Password Complexity, Good or bad?
-
@scottalanmiller said:
It's one of the "if you used Azure AD instead of AD" benefits apparently: http://www.infoworld.com/article/2611089/cloud-security/microsoft-integrates-two-factor-authentication-into-active-directory-to-protect-cloud.html
right, MS has has 2FA for MS accounts for ages... doesn't surprise me that you could get this in Azure AD.
-
@scottalanmiller said:
Because you are confusing the size of the set used with the size of the set to be tried. In both cases the set size is identical.
But isn't there an "order" to how the set would be checked against?
Or since that is random, it is not part of the equation?
In fact, if you knew what the most common characters were, you would start with those.
So you are saying that since you assume a hacker is going to try all characters (unless the KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH if those characters you choose?
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
You can get 2TF for Windows AD for free?
That's such a sad limitation that it didn't even occur to me as a barrier. One of those things living in the Linux world that you get so easily for free in so many ways it seems unthinkable that Windows doesn't have just as much being so much more "popular." Is 2FA really not widely available for free for Windows?
Not that I'm aware of - though, I don't think many people would use it, even if it was.
Right, it's not popular, but I used it at Change, but not for Windows (but others did.) But they didn't use AD, just Windows.
As in to log into their computer? or they used 2FA for applications and websites?
No, just apps on Mac at least.
Looks like Wikid does it...
-
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
-
I've used these guys, but it isn't free.
-
@BRRABill said:
In fact, if you knew what the most common characters were, you would start with those.
Potentially, but it's far more complicated than that because getting "some" of the characters isn't useful. It's all or nothing.
-
@scottalanmiller said:
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
Well, if it was 1 character, I'd start with "a" and go through "z".
For two I;d start with "aa" and move through "zz".
And so on and so forth.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
But if can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.
Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.
This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.
-
@BRRABill said:
So you are saying that since you assume a hacker is going to try all characters (unless the KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH if those characters you choose?
Exactly. If you truly used a PURE lower case or PURE upper case set without a single number, alternative cap or anything, there is some small chance that someone might attempt a subset attack before going to a broader one, but this would be blocked by anything including a single punctuation, capital, number, space... anything. It's not as useful as it sounds unless only going after really low hanging fruit. And we aren't suggesting that you do that, we are suggesting that you don't enforce it, the chances of that stuff being there is quite high. And the longer it gets, the higher it gets. And length still trumps complexity quickly.
-
@BRRABill said:
@scottalanmiller said:
@BRRABill said:
But isn't there an "order" to how the set would be checked against?
If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?
Well, if it was 1 character, I'd start with "a" and go through "z".
For two I;d start with "aa" and move through "zz".
And so on and so forth.
Right, but if that password has even a space in it.... you have to check the entire aa - zz set to find out it isn't in that set and you've wasted all of that time.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@BRRABill said:
thisisalongpassword = 607 million years
thisisalongpasswor@ = 3 trillion years
How is that calculated? that's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.
it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).
But if can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.
Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.
This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.
Right, which is why length is so crucial. The longer it gets, the more you can't engineer it. Length is the only reasonable competition for engineering.
-
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
-
For example:
Easy to crack "$f7slwe4D"
Hard to crack "once, I went to the market and saw a train"But one is far easier to remember than the other.
-
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
-
@scottalanmiller said:
For example:
Easy to crack "$f7slwe4D"
Hard to crack "once, I went to the market and saw a train"But one is far easier to remember than the other.
And the SET SIZE of the second one is larger, space is not punctuation. So the set is potentially one character larger.
-
@Dashrender said:
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
I totally understand and agree.
I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
-
@dafyre said:
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
Exactly, never impose limits. Limits are bad. You want to do anything that you can to encourage length. Limits do the opposite.
-
@dafyre said:
Is there really any point to limiting the types of characters people can use in their passwords?
If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"
Why can't I use that?
No reason at all not to use that.
Any password based system that doesn't allow you to use that is showing you that they are doing passwords wrong, they aren't salting and hashing your password, they are probably just storing your password as plain text in their shitty system.
-
@BRRABill said:
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
I've never heard anyone I'd considered a security person say this, that's what media and home users repeat, sure. Literally, outside of consumer stuff and hobby levels stuff, I've never heard a security expert or researcher suggest that. Having them in the pool, great. But using them over making things easy to remember universally I've heard as very, very bad and is one of the first things you learn about password security.
-
@BRRABill said:
@Dashrender said:
@scottalanmiller said:
And the longer it gets, the higher it gets. And length still trumps complexity quickly.
This really is the main point to take away from all of this.
I totally understand and agree.
I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.
But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).