[ale] creating very powerful relatively short memorable passwords

Wolf Halton wolf.halton at gmail.com
Thu Sep 15 12:41:55 EDT 2011


I think the word lists have been generated that include l33t-sp34k and other
manglements.  Wordlists and rainbow tables make cracking much faster. :-(
Make an MD5 hash of the word 'password' (5F4DCC3B5AA765D61D8327DEB882CF99)
or your favorite uncrackable password, and see how many times it comes up on
your google search return.



On Thu, Sep 15, 2011 at 9:41 AM, Rich Faulkner <rfaulkner at 34thprs.org> wrote:

> Interesting stuff...I guess the days of "m3$$1ng w1Th m1x3d C@53 &
> ch4r@cT3rz R n0T g00d 3n0ugh eH?"  Although I used that character
> substitution about a half-decade ago.  Still, if you used a longer phrase of
> mixed/substituted characters from a phrase all run together, I suspect that
> would be good against most anything these days?  As long as an attacker didn't
> know your base phrase from which you derived your password.
>
> I did have an alpha numeric password of two letters and five numbers that
> was solid for years.  It was applied on a website (not mission critical
> stuff) for years.  It got cracked last month and is the only time one of my
> sites has been hit like that.  Yes, I was lax, but I have beefed up the
> password scheme since then to a mix of caps, numbers, letters and symbols,
> now of nine characters (and easy for me to remember).  It could be better,
> but for now I feel it is good enough until I decide on a new scheme moving
> forward.
>
> One of my personal favs of employers past was "luvm32xs"....
>
>
>
> On Thu, 2011-09-15 at 09:12 -0400, Wolf Halton wrote:
>
> Here is an interesting utility I found while looking for
> password-development models:
> http://www.multicians.org/thvv/gpw-js.html This creates pronounceable
> non-words that follow English lexi to the point that they will be easy to
> remember.  Adding some substitutions and some caps, and you have a good
> password that is easy to remember.
>
> My own 'system' is to choose a 6-8 character word and have muscle-memory
> turn it into something unrecognisable.
> Mustang => Mku8set6awnjgy or Mju7swt5aqnhgt or Mmuhsz6taAnNgv
> It is fast, and you don't move around the keyboard much as you type, so it
> is hard to shoulder-surf.
>
> On Sat, Sep 10, 2011 at 2:54 AM, Ron Frazier <atllinuxenthinfo at c3energy.com> wrote:
>
> Hi all,
>
> If you've been watching the list, you know I've been in discussion with
> several others related to the topic of creating strong passwords.  Based
> on prior discussions and recommendations, I had concluded that pass
> phrases are highly desirable.  However, if using a 2048 word lexicon,
> they must be 6 words long to achieve a few days of crack resistance from
> a botnet array.  You have to go up to 8 words to reach a crack time of
> centuries if the attacker is doing 100 trillion guesses / second.  Pass
> phrases this long are impossible to enter into many websites.  And, even
> if they can be entered, it is very tedious to type this many words in a
> password field.
>
> Here, I will describe a good compromise if you either wish to or are
> forced to use a shorter password.
>
> I was slamming my bank in prior discussions due to only allowing 8
> character passwords.  Well, I guess other people have been slamming
> them.  I checked the password policy today and it has been updated to
> the following:
>
> "Must be 6-20 characters with at least one letter and one number. There
> should be no spaces and no special characters."
>
> As you can see, I cannot use a 6-8 word pass phrase here.  However, I
> can still make it plenty strong.  The key to making a short password
> work is not only making it as long as you can, but including as many as
> possible of the following in the alphabet of characters you use: lower
> case letters, upper case letters, digits, symbols.  Adding just 1 of
> these character types, as long as the attacker doesn't know your
> pattern, dramatically expands the number of guesses he has to make.
>
> Here is a simple example of what adding each different possibility
> does.  Imagine a 4 character password.  This one won't be strong, it's
> just for an example.
>
> * lower case, ex: "junk" (excluding quotes), 26 possibilities in each
> character, permutations = 26^4 = 456,976
> * lower, upper, ex: "Junk", 52 possibilities in each character,
> permutations = 52^4 = 7,311,616   (Note that this is 16 times more secure.)
> * lower, upper, digits, ex: "Jun8", 62 possibilities in each character,
> permutations = 62^4 = 14,776,336   (Note that this is 32 times more
> secure.)
> * lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in each
> character, permutations = 95^4 = 81,450,625   (Note that this is 178
> times more secure.)
>
> These short passwords would be cracked instantly by a cracking array.
> However, a bit of clever adding of characters will allow me to have a
> very secure and pretty memorable password, even at MY bank.
>
> Following is the minimum character length of a password of each type to
> require at least a century of crack time by an array operating at 100
> trillion guesses / second.
>
> lower case, 17 characters, 3.60 centuries crack time
> lower, upper, 14 characters, 3.35 centuries crack time
> lower, upper, digits, 14 characters, 39.33 centuries crack time
> lower, upper, digits, symbols, 12 characters, 1.71 centuries crack
> time   (Note that my bank will not accept this one.)
>
> Going any SHORTER will reduce the crack time to less than a century,
> and it does so VERY rapidly.  In the case of lower, upper, digits,
> removing 1 character reduces crack time to 63.43 years.  Removing a 2nd
> character reduces it to 1.02 years.  And, removing a 3rd character
> reduces it to 6.02 days.
>
> The best compromise of length, memorability, usability at websites, and
> security is the lower, upper, digits scenario with 14 characters.  An
> easy way to do this is to pick 2 words from a standard English
> dictionary which combine to at least 12 characters then throw some caps
> and 2 digits in, or 13 characters and 1 digit.  This has some of the
> benefits of a pass phrase and is pretty memorable, and will be accepted
> by most websites.  You could use more digits, but there is no big
> benefit.  Once you've added even 1 digit, you've increased the
> possibilities at each character spot from 52 to 62.  Note that all this
> assumes the attacker is brute force guessing and doesn't know YOUR word
> pattern.
>
> 4AntimonyBlast - 14 characters - 39.33 centuries crack time
> CastoffWander2 - 14 characters - 39.33 centuries crack time
> Debark3Debates - 14 characters - 39.33 centuries crack time
>
> Here's how the math works.
>
> permutations = 62^14 = 12.402 x 10^24
> time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second = 124.02 x
> 10^09 seconds
> divide by 3600 to get hours, then 24 to get days, then 365 to get years,
> then 100 to get centuries
>
> To do the whole thing at once, take the number of permutations and
> divide by 315.36 x 10^21.
> time to crack = 39.33 centuries
>
> -----> BOTTOM LINE <------
>
> So, the BOTTOM LINE is: create a password at least 14 characters long
> containing lower case, upper case, and digits; and you will be
> uncrackable by a botnet of 1000 PCs doing a total of 100 trillion
> guesses / second for almost 40 centuries.  Some of the crypto guys can
> chip in and say whether, statistically, the cracker might hit your
> password in 1/2 the time.  In that case, you're good for 20 centuries.
>
> I hope you find this useful.  I certainly found the analysis revealing,
> and I'll be upgrading some of my website and applications passwords.
>
> There's a lot of math here, all hand done.  I'm pretty sure it's all
> right, but if there are typos (at 2 AM), they'll have to be corrected later.
>
> Sincerely,
>
> Ron
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new messages very quickly.)
>
> Ron Frazier
>
> 770-205-9422 (O)   Leave a message.
> linuxdude AT c3energy.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
>
>
> --
> This Apt Has Super Cow Powers - http://sourcefreedom.com
>
>
>
>


-- 
This Apt Has Super Cow Powers - http://sourcefreedom.com
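The keyspace arithmetic Ron walks through above (alphabet^length divided by 100 trillion guesses per second, then by 315.36 x 10^21 guesses per century) is easy to get wrong by hand at 2 AM, so here is an added example, not part of the thread, that reproduces his table and his 4AntimonyBlast figures and also reports the average-case number he asks the crypto folks about (a uniformly chosen password is found, on average, halfway through the keyspace). The 33-symbol class (32 punctuation characters plus space) is my assumption for how his 95-character alphabet is made up; the classifier, like his analysis, assumes the attacker knows nothing about the words behind the password.

```python
import string

# Attacker model from the thread: a botnet doing 100 trillion guesses per second.
GUESSES_PER_SECOND = 100 * 10**12
SECONDS_PER_CENTURY = 3600 * 24 * 365 * 100   # 3.1536e9 s, i.e. 315.36e21 guesses per century

# Character classes and the alphabet each contributes: 26 + 26 + 10 + 33 = 95 printable ASCII.
# (Assumed composition of the 95-symbol alphabet used in the thread.)
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 33),
)


def alphabet_size(password: str) -> int:
    """Alphabet a brute-forcer must cover, judged only by which classes appear."""
    chars = set(password)
    return sum(size for members, size in CLASSES if chars & members)


def crack_time_centuries(alphabet: int, length: int,
                         guesses_per_second: int = GUESSES_PER_SECOND,
                         average_case: bool = False) -> float:
    """Exhaustive-search time in centuries; average_case=True halves the keyspace,
    since a uniformly chosen password is hit, on average, halfway through it."""
    keyspace = alphabet ** length
    if average_case:
        keyspace //= 2
    return keyspace / (guesses_per_second * SECONDS_PER_CENTURY)


def min_length_for_centuries(alphabet: int, centuries: float = 1.0) -> int:
    """Shortest length whose worst-case crack time reaches the target (the table in the thread)."""
    length = 1
    while crack_time_centuries(alphabet, length) < centuries:
        length += 1
    return length


if __name__ == "__main__":
    for alphabet in (26, 52, 62, 95):
        n = min_length_for_centuries(alphabet)
        print(f"alphabet {alphabet:2d}: {n} chars -> {crack_time_centuries(alphabet, n):.2f} centuries")
    for pw in ("junk", "Ju+8", "4AntimonyBlast", "CastoffWander2"):
        a = alphabet_size(pw)
        print(f"{pw}: alphabet {a}, worst {crack_time_centuries(a, len(pw)):.4g} centuries, "
              f"average {crack_time_centuries(a, len(pw), average_case=True):.4g} centuries")
```

Run it and compare against the figures in the thread; the 63.43 years / 1.02 years / 6.02 days drop-off for 13, 12 and 11 characters is `crack_time_centuries(62, n)` scaled by 100 years per century.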