    Password Complexity, Good or bad?

    IT Discussion
    202 Posts 12 Posters 52.3k Views
    • scottalanmiller @BRRABill

      @BRRABill said:

      @Dashrender said:

      OK, now I understand why Scott doesn't consider suggesting Upper/number/special because he's assuming the hacker will be using the whole ASCII character set, instead of a subset that leaves one or more of those things out.

      for example, if you know someone doesn't bother to use upper/number/special, you can reduce your character search set to just 26 characters, making the job significantly shorter than say, adding a single upper case, which doubles the character set from 26 to 52.

      Right. So why doesn't having more character sets add time to the job? That is what I do not yet understand.

      Unless the "order" the set is checked against is random.

      Because you are confusing the size of the set used with the size of the set to be tried. In both cases the set size is identical.

      • scottalanmiller @Dashrender

        @Dashrender said:

        @scottalanmiller said:

        @Dashrender said:

        You can get 2FA for Windows AD for free?

        That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?

        Not that I'm aware of - though, I don't think many people would use it, even if it was.

        Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.

        • scottalanmiller

          It's one of the "if you used Azure AD instead of AD" benefits apparently: http://www.infoworld.com/article/2611089/cloud-security/microsoft-integrates-two-factor-authentication-into-active-directory-to-protect-cloud.html

          • Dashrender @scottalanmiller

            @scottalanmiller said:

            @Dashrender said:

            @scottalanmiller said:

            @Dashrender said:

            You can get 2FA for Windows AD for free?

            That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?

            Not that I'm aware of - though, I don't think many people would use it, even if it was.

            Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.

            As in to log into their computer? or they used 2FA for applications and websites?

            • Dashrender @scottalanmiller

              @scottalanmiller said:

              It's one of the "if you used Azure AD instead of AD" benefits apparently: http://www.infoworld.com/article/2611089/cloud-security/microsoft-integrates-two-factor-authentication-into-active-directory-to-protect-cloud.html

              right, MS has had 2FA for MS accounts for ages... doesn't surprise me that you could get this in Azure AD.

              • BRRABill @scottalanmiller

                @scottalanmiller said:

                Because you are confusing the size of the set used with the size of the set to be tried. In both cases the set size is identical.

                But isn't there an "order" to how the set would be checked against?

                Or since that is random, it is not part of the equation?

                In fact, if you knew what the most common characters were, you would start with those.

                So you are saying that since you assume a hacker is going to try all characters (unless they KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH of those characters you choose?

                • scottalanmiller @Dashrender

                  @Dashrender said:

                  @scottalanmiller said:

                  @Dashrender said:

                  @scottalanmiller said:

                  @Dashrender said:

                  You can get 2FA for Windows AD for free?

                  That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?

                  Not that I'm aware of - though, I don't think many people would use it, even if it was.

                  Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.

                  As in to log into their computer? or they used 2FA for applications and websites?

                  No, just apps on Mac at least.

                  Looks like Wikid does it...

                  https://sourceforge.net/projects/wikid-twofactor/

                  • scottalanmiller @BRRABill

                    @BRRABill said:

                    But isn't there an "order" to how the set would be checked against?

                    If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?

                    • BRRABill

                      I've used these guys, but it isn't free.

                      https://duo.com/

                      • scottalanmiller @BRRABill

                        @BRRABill said:

                        In fact, if you knew what the most common characters were, you would start with those.

                        Potentially, but it's far more complicated than that because getting "some" of the characters isn't useful. It's all or nothing.

                        • BRRABill @scottalanmiller

                          @scottalanmiller said:

                          @BRRABill said:

                          But isn't there an "order" to how the set would be checked against?

                          If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?

                          Well, if it was 1 character, I'd start with "a" and go through "z".

                          For two I'd start with "aa" and move through "zz".

                          And so on and so forth.

                          • Dashrender @scottalanmiller

                            @scottalanmiller said:

                            @Dashrender said:

                            @scottalanmiller said:

                            @BRRABill said:

                            thisisalongpassword = 607 million years

                            thisisalongpasswor@ = 3 trillion years

                            How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.

                            it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).

                            But it can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.

                            Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.

                            This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.

                            • scottalanmiller @BRRABill

                              @BRRABill said:

                              So you are saying that since you assume a hacker is going to try all characters (unless they KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH of those characters you choose?

                              Exactly. If you truly used a PURE lower case or PURE upper case set without a single number, alternative cap or anything, there is some small chance that someone might attempt a subset attack before going to a broader one, but this would be blocked by anything including a single punctuation, capital, number, space... anything. It's not as useful as it sounds unless only going after really low hanging fruit. And we aren't suggesting that you do that, we are suggesting that you don't enforce it, the chances of that stuff being there is quite high. And the longer it gets, the higher it gets. And length still trumps complexity quickly.

                              • scottalanmiller @BRRABill

                                @BRRABill said:

                                @scottalanmiller said:

                                @BRRABill said:

                                But isn't there an "order" to how the set would be checked against?

                                If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?

                                Well, if it was 1 character, I'd start with "a" and go through "z".

                                For two I'd start with "aa" and move through "zz".

                                And so on and so forth.

                                Right, but if that password has even a space in it.... you have to check the entire aa - zz set to find out it isn't in that set and you've wasted all of that time.

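The "aa" through "zz" enumeration BRRABill describes, and the point that a single space in the password forces the whole subset to be exhausted before the attacker learns anything, as an added Python example (not code from the thread or any poster). It assumes an attacker who gambles on the 26 lowercase letters and tries strings in dictionary order; `ordered_bruteforce`, `expected_position` and `keyspace` are names chosen here.

```python
import itertools
import string

LOWER = string.ascii_lowercase  # the 26-letter subset an attacker might gamble on


def keyspace(alphabet_size, length):
    """Candidates an exhaustive search over `alphabet_size` symbols must cover."""
    return alphabet_size ** length


def ordered_bruteforce(target, alphabet, length):
    """Try every string of `length` over `alphabet` in dictionary order
    ('aa', 'ab', ..., 'zz').  Returns (found, guesses_made).

    A guess only counts when the WHOLE string matches, so a target with even
    one symbol outside `alphabet` is never found: the full space is burned
    and the attacker is no closer than when they started."""
    guesses = 0
    for candidate in itertools.product(alphabet, repeat=length):
        guesses += 1
        if "".join(candidate) == target:
            return True, guesses
    return False, guesses


def expected_position(target, alphabet):
    """1-based position at which dictionary order reaches `target`, computed
    arithmetically; None if any character lies outside `alphabet`."""
    index = {c: i for i, c in enumerate(alphabet)}
    if any(c not in index for c in target):
        return None
    pos = 0
    for c in target:
        pos = pos * len(alphabet) + index[c]
    return pos + 1


if __name__ == "__main__":
    # Constructed targets: one inside the guessed subset, one with a space.
    print(ordered_bruteforce("cab", LOWER, 3))   # (True, 1354)
    print(ordered_bruteforce("ca ", LOWER, 3))   # (False, 17576): all of aaa..zzz wasted
    print(expected_position("cab", LOWER))       # 1354, same answer without enumerating
    # Adding the space as a 27th symbol is what it costs to make the subset bet pay off again.
    print(keyspace(26, 19), keyspace(27, 19))
```

The second call is the thread's point in numbers: the ordered search over the 26-letter subset does not "partly" find `ca `; it spends all 17576 guesses and returns nothing, after which the attacker still has to start over on a larger set.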
                                • scottalanmiller @Dashrender

                                  @Dashrender said:

                                  @scottalanmiller said:

                                  @Dashrender said:

                                  @scottalanmiller said:

                                  @BRRABill said:

                                  thisisalongpassword = 607 million years

                                  thisisalongpasswor@ = 3 trillion years

                                  How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.

                                  it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).

                                  But it can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.

                                  Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.

                                  This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.

                                  Right, which is why length is so crucial. The longer it gets, the more you can't engineer it. Length is the only reasonable competition for engineering.

                                  • Dashrender @scottalanmiller

                                    @scottalanmiller said:

                                    And the longer it gets, the higher it gets. And length still trumps complexity quickly.

                                    This really is the main point to take away from all of this.

                                    • scottalanmiller

                                      For example:

                                      Easy to crack "$f7slwe4D"
                                      Hard to crack "once, I went to the market and saw a train"

                                      But one is far easier to remember than the other.

                                      • dafyre

                                        Is there really any point to limiting the types of characters people can use in their passwords?

                                        If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"

                                        Why can't I use that?

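dafyre's question about spaces and `\x00` bytes, as an added Python example rather than anything from the thread: a validator that accepts spaces and any printable Unicode, uses a length floor instead of composition rules, and refuses only control characters. `MIN_LENGTH = 15`, the function names and the sample strings (built from dafyre's example) are choices made here.

```python
import unicodedata

# Assumption: a length floor replaces composition rules; 15 is a constructed
# value for illustration, not a figure from the thread.
MIN_LENGTH = 15


def normalize(password):
    """NFKC so the same visible text hashes identically whatever form the
    client sent (e.g. the ligature U+FB01 becomes the two letters 'fi')."""
    return unicodedata.normalize("NFKC", password)


def control_characters(password):
    """Characters in the Unicode 'Other' categories (Cc control incl. NUL,
    Cf format, Co private use, Cn unassigned).  Space is category Zs, so it
    passes.  NUL is refused because C-string hashing interfaces such as
    crypt(3) stop reading at the first NUL byte and silently truncate."""
    return [c for c in password if unicodedata.category(c).startswith("C")]


def check_password(password):
    """Return the list of reasons to reject; an empty list means accept."""
    pw = normalize(password)
    reasons = []
    bad = control_characters(pw)
    if bad:
        codepoints = ", ".join(f"U+{ord(c):04X}" for c in sorted(set(bad)))
        reasons.append("contains control characters: " + codepoints)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    # Constructed samples: dafyre's string with NUL bytes, a long passphrase, a short complex one.
    print(check_password("I  Like\x00MangoLassi Because it is really cool!\x00"))
    print(check_password("once, I went to the market and saw a train"))
    print(check_password("$f7slwe4D"))
```

The double space in dafyre's example is accepted as-is; only the NUL bytes trip the check, and the rejection names the code points so the user can see which characters were the problem.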
                                        • scottalanmiller @scottalanmiller

                                          @scottalanmiller said:

                                          For example:

                                          Easy to crack "$f7slwe4D"
                                          Hard to crack "once, I went to the market and saw a train"

                                          But one is far easier to remember than the other.

                                          And the SET SIZE of the second one is larger, space is not punctuation. So the set is potentially one character larger.

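Scott's two examples ("$f7slwe4D" versus the passphrase) and his follow-up that the space enlarges the set, worked through in Python as an added example (not code from the thread). It assumes printable ASCII with the 32 symbols of Python's `string.punctuation` as the "specials" and counts the space as its own class; the 1e10 guesses/second rate is a constructed illustration, and `charset_size`, `keyspace`, `bits` and `years_to_exhaust` are names chosen here. The year figures quoted earlier in the thread came from whatever calculator the poster used and are not reproduced.

```python
import math
import string

# Character classes and their sizes.  Assumption: printable ASCII, with the
# 32 symbols of Python's string.punctuation as the "specials"; the space is
# counted on its own because, as the thread notes, it is not punctuation.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "punct": frozenset(string.punctuation),
    "space": frozenset(" "),
}
ALL_CHARS = frozenset().union(*CLASSES.values())


def classes_used(password):
    """Names of the classes the password actually draws characters from."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def charset_size(password):
    """Smallest alphabet a brute force can be restricted to and still succeed:
    the union of the classes present.  Which member of a class you picked is
    irrelevant; one character from a class drags in the whole class."""
    if not set(password) <= ALL_CHARS:
        raise ValueError("character outside the modelled ASCII classes")
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(password, alphabet_size=None):
    """Candidates an exhaustive search must be prepared to try."""
    n = charset_size(password) if alphabet_size is None else alphabet_size
    return n ** len(password)


def bits(password, alphabet_size=None):
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    n = charset_size(password) if alphabet_size is None else alphabet_size
    return len(password) * math.log2(n)


def years_to_exhaust(password, guesses_per_second=1e10, alphabet_size=None):
    """Worst-case time to walk the whole keyspace at an ASSUMED guess rate
    (1e10/s is a constructed illustration, not a measurement)."""
    seconds = keyspace(password, alphabet_size) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    samples = [
        "$f7slwe4D",                                   # short, every class present
        "once, I went to the market and saw a train",  # long, mostly lowercase
        "thisisalongpassword",
        "thisisalongpasswor@",
    ]
    for pw in samples:
        print(f"{pw!r:46} set={charset_size(pw):3d} "
              f"bits={bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```

Even if the attacker is handed the most generous subset assumption for the passphrase (27 symbols, lowercase plus space, ignoring the capital and the comma), 42 characters over 27 symbols is roughly 200 bits against about 59 bits for the nine-character password drawn from all 94 printable symbols; that is the "length trumps complexity" claim in numbers.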
                                          • BRRABill @Dashrender

                                            @Dashrender said:

                                            @scottalanmiller said:

                                            And the longer it gets, the higher it gets. And length still trumps complexity quickly.

                                            This really is the main point to take away from all of this.

                                            I totally understand and agree.

                                            I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.

                                            But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
