Dictionary words vs Random Gibberish


Re: Dictionary words vs Random Gibberish

Postby Lars » Sun Jun 29, 2014 4:42 pm

evilthought2 Wrote:If 1 are randomly chosen words, then there is no difference as both are impossible to brute force (not now not 50 years from now). Of course "2" is "stronger" but that is meaningless as 1 is impossible to crack anyway.

Really stop scaring and BS people with nonsense

In theory they are NOT the same, but in all practicality they are, like you say, impossible to crack (unless you have trillions and trillions of years to waste).

I'm not scaring anyone, but pointing out a very important fact: When using a password manager like LastPass, why would you not go for the ultimate in security? Anything else would be foolish.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 4:53 pm

Passwords are stolen/cracked by these methods:

(1) Malware/Keyloggers
(2) Trying a database of known passwords
(3) Trying a database of famous quotes
(4) Making a clever guess .. I saw this when someone got hacked when he used a bitcoin address (with transaction history) as "password" for another crypto
(5) Making a prediction by knowing something about the individual (name, birthday, friends' and family names).

Brute forcing a totally random password is not how passwords are cracked.

Here is a 12 char totally random password:

pPGct3tdSucb

If anyone breaks it, they would hold a world record as the strongest ever brute force was against 64-bits (which would be weaker than that 12 char password).

The advantage to random words as a password (even 4 words) is that they are easy to remember. Just some care should be taken that words are random and can't be guessed by knowing something about your personality (and it should NOT be a famous quote, like "One giant leap for mankind"). I recently saw someone get hacked as they used a Neil Armstrong quote as a passphrase.
Last edited by evilthought2 on Sun Jun 29, 2014 4:57 pm, edited 1 time in total.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby Lars » Sun Jun 29, 2014 4:56 pm

evilthought2 Wrote:The advantage to words password (even 4 words) is that they are easy to remember. Just some care should be taken that words were random and can't be guessed by knowing something about your personality (and it should be a famous quote, like "One giant leap for mankind"

One selling point of LastPass is that you only have to remember 1 password.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 5:01 pm

Lars Wrote:
evilthought2 Wrote:The advantage to words password (even 4 words) is that they are easy to remember. Just some care should be taken that words were random and can't be guessed by knowing something about your personality (and it should be a famous quote, like "One giant leap for mankind"

One selling point of LastPass is, that you don't have to remember but 1 password.


Not everyone uses password managers; we are talking about general users, passwords, and brute force.

Passwords are not usually brute forced. They are "cracked" by using a password database, trying famous quotes, knowing something about human behavior (zxczxczxc as a password, as it's a keyboard pattern).

As soon as you involve any kind of randomness in the password (like randomly picked words) -- that's pretty much the end of "brute force". The hacker will move on to the next target or try to get you to install malware.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby Lars » Sun Jun 29, 2014 5:04 pm

evilthought2 Wrote:Not everyone uses password managers, we are talking about general users, passwords, and brute force

I think a better solution would be to have people start using Password Managers.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Sun Jun 29, 2014 5:37 pm

Lars Wrote:
evilthought2 Wrote:Not everyone uses password managers, we are talking about general users, passwords, and brute force

I think a better solution would be, to have people start using Password Managers.


People should use password managers (LastPass or not), but this discussion is about password strength, and brute forcing random passwords (or randomly picked words) is not easy. The largest ever successful attack by distributed.net was against 64 bits (which is weaker than 12 chars).

Given paypal (I hope) would save their passwords hashed (and salted) with 10,000 or more rounds of PBKDF2, I think even 64 bits would be pretty much impossible for any organized brute force except maybe by NSA or something.

10,000 rounds of PBKDF2 will drop computing power significantly (the difference between cracking a password in one day vs 10,000 days, or 27 years).
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am

Re: Dictionary words vs Random Gibberish

Postby dcik99999 » Mon Jun 30, 2014 4:53 am

evilthought2 Wrote:[.......] this discussion is about password strength and brute forcing random passwords (or randomly picked words) is not easy.

The discussion is also about using passphrases, I hope; that was the lead post in this thread. And as a follow up, whether 4 (random) word passphrases are strong enough (offline vs. online) and are feasible given the 20 or 18 character (if numbers and symbols are required) password limit of many sites.
evilthought2 Wrote:Lets assume a hacker has a list of 100,000 words
4 random words from such a large dictionary has entropy of 100,000,000,000,000,000,000
[......]

4-word phrases from that 100,000 word dictionary would be longer than the 18-20 character limit. You have to fall back to a passphrase of 2 or 3 words.
- a 2 random word phrase from that dictionary would have a decimal entropy of 10^10 (27 bits). That seems inadequate to me.
- a 3 word phrase would have a decimal entropy of 10^15 (40 bits), which is a 'few weeks job' to recover on average for certain applications, including WiFi.

What is often forgotten is that if they have a large list with hashes, 50% of the passphrases will be recovered during those few weeks. And for a 4 week example, the chance that my passphrase will be recovered on day 1 is 3.6%.
I don't want to be the lucky one on day 1. And thus I have to go for at least 4 words and would have to make a special dictionary with words of up to 5 letters (for limit 20) or 4 letters (limit 18), which will influence the entropy somewhat. I still think those 18/20-limit sites hurt the use of passphrases severely.
dcik99999
 
Posts: 31
Joined: Wed Jun 26, 2013 12:04 pm
Location: Netherlands

Re: Dictionary words vs Random Gibberish

Postby evilthought2 » Mon Jun 30, 2014 5:14 am

dcik99999 Wrote:
evilthought2 Wrote:What is often forgotten is that if they have a large list with hashes, 50% of the passphrases will be recovered during those few weeks. And for a 4 week example, the change that my pass phrase will be recovered on day 1 is 3.6%.
I don't want to be the lucky one on day 1. And thus I have to go for at least 4 words and would have to make a special dictionary with words of up to 5 letters (for limit 20 ) or 4 letters (limit 18), which will influence the entropy somewhat. I still think those 18/20-limit sites hurt the use of passphrases severely.


Indeed, if you restrict words to only 4 chars or less, that will lower the entropy. I am not sure if a dictionary can have 100,000 words with only 4 or fewer chars.

However, how about if you build a dictionary that only has words between 2 and 4 chars and the dictionary size is 5,000 words?

Then you can pick a 6 word passphrase and the entropy for that would be

6 * log(5000) / log(2) = 73 bits

A 73 bit password (when stored using even only 1,000 rounds of PBKDF2) should be impossible to crack, even for the combined power of a distributed attack by hundreds of computers.
evilthought2
 
Posts: 164
Joined: Sun Apr 28, 2013 5:05 am
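The entropy arithmetic in the two posts above (dcik99999's 2- and 3-word figures for a 100,000 word dictionary, and evilthought2's 6 * log(5000) / log(2) for a 2-4 letter dictionary), the "1 day out of 28" recovery chance, and the effect of PBKDF2 rounds on search time, as an added example that is not any poster's own code. The bit values it returns are log2 of the decimal keyspaces (about 33 bits for 10^10 and 50 bits for 10^15), and the attacker hash rate, the short-word filter and the word list are constructed assumptions, not figures from the thread.

```python
import math
import secrets
from typing import List, Sequence


def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Bits of entropy for `words` words drawn uniformly, with replacement,
    from a dictionary of `dictionary_size` entries: words * log2(size)."""
    return words * math.log2(dictionary_size)


def decimal_to_bits(decimal_keyspace: float) -> float:
    """Convert a keyspace quoted as a decimal count (e.g. 10**10) to bits."""
    return math.log2(decimal_keyspace)


def days_to_exhaust(bits: float, hashes_per_second: float, kdf_rounds: int = 1) -> float:
    """Days to try every candidate when each guess costs `kdf_rounds` hash
    evaluations on hardware doing `hashes_per_second` evaluations. The hash
    rate is an assumption supplied by the caller, not a measured figure."""
    seconds = (2 ** bits) * kdf_rounds / hashes_per_second
    return seconds / 86400


def chance_recovered_on_day(day: int, total_days: float) -> float:
    """For a uniform sweep of the whole keyspace lasting `total_days`, a given
    phrase is equally likely to fall on any day, so the chance is 1/total_days."""
    if not 1 <= day <= math.ceil(total_days):
        return 0.0
    return 1.0 / total_days


def short_word_dictionary(words: Sequence[str], min_len: int = 2, max_len: int = 4) -> List[str]:
    """Keep distinct, lowercase, purely alphabetic words of min_len..max_len
    letters, the kind of dictionary the posts suggest for 18/20-char limits."""
    kept = {w.lower() for w in words if w.isalpha() and min_len <= len(w) <= max_len}
    return sorted(kept)


def generate_passphrase(dictionary: Sequence[str], words: int, separator: str = "") -> str:
    """Pick words with the OS CSPRNG (secrets), never the random module."""
    return separator.join(secrets.choice(dictionary) for _ in range(words))


# Constructed sample word list standing in for a real dictionary file.
SAMPLE_WORDS = ["axe", "bold", "cat", "dune", "elm", "fern", "gust", "hill",
                "ink", "jam", "kite", "lamp", "moss", "nut", "oak", "pear",
                "quiz", "rust", "silk", "tide", "urn", "vale", "wasp", "yarn",
                "zinc", "Cat", "longword", "o'k", "a"]
```

Running `generate_passphrase(short_word_dictionary(SAMPLE_WORDS), 6)` on a real 5,000 word list of 2-4 letter words gives the 73.7-bit phrases discussed above; the tiny list here yields only about 28 bits for six words.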

Re: Dictionary words vs Random Gibberish

Postby dcik99999 » Mon Jun 30, 2014 1:43 pm

That's a great idea. In my case I really have to add the dictionaries because the word sequence in the dictionaries can be randomized before use. I think a dictionary of 3K-4K words is feasible.
dcik99999
 
Posts: 31
Joined: Wed Jun 26, 2013 12:04 pm
Location: Netherlands
