Enforce Full or Selective Complexity on Passwords?
-
@coliver said:
@technobabble said:
@thanksaj said:
@technobabble said:
@thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.
Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.
Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.
Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.
From my knowledge a dictionary attack goes through every word in its dictionary from a-z to identify the password. It would then have to go through every word it its dictionary coupled with every other word in its dictionary. Depending on the size of the dictionary (huge) it needs to find 4 words that match to meet the password. The combinations would be in the... hundreds of trillions? I haven't done permutations in awhile so someone who is good at math should check my work.
Ah ha...well now that makes sense to me...thanks for taking the time to share!
-
@thanksaj said:
@technobabble said:
@thanksaj said:
@technobabble said:
@thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.
Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.
Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.
Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.
Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.
Why are you still arguing with me about my personal preference? I never mentioned that LastPass tried to convince me of anything. Can we move on?
-
@technobabble said:
@thanksaj said:
@technobabble said:
@thanksaj said:
@technobabble said:
@thanksaj you can use your phone to access lastpass and see a note that tells you what the windows password is.
Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used. Or what it was meant to be used for.
Says who...it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.
Also can anyone comment on the 4 words and how they beat a dictionary attack, thanks.
Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.
Why are you still arguing with me about my personal preference? I never mentioned that LastPass tried to convince me of anything. Can we move on?
I didn't say they did, and I wasn't arguing with you. If you want to do that, go right ahead. I have no issue with it, and you're welcome to do it that way if you want.
-
One day we'll be telling our grandkids about how computers did recognise our retinas or whatever and we had to remember stacks of physical passwords and they'll be like "man, that must have sucked!". I'll probably tell them whilst they're flicking through my record collection.
-
@Carnival-Boy said:
One day we'll be telling our grandkids about how computers did recognise our retinas or whatever and we had to remember stacks of physical passwords and they'll be like "man, that must have sucked!". I'll probably tell them whilst they're flicking through my record collection.
ROFL! Yeah, probably...
-
Was at a Cyber Security Training today. the Detective with the local Cyber Crimes unit; attached to the FBI suggested to completely DROP Passwords and go with Pass PHRASES... And use nothing short of 16 characters... He commonly uses 43 characters..(or more).
Of course I have run into SEVERAL sites only allow 8 ... I plan to ask him on that one..
-
@g.jacobse said:
Was at a Cyber Security Training today. the Detective with the local Cyber Crimes unit; attached to the FBI suggested to completely DROP Passwords and go with Pass PHRASES... And use nothing short of 16 characters... He commonly uses 43 characters..(or more).
This is just another way of stating that people need to drop the complexity. The assumption is that without the need for complexity, passphrases become easy. This has been the standard answer for security professionals for over a decade. When we say "no complexity requirements" we also assume "good end user training" and that should always teach people to use phases, not words.
-
@g.jacobse said:
Of course I have run into SEVERAL sites only allow 8 ... I plan to ask him on that one..
Any site with that requirement should be questioned as to the need for something so insecure and ridiculous. Chances are that limitation is created by using a clear text UNIX password system from decades ago that was never updated and nothing, truly nothing, should be running on that today. If they are, you don't need what they are offering.
-
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force which a 12 character pass would take quite a while.
-
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force which a 12 character pass would take quite a while.
I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)
-
@scottalanmiller said:
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force which a 12 character pass would take quite a while.
I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)
Exactly my point, assuming you were to make a software that does that, and assuming you were using the top 100,000 passwords list (which who doesn't?) extending the potential passwords by a factor of one increases the complexity exponentially. 100,000^X, a 4 word password would have 100,000,000,000,000,000,000 potential combinations, at a billion guesses a second would take 100,000,000,000 seconds, or over 31 years
-
Yup, with a little effort in complexity and a little training of the end users, passwords can be effectively unguessable. But companies so often don't want security and cripple security efforts for no reason and let end users be idiots and security just goes out the window.
-
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force which a 12 character pass would take quite a while.
Nice explanation. When do you think we would be able to use phrases for password online?
-
@technobabble said:
Nice explanation. When do you think we would be able to use phrases for password online?
Who doesn't allow this now? Pretty much any reasonable service has allowed that for a decade or more.
-
@scottalanmiller said:
@technobabble said:
Nice explanation. When do you think we would be able to use phrases for password online?
Who doesn't allow this now? Pretty much any reasonable service has allowed that for a decade or more.
I have had lots of sites that wouldn't allow spaces, is a phrase without a space just as safe?
-
@technobabble said:
I have had lots of sites that wouldn't allow spaces, is a phrase without a space just as safe?
Yup, spaces are not necessary. Of course, a space is extra length, so finding a way to make up for the length is good. But you could just add a word or use something instead of the space. Consider a - or a _ or a +. That will make guessing even harder, in theory, than if you used spaces!
-
@scottalanmiller said:
@RAM. said:
The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?
You're stuck with brute force which a 12 character pass would take quite a while.
I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)
Rainbow tables are awesome at getting a percentage of a large number of passwords, against a single one there is probably a break even point where the complexity of your tables outweighs just brute forcing it.
$0.02 go for length over complexity any day. -
@MattSpeller said:
Rainbow tables are awesome at getting a percentage of a large number of passwords, against a single one there is probably a break even point where the complexity of your tables outweighs just brute forcing it.
$0.02 go for length over complexity any day.I think the biggest question would be "is this a one time attack" or do you "attack passwords on a recurring basis." Funny, but it becomes a "business of hacking" question rather than one strictly of the technology involved.
-
@scottalanmiller said:
I think the biggest question would be "is this a one time attack" or do you "attack passwords on a recurring basis." Funny, but it becomes a "business of hacking" question rather than one strictly of the technology involved.
Probably a good paper somewhere in there - economics of hacking? I'd read it.
-
@scottalanmiller Thanks!