Password Complexity, Good or bad?
-
@BRRABill said:
So you are saying that since you assume a hacker is going to try all characters (unless the KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH if those characters you choose?
Exactly. If you truly used a PURE lower case or PURE upper case set without a single number, alternative cap or anything, there is some small chance that someone might attempt a subset attack before going to a broader one, but this would be blocked by anything including a single punctuation, capital, number, space... anything. It's not as useful as it sounds unless only going after really low hanging fruit. And we aren't suggesting that you do that, we are suggesting that you don't enforce it, the chances of that stuff being there is quite high. And the longer it gets, the higher it gets. And length still trumps complexity quickly.
-
@BRRABill said:
@scottalanmiller said:
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
Well, if it was 1 character, I'd start with "a" and go through "z".
For two I;d start with "aa" and move through "zz".
And so on and so forth.
Right, but if that password has even a space in it.... you have to check the entire aa - zz set to find out it isn't in that set and you've wasted all of that time.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
But if can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.
Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.
This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.
Right, which is why length is so crucial. The longer it gets, the more you can't engineer it. Length is the only reasonable competition for engineering.
-
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
-
For example:
Easy to crack "$f7slwe4D"
Hard to crack "once, I went to the market and saw a train"But one is far easier to remember than the other.
-
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
-
@scottalanmiller said:
For example:
Easy to crack "$f7slwe4D"
Hard to crack "once, I went to the market and saw a train"But one is far easier to remember than the other.
And the SET SIZE of the second one is larger, space is not punctuation. So the set is potentially one character larger.
-
@Dashrender said:
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
I totally understand and agree.
I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
-
@dafyre said:
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
Exactly, never impose limits. Limits are bad. You want to do anything that you can to encourage length. Limits do the opposite.
-
@dafyre said:
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
No reason at all not to use that.
Any password based system that doesn't allow you to use that is showing you that they are doing passwords wrong, they aren't salting and hashing your password, they are probably just storing your password as plain text in their shitty system.
-
@BRRABill said:
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
I've never heard anyone I'd considered a security person say this, that's what media and home users repeat, sure. Literally, outside of consumer stuff and hobby levels stuff, I've never heard a security expert or researcher suggest that. Having them in the pool, great. But using them over making things easy to remember universally I've heard as very, very bad and is one of the first things you learn about password security.
-
@BRRABill said:
@Dashrender said:
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
I totally understand and agree.
I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
-
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
-
Now, if you are randomly generating passwords with no hope or attempt to remember them... then go for super long, super random, huge character set. Give it as much variation and randomness as the computations can muster. Any shared password that we use we make super long and fully random and you force it to be copy/pasted which is necessary in a shared password situation. In that case, though, we actively want to discourage memorization as well.
-
@scottalanmiller said:
@Dashrender said:
@larsen161
I won't speak for JB, but for me - it's all around cost.But you can do that for free.
How? How can you do 2FA for free in an office scenario?
Something you know and something you have.
The something you know is the password.
The something you have is the part that costs money. It is not free.
-
@BRRABill said:
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,
-
@JaredBusch said:
The something you have is the part that costs money. It is not free.
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,
Or that they MIGHT use, that's all that matters. Given that set, sure, some user might go nuts and ONLY use special characters in a pretty small set - but the smaller set is only useful to a hacker that knows what the smaller set is.
In reality, knowing a smaller set is the same as knowing the password. Think of it this way...
You have a one char password, the hacker knows your set, the set size, by definition, can only be one char, so knowing the set and knowing the password are the exact same thing in that case.
-
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
-
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?