
Anonymous
Veteran

Joined: 23 Nov 2006
Age: 29
Gender: Male
Posts: 49,258
Location: Portland, Oregon

03 Aug 2018, 9:47 pm

Do you agree with this list written back in June of this year? :lol:

https://bestlifeonline.com/the-50-most-common-passwords-you-should-never-use/


_________________
Silly NTs, I have Aspergers, and having Aspergers is gr-r-reat!


naturalplastic
Veteran

Joined: 26 Aug 2010
Age: 64
Gender: Male
Posts: 19,325
Location: temperate zone

07 Aug 2018, 8:14 am

Always heard that the two worst were "password", and "Letmein".



kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 1,483
Location: amid the sunlight and the dust and the wind

16 Nov 2018, 10:45 pm

My typical passwords are passphrases. That is, four or more words that make a nonsensical thought. Often, some words are plays on words but are not themselves words, as far as I know.

For example, "Semi-aquatic Mystics Harboring Tyrotoxic Tendencies"

I usually have at least one rare word (or play on a rare word) to increase the size of the dictionary required for a dictionary attack on a shorter passphrase. I've used passphrases as long as 20 to 25 words. For passphrases that long, not having a rare word in the passphrase is not an issue.

A couple of years ago, I loaned someone a wifi router while they moved their office. For a passphrase to connect to the router, I used "I wish I were an Oscar Mayer weiner". As it turned out, there seem to be a lot of spelling variations of both "Mayer" and "weiner".



fiber bundle
Sea Gull

Joined: 20 Sep 2016
Age: 24
Gender: Male
Posts: 246

18 Nov 2018, 11:19 pm

This:

Quote:



lostonearth35
Veteran

Joined: 5 Jan 2010
Age: 44
Gender: Female
Posts: 8,314
Location: In my own little world. :)

18 Nov 2018, 11:36 pm

The only thing wrong with making a cool and original password is that you can't tell anyone what it is.



mjb4321
Emu Egg

Joined: 30 Sep 2018
Age: 27
Gender: Male
Posts: 2
Location: London, Ontario

19 Nov 2018, 11:06 am

Passwords would be useless if you had a MAC address filter on your router. You wouldn't be able to connect. Unless they knew how to spoof MAC addresses. But yeah, website passwords are another story, just get LastPass with password generation, for security.



blindjack
Emu Egg

Joined: 18 Dec 2016
Age: 69
Gender: Male
Posts: 5
Location: UK

01 Dec 2018, 5:40 pm

If anyone is interested, I create passwords all the time for the staff users in the school where I work.
Like it says in all the on-line guidance, in order to defeat attacks passwords need to have a mixture of the four different character forms (lower case, upper case, figures and symbols) and be a reasonable length.
Since I am not creating these passwords for myself, I have to come up with something that is not only sufficiently random to make guessing nearly impossible, but also sufficiently memorable for the user to have a chance of retaining it. Something like 22kIox$41 is reasonably complex, but most people would find it hard to learn and difficult to remember. The passwords I come up with all have ordinary words in a simple phrase that the user can remember, but which are still random enough to defeat guessing and make the time to break via other attacks (such as brute force attacks) too long to be useful.

The typical passwords I give to users are like:

[email protected]? which can be remembered as "fall off 14?"

puL4u$99X (pull for us 99 X)

[email protected]! (sing a song 6!)

You get the idea.

Surprisingly few of the staff I give these passwords to ever ask for them to be changed because they have problems remembering them.



kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 1,483
Location: amid the sunlight and the dust and the wind

01 Dec 2018, 6:33 pm

blindjack wrote:
If anyone is interested, I create passwords all the time for the staff users in the school where I work.
Like it says in all the on-line guidance, in order to defeat attacks passwords need to have a mixture of the four different character forms (lower case, upper case, figures and symbols) and be a reasonable length.


That's not precisely true.

They need to be hard to guess. That means no common passwords and of sufficient length for their complexity to make attacks take a very long time.

For a short password, lower case, upper case, numbers, and punctuation are necessary.

I'm not sure what all punctuation and symbols can be used in a password, but suppose that 18 punctuation symbols could be included. With 10 numbers, 26 upper case, and 26 lower case symbols and 18 punctuation symbols, that would give you 80 different symbols. Then there would be 80^n different passwords of length n. If n=8, an attacker would have 80^8 different passwords to work through. If the attacker knows that there has to be at least one lower case letter, one upper case letter, one number, and one punctuation symbol, then the number of passwords needed in the attack would be reduced.

If, on the other hand, you used just five words randomly selected from a dictionary of just 20,000 words, they would have 20,000^5 passwords to work through, approximately 2,000,000 times as many to have to try. If you try to do like me and include at least one rare or archaic word, it would take a much larger number of attempts to guess the password.

In other words, an attacker would have a far more difficult time trying to guess a password of "teenager grey breakfast tyrotoxism foundation" than he would "[email protected]?".

The fastest password guessing cluster of computers that I know of can try 350,000,000,000 (350 billion) passwords per second. It could get "[email protected]?" in a bit more than an hour. (80^8/350000000000 = 4793 seconds).

If your password was made up of 5 words randomly chosen from a dictionary of 20,000 words, it would take nearly 300 years if he used the same technique to create passwords to guess.

Throw in some punctuation and maybe capitalize a word or two or, even better, capitalize a letter or two inside a word and you just made it even harder.

One thing to remember is that it isn't people sitting at a terminal trying to guess passwords that is the problem. It is also not programs connecting across the internet and trying different passwords. It is people breaking into computers to steal the password files and then testing passwords on their own computers against those files.

One other thing. Replacing 'a' with '@', 's' with '$', 'for' with '4', and other such replacements are purely cosmetic. Attackers know these tricks and test for those. They may impress the user, but they are not likely to slow an attacker down much.
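The arithmetic in the post above is easy to reproduce. The following Python is an added example, not code from the thread: it computes the two keyspaces, the worst-case guessing time at the quoted 350 billion guesses per second, and (by inclusion-exclusion) how much the search shrinks when the attacker knows every character class must appear. The 18-symbol punctuation set, the 20,000-word dictionary and the guessing rate are the post's own assumptions; the 365-day year is mine.

```python
import math

# Character classes and sizes as assumed in the post (18 punctuation marks is the post's guess).
CHARACTER_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "punct": 18}

# Guessing rate quoted in the post: 350 billion candidates per second.
GUESSES_PER_SECOND = 350_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day years


def keyspace(alphabet_size, length):
    """Number of strings of the given length over an alphabet of alphabet_size symbols."""
    return alphabet_size ** length


def keyspace_requiring_every_class(class_sizes, length):
    """Strings of the given length that contain at least one symbol from EVERY class.

    Inclusion-exclusion over the set of classes left out: for each subset of excluded
    classes add or subtract (remaining alphabet)^length depending on the subset's parity.
    """
    sizes = list(class_sizes.values())
    total_alphabet = sum(sizes)
    count = 0
    for mask in range(1 << len(sizes)):
        excluded = [sizes[i] for i in range(len(sizes)) if (mask >> i) & 1]
        remaining = total_alphabet - sum(excluded)
        sign = -1 if len(excluded) % 2 else 1
        count += sign * remaining ** length
    return count


def entropy_bits(space):
    """Equivalent entropy in bits for a secret chosen uniformly from a space of this size."""
    return math.log2(space)


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guessing rate."""
    return space / rate


def years_to_exhaust(space, rate=GUESSES_PER_SECOND):
    return seconds_to_exhaust(space, rate) / SECONDS_PER_YEAR


def compare_post_examples():
    """The post's two cases: 8 characters over 80 symbols versus 5 words from a 20,000-word list."""
    mixed_8 = keyspace(sum(CHARACTER_CLASSES.values()), 8)
    words_5 = keyspace(20_000, 5)
    return {
        "mixed_8_seconds": seconds_to_exhaust(mixed_8),
        "mixed_8_all_classes_required": keyspace_requiring_every_class(CHARACTER_CLASSES, 8),
        "words_5_years": years_to_exhaust(words_5),
        "ratio_words_to_mixed": words_5 / mixed_8,
        "mixed_8_bits": entropy_bits(mixed_8),
        "words_5_bits": entropy_bits(words_5),
    }


if __name__ == "__main__":
    for name, value in compare_post_examples().items():
        print(f"{name}: {value:,.2f}")
```

Requiring all four classes in an 8-character password removes roughly half of the 80^8 candidates, which is why a composition rule does not add strength; length does. The five-word passphrase comes out around 71 bits against about 51 bits for the 8-character mix.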



kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 1,483
Location: amid the sunlight and the dust and the wind

02 Dec 2018, 7:01 am

There's a very good article at https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html about creating secure passwords.

From the article:

Quote:
A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords, things like "letmein," "temp," "123456," and so on. Then it tested them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!," and so on. It recovered about a quarter of all passwords with just these 100,000 combinations.

Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: "$" for "s", "@" for "a," "1" for "l" and so on. This guessing strategy quickly breaks about two-thirds of all passwords.

Modern password crackers combine different words from their dictionaries:

Quote:
What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."
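The root-plus-appendage structure described in the quoted article is something a password policy can check for before a password is accepted. The following Python is an added example, not code from the thread or from the article: it strips one common suffix or prefix, undoes the cosmetic substitutions the article says crackers already test for, and looks the remaining root up in a dictionary. The root list, the extra appendages and the substitution map here are constructed for illustration; a real filter would load a breached-password list of millions of entries.

```python
# Constructed miniature root dictionary; a real deployment would use a large
# breached-password list instead of this handful.
COMMON_ROOTS = {"letmein", "temp", "password", "monkey", "qwerty", "welcome"}

# Appendages named in the quoted article ("1", "4u", "69", "abc", "!") plus constructed ones.
COMMON_APPENDAGES = ["1", "4u", "69", "abc", "!", "123", "2014", "2018"]

# Cosmetic substitutions the article says crackers already apply to their dictionaries.
SUBSTITUTIONS = {"$": "s", "@": "a", "1": "l", "0": "o", "3": "e", "!": "i"}


def strip_appendage(password):
    """Remove one common suffix (tried first, as the article says 90% are suffixes)
    or prefix. Returns (root, appendage, position); position is None if nothing matched."""
    by_length = sorted(COMMON_APPENDAGES, key=len, reverse=True)
    for app in by_length:
        if len(password) > len(app) and password.endswith(app):
            return password[: -len(app)], app, "suffix"
    for app in by_length:
        if len(password) > len(app) and password.startswith(app):
            return password[len(app):], app, "prefix"
    return password, "", None


def normalize_root(root):
    """Undo leetspeak substitutions and case so 'P@ssw0rd' compares equal to 'password'."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in root).lower()


def classify(password):
    """Describe why a password would fall to a root+appendage dictionary pass,
    or return None if this check finds nothing."""
    root, appendage, position = strip_appendage(password)
    normalized = normalize_root(root)
    if normalized not in COMMON_ROOTS:
        return None
    if appendage:
        return f"root '{normalized}' with {position} '{appendage}'"
    return f"root '{normalized}' with no appendage"


def is_weak(password):
    return classify(password) is not None


if __name__ == "__main__":
    for candidate in ["Letmein4u", "P@ssw0rd1", "123temp", "monkey",
                      "teenager grey breakfast tyrotoxism foundation"]:
        print(f"{candidate!r}: {classify(candidate)}")
```

The order matters: the appendage is stripped from the raw string before substitutions are undone, otherwise a trailing "1" would be read as an "l" and the suffix would be missed. A check like this only rejects the pattern the article describes; it says nothing about passwords that are weak for other reasons.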



jrshupu92
Emu Egg

Joined: 12 Dec 2018
Age: 26
Gender: Male
Posts: 1

13 Dec 2018, 12:57 am

One benefit of a dumb password is that you can easily crack it once you've forgotten it, lol :D



Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,464
Location: Sweden

15 Dec 2018, 6:32 am

kokopelli wrote:
One thing to remember is that it isn't people sitting at a terminal trying to guess passwords that is the problem. It is also not programs connecting across the internet and trying different passwords. It is people breaking into computers to steal the password files and then testing passwords on their own computers against those files.


Actually, there are precalculated password hashes to compare against (Rainbow tables) and that takes seconds at best.

When someone asks me about password security, I usually point at this:
Image


_________________
"It is far better to grasp the Universe as it really is than to persist in delusion, however satisfying and reassuring" (Carl Sagan)


kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 1,483
Location: amid the sunlight and the dust and the wind

15 Dec 2018, 6:50 am

Ichinin wrote:
kokopelli wrote:
One thing to remember is that it isn't people sitting at a terminal trying to guess passwords that is the problem. It is also not programs connecting across the internet and trying different passwords. It is people breaking into computers to steal the password files and then testing passwords on their own computers against those files.


Actually, there are precalculated password hashes to compare against (Rainbow tables) and that takes seconds at best.


That would depend on a number of factors. If using a salt, Rainbow tables are completely ineffective unless the Rainbow tables were calculated using that salt. The salt wouldn't need to be kept secret since any attacker would have to completely rebuild the table from scratch using the new salt.

It is even better if the system performs the hash some large number of times. My systems generally recompute the hash 2^7 number of times which is far from enough for my tastes. I'd like to see the computation take at least a second for every login. If you have a billion password entries in the table and you have to recompute the table using the system salt and it takes one second of calculation per password, it would take a month to recompute the table. And on another computer with a different salt, another month to recompute the table for that computer.

On my main system, at the highest setting it would take 91 hours to compute the hash for a single password. Obviously I don't use that.

Some systems now use a different random salt for every password. You could have the same password on multiple accounts, but the hash stored in the password table would be entirely different for each.

Rainbow tables can work but are relatively easy to defeat. Of course, if you are using a Microsoft operating system, then all you can do is cross your fingers and hope.

Ichinin wrote:
When someone asks me about password security, i usually point at this:
Image


I always like that cartoon. These days, I don't think that four words are enough for anything you want to be really secure. I use six words, some far from common, for my e-mail and am thinking about using two factor authentication for my main e-mail. My main account on my primary workstation is seven words. Also my RSA passwords for ssh are 7 words long.

My longest passphrases are in the 15 to 20 word range.

Sometimes I use one time passwords. For a one time password, you have a different six word password for every login (it used to be four word passwords).



Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,464
Location: Sweden

15 Dec 2018, 11:56 am

Well, there is a reason why rainbow tables exist... Pentesters use stuff like that successfully all the time. Of course, they don't need to crack passwords, but it's part of the testing I guess.

Wrote my own pw manager that is 100% generative. You enter a password or passphrase, then it runs 1000 iterations with some entropy thrown in at a specific round of the iterations so each pw/entropy combo generates a specific resulting password. It's all explained in the PDF.

Unfortunately some shitty AV did lame ass heuristics on the binary and the source code and apparently classified it as "containing a virus" because of a feature I use (hotkey to type the PW into a browser field using GetKeyAsynchState and SendKeys), so now I get a warning for my OWN CODE when I download it off Google Drive. Fun eh?


_________________
"It is far better to grasp the Universe as it really is than to persist in delusion, however satisfying and reassuring" (Carl Sagan)


kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 1,483
Location: amid the sunlight and the dust and the wind

15 Dec 2018, 2:46 pm

Ichinin wrote:
Well, there is a reason why rainbow tables exist... Pentesters use stuff like that successfully all the time. Of course, they don't need to crack passwords, but it's part of the testing I guess.

Wrote my own pw manager that is 100% generative. You enter a password or passphrase, then it runs 1000 iterations with some entropy thrown in at a specific round of the iterations so each pw/entropy combo generates a specific resulting password. It's all explained in the PDF.

Unfortunately some shitty AV did lame ass heuristics on the binary and the source code and apparently classified it as "containing a virus" because of a feature I use (hotkey to type the PW into a browser field using GetKeyAsynchState and SendKeys), so now I get a warning for my OWN CODE when I download it off Google Drive. Fun eh?


They work against Windows machines.

I primarily use OpenBSD.

The following are five entries of the password "foo". It includes an identification of the method to use, the number of rounds, the random salt, and the hashed password.

$2b$12$NtOpBM2s1/k6XQB1BxJgyOe27Jz8NI/11qZ4KRFqQrnplUtqTtw0q
$2b$12$nAy8Vq9PFndaJs7lIuqAG.SbgXOTieQ5PTiCZ47rBRzVsi.WQgCHm
$2b$12$yKPLN2a2XrwORFEjxbrw8O8TaHntVmBFtrbfpDrUnDAU6hrNLXRzm
$2b$12$sJ.5/iV0rqtjxiYX7yL.WuqcQPpbklDylYLf.SRM8I0fU5.5BuzDy
$2b$12$FtVgNyfFZ0AkkvLjqGIjt.EWTxqYzZjFo8Gk6SbPmYRpscTBXKRD2

If I ran that a billion times, it is unlikely that any two hashes would match.

It would be impossible today (it might even be impossible a billion years from now) for anyone to build a Rainbow Table large enough to just pick out the hashes for the password "foo". And correspondingly larger for all passwords one might want to include. The salt is 128 bits. The number of rounds can be from 2^4 to 2^31.

On this computer, it takes approximately .65 seconds to go through 2^12 rounds. Thus, to generate a Rainbow Table for all possible salts for 2^12 rounds on this computer, would require .65 * 2^128 seconds or about 7,013,683,996,023,909,222,830,843,950,743 years just for all possible entries for the password "foo".

To include all possible entries for 2^31 rounds would require another 3,677,190,354,907,383,318,619,537,513,247,446,722 years if my calculation is correct. That would probably be unnecessary since with 2^31 rounds it would take slightly more than 90 hours to log onto the computer if you entered the password correctly.

Also, to store just the complete Rainbow Table for the password 'foo' using just 2^12 rounds would require more storage than the total of all of the computer storage (hard drives, tape drives, drums, solid state, paper tape, and anything else I might have forgotten) than has ever existed.

Rainbow Tables may work against Windows computers, but they are useless against any reasonable password scheme.



Last edited by kokopelli on 15 Dec 2018, 3:15 pm, edited 3 times in total.
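The salt-and-rounds argument made across kokopelli's two posts above (salts defeat precomputed tables, and a cost factor multiplies the work) can be checked against the five hash strings the post quotes. The following Python is an added example, not from the thread: it parses the bcrypt modular-crypt layout (`$2b$` variant, two-digit cost, 22-character salt, 31-character digest in bcrypt's `./A-Za-z0-9` alphabet), confirms the five entries for "foo" use five different salts, and reproduces the post's time estimates from its own measured 0.65 seconds at cost 12. Since bcrypt is not in the Python standard library, the salted-and-stretched hash at the end is a stand-in built on PBKDF2-HMAC-SHA256, which is my substitution, not the post's scheme; it shows the same property, that one password under different salts gives unrelated digests.

```python
import hashlib
import re

# The five bcrypt entries for the password "foo" quoted in the post above.
PAGE_ENTRIES = [
    "$2b$12$NtOpBM2s1/k6XQB1BxJgyOe27Jz8NI/11qZ4KRFqQrnplUtqTtw0q",
    "$2b$12$nAy8Vq9PFndaJs7lIuqAG.SbgXOTieQ5PTiCZ47rBRzVsi.WQgCHm",
    "$2b$12$yKPLN2a2XrwORFEjxbrw8O8TaHntVmBFtrbfpDrUnDAU6hrNLXRzm",
    "$2b$12$sJ.5/iV0rqtjxiYX7yL.WuqcQPpbklDylYLf.SRM8I0fU5.5BuzDy",
    "$2b$12$FtVgNyfFZ0AkkvLjqGIjt.EWTxqYzZjFo8Gk6SbPmYRpscTBXKRD2",
]

# bcrypt modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>.
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

SECONDS_PER_YEAR = 365 * 24 * 3600  # the post's figures come out with 365-day years


def parse_bcrypt(entry):
    """Split a bcrypt string into its method, cost (log2 of rounds), salt and digest."""
    m = BCRYPT_RE.match(entry)
    if not m:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "rounds": 2 ** int(cost),
            "salt": salt, "digest": digest}


def salts_are_distinct(entries):
    """True when every entry carries its own salt (the property the post relies on)."""
    salts = [parse_bcrypt(e)["salt"] for e in entries]
    return len(set(salts)) == len(salts)


def seconds_per_hash_at_cost(measured_seconds, measured_cost, target_cost):
    """bcrypt work doubles per cost step, so scale a measured time by 2^(difference)."""
    return measured_seconds * 2 ** (target_cost - measured_cost)


def rainbow_table_years(seconds_per_hash, salt_bits=128):
    """The post's estimate: years to precompute ONE password under every possible salt."""
    return seconds_per_hash * 2 ** salt_bits / SECONDS_PER_YEAR


def stretched_hash(password, salt, rounds):
    """Stand-in salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library).
    Not bcrypt; used here only to show the effect of the salt and the round count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


if __name__ == "__main__":
    for entry in PAGE_ENTRIES:
        print(parse_bcrypt(entry))
    print("distinct salts:", salts_are_distinct(PAGE_ENTRIES))
    print("years for one password, cost 12:", f"{rainbow_table_years(0.65):.4e}")
    cost31 = seconds_per_hash_at_cost(0.65, 12, 31)
    print("hours per login at cost 31:", f"{cost31 / 3600:.1f}")
    print(stretched_hash("foo", b"salt-A", 1000)[:16], stretched_hash("foo", b"salt-B", 1000)[:16])
```

Run against the five page entries, every salt differs while method and cost stay `2b` and 12 (4096 rounds), and the 0.65-second measurement scales to the post's 7.0e30 years at cost 12 and 3.7e36 years at cost 31. The useful operational reading is the per-login cost: doubling the cost factor doubles both the legitimate login time and the attacker's per-guess time, so the cost is chosen against the login budget rather than raised without limit.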

TUF
Veteran

Joined: 10 Dec 2018
Gender: Female
Posts: 502

15 Dec 2018, 2:55 pm

Mine isn't on here but I should prob not use it cos I learnt it as a kid from my stepdad who thought it was a great idea if everyone in the family used something he thought was clever.
Never quite sure why mum went along with that. I do now out of habit but need to stop.