Enforce Full or Selective Complexity on Passwords?
-
One day we'll be telling our grandkids about how computers didn't recognise our retinas or whatever and we had to remember stacks of physical passwords, and they'll be like "man, that must have sucked!". I'll probably tell them whilst they're flicking through my record collection.
-
@Carnival-Boy said:
One day we'll be telling our grandkids about how computers didn't recognise our retinas or whatever and we had to remember stacks of physical passwords, and they'll be like "man, that must have sucked!". I'll probably tell them whilst they're flicking through my record collection.
ROFL! Yeah, probably...
-
Was at a cyber security training today. The detective with the local Cyber Crimes unit, attached to the FBI, suggested completely DROPPING passwords and going with pass PHRASES... and using nothing shorter than 16 characters... He commonly uses 43 characters (or more).
Of course I have run into SEVERAL sites that only allow 8... I plan to ask him about that one.
-
@g.jacobse said:
Was at a cyber security training today. The detective with the local Cyber Crimes unit, attached to the FBI, suggested completely DROPPING passwords and going with pass PHRASES... and using nothing shorter than 16 characters... He commonly uses 43 characters (or more).
This is just another way of stating that people need to drop the complexity. The assumption is that without the need for complexity, passphrases become easy. This has been the standard answer from security professionals for over a decade. When we say "no complexity requirements" we also assume "good end user training", and that should always teach people to use phrases, not words.
-
@g.jacobse said:
Of course I have run into SEVERAL sites that only allow 8... I plan to ask him about that one.
Any site with that requirement should be questioned as to the need for something so insecure and ridiculous. Chances are that limitation comes from using a clear-text UNIX password system from decades ago that was never updated, and nothing, truly nothing, should be running on that today. If they are, you don't need what they are offering.
-
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words, may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everything from Mickey1 to Jones1, total crap. Combine the 2 words into MickeyJones1 and you'd have to perform a brute-dictionary attack... which, as far as I'm aware, doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force, which for a 12 character password would take quite a while.
-
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words, may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everything from Mickey1 to Jones1, total crap. Combine the 2 words into MickeyJones1 and you'd have to perform a brute-dictionary attack... which, as far as I'm aware, doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force, which for a 12 character password would take quite a while.
I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)
-
@scottalanmiller said:
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words, may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everything from Mickey1 to Jones1, total crap. Combine the 2 words into MickeyJones1 and you'd have to perform a brute-dictionary attack... which, as far as I'm aware, doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force, which for a 12 character password would take quite a while.
I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)
Exactly my point. Assuming you were to make software that does that, and assuming you were using the top 100,000 passwords list (which who doesn't?), extending the potential passwords by a factor of one increases the complexity exponentially: 100,000^X. A 4 word password would have 100,000,000,000,000,000,000 potential combinations, which at a billion guesses a second would take 100,000,000,000 seconds, or over 31 years.
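The combinator ("brute-dictionary") attack debated above, together with the keyspace arithmetic in this post, as an added example that is not part of the thread. Two caveats a practitioner would want: tooling for this already exists (hashcat's combinator mode, -a 1, joins every entry of one word list with every entry of another, so two common words concatenated are within easy reach), and the guess rate depends on the hash, since a slow KDF such as bcrypt, scrypt or Argon2 cuts an attacker's rate by orders of magnitude compared with a plain SHA-256. The salted SHA-256 target, the four-entry word list standing in for a top-100,000 list, and the 1e9 guesses/s rate are constructed for the example; at that rate the block computes roughly 3,169 years to exhaust four words from a 100,000-entry list.

```python
"""Added example, not code from the thread: a toy combinator ("brute
dictionary") attack and a keyspace estimate for word-list passphrases.

Assumptions that are mine, not the thread's: the target is a salted
SHA-256 hash, the word list is a constructed 4-entry stand-in for a real
top-N list, and the guess rate is a hypothetical 1e9 guesses/second.
"""
import hashlib
import itertools

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed miniature word list standing in for a "top 100,000" list.
WORDS = ["mickey", "jones", "summer", "dragon"]


def salted_hash(salt: bytes, candidate: str) -> str:
    """Salted SHA-256, chosen only so the example runs anywhere. A real
    credential store should use a slow KDF (bcrypt, scrypt, Argon2), which
    lowers the attacker's guess rate by orders of magnitude."""
    return hashlib.sha256(salt + candidate.encode("utf-8")).hexdigest()


def combinator_attack(target: str, salt: bytes, words, max_words: int,
                      separators=("",)):
    """Enumerate every ordered sequence of 1..max_words list entries, joined
    by each separator string (what hashcat's combinator mode does for two
    lists). Returns (cracked_password, guesses) or (None, guesses)."""
    guesses = 0
    for k in range(1, max_words + 1):
        # A single word has nothing to join, so try it once only.
        seps = separators if k > 1 else ("",)
        for combo in itertools.product(words, repeat=k):
            for sep in seps:
                candidate = sep.join(combo)
                guesses += 1
                if salted_hash(salt, candidate) == target:
                    return candidate, guesses
    return None, guesses


def passphrase_keyspace(list_size: int, num_words: int,
                        num_separators: int = 1) -> int:
    """Candidates for exactly num_words words drawn from an N-entry list,
    joined by one of num_separators separators used uniformly (matching
    the enumeration in combinator_attack)."""
    return list_size ** num_words * (num_separators if num_words > 1 else 1)


def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Candidates for an exact-length brute force over a character set."""
    return charset_size ** length


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = b"constructed-salt"
    target = salted_hash(salt, "mickey-jones")
    # Two list words with a separator fall in a handful of guesses.
    print(combinator_attack(target, salt, WORDS, 2, separators=("", "-", "_")))
    # Four words from a 100,000-entry list at 1e9 guesses/s: ~3,169 years.
    print(years_to_exhaust(passphrase_keyspace(100_000, 4), 1e9))
    # Twelve printable-ASCII characters brute forced: far longer still.
    print(years_to_exhaust(brute_force_keyspace(95, 12), 1e9))
```

The separator count enters the keyspace as a multiplier, not an exponent, because the attack assumes the same separator between every word; an attacker who allows the separator to vary per gap pays N^k times S^(k-1), which is why a mixed or unusual separator does add a little, as the later post in this thread suggests.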
-
Yup, with a little effort in complexity and a little training of the end users, passwords can be effectively unguessable. But companies so often don't want security, cripple security efforts for no reason and let end users be idiots, and security just goes out the window.
-
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words, may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everything from Mickey1 to Jones1, total crap. Combine the 2 words into MickeyJones1 and you'd have to perform a brute-dictionary attack... which, as far as I'm aware, doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force, which for a 12 character password would take quite a while.
Nice explanation. When do you think we would be able to use phrases for passwords online?
-
@technobabble said:
Nice explanation. When do you think we would be able to use phrases for passwords online?
Who doesn't allow this now? Pretty much any reasonable service has allowed that for a decade or more.
-
@scottalanmiller said:
@technobabble said:
Nice explanation. When do you think we would be able to use phrases for passwords online?
Who doesn't allow this now? Pretty much any reasonable service has allowed that for a decade or more.
I have had lots of sites that wouldn't allow spaces, is a phrase without a space just as safe?
-
@technobabble said:
I have had lots of sites that wouldn't allow spaces, is a phrase without a space just as safe?
Yup, spaces are not necessary. Of course, a space is extra length, so finding a way to make up for the length is good. But you could just add a word or use something instead of the space. Consider a - or a _ or a +. That will make guessing even harder, in theory, than if you used spaces!
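A length-first policy check in the spirit of the advice in the last few posts (a minimum length, no composition rules, spaces or separators such as -, _ and + accepted, and common passwords rejected even when they are dressed up with separators), as an added example that is not code from the thread. The 16-character minimum, the 128-character cap and the tiny denylist are assumptions for illustration; a real deployment would check against a full breached-password corpus.

```python
"""Added example, not code from the thread: a length-first passphrase
policy check (minimum length, no composition rules, spaces and separators
allowed, common passwords rejected). MIN_LEN, MAX_LEN, SEPARATORS and the
denylist are my assumptions for illustration."""
import unicodedata

MIN_LEN = 16            # the "nothing short of 16" from the thread
MAX_LEN = 128           # generous cap so long phrases are not rejected
SEPARATORS = " -_+.,"   # treated as word separators for denylist matching

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {
    "password", "mickey1", "jones1", "mickeyjones1",
    "correcthorsebatterystaple", "tobeornottobe",
}


def _canonical(candidate: str) -> str:
    """Lower-case, NFKC-normalise and drop separators so that
    'Correct-Horse Battery_Staple' matches the denylist entry."""
    text = unicodedata.normalize("NFKC", candidate).lower()
    return "".join(ch for ch in text if ch not in SEPARATORS)


def check_passphrase(candidate: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means it is
    accepted. Deliberately has no uppercase/digit/symbol requirements, and
    counts spaces and separators towards the length."""
    reasons = []
    length = len(unicodedata.normalize("NFKC", candidate))
    if length < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    canonical = _canonical(candidate)
    if canonical in COMMON_PASSWORDS:
        reasons.append("matches a common password (ignoring case and separators)")
    if len(set(canonical)) <= 1:
        reasons.append("no variety of characters")
    return reasons


if __name__ == "__main__":
    for sample in ("Mickey1", "Correct Horse Battery Staple",
                   "green tractor eats moonlight",
                   "green-tractor-eats-moonlight", "a" * 20):
        print(repr(sample), check_passphrase(sample) or "accepted")
```

Matching the denylist on the separator-stripped form is the one place where separators are deliberately ignored: a well-known phrase does not become safe by swapping its spaces for hyphens, while an unknown phrase passes with spaces, hyphens or nothing at all, which is the point made in the reply above.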
-
@scottalanmiller said:
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words, may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everything from Mickey1 to Jones1, total crap. Combine the 2 words into MickeyJones1 and you'd have to perform a brute-dictionary attack... which, as far as I'm aware, doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force, which for a 12 character password would take quite a while.
I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)
Rainbow tables are awesome at getting a percentage of a large number of passwords, against a single one there is probably a break even point where the complexity of your tables outweighs just brute forcing it.
$0.02: go for length over complexity any day.
-
@MattSpeller said:
Rainbow tables are awesome at getting a percentage of a large number of passwords, against a single one there is probably a break even point where the complexity of your tables outweighs just brute forcing it.
$0.02: go for length over complexity any day.
I think the biggest question would be "is this a one time attack" or do you "attack passwords on a recurring basis." Funny, but it becomes a "business of hacking" question rather than one strictly of the technology involved.
-
@scottalanmiller said:
I think the biggest question would be "is this a one time attack" or do you "attack passwords on a recurring basis." Funny, but it becomes a "business of hacking" question rather than one strictly of the technology involved.
Probably a good paper somewhere in there - economics of hacking? I'd read it.
-
@scottalanmiller Thanks!
-
Saw this tonight in reference to requiring password changes every ninety days.
-
Bring out the ol' bucket-o-slap and apply liberal servings to the post-it bandits.