Page 1 of 2 [ 31 posts ]  Go to page 1, 2  Next

Rudin
Veteran
Veteran

User avatar

Joined: 7 Jun 2015
Age: 23
Posts: 1,046
Location: Southern Ontario

15 Aug 2015, 11:56 am

This is an interesting thread and it's a combination of two things I enjoy, cryptography and mathematics. I will show you, mathematically, how secure your password is and how long it will take the NSA to break it.

The cases I will do are numbers, letters (capital and lowercase), all characters on a keyboard and lower case letters.

I'll be using the fact the NSA can attempt 10^12 (1 trillion) combinations every second.


Numbers, letters and special characters:

There are 104 different characters including numbers, letters and special characters on a keyboard.

4 characters:

(104)^4=116985856 combinations, the NSA will be able to crack your password in 0.000116985856 seconds.

5 characters:

(104)^5=12166529024 combinations, the NSA will be able to crack your password in 0.012166529024 seconds

6 characters:

(104)^6=1265319018496 combinations, the NSA will be able to crack your password in 1.265319018496 seconds.

7 characters:

(104)^7=131593177923584 combinations, the NSA will be able to crack your password in about 2 minutes.

8 characters:

(104)^8=13685690504052736 combinations, the NSA will be able to crack your password in about 3 hours.

9 characters:

(104)^9=1423311812421484544 combinations, the NSA will be able to crack your password in about 2 weeks.

10 characters:

(104)^10=148024422576849183439 combinations, the NSA will be able to crack your password in about 4 years.

11 characters:

(104)^11=15394540563150776827904 combinations, the NSA will be able to crack your password in about 487 years.

Your password should probably be this secure.

Anything above 11 characters is very secure.

Just Letters(capital, lowercase):

There are 52 letters on the keyboard.

4 letters:

52^4=7311616 combinations, the NSA could crack your password in less than a second.

5 letters:

52^5=380204032 combinations, the NSA could crack your password in less than a second.

6 letters:

52^6=19770609664 combinations, the NSA could crack your password in less than a second.

7 letters:

52^7=1028071702528 combinations, the NSA could crack your password in about a second.

8 letters:

52^8=53459728531456 combinations, the NSA could crack your password in about 50 seconds.

9 letters:

52^9=2779905883635712 combinations, the NSA could crack your password in about 50 minutes.

10 letters:

52^10=144555105949057024 combinations, the NSA could crack your password in about 2 days.

11 letters:

52^11=7516865509350965248 combinations, the NSA could crack your password in about 3 months.

12 letters:

52^12=390877006486250192896 combinations, the NSA could crack your password in about 12 years.

13 letters:

52^13=20325604337285010030592 combinations, the NSA could crack your password in about 644 years.

13 letters is very secure, 12 letters is probably good enough though. Anything above 13 is great.

Just letters (lowercase):

It's the same for capital letters.

For 4-8 letter passwords: The NSA could crack your password in under a second.

9 letter passwords:

26^9=5429503678976 combinations, the NSA could crack your password in about 5 seconds.

10 letter passwords:

26^10=141167095653376 combinations, the NSA could crack your password in about 2 minutes.

11 letter passwords:

26^11=3670344486987776 combinations, the NSA could crack your password in about 1 hour.

12 letter passwords:

26^12=95428956661682176 combinations, the NSA could crack your password in about 1 day.

13 letter passwords:

26^13=2481152873203736576 combinations, the NSA could crack your password in about 4 weeks.

14 letter passwords:

26^14=64509974703297150976 combinations, the NSA could crack your password in about 2 years.

15 letter password:

26^15=1677259342285725925376 combinations, the NSA could crack your password in about 53 years.

16 letter password:/b]

26^16=43608742899428874059776 combinations, the NSA could crack your password in about 1381 years.

16 letter password is secure.

[b]Anything above 16 lowercase letters is good.


I think you get it. Before someone says someone like "why should we be worried about the NSA if we aren't criminals?" well if the NSA can do that I'm assuming many hackers could too.

Some more interesting facts:

The average Wi-Fi network has 13 numbers. 10^13=10,000,000,000,000 so the NSA (and hackers) could crack the password in 10 seconds.

Also, you hear people talking about 256-bit encryption and stuff. That means 256 bits of entropy or randomness. There is a formula to calculate entropy for passwords.

S=L ln(N)/ln(2)

Where S is the universal symbol for entropy. N is the number of possible symbols and L is the number of symbols in the password.


How secure is your password?


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneider


eric76
Veteran
Veteran

User avatar

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

15 Aug 2015, 10:37 pm

For the most part, I use pass phrases, not passwords. The pass phrases are typically four to six words. I often try to make sure that at least one of the words is quite rare.

The dictionary of obscure words at http://phrontistery.info/ihlstart.html is a good place to choose one or two of the words in the pass phrase.

In general, though, if your dictionary from which you chose the words contains 100,000 words, then with five words, using the same dictionary an attacker would have 10^25 passphrases to try out. Using a sufficiently obscure word that is not in smaller dictionaries would help keep the attacker wasting his time.

In my case, I make the pass phrases into a phrase to make it easier to remember, not just a list of four to six words. If an attacker used this, he could cut back a bit on the amount of combinations to try. On the other hand, including a little punctuation offsets some of that.

Sample pass phrases one could use:

* Henry's garnetiferous tortoise adores xanthometers.
* Queen Omar, the kangaroo, exhibits gametogenesis

(Note that words like "a", "an", "and", "the", ... do not count as a word in the pass phrase.)

One great thing about pass phrases is that they can be readily learned. Just make sure you don't have two different pass phrases that begin with the same word.

For what it's worth, I once used "e^(i*pi)+1=0" as a password. It's incredibly easy to remember but not very secure. After thinking about it overnight, I changed it to include a phrase in front applauding Euler.

For what it's worth, the longest pass phrase I ever used was something similar to "George went to the arctic seeking fine woolen bathrobes but all he could find was a fish and nine marbles."



eric76
Veteran
Veteran

User avatar

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

15 Aug 2015, 10:40 pm

By the way, people who replace letters with symbols in a common word -- for example, replacing 'a' with '@' or 'i' with '1' -- are merely fooling themselves. It hardly changes the security at all.



Fnord
Veteran
Veteran

User avatar

Joined: 6 May 2008
Gender: Male
Posts: 60,949
Location:      

15 Aug 2015, 11:22 pm

I wrote an app that randomly generates passwords. It worked really well, and the passwords it generates always score highly on those "How secure is your password?" tests.

But how easy is it to memorize passwords like "n3&£sP8AY0vQ2tM5", when you have to generate a new password for each of 70+ password-protected devices on a weekly basis?



Spiderpig
Veteran
Veteran

User avatar

Joined: 14 Apr 2013
Gender: Male
Posts: 7,893

15 Aug 2015, 11:41 pm

Secure enough for any further security to be inconsequential.

Image


_________________
The red lake has been forgotten. A dust devil stuns you long enough to shroud forever those last shards of wisdom. The breeze rocking this forlorn wasteland whispers in your ears, “Não resta mais que uma sombra”.


eric76
Veteran
Veteran

User avatar

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

16 Aug 2015, 12:01 am

Fnord wrote:
I wrote an app that randomly generates passwords. It worked really well, and the passwords it generates always score highly on those "How secure is your password?" tests.

But how easy is it to memorize passwords like "n3&£sP8AY0vQ2tM5", when you have to generate a new password for each of 70+ password-protected devices on a weekly basis?


What I hate are web sites that require passwords like that.

And web sites that rank your password/passphrase by how many upper case letters, lower case letters, numbers, and punctuation marks you use. I've seen one that would have ranked something like "GJKLDSJFjalksjdflabewaerJKLGJLJALKJLKSAGFafjelkwjarlkweja1234134514asjflaffdjslJKL32e" as insecure but would suddenly switch it to excellent by adding an exclmation mark at the end: "GJKLDSJFjalksjdflabewaerJKLGJLJALKJLKSAGFafjelkwjarlkweja1234134514asjflaffdjslJKL32e!"

I think that all it cared about was that the password was at least 15 characters and contained at least one upper case letter, lower case letter, number, and a non-alphanumeric symbol. A password such as "In G0d We Trust" would have been ranked as excellent.



Rudin
Veteran
Veteran

User avatar

Joined: 7 Jun 2015
Age: 23
Posts: 1,046
Location: Southern Ontario

16 Aug 2015, 6:49 am

eric76 wrote:
For the most part, I use pass phrases, not passwords. The pass phrases are typically four to six words. I often try to make sure that at least one of the words is quite rare.

The dictionary of obscure words at http://phrontistery.info/ihlstart.html is a good place to choose one or two of the words in the pass phrase.

In general, though, if your dictionary from which you chose the words contains 100,000 words, then with five words, using the same dictionary an attacker would have 10^25 passphrases to try out. Using a sufficiently obscure word that is not in smaller dictionaries would help keep the attacker wasting his time.

In my case, I make the pass phrases into a phrase to make it easier to remember, not just a list of four to six words. If an attacker used this, he could cut back a bit on the amount of combinations to try. On the other hand, including a little punctuation offsets some of that.

Sample pass phrases one could use:

* Henry's garnetiferous tortoise adores xanthometers.
* Queen Omar, the kangaroo, exhibits gametogenesis

(Note that words like "a", "an", "and", "the", ... do not count as a word in the pass phrase.)

One great thing about pass phrases is that they can be readily learned. Just make sure you don't have two different pass phrases that begin with the same word.

For what it's worth, I once used "e^(i*pi)+1=0" as a password. It's incredibly easy to remember but not very secure. After thinking about it overnight, I changed it to include a phrase in front applauding Euler.

For what it's worth, the longest pass phrase I ever used was something similar to "George went to the arctic seeking fine woolen bathrobes but all he could find was a fish and nine marbles."


e^(i*pi)+1=0 is not a bad password. It is twelve characters long so there are 104^12 possible combinations of what it could and would take years to crack.

What you are talking about is called "diceware" passwords which I forgot to mention, they are very secure.

There are 7776 possible combinations for a diceware password 6 words is enough.

7776^6=221073919720733357899776 combinations, the NSA can break your password in about 7005 years.

To add more security to a diceware password separate it by a special characters, preferably a rare one like a Greek symbol or the symbol for a pound or Bitcoin. This adds more complexity to your password.

Also two-step verification should be used always. A two step verification method is having the website you are trying to sign in on send you a PGP private message using your public key and you have to decrypt it and type the data into a text box.


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneider


Spiderpig
Veteran
Veteran

User avatar

Joined: 14 Apr 2013
Gender: Male
Posts: 7,893

16 Aug 2015, 6:56 am

Non-ASCII characters can be a pain in the rear end to enter.


_________________
The red lake has been forgotten. A dust devil stuns you long enough to shroud forever those last shards of wisdom. The breeze rocking this forlorn wasteland whispers in your ears, “Não resta mais que uma sombra”.


Rudin
Veteran
Veteran

User avatar

Joined: 7 Jun 2015
Age: 23
Posts: 1,046
Location: Southern Ontario

16 Aug 2015, 7:19 am

I don't trust "How secure is your password?" or anything like that.

n3&£sP8AY0vQ2tM5 is really hard to remember and not as secure as diceware.

Then again, the NSA is rumoured to be able to break 128-bit encryption. Bits of what? Entropy.

We'll set number of possible characters to 104 and have L as the variable (length of password).

128=Llog(104)/log(2), L~19

So this means the NSA may be able to crack something with the same amount of randomness as a 128-bit password even though according to the files released by Edward Snowden they should not be able to crack something with the same amount of entropy as a 19 letter long password.


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneider


Rudin
Veteran
Veteran

User avatar

Joined: 7 Jun 2015
Age: 23
Posts: 1,046
Location: Southern Ontario

16 Aug 2015, 7:30 am

Spiderpig wrote:
Secure enough for any further security to be inconsequential.

Image


I wonder if the guy in the picture uses VeraCrypt or TrueCrypt because LUKS isn't 4096-bit.

That is a funny comic though. Haha.


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneider


eric76
Veteran
Veteran

User avatar

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

16 Aug 2015, 9:43 am

Rudin wrote:
eric76 wrote:
For the most part, I use pass phrases, not passwords. The pass phrases are typically four to six words. I often try to make sure that at least one of the words is quite rare.

The dictionary of obscure words at http://phrontistery.info/ihlstart.html is a good place to choose one or two of the words in the pass phrase.

In general, though, if your dictionary from which you chose the words contains 100,000 words, then with five words, using the same dictionary an attacker would have 10^25 passphrases to try out. Using a sufficiently obscure word that is not in smaller dictionaries would help keep the attacker wasting his time.

In my case, I make the pass phrases into a phrase to make it easier to remember, not just a list of four to six words. If an attacker used this, he could cut back a bit on the amount of combinations to try. On the other hand, including a little punctuation offsets some of that.

Sample pass phrases one could use:

* Henry's garnetiferous tortoise adores xanthometers.
* Queen Omar, the kangaroo, exhibits gametogenesis

(Note that words like "a", "an", "and", "the", ... do not count as a word in the pass phrase.)

One great thing about pass phrases is that they can be readily learned. Just make sure you don't have two different pass phrases that begin with the same word.

For what it's worth, I once used "e^(i*pi)+1=0" as a password. It's incredibly easy to remember but not very secure. After thinking about it overnight, I changed it to include a phrase in front applauding Euler.

For what it's worth, the longest pass phrase I ever used was something similar to "George went to the arctic seeking fine woolen bathrobes but all he could find was a fish and nine marbles."


e^(i*pi)+1=0 is not a bad password. It is twelve characters long so there are 104^12 possible combinations of what it could and would take years to crack.


Every mathematician, physicist, or engineer who has a minimum level of competency will know Euler's formula. I would be surprised if some of the cracking dictionaries do not contain one or more ways that it could be expressed on the computer. It's too obvious not to include it.

Quote:
What you are talking about is called "diceware" passwords which I forgot to mention, they are very secure.


Diceware is a method of choosing the passwords or pass phrases. if you do not use that method, then it is simply not a diceware password/pass phrase.

Quote:
There are 7776 possible combinations for a diceware password 6 words is enough.

7776^6=221073919720733357899776 combinations, the NSA can break your password in about 7005 years.

To add more security to a diceware password separate it by a special characters, preferably a rare one like a Greek symbol or the symbol for a pound or Bitcoin. This adds more complexity to your password.

Also two-step verification should be used always. A two step verification method is having the website you are trying to sign in on send you a PGP private message using your public key and you have to decrypt it and type the data into a text box.


Just how do you require a web site to do that? What methods a web site uses is up to the web site owners -- I've yet to see a web site do as you suggest.

In any event, if a web site required that to log on, I probably wouldn't bother.



Last edited by eric76 on 16 Aug 2015, 10:06 am, edited 2 times in total.

eric76
Veteran
Veteran

User avatar

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

16 Aug 2015, 10:03 am

Rudin wrote:
I don't trust "How secure is your password?" or anything like that.

n3&£sP8AY0vQ2tM5 is really hard to remember and not as secure as diceware.

Then again, the NSA is rumoured to be able to break 128-bit encryption. Bits of what? Entropy.

We'll set number of possible characters to 104 and have L as the variable (length of password).

128=Llog(104)/log(2), L~19

So this means the NSA may be able to crack something with the same amount of randomness as a 128-bit password even though according to the files released by Edward Snowden they should not be able to crack something with the same amount of entropy as a 19 letter long password.


Password/key size and cryptographic security are actually different things. The 128 bit encryption you mentioned refers to the block size of a block cypher rather than the size of the key.

As a rather trivial example, imagine having a simple substitution cypher with the key determined by a password or pass phrase. No matter how great a password or pass phrase you select, anything encrypted with the cypher would be trivial to break since the block size would essentially be one character in size.



Rudin
Veteran
Veteran

User avatar

Joined: 7 Jun 2015
Age: 23
Posts: 1,046
Location: Southern Ontario

16 Aug 2015, 11:45 am

eric76 wrote:
Rudin wrote:
I don't trust "How secure is your password?" or anything like that.

n3&£sP8AY0vQ2tM5 is really hard to remember and not as secure as diceware.

Then again, the NSA is rumoured to be able to break 128-bit encryption. Bits of what? Entropy.

We'll set number of possible characters to 104 and have L as the variable (length of password).

128=Llog(104)/log(2), L~19

So this means the NSA may be able to crack something with the same amount of randomness as a 128-bit password even though according to the files released by Edward Snowden they should not be able to crack something with the same amount of entropy as a 19 letter long password.


Password/key size and cryptographic security are actually different things. The 128 bit encryption you mentioned refers to the block size of a block cypher rather than the size of the key.

As a rather trivial example, imagine having a simple substitution cypher with the key determined by a password or pass phrase. No matter how great a password or pass phrase you select, anything encrypted with the cypher would be trivial to break since the block size would essentially be one character in size.


I see.
However, I knew that passwords are irrelevant in cryptographic keys.

Your comment about Euler's formula was rather surprising. I didn't know they had it in cracking dictionaries.

Euler actually invented Venn diagrams but they were not named after him. He also was ripped off by Bernhard Riemann. It should be the Euler zeta function instead.


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneider


Rudin
Veteran
Veteran

User avatar

Joined: 7 Jun 2015
Age: 23
Posts: 1,046
Location: Southern Ontario

16 Aug 2015, 11:49 am

eric76 wrote:
Rudin wrote:
eric76 wrote:
For the most part, I use pass phrases, not passwords. The pass phrases are typically four to six words. I often try to make sure that at least one of the words is quite rare.

The dictionary of obscure words at http://phrontistery.info/ihlstart.html is a good place to choose one or two of the words in the pass phrase.

In general, though, if your dictionary from which you chose the words contains 100,000 words, then with five words, using the same dictionary an attacker would have 10^25 passphrases to try out. Using a sufficiently obscure word that is not in smaller dictionaries would help keep the attacker wasting his time.

In my case, I make the pass phrases into a phrase to make it easier to remember, not just a list of four to six words. If an attacker used this, he could cut back a bit on the amount of combinations to try. On the other hand, including a little punctuation offsets some of that.

Sample pass phrases one could use:

* Henry's garnetiferous tortoise adores xanthometers.
* Queen Omar, the kangaroo, exhibits gametogenesis

(Note that words like "a", "an", "and", "the", ... do not count as a word in the pass phrase.)

One great thing about pass phrases is that they can be readily learned. Just make sure you don't have two different pass phrases that begin with the same word.

For what it's worth, I once used "e^(i*pi)+1=0" as a password. It's incredibly easy to remember but not very secure. After thinking about it overnight, I changed it to include a phrase in front applauding Euler.

For what it's worth, the longest pass phrase I ever used was something similar to "George went to the arctic seeking fine woolen bathrobes but all he could find was a fish and nine marbles."


e^(i*pi)+1=0 is not a bad password. It is twelve characters long so there are 104^12 possible combinations of what it could and would take years to crack.


Every mathematician, physicist, or engineer who has a minimum level of competency will know Euler's formula. I would be surprised if some of the cracking dictionaries do not contain one or more ways that it could be expressed on the computer. It's too obvious not to include it.

Quote:
What you are talking about is called "diceware" passwords which I forgot to mention, they are very secure.


Diceware is a method of choosing the passwords or pass phrases. if you do not use that method, then it is simply not a diceware password/pass phrase.

Quote:
There are 7776 possible combinations for a diceware password 6 words is enough.

7776^6=221073919720733357899776 combinations, the NSA can break your password in about 7005 years.

To add more security to a diceware password separate it by a special characters, preferably a rare one like a Greek symbol or the symbol for a pound or Bitcoin. This adds more complexity to your password.

Also two-step verification should be used always. A two step verification method is having the website you are trying to sign in on send you a PGP private message using your public key and you have to decrypt it and type the data into a text box.


Just how do you require a web site to do that? What methods a web site uses is up to the web site owners -- I've yet to see a web site do as you suggest.

In any event, if a web site required that to log on, I probably wouldn't bother.


Why? It's no simple and so secure.

Two-step authentication methods like SMS can be jacked, verification questions can be secure depending on the circumstances and pin codes can be cracked by hand.

You just use an application like gpg4usb to generate public keys, did you think I meant decrypt it by hand? Absolutely not.

Google has an option to do this: https://support.google.com/accounts/ans ... 3523?hl=en


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneider


eric76
Veteran
Veteran

User avatar

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

16 Aug 2015, 12:07 pm

Rudin wrote:
eric76 wrote:
Rudin wrote:
eric76 wrote:
For the most part, I use pass phrases, not passwords. The pass phrases are typically four to six words. I often try to make sure that at least one of the words is quite rare.

The dictionary of obscure words at http://phrontistery.info/ihlstart.html is a good place to choose one or two of the words in the pass phrase.

In general, though, if your dictionary from which you chose the words contains 100,000 words, then with five words, using the same dictionary an attacker would have 10^25 passphrases to try out. Using a sufficiently obscure word that is not in smaller dictionaries would help keep the attacker wasting his time.

In my case, I make the pass phrases into a phrase to make it easier to remember, not just a list of four to six words. If an attacker used this, he could cut back a bit on the amount of combinations to try. On the other hand, including a little punctuation offsets some of that.

Sample pass phrases one could use:

* Henry's garnetiferous tortoise adores xanthometers.
* Queen Omar, the kangaroo, exhibits gametogenesis

(Note that words like "a", "an", "and", "the", ... do not count as a word in the pass phrase.)

One great thing about pass phrases is that they can be readily learned. Just make sure you don't have two different pass phrases that begin with the same word.

For what it's worth, I once used "e^(i*pi)+1=0" as a password. It's incredibly easy to remember but not very secure. After thinking about it overnight, I changed it to include a phrase in front applauding Euler.

For what it's worth, the longest pass phrase I ever used was something similar to "George went to the arctic seeking fine woolen bathrobes but all he could find was a fish and nine marbles."


e^(i*pi)+1=0 is not a bad password. It is twelve characters long so there are 104^12 possible combinations of what it could and would take years to crack.


Every mathematician, physicist, or engineer who has a minimum level of competency will know Euler's formula. I would be surprised if some of the cracking dictionaries do not contain one or more ways that it could be expressed on the computer. It's too obvious not to include it.

Quote:
What you are talking about is called "diceware" passwords which I forgot to mention, they are very secure.


Diceware is a method of choosing the passwords or pass phrases. if you do not use that method, then it is simply not a diceware password/pass phrase.

Quote:
There are 7776 possible combinations for a diceware password 6 words is enough.

7776^6=221073919720733357899776 combinations, the NSA can break your password in about 7005 years.

To add more security to a diceware password separate it by a special characters, preferably a rare one like a Greek symbol or the symbol for a pound or Bitcoin. This adds more complexity to your password.

Also two-step verification should be used always. A two step verification method is having the website you are trying to sign in on send you a PGP private message using your public key and you have to decrypt it and type the data into a text box.


Just how do you require a web site to do that? What methods a web site uses is up to the web site owners -- I've yet to see a web site do as you suggest.

In any event, if a web site required that to log on, I probably wouldn't bother.


Why? It's no simple and so secure.

Two-step authentication methods like SMS can be jacked, verification questions can be secure depending on the circumstances and pin codes can be cracked by hand.

You just use an application like gpg4usb to generate public keys, did you think I meant decrypt it by hand? Absolutely not.

Google has an option to do this: https://support.google.com/accounts/ans ... 3523?hl=en


Google sends PGP encrypted messages as a two step authentication?

I've had PGP keys for e-mail since the mid 1990s. It is pretty rare to receive an e-mail encrypted with PGP. On the other hand, I have used mailing lists on which some people signed their e-mails with their PGP keys. And I've done that many times as well.

In any event, there are very few web sites where I'm at sufficiently worried about someone guessing my password to log into. This site is such an example. For those very few where I would like something more, none of them, to the best of my knowledge, do anything like that. That is their decision, not mine.

What I would rather see is the use of RSA keys to log into web sites just like I already use for logging into various computers using ssh.



Rudin
Veteran
Veteran

User avatar

Joined: 7 Jun 2015
Age: 23
Posts: 1,046
Location: Southern Ontario

16 Aug 2015, 12:24 pm

eric76 wrote:
Rudin wrote:
eric76 wrote:
Rudin wrote:
eric76 wrote:
For the most part, I use pass phrases, not passwords. The pass phrases are typically four to six words. I often try to make sure that at least one of the words is quite rare.

The dictionary of obscure words at http://phrontistery.info/ihlstart.html is a good place to choose one or two of the words in the pass phrase.

In general, though, if your dictionary from which you chose the words contains 100,000 words, then with five words, using the same dictionary an attacker would have 10^25 passphrases to try out. Using a sufficiently obscure word that is not in smaller dictionaries would help keep the attacker wasting his time.

In my case, I make the pass phrases into a phrase to make it easier to remember, not just a list of four to six words. If an attacker used this, he could cut back a bit on the amount of combinations to try. On the other hand, including a little punctuation offsets some of that.

Sample pass phrases one could use:

* Henry's garnetiferous tortoise adores xanthometers.
* Queen Omar, the kangaroo, exhibits gametogenesis

(Note that words like "a", "an", "and", "the", ... do not count as a word in the pass phrase.)

One great thing about pass phrases is that they can be readily learned. Just make sure you don't have two different pass phrases that begin with the same word.

For what it's worth, I once used "e^(i*pi)+1=0" as a password. It's incredibly easy to remember but not very secure. After thinking about it overnight, I changed it to include a phrase in front applauding Euler.

For what it's worth, the longest pass phrase I ever used was something similar to "George went to the arctic seeking fine woolen bathrobes but all he could find was a fish and nine marbles."


e^(i*pi)+1=0 is not a bad password. It is twelve characters long so there are 104^12 possible combinations of what it could and would take years to crack.


Every mathematician, physicist, or engineer who has a minimum level of competency will know Euler's formula. I would be surprised if some of the cracking dictionaries do not contain one or more ways that it could be expressed on the computer. It's too obvious not to include it.

Quote:
What you are talking about is called "diceware" passwords which I forgot to mention, they are very secure.


Diceware is a method of choosing the passwords or pass phrases. if you do not use that method, then it is simply not a diceware password/pass phrase.

Quote:
There are 7776 possible combinations for a diceware password 6 words is enough.

7776^6=221073919720733357899776 combinations, the NSA can break your password in about 7005 years.

To add more security to a diceware password separate it by a special characters, preferably a rare one like a Greek symbol or the symbol for a pound or Bitcoin. This adds more complexity to your password.

Also two-step verification should be used always. A two step verification method is having the website you are trying to sign in on send you a PGP private message using your public key and you have to decrypt it and type the data into a text box.


Just how do you require a web site to do that? What methods a web site uses is up to the web site owners -- I've yet to see a web site do as you suggest.

In any event, if a web site required that to log on, I probably wouldn't bother.


Why? It's no simple and so secure.

Two-step authentication methods like SMS can be jacked, verification questions can be secure depending on the circumstances and pin codes can be cracked by hand.

You just use an application like gpg4usb to generate public keys, did you think I meant decrypt it by hand? Absolutely not.

Google has an option to do this: https://support.google.com/accounts/ans ... 3523?hl=en


Google sends PGP encrypted messages as a two step authentication?

I've had PGP keys for e-mail since the mid 1990s. It is pretty rare to receive an e-mail encrypted with PGP. On the other hand, I have used mailing lists on which some people signed their e-mails with their PGP keys. And I've done that many times as well.

In any event, there are very few web sites where I'm at sufficiently worried about someone guessing my password to log into. This site is such an example. For those very few where I would like something more, none of them, to the best of my knowledge, do anything like that. That is their decision, not mine.

What I would rather see is the use of RSA keys to log into web sites just like I already use for logging into various computers using ssh.


I think they generate the keys, they have some sort of PGP setup of some sort.

By the way, what is your profession? You come across as a mathematician or computer programmer.

I don't use RSA to log into my computer but it is encrypted using LUKS, I think it might be 4096-bit but I'm not sure.


_________________
"God may not play dice with the universe, but something strange is going on with prime numbers."

-Paul Erdos

"There are two types of cryptography in this world: cryptography that will stop your kid sister from looking at your files, and cryptography that will stop major governments from reading your files."

-Bruce Schneider