Enforce Full or Selective Complexity on Passwords?

scottalanmiller

@RAM. said:

The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?

You're stuck with brute force which a 12 character pass would take quite a while.

I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)

RAM.

@scottalanmiller said:

@RAM. said:

The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?

You're stuck with brute force which a 12 character pass would take quite a while.

I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)

Exactly my point, assuming you were to make a software that does that, and assuming you were using the top 100,000 passwords list (which who doesn't?) extending the potential passwords by a factor of one increases the complexity exponentially. 100,000^X, a 4 word password would have 100,000,000,000,000,000,000 potential combinations, at a billion guesses a second would take 100,000,000,000 seconds, or over 31 years

scottalanmiller

Yup, with a little effort in complexity and a little training of the end users, passwords can be effectively unguessable. But companies so often don't want security and cripple security efforts for no reason and let end users be idiots and security just goes out the window.

technobabble

@RAM. said:

The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?

You're stuck with brute force which a 12 character pass would take quite a while.

Nice explanation. When do you think we would be able to use phrases for password online?

scottalanmiller

@technobabble said:

Nice explanation. When do you think we would be able to use phrases for password online?

Who doesn't allow this now? Pretty much any reasonable service has allowed that for a decade or more.

technobabble

@scottalanmiller said:

@technobabble said:

Nice explanation. When do you think we would be able to use phrases for password online?

Who doesn't allow this now? Pretty much any reasonable service has allowed that for a decade or more.

I have had lots of sites that wouldn't allow spaces, is a phrase without a space just as safe?

scottalanmiller

@technobabble said:

I have had lots of sites that wouldn't allow spaces, is a phrase without a space just as safe?

Yup, spaces are not necessary. Of course, a space is extra length, so finding a way to make up for the length is good. But you could just add a word or use something instead of the space. Consider a - or a _ or a +. That will make guessing even harder, in theory, than if you used spaces!

MattSpeller

@scottalanmiller said:

@RAM. said:

The reason 4 random words > 1 word in terms of a dictionary attack, or at best a hybrid attack, is based on the fact that 1 word, or 2 words may exist in a dictionary list, but 3 or 4 combined do not exist. A standard dictionary list reads from a list of predetermined potential passwords, everywhere from Mickey1 to Jones1, total crap. Combine the 2 words MickeyJones1 and you'd have to preform a brute-dictionary attack... which as far as I'm aware... doesn't exactly exist. Could it be written? Sure... but wouldn't that be clunky and really hog memory for no reason?

You're stuck with brute force which a 12 character pass would take quite a while.

I expect that it exists somewhere - people are always looking for ways of improving attacks, but even an elegant, hybrid dictionary attack is going to be insanely hard to execute. As the length gets longer, the overall complexity just skyrockets. This length also makes Rainbow Tables ineffective (with today's technology.)

Rainbow tables are awesome at getting a percentage of a large number of passwords, against a single one there is probably a break even point where the complexity of your tables outweighs just brute forcing it.
$0.02 go for length over complexity any day.

scottalanmiller

@MattSpeller said:

Rainbow tables are awesome at getting a percentage of a large number of passwords, against a single one there is probably a break even point where the complexity of your tables outweighs just brute forcing it.
$0.02 go for length over complexity any day.

I think the biggest question would be "is this a one time attack" or do you "attack passwords on a recurring basis." Funny, but it becomes a "business of hacking" question rather than one strictly of the technology involved.

MattSpeller

@scottalanmiller said:

I think the biggest question would be "is this a one time attack" or do you "attack passwords on a recurring basis." Funny, but it becomes a "business of hacking" question rather than one strictly of the technology involved.

Probably a good paper somewhere in there - economics of hacking? I'd read it.

technobabble

@scottalanmiller Thanks!

scottalanmiller

Saw this tonight in reference to requiring password changes every ninety days.

nadnerB

Bring out the ol' bocket-o-slap and apply liberal servings to the post-it bandits.