Password Complexity, Good or bad?
-
@Dashrender said:
OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.
for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.
Right. So why doesn't having more character sets add time to the job? That is what I do not yet understand.
Unless the "order" the set is checked against is random.
-
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords.
They don't, though. They add no complexity. They are "just another ASCII character", they are not a thing. The computer does not even know that you thought you added complexity. To the computer there are two kinds of complexity only: length and "not available in a dictionary", the dictionary meaning any list of things, not a dictionary book. A dictionary could include "list of common passwords", for example.
OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.
for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.
Yes, if you KNOW that the character set is smaller, you get faster computation. But if someone locked the range to smaller and blocked those characters, that would be insane. But, I suppose, no more crazy that all of the things that the OP found in this audit. But, I'd have the same opinion, professional negligence as a best case.
But they don't know, in the real world, that the set is smaller nor is it. The set remains large and what people use remains large. You have like 80 reasonable characters to use easily and more with moderate ease.
-
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
-
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
But if can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.
-
@BRRABill said:
@Dashrender said:
OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.
for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.
Right. So why doesn't having more character sets add time to the job? That is what I do not yet understand.
Unless the "order" the set is checked against is random.
Because you are confusing the size of the set used with the size of the set to be tried. In both cases the set size is identical.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.
-
It's one of the "if you used Azure AD instead of AD" benefits apparently: http://www.infoworld.com/article/2611089/cloud-security/microsoft-integrates-two-factor-authentication-into-active-directory-to-protect-cloud.html
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.
As in to log into their computer? or they used 2FA for applications and websites?
-
@scottalanmiller said:
It's one of the "if you used Azure AD instead of AD" benefits apparently: http://www.infoworld.com/article/2611089/cloud-security/microsoft-integrates-two-factor-authentication-into-active-directory-to-protect-cloud.html
right, MS has has 2FA for MS accounts for ages... doesn't surprise me that you could get this in Azure AD.
-
@scottalanmiller said:
Because you are confusing the size of the set used with the size of the set to be tried. In both cases the set size is identical.
But isn't there an "order" to how the set would be checked against?
Or since that is random, it is not part of the equation?
In fact, if you knew what the most common characters were, you would start with those.
So you are saying that since you assume a hacker is going to try all characters (unless the KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH if those characters you choose?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.
As in to log into their computer? or they used 2FA for applications and websites?
No, just apps on Mac at least.
Looks like Wikid does it...
-
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
-
I've used these guys, but it isn't free.
-
@BRRABill said:
In fact, if you knew what the most common characters were, you would start with those.
Potentially, but it's far more complicated than that because getting "some" of the characters isn't useful. It's all or nothing.
-
@scottalanmiller said:
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
Well, if it was 1 character, I'd start with "a" and go through "z".
For two I;d start with "aa" and move through "zz".
And so on and so forth.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
But if can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.
Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.
This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.
-
@BRRABill said:
So you are saying that since you assume a hacker is going to try all characters (unless the KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH if those characters you choose?
Exactly. If you truly used a PURE lower case or PURE upper case set without a single number, alternative cap or anything, there is some small chance that someone might attempt a subset attack before going to a broader one, but this would be blocked by anything including a single punctuation, capital, number, space... anything. It's not as useful as it sounds unless only going after really low hanging fruit. And we aren't suggesting that you do that, we are suggesting that you don't enforce it, the chances of that stuff being there is quite high. And the longer it gets, the higher it gets. And length still trumps complexity quickly.
-
@BRRABill said:
@scottalanmiller said:
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
Well, if it was 1 character, I'd start with "a" and go through "z".
For two I;d start with "aa" and move through "zz".
And so on and so forth.
Right, but if that password has even a space in it.... you have to check the entire aa - zz set to find out it isn't in that set and you've wasted all of that time.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
But if can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.
Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.
This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.
Right, which is why length is so crucial. The longer it gets, the more you can't engineer it. Length is the only reasonable competition for engineering.
-
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.