• GCHQ recommends easier passwords
    51 replies, posted
From: [url]http://www.theguardian.com/technology/2015/sep/11/gchq-password-advice[/url] --------------------------- [quote]The UK intelligence agency responsible for vast amounts of snooping, as exposed by the Snowden revelations, has released new password guidelines. GCHQ and the Centre for the Protection of National Infrastructure have released a report entitled “Password guidance: simplifying your approach”, which suggests that complex passwords are no longer recommended. The agency instead recommends using passwords made from three random words, using password managers and jettisoning overly complex password rules in favour of systems capable of detecting unauthorised activity.[/quote] [quote]However, some will be sceptical about trusting the advice of the intelligence agency of a government which has pushed for backdoors within software and the weakening of encryption used to protect user data for surveillance purposes.[/quote] The report: [url]https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf[/url] Essentially: Guys make our job easier please
[QUOTE]The agency instead recommends using passwords made from three random words[/QUOTE] Please let us bruteforce your passwords with a dictionary
The public recommends GCHQ to fuck off
[QUOTE=wickedplayer494;48673277]The public recommends GCHQ to fuck off[/QUOTE] +1 To be honest I think the best password should be made from a sequence of numbers and letters that you can 'just remember' e.g. AVRX69ddy2! if you can find one that rhymes to your favorite song / tune you will remember it much easier, as there are no words, standard dictionary attack won't work, and with. [img]http://i.imgur.com/V05YEws.png[/img] You are safe against Directory and Brute force.
[QUOTE=i_speel_good;48673276]Please let us bruteforce your passwords with a dictionary[/QUOTE] If you use less common words and vary spelling/capitalisation and spacing (and preferably use four or five words instead of just three) this is still really hard to crack; one common system is [url=https://en.wikipedia.org/wiki/Diceware]Diceware[/url], which is secure. Not that I think GCHQ is trying to promote that...
Of all the ways GCHQ and NSA are going to get at your shit, brute forcing is the least likely
I myself am addicted to using random strings of numbers and letters as my password, but it would be better for me to "simplify" it in a way so that it's easier for me to remember it but just as hard for them to bruteforce it. [IMG]https://imgs.xkcd.com/comics/password_strength.png[/IMG] Just do something like this, with numbers instead of letters and some combination of symbols or whatever.
[QUOTE=i_speel_good;48673276]Please let us bruteforce your passwords with a dictionary[/QUOTE] That's not how it works. Let's say you are vaguely educated and know 10000 English words. Randomly choosing 4 means 416416712497500 combinations, and that's ignoring the fact that a lot of people make it up to 20000 words, or that you can use a plural of something, or declination, or whatever, which further makes the words bigger. If you go the "classic" password, 8 characters long, and count with approximately 90 characters in the ascii table (includes normal letters, capital letters, and all the other characters), that leaves you with 77515521435 combinations, which is about five thousand times fewer possible combinations than we got with the low estimate of four dictionary words and trying to guess them by dictionary. Using 4 common dictionary words is more secure against a dictionary attack than getting an 8 character random ascii password, and mainly SIGNIFICANTLY easier to remember.
[QUOTE=Octopod;48673404]I myself am addicted to using random strings of numbers and letters as my password, but it would be better for me to "simplify" it in a way so that it's easier for me to remember it but just as hard for them to bruteforce it. [IMG]https://imgs.xkcd.com/comics/password_strength.png[/IMG] Just do something like this, with numbers instead of letters and some combination of symbols or whatever.[/QUOTE] What are dictionary attacks?
Not to mention most attempts to crack a password like that will [I]not[/I] be dictionary attempts to randomly clamp 4 words together, but instead just brute force character after character. My passwords made up of just common words are ~30 characters long. Do the maths on how long it would take to bruteforce that character by character. [editline]13th September 2015[/editline] [QUOTE=Killuah;48673452]What are dictionary attacks?[/QUOTE] See just above. [editline]13th September 2015[/editline] Whoever wrote this article is just retarded lol.
[QUOTE=Killuah;48673452]What are dictionary attacks?[/QUOTE] Besides Awesomecaek's explanation, the 2^44 figure in the xkcd is even based on dictionary attacks: 11 bits of entropy per word, so each word is one of 2048 possible words.
Please if you still have doubts read the [url=https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf]actual report[/url] on your own and tell me if it makes you feel like they are trying to trick people into storing their information less securely.
Also, the article wrongly states "three words", the report says "four".
[QUOTE=Matthew0505;48673410]Or just use a Password Manager like they said and have it generate with the maximum entropy possible on wherever you're using it.[/QUOTE] I've started doing this and I think it's made my life so much easier. There are accounts for things I use very rarely (like once a year) that have unique passwords and I always end up having to recover them. I started using KeePass now and it's great. Obviously the only problem now is if someone got a hold of the password database file and my password, or if I lost it somehow.
[QUOTE=The DooD;48673584]I've started doing this and I think it's made my life so much easier. There are accounts for things I use very rarely (like once a year) that have unique passwords and I always end up having to recover them. I started using KeePass now and it's great. Obviously the only problem now is if someone got a hold of the password database file and my password, or if I lost it somehow.[/QUOTE] That's why I upload the master file to like 4 different sites.
[QUOTE=nuttyboffin;48673299]+1 To be honest I think the best password should be made from a sequence of numbers and letters that you can 'just remember' e.g. AVRX69ddy2! if you can find one that rhymes to your favorite song / tune you will remember it much easier, as there are no words, standard dictionary attack won't work, and with. [img]http://i.imgur.com/V05YEws.png[/img] You are safe against Directory and Brute force.[/QUOTE] You should link the original website, since it has a very good explanation of the concept: [url]https://www.grc.com/haystack.htm[/url]
[QUOTE=Killuah;48673452]What are dictionary attacks?[/QUOTE] pretty certain that all possible permutations of any 4 words in a dictionary takes a really unreasonable amount of time to solve, and also provides no guarantees that it'll even contain the right words in the sequence. dictionary attacks also don't use an actual dictionary lol they use a list of common passwords/hashes.
now that a lot of people are advertising the use of combining three or so words for a password, I'm fairly sure that type of password is going to become obsolete just like character replacements ("a" swapped with "@", "o" swapped with "0", etc) because it's been highly publicized
[QUOTE=nuttyboffin;48673299]+1 To be honest I think the best password should be made from a sequence of numbers and letters that you can 'just remember' e.g. AVRX69ddy2! if you can find one that rhymes to your favorite song / tune you will remember it much easier, as there are no words, standard dictionary attack won't work, and with. [img]http://i.imgur.com/V05YEws.png[/img] You are safe against Directory and Brute force.[/QUOTE] [img]http://i.imgur.com/1Ynf82C.png[/img] Is easier to remember [I]and[/I] more secure. And I want to see a dictionary that will guess this. [editline]14th September 2015[/editline] [QUOTE=awcmon;48679307]now that a lot of people are advertising the use of combining three or so words for a password, I'm fairly sure that type of password is going to become obsolete just like character replacements ("a" swapped with "@", "o" swapped with "0", etc) because it's been highly publicized[/QUOTE] And how exactly is that going to happen? There's no way of cheating guessing the password. The best you can do is to start picking random dictionary words, but even with 4 and 20000 word dictionary, there's more combinations than with 8 character random garblage password. Also keep in mind the hacker probably won't have any clue if your password is of this kind, or of short, random character kind, so he will have to probably try all these to some depth.
[QUOTE=Awesomecaek;48679448] Is easier to remember [I]and[/I] more secure. And I want to see a dictionary that will guess this. [/QUOTE]Imagine due to randomness the dictionary generator gets lucky and selects all these words on 1st try. Overall dictionary attacks are only good for 2 things: mass brute force and targeted attack if you're certain the password is all words. Otherwise adding even a single number/symbol will break the cracking process. Any decent site that uses salting should be safe from 1st.
Yeah people are getting tangled in the semantics. "dictionary attack" uses "dictionary" of common passwords and hopes you used one of the passwords other people have used before (with the passwords coming from incorrectly salted databases and such). You could theoretically try to crack my password by choosing random words from the dictionary, but again, firstly you would have to know that my password uses this and that you shouldn't try to go with ASCII character by character bruteforce, and secondly, it's still a MASSIVE volume of options to go through.
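The salting point made in the posts above, as an added example that is not from the thread: with an unsalted fast hash, one precomputed table of common-password hashes matches every user who chose one of them, whereas a per-user random salt plus an iterated KDF (PBKDF2 here, with an assumed work factor) forces the attacker to redo the work for each user. The tiny common-password list is constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for an attacker's list of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def unsalted_hash(password: str) -> str:
    """Weak scheme: a single SHA-256, identical for everyone with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_lookup_hits(stored_unsalted: List[str]) -> int:
    """Count how many stored unsalted hashes a precomputed table recovers at once."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return sum(1 for h in stored_unsalted if h in table)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger scheme: random 16-byte salt + PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def same_password_same_digest(password: str) -> Tuple[bool, bool]:
    """(unsalted digests collide?, salted digests collide?) for two users sharing a password."""
    unsalted_collide = unsalted_hash(password) == unsalted_hash(password)
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return unsalted_collide, d1 == d2


if __name__ == "__main__":
    print("unsalted hits:", precomputed_lookup_hits([unsalted_hash("qwerty"), unsalted_hash("correcthorse")]))
    print("collisions (unsalted, salted):", same_password_same_digest("password"))
```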
[QUOTE=Awesomecaek;48679490]Yeah people are getting tangled in the semantics. "dictionary attack" uses "dictionary" of common passwords and hopes you used one of the passwords other people have used before (with the passwords coming from incorrectly salted databases and such). You could theoretically try to crack my password by choosing random words from the dictionary, but again, firstly you would have to know that my password uses this and that you shouldn't try to go with ASCII character by character bruteforce, and secondly, it's still a MASSIVE volume of options to go through.[/QUOTE] Even a simple password that isn't in English will be a bitch to crack. Hell, if you don't know any other language just write something in Elvish or another nerd language.
[QUOTE=Octopod;48673404]I myself am addicted to using random strings of numbers and letters as my password, but it would be better for me to "simplify" it in a way so that it's easier for me to remember it but just as hard for them to bruteforce it. [IMG]https://imgs.xkcd.com/comics/password_strength.png[/IMG] Just do something like this, with numbers instead of letters and some combination of symbols or whatever.[/QUOTE] That's basically exactly what they're suggesting people do. And it does work, it's considerably easier to remember while being harder to brute force.
[QUOTE=Awesomecaek;48679448][img]http://i.imgur.com/1Ynf82C.png[/img] Is easier to remember [I]and[/I] more secure.[/QUOTE] Is it more secure than a random string of the same length or just that smaller password in the picture? If you're going to compare the two, at least make sure they are on equal grounds IE the same number of characters.
[QUOTE=asteroidrules;48679528]That's basically exactly what they're suggesting people do. And it does work, it's considerably easier to remember while being harder to brute force.[/QUOTE] Unless you're dyslexic, then it's a pain to remember. [editline]14th September 2015[/editline] [QUOTE=lxmach1;48679532]Is it more secure than a random string of the same length or just that smaller password in the picture? If you're going to compare the two, at least make sure they are on equal grounds IE the same number of characters.[/QUOTE] It is not more secure but it is 100 times easier to remember than a random string of same length. The chances of this getting broken are already very low. If you have something very important to password, you should consider using long ass bit keys. But for every day use word passwords like that are more than enough.
[QUOTE=itisjuly;48679549]Unless you're dyslexic, then it's a pain to remember. [editline]14th September 2015[/editline] It is not more secure but it is 100 times easier to remember than a random string of same length. The chances of this getting broken are already very low. If you have something very important to password, you should consider using long ass bit keys. But for every day use word passwords like that are more than enough.[/QUOTE] It is indeed easier to remember which is certainly a benefit. It's just misleading to try comparing those two passwords and then saying: [QUOTE=Awesomecaek;48679448][I]and[/I] more secure.[/QUOTE]
[QUOTE=asteroidrules;48679528]That's basically exactly what they're suggesting people do. And it does work, it's considerably easier to remember while being harder to brute force.[/QUOTE] The length is the only reason it's harder to brute force, a complex password of the same length will be considerably harder to brute. An English dictionary attack considerably reduces the actual number of attempts one needs to try, there are approx 171,476 words in the Oxford Dictionary, meaning if you brute attacked somebody that only had 1 word as their pass phrase your chances would be 1/171,476^1 whereas four words would be 171,476^4. What this means is that pass phrases are indeed strong when used in large quantities (3 or more words), they should really only be used when your goal is to memorize a password, and cannot use an encrypted password manager to store a 16+ character random password.
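The guess-space arithmetic argued in the posts above (10000-word vocabulary vs. 8 random characters from ~90 symbols, xkcd's 2^44, and the 171,476-word Oxford count), as an added example that is not from the thread. It counts ordered choices with repetition, which is the usual entropy model, adds Diceware's 7,776-word list, and assumes the 1,000 guesses/second rate the xkcd strip uses.

```python
import math

# Constructed scheme table: (alphabet size, number of positions). Sizes come
# from the thread; the Diceware list size is assumed from the standard list.
SCHEMES = {
    "8 random chars, 90-symbol alphabet": (90, 8),
    "4 words, 10,000-word vocabulary": (10_000, 4),
    "4 words, xkcd 2,048-word list": (2_048, 4),
    "4 words, 171,476-word Oxford list": (171_476, 4),
    "5 Diceware words, 7,776-word list": (7_776, 5),
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_space(alphabet_size: int, length: int) -> int:
    """Candidates when each position is drawn uniformly and independently."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits = log2 of the guess space."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time: on average the attacker searches half the space."""
    seconds = guess_space(alphabet_size, length) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Map scheme name -> (bits, expected years) at the given attacker rate."""
    return {
        name: (entropy_bits(n, k), expected_years_to_crack(n, k, guesses_per_second))
        for name, (n, k) in SCHEMES.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:38s} {bits:6.1f} bits  ~{years:.3g} years")
```

Raise the rate (e.g. 10**10 for an offline attack on a fast unsalted hash) to see why the thread's "any decent site that uses salting" caveat matters as much as the scheme itself.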
I've always used a gibberish prefix that's easy to memorize with a suffix vaguely relevant to whatever the account is for. Not the best path but easy to remember at least.
[QUOTE=lxmach1;48679532]Is it more secure than a random string of the same length or just that smaller password in the picture? If you're going to compare the two, at least make sure they are on equal grounds IE the same number of characters.[/QUOTE] It's obviously not as secure as using just a random string of the same length, but I am talking about passwords that one can normally memorize. If you manage to memorize 30 random characters then good for you.
Slightly related: [url]https://www.schneier.com/blog/archives/2015/08/nsa_plans_for_a.html[/url] [QUOTE]Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms. For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, [B]we recommend not making a significant expenditure[/B] to do so at this point but instead to [B]prepare for the upcoming quantum resistant algorithm transition.[/B][/QUOTE] [I]Lol, in the meantime, we'd like you to use weak crypto.[/I] (This is a slight exaggeration on my part.)