[ale] creating very powerful relatively short memorable passwords
Rich Faulkner
rfaulkner at 34thprs.org
Thu Sep 15 09:41:02 EDT 2011
Interesting stuff...I guess the days of "m3$$1ng w1Th m1x3d C@53 &
ch4r@cT3rz R n0T g00d 3n0ugh eH?" Although I used that character
substitution about a half-decade ago. Still, if you used a longer
phrase of mixed/substituted characters from a phrase all run together I
suspect that would be good against most anything these days? As long as
an attacker didn't know the base phrase from which you derived your
password.
I did have an alphanumeric password of two letters and five numbers
that was solid for years. It was applied on a website (not mission
critical stuff) for years. It got cracked last month and is the only
time one of my sites has been hit like that. Yes, I was lax but have
beefed up the password scheme since then to a mix of caps, numbers,
letters and symbols, now of nine characters (and easy for me to
remember). It could be better, but for now I feel it is good enough
until I decide on a new scheme moving forward.
One of my personal favs of employers past was "luvm32xs"....
On Thu, 2011-09-15 at 09:12 -0400, Wolf Halton wrote:
> Here is an interesting utility, I found while looking for
> password-development models
> http://www.multicians.org/thvv/gpw-js.html This creates pronounceable
> non-words that follow English lexi to the point that they will be easy
> to remember. Adding some substitutions and some caps, and you have a
> good password that is easy to remember.
>
> My own 'system' is to choose a 6-8 character word and have
> muscle-memory turn it into something unrecognisable.
> Mustang => Mku8set6awnjgy or Mju7swt5aqnhgt or Mmuhsz6taAnNgv
> It is fast, and you don't move around the keyboard much as you type,
> so it is hard to shoulder-surf.
>
>
> On Sat, Sep 10, 2011 at 2:54 AM, Ron Frazier
> <atllinuxenthinfo at c3energy.com> wrote:
>
> Hi all,
>
> If you've been watching the list, you know I've been in discussion
> with several others related to the topic of creating strong passwords.
> Based on prior discussions and recommendations, I had concluded that
> pass phrases are highly desirable. However, if using a 2048 word
> lexicon, they must be 6 words long to achieve a few days of crack
> resistance from a botnet array. You have to go up to 8 words to reach
> a crack time of centuries if the attacker is doing 100 trillion
> guesses / second. Pass phrases this long are impossible to enter into
> many websites. And, even if they can be entered, it is very tedious
> to type this many words in a password field.
>
> Here, I will describe a good compromise if you either wish to or are
> forced to use a shorter password.
>
> I was slamming my bank in prior discussions due to only allowing 8
> character passwords. Well, I guess other people have been slamming
> them. I checked the password policy today and it has been updated to
> the following:
>
> "Must be 6-20 characters with at least one letter and one number.
> There should be no spaces and no special characters."
>
> As you can see, I cannot use a 6-8 word pass phrase here. However, I
> can still make it plenty strong. The key to making a short password
> work is not only making it as long as you can, but including as many
> as possible of the following in the alphabet of characters you use:
> lower case letters, upper case letters, digits, symbols. Adding just
> 1 of these character types, as long as the attacker doesn't know your
> pattern, dramatically expands the number of guesses he has to make.
>
> Here is a simple example of what adding each different possibility
> does. Imagine a 4 character password. This one won't be strong, it's
> just for an example.
>
> * lower case, ex: "junk" (excluding quotes), 26 possibilities in each
> character, permutations = 26^4 = 456,976
> * lower, upper, ex: "Junk", 52 possibilities in each character,
> permutations = 52^4 = 7,311,616 (Note that this is 16 times more
> secure.)
> * lower, upper, digits, ex: "Jun8", 62 possibilities in each
> character, permutations = 62^4 = 14,776,336 (Note that this is 32
> times more secure.)
> * lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in each
> character, permutations = 95^4 = 81,450,625 (Note that this is 178
> times more secure.)
>
> These short passwords would be cracked instantly by a cracking array.
> However, a bit of clever adding of characters will allow me to have a
> very secure and pretty memorable password, even at MY bank.
>
> Following is the minimum character length of a password of each type
> to require at least a century of crack time by an array operating at
> 100 trillion guesses / second.
>
> lower case, 17 characters, 3.60 centuries crack time
> lower, upper, 14 characters, 3.35 centuries crack time
> lower, upper, digits, 14 characters, 39.33 centuries crack time
> lower, upper, digits, symbols, 12 characters, 1.71 centuries crack
> time (Note that my bank will not accept this one.)
>
> Going any SHORTER will reduce the crack time to less than a century,
> and it does so VERY rapidly. In the case of the lower, upper, digits,
> removing 1 character reduces crack time to 63.43 years. Removing a
> 2nd character reduces it to 1.02 years. And, removing a 3rd character
> reduces it to 6.02 days.
>
> The best compromise of length, memorability, usability at websites,
> and security is the lower, upper, digits scenario with 14 characters.
> An easy way to do this is to pick 2 words from a standard English
> dictionary which combine to at least 12 characters then throw some
> caps and 2 digits in, or 13 characters and 1 digit. This has some of
> the benefits of a pass phrase and is pretty memorable, and will be
> accepted by most websites. You could use more digits, but there is no
> big benefit. Once you've added even 1 digit, you've increased the
> possibilities at each character spot from 52 to 62. Note that all
> this assumes the attacker is brute force guessing and doesn't know
> YOUR word pattern.
>
> 4AntimonyBlast - 14 characters - 39.33 centuries crack time
> CastoffWander2 - 14 characters - 39.33 centuries crack time
> Debark3Debates - 14 characters - 39.33 centuries crack time
>
> Here's how the math works.
>
> permutations = 62^14 = 12.402 x 10^24
> time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second
> = 124.02 x 10^09 seconds
> divide by 3600 to get hours, then 24 to get days, then 365 to get
> years, then 100 to get centuries
>
> To do the whole thing at once, take the number of permutations and
> divide by 315.36 x 10^21.
> time to crack = 39.33 centuries
>
> -----> BOTTOM LINE <------
>
> So, the BOTTOM LINE is: create a password at least 14 characters long
> containing lower case, upper case, and digits; and you will be
> uncrackable by a botnet of 1000 PCs doing a total of 100 trillion
> guesses / second for almost 40 centuries. Some of the crypto guys can
> chip in and say whether, statistically, the cracker might hit your
> password in 1/2 the time. In that case, you're good for 20 centuries.
>
> I hope you find this useful. I certainly found the analysis
> revealing, and I'll be upgrading some of my website and applications
> passwords.
>
> There's a lot of math here, all hand done. I'm pretty sure it's all
> right, but if there are typos (at 2 AM), they'll have to be corrected
> later.
>
> Sincerely,
>
> Ron
>
> --
>
> (PS - If you email me and don't get a quick response, you might want
> to call on the phone. I get about 300 emails per day from alternate
> energy mailing lists and such. I don't always see new messages very
> quickly.)
>
> Ron Frazier
>
> 770-205-9422 (O) Leave a message.
> linuxdude AT c3energy.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
>
>
> --
> This Apt Has Super Cow Powers - http://sourcefreedom.com
>
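An added example, not code from anyone in this thread: it reproduces Ron's crack-time arithmetic (alphabet size to the power of length, divided by 100 trillion guesses per second) with exact integers, derives his minimum-length table, and then estimates the same "2 dictionary words + caps + 2 digits" recipe under the caveat he raises himself, an attacker who knows the pattern. The dictionary size, capitalisation choices and digit-slot count in that second estimate are assumptions.

```python
# Crack-time arithmetic from the thread, plus a pattern-aware caveat.
# Added illustration; the attacker-model parameters below are assumptions.

CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
# 26 + 26 + 10 + 33 = 95 printable ASCII characters, as in the post.

GUESSES_PER_SECOND = 100 * 10**12            # 100 trillion guesses/s
SECONDS_PER_CENTURY = 3600 * 24 * 365 * 100  # rate * this = 315.36 x 10^21


def alphabet_size(classes):
    """Size of the character alphabet for the given class names."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(classes, length):
    """Strings an exhaustive brute-force attacker must try (exact int)."""
    return alphabet_size(classes) ** length


def centuries_to_crack(classes, length, rate=GUESSES_PER_SECOND):
    """Worst-case exhaustive search time in centuries at the given rate."""
    return keyspace(classes, length) / (rate * SECONDS_PER_CENTURY)


def min_length_for_centuries(classes, centuries=1):
    """Shortest length whose worst-case crack time meets the target."""
    n = 1
    while centuries_to_crack(classes, n) < centuries:
        n += 1
    return n


def pattern_keyspace(dictionary_words=100_000, words=2, digits=2, digit_slots=3):
    """Assumed model (not from the post) of an attacker who knows the recipe:
    each word drawn from a dictionary, each optionally capitalised, the digit
    group placed in one of a few slots (front, middle, end)."""
    return dictionary_words ** words * 2 ** words * 10 ** digits * digit_slots


def pattern_seconds_to_crack(rate=GUESSES_PER_SECOND, **kwargs):
    """Worst-case search time in seconds under the assumed pattern model."""
    return pattern_keyspace(**kwargs) / rate


if __name__ == "__main__":
    lud = ("lower", "upper", "digits")
    for classes in (("lower",), ("lower", "upper"), lud, lud + ("symbols",)):
        n = min_length_for_centuries(classes)
        print(f"{'+'.join(classes):27} {n:2} chars {centuries_to_crack(classes, n):7.2f} centuries")
    for n in (13, 12, 11):
        print(f"{n} chars of lower+upper+digits: {centuries_to_crack(lud, n) * 100:.2f} years")
    print(f"attacker who knows the 2-word recipe: {pattern_seconds_to_crack():.2f} seconds")
```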