• GCHQ recommends easier passwords
    51 replies, posted
[QUOTE=PotcFdk;48679861]Slightly related: [url]https://www.schneier.com/blog/archives/2015/08/nsa_plans_for_a.html[/url] [I]Lol, in the meantime, we'd like you to use weak crypto.[/I] (This is a slight exaggeration on my part.)[/QUOTE] It takes some companies years of planning before they can switch over to new crypto (due to budget, implementation,...). They're just giving a heads up to not put too much effort into switching right now, when they'll have to switch over in a few years anyway.
[QUOTE=asteroidrules;48679528]That's basically exactly what they're suggesting people do. And it does work, it's considerably easier to remember while being harder to brute force.[/QUOTE] And do you think people will use truly random words or just passwords like "I love my wife" ??? Consider that "password" and "password123" are still the most common passwords.
[QUOTE=itisjuly;48679525]Even a simple password that isn't in english will be a bitch to crack. Hell, if you don't know any other language just write something in Elvish or another nerd language.[/QUOTE] Most places don't accept unicode characters.
[QUOTE=thejjokerr;48673339]Honestly I don't see how anyone can find trouble thinking of a safe password for every individual site. Just like think of a sentence you'll easily remember containing multiple names of relatives/friends, take all the first letters (capitalizing names), make sure it ends up to be very long. Then afterwards just take all vowels in the site name and append or prepend those to the password. Different password for every site and if it's long it's strong.[/QUOTE] Using stuff from the site's name is actually integrated in some dictionary attacks.
[QUOTE=Octopod;48673404]I myself am addicted to using random strings of numbers and letters as my password, but it would be better for me to "simplify" it in a way so that it's easier for me to remember it but just as hard for them to bruteforce it. [IMG]https://imgs.xkcd.com/comics/password_strength.png[/IMG] Just do something like this, with numbers instead of letters and some combination of symbols or whatever.[/QUOTE] To add to this, you can even trash dictionary attacks as well by doing this: The4SaladBasketTrip! The result: Massive Cracking Array Scenario (assuming one hundred trillion guesses per second): 11.52 thousand trillion centuries. Seriously, it's just easy to remember and a way better password.
[QUOTE=Awesomecaek;48673440]That's not how it works. Let's say you are vaguely educated and know 10000 English words. Randomly choosing 4 means 416416712497500 combinations, and that's ignoring the fact that a lot of people make it up to 20000 words, or that you can use a plural of something, or a declension, or whatever, which further makes the words bigger. If you go the "classic" password, 8 characters long, and count with approximately 90 characters in the ASCII table (includes normal letters, capital letters, and all the other characters), that leaves you with 77515521435 combinations, which is about five thousand times fewer possible combinations than we got with the low estimate of four dictionary words and trying to guess them by dictionary. Using 4 common dictionary words is more secure against a dictionary attack than getting an 8 character random ASCII password, and mainly SIGNIFICANTLY easier to remember.[/QUOTE] This is why I highly recommend Diceware. [quote]The Diceware method is secure even if an attacker knows that you used Diceware to pick your passphrase, knows how many words are in your passphrase and knows the word list you used. The security of Diceware comes from the huge number of combinations that an attacker must search through even with that knowledge. The Diceware word list contains 7776 words, so if you pick a five-word passphrase, there are 7776 x 7776 x 7776 x 7776 x 7776 combinations. That is over 2**64 (2 to the 64 power or 2.6 X 10**19) possibilities. A six word Diceware passphrase confronts an attacker with 2**77 (2 X 10**23) combinations; seven words 2**90 (1.5 X 10**27).[/quote] [url]http://world.std.com/~reinhold/dicewarefaq.html#someoneknows[/url] [url]http://world.std.com/~reinhold/diceware.html[/url] And past that, just randomly select one letter and swap it out with a random number or character and the dictionary approach goes out the window.
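The Diceware arithmetic quoted above (7776 words, five dice rolls per word, 2^64 and up for five or more words) and the word-count versus character-count comparison in the quoted post can be checked directly. The script below is an added example written for this page, not code from the Diceware site or from anyone in the thread: it rolls "dice" with a CSPRNG to pick list indices, builds a passphrase from a constructed stand-in list (synthetic tokens "w0000".."w7775", since the real 7776-word list is not reproduced here and the entropy depends only on the list size), and computes search space, bits of entropy and worst-case exhaustion time at the "one hundred trillion guesses per second" rate used in the thread. It also quantifies the "swap one random letter for a number" step from the end of the post, which adds only log2(positions x replacement symbols) bits.

```python
import math
import secrets

# Diceware: five rolls of a six-sided die select one of 6**5 = 7776 words.
DICEWARE_SIZE = 6 ** 5

# Constructed stand-in for the real Diceware list so this runs offline.
# The published list has 7776 short English words; the entropy figures below
# depend only on the list size, so synthetic tokens give the same numbers.
WORDLIST = [f"w{i:04d}" for i in range(DICEWARE_SIZE)]


def roll_diceware_index() -> int:
    """Roll five dice with a CSPRNG and map them to an index in 0..7775.

    Each roll is uniform over six faces, so the index is uniform over the
    list. That uniformity is what the FAQ's 'attacker knows everything but
    the rolls' argument rests on; a biased RNG would quietly shrink the space.
    """
    index = 0
    for _ in range(5):
        index = index * 6 + secrets.randbelow(6)
    return index


def diceware_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Pick n_words words independently and join them with spaces."""
    if len(wordlist) != DICEWARE_SIZE:
        raise ValueError("Diceware needs exactly 7776 words")
    return " ".join(wordlist[roll_diceware_index()] for _ in range(n_words))


def search_space(alphabet_size: int, length: int) -> int:
    """Ordered selection with replacement: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space, i.e. bits an attacker must guess."""
    return length * math.log2(alphabet_size)


def substitution_bits(passphrase_length: int, replacement_symbols: int = 10) -> float:
    """Extra bits from replacing ONE uniformly chosen character with one of
    `replacement_symbols` alternatives: log2(positions * symbols)."""
    return math.log2(passphrase_length * replacement_symbols)


def exhaust_years(space: int, guesses_per_second: float = 1e14) -> float:
    """Worst-case years to try every candidate at the given guess rate
    (the expected time to hit the right one is half of this)."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("example passphrase:", diceware_passphrase(6))
    for n in (5, 6, 7):
        space = search_space(DICEWARE_SIZE, n)
        print(f"{n} Diceware words: 2^{entropy_bits(DICEWARE_SIZE, n):.1f}, "
              f"{exhaust_years(space):.3g} years to exhaust at 1e14 guesses/s")
    print(f"4 words from a 10000-word vocabulary: 2^{entropy_bits(10000, 4):.1f}")
    print(f"8 random characters from 90: 2^{entropy_bits(90, 8):.1f}")
    print(f"one random character swap in a 30-character phrase adds "
          f"{substitution_bits(30):.1f} bits")
```

Run it and note two things the thread's numbers do not spell out: at 10^14 guesses per second, five Diceware words (about 2^64.6) are exhausted in days, which is why the FAQ's own advice is six or more words; and a single random letter-for-digit swap in a 30-character phrase adds about 8 bits, roughly the same as tacking on one more random character, so it is not what makes a passphrase strong.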
[QUOTE=Awesomecaek;48679448][img]http://i.imgur.com/1Ynf82C.png[/img] [/QUOTE] Would be funny if this website is [i]secretly[/i] using all of these "secure passwords" people are testing out and adding them to their databases for one giant fucking brute forcer.
I don't see any problems with their suggestions. It's been proven that password complexity leads to people doing dumb shit (i.e. writing them down). A password does not need to be overly complex to be secure.
[QUOTE=Killuah;48680019]And do you think people will use truly random words or just passwords like "I love my wife" ??? Consider that "password" and "password123" are still the most common passwords.[/QUOTE] Well, at least for the people who only put a little time and effort into things it will. [editline]14th September 2015[/editline] [QUOTE=QuinnithXD;48683189]Would be funny if this website is [i]secretly[/i] using all of these "secure passwords" people are testing out and adding them to their databases for one giant fucking brute forcer.[/QUOTE] Pretty sure that isn't possible, since when you do input that I don't think you're actually sending any data to them, since you aren't requesting the page information and sending information back.
[QUOTE=QuinnithXD;48683189]Would be funny if this website is [i]secretly[/i] using all of these "secure passwords" people are testing out and adding them to their databases for one giant fucking brute forcer.[/QUOTE] You really think Steve Gibson would do that and throw his credibility (and Security Now on TWiT) down the drain? It even says right then and there everything is local.
[QUOTE=Elspin;48681649]To add to this, you can even trash dictionary attacks as well by doing this: The4SaladBasketTrip![/QUOTE] This kinda defeats the purpose of the xkcd method. A better way to avoid dictionary attacks is to use [I]forms[/I] of words:
turn adjectives into adverbs (correct -> correctly)
use Latin names for species of animals or plants (horse -> equus)
replace nouns with a proper noun equivalent (battery -> duracell)
I use md5 hashes.
I had to change my master password once because I found 7 out of 14 symbols in the correct order on some ancient tech support site, in a post where someone just mashed their keyboard to express anger. I can't even imagine what the odds were for that.
[QUOTE=Awesomecaek;48679448][img]http://i.imgur.com/1Ynf82C.png[/img] Is easier to remember [I]and[/I] more secure. And I want to see a dictionary that will guess this.[/QUOTE] [img]http://i.imgur.com/231HtBd.png[/img] :wow:
Just make your password 3 or 4 random words that contain one or two made up words that you use a lot that aren't actually in the dictionary. We all have a few. Throw in a capital letter, a number, done. Easy peasy
[QUOTE=TheTalon;48693648]Just make your password 3 or 4 random words that contain one or two made up words that you use a lot that aren't actually in the dictionary. We all have a few. Throw in a capital letter, a number, done. Easy peasy[/QUOTE] Throw in any of ^&*$#... 4 words + # somewhere randomly should be fine for most uses.
[QUOTE=Matthew0505;48693587]That website doesn't seem to take into account common patterns or passwords. [img]https://i.imgur.com/IbA3oye.png[/img][/QUOTE] It says right on the top [quote] Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose, is discovered. [/quote] It's a brute force calculator - it only takes into account bruteforces. It does not simulate dictionary attacks.
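The distinction in the post above, a brute-force "haystack" estimate versus what a dictionary or combinator attack actually has to search, is easiest to see with the password from earlier in the thread, The4SaladBasketTrip!. The script below is an added example written for this page, not GRC's calculator or code from anyone in the thread. `haystack_space` is a simplified model of the character-class approach (alphabet size of the classes present, raised to the length), not GRC's exact formula. `candidates` models a small combinator attack: capitalised words from a list, optionally one digit after any word, optionally one trailing symbol. The eleven-word list and four-symbol set are constructed for the demo; a real attack list has tens of thousands of entries and far richer mangling rules, which only widens the gap shown here.

```python
import itertools
import math
import string

# Constructed wordlist and symbol set for an offline demonstration (not a real
# attack dictionary). Real lists are orders of magnitude larger.
WORDS = ["the", "salad", "basket", "trip", "love", "my", "wife",
         "correct", "horse", "battery", "staple"]
DIGITS = "0123456789"
SYMBOLS = "!@#$"


def haystack_space(password: str) -> int:
    """Character-class brute-force estimate in the style of a 'haystack'
    calculator: sum the sizes of the classes that appear, raise to the
    length. Simplified model of that approach, not GRC's exact formula."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def candidates(wordlist, n_words, digits=DIGITS, symbols=SYMBOLS):
    """Combinator attack model: n_words capitalised words, then optionally one
    digit inserted after any word, then optionally one trailing symbol.
    Yields guesses in a fixed order so attempts can be counted."""
    for words in itertools.product(wordlist, repeat=n_words):
        base = [w.capitalize() for w in words]
        variants = ["".join(base)]                      # no digit
        for i in range(n_words):                        # one digit after word i
            for d in digits:
                variants.append("".join(base[:i + 1]) + d + "".join(base[i + 1:]))
        for variant in variants:
            yield variant                               # no symbol
            for s in symbols:                           # one trailing symbol
                yield variant + s


def combinator_space(wordlist_size: int, n_words: int,
                     n_digits: int = len(DIGITS), n_symbols: int = len(SYMBOLS)) -> int:
    """Closed form of the number of guesses `candidates` produces."""
    return wordlist_size ** n_words * (1 + n_words * n_digits) * (1 + n_symbols)


def crack(target: str, wordlist=WORDS, n_words: int = 4, limit: int = 10_000_000):
    """Number of guesses until `target` is hit, or None if not found within limit."""
    for attempts, guess in enumerate(candidates(wordlist, n_words), start=1):
        if guess == target:
            return attempts
        if attempts >= limit:
            return None
    return None


if __name__ == "__main__":
    pw = "The4SaladBasketTrip!"
    hay = haystack_space(pw)
    comb = combinator_space(len(WORDS), 4)
    print(f"haystack estimate: 2^{math.log2(hay):.1f} candidates")
    print(f"combinator model:  2^{math.log2(comb):.1f} candidates")
    print(f"found after {crack(pw)} guesses")
```

The brute-force figure is around 2^131 for that string, so any calculator that only models brute force reports centuries; the structured model finds it in under thirty thousand guesses because the attacker is enumerating words and rules, not characters. Strength against the attacks people actually run comes from how the words were chosen (random, from a large list), not from the length of the string those words happen to produce.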