<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.32.2">
</HEAD>
<BODY>
Interesting stuff... I guess the days of "m3$$1ng w1Th m1x3d C@53 &amp; ch4r@cT3rz R n0T g00d 3n0ugh eH?" Although I used that character substitution about a half-decade ago. Still, if you used a longer phrase of mixed/substituted characters from a phrase all run together, I suspect that would be good against most anything these days? As long as an attacker didn't know your base phrase, from which you derived your password. <BR>
<BR>
I did have an alphanumeric password of two letters and five numbers that was solid for years. It was applied on a website (not mission critical stuff) for years. It got cracked last month, and it is the only time one of my sites has been hit like that. Yes, I was lax, but I have beefed up the password scheme since then to a mix of caps, numbers, letters and symbols, now nine characters (and easy for me to remember). It could be better, but for now I feel it is good enough until I decide on a new scheme moving forward.<BR>
<BR>
One of my personal favs of employers past was "luvm32xs"....<BR>
<BR>
<BR>
On Thu, 2011-09-15 at 09:12 -0400, Wolf Halton wrote:<BR>
<BLOCKQUOTE TYPE=CITE>
Here is an interesting utility I found while looking for password-development models:<BR>
<A HREF="http://www.multicians.org/thvv/gpw-js.html">http://www.multicians.org/thvv/gpw-js.html</A> This creates pronounceable non-words that follow English lexi to the point that they will be easy to remember. Adding some substitutions and some caps, and you have a good password that is easy to remember.<BR>
<BR>
My own 'system' is to choose a 6-8 character word and have muscle-memory turn it into something unrecognisable.<BR>
Mustang => Mku8set6awnjgy or Mju7swt5aqnhgt or Mmuhsz6taAnNgv<BR>
It is fast, and you don't move around the keyboard much as you type, so it is hard to shoulder-surf.<BR>
<BR>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
On Sat, Sep 10, 2011 at 2:54 AM, Ron Frazier &lt;<A HREF="mailto:atllinuxenthinfo@c3energy.com">atllinuxenthinfo@c3energy.com</A>&gt; wrote:<BR>
<BLOCKQUOTE>
Hi all,<BR>
<BR>
If you've been watching the list, you know I've been in discussion with<BR>
several others related to the topic of creating strong passwords. Based<BR>
on prior discussions and recommendations, I had concluded that pass<BR>
phrases are highly desirable. However, if using a 2048 word lexicon,<BR>
they must be 6 words long to achieve a few days of crack resistance from<BR>
a botnet array. You have to go up to 8 words to reach a crack time of<BR>
centuries if the attacker is doing 100 trillion guesses / second. Pass<BR>
phrases this long are impossible to enter into many websites. And, even<BR>
if they can be entered, it is very tedious to type this many words in a<BR>
password field.<BR>
<BR>
Here, I will describe a good compromise if you either wish to or are<BR>
forced to use a shorter password.<BR>
<BR>
I was slamming my bank in prior discussions due to only allowing 8<BR>
character passwords. Well, I guess other people have been slamming<BR>
them. I checked the password policy today and it has been updated to<BR>
the following:<BR>
<BR>
"Must be 6-20 characters with at least one letter and one number. There<BR>
should be no spaces and no special characters."<BR>
<BR>
As you can see, I cannot use a 6-8 word pass phrase here. However, I<BR>
can still make it plenty strong. The key to making a short password<BR>
work is not only making it as long as you can, but including as many as<BR>
possible of the following in the alphabet of characters you use: lower<BR>
case letters, upper case letters, digits, symbols. Adding just 1 of<BR>
these character types, as long as the attacker doesn't know your<BR>
pattern, dramatically expands the number of guesses he has to make.<BR>
<BR>
Here is a simple example of what adding each different possibility<BR>
does. Imagine a 4 character password. This one won't be strong, it's<BR>
just for an example.<BR>
<BR>
* lower case, ex: "junk" (excluding quotes), 26 possibilities in each<BR>
character, permutations = 26^4 = 456,976<BR>
* lower, upper, ex: "Junk", 52 possibilities in each character,<BR>
permutations = 52^4 = 7,311,616 (Note that this is 16 times more secure.)<BR>
* lower, upper, digits, ex: "Jun8", 62 possibilities in each character,<BR>
permutations = 62^4 = 14,776,336 (Note that this is 32 times more secure.)<BR>
* lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in each<BR>
character, permutations = 95^4 = 81,450,625 (Note that this is 178<BR>
times more secure.)<BR>
<BR>
These short passwords would be cracked instantly by a cracking array.<BR>
However, a bit of clever adding of characters will allow me to have a<BR>
very secure and pretty memorable password, even at MY bank.<BR>
<BR>
Following is the minimum character length of a password of each type to<BR>
require at least a century of crack time by an array operating at 100<BR>
trillion guesses / second.<BR>
<BR>
lower case, 17 characters, 3.60 centuries crack time<BR>
lower, upper, 14 characters, 3.35 centuries crack time<BR>
lower, upper, digits, 14 characters, 39.33 centuries crack time<BR>
lower, upper, digits, symbols, 12 characters, 1.71 centuries crack<BR>
time (Note that my bank will not accept this one.)<BR>
<BR>
Going any SHORTER will reduce the crack time to less than a century,<BR>
and it does so VERY rapidly. In the case of the lower, upper, digits,<BR>
removing 1 character reduces crack time to 63.43 years. Removing a 2nd<BR>
character reduces it to 1.02 years. And, removing a 3rd character<BR>
reduces it to 6.02 days.<BR>
<BR>
The best compromise of length, memorability, usability at websites, and<BR>
security is the lower, upper, digits scenario with 14 characters. An<BR>
easy way to do this is to pick 2 words from a standard English<BR>
dictionary which combine to at least 12 characters then throw some caps<BR>
and 2 digits in, or 13 characters and 1 digit. This has some of the<BR>
benefits of a pass phrase and is pretty memorable, and will be accepted<BR>
by most websites. You could use more digits, but there is no big<BR>
benefit. Once you've added even 1 digit, you've increased the<BR>
possibilities at each character spot from 52 to 62. Note that all this<BR>
assumes the attacker is brute force guessing and doesn't know YOUR word<BR>
pattern.<BR>
<BR>
4AntimonyBlast - 14 characters - 39.33 centuries crack time<BR>
CastoffWander2 - 14 characters - 39.33 centuries crack time<BR>
Debark3Debates - 14 characters - 39.33 centuries crack time<BR>
<BR>
Here's how the math works.<BR>
<BR>
permutations = 62^14 = 12.402 x 10^24<BR>
time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second = 124.02 x<BR>
10^09 seconds<BR>
divide by 3600 to get hours, then 24 to get days, then 365 to get years,<BR>
then 100 to get centuries<BR>
<BR>
To do the whole thing at once, take the number of permutations and<BR>
divide by 315.36 x 10^21.<BR>
time to crack = 39.33 centuries<BR>
<BR>
-----> BOTTOM LINE <------<BR>
<BR>
So, the BOTTOM LINE is: create a password at least 14 characters long<BR>
containing lower case, upper case, and digits; and you will be<BR>
uncrackable by a botnet of 1000 PCs doing a total of 100 trillion<BR>
guesses / second for almost 40 centuries. Some of the crypto guys can<BR>
chip in and say whether, statistically, the cracker might hit your<BR>
password in 1/2 the time. In that case, you're good for 20 centuries.<BR>
<BR>
I hope you find this useful. I certainly found the analysis revealing,<BR>
and I'll be upgrading some of my website and applications passwords.<BR>
<BR>
There's a lot of math here, all hand done. I'm pretty sure it's all<BR>
right, but if there's typos (at 2 AM), they'll have to be corrected later.<BR>
<BR>
Sincerely,<BR>
<BR>
Ron<BR>
<BR>
--<BR>
<BR>
(PS - If you email me and don't get a quick response, you might want to<BR>
call on the phone. I get about 300 emails per day from alternate energy<BR>
mailing lists and such. I don't always see new messages very quickly.)<BR>
<BR>
Ron Frazier<BR>
<BR>
770-205-9422 (O) Leave a message.<BR>
linuxdude AT <A HREF="http://c3energy.com">c3energy.com</A><BR>
<BR>
_______________________________________________<BR>
Ale mailing list<BR>
<A HREF="mailto:Ale@ale.org">Ale@ale.org</A><BR>
<A HREF="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</A><BR>
See JOBS, ANNOUNCE and SCHOOLS lists at<BR>
<A HREF="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</A>
</BLOCKQUOTE>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<BR>
<BR>
<BR>
-- <BR>
This Apt Has Super Cow Powers - <A HREF="http://sourcefreedom.com">http://sourcefreedom.com</A>
</BLOCKQUOTE>
<BR>
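The crack-time arithmetic in Ron's quoted analysis, worked through in Python as an added example (this is not code from any of the posters). The 100 trillion guesses/second rate, the 315.36 x 10^21 guesses-per-century divisor, the 26/52/62/95 alphabet sizes and the 2048-word lexicon are taken from his mail; the 100,000-word dictionary and the shape of the "attacker knows your word pattern" model in known_pattern_space are this example's own assumptions.<BR>

```python
"""Crack-time arithmetic behind the numbers in the thread (added example,
not code from any of the posters). Figures not stated in the mails are
marked as this example's assumptions."""
import math
import string

# Attacker model from Ron's mail: 100 trillion guesses per second, exhaustive
# search of every string over the alphabet the password draws from.
GUESSES_PER_SECOND = 100e12
SECONDS_PER_CENTURY = 3600 * 24 * 365 * 100            # no leap days, as in the mail
GUESSES_PER_CENTURY = GUESSES_PER_SECOND * SECONDS_PER_CENTURY   # 315.36e21

# Character classes with the sizes used in the mail: 26 + 26 + 10 + 33 = 95.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover if all he knows is which character
    classes the password uses (26, 52, 62 or 95 in the mail's examples)."""
    allowed = "".join(CLASSES.values())
    if not password or any(c not in allowed for c in password):
        raise ValueError("model only covers printable ASCII")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(alphabet: int, length: int) -> int:
    """Number of candidate strings (the mail calls these 'permutations')."""
    return alphabet ** length


def centuries_to_exhaust(alphabet: int, length: int,
                         rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space; on average the hit comes at half this."""
    return search_space(alphabet, length) / (rate * SECONDS_PER_CENTURY)


def entropy_bits(alphabet: int, length: int) -> float:
    """The same search space on a log scale."""
    return length * math.log2(alphabet)


def min_length_for(alphabet: int, centuries: float = 1.0,
                   rate: float = GUESSES_PER_SECOND) -> int:
    """Shortest length whose exhaustive search takes at least `centuries`."""
    length = 1
    while centuries_to_exhaust(alphabet, length, rate) < centuries:
        length += 1
    return length


def passphrase_days(words: int, lexicon: int = 2048,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Passphrase of `words` words drawn uniformly from a `lexicon`-word list."""
    return search_space(lexicon, words) / rate / 86400


def known_pattern_space(dictionary: int = 100_000, digits: int = 2,
                        digit_slots: int = 3) -> int:
    """Rough model (this example's assumption, not from the mail) of the
    '2 dictionary words + caps + 2 digits' recipe when the attacker knows the
    recipe: two words from a `dictionary`-word list, each word capitalised or
    not, and `digits` digits in one of `digit_slots` places (front, between
    the words, or end)."""
    return dictionary ** 2 * 2 ** 2 * digit_slots * 10 ** digits


def report(password: str) -> dict:
    """Classify a password with the mail's model and compute its figures."""
    a, n = alphabet_size(password), len(password)
    return {"alphabet": a, "length": n, "bits": round(entropy_bits(a, n), 1),
            "centuries": centuries_to_exhaust(a, n)}


if __name__ == "__main__":
    for pw in ("junk", "Junk", "Jun8", "Ju+8", "4AntimonyBlast"):
        print(pw, report(pw))
    for a in (26, 52, 62, 95):
        print(a, "chars: min length for a century =", min_length_for(a))
    print("6-word passphrase: %.1f days" % passphrase_days(6))
    print("8-word passphrase: %.0f centuries" % (passphrase_days(8) / 36500))
    print("known 2-word pattern: %.2f s" % (known_pattern_space() / GUESSES_PER_SECOND))
```

Running it reproduces the 4-character table, the 14-character figures (39.33 centuries for 62^14) and the 6-word versus 8-word passphrase contrast from the mail. The last line is the point of Ron's closing caveat: once the attacker knows the recipe (two dictionary words, some caps, two digits), the space he has to search is that of the recipe, not of 62^14, and at the same guess rate it falls from centuries to well under a second.<BR>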
</BODY>
</HTML>