    Password Complexity, Good or bad?

    IT Discussion
    202 Posts 12 Posters 52.3k Views
    • BRRABill @scottalanmiller

      @scottalanmiller said:

      @BRRABill said:

      But isn't there an "order" to how the set would be checked against?

      If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?

      Well, if it was 1 character, I'd start with "a" and go through "z".

      For two I'd start with "aa" and move through "zz".

      And so on and so forth.

      • Dashrender @scottalanmiller

        @scottalanmiller said:

        @Dashrender said:

        @scottalanmiller said:

        @BRRABill said:

        thisisalongpassword = 607 million years

        thisisalongpasswor@ = 3 trillion years

        How is that calculated? That's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.

        it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).

        But it can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.

        Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.

        This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.

        • scottalanmiller @BRRABill

          @BRRABill said:

          So you are saying that since you assume a hacker is going to try all characters (unless they KNEW you were forced to only use a 26-character set, for some reason) it doesn't matter WHICH of those characters you choose?

          Exactly. If you truly used a PURE lower case or PURE upper case set without a single number, alternative cap or anything, there is some small chance that someone might attempt a subset attack before going to a broader one, but this would be blocked by anything including a single punctuation, capital, number, space... anything. It's not as useful as it sounds unless only going after really low hanging fruit. And we aren't suggesting that you do that, we are suggesting that you don't enforce it, the chances of that stuff being there is quite high. And the longer it gets, the higher it gets. And length still trumps complexity quickly.

          • scottalanmiller @BRRABill

            @BRRABill said:

            @scottalanmiller said:

            @BRRABill said:

            But isn't there an "order" to how the set would be checked against?

            If you were only dealing with a single character, perhaps. How would you propose ordering for a multi-char string?

            Well, if it was 1 character, I'd start with "a" and go through "z".

            For two I'd start with "aa" and move through "zz".

            And so on and so forth.

            Right, but if that password has even a space in it.... you have to check the entire aa - zz set to find out it isn't in that set and you've wasted all of that time.

            • scottalanmiller @Dashrender

              @Dashrender said:

              @scottalanmiller said:

              @Dashrender said:

              @scottalanmiller said:

              @BRRABill said:

              thisisalongpassword = 607 million years

              thisisalongpasswor@ = 3 trillion years

              How is that calculated? That's not based on math alone, those two are literally identical. That has to be based on a dictionary attack, if so, it's not the @ sign that does it.

              it is based on math alone - why might you ask? because, as I just said, the first one can be tried by just using a 26 character set instead of 42 (there are 16 specials in ASCII).

              But it can't be tried on a 26 set. They both have the same number of characters. If you are going to arbitrarily define sets, they are identical.

              Have you watched the show called Mr Robot? The main character actually walks the audience through (he breaks the fourth wall like Deadpool does) hacking people's passwords. I've also listened to podcasts where hackers came on the show and did the same thing. They social engineer the person to help them narrow the scope. If you can narrow an 80 character search set to 42, or anything smaller really, you're dramatically reducing the amount of time it takes to go through the number of options.

              This is real life - I understand that from a simple outside look, sure you don't know what character set someone might be using, but it's pretty easy to look at the sophistication of a person (in regards to IT) and make some pretty good guesses about how they probably operate and make their job of hacking easier.

              Right, which is why length is so crucial. The longer it gets, the more you can't engineer it. Length is the only reasonable competition for engineering.

              • Dashrender @scottalanmiller

                @scottalanmiller said:

                And the longer it gets, the higher it gets. And length still trumps complexity quickly.

                This really is the main point to take away from all of this.

                • scottalanmiller

                  For example:

                  Easy to crack "$f7slwe4D"
                  Hard to crack "once, I went to the market and saw a train"

                  But one is far easier to remember than the other.

                  • dafyre

                    Is there really any point to limiting the types of characters people can use in their passwords?

                    If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"

                    Why can't I use that?

                    • scottalanmiller @scottalanmiller

                      @scottalanmiller said:

                      For example:

                      Easy to crack "$f7slwe4D"
                      Hard to crack "once, I went to the market and saw a train"

                      But one is far easier to remember than the other.

                      And the SET SIZE of the second one is larger, space is not punctuation. So the set is potentially one character larger.

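The search-space arithmetic the thread keeps returning to (set size raised to the length, the guesses wasted by exhausting a smaller subset such as "aa".."zz" first, and why the 42-character passphrase beats the 9-character random string even when the attacker is told which character classes it uses) worked through as an added Python example. This is not code from the original thread. The guess rate of 1e10 per second and the class sizes (printable ASCII: 26 lower, 26 upper, 10 digits, 1 space, 32 punctuation) are assumptions of this example; the thread's own rougher figures of 42 and 16 specials are not reproduced.

```python
import math
import string

# Character classes in the accounting this thread uses: an attacker who is
# certain a password never uses a class can leave it out of the search.
# Sizes are printable-ASCII counts (an assumption of this example).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "space": {" "},                         # 1, its own class as the post above notes
    "punct": set(string.punctuation),       # 32
}
FULL_SET = sum(len(chars) for chars in CLASSES.values())   # 95 printable ASCII
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def smallest_set_size(password: str) -> int:
    """Size of the smallest class union an attacker must enumerate to find this
    password, if they somehow knew exactly which classes it uses."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(set_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols from a set of `set_size`."""
    return set_size ** length


def entropy_bits(set_size: int, length: int) -> float:
    """log2 of the keyspace: the usual yardstick for comparing sets and lengths."""
    return length * math.log2(set_size)


def wasted_guesses(set_size: int, max_length: int) -> int:
    """Guesses spent exhausting lengths 1..max_length of a subset (e.g. 'a'..'zz')
    before learning the password is not in that subset at all."""
    return sum(set_size ** n for n in range(1, max_length + 1))


def crack_years(set_size: int, length: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case exhaustive-search time in years. The guess rate is an assumption
    (a fast offline attack on a cheap hash); it scales every answer by the same
    factor and never changes which password wins."""
    return keyspace(set_size, length) / guesses_per_second / SECONDS_PER_YEAR


def compare(pw_a: str, pw_b: str) -> dict:
    """Side-by-side figures for two passwords: once against the full printable set
    (attacker assumes nothing) and once against the smallest set the password
    really uses (attacker is handed the character classes)."""
    out = {}
    for pw in (pw_a, pw_b):
        small = smallest_set_size(pw)
        out[pw] = {
            "length": len(pw),
            "classes": sorted(classes_used(pw)),
            "bits_full_set": entropy_bits(FULL_SET, len(pw)),
            "bits_known_classes": entropy_bits(small, len(pw)),
            "years_known_classes": crack_years(small, len(pw)),
        }
    return out


if __name__ == "__main__":
    easy = "$f7slwe4D"
    hard = "once, I went to the market and saw a train"
    for pw, stats in compare(easy, hard).items():
        print(f"{pw!r}: {stats}")
    # Even if the attacker is told the passphrase is lowercase plus spaces,
    # 27**42 dwarfs 94**9.
    print("lowercase+space only, 42 chars:", round(entropy_bits(27, 42), 1), "bits")
    print("guesses burnt on 'a'..'zz' before abandoning the 26-set:", wasted_guesses(26, 2))
```

The `compare` output makes the thread's point concrete: handing the attacker the exact classes shrinks the 9-character string to roughly 59 bits, which falls in a couple of years at the assumed rate, while the passphrase stays far beyond any feasible search whichever set it is measured against.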
                      • BRRABill @Dashrender

                        @Dashrender said:

                        @scottalanmiller said:

                        And the longer it gets, the higher it gets. And length still trumps complexity quickly.

                        This really is the main point to take away from all of this.

                        I totally understand and agree.

                        I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.

                        But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.

                          • scottalanmiller @dafyre

                          @dafyre said:

                          Is there really any point to limiting the types of characters people can use in their passwords?

                          If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"

                          Why can't I use that?

                          Exactly, never impose limits. Limits are bad. You want to do anything that you can to encourage length. Limits do the opposite.

                            • Dashrender @dafyre

                            @dafyre said:

                            Is there really any point to limiting the types of characters people can use in their passwords?

                            If I wanted my password to be "I\x20\x20Like\00MangoLassi Because it is really cool!\x00"

                            Why can't I use that?

                            No reason at all not to use that.

                            Any password based system that doesn't allow you to use that is showing you that they are doing passwords wrong, they aren't salting and hashing your password, they are probably just storing your password as plain text in their shitty system.

                            • scottalanmiller @BRRABill

                              @BRRABill said:

                              But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.

                              I've never heard anyone I'd considered a security person say this, that's what media and home users repeat, sure. Literally, outside of consumer stuff and hobby levels stuff, I've never heard a security expert or researcher suggest that. Having them in the pool, great. But using them over making things easy to remember universally I've heard as very, very bad and is one of the first things you learn about password security.

                                • Dashrender @BRRABill

                                @BRRABill said:

                                @Dashrender said:

                                @scottalanmiller said:

                                And the longer it gets, the higher it gets. And length still trumps complexity quickly.

                                This really is the main point to take away from all of this.

                                I totally understand and agree.

                                I never really thought that once they are using the entire character set, you could pick ANYTHING in that set.

                                But that is really counter to everything you read everywhere. They ALWAYS say to add special characters.

                                Well, the thought there is that you then force the hacker to go through the special set as well. But as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrunk the character set by the specials (which would just be stupid - but hey).

                                  • BRRABill @Dashrender

                                  @Dashrender said:

                                  Well, the thought there is that you then force the hacker to go through the special set as well. But as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrunk the character set by the specials (which would just be stupid - but hey).

                                  Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.

                                    • scottalanmiller

                                    Now, if you are randomly generating passwords with no hope or attempt to remember them... then go for super long, super random, huge character set. Give it as much variation and randomness as the computations can muster. Any shared password that we use we make super long and fully random and you force it to be copy/pasted which is necessary in a shared password situation. In that case, though, we actively want to discourage memorization as well.

                                      • JaredBusch @scottalanmiller

                                      @scottalanmiller said:

                                      @Dashrender said:

                                      @larsen161
                                      I won't speak for JB, but for me - it's all around cost.

                                      But you can do that for free.

                                      How? How can you do 2FA for free in an office scenario?

                                      Something you know and something you have.

                                      The something you know is the password.

                                      The something you have is the part that costs money. It is not free.

                                        • Dashrender @BRRABill

                                        @BRRABill said:

                                        @Dashrender said:

                                        Well, the thought there is that you then force the hacker to go through the special set as well. But as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrunk the character set by the specials (which would just be stupid - but hey).

                                        Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.

                                        Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,

                                          • scottalanmiller @JaredBusch

                                          @JaredBusch said:

                                          The something you have is the part that costs money. It is not free.

                                          The thing that you have can be a file. SSH Keys + Passphrases are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.

                                          Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.

                                          • scottalanmiller @Dashrender

                                            @Dashrender said:

                                            @BRRABill said:

                                            @Dashrender said:

                                            Well, the thought there is that you then force the hacker to go through the special set as well. But as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrunk the character set by the specials (which would just be stupid - but hey).

                                            Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.

                                            Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,

                                            Or that they MIGHT use, that's all that matters. Given that set, sure, some user might go nuts and ONLY use special characters in a pretty small set - but the smaller set is only useful to a hacker that knows what the smaller set is.

                                            In reality, knowing a smaller set is the same as knowing the password. Think of it this way...

                                            You have a one char password, the hacker knows your set, the set size, by definition, can only be one char, so knowing the set and knowing the password are the exact same thing in that case.
