Dictionary words vs Random Gibberish


Re: Dictionary words vs Random Gibberish

Postby dcik99999 » Sun Jun 29, 2014 6:17 am

evilthought2 Wrote:
Lars Wrote:"The article goes on to explain how dictionary attacks work, how well they do, and the sorts of passwords they find."
https://www.schneier.com/blog/archives/ ... ood_a.html
!


I left a comment on his page ..
https://www.schneier.com/blog/archives/ ... nt-3570382
:)

I doubt he will respond though

I'd stay away from dictionary-based passwords anyday!!


You shouldn't, as they are better passwords: not only can a user remember them easily, but they are often stronger (more entropy). This advice is especially true when a user is not using a password manager like LastPass. The only care that must be taken is that the words should be randomly selected, as humans are not good at randomly selecting words.

My experience is that people who start to reason about the usefulness of passphrases and exclude math from that reasoning, like your opponents, cannot be convinced of the advantages of phrases. This thread is another proof of that. (I also left a comment on the referred page :-) )

Besides the math of passphrases, I find the following pages convincing:
And I ask them which of the following passwords they think is stronger, and why:
1H44=n24E*3a
xrEnHrXxQmcVHywIiOHrTAwnNxyIxfGcnaWBxGHPOcPhoCQGkFtxWoyRIWDfyRidzTWTebLyvESUgbzu

There is one aspect I miss in the discussion here. Many sites still do not accept passphrases or make their use impossible. I often have to append A1* to a phrase just to meet the site's PW requirement of using at least a capital, a number and a symbol.

Sites like Skype, PayPal, eBay limit passwords to 20 characters. An average word length of ~5 would allow for a 4-word phrase, which is too short for those sites, I think. (Some do allow 2-factor authorization though)
And also LastPass calculates the strength of a pure phrase as low, I sometimes get a warning of that.

But there is hope! IT services at Stanford University introduced new password requirements, see http://itservices.stanford.edu/service/accounts/passwords
It's a kind of gliding scale, balancing length and complexity requirements:
- So a PW length of less than 12 characters requires the use of all character types: aA1*
- Above 20 character lengths, there is no complexity requirement, so pass phrases would fit in well. They even have a note about using pass phrases.
dcik99999
 
Posts: 31
Joined: Wed Jun 26, 2013 12:04 pm
Location: Netherlands

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 1:20 pm

dcik99999 Wrote:
evilthought2 Wrote:
Lars Wrote:"The article goes on to explain how dictionary attacks work, how well they do, and the sorts of passwords they find."
Sites like Skype, PayPal, eBay limit passwords to 20 characters. An average word length of ~5 would allow for a 4 word phrase which is to short for those sites, I think. (Some do allow 2 factor authorization though)


4 random words is not "short" for online sites like Skype, PayPal, eBay. 4 random words might be short where an offline attack is possible (like wifi, encrypted folder, etc).

Think about it. If you are a hacker and your ping time to the PayPal server is only 10 ms (highly unlikely), you can only check 100 passwords per second, and that definitely is not enough to brute-force a random 8 char password (trillions of possible combinations) as that will take years, not to mention that the PayPal server will detect the brute force and lock your account long before that.

If your 4 words were chosen randomly, they are more than enough for online sites like Skype, PayPal, eBay, where a brute force attack would not only be very slow (online lag) but detectable too.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby Lars » Sun Jun 29, 2014 3:12 pm

evilthought2 Wrote:4 random words is not "short" for online sites like Skype, PayPal, eBay. 4 random words might be short where an offline attack is possible (like wifi, encrypted folder, etc).
Think about it. If you are a hacker and your ping time to the PayPal server is only 10 ms (highly unlikely), you can only check 100 passwords per second, and that definitely is not enough to brute-force a random 8 char password (trillions of possible combinations) as that will take years, not to mention that the PayPal server will detect the brute force and lock your account long before that.

The way it's been done in the past is by downloading the files containing all usernames and passwords, and then working on them locally. Only a stupid hacker would try and do it via an online attack - it's simply not feasible.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Dictionary words vs Random Gibberish

Postby dcik99999 » Sun Jun 29, 2014 3:42 pm

@ evilthought2
Agreed, you are right; I should have stressed that it is not sufficient for off-line attacks only. Most (published) attacks are off-line, and one should have both types in the equation.

B.t.w. my tool does make that distinction and estimates recovery times for both online and off-line. A 4-word (randomly chosen) sentence would take centuries on average at 1000 guesses/sec with a 7776-word known dictionary. A 1000-word dictionary would bring this back to some 15 years on average. Does 15 still seem OK? On average meaning that the chance it will be recovered on day 1 is one out of 10,000! If my calculations are right.....

There are other practical reasons why 20 is bothersome for online.
- If the site also requires numbers and symbols, the available length for words is only 18 characters: 4.5 letters per word.
- There are not many dictionaries available that have only such short words.
Last edited by dcik99999 on Sun Jun 29, 2014 3:50 pm, edited 2 times in total.
dcik99999
 
Posts: 31
Joined: Wed Jun 26, 2013 12:04 pm
Location: Netherlands

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 3:48 pm

Lars Wrote:
evilthought2 Wrote:4 random words is not "short" for online sites like Skype, PayPal, eBay. 4 random words might be short where an offline attack is possible (like wifi, encrypted folder, etc).
Think about it. If you are a hacker and your ping time to the PayPal server is only 10 ms (highly unlikely), you can only check 100 passwords per second, and that definitely is not enough to brute-force a random 8 char password (trillions of possible combinations) as that will take years, not to mention that the PayPal server will detect the brute force and lock your account long before that.

The way it's been done in the past is by downloading the files containing all usernames and passwords, and then working on them locally. Only a stupid hacker would try and do it via an online attack - it's simply not feasible.


I am pretty sure sites like PayPal save a hash of your password, at least salting it with hash(username+password), so if the hacker got the list, he will have to target you specifically to crack your 4-word password. A mass attack on the complete list will NOT work.

Also, if the site is so insecure that they let their data be stolen, the hacker probably already has the other info he needs (name, address, bank account, etc)

4 random words isn't really a "weak" password. It will still take some effort even in an offline attack
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby dcik99999 » Sun Jun 29, 2014 3:56 pm

evilthought2 Wrote:
Lars Wrote:
evilthought2 Wrote:4 random words is not "short" for online sites like Skype, PayPal, eBay. 4 random words might be short where an offline attack is possible (like wifi, encrypted folder, etc).
Think about it. If you are a hacker and your ping time to the PayPal server is only 10 ms (highly unlikely), you can only check 100 passwords per second, and that definitely is not enough to brute-force a random 8 char password (trillions of possible combinations) as that will take years, not to mention that the PayPal server will detect the brute force and lock your account long before that.

The way it's been done in the past is by downloading the files containing all usernames and passwords, and then working on them locally. Only a stupid hacker would try and do it via an online attack - it's simply not feasible.


I am pretty sure sites like PayPal save a hash of your password, at least salting it with hash(username+password), so if the hacker got the list, he will have to target you specifically to crack your 4-word password. A mass attack on the complete list will NOT work.

Also, if the site is so insecure that they let their data be stolen, the hacker probably already has the other info he needs (name, address, bank account, etc)

4 random words isn't really a "weak" password. It will still take some effort even in an offline attack

Most writings I read assume that if a hacker can steal the passwords, the same is true for the salt. The (dynamic) salt is not considered a secret. So mass attacks on complete lists will work under that assumption. Salting does protect against rainbow-table-based attacks.
dcik99999
 
Posts: 31
Joined: Wed Jun 26, 2013 12:04 pm
Location: Netherlands
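The two views above (a salt stops a "mass attack on the complete list" versus a salt only stops precomputed tables) can be checked directly. The following is an added Python example, not code from the thread or from any site mentioned in it; the word list, user names and passwords are constructed, and plain SHA-256 stands in for whatever hash a real site uses. It builds a precomputed table once, applies it to an unsalted store and a per-user salted store, and counts how many hash operations a full-list attack costs in each case.

```python
import hashlib
import os

# Constructed toy dictionary; in practice this is the attacker's word list.
WORDLIST = ["apple", "river", "stone", "cloud", "maple", "tiger", "delta", "ocean"]


def unsalted_hash(password: str) -> str:
    """Hash of the bare password: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of salt || password: the salt is stored next to the hash, not secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_unsalted_store(users: dict) -> dict:
    """Server-side record: user -> hash."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def make_salted_store(users: dict) -> dict:
    """Server-side record: user -> (random per-user salt, hash)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, salted_hash(p, salt))
    return store


def precompute_table(words) -> dict:
    """A rainbow-table stand-in: hash every candidate once, reuse it for every user."""
    return {unsalted_hash(w): w for w in words}


def attack_unsalted(store: dict, words) -> tuple:
    """Look every stolen hash up in one shared table.
    Returns (user -> recovered word or None, number of hash operations)."""
    table = precompute_table(words)          # len(words) hashes, paid once
    found = {u: table.get(h) for u, h in store.items()}
    return found, len(words)


def crack_salted(stored_hash: str, salt: bytes, words) -> tuple:
    """Guess one user's password by hashing each candidate with *their* salt.
    Returns (recovered word or None, number of hash operations)."""
    ops = 0
    for w in words:
        ops += 1
        if salted_hash(w, salt) == stored_hash:
            return w, ops
    return None, ops


def attack_salted(store: dict, words) -> tuple:
    """The whole list is still attackable, but the table is useless and the
    dictionary must be re-hashed per user, so cost scales with the user count."""
    found, total_ops = {}, 0
    for u, (salt, h) in store.items():
        w, ops = crack_salted(h, salt, words)
        found[u] = w
        total_ops += ops
    return found, total_ops


if __name__ == "__main__":
    users = {"alice": "maple", "bob": "maple", "carol": "tiger"}  # constructed
    unsalted = make_unsalted_store(users)
    salted = make_salted_store(users)
    print("unsalted: alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted attack:", attack_unsalted(unsalted, WORDLIST))
    table = precompute_table(WORDLIST)
    print("table hits on salted store:", [table.get(h) for _, h in salted.values()])
    print("salted attack:", attack_salted(salted, WORDLIST))
```

Running it shows both posters' points at once: the precomputed table recovers every unsalted password for the price of eight hashes and exposes that alice and bob reuse a password, while against the salted store the table finds nothing and each user costs a separate pass over the dictionary. The salt does not stop a dictionary attack on the stolen list; it multiplies its cost by the number of users and removes the reuse leak. Slowing each individual guess is the job of key stretching, which the later posts discuss.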

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 4:00 pm

Let's assume a hacker has a list of 100,000 words

4 random words from such a large dictionary has entropy of 100,000,000,000,000,000,000

Let's assume the hacker can do 10 billion hashes per second (highly unlikely); to crack a 4-word password from such a dictionary will on average take 150 years.

This is absolutely not worth the effort, so the hacker needs to drop his dictionary size to 10,000 (but then he might miss your word in the dictionary)

With a 10,000-word dictionary the entropy for 4 random words is 10,000,000,000,000,000

With 10 billion hashes a second, it would still take 22 hours (11 hours on average)

I am pretty sure the hacker would make more money by mining bitcoin than by wasting his 10 billion per second hash power on cracking your 4-word password

Random passwords are not easy to crack (and that also applies to randomly picked words).

Predictable passwords are much easier to crack.

Trust me no one is going to waste time on cracking totally random (unpredictable) 4 word passwords
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby Lars » Sun Jun 29, 2014 4:24 pm

What's the difference between these two passwords?
1) sun track marriage star jacket direct most first hot night (58 characters long)
2) A&<#<@kl1A/j59>/(ykgJ;KM(#c723CPrZ=Gjcrjc4qR4IWS£>ifA9O1<U (58 characters long)
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 4:26 pm

I made an error in the above calculation with the 10,000-word dictionary. It's 11 hours, not 5 days, but still we are assuming 10 billion searches per second is even possible when passwords are always saved by key stretching (PBKDF2), where hashes are repeatedly hashed 10,000 times (at least)

So really there is no way in hell anyone is going to do 10 billion hashes per second with 10,000 PBKDF2

If you have 10 billion per second hash power, that will drop down to only 100K per second if PayPal is using 10,000 of PBKDF2 to store your passwords
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 4:33 pm

Lars Wrote:What's the difference between these two passwords?
1) sun track marriage star jacket direct most first hot night (58 characters long)
2) A&<#<@kl1A/j59>/(ykgJ;KM(#c723CPrZ=Gjcrjc4qR4IWS£>ifA9O1<U (58 characters long)


If the words in 1 are randomly chosen, then there is no difference, as both are impossible to brute force (not now, not 50 years from now).

Of course "2" is "stronger", but that is meaningless, as 1 is impossible to crack anyway. I can put 3 here too:

3. A&<#<@kl1A/j59>/A&<#<@kl1A/j59>/(ykgJ;KM(#c723CPrZ=Gjcrjc4qR4IWS£>ifA9O1<U(ykgJ;KM(#c723CPrZ=Gjcrjc4qR4IWS£>ifA9O1<U

This 3 is stronger than your 2, but who cares, as 2 was already impossible to brute force

If a hacker can steal your #1 by other means (malware), he can steal #2 and #3 just as easily. Brute force will not be the method he will use.

In fact the largest ever successful brute force attack was against 64 bits (which is weaker than a 12 random char password, strength-wise)

No force in this world has ever cracked a password stronger than 64-bit by brute force. distributed.net has been trying to crack 72 bits (around 12 char password strength) since 2001 or something, and they still have 100 more years to go at the current search rate.

Really, stop scaring and BSing people with nonsense

The key property of a password should be that it is not predictable (not in a database, not a famous quote). No one uses BRUTE FORCE to crack random passwords longer than 10 chars!!!! That's an absolute waste of resources, and the hacker is really stupid and should be laughed out by everyone
Last edited by evilthought2 on Sun Jun 29, 2014 4:43 pm, edited 1 time in total.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am
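The posts from 3:42 pm onward (dcik99999's 7776-word and 1000-word dictionaries at 1000 guesses/sec, evilthought2's 100,000-word and 10,000-word dictionaries at 10 billion hashes/sec with and without PBKDF2 stretching, Lars's ten-word phrase versus 58 random characters, and the 64-bit and 72-bit brute-force figures) are all the same arithmetic: a guess space, a guess rate, and a time. The calculator below is an added Python example, not dcik99999's tool or any code from the thread; every dictionary size, hash rate, iteration count and alphabet size it uses is a parameter the caller supplies, and the values in the `__main__` section are the ones quoted in the posts, entered as constructed inputs so the reader can compare them with the figures given there.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace_words(dict_size: int, n_words: int) -> int:
    """Number of distinct phrases of n_words words drawn uniformly from dict_size."""
    return dict_size ** n_words


def keyspace_chars(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters from an alphabet."""
    return alphabet_size ** length


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy of a uniform choice from the keyspace (what '64-bit' means)."""
    return math.log2(keyspace)


def effective_rate(raw_hashes_per_sec: float, stretch_iterations: int = 1) -> float:
    """Key stretching (PBKDF2-style iteration) divides the attacker's guess rate,
    because every candidate now costs stretch_iterations hashes instead of one."""
    return raw_hashes_per_sec / stretch_iterations


def worst_case_seconds(keyspace: int, guesses_per_sec: float) -> float:
    """Time to exhaust the whole space."""
    return keyspace / guesses_per_sec


def expected_seconds(keyspace: int, guesses_per_sec: float) -> float:
    """Average time to hit a uniformly random secret: half the space."""
    return keyspace / 2 / guesses_per_sec


def probability_within(keyspace: int, guesses_per_sec: float, seconds: float) -> float:
    """Chance the secret is found within `seconds` of guessing (capped at 1)."""
    return min(1.0, guesses_per_sec * seconds / keyspace)


def human(seconds: float) -> str:
    """Readable duration for printing."""
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def report(label: str, keyspace: int, rate: float) -> None:
    print(f"{label}: {entropy_bits(keyspace):.1f} bits, "
          f"avg {human(expected_seconds(keyspace, rate))}, "
          f"P(day 1) = {probability_within(keyspace, rate, SECONDS_PER_DAY):.2e}")


if __name__ == "__main__":
    # Offline guessing at the rates quoted in the thread (constructed inputs).
    report("7776 words x4 @ 1e3/s", keyspace_words(7776, 4), 1e3)
    report("1000 words x4 @ 1e3/s", keyspace_words(1000, 4), 1e3)
    report("100000 words x4 @ 1e10/s", keyspace_words(100_000, 4), 1e10)
    report("10000 words x4 @ 1e10/s", keyspace_words(10_000, 4), 1e10)
    # Same hardware against PBKDF2 with 10,000 iterations.
    report("10000 words x4 @ 1e10/s, PBKDF2 10k",
           keyspace_words(10_000, 4), effective_rate(1e10, 10_000))
    # Online guessing: the rate is bounded by round trips, before any lockout.
    report("10000 words x4 online @ 100/s", keyspace_words(10_000, 4), 100)
    # Lars's comparison: 10 random words vs 58 printable-ASCII characters.
    report("10 words from 7776", keyspace_words(7776, 10), 1e10)
    report("58 chars from 95", keyspace_chars(95, 58), 1e10)
    # The brute-force benchmarks mentioned: 64-bit and 72-bit keys.
    report("64-bit key @ 1e10/s", 2 ** 64, 1e10)
    report("72-bit key @ 1e10/s", 2 ** 72, 1e10)
```

The design choice worth noting is that the attacker's raw hash rate and the site's stretching factor are kept as separate inputs: the same 10 billion hashes per second gives very different expected times depending on the iteration count the server chose, and the online case is a different rate altogether, set by the network round trip and whatever lockout the site applies rather than by the attacker's hardware. Entropy is reported in bits so that a word count and a character count can be compared on one scale.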
