
GPGPU: Why Passwords Need To Be Long

Started by Remington, September 22, 2011, 07:20:03 AM

LMNO

Trip, watching you hold court on the intricacies of computer cryptology is pretty damn sexy, I gotta tell you.

Triple Zero

Quote from: Iptuous on September 22, 2011, 06:16:28 PM
I see.
And the practical downside being, as you mentioned, that you would have to have different, very long passwords for each website, thus negating the 'easy to remember' part?

Pretty much. There were some other practical concerns mentioned, but I forgot what they were. So they must not have been very important :)

Problem is, in discussion threads about this comic/scheme, a lot of smart people are very wrong, people I really expected to know their shit about password strength, best practices, and why you can't counter an argument about password strength in terms of bits of entropy with "but if you got a real clever dictionary attack ..." (because "bits of entropy" really is an objective measure of password strength).

Quote from: LMNO, PhD (life continues) on September 22, 2011, 06:23:48 PM
Trip, watching you hold court on the intricacies of computer cryptology is pretty damn sexy, I gotta tell you.

8)

You should read Neal Stephenson's Cryptonomicon, slightly less funny than Snow Crash but it more than makes up for it in awesome story. It involves Alan Turing being fabulous and solving the Enigma codes, hidden Nazi Gold treasure (and the logistics of moving it out of a jungle), hackers and high-tech investments, and lots of people knowing their shit about crypto--which is a lot more about common sense and "knowing that they know you know what they know you know"-reasoning than really complex math.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Faust

Quote from: Iptuous on September 22, 2011, 06:16:28 PM
I see.
And the practical downside being, as you mentioned, that you would have to have different, very long passwords for each website, thus negating the 'easy to remember' part?
Yes, unless you have an easy-to-remember system. For a while I would add the first letter +1 (a becomes b) of the name of a site to the end of my regular password.
Sleepless nights at the chateau

Elder Iptuous

Quote from: Faust on September 22, 2011, 08:04:15 PM
Quote from: Iptuous on September 22, 2011, 06:16:28 PM
I see.
And the practical downside being, as you mentioned, that you would have to have different, very long passwords for each website, thus negating the 'easy to remember' part?
Yes, unless you have an easy-to-remember system. For a while I would add the first letter +1 (a becomes b) of the name of a site to the end of my regular password.
I hardly see how adding the letter 'x' to the end of your passwords differentiates them at all.
.
.
.
:wink:

Triple Zero


Don Coyote

So, I should probably change my password, and that might explain my GF's choice of password for our router. A string of gibberish and then this longass sentence. It was not fun typing it in on my kindle.

Mesozoic Mister Nigel

Wow, suddenly my habit of using the full names of book characters or compounding two random things I can see doesn't seem so silly.
"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."

Triple Zero

Quote from: Nigel on September 23, 2011, 09:55:34 PM
Wow, suddenly my habit of using the full names of book characters or compounding two random things I can see doesn't seem so silly.

Yup, that's a good strategy.

Although "things you can see" is a known pattern, I catch myself doing that as well when thinking up a new password. So I guess there must be some dictionary out there containing "stuff likely to be in eyesight of an office/desk/computer" :)

Mesozoic Mister Nigel

Quote from: Triple Zero on September 23, 2011, 10:40:52 PM
Quote from: Nigel on September 23, 2011, 09:55:34 PM
Wow, suddenly my habit of using the full names of book characters or compounding two random things I can see doesn't seem so silly.

Yup, that's a good strategy.

Although "things you can see" is a known pattern, I catch myself doing that as well when thinking up a new password. So I guess there must be some dictionary out there containing "stuff likely to be in eyesight of an office/desk/computer" :)

I usually do things like the name of a street and establishment, or a landmark... two things that are related, so that I'll remember them, but unlikely to be associated in anyone's head. Such as "Fremont Place Irving fountain" or "Madison Finnegan wind sock".

Jasper

I still have correcthorsebatterystaple stuck in my head.

Kai

Quote from: Jasper on September 23, 2011, 11:11:09 PM
I still have correcthorsebatterystaple stuck in my head.

Me too.

Zero, what is the optimum password length in terms of both symbols and words? Or is it "as long as you can make it"?
If there is magic on this planet, it is contained in water. --Loren Eisley, The Immense Journey

Her Royal Majesty's Chief of Insect Genitalia Dissection
Grand Visser of the Six Legged Class
Chanticleer of the Holometabola Clade Church, Diptera Parish

Golden Applesauce

Quote from: ϗ, M.S. on September 24, 2011, 01:34:32 AM
Quote from: Jasper on September 23, 2011, 11:11:09 PM
I still have correcthorsebatterystaple stuck in my head.

Me too.

Zero, what is the optimum password length in terms of both symbols and words? Or is it "as long as you can make it"?

As long as you can make it, without you yourself forgetting it.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Mesozoic Mister Nigel

It seems as if even phrases that make perfect sense would be very secure passwords.

Triple Zero

Quote from: ϗ, M.S. on September 24, 2011, 01:34:32 AM
Quote from: Jasper on September 23, 2011, 11:11:09 PM
I still have correcthorsebatterystaple stuck in my head.

Me too.

Zero, what is the optimum password length in terms of both symbols and words? Or is it "as long as you can make it"?

Theoretically:

A) They get better as they get longer, because of the number of possibilities, especially if you add in a symbol here and there.
B) They get "worse" as they get longer because you're more likely to forget them, and at some point it will become inconvenient to type a whole paragraph just to log in.

Now if you multiply A*B, you'd get a cost/benefit curve with a maximum somewhere. Unfortunately you can calculate A (benefit), but B (cost) is very personal, so you're going to have to sort of determine it experimentally.

TL/DR: What GA said ;-)

Co-incidentally, this morning I came across this very good password strength calculator + article on best practices and stuff:

https://www.grc.com/haystack.htm

The calculator demonstrates very nicely Cram's initial question of whether/how password length really trumps password complexity (which it does).

And the text on the page contains all sorts of good advice. I don't 100% agree with all of it, but they take the cautious approach; be sure to read the "One Important Final Note" about halfway down.

One thing I don't agree with is that they're assuming once a cracker decides they're going to do an exhaustive password search, they're going to try the combinations in random, or worse, alphabetical order. Not true. They're still going to use some sort of heuristic to make the more likely passwords be tried first. This is very important and I have read about tools that are capable of this (would love to write one, too).

For instance, in the FAQ they say your password is "news".

Bruteforce difficulty of this is 26^4: four characters out of an alphabet of 26 lowercase letters.

- if you add one lowercase character to it, say "newsy", difficulty becomes 26^5, so it'll take 26 times as long to bruteforce this password versus the original.

- if you add a symbol to it, say "news!", you get a bigger alphabet: there are 33 symbols that you can easily type on a standard keyboard[1], so in addition to the lowercase letters your alphabet is 33+26 = 59 characters. Length is five, so you get 59^5 possibilities. That number is 1564 times as large as 26^4 (the FAQ on the site says 1530 but I did the calculation and it's 1564. Close enough, either way).

It's the second statement I disagree with. "news!" is not 1500 times as hard to crack as "news". Why? Because adding an exclamation mark is the most common thing people do when they decide "hey let's add a symbol". A password cracker will probably try bruteforcing in this order:

- all 26^4 possible passwords of 4 characters lowercase
- all 26^4 possible passwords of 4 characters lowercase, with the first character changed to uppercase
- all 26^4 possible passwords of 4 characters lowercase, with a ! tacked at the end
- all X * 26^4 possible passwords of 4 characters lowercase, with some numbers at the end: 1, 0, 123, two digit birth years, four digit birth years, birthdates ...
- all 36^4 possible passwords including 10 common l33tspeak symbols
- ...

As you can see, even though in the end the cracker will have exhaustively searched all possible passwords, he's not trying them in alphabetical or lexicographical order.
Most password cracking tools are based on the key concept of "transformations", such as "first character to uppercase" or "append an exclamation mark". The cracker will think up all sorts of creative probable transformations, and the cracking tool makes sure they are all applied first to the word dictionary, then to the exhaustive search, all the while making sure there are no duplicates, and that the transformations that the cracker decides are most probable are searched first.

I tried to think about probable transformations and in my rough guess, adding the exclamation mark would be about the third thing I'd try, in order of likelihood. That makes adding an exclamation mark only THREE times as difficult as no exclamation mark.

But it all depends on what your adversary is doing, or thinks you will do.

[1] They are ~`!@#$%^&*()_+=-[]{}\|'";:/?.,<> and the space character.

Quote from: Nigel on September 24, 2011, 05:10:57 AM
It seems as if even phrases that make perfect sense would be very secure passwords.

Yes.

Although, absurdist phrases that are very crazy have two advantages:

- they're much harder to guess, because there are so many more possibilities
- because they paint such a crazy image in your mind, they are also much easier to remember

So it's win/win, really :)

Then change it up a bit with symbols, and you get what Assange used for his WikiLeaks PGP password. Very secure.

Then finally, what went wrong with Assange? It got printed, because it's printable.

Seriously, when you get to the Wikileaks level of secrecy, there's more you can do to secure your password and Assange should have known this, because I read it in an article many years ago.

Once you've made yourself the perfect password that is so fucking clever, you'll feel pretty fucking clever, and you'll get the urge to tell people about it.

Now Assange might like to show how clever he is, but he's not stupid, so he didn't do that.

The journalist, however, was a stupid fuck, so because the password he was given was so fucking obviously clever ("A_Diplomatic_History_Since_19xxsomethingorother%", something like that), he decided to print it in his book! Yaaaaay!

The simple solution the article presents to this problem is to make the password not only clever, but also highly embarrassing, offensive, and something you definitely would not want to tell other people or put in print:

niggerFUCKSHITDAMN_theH0L0C4USTisaLIE+irapedmybabydaughterfor$$$

This would probably never have made it into print. Hell, I almost feel bad for posting those words here. That's how well it works.
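The counting argument in Triple Zero's post, worked through as an added example that is not part of the thread: the haystack-style keyspace (alphabet size to the power of length) beside an estimate of how many candidates a rule-ordered search would try before reaching the same password. The rule order, the digit-suffix list and the year ranges are assumptions modelled on the post's bullet list, not any real tool's rule set.

```python
import string

LOWER = string.ascii_lowercase
# The 33 symbols from the post's footnote; the space is the 33rd.
SYMBOLS = "~`!@#$%^&*()_+=-[]{}\\|'\";:/?.,<> "
# Digit suffixes the post names: 1, 0, 123, two-digit years, four-digit years (constructed ranges).
DIGIT_SUFFIXES = ["1", "0", "123"] + [f"{y:02d}" for y in range(100)] \
    + [str(y) for y in range(1900, 2012)]


def naive_keyspace(password: str) -> int:
    """Haystack-style count: (size of the union of character classes used) ** length."""
    classes = (LOWER, string.ascii_uppercase, string.digits, SYMBOLS)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


# Each "undo" function maps a candidate back to the lowercase base word it came from, or None.
def _plain(p):
    return p if p and all(ch in LOWER for ch in p) else None

def _capitalized(p):
    return p.lower() if p[:1].isupper() and _plain(p[1:]) else None

def _bang(p):
    return p[:-1] if p.endswith("!") and _plain(p[:-1]) else None

def _digits(p):
    base = p.rstrip(string.digits)
    return base if p[len(base):] in DIGIT_SUFFIXES and _plain(base) else None

# (label, undo function, candidates per base word), in the order the post guesses a cracker uses.
RULES = [("lowercase as-is", _plain, 1), ("first letter uppercased", _capitalized, 1),
         ("'!' appended", _bang, 1), ("common digits appended", _digits, len(DIGIT_SUFFIXES))]


def rule_ordered_guesses(password: str):
    """Upper bound on candidates a rule-ordered search tries before reaching `password`:
    every earlier rule set over base words of the same length is exhausted first.
    Returns (rule label, guesses); falls back to the naive keyspace if no modelled rule fits."""
    for i, (label, undo, _) in enumerate(RULES):
        base = undo(password)
        if base is not None:
            sets_so_far = sum(m for _, _, m in RULES[: i + 1])
            return label, sets_so_far * len(LOWER) ** len(base)
    return "outside modelled rules", naive_keyspace(password)


if __name__ == "__main__":
    for pw in ("news", "newsy", "news!", "News", "news1984"):
        label, guesses = rule_ordered_guesses(pw)
        print(f"{pw:9} naive {naive_keyspace(pw):>14,}  rule-ordered {guesses:>14,}  ({label})")
```

Under this model "news!" sits about 3 * 26^4 candidates into the search rather than 59^5, which is the post's point that a symbol buys far less than the 1564x the calculator claims.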

bds

I use LastPass to save all my passwords. It has a nifty extension for pretty much every browser under the sun that can automatically fill password forms etc.

The really cool thing about it is that it comes with a random password generator that creates randomised passwords exactly to what you want. I used it to generate 30-character randomised passwords with both cases, numbers and symbols for all of my critical sites (gmail, amazon, some torrenting sites).