Password De-Complexity
-
You have the fantastic ability of generating SHA256 hashes completely from memory. :) There are only more of them than there are stars in the universe so it's easy. :laugh:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
raddevus wrote:
There are only more of them than there are stars in the universe so it's easy
Ya, I needed a challenge after I counted all the stars. :^)
There are only 10 types of people in the world, those who understand binary and those who don't.
-
When people use funny characters in their password my code doesn't work
string sql = "insert into users (username, password) values ('" + TextBox19.Text + "', '" + TextBox6.Text + "')";
How can I stop users using funny characters?
-
actually, they've determined that the hackers can easily replicate shoving in those few extra special characters into their password generators and they only serve to make the passwords more difficult to remember for users. The best information on passwords is that they should be : 1. much longer (my application generates 64 char passwords based upon the SHA256 hash) 2. not based upon words -- this protects from any kind of dictionary attack -- which basically all the hacker attacks which attempt to reverse passwords are based upon I've just written an blog article on this recently (pulled from my blog) ==> How Hackers Crack Passwords (part 1)[^] The paradigm shift that people can't get over with C'Ya Pass is that you never have to memorize a password again and they aren't stored anywhere. They're generated every time for your use. I apologize if this sounded a bit like gratuitous self promotion, but I'm really passionate about this whole (stupid) password thing. Passwords are terrible.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
Cool, and exactly how one does remember that password? On a device, which may be unavailable at any time? Oh right, you can put it on the "cloud", and how do you protect the access to that account? Basically a slighlty altered and less reliable folded paper with passwords in the wallet.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
Oh, very good point. That's ridiculous that they don't allow it. What? I use my app exclusively for my own passwords and I'm always annoyed when sites tell me that I have to use a special char, because with my app my passwords now look like: 1. cf82bb8b015707c5cef11942b88bb058d3795f4dcae551e65ea72891333a1384 2. ea50612a6d5dde56c7a826cc03317e99c2f2f5547b0bd0b5e985ac27883b8242 Those are extremely strong because they are long and not based upon words. Those silly password checkers will say they are of medium complexity. :sigh: The industry has a lot to learn.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
raddevus wrote:
Those are extremely strong because they are long and not based upon words. Those silly password checkers will say they are of medium complexity.
They ain't silly... 12 chars with 26 possibilities (9,54e16 combinations) 10 chars with 52 possibilities (1,445e17 combinations) Your length is bullish when it comes to complexity ;)
if(this.signature != "")
{
MessageBox.Show("This is my signature: " + Environment.NewLine + signature);
}
else
{
MessageBox.Show("404-Signature not found");
} -
raddevus wrote:
There are only more of them than there are stars in the universe so it's easy
Ya, I needed a challenge after I counted all the stars. :^)
There are only 10 types of people in the world, those who understand binary and those who don't.
RyanDev wrote:
Ya, I needed a challenge after I counted all the stars
:laugh:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
All my passwords are based on a special secret alphabet that I crafted in my voodoo laboratory. Just saying...
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
Just a few weeks ago a new password was rejected because it contained a
-(hex 2D). Using an underscore was OK. So, yes I noticed it (and thought WTF). Maybe the passwords has to be piped between shell commands, then passed as shell command parameters, HTML/XML encoded and decoded, and finally passed to a SQL query. To avoid escaping all the processing specific reserved characters using processing specific escaping it is just simpler to disallow them. -
Cool, and exactly how one does remember that password? On a device, which may be unavailable at any time? Oh right, you can put it on the "cloud", and how do you protect the access to that account? Basically a slighlty altered and less reliable folded paper with passwords in the wallet.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
No, there is no cloud with C'Ya Pass. Here's how it works. 1. You add unique site/keys to the app. That is a text-based string that will help you remember what the password is associated with. The app hashes that value. 2. You draw a pattern in the grid. The original hash is salted with the generated value from the grid of the pattern that you drew. Now, each time you select your site/key and draw your exact pattern then the unique hash is generated. Your passwords are not stored anywhere. This is the paradigm shift. They are generated every time you select the site/key and draw the pattern. Your password is cryptographically strong since it is a SHA256 hash. Plus it is long (64 chars) and just random chars and numbers. Thanks for asking.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
raddevus wrote:
There are only more of them than there are stars in the universe so it's easy
Ya, I needed a challenge after I counted all the stars. :^)
There are only 10 types of people in the world, those who understand binary and those who don't.
-
No, there is no cloud with C'Ya Pass. Here's how it works. 1. You add unique site/keys to the app. That is a text-based string that will help you remember what the password is associated with. The app hashes that value. 2. You draw a pattern in the grid. The original hash is salted with the generated value from the grid of the pattern that you drew. Now, each time you select your site/key and draw your exact pattern then the unique hash is generated. Your passwords are not stored anywhere. This is the paradigm shift. They are generated every time you select the site/key and draw the pattern. Your password is cryptographically strong since it is a SHA256 hash. Plus it is long (64 chars) and just random chars and numbers. Thanks for asking.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
So it is a pattern to be drawn each time, this is fairly cool. It still requires a device with that app, which may be unavailable (ever been mugged? Or with a phone TFU?). A good 10-14 password unique to the site is more than enough. Usually my only problem is remembering if I registered as den2k or den2k88 (many site don't accept user names with less than 6 characters).
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
Just a few weeks ago a new password was rejected because it contained a
-(hex 2D). Using an underscore was OK. So, yes I noticed it (and thought WTF). Maybe the passwords has to be piped between shell commands, then passed as shell command parameters, HTML/XML encoded and decoded, and finally passed to a SQL query. To avoid escaping all the processing specific reserved characters using processing specific escaping it is just simpler to disallow them.You forgot the "signed in triplicate, sent in, sent back, queried, lost, found, subjected to public inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters" part. Sadly many sites are "managed" just like that.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
So it is a pattern to be drawn each time, this is fairly cool. It still requires a device with that app, which may be unavailable (ever been mugged? Or with a phone TFU?). A good 10-14 password unique to the site is more than enough. Usually my only problem is remembering if I registered as den2k or den2k88 (many site don't accept user names with less than 6 characters).
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
den2k88 wrote:
It still requires a device with that app, which may be unavailable
That is correct. I have it available on Windows and Android and coming soon (within a week) to iOS (iphone/ipad). Also, there is another compelling part to all of this. I've created a bluetooth device that you attach to your computer's (works on Apple, Windows and Linux) USB port. That device has a bluetooth module that you can pair with your phone, device, etc. Then, you can have the app just on your phone and press a button in C'Ya Pass app and it will type the password on your computer. I use it every day and it is so much fun. It allows you to login to the windows login from your phone or device. You can read about the initial project here at CP: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] It won 2nd prize in the IoT contest. :) Thanks again for asking.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
It's easier to crack a$&12Gc# than to crack donalduckwasmyfavcharacterasakidinnewyork.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
in that case there still is EBCDIC[^].
The language is JavaScript. that of Mordor, which I will not utter here
This is Javascript. If you put big wheels and a racing stripe on a golf cart, it's still a fucking golf cart.
"I don't know, extraterrestrial?" "You mean like from space?" "No, from Canada." If software development were a circus, we would all be the clowns. -
It's easier to crack a$&12Gc# than to crack donalduckwasmyfavcharacterasakidinnewyork.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
So it is a pattern to be drawn each time, this is fairly cool. It still requires a device with that app, which may be unavailable (ever been mugged? Or with a phone TFU?). A good 10-14 password unique to the site is more than enough. Usually my only problem is remembering if I registered as den2k or den2k88 (many site don't accept user names with less than 6 characters).
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
No security system is absolute. His password app is still vulnerable to actual theft but I have to say that it would protect you against the hordes of bot-nets working tirelessly to crack user accounts all across the net.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
-
Nish Nishant wrote:
It's easier to crack donalduckwasmyfavcharacterasakidinnewyork than to crack donalduckwasmyfavcharacterasakidinnewyork!.
FTFY ;)
There are only 10 types of people in the world, those who understand binary and those who don't.
Yeah but a day's difference won't affect something that'd take weeks or months of computational power :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
den2k88 wrote:
It still requires a device with that app, which may be unavailable
That is correct. I have it available on Windows and Android and coming soon (within a week) to iOS (iphone/ipad). Also, there is another compelling part to all of this. I've created a bluetooth device that you attach to your computer's (works on Apple, Windows and Linux) USB port. That device has a bluetooth module that you can pair with your phone, device, etc. Then, you can have the app just on your phone and press a button in C'Ya Pass app and it will type the password on your computer. I use it every day and it is so much fun. It allows you to login to the windows login from your phone or device. You can read about the initial project here at CP: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] It won 2nd prize in the IoT contest. :) Thanks again for asking.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
My main problem is that if you have to access to an account but not have a smart-thing with you or the USB thingie (which I suppose must be installed and that may be not possible if roaming or with another's machine) you are by all accouts locked out. Goodbye access to you banking site / e-mail while at work if the smartphone is unavailable due to hardware failure / in the pocket of a less-than-honest person. Especially if you work on the move, as a guest in many different companies (think of industrial equipment maintenance). The only device I rely on is my head since if it fails or is missing from the rest of the body it is evident that I have more pressing problems on my hands than a password. Also remembering a pattern isn't that easy, after months you may very easily forget which is the starting coordinate and how long is the pattern, even for a single line. It still relies on brains, plus a device. Cut the dependecies and use only the brain, it's easier and allows access under any condition which isn't physically incapacitating to the individual.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
Yeah but a day's difference won't affect something that'd take weeks or months of computational power :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Just a few weeks ago a new password was rejected because it contained a
-(hex 2D). Using an underscore was OK. So, yes I noticed it (and thought WTF). Maybe the passwords has to be piped between shell commands, then passed as shell command parameters, HTML/XML encoded and decoded, and finally passed to a SQL query. To avoid escaping all the processing specific reserved characters using processing specific escaping it is just simpler to disallow them.
