0936: "Password Strength"


Re: 0936: "Password Strength"

Postby superluser » Thu Aug 18, 2011 4:47 pm UTC

Cosmologicon wrote:
superluser wrote:google for "password manifesto" (can't post links yet).
- Users should be able to temporarily or permanently disable accounts, removing all passwords from the remote server's database.
whether that's because the user rarely comments, or because the user is paranoid, or because the user gave up the internet for Lent or because the user has been convicted of wire fraud and can't use a computer for the duration of her sentence is irrelevant

Most of that sounds like great advice, but practically speaking, how is this one supposed to work in the temporary case? If the password on the server is deleted, how do you verify that the user is actually themself when they come back to re-enable the account?


Treat it like a password reset. When you disable the account, you delete the hash and set a bit not to allow anyone to try to log in. When you want it back, you click on forgot password (conveniently relabeled "reactivate account" in this case if you're savvy enough), and the server sends you a challenge. If you pass, you get to set the password, and the bit is set to allow logins again.
superluser
 
Posts: 16
Joined: Wed Aug 17, 2011 5:36 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Thu Aug 18, 2011 5:53 pm UTC

ReallyDeepMan wrote:Where are we getting the 2048 words on the list?
Who cares? The math is the same regardless of how we pick our list, since a random word from that list has 11 bits of entropy minimum, even if the enemy has the exact same word list.

Also, unless a computer is picking our pass-phrases for us, we're unlikely to truly pick 4 random words...
A computer does pick them. Or dice. Or randomly drawn shuffled cards. Or whatever.

I said they were random words, and when I said "random" I meant random.
In the future, there will be a global network of billions of adding machines.... One of the primary uses of this network will be to transport moving pictures of lesbian sex by pretending they are made out of numbers.
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby ReallyDeepMan » Thu Aug 18, 2011 6:21 pm UTC

gmalivuk wrote:
ReallyDeepMan wrote:Where are we getting the 2048 words on the list?
Who cares? The math is the same regardless of how we pick our list, since a random word from that list has 11 bits of entropy minimum, even if the enemy has the exact same word list.

Also, unless a computer is picking our pass-phrases for us, we're unlikely to truly pick 4 random words...
A computer does pick them. Or dice. Or randomly drawn shuffled cards. Or whatever.

I said they were random words, and when I said "random" I meant random.


Well that makes sense. I'm running into a slightly different scenario though...

At my University, central passwords are controlled by our network group.

Currently, our rules are: 8 character minimum, 30 character maximum...
Regardless of length, you must have 3 out of the 4 following ... uppercase characters, lowercase characters, numbers, punctuation ... they refer to these as their 'complexity rules'
If the length is 8 or 9 characters, it also does a dictionary search and denies stuff like Bacon!!! (despite its deliciousness)

I'm trying to present a case to our networking folks that any password longer than, say, 20 characters should be considered a pass-phrase, and that there's enough entropy to say it's ok to drop the complexity rules at that point. (e.g. "my dog eats trains" instead of "My dog 3ats trains")

Now, it's possible that I could convince them to put a random pass-phrase generator in, that spits out these 4 word phrases based on a catalog of 2048 (or however many they like) words. If that's what I wanted, I could definitely just use your math.

However, what I have been proposing is really just letting the user pick the phrase ... and I'm finding it harder to argue that math.

So, I'm trying to better understand how you arrived at your math, so I can adjust it to suit my own proposal.
ReallyDeepMan
 
Posts: 4
Joined: Thu Aug 18, 2011 1:48 pm UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Thu Aug 18, 2011 6:42 pm UTC

Well as was mentioned before, if users pick their phrases, the math works out less in their favor, because they're unlikely to do so suitably randomly.

And yeah, it is harder to do the math on phrases people might pick, apart from pointing out that if it's one of the most common (million/billion/trillion) n-word phrases (according to something like the Google Books corpus), it's probably not a good idea because someone could just run through the top (million/billion/trillion) of those fairly quickly.
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby ReallyDeepMan » Thu Aug 18, 2011 6:47 pm UTC

gmalivuk wrote:Well as was mentioned before, if users pick their phrases, the math works out less in their favor, because they're unlikely to do so suitably randomly.

And yeah, it is harder to do the math on phrases people might pick, apart from pointing out that if it's one of the most common (million/billion/trillion) n-word phrases (according to something like the Google Books corpus), it's probably not a good idea because someone could just run through the top (million/billion/trillion) of those fairly quickly.


So, it looks like, in the end, my idea's actually not a good one. D'oh.

Ah well, at least I understand why this isn't a great idea now. :D

And I've got an alternative option (having the computer generate a passphrase using the actually random method).

I'm going to pitch them that idea instead now.

Thanks for taking the time to help me out with my logic/math.
ReallyDeepMan
 
Posts: 4
Joined: Thu Aug 18, 2011 1:48 pm UTC

Re: 0936: "Password Strength"

Postby Czhorat » Thu Aug 18, 2011 7:06 pm UTC

gmalivuk wrote:Well as was mentioned before, if users pick their phrases, the math works out less in their favor, because they're unlikely to do so suitably randomly.

And yeah, it is harder to do the math on phrases people might pick, apart from pointing out that if it's one of the most common (million/billion/trillion) n-word phrases (according to something like the Google Books corpus), it's probably not a good idea because someone could just run through the top (million/billion/trillion) of those fairly quickly.


I'm not convinced it's that brute-force hackable. Wouldn't one have to know that one is looking for an 'n' word phrase to throw GoogleBooks at it? What if you break the phrase in an odd place? ie "was the best of times, it was the"? I'm not really convinced that there's an algorithm that would find that in a reasonable period of time.
Czhorat
 
Posts: 365
Joined: Fri Aug 14, 2009 12:28 pm UTC

Re: 0936: "Password Strength"

Postby superluser » Thu Aug 18, 2011 7:07 pm UTC

ReallyDeepMan wrote:And I've got an alternative option (having the computer generate a passphrase using the actually random method).

I'm going to pitch them that idea instead now.


Use the word Diceware, and you'll radically increase your chances of success. Each word adds 12.9 bits of entropy if chosen truly randomly. Of course, you now need to come up with a story to remember the password, but all you need is a sufficient number of horses and battery staples.

Czhorat wrote:I'm not convinced it's that brute-force hackable. Wouldn't one have to know that one is looking for an 'n' word phrase to throw GoogleBooks at it? What if you break the phrase in an odd place? ie "was the best of times, it was the"? I'm not really convinced that there's an algorithm that would find that in a reasonable period of time.


It's more or less the equivalent of asking if antidisestablishmentari isn't more secure, and the exact equivalent of asking if it's more secure to have a password of nstaaf instead of tanstaafl.
Last edited by superluser on Thu Aug 18, 2011 7:44 pm UTC, edited 1 time in total.
superluser
 
Posts: 16
Joined: Wed Aug 17, 2011 5:36 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Thu Aug 18, 2011 7:41 pm UTC

Czhorat wrote:I'm not convinced it's that brute-force hackable. Wouldn't one have to know that one is looking for an 'n' word phrase to throw GoogleBooks at it? What if you break the phrase in an odd place? ie "was the best of times, it was the"? I'm not really convinced that there's an algorithm that would find that in a reasonable period of time.
So you start with a dictionary attack (i.e. 1-word "phrases"), then go through the billion most common 2-word phrases, then 3 words, etc.

The American English Google Books corpus has about 160 billion words. Even if they were all magically unique, it doesn't take terribly long to search through that many possibilities. And then it takes the same amount of time to search through all the consecutive pairs of words in the corpus (adding one bit). Searching through all the consecutive 3- and 4- word phrases adds one more bit (assuming time to check is approximately constant with password length, of course). Including all the 5-, 6-, 7-, and 8-word phrases adds another bit, bringing your grand total to 40 bits of entropy.

Which is to say, if you use a sequence of 8 or fewer words that appears anywhere in the entire GB corpus, your password could be cracked (by someone who assumes your password, or others in the database they hacked or whatever, might be a phrase you read somewhere) in the same amount of time as one generated by Randall's comic method, but using a word-list with only half as many entries.

(And note as well that this is a best-case scenario that assumes each n-gram is unique. But of course that's not the case for any of the shorter ones, which all likely appear many many times throughout the books there.)
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)
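The two calculations gmalivuk makes above (11 bits per word drawn at random from a 2048-word list, and the roughly 40-bit bound on any phrase of up to 8 words that appears in a 160-billion-word corpus), plus superluser's Diceware figure and the "years at 1000 guesses per second" arithmetic used later in the thread, worked through as an added Python example. This is not code from the thread; the corpus-phrase bound takes gmalivuk's stated best-case assumptions (every n-gram unique, constant cost per check) as given, and the 365-day year is an assumption of the example.

```python
"""Passphrase entropy accounting (added example, not code from the thread).

Case 1: words drawn independently and uniformly from a list of L words, so
        every word adds log2(L) bits (2048 words -> 11 bits, Diceware's
        7776 -> 12.9 bits).
Case 2: a phrase copied from a corpus of N words. An attacker who tries every
        n-gram of length 1..k in the corpus has at most k*N candidates, under
        the best-case assumption that every n-gram is unique.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def random_passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words words chosen independently and uniformly from list_size words."""
    return n_words * math.log2(list_size)


def corpus_phrase_bits(corpus_words: float, max_words: int) -> float:
    """Upper bound on the entropy of a phrase of up to max_words consecutive words
    taken from a corpus of corpus_words words: at most corpus_words distinct
    n-grams per length, so at most corpus_words * max_words guesses in total."""
    return math.log2(corpus_words * max_words)


def wordlist_size_for_bits(bits: float, n_words: int) -> float:
    """List size at which n_words random words reach the given entropy."""
    return 2 ** (bits / n_words)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: every one of the 2**bits candidates is tried."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    comic = random_passphrase_bits(2048, 4)        # 44.0 bits, the comic's figure
    diceware = random_passphrase_bits(7776, 1)     # ~12.9 bits per Diceware word
    # ~160 billion words in the American English Google Books corpus, phrases up to 8 words
    corpus = corpus_phrase_bits(160e9, 8)          # ~40.2 bits
    equiv_list = wordlist_size_for_bits(40, 4)     # 1024 words: half the comic's list
    print(f"4 words from a 2048-word list:  {comic:.1f} bits")
    print(f"1 Diceware word:                {diceware:.1f} bits")
    print(f"any <=8-word corpus phrase:     {corpus:.1f} bits")
    print(f"4-word list giving 40 bits:     {equiv_list:.0f} words")
    for bits in (28, 40, 44, 52):
        print(f"{bits} bits at 1000 guesses/s: {years_to_exhaust(bits, 1000):,.1f} years")
```

The corpus bound is an upper bound on the attacker's work, not on the phrase's strength: short n-grams repeat many times, so the real candidate set is smaller and the effective entropy lower than the function reports.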

Password Strength and Blonde Jokes

Postby webgiant » Fri Aug 19, 2011 5:25 pm UTC

One of the people I know on Facebook posted this blonde joke recently:

Blonde Joke: During a recent password audit at our company, it was found that a blonde receptionist was using the following password: MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento. 

When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital!


Of course, the blonde has a password with 52 bits of entropy. At 2^52 with 1000 guesses per second, it would take a computer 142,808 YEARS to guess her password (I may have been mistaken about Randall's description of security theory, but if so the degree of entropy would appear to go up on a more correct answer). HowSecureIsMyPassword suggests "It would take a desktop PC About 21 tresvigintillion years to hack your password" (and only two of those "characters" are dictionary words, Pluto and Goofy).  So strictly speaking, the blonde receptionist has come up with an effectively *unbreakable* password, spelling out the whole words of what the rest of us would use as a mnemonic.

Someone else tried to point out to me that, given what was told to the blonde and knowing she'd probably used cartoon characters, it was easy to guess her password. I disagree, since she didn't need to use cartoon characters to achieve her goal: the nature of the joke and the unbreakable nature of the password is the direct result of her not being told which type of characters to use. She could just as easily, and with a much higher degree of entropy, have used MichaelKarenDeangeloPamJimDwightAndyPhyllisSacramento, or characters from any other ensemble TV show or movie, or a completely different cartoon company, such as Warner Brothers.

As for the impossible length of the password, the blonde's company allows a 52 letter password, so that's irrelevant to discussing the strength of her password. As far as that goes, I could see someone creating a secure password list application which allowed a 52 letter password, allowing you to secure the list of much less secure passwords with a password that would take thousands of years for a computer to guess, and a human being so long you'd retire before they figured it out.
webgiant
 
Posts: 233
Joined: Mon Aug 17, 2009 5:36 pm UTC

Re: Password Strength and Blonde Jokes

Postby superluser » Fri Aug 19, 2011 5:49 pm UTC

webgiant wrote:Of course, the blonde has a password with 52 bits of entropy. At 2^52 with 1000 guesses per second, it would take a computer 142,808 YEARS to guess her password (I may have been mistaken about Randall's description of security theory, but if so the degree of entropy would appear to go up on a more correct answer). HowSecureIsMyPassword suggests "It would take a desktop PC About 21 tresvigintillion years to hack your password" (and only two of those "characters" are dictionary words, Pluto and Goofy).  So strictly speaking, the blonde receptionist has come up with an effectively *unbreakable* password, spelling out the whole words of what the rest of us would use as a mnemonic.


SnowWhiteDocGrumpyHappySleepyBashfulSneezyDopeySacramento is not a good password. Once you get past SnowWhiteDoc, there's almost no entropy until the end. In fact, SnowWhiteDoc probably has more entropy than the full password, as you'd expect the whole litany to continue. Now SnowWhiteMustafaGastonUrsulaTarzanColonelHathiGepettoRedQueenSacramento would be a little better, as the majority of it is not from the *exact* *same* work.
superluser
 
Posts: 16
Joined: Wed Aug 17, 2011 5:36 am UTC

Re: 0936: "Password Strength"

Postby Manabu » Sat Aug 20, 2011 5:23 pm UTC

ReallyDeepMan wrote:
gmalivuk wrote:Well as was mentioned before, if users pick their phrases, the math works out less in their favor, because they're unlikely to do so suitably randomly.

And yeah, it is harder to do the math on phrases people might pick, apart from pointing out that if it's one of the most common (million/billion/trillion) n-word phrases (according to something like the Google Books corpus), it's probably not a good idea because someone could just run through the top (million/billion/trillion) of those fairly quickly.


So, it looks like, in the end, my idea's actually not a good one. D'oh.

Ah well, at least I understand why this isn't a great idea now. :D

And I've got an alternative option (having the computer generate a passphrase using the actually random method).

I'm going to pitch them that idea instead now.

Thanks for taking the time to help me out with my logic/math.

The current method used isn't random either: the user will likely choose a short password from his head. The best you can hope for from it is something like Tr0ub4dor&3, and the average will probably be even less "unique".

Another question: does your network really need 40+ bits of entropy security in the passwords? Or passwords you can't choose? Aren't you overdoing it and just making life more difficult for your users?

I think your original suggestion, of trading special characters for length, is better.
Last edited by Manabu on Sat Aug 20, 2011 5:53 pm UTC, edited 1 time in total.
Manabu
 
Posts: 24
Joined: Tue Nov 30, 2010 1:57 am UTC

Re: 0936: "Password Strength"

Postby FoolishOwl » Sat Aug 20, 2011 5:52 pm UTC

I wonder if there are good (as in, reasonably secure) methods to have a random password generator pop up when a user is prompted for a password. Random password and pass phrase generators are easy: several have been posted in this thread. The hard part is getting people to use them, and the more convenient it is to do so, without compromising security, the more likely regular people are to use them.
FoolishOwl
 
Posts: 52
Joined: Mon Jun 29, 2009 8:36 pm UTC
Location: San Francisco, California

Re: 0936: "Password Strength"

Postby wingsofwrath » Sun Aug 21, 2011 12:58 am UTC

A way to create hard-to-crack passwords is to simply use technical names, either of machinery or of parts, because they represent physical objects that are easy for a human being to recall and at the same time already contain strings of seemingly random numbers and symbols.

For example, the name of a laptop: "AspireAcer5740G_333G32Mn" or a jet engine: "RollsRoyceRB162Trident3B".

Using the brute force method, it would take a computer close to 1 octillion years (239 octillion for the first one) to crack either of them. Since they eschew common English words, they are completely immune to a random dictionary search, but at the same time they are rather easy to remember because your brain stores the name along with a visual representation of the actual object.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: Password Strength and Blonde Jokes

Postby webgiant » Sun Aug 21, 2011 4:15 am UTC

superluser wrote:
webgiant wrote:Of course, the blonde has a password with 52 bits of entropy. At 2^52 with 1000 guesses per second, it would take a computer 142,808 YEARS to guess her password (I may have been mistaken about Randall's description of security theory, but if so the degree of entropy would appear to go up on a more correct answer). HowSecureIsMyPassword suggests "It would take a desktop PC About 21 tresvigintillion years to hack your password" (and only two of those "characters" are dictionary words, Pluto and Goofy).  So strictly speaking, the blonde receptionist has come up with an effectively *unbreakable* password, spelling out the whole words of what the rest of us would use as a mnemonic.


SnowWhiteDocGrumpyHappySleepyBashfulSneezyDopeySacramento is not a good password. Once you get past SnowWhiteDoc, there's almost no entropy until the end. In fact, SnowWhiteDoc probably has more entropy than the full password, as you'd expect the whole litany to continue. Now SnowWhiteMustafaGastonUrsulaTarzanColonelHathiGepettoRedQueenSacramento would be a little better, as the majority of it is not from the *exact* *same* work.

So what you're saying is that not all Disney movies produce unbreakable passwords using the Blonde Method?
webgiant
 
Posts: 233
Joined: Mon Aug 17, 2009 5:36 pm UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 21, 2011 7:01 am UTC

wingsofwrath wrote:Using the brute force method, it would take a computer close to 1 octillion years (239 octillion for the first one) to crack either of them
On the other hand, using the "run through technical names for machines" method, it would take a computer close to 1 day to crack either of them...
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Sun Aug 21, 2011 11:16 am UTC

On the other hand, using the "run through technical names for machines" method, it would take a computer close to 1 day to crack either of them...


True, but I'm not sure such a dictionary exists, and you could always choose something rather obscure that is unlikely to pop up in anything but the most specialist material.
Besides, I'm pretty sure that any brute force attacker who gets to the point of running through the "technical names for machines" directory already knows what type of password you have, and it's just a matter of filling in the details.

And even then the possibilities for screwing with the password constituents are limitless. In my earlier examples, I chose "RollsRoyceRB162Trident3B"; it incorporates the name of an engine (RR162) and the name of an aircraft on which it was used (Trident3b), but you can always throw in the year it was built (1962), the place where it was used (Mediterranean), the company which used it (British European Airways or BEA) or a variety of other information that is unique to you.

A further evolution of this system (and my current standard for password selection) involves choosing an antique technical textbook (for example purposes it will be Theo E. Sonnichtsen's "Das Flugzeug", 1939) written in a non-English language that you know (German in this case; for me it can also be French, Italian and Romanian) and taking the explanation from a picture as your "base password".
Thus, "Bild 88. Regler SSM 72" (image 88, voltage regulator SSM 72), showing a voltage regulator for an aircraft generator, becomes "Bild88.ReglerSSM72". To this we then add the maker's name (Bosch) and the year it was built (1936), making the chosen password "Bild88.1936BoschReglerSSM72".
This is easy for us to remember with little effort, since it's coherent and it references an actual technical part, but, because it's in German, contains common words, dates, the producer's name and a non-numerical symbol, and the part has been out of production since WW2, the chances of a single dictionary containing all of the necessary constituents are very slim indeed.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby Corka » Sun Aug 21, 2011 1:30 pm UTC

Now, tell me if I'm wrong here, but isn't this discussion on password strength somewhat irrelevant? I would expect many login servers would block access to an account well before the 3 day mark if there is 1000 login requests per second coming in. I would think that user passwords are much more likely to be compromised by phishing or by taking advantage of the password fatigue problem to harvest passwords.
Corka
 
Posts: 17
Joined: Wed Sep 15, 2010 2:16 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 21, 2011 3:14 pm UTC

wingsofwrath wrote:I'm pretty sure that if any brute force attacker gets to the point of running through the "technical names for machines" directory already knows what type of password you have and it's just a matter of filling in the details.
Sure, but a good password generating algorithm will still have dozens of bits of "details" to be filled in, even after knowing what type of password you have. As in the comic, where even if the attacker knows the exact wordlist you used, there are still 44 bits of entropy.

Which it's easy for us to remember with little effort, since it's coherent and it references an actual technical part, but, because it's in German, contains common words, dates, the producer's name, a non-numerical symbol, and the part has been out of production since ww2, the chances of a single dictionary containing all of the necessary constituents are very slim indeed.
And when that book shows up on Google Books as well? And an attacker knows that you know German and chose a technical name?

Again, better algorithms will be really strong even *after* someone knows all of that information.

Corka wrote:I would expect many login servers would block access to an account well before the 3 day mark if there is 1000 login requests per second coming in.
Good job not reading any of the thread!
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Sun Aug 21, 2011 5:47 pm UTC

gmalivuk wrote:Sure, but a good password generating algorithm will still have dozens of bits of "details" to be filled in, even after knowing what type of password you have. As in the comic, where even if the attacker knows the exact wordlist you used, there are still 44 bits of entropy.

And when that book shows up on Google Books as well? And an attacker knows that you know German and chose a technical name?


I'm not sure I understand what you're getting at, since the examples I gave do in fact conform to the aforementioned theory. Besides good informational entropy (they are in excess of 22 case-sensitive alphanumeric characters, thus totalling at least 128 bits of entropy), there is also the added element of opening a technical textbook at random, which provides little connection to known patterns of behaviour from the user.
Even if a hypothetical attacker knew the password was in German and had managed to snag a copy of the book (over 1000 pages of technical fun, good luck with that!) and even if he knew the actual picture I chose as the base, he would still be at a loss as to what exact words, symbols, numbers and combinations thereof I used to make up my password, especially since two of the elements, the manufacturer's name and the date, were introduced arbitrarily and are not present in either the original image or the adjoining body of text.

However, I find this is a bit beside the original point, because if a potential attacker knew that many things about my password it would have to do with carelessness on my part and not some inherent fallibility of my system.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 21, 2011 6:02 pm UTC

wingsofwrath wrote:(they are in excess of 22 case sensitive alphanumeric characters, thus totalling at least 128bits of entropy)
But that is not how entropy works. To get 128 bits of entropy out of 22 case-sensitive alphanumeric characters, they need to be completely random. A password like k8yNOH9no7v3feG9NaxF8y has 132 bits of entropy, because *randomly* picking 22 characters gives that much. But none of your suggestions involve randomly picking character by character, so they give substantially less entropy than random passwords of the same length would.
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Sun Aug 21, 2011 8:04 pm UTC

Right, it was a gross miscalculation on my part. However, using the same method from the comic, my password yields at least 52 bits of entropy, so my point still stands.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 21, 2011 8:09 pm UTC

You're picking words completely randomly?
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Sun Aug 21, 2011 10:13 pm UTC

It's even better.

The example password has meaning, making it easy to remember, but it's not an actual phrase that could be figured out, since it lacks actual grammatical structure. Some of the words are common and could be guessed through a dictionary attack, but one of them is the name of a parts manufacturer, thus unlikely to be found this way. There is also the type description, "SSM72", which has absolutely no independent meaning and must be taken as it is, and the two numerical notations, "88" and "1936", separated by the non-numerical symbol ".". Each of these latter elements is only vulnerable to brute force attacks, and the various constituents are sufficiently dissimilar to one another that they might as well be random.

Besides, even though my example can be read as a standalone phrase, the method is simply for picking up constituents, and, as such, someone desiring a tougher password can easily modify the original "Bild88.1936BoschReglerSSM72" to read instead "1936.SSM72BoschBildRegler88", which has the same level of informational entropy but loses any form of coherence, all while remaining relatively easy to remember because of its visual association to a physical object.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Sun Aug 21, 2011 10:25 pm UTC

wingsofwrath wrote:Some of the words are common and could be guessed through a dictionary attack, but one of them is the name of a parts manufacturer, thus unlikely to be found this way.
I don't think you understand how dictionary attacks work. They need not simply be the entries in an actual physical dictionary. Company names could very easily be included, and would be by anyone who suspects your password generating algorithm. (Which you've now posted here for all to see.)

Each of these latter elements is only vulnerable to brute force attacks, and the various constituents are sufficiently dissimilar to one another that they might as well be random.
The year 1936 is not a random number. If I suspect you might have a year in your password, I've only got to check 100 or so 4-digit numbers, instead of 10,000.

someone desiring a tougher password can easily modify the original "Bild88.1936BoschReglerSSM72" to read instead "1936.SSM72BoschBildRegler88" which has the same level of informational entropy but loses any form of coherence
That actually gives it more entropy. Five constituents that can now appear in any order adds almost 7 bits of entropy.
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)
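gmalivuk's point in the two posts above (a password's entropy is what the attacker has to enumerate per constituent, not log2(62) per character; a year is one of about 100 values rather than 10,000; letting n constituents appear in any order adds log2(n!) bits) as an added Python example. This is not code from the thread. The password is the one wingsofwrath posted; every option count in EXAMPLE is an assumed attacker model chosen to show the arithmetic, not a measurement of anything.

```python
"""Attacker-model entropy for a structured password (added example, not from the thread).

naive_charset_bits  : what a brute-force calculator reports, every character
                      assumed uniform over a 62-symbol alphanumeric alphabet.
component_bits      : one pick per constituent from the set the attacker would
                      actually enumerate, optionally plus log2(n!) when the
                      attacker must also guess the order of the constituents.
"""
import math


def naive_charset_bits(password: str, alphabet_size: int = 62) -> float:
    """Character-by-character estimate, valid only if each character is random."""
    return len(password) * math.log2(alphabet_size)


def component_bits(components, free_order: bool = False) -> float:
    """components: list of (value, options); options is how many candidates
    the attacker must try for that slot under the assumed model."""
    bits = sum(math.log2(options) for _, options in components)
    if free_order:
        bits += permutation_bonus_bits(len(components))
    return bits


def permutation_bonus_bits(n_components: int) -> float:
    """Extra work when n constituents may appear in any order: log2(n!)."""
    return math.log2(math.factorial(n_components))


# Constructed attacker model for "Bild88.1936BoschReglerSSM72". Every count below is an
# assumption made for this example (the attacker's candidate set for that slot).
EXAMPLE = [
    ("Bild",   50),            # figure-caption word from an assumed 50-word set
    ("88",     500),           # figure number, assumed 1..500
    (".",      10),            # separator from ~10 common punctuation marks
    ("1936",   100),           # a year: ~100 plausible values, not 10,000 4-digit numbers
    ("Bosch",  2000),          # manufacturer from an assumed 2,000-name list
    ("Regler", 20000),         # word from an assumed 20,000-entry technical vocabulary
    ("SSM72",  26 ** 3 * 100), # up-to-3-letter prefix plus 2 digits, assumed uniform
]


def year_slot_bits():
    """The year comparison from the thread: ~100 candidates vs all 4-digit numbers."""
    return component_bits([("1936", 100)]), component_bits([("1936", 10000)])


def compare(components=EXAMPLE) -> dict:
    """Naive estimate beside the attacker-model estimate, fixed and free order."""
    pw = "".join(value for value, _ in components)
    return {
        "password": pw,
        "naive_bits": naive_charset_bits(pw),
        "fixed_order_bits": component_bits(components),
        "free_order_bits": component_bits(components, free_order=True),
    }


if __name__ == "__main__":
    r = compare()
    print(f'{r["password"]}: naive {r["naive_bits"]:.1f} bits, '
          f'attacker model {r["fixed_order_bits"]:.1f} bits (fixed order), '
          f'{r["free_order_bits"]:.1f} bits (any order)')
    year, digits = year_slot_bits()
    print(f"year slot: {year:.1f} bits vs {digits:.1f} bits for random 4 digits")
    print(f"5 constituents in any order add {permutation_bonus_bits(5):.1f} bits")
```

The gap between the naive and attacker-model figures is the whole argument: the naive number only holds when the attacker has no model of how the password was built, and the model-based number shrinks further as each assumed option count is replaced by the smaller set a real attacker would try first.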

Re: 0936: "Password Strength"

Postby wingsofwrath » Mon Aug 22, 2011 12:37 am UTC

gmalivuk wrote:I don't think you understand how dictionary attacks work. They need not simply be the entries in an actual physical dictionary. Company names could very easily be included, and would be by anyone who suspects your password generating algorithm. (Which you've now posted here for all to see.)


I see you are still clinging to the specific example I posted rather than to the system in general. "Bosch" is indeed a rather well-known company name, but I could just as easily have chosen "Sienar Fleet Systems" or "Orchard Yard Blackwall".
Actually, since I'm currently working on a graphic novel (still in the design stage) I mostly base my passwords around fictional technology I created myself. It still holds meaning for me and good luck finding any of the names in any search database...

gmalivuk wrote:The year 1936 is not a random number. If I suspect you might have a year in your password, I've only got to check 100 or so 4-digit numbers, instead of 10,000.


Again, you have to "suspect" it, which suggests prior knowledge on your part. In fact, the number needn't be a date. It could be the number of units produced, height in attoparsecs or maybe the age of the designer when he fell into a well and sprained his ankle. The point here was to suggest a way of creating easy to remember alphanumeric combinations by connecting them to a physical object rather than making them fully random. Of course, to turn this into a hard to crack password you still have to add random bits of information loosely connected to the original, but the base is there. The rest is wholly up to you, including holding the subject matter secret.

gmalivuk wrote:That actually gives it more entropy. Five constituents that can now appear in any order adds almost 7 bits of entropy.


But there really was no "set order" for the constituents to begin with, since my examples did not represent an actual phrase. You could say "BoschReglerSSM72", "ReglerBoschSSM72" or "SSM72BoschRegler" and it would convey the same amount of information and have the exact same entropy.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Mon Aug 22, 2011 1:01 am UTC

wingsofwrath wrote:I see you are still clinging to the specific example I posted rather than to the system in general. "Bosch" is indeed a rather known company name, but I could just as easily have chosen "Sienar Fleet Systems" or "Orchard Yard Blackwall".

Sure, but again, there just aren't that many companies out there. I could conceivably add the name of every electronics manufacturer in history to my word list without substantially increasing its size.

Actually, since I'm currently working on a graphic novel (still in the design stage) I mostly base my passwords around fictional technology I created myself. It still holds meaning for me and good luck finding any of the names in any search database...

Assuming the hackers do not know you use these names, the names are not also names in any other real setting, and your graphic novel is not visible enough for them to include anything from it, then you are perhaps correct. But since (as pointed out before) you have now revealed that you use these for your passwords, they could probably just look up your graphic novels and use the relatively few possible names from them as their (now incredibly tiny) word list.

Again, you have to "suspect" it, which suggests prior knowledge on your part.

We are indeed making the assumption. If you want to see why, you should read through this thread.
Eebster the Great
 
Posts: 1274
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby wingsofwrath » Mon Aug 22, 2011 1:39 am UTC

Eebster the Great wrote:Sure, but again, there just aren't that many companies out there. I could conceivably add the name of every electronics manufacturer in history to my word list without substantially increasing its size.


This is still just nitpicking the specifics of my examples rather than the base algorithm. Neither of the latter suggestions is an electronics company, and one of them is entirely fictional. If you think you can expand your word list to include any company ever that produced something with a numerical designation, both fictional and real, you probably deserve to break that password because of the sheer volume of work you put into the effort.
Besides, you could always omit the manufacturer altogether and instead use the name of the cat of the designer if you know it. Whatever floats your boat, really, as long as you can recall that information by association with the base object.

And to clarify: suggesting technology was for illustration purposes only. One can use virtually any object. If you wish, you could base your password around the Latin name of a rare species of snake, the colour of its eyes and the number of scales on its belly, and you would still be conforming to the outlined system.

Eebster the Great wrote:Assuming the hackers do not know you use these names, the names are not also names in any other real setting, and your graphic novel is not visible enough for them to include anything from it, then you are perhaps correct. But since (as pointed out before) you have now revealed that you use these for your passwords, they could probably just look up your graphic novels and use the relatively few possible names from them as their (now incredibly tiny) word list.


I'll grant you that a password's weak point is always the human element, but I hope you realise I would never willingly disclose (and on a public forum, no less!) any information that would endanger my actual passwords. Like I stressed in my earlier post, the whole point of my system is keeping the base object secret. None of the names I use exist, are known or will be known by any other person. I made sure of that.

Eebster the Great wrote:We are indeed making the assumption. If you want to see why, you should read through this thread.

Assume away.
If one keeps to the one rule of the system, which is not revealing any information about the base object, any "suspicion" is only as good as trying to guess a random measurement of a non-existent object in fictional units.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby superluser » Mon Aug 22, 2011 5:05 am UTC

FoolishOwl wrote:I wonder if there are good (as in, reasonably secure) methods to have a random password generator pop up when a user is prompted for a password. Random password and pass phrase generators are easy: several have been posted in this thread. The hard part is getting people to use them, and the more convenient it is to do so, without compromising security, the more likely regular people are to use them.


OS X includes a number of password generators that pop up when you create a new user account, including memorable, letters and numbers, numbers only, random, and a FIPS-181 password generator.
superluser
 
Posts: 16
Joined: Wed Aug 17, 2011 5:36 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Mon Aug 22, 2011 5:35 am UTC

wingsofwrath wrote:This is still just nitpicking the specifics of my examples rather than the base algorithm. Neither of the latter suggestions is an electronics company, and one of them is entirely fictional. If you think you can expand your word list to include any company ever that produced something with a numerical designation, both fictional and real, you probably deserve to break that password because of the sheer volume of work you put into the effort.
Besides, you could always omit the manufacturer altogether and instead use the name of the cat of the designer if you know it. Whatever floats your boat, really, as long as you can recall that information by association with the base object.

And to clarify: suggesting technology was for illustration purposes only. One can use virtually any object. If you wish, you could base your password around the Latin name of a rare species of snake, the colour of its eyes and the number of scales on its belly, and you would still be conforming to the outlined system.

Well obviously the strength of the password depends on what you are including in your algorithm, as has been pointed out in nearly every single post. Yes, if you are willing to include nearly anything in your potential pool of passwords, your password is far more difficult to break than if you limit it to a small selection of names. It still isn't as strong as a random string of letters, of course, but it is probably strong enough.

I'll grant you that a password's weak point is always the human element, but I hope you realise I would never willingly disclose (and on a public forum, no less!) any information that would endanger my actual passwords. Like I stressed in my earlier post, the whole point of my system is keeping the base object secret. None of the names I use exist, are known or will be known by any other person. I made sure of that.

And the point we are trying to make is that a good system is strong whether you reveal it or not.
Eebster the Great
 
Posts: 1274
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby Gorman » Mon Aug 22, 2011 11:10 am UTC

This seems kind of like an unfair comparison.

A 25 character random password will always beat a 25 character dictionary word password.
Besides, most passwords are cracked by dictionary attacks, not by guessing each individual character.

And remembering either isn't even hard. Personally my current password is 30 characters, random characters picked from random.org. Took about 20 minutes to memorise it.
Gorman
 
Posts: 1
Joined: Mon Aug 22, 2011 11:00 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Mon Aug 22, 2011 11:49 am UTC

Gorman wrote:Besides, most passwords are cracked by dictionary attacks, not by guessing each individual character.
Yes, but the passphrase Randall came up with won't be in any dictionary attack, whereas the mangled dictionary word might be.

And remembering either isn't even hard.
For you.

A million sticky notes on a million computer monitors would suggest that many people are different.
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Mon Aug 22, 2011 1:37 pm UTC

Eebster the Great wrote:And the point we are trying to make is that a good system is strong whether you reveal it or not.


gmalivuk wrote:A million sticky notes on a million computer monitors would suggest that many people are different.


And my point was finding a practical way to remember a high entropy password.
Granted a completely random 30 character password will have the maximum amount of entropy, but I believe my system makes the whole thing easier without compromising too much security wise.

To further make my point, I tried testing my given example, "Bild88.1936BoschReglerSSM72", on this website: http://rumkin.com/tools/password/passchk.php.
According to its findings, my password has:

Length: 27
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
Entropy: 126.7 bits
Charset Size: 82 characters


Thus the whole is actually closer to my original estimate of 128 bits of entropy rather than my "revised" 52.
I'll grant you that it has some vulnerability to a dictionary attack, but at the same time, due to its greater character set it's a lot more secure than "correctbatteryhorsestaple", which is a lot more susceptible to such an attack because it uses common English words, and has:

Length: 25
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
Entropy: 93.7 bits
Charset Size: 26 characters


Also, the revised, "scrambled" version of my original password, "1936.SSM72BoschBildRegler88", has, according to the same website:

Length: 27
Strength: Very Strong - More often than not, this level of security is overkill.
Entropy: 129.8 bits
Charset Size: 82 characters
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Mon Aug 22, 2011 2:28 pm UTC

wingsofwrath wrote:To further make my point, I tried testing my given example, "Bild88.1936BoschReglerSSM72", on this website: http://rumkin.com/tools/password/passchk.php.
According to its findings, my password has:

Length: 27
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
Entropy: 126.7 bits
Charset Size: 82 characters


Thus the whole is actually closer to my original estimate of 128 bits of entropy rather than my "revised" 52.
And is therefore completely wrong. Like your earlier incorrect calculation, that site seems to be assuming that, since it doesn't recognize any particular words in your password, it must be completely random. But obviously it isn't, because you've just repeatedly described the non-random algorithm you use to generate it.

If you actually read the thread, you'd see that there have already been many complaints about such password strength checkers, which do nothing to test whether your method of generation will actually go through the complete range of possibilities it thinks.

(In other words, 128 bits of entropy means a generating algorithm could come up with approximately 2^128 distinct passwords. But yours clearly couldn't, because it's not a random string of characters. If my passwords are generated by appending A1! to the front of a movie quote, that site would probably fail to recognize any dictionary words, see that it's got letters, numbers and punctuation, and conclude that it's a strong password. But in fact it's a really shitty password, because there are only so many possible movie quotes.)
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Mon Aug 22, 2011 2:49 pm UTC

Hmm, I had an inkling this might be the case when I was writing my earlier post, but I needed some external confirmation, which reading all through several sites devoted to this problem, along with your response, just provided.

However, I am not convinced that my method of password generation is completely useless, since, if you choose your subject matter carefully enough, you will still end up with a pretty strong (at around 52 bits of entropy) yet easy to remember password, which was the point of the exercise in the first place.

Also, using the same logic, Randall's passphrase of "correctbatteryhorsestaple" would be a snap to crack, since it's composed solely of common English words.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Mon Aug 22, 2011 3:17 pm UTC

My only objection to your generation method was that you were overstating its strength. I never said it has no strength at all, just that it wasn't as strong as you seemed to think.

And the logic by which Randall's password is relatively strong has nothing whatsoever to do with the fact that it's composed of English words, and everything to do with how those words are chosen. I agree that your method might have a similar level of entropy to his, with the added mangling you do by choosing from among many disparate facts about a particular technical item, and choosing arbitrarily how to order those facts.

But, like Randall's, yours is made up of discrete chunks which are individually not at all difficult to brute force. The choice and arrangement of those chunks is where the strength comes from, but at the "expense" of about 76 bits of entropy (assuming your 52-bit claim is accurate) compared to other passwords of similar length.
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Mon Aug 22, 2011 3:33 pm UTC

I understand.

It's a good thing then my (slightly) paranoid mind long settled for made-up words for my passwords, since to all intents and purposes, those have all the entropy of random letters, with the added bonus of a coherent and thus easy to remember meaning on my end.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby thevicente » Mon Aug 22, 2011 3:35 pm UTC

This discussion about password lengths, letter cases and all that, is endless because it's pointless. There is a reason this type of attack is called "brute force".

If a computer must present a problem easy enough so a human can answer it, then of course it's a piece of cake for another computer.

We, humanity, are already outmatched by our creation.

I remember a silly Star Trek episode when the android locks the computer with an absurd-length password and the audience instantly and unquestionably knows nobody will ever break that.
thevicente
 
Posts: 63
Joined: Fri Jan 29, 2010 3:19 pm UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Mon Aug 22, 2011 3:43 pm UTC

thevicente wrote:If a computer must present a problem easy enough so a human can answer it, then of course it's a piece of cake for another computer.
Not if the human has, say, 44 bits of information the computer can only guess at. Such as, for example, a moderately strong password or something.

wingsofwrath wrote:to all intents and purposes, those have all the entropy of random letters
Not quite, because made-up words are far less likely to contain long unpronounceable strings of consonants than random letters are.
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)

Re: 0936: "Password Strength"

Postby wingsofwrath » Mon Aug 22, 2011 4:18 pm UTC

gmalivuk wrote:Not quite, because made-up words are far less likely to contain long unpronounceable strings of consonants than random letters are.


Unpronounceable according to what standards? My full name is almost impossible to pronounce when read outright by an English speaker, because Romanian has sounds that do not exist in the English language.

So far, from what I've read and you've told me, the main ways of attacking a password are character by character (brute force), looking for common words (dictionary), or simply common combinations of letters, that might suggest word-like structures (standard codebreaker). However, if the base language is unknown, there is little that can be done except straight up brute force, since a foreign language will not conform to the same patterns of letter use English has. After all, this is the main reason quite a few ancient languages remain so difficult to analyse, even when written in a known alphabet (Etruscan springs to mind).

To take an example, the passphrase "correctbatteryhorsestaple" could be translated into Romanian as "adevăratacumulatorcalcapsă" (Romanian has both the words "corect" and "baterie", but I used synonyms instead to make my point clearer).
Can you tell me, just by looking (and without googling it), where the various words in this phrase begin and end? Also, a clever algorithm set to find the letter "e", the most common letter in English, will draw a blank, because the most common letter in Romanian is instead "a", and thus a potential attacker without any knowledge of the language of the password will simply assume the letters are random.

If you then add to that all the previously mentioned randomisation, digits and non-numerical symbols, you get a mess that is still a major pain to crack.
wingsofwrath
 
Posts: 18
Joined: Sun Aug 21, 2011 12:40 am UTC

Re: 0936: "Password Strength"

Postby gmalivuk » Mon Aug 22, 2011 4:51 pm UTC

wingsofwrath wrote:thus a potential attacker without any knowledge of the language of the password will simply assume the letters are random.
Sure, but they'd do the same with correcthorsebatterystaple. Which is why we typically measure password entropy by worst-case scenarios. Randall's has 44 bits of entropy if the attacker knows the method and the exact word list. If the attacker knows the method but thinks the word list is twice as big, then for them it essentially has 48 bits. If they're looking at the entire diceware list, it's almost 52 bits. And if they know nothing at all beyond that it's 25 letters long, and they therefore choose to brute force it by checking all such combinations, then it essentially has 117.5 bits of entropy.

Similarly, if I have no information about your 4-digit PIN, there are 10000 choices. If I know it's a birthdate, then even knowing nothing at all about you personally I have only 365 choices to check, or 730 if I don't know what date format you used.

Furthermore, because it's so much faster to check 730 choices than 10000, and because birthdates are common choices for PIN, I would be foolish not to try those particular 4-digit combinations before going through all the other ones. (Which is why, incidentally, even a completely randomly-generated PIN should be rejected if it works out to correspond to a date, because even though that's not how you picked it, it's likely to be tried before other sequences because so many other people are stupid. Just like how, though >Rw=p:1b and password are equally likely to be generated randomly, the former makes a much stronger password because the two are *not* equally likely to be checked quickly by someone trying to get into your account.)
gmalivuk
Archduke Vendredi of Skellington the Third, Esquire
 
Posts: 19285
Joined: Wed Feb 28, 2007 6:02 pm UTC
Location: Here, There, Everywhere (near Boston, anyway)
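The entropy arithmetic gmalivuk uses in the two posts above (the generator's entropy versus what a strength checker infers from the final string, and the same passphrase or PIN seen under different attacker models), worked through as an added example that is not code from the thread or from xkcd. The word-list sizes, passphrase and PIN figures are the ones quoted in the posts; the guess rate and the number of movie quotes are constructed assumptions.

```python
"""Password entropy under different attacker models.

Added example, not code from the thread or from xkcd. Word-list sizes,
passphrase, PIN figures and the 'A1! + movie quote' generator are taken
from the posts; the guess rate and quote count are constructed assumptions.
"""
from __future__ import annotations

import math


def brute_force_bits(charset_size: int, length: int) -> float:
    """What a strength checker can compute from the final string alone:
    log2(charset ** length). An upper bound, never the generator's entropy."""
    return length * math.log2(charset_size)


def method_bits(choices_per_slot: list[int], reorderable: bool = False) -> float:
    """Entropy of the *generator*: log2 of how many distinct passwords it can
    emit. A fixed slot (one choice) adds nothing, however many characters it
    contributes. Distinct chunks in any order add log2(n!) extra bits."""
    bits = sum(math.log2(c) for c in choices_per_slot)
    if reorderable:
        bits += math.log2(math.factorial(len(choices_per_slot)))
    return bits


def wordlist_bits(list_size: int, n_words: int) -> float:
    """n words drawn uniformly from a list the attacker is assumed to know."""
    return method_bits([list_size] * n_words)


def correcthorse_models(passphrase: str = "correcthorsebatterystaple") -> dict[str, float]:
    """The attacker views gmalivuk lists for Randall's passphrase."""
    return {
        "knows method and the 2048-word list": wordlist_bits(2048, 4),
        "knows method, assumes 4096 words": wordlist_bits(4096, 4),
        "knows method, uses the 7776-word diceware list": wordlist_bits(7776, 4),
        "knows only the length, lowercase brute force": brute_force_bits(26, len(passphrase)),
    }


def pin_models() -> dict[str, float]:
    """A 4-digit PIN: uniform, or known to be a date in one or two formats."""
    return {
        "uniform": math.log2(10_000),
        "a date (MMDD)": math.log2(365),
        "a date, either format": math.log2(730),
    }


def effective_bits(models: dict[str, float]) -> float:
    """The strength that counts is the weakest model an attacker will try first."""
    return min(models.values())


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time at a given rate: on average half the space is searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for name, bits in correcthorse_models().items():
        print(f"{name:48s} {bits:6.1f} bits")
    print(f"effective: {effective_bits(correcthorse_models()):.1f} bits")
    # The checker trap: 'A1!' + one of an assumed 10,000 movie quotes, 30 chars
    # over a 72-symbol alphabet. Character arithmetic says ~185 bits; the
    # generator can only produce 10,000 strings, so it really has ~13.3.
    print(f"movie quote: naive {brute_force_bits(72, 30):.1f} bits, "
          f"actual {method_bits([1, 10_000]):.1f} bits")
    # Five distinct chunks in any order add log2(5!) bits, just under 7.
    print(f"reordering bonus: {method_bits([1] * 5, reorderable=True):.1f} bits")
    for name, bits in pin_models().items():
        print(f"PIN {name:24s} {bits:5.2f} bits")
    print(f"44 bits at a constructed 1e9 guesses/s: {seconds_to_crack(44, 1e9):.0f} s")
```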
