people who use passwords like "1245678" and "password", these words would be a big step up in security.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby jpenny84 » Wed Jan 15, 2014 6:15 am

Even with good pass phrases, the increasing number of logins a typical person has to deal with breeds password laziness and the associated problems that come with it.
jpenny84
 
Posts: 8664
Joined: Tue Mar 06, 2012 9:10 pm

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Wed Jan 15, 2014 6:33 am

jpenny84 Wrote:Even with good pass phrases, the increasing number of logins a typical person has to deal with breeds password laziness and the associated problems that come with it.


This is true. The best solution is still password managers, but I have seen some people who don't trust password managers. Their logic goes that this is putting all eggs in one basket: the password manager gets hacked, and all your passwords (and bank and other personal info) are stolen.

If someone doesn't trust password managers, they have no choice but to reuse passwords on several sites. They can lower the risk by having one pass phrase (3 words) for all web sites/forums that do not have their financial or personal info (forums/blogs, etc.).

A second, slightly longer (4 words) pass phrase for social sites that have personal information (Facebook/Twitter) and the secondary email account that is used to sign up to forums, blogs, etc.

A third (5 words) pass phrase for the primary email and bank account/PayPal/Amazon with two-factor authorization enabled (Gmail and banks always have the option for two-factor authorization).

That's all they need to do to lower the risk, even without using a password manager.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby LakesGeek » Sun Feb 23, 2014 2:00 pm

Just been looking into this after reading the xkcd strip myself. Very interesting.

If you wanted a really strong password and were worried about dictionary attacks, I suppose you could just mess with upper and lower case and substitution. This re-introduces the same problem xkcd proposes to solve, but you wouldn't need as much randomness, so it might be easier for some brains to deal with. "correct h0rse b4ttery staple" only has 2 substitutions to remember and yet defeats the dictionary attack for 2 of the words, so this seems like the best of both worlds to me.

I think the main problem for me with using the "several words" technique is that I also use LastPass on a smartphone, and I have the re-prompt enabled for sensitive sites. Typing on a smartphone is a tedious pain in the backside (at least without gesture based typing, which is disabled in password fields), and I would soon tire of re-typing 4 to 6 words over and over, as opposed to a small handful of random characters that sites such as LastPass and howsecureismypassword.net have assured me are pretty darn safe.
LakesGeek
 
Posts: 4
Joined: Sun Feb 23, 2014 1:51 pm
