Code Project
Password De-Complexity

The Lounge
Tags: algorithms, question
88 Posts 29 Posters 0 Views 1 Watching
  • N Nish Nishant

    When IT policy forces people to change their passwords every 60 days, no wonder they can't remember them :-)

    Regards, Nish


    Website: www.voidnish.com Blog: voidnish.wordpress.com

    Foothill
    wrote on last edited by
    #60

    Ah, security taken to the point of absurdity. I can see it now.... Next week our company is moving to ten-factor authentication. Upon login, you will need to provide a password (1). Then you will receive an email with a link to a website (2) on which you will provide your telephone number (3). If the telephone number provided is on record, you will receive a passcode (4) via text message. After correctly entering the passcode on the original login splash screen, the system will provide you a unique ten-digit key (5) which you will need to complete your authentication process. Do not write down the ten-digit key. Go to the bio-metric authentication closet. Enter your ten-digit key on the key-pad. The bio-metric closet will open to let you in. Once inside the closet, you will need to use the scanners to provide your fingerprints (6), retina scan (7), plus a blood (8) and stool sample (9). Once you have completed the process and have been successfully authenticated, the system will provide you a unique, one-time-use, 22-character passcode (10) that will allow you to login to your computer. Do not write the passcode down, and the passcode will also expire after 120 seconds. If you fail to login to your station before the temporary passcode expires, you will have to repeat the process. Then the CIO will brag that he has the most secure network in the world.

    if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016

    1 Reply Last reply
    0
    • F Forogar

      Sounds great. When will you have it ready for my Blackberry and my PC (with no touch interface on the latter - can I draw the pattern with my mouse)?

      - I would love to change the world, but they won’t give me the source code.

      raddevus
      wrote on last edited by
      #61

      Forogar wrote:

      PC (with no touch interface on the latter - can I draw the pattern with my mouse)?

      Yes, PC is available right now at: C'YaPass: F*orget All Your Passwords | Get C'YaPass[^] You can draw with the mouse. My laptop has a touch screen and it works that way too. Blackberry on the other hand....probably not going to happen. :)

      My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

      1 Reply Last reply
      0
      • D den2k88

        I appreciate your answers, and you designed both the device and the software very well. So it attaches like a keyboard, nice... evil ideas cross my mind (not regarding your device but the possible use of this information :D).

        DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++*      Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani

        raddevus
        wrote on last edited by
        #62

        den2k88 wrote:

        I appreciate your answers, and you designed both the device and the software very well.

        You just made my day. :thumbsup::thumbsup::thumbsup:

        den2k88 wrote:

        evil ideas cross my mind (not regardin your device but the possible use of this information

        I know. I have been contemplating this. With a little code on the device, which is very easy to write, I can connect the device to your computer and then send a code over Bluetooth from my phone that runs a command while you are logged on. Since the thing is just a keyboard it will type the command on your screen. So imagine if I distracted you and pushed a button on my phone, and your computer suddenly typed a bunch of commands. Could be a cool practical joke. :) But, let's keep this between ourselves. And oh, that device can move the mouse too. :-\

        My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

        1 Reply Last reply
        0
        • Z ZurdoDev

          raddevus wrote:

          more difficult to remember for users.

          That's fine. So, don't make it required. My problem is they are preventing you from using a special character.

          There are only 10 types of people in the world, those who understand binary and those who don't.

          dandy72
          wrote on last edited by
          #63

          So, take the password you wanna use, including the special characters, then base64-encode the whole string. Bam, there's the password you should use on those sites. Problem solved. Wait, what?

          1 Reply Last reply
          0
          • N Nish Nishant

            People who are multi-lingual have an advantage - they can create cryptically complex passwords that they can easily remember by mixing languages. Example: thendralbaarishseason. I've mixed a Tamil word, a Hindi word, and an English word there. What's gibberish to most mono-lingual people is a very easy-to-remember word for me (I speak 4 languages). :-)

            Regards, Nish


            Website: www.voidnish.com Blog: voidnish.wordpress.com

            dandy72
            wrote on last edited by
            #64

            A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.

            N 1 Reply Last reply
            0
            • D dandy72

              A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.

              Nish Nishant
              wrote on last edited by
              #65

              dandy72 wrote:

              A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.

              Trivial to introduce a few upper case letters. My point was that it's more complex than had I used English-only words for the same length. Also, even with lower case, a 25-character string is harder to crack than a 10-char password that uses both cases, numbers, and symbols.

              Regards, Nish


              Website: www.voidnish.com Blog: voidnish.wordpress.com

              D 1 Reply Last reply
              0
              • OriginalGriffO OriginalGriff

                And a couple I've noticed that won't allow a hyphen in an email address... :sigh: No prizes for guessing which "special character" is in my domain name?

                Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...

                Kyle Moyer
                wrote on last edited by
                #66

                Is it "🐑.com"?

                OriginalGriffO 1 Reply Last reply
                0
                • N Nish Nishant

                  dandy72 wrote:

                  A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.

                  Trivial to introduce a few upper case letters. My point was that it's more complex than had I used English-only words for the same length. Also, even with lower case, a 25-character string is harder to crack than a 10-char password that uses both cases, numbers, and symbols.

                  Regards, Nish


                  Website: www.voidnish.com Blog: voidnish.wordpress.com

                  dandy72
                  wrote on last edited by
                  #67

                  Nish Nishant wrote:

                  25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.

                  Are you sure about that? A 25-character password * a pool of (26 possible characters) can be brute-forced in 650 tries. A 10-character password * a pool of (26 upper + 26 lower + 10 digits + ~20 symbols) requires 820 tries to be guessed correctly. Having written this...I'm tired and my mind turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not? I'm sure the correct math will come to me after I've made a fool of myself... :-)

                  N 1 Reply Last reply
                  0
                  • D dandy72

                    Nish Nishant wrote:

                    25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.

                    Are you sure about that? A 25-character password * a pool of (26 possible characters) can be brute-forced in 650 tries. A 10-character password * a pool of (26 upper + 26 lower + 10 digits + ~20 symbols) requires 820 tries to be guessed correctly. Having written this...I'm tired and my mind turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not? I'm sure the correct math will come to me after I've made a fool of myself... :-)

                    Nish Nishant
                    wrote on last edited by
                    #68

                    dandy72 wrote:

                    Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?

                    Sorry, your math's not right :-) A char-set of 26 chars with a length of 25 gives 2.36e+35 permutations. A char-set of 82 chars with a length of 10 gives 1.37e+19 permutations. The former is way stronger :-)

                    Regards, Nish


                    Website: www.voidnish.com Blog: voidnish.wordpress.com

                    D 1 Reply Last reply
                    0
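The keyspace arithmetic in this exchange, worked through as an added example (my code, not from any poster): it computes the two candidate counts Nish quotes, converts them to bits, and adds the caveat a mixed-language passphrase invites, namely that an attacker who models the secret as words drawn from a dictionary rather than as random letters sees far fewer bits. The guess rates and the 150,000-word dictionary size are constructed assumptions, not figures from the thread.

```python
import math

# Constructed assumptions (not figures from the thread): guess rates for an
# online, rate-limited login versus an offline attack on a leaked fast hash.
GUESS_RATES = {
    "online, rate-limited": 10.0,          # guesses per second
    "offline, fast unsalted hash": 1e10,   # guesses per second
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' for a uniformly random string."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Strength when the attacker models the secret as words, not characters."""
    return word_count * math.log2(dictionary_size)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret: half the space on average."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def thread_comparison() -> dict:
    """The two cases argued in the thread: 26 lowercase letters x 25 vs 82 symbols x 10."""
    return {
        "26^25": {"keyspace": keyspace(26, 25), "bits": entropy_bits(26, 25)},
        "82^10": {"keyspace": keyspace(82, 10), "bits": entropy_bits(82, 10)},
    }


def passphrase_comparison(word_count: int = 3, chars: int = 21,
                          dictionary_size: int = 150_000) -> dict:
    """A three-word passphrase of 21 lowercase letters, scored two ways.
    dictionary_size is a constructed assumption: the union of the attacker's word lists."""
    return {
        "as random letters": entropy_bits(26, chars),
        "as dictionary words": passphrase_bits(word_count, dictionary_size),
    }


if __name__ == "__main__":
    for label, case in thread_comparison().items():
        print(f"{label}: {case['keyspace']:.2e} candidates, {case['bits']:.1f} bits")
        for rate_label, rate in GUESS_RATES.items():
            print(f"   {rate_label}: ~{expected_years(case['bits'], rate):.3g} years")
    for label, bits in passphrase_comparison().items():
        print(f"21-letter, 3-word passphrase {label}: {bits:.1f} bits")
```

The point the numbers make: 26^25 is about 117 bits and 82^10 about 64 bits, so Nish is right for random strings; but the moment the letters are dictionary words, the honest score is the word-based one, which is why length limits and character-class rules are a poor proxy for strength.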
                    • R raddevus

                      Oh, very good point. That's ridiculous that they don't allow it. What? I use my app exclusively for my own passwords and I'm always annoyed when sites tell me that I have to use a special char, because with my app my passwords now look like:

                      1. cf82bb8b015707c5cef11942b88bb058d3795f4dcae551e65ea72891333a1384
                      2. ea50612a6d5dde56c7a826cc03317e99c2f2f5547b0bd0b5e985ac27883b8242

                      Those are extremely strong because they are long and not based upon words. Those silly password checkers will say they are of medium complexity. :sigh: The industry has a lot to learn.

                      My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

                      Plamen Dragiyski
                      wrote on last edited by
                      #69

                      Best passwords ever, so easy to remember and having characters [0-9a-f] is definitely something no hacker would try, because base-16 is so uncommon within computers. Everyone knows that h4x0rZ use base-23.

                      R 1 Reply Last reply
                      0
                      • D den2k88

                        Cool, and exactly how does one remember that password? On a device, which may be unavailable at any time? Oh right, you can put it on the "cloud", and how do you protect the access to that account? Basically a slightly altered and less reliable folded paper with passwords in the wallet.

                        DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++*      Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani

                        Plamen Dragiyski
                        wrote on last edited by
                        #70

                        You know there is an app called "Google Authenticator". It is service-to-service connected with the service for which you are authenticating and generates a new, relatively short password every minute, so you don't need to remember anything. Short-term one-time passwords (OTP) seem like a good idea, but don't prevent device theft.

                        1 Reply Last reply
                        0
                        • Z ZurdoDev

                          I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?

                          There are only 10 types of people in the world, those who understand binary and those who don't.

                          Kirill Illenseer
                          wrote on last edited by
                          #71

                          Because their programmer still needs to grasp that newfangled weirdness called "Unicode" and instead of solving that problem, they shift the problem over to you.

                          1 Reply Last reply
                          0
                          • K Kyle Moyer

                            Is it "🐑.com"?

                            OriginalGriff
                            wrote on last edited by
                            #72

                            Well, maybe "🐑-🐑.com" :-O

                            Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...

                            "I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
                            "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt

                            1 Reply Last reply
                            0
                            • R raddevus

                              den2k88 wrote:

                              It still requires a device with that app, which may be unavailable

                              That is correct. I have it available on Windows and Android and coming soon (within a week) to iOS (iPhone/iPad). Also, there is another compelling part to all of this. I've created a Bluetooth device that you attach to your computer's USB port (works on Apple, Windows and Linux). That device has a Bluetooth module that you can pair with your phone, device, etc. Then, you can have the app just on your phone and press a button in the C'Ya Pass app and it will type the password on your computer. I use it every day and it is so much fun. It allows you to login to the Windows login from your phone or device. You can read about the initial project here at CP: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] It won 2nd prize in the IoT contest. :) Thanks again for asking.

                              My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

                              pth14
                              wrote on last edited by
                              #73

                              It seems a good idea. I am an iOS user so I didn't give your app a try. However, I think you should add the user name to the site key. This would add some additional text to hash and it would help if someone forgets it.

                              R 1 Reply Last reply
                              0
                              • P Plamen Dragiyski

                                Best passwords ever, so easy to remember and having characters [0-9a-f] is definitely something no hacker would try, because base-16 is so uncommon within computers. Everyone knows that h4x0rZ use base-23.

                                raddevus
                                wrote on last edited by
                                #74

                                I agree. The point is a sha256 hash is a value on the order of 2^256. That's 1.1579208923731619542357098500869e+77 - 1. So basically we are saying: My password is one out of the set of all 256-bit numbers. Guess it now. :) If you can guess the resultant hash or you have an algorithm that can calculate it then you pwn all computers anyway. :-D

                                My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

                                P 1 Reply Last reply
                                0
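The hash-as-password scheme described here, as an added Python example (not the C'YaPass app's code; the app's exact inputs and separators are not shown in the thread, so those are assumptions): the derived password is hex(SHA-256) of a secret, an optional username as pth14 suggests, and the site key. It also scores the result the way an auditor would: the output is 256 bits of strength only if the secret itself carries 256 bits, and a site that caps passwords at 16 characters keeps 64 of them. The sample inputs are constructed.

```python
import hashlib
import unicodedata
from typing import Optional

HEX_BITS_PER_CHAR = 4
DIGEST_BITS = 256


def derive_password(secret: str, site_key: str, username: str = "",
                    max_len: Optional[int] = None) -> str:
    """Derive a site password as hex(SHA-256(secret, username, site_key)).

    Inputs are NFC-normalised so a mixed-language passphrase typed on two
    platforms hashes the same way; a NUL separator keeps ("ab","c") and
    ("a","bc") from producing identical material (assumed design, not the
    app's). max_len models a site that caps password length."""
    parts = (unicodedata.normalize("NFC", s) for s in (secret, username, site_key))
    material = "\x00".join(parts).encode("utf-8")
    digest = hashlib.sha256(material).hexdigest()
    return digest if max_len is None else digest[:max_len]


def effective_bits(secret_bits: float, max_len: Optional[int] = None) -> float:
    """Strength of the derived password is the weakest link: the entropy of
    the secret, the 256-bit digest, or whatever a site's length cap leaves."""
    output_bits = DIGEST_BITS if max_len is None else HEX_BITS_PER_CHAR * max_len
    return min(secret_bits, DIGEST_BITS, output_bits)


def hex_bit_difference(a: str, b: str) -> int:
    """Hamming distance between two equal-length hex strings."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def demo() -> dict:
    # Constructed sample inputs (not real credentials).
    secret = "thendralbaarishseason"
    user = "bill@ymail.com"
    pw_bank = derive_password(secret, "banksite5", user)
    pw_mail = derive_password(secret, "ymail", user)
    return {
        "bank": pw_bank,
        "mail": pw_mail,
        # Unrelated outputs per site: one site's breach says nothing about another.
        "bits_changed_between_sites": hex_bit_difference(pw_bank, pw_mail),
        "bank_capped_to_16": derive_password(secret, "banksite5", user, max_len=16),
        # 21 random lowercase letters would be ~98.7 bits; a site cap of 16 hex chars leaves 64.
        "effective_bits_full": effective_bits(secret_bits=98.7),
        "effective_bits_capped_16": effective_bits(secret_bits=98.7, max_len=16),
        # A '12345'-class secret (~17 bits) yields a 64-hex-char password worth ~17 bits.
        "effective_bits_weak_secret": effective_bits(secret_bits=17.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 64 hex characters look like 256 bits to a password meter, which is why the meters in the thread get it wrong in both directions: they over-score a hash of a weak secret and under-score a long random string for lacking symbols.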
                                • P pth14

                                  It seems a good idea. I am an iOS user so I didn't give your app a try. However, I think you should add the user name to the site key. This would add some additional text to hash and it would help if someone forgets it.

                                  raddevus
                                  wrote on last edited by
                                  #75

                                  Thanks for checking it out. I am waiting on my Apple dev account and then you'll be able to run it from any iOS (macOS, iPhone, iPad, etc) and I hope you'll try it. You can make the site/key anything (any string of chars) you want it to be. So you can make it:

                                  bill@ymail.comV1
                                  superHappy15@banksite5
                                  12345
                                  abcde
                                  whateverHelpsYouRemember

                                  I've kept it open so only you know your site/keys. Thanks again for checking it out and for commenting. :thumbsup:

                                  My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

                                  P 1 Reply Last reply
                                  0
                                  • Z ZurdoDev

                                    I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?

                                    There are only 10 types of people in the world, those who understand binary and those who don't.

                                    englebart
                                    wrote on last edited by
                                    #76

                                    Not allowing special characters helps a little bit with all of the rules in the linked article. The article is about XSS only. Then there could be SQL injections, command line injections, etc. on top of this. For maintainability due to XSS, if one developer encodes something in the context of an HTML attribute, and then another developer refactors it and moves the same information into a hidden HTML element or a JavaScript code block, the second developer better update all of the different encoding rules! This applies to both server and client side code dealing with the data. XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP[^]

                                    1 Reply Last reply
                                    0
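Per-context output encoding, as an added example of the point englebart makes (my code, not from the OWASP cheat sheet): the same value needs a different encoder in an HTML attribute than in a JavaScript string literal, and each rendered fragment can be checked against a simple invariant so a refactor that moves data between contexts is caught. The sample value is constructed; it uses exactly the characters the sites in this thread reject.

```python
import html
import json


def encode_for_html(value: str) -> str:
    """Text or double-quoted attribute context: entity-encode & < > " and '."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context: a JSON literal, with < > & additionally
    escaped as \\uXXXX so the literal can never spell '</script>' or '<!--'."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_attribute(name: str, value: str) -> str:
    """value goes inside a double-quoted HTML attribute."""
    return f'{name}="{encode_for_html(value)}"'


def render_script_var(name: str, value: str) -> str:
    """value goes inside an inline script block as a string literal."""
    return f"var {name} = {encode_for_js_string(value)};"


def safe_for_quoted_attribute(encoded: str) -> bool:
    """Invariant a reviewer can check: no raw quote or angle bracket survives."""
    return not any(ch in encoded for ch in '"<>')


def safe_for_script_block(encoded: str) -> bool:
    """Invariant: nothing that could close the script element or open a comment."""
    return "<" not in encoded and ">" not in encoded


def demo() -> dict:
    # Constructed sample: a password-like value built from the characters sites reject.
    value = 'p@ss"<word>&\'s'
    return {
        "attribute": render_attribute("value", value),
        "script": render_script_var("pw", value),
        "html_encoder_in_attribute_ok": safe_for_quoted_attribute(encode_for_html(value)),
        # The JS encoder leaves a raw " (as \") which would end an HTML attribute:
        # the wrong encoder for the context fails the invariant.
        "js_encoder_in_attribute_ok": safe_for_quoted_attribute(encode_for_js_string(value)),
        "js_encoder_in_script_ok": safe_for_script_block(encode_for_js_string(value)),
        # The browser's JSON/JS parser gives the original value back unchanged,
        # so the user keeps their special characters; nothing had to be rejected.
        "roundtrip_preserves_value": json.loads(encode_for_js_string(value)) == value,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The round-trip check is the answer to the original question in the thread: correct output encoding lets any character through safely, so banning special characters at the password field is a sign the encoding was never done per context.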
                                    • R raddevus

                                      Thanks for checking it out. I am waiting on my Apple dev account and then you'll be able to run it from any iOS (macOS, iPhone, iPad, etc) and I hope you'll try it. You can make the site/key anything (any string of chars) you want it to be. So you can make it:

                                      bill@ymail.comV1
                                      superHappy15@banksite5
                                      12345
                                      abcde
                                      whateverHelpsYouRemember

                                      I've kept it open so only you know your site/keys. Thanks again for checking it out and for commenting. :thumbsup:

                                      My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

                                      pth14
                                      wrote on last edited by
                                      #77

                                      OK it makes sense. Thank you for the feedback.

                                      1 Reply Last reply
                                      0
                                      • R raddevus

                                        I agree. The point is a sha256 hash is a value on the order of 2^256. That's 1.1579208923731619542357098500869e+77 - 1. So basically we are saying: My password is one out of the set of all 256-bit numbers. Guess it now. :) If you can guess the resultant hash or you have an algorithm that can calculate it then you pwn all computers anyway. :-D

                                        My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.

                                        Plamen Dragiyski
                                        wrote on last edited by
                                        #78

                                        Each digest is created by adding 65 bytes; 64 digits = 512 bytes, which is exactly the length of a single-iteration digest. This means this has two iterations, therefore a shorter string exists that could generate exactly the same hash as the one that is hashed by your passwords. Not that it could be guessed in seconds/hours/days/years, but it is not as difficult as this calculation. Basically anything beyond 447 bits does not increase the difficulty.

                                        R 1 Reply Last reply
                                        0
                                        • N Nish Nishant

                                          dandy72 wrote:

                                          Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?

                                          Sorry, your math's not right :-) A char-set of 26 chars with a length of 25 gives 2.36e+35 permutations. A char-set of 82 chars with a length of 10 gives 1.37e+19 permutations. The former is way stronger :-)

                                          Regards, Nish


                                          Website: www.voidnish.com Blog: voidnish.wordpress.com

                                          dandy72
                                          wrote on last edited by
                                          #79

                                          Nish Nishant wrote:

                                          Sorry, your math's not right :)

                                          Hence the disclaimer. :-) I knew I was way off, and somebody would correct me. Was not disappointed.

                                          N 1 Reply Last reply
                                          0