Password Complexity, Good or bad?
-
@BRRABill said:
@travisdh1 said:
Length matters, everything else is a flying spaghetti monster. If you really want to know why, you've got a LOT of reading to do, and probably more math than you've ever wanted to understand, let alone do.
I also agree with that.
I am just saying isn't
thisisalongpassword
weaker than
thisisa@longpassword
No, not weaker from a brute force attack. The thing that makes it weaker is that you used all common English words. Change that to gibberish, which is what you did in the second example, and it becomes a non-dictionary attack. That's the different, not the @ symbol.
To a computer password and p@ssw0rd are identically hard. Both words.
To a computer aosnmwen and D*n^63ed are identically hard. Both gibberish.Length and gibberish vs. words are what matters. But length trumps gibberish dramatically, so you encourage length not gibberish. But replacing a with @, for example as people do, isn't gibberish, it does nothing.
-
It is worth noting that at some point an attack stops looking for your password and starts looking for a collision instead because your password has reached maximum difficulty. No idea when that happens, but it does happen.
-
@scottalanmiller said:
@Dashrender said:
@larsen161
I won't speak for JB, but for me - it's all around cost.But you can do that for free.
You can get 2TF for Windows AD for free?
-
@scottalanmiller said:
@BRRABill said:
My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords.
They don't, though. They add no complexity. They are "just another ASCII character", they are not a thing. The computer does not even know that you thought you added complexity. To the computer there are two kinds of complexity only: length and "not available in a dictionary", the dictionary meaning any list of things, not a dictionary book. A dictionary could include "list of common passwords", for example.
OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.
for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.
-
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
-
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
-
@Dashrender said:
OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.
for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.
Right. So why doesn't having more character sets add time to the job? That is what I do not yet understand.
Unless the "order" the set is checked against is random.
-
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
My point is that just adding a capital or symbol adds a lot of complexity to the password. It can make a big difference when dealing with shorter passwords.
They don't, though. They add no complexity. They are "just another ASCII character", they are not a thing. The computer does not even know that you thought you added complexity. To the computer there are two kinds of complexity only: length and "not available in a dictionary", the dictionary meaning any list of things, not a dictionary book. A dictionary could include "list of common passwords", for example.
OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.
for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.
Yes, if you KNOW that the character set is smaller, you get faster computation. But if someone locked the range to smaller and blocked those characters, that would be insane. But, I suppose, no more crazy that all of the things that the OP found in this audit. But, I'd have the same opinion, professional negligence as a best case.
But they don't know, in the real world, that the set is smaller nor is it. The set remains large and what people use remains large. You have like 80 reasonable characters to use easily and more with moderate ease.
-
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
-
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
But if can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.
-
@BRRABill said:
@Dashrender said:
OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.
for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.
Right. So why doesn't having more character sets add time to the job? That is what I do not yet understand.
Unless the "order" the set is checked against is random.
Because you are confusing the size of the set used with the size of the set to be tried. In both cases the set size is identical.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.
-
It's one of the "if you used Azure AD instead of AD" benefits apparently: http://www.infoworld.com/article/2611089/cloud-security/microsoft-integrates-two-factor-authentication-into-active-directory-to-protect-cloud.html
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.
As in to log into their computer? or they used 2FA for applications and websites?
-
@scottalanmiller said:
It's one of the "if you used Azure AD instead of AD" benefits apparently: http://www.infoworld.com/article/2611089/cloud-security/microsoft-integrates-two-factor-authentication-into-active-directory-to-protect-cloud.html
right, MS has has 2FA for MS accounts for ages... doesn't surprise me that you could get this in Azure AD.
-
@scottalanmiller said:
Because you are confusing the size of the set used with the size of the set to be tried. In both cases the set size is identical.
But isn't there an "order" to how the set would be checked against?
Or since that is random, it is not part of the equation?
In fact, if you knew what the most common characters were, you would start with those.
So you are saying that since you assume a hacker is going to try all characters (unless the KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH if those characters you choose?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.
As in to log into their computer? or they used 2FA for applications and websites?
No, just apps on Mac at least.
Looks like Wikid does it...
-
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
-
I've used these guys, but it isn't free.
-
@BRRABill said:
In fact, if you knew what the most common characters were, you would start with those.
Potentially, but it's far more complicated than that because getting "some" of the characters isn't useful. It's all or nothing.