How secure is your password?
Haha.
_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."
-Paul Erdos
"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."
-Bruce Schneider
My degrees are in math, but I've been a software developer for years.
For what it's worth, I had an opportunity in the 1970s to take a graduate cryptography course from a noted cryptographic researcher, but I didn't take advantage of the opportunity in spite of already having read the textbook for the course. From others who took the course, they covered quite a bit more than what was in the textbook.
By the way, if you want to try some interesting math tests, check out the past tests of the USA Mathematical Talent Search which is sponsored by the NSA: http://www.usamts.org/.
I use the following for passwords I don't have to remember. Part of an html page.
<form name="test1">
<table>
<tr>
<td><input type="text" name="password" size="12" style="font-size: 14pt; font-weight: bold"></td>
<td><input type="button" value="Mixed Case" onclick="genPassword(60)" </td>
<td><input type="button" value="Lower Case" onclick="genPassword(36)" </td>
<td><input type="button" value="No Numbers" onclick="genPassword(52)" </td>
<td><input type="button" value="Only Numbers" onclick="genPassword(10)" </td>
</tr>
<tr>
<td><input type="checkbox" name=selAll value="ON">Select
</td>
<td><input type="button" value="Hex" onclick="genPassword(16)" </td>
</tr>
<tr>
<td colspan="3">Write it down, this doesn't record what it creates.</td>
</tr>
<tr>
<td colspan="5">Zero "0" and u.c. "O" won't appear
together. In mixed case, that is a zero (0).</td>
</tr>
<tr>
<td colspan="5">One "1" and u.c. "I" won't appear
together either. In mixed case, that is a one (1).</td>
</tr>
</table>
</form>
<script>
function genPassword(parm) {
var Characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZOI"
var PassWord=""
for (var i=0; i < 8; i++) {
var rnd = Math.floor(Math.random() * parm) + (parm == 52? 10 : 0) ;
PassWord = PassWord + Characters.charAt(rnd);
}
document.test1.password.value = PassWord;
if (document.test1.selAll.checked == true) document.test1.password.select();
}
</script>
That is competition mathematics, a bit like the IMO.
I am currently viewing this pdf http://www.usamts.org/Tests/Problems_26_1.pdf and I see a IMO problem that I already know the solution of. I think I'll be able to solve one of the problems using differential equations or maybe induction.
Thank you.
_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."
-Paul Erdos
"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."
-Bruce Schneider
On everything that's very important (WP not being one of these things), I use song lyrics (not from very popular songs) followed by a number. That way, a dictionary attack or a heuristics based guess will be very difficult (try finding a dictionary containing "ivebeentohastingsandivebeentobrightonivebeentoeastbournetoo4444"). Moreover, I use a security token in addition to a password for my bank; that way, a keylogger is useless. These tokens are tamper resistant, the code is obfuscated and the number generation algorithm is kept a secret. They're also very cheap, and should be mandatory for every bank.
_________________
“He who controls the spice controls the universe.”
my strongest password (which is the master password of my desktop-server set 'password safe' is a 19-character, small/caps alfanumerical with 2+ special characters.
it is a variation of a randomly generated password i got at my uni, i modified it a bit, added the caps and special characters in it.
I remember the set by making a phrase out of it, but it was gibberish first with the phrase added on top later on
Tollorin
Veteran
Joined: 14 Jun 2009
Age: 44
Gender: Male
Posts: 3,178
Location: Sherbrooke, Québec, Canada
Why not making the computer controlling the access from the password waiting 0.1 seconds each time a password is attempted? Humans users would barelly notice it and it would take 135 days for the NSA to crack a 4 characters password and more than 38 years for a 5 characters password. Is there something that prevent doing it?
That is competition mathematics, a bit like the IMO.
I am currently viewing this pdf http://www.usamts.org/Tests/Problems_26_1.pdf and I see a IMO problem that I already know the solution of. I think I'll be able to solve one of the problems using differential equations or maybe induction.
Thank you.
How are middle and high schools students are supposed to be able to solva that!?
That is competition mathematics, a bit like the IMO.
I am currently viewing this pdf http://www.usamts.org/Tests/Problems_26_1.pdf and I see a IMO problem that I already know the solution of. I think I'll be able to solve one of the problems using differential equations or maybe induction.
Thank you.
How are middle and high schools students are supposed to be able to solva that!?
On a secure system there is often a bigger delay than that. Also, it isn't unusual to allow five or so attempts before dropping the connection. Sometimes there may even be a delay before it will accept a new connection from that address.
The passwords aren't stored in the clear. Instead, there is a password file where a cryptographic hash of the passwords is stored. When you log on, the password you enter is hashed the same method and compared to the one stored in the file. If they match, then they are presumed to be the same password.
To slow things down, instead of hashing them once, they are hashed and then the hashes are hashed and that is repeated over and over a large number of times. On OpenBSD systems, if you use blowfish to do the hash, then the number of rounds of hashing can be from 2^4 to 2^31 number of rounds of hashing. Mine do 6, 7, or 8 rounds depending on the computer.
That way, if someone gets a copy of the password file, the delay is built in by the complexity of the computation, not by an artificial delay between attempts from the computer.
In general, when someone attacks an account over the Internet, they aren't going to be trying the same account millions of times. They are likely to get noticed far sooner than that. However, if they can get a copy of the password file, then they can hash different passwords and see what matches. On a typical system, they can probably get the passwords to half of the accounts very easily.
On our e-mail server years ago, the number one password for men was "cowboy" and the number one password for women was "grandma". Get a copy of the password file and just hash those two passwords and you would have been able to retrieve the mail for about 5% of the accounts. It wouldn't have let you log on with ssh, though, since our ssh logins are only permitted for those accounts that actually need to logon over ssh.
---
As for the USA Mathematical Talent Search, they are looking for the most mathematically talented kids in the country. There are three rounds of tests, five problems each, and if I remember correctly, 5 points per problem. A perfect score would be 75. I think something like five to ten students will make a score of 71-75 each year. The test isn't designed to make average high school kids feel good about themselves.
I think that many of the questions can be solved by a gifted student even if there is no advanced curriculum available. In fact, many of the questions are such that no curriculum is going to be teaching their students how to solve those kinds of questions. Many are essentially fairly advanced mathematical logic problems where one mainly needs to be able to reason well mathematically.
I don't remember ever seeing any that required any knowledge of calculus or anything higher.
I used to use S/key pretty heavily for passwords.
S/key is a password system where you have simple words to enter as a passphrase. The next logon will have a different simple words.
433 Math Lab
otp-md5 99 math31282
S/Key Password:GLEN HOST FIGS TURF UN BACK
eric76@mathlab:~: exit
Connection to mathlab closed.
eric76@archimedes:~> ssh eric76:skey@mathlab
433 Math Lab
otp-md5 98 math31282
S/Key Password:MAC BAIL IF ORB SITE FOR
eric76@mathlab:~: exit
Connection to mathlab closed.
eric76@archimedes:~>
S/key is particularly useful if you are in an environment where there will be many people around. Use S/key instead of entering your normal password and even if they do figure out what you typed in, it won't matter at all. It isn't unusual to have the next ten sets of S/key passwords printed on a list.
I used to keep a loose leaf notebook with pages of S/key passwords for every system I had access to. I'm thinking of doing that again so that if I happen to forget a password, I will still be able to log on.
That should have been 2^6, 2^7, or 2^8 rounds, not 6, 7, or 8 rounds.
all of my passwords are at least 20-25 characters
things like my bios password, the password for my account on my computer and the password for my hard drive encryption are passphrases with letters replaced with symbols at regular intervals, to prevent some kind of dictionary attack.
stuff like my wrongplanet password and reddit password are randomly generated strings of characters that i store on my computer, and copy paste as needed.
everything else that i don't care about being broken into has a sh***y eight character password
_________________
life is a game
Ichinin
Veteran
Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.
(2+ factor authentication is recommended, but not always possible to have)
Mine? I use a generative password manager i wrote myself after getting sick and tired of having a crapload of passwords. It produces passwords from 8 to 32 characters (configurable per site) and can include/exclude special characters if the side does not accept those.
Examples:
8 characters: z4swTKlb (about 40 bits of entropy)
32 characters: GEiyFIB05LdMAcoSkwcNunyGThxUaKqI (Roughly 160 bits of entropy)
32 characters with special characters: fxQrup2zhX(mgfB}EvBpaLXPCh5up1xW (160+ bits)
Believe it or not, it is sometimes necessary to downgrade password strength since some sites only support passwords of a certain length, take vmware.com for example.
4 characters:
5 characters:
6 characters:
First of all, if that is your projections of their capability, then you are underestimating the speed of which precalculated hash matching can run at. Look at http://ophcrack.sourceforge.net/ . With a Hardware or GPU cracker and a SSD drive, you can reach higher speeds than that. And more than one computer can be networked...
Secondly, you need to look at the entropy of the password. A common password with [A-Z] + [0-9] only have about 6 bytes of entropy per character, so in effect there is less strength. Unless using a PRNG you will not make secure passwords out of user input. Users are biased and the keyboard layout is biased too.
Both above: A very good, and recommendable practice.
You can use Charmap.exe to find it, then press ALT + XXX where XXX is the keycode found at the bottom right of the window.
Crypto is harder than it looks. Again, noone do bruteforce. Cracking passwords usually means comparing a password hash against a known value, see Opthcrack above. Breaking into a system is usually done without passwords, like sending a buffer overflow into a field somewhere or doing an SQL injection = passwords means nothing when hacking a system if there is a vulnerable service. You can even sniff password hashes flying through the (local) network if you have access, then break em.
Its what happens in reality - no one do bruteforce. Attackers cheat and do not care about the rules. See http://www.thoughtcrime.org/software/sslstrip/
You can even attack the crypto protocol itself, example with TLS:
https://en.wikipedia.org/wiki/Transport ... _TLS.2FSSL
Standard repetivite hashing is about 1000 rounds, some do way above 10K, there are even precalculated hash values that can be added to, like 40k precalc + 10k calculated = effective 50k rounds, but that assumes that the precalculated hashes never will be stolen, if they get stolen then we reduce 50k to 10k rounds.
The last thing i need to point out is this: Engineers are not security experts. Security experts are security experts.
things like my bios password, the password for my account on my computer and the password for my hard drive encryption are passphrases with letters replaced with symbols at regular intervals, to prevent some kind of dictionary attack.
stuff like my wrongplanet password and reddit password are randomly generated strings of characters that i store on my computer, and copy paste as needed.
everything else that i don't care about being broken into has a sh***y eight character password
Store on your computer?
In a .odt or .txt file? That's not very safe.
I don't know if you are familiar with the designer and admin of the now defunct Silk Road, but he stored his password for his PGP key and many other things in plain text on his laptop. When he was arrested the FBI was able to get his computer while he was logged on and they could access all his files. He is currently serving a life time in prison.
_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."
-Paul Erdos
"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."
-Bruce Schneider
