[ale] creating very powerful relatively short memorable passwords

Rich Faulkner rfaulkner at 34thprs.org
Thu Sep 15 09:41:02 EDT 2011


Interesting stuff...I guess the days of "m3$$1ng w1Th m1x3d C@53 &
ch4r@cT3rz R n0T g00d 3n0ugh eH?"  Although I used that character
substitution about a half-decade ago.  Still, if you used a longer
phrase of mixed/substituted characters from a phrase all run together I
suspect that would be good as most anything these days?  As long as an
attacker didn't know your base phrase from which you derived your
password.

I did have an alphanumeric password of two letters and five numbers
that was solid for years.  It was applied on a website (not mission
critical stuff) for years.  It got cracked last month and is the only
time one of my sites has been hit like that.  Yes, I was lax but have
beefed up the password scheme since then to a mix of caps, numbers,
letters and symbols, now of nine characters (and easy for me to
remember).  It could be better but for now I feel it's good enough
until I decide on a new scheme moving forward.

One of my personal favs of employers past was "luvm32xs"....


On Thu, 2011-09-15 at 09:12 -0400, Wolf Halton wrote:

> Here is an interesting utility, I found while looking for
> password-development models
> http://www.multicians.org/thvv/gpw-js.html This creates pronounceable
> non-words that follow English lexi to the point that they will be easy
> to remember.  Adding some substitutions and some caps, and you have a
> good password that is easy to remember.
> 
> My own 'system' is to choose a 6-8 character word and have
> muscle-memory turn it into something unrecognisable.
> Mustang => Mku8set6awnjgy or Mju7swt5aqnhgt or Mmuhsz6taAnNgv
> It is fast, and you don't move around the keyboard much as you type,
> so it is hard to shoulder-surf.
> 
> 
> On Sat, Sep 10, 2011 at 2:54 AM, Ron Frazier
> <atllinuxenthinfo at c3energy.com> wrote:
> 
>         Hi all,
>         
>         If you've been watching the list, you know I've been in discussion
>         with several others related to the topic of creating strong
>         passwords.  Based on prior discussions and recommendations, I had
>         concluded that pass phrases are highly desirable.  However, if
>         using a 2048 word lexicon, they must be 6 words long to achieve a
>         few days of crack resistance from a botnet array.  You have to go
>         up to 8 words to reach a crack time of centuries if the attacker
>         is doing 100 trillion guesses / second.  Pass phrases this long
>         are impossible to enter into many websites.  And, even if they can
>         be entered, it is very tedious to type this many words in a
>         password field.
>         
>         Here, I will describe a good compromise if you either wish to or
>         are forced to use a shorter password.
>         
>         I was slamming my bank in prior discussions due to only allowing 8
>         character passwords.  Well, I guess other people have been
>         slamming them.  I checked the password policy today and it has
>         been updated to the following:
>         
>         "Must be 6-20 characters with at least one letter and one number.
>         There should be no spaces and no special characters."
>         
>         As you can see, I cannot use a 6-8 word pass phrase here.  However,
>         I can still make it plenty strong.  The key to making a short
>         password work is not only making it as long as you can, but
>         including as many as possible of the following in the alphabet of
>         characters you use: lower case letters, upper case letters,
>         digits, symbols.  Adding just 1 of these character types, as long
>         as the attacker doesn't know your pattern, dramatically expands
>         the number of guesses he has to make.
>         
>         Here is a simple example of what adding each different possibility
>         does.  Imagine a 4 character password.  This one won't be strong,
>         it's just for an example.
>         
>         * lower case, ex: "junk" (excluding quotes), 26 possibilities in
>           each character, permutations = 26^4 = 456,976
>         * lower, upper, ex: "Junk", 52 possibilities in each character,
>           permutations = 52^4 = 7,311,616   (Note that this is 16 times
>           more secure.)
>         * lower, upper, digits, ex: "Jun8", 62 possibilities in each
>           character, permutations = 62^4 = 14,776,336   (Note that this is
>           32 times more secure.)
>         * lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in
>           each character, permutations = 95^4 = 81,450,625   (Note that
>           this is 178 times more secure.)
>         
>         These short passwords would be cracked instantly by a cracking
>         array.  However, a bit of clever adding of characters will allow
>         me to have a very secure and pretty memorable password, even at MY
>         bank.
>         
>         Following is the minimum character length of a password of each
>         type to require at least a century of crack time by an array
>         operating at 100 trillion guesses / second.
>         
>         lower case, 17 characters, 3.60 centuries crack time
>         lower, upper, 14 characters, 3.35 centuries crack time
>         lower, upper, digits, 14 characters, 39.33 centuries crack time
>         lower, upper, digits, symbols, 12 characters, 1.71 centuries crack
>         time   (Note that my bank will not accept this one.)
>         
>         Going any SHORTER will reduce the crack time to less than a
>         century, and it does so VERY rapidly.  In the case of the lower,
>         upper, digits, removing 1 character reduces crack time to 63.43
>         years.  Removing a 2nd character reduces it to 1.02 years.  And,
>         removing a 3rd character reduces it to 6.02 days.
>         
>         The best compromise of length, memorability, usability at
>         websites, and security is the lower, upper, digits scenario with
>         14 characters.  An easy way to do this is to pick 2 words from a
>         standard English dictionary which combine to at least 12
>         characters then throw some caps and 2 digits in, or 13 characters
>         and 1 digit.  This has some of the benefits of a pass phrase and
>         is pretty memorable, and will be accepted by most websites.  You
>         could use more digits, but there is no big benefit.  Once you've
>         added even 1 digit, you've increased the possibilities at each
>         character spot from 52 to 62.  Note that all this assumes the
>         attacker is brute force guessing and doesn't know YOUR word
>         pattern.
>         
>         4AntimonyBlast - 14 characters - 39.33 centuries crack time
>         CastoffWander2 - 14 characters - 39.33 centuries crack time
>         Debark3Debates - 14 characters - 39.33 centuries crack time
>         
>         Here's how the math works.
>         
>         permutations = 62^14 = 12.402 x 10^24
>         time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second
>         = 124.02 x 10^09 seconds
>         divide by 3600 to get hours, then 24 to get days, then 365 to get
>         years, then 100 to get centuries
>         
>         To do the whole thing at once, take the number of permutations and
>         divide by 315.36 x 10^21.
>         time to crack = 39.33 centuries
>         
>         -----> BOTTOM LINE <------
>         
>         So, the BOTTOM LINE is: create a password at least 14 characters
>         long containing lower case, upper case, and digits; and you will
>         be uncrackable by a botnet of 1000 PCs doing a total of 100
>         trillion guesses / second for almost 40 centuries.  Some of the
>         crypto guys can chip in and say whether, statistically, the
>         cracker might hit your password in 1/2 the time.  In that case,
>         you're good for 20 centuries.
>         
>         I hope you find this useful.  I certainly found the analysis
>         revealing, and I'll be upgrading some of my website and
>         applications passwords.
>         
>         There's a lot of math here, all hand done.  I'm pretty sure it's
>         all right, but if there are typos (at 2 AM), they'll have to be
>         corrected later.
>         
>         Sincerely,
>         
>         Ron
>         
>         --
>         
>         (PS - If you email me and don't get a quick response, you might
>         want to call on the phone.  I get about 300 emails per day from
>         alternate energy mailing lists and such.  I don't always see new
>         messages very quickly.)
>         
>         Ron Frazier
>         
>         770-205-9422 (O)   Leave a message.
>         linuxdude AT c3energy.com
>         
>         _______________________________________________
>         Ale mailing list
>         Ale at ale.org
>         http://mail.ale.org/mailman/listinfo/ale
>         See JOBS, ANNOUNCE and SCHOOLS lists at
>         http://mail.ale.org/mailman/listinfo
> 
> 
> 
> 
> -- 
> This Apt Has Super Cow Powers - http://sourcefreedom.com
> 


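The crack-time arithmetic in Ron's quoted post, as an added, runnable example that is not part of the original thread. It reproduces his table (minimum length per character class for at least a century at 100 trillion guesses per second, and the 2048-word passphrase figures), and adds the other side of his own caveat: a "pattern-aware" model for an attacker who knows the password is two dictionary words plus digits. The guessing rate and the 2048-word lexicon are the thread's numbers; the 100,000-word dictionary and 15 digit positions in the pattern model are assumptions chosen only for illustration.

```python
# Added example, not from the original thread: crack-time arithmetic for
# the character-class and passphrase models discussed above, plus a
# pattern-aware keyspace for the "attacker knows your pattern" caveat.
# The 100,000-word dictionary and 15 digit slots below are assumptions.
from math import log2

GUESSES_PER_SECOND = 100e12                    # 100 trillion/s, as in the thread
SECONDS_PER_CENTURY = 3600 * 24 * 365 * 100    # 3.1536e9; times the rate = 315.36e21

# Alphabet sizes used in the quoted post.
ALPHABETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must cover with no knowledge of the pattern."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in `space` at `rate` guesses per second.
    A uniformly random password is found after half this time on average."""
    return space / rate


def centuries_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(space, rate) / SECONDS_PER_CENTURY


def entropy_bits(space: int) -> float:
    """log2 of the keyspace, the usual yardstick for comparing schemes."""
    return log2(space)


def min_length_for_centuries(alphabet_size: int, centuries: float = 1.0,
                             rate: float = GUESSES_PER_SECOND) -> int:
    """Shortest length whose exhaustive search takes at least `centuries`."""
    length = 1
    while centuries_to_exhaust(keyspace(alphabet_size, length), rate) < centuries:
        length += 1
    return length


def passphrase_keyspace(n_words: int, lexicon_size: int = 2048) -> int:
    """Diceware-style passphrase: lexicon_size ** n_words candidates."""
    return lexicon_size ** n_words


def pattern_aware_keyspace(dictionary_size: int, n_words: int,
                           n_digits: int, digit_slots: int) -> int:
    """Candidates when the attacker knows the construction rule:
    `n_words` dictionary words, each optionally capitalised (x2), and
    `n_digits` digits (10 values each) placed in one of `digit_slots`
    positions.  This is what the post's "assumes the attacker doesn't know
    YOUR word pattern" caveat costs when the assumption fails."""
    per_word = dictionary_size * 2
    per_digit = 10 * digit_slots
    return per_word ** n_words * per_digit ** n_digits


def crack_time_table() -> list:
    """(alphabet, minimum length for >= 1 century, centuries at that length)."""
    rows = []
    for name, size in ALPHABETS.items():
        n = min_length_for_centuries(size)
        rows.append((name, n, centuries_to_exhaust(keyspace(size, n))))
    return rows


if __name__ == "__main__":
    for name, n, c in crack_time_table():
        print(f"{name:28s} {n:2d} chars  {c:8.2f} centuries")
    for n_words in (6, 8):
        s = seconds_to_exhaust(passphrase_keyspace(n_words))
        print(f"{n_words}-word passphrase (2048 lexicon): {s / 86400:.1f} days")
    # Brute-force view of a 14-character two-word password versus the view
    # of an attacker who knows it is two dictionary words plus two digits.
    blind = keyspace(62, 14)
    informed = pattern_aware_keyspace(100_000, 2, 2, 15)
    print(f"blind:    {entropy_bits(blind):.1f} bits, "
          f"{centuries_to_exhaust(blind):.2f} centuries")
    print(f"informed: {entropy_bits(informed):.1f} bits, "
          f"{seconds_to_exhaust(informed):.1f} seconds")
```

Running it reproduces the post's 17/14/14/12 minimum lengths and the 39.33-century figure for 62^14; the pattern-aware line shows the same 14-character password falling to seconds once the attacker knows it is two words and two digits, which is the reason the post's numbers are conditioned on the pattern staying secret.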

