Password De-Complexity
-
dandy72 wrote:
A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.
Trivial to introduce a few upper case letters. My point was that it's more complex than had I used English only words for the same length. Also even with lower case, a 25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
Nish Nishant wrote:
25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Are you sure about that? A 25-character password * a pool of (26 possible characters) can be brute-forced in 650 tries. A 10-character password * a pool of (26 upper + 26 lower + 10 digits + ~20 symbols) require 820 tries to be guessed correctly. Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not? I'm sure the correct math will come to me after I've made a fool of myself... :-)
-
Nish Nishant wrote:
25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Are you sure about that? A 25-character password * a pool of (26 possible characters) can be brute-forced in 650 tries. A 10-character password * a pool of (26 upper + 26 lower + 10 digits + ~20 symbols) require 820 tries to be guessed correctly. Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not? I'm sure the correct math will come to me after I've made a fool of myself... :-)
dandy72 wrote:
Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?
Sorry, your math's not right :-) A char-set of 26 chars with a length of 25 gives 2.36e+35 permutations. A char-set of 82 chars with a length of 10 gives 1.37e+19 permutations. The former is way stronger :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Oh, very good point. That's ridiculous that they don't allow it. What? I use my app exclusively for my own passwords and I'm always annoyed when sites tell me that I have to use a special char, because with my app my passwords now look like: 1. cf82bb8b015707c5cef11942b88bb058d3795f4dcae551e65ea72891333a1384 2. ea50612a6d5dde56c7a826cc03317e99c2f2f5547b0bd0b5e985ac27883b8242 Those are extremely strong because they are long and not based upon words. Those silly password checkers will say they are of medium complexity. :sigh: The industry has a lot to learn.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
Best passwords ever, so easy to remember and having characters
[0-9a-f]is definitely something no hacker would try, because base-16 is so uncommon within computers. Everyone knows that h4x0rZ use base-23. -
Cool, and exactly how one does remember that password? On a device, which may be unavailable at any time? Oh right, you can put it on the "cloud", and how do you protect the access to that account? Basically a slighlty altered and less reliable folded paper with passwords in the wallet.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
You know there is an app called "Google Authenticator". It is service-to-service connected with the service for which you are authenticating and generate a new, relatively short password every minute, so you don't need to remember anything. Short-term one-time passwords (OTP) seems like good idea, but don't prevent device theft.
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
Because their programmer still needs to grasp that newfangled weirdness called "Unicode" and instead of solving that problem, they shift the problem over to you.
-
Is it "🐑.com"?
Well, maybe "🐑-🐑.com" :-O
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
-
den2k88 wrote:
It still requires a device with that app, which may be unavailable
That is correct. I have it available on Windows and Android and coming soon (within a week) to iOS (iphone/ipad). Also, there is another compelling part to all of this. I've created a bluetooth device that you attach to your computer's (works on Apple, Windows and Linux) USB port. That device has a bluetooth module that you can pair with your phone, device, etc. Then, you can have the app just on your phone and press a button in C'Ya Pass app and it will type the password on your computer. I use it every day and it is so much fun. It allows you to login to the windows login from your phone or device. You can read about the initial project here at CP: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] It won 2nd prize in the IoT contest. :) Thanks again for asking.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
Best passwords ever, so easy to remember and having characters
[0-9a-f]is definitely something no hacker would try, because base-16 is so uncommon within computers. Everyone knows that h4x0rZ use base-23.I agree. The point is a sha256 hash is a value on the order of 2^256. That's 1.1579208923731619542357098500869e+77 -1 So basically we are saying: My password is one out of the set of all 256-bit numbers. Guess it now. :) If you can guess the resultant hash or you have a algorithm that can calculate it then you pwn all computers anyway. :-D
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
It seems a good idea. I am iOS user so I didn't give a try to your app. However, I think you should add the user name to the site key. This would add some additional text to hash and it would help if someone forget it.
Thanks for checking it out. I am waiting on my Apple dev account and then you'll be able to run it from any iOS (macOS, iPhone, iPad, etc) and I hope you'll try it. You can make the site/key anything (any string of chars) you want it to be. So you can make it:
bill@ymail.comV1
superHappy15@banksite5
12345
abcde
whateverHelpsYouRememberI've kept it open so only you know your site/keys. thanks again for checking it out and for commenting.:thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
Not allowing special characters helps a little bit with all of the rules in the linked article. The article is about XSS only. Then there could be SQL injections, command line injections, etc. on top of this. For maintainability due to XSS, if one developer encodes something in the context of an HTML attribute, and then another developer refactors it and moves the same information into a hidden HTML element or a javascript code block, the second developer better update all of the different encoding rules! This applies to both server and client side code dealing with the data. XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP[^]
-
Thanks for checking it out. I am waiting on my Apple dev account and then you'll be able to run it from any iOS (macOS, iPhone, iPad, etc) and I hope you'll try it. You can make the site/key anything (any string of chars) you want it to be. So you can make it:
bill@ymail.comV1
superHappy15@banksite5
12345
abcde
whateverHelpsYouRememberI've kept it open so only you know your site/keys. thanks again for checking it out and for commenting.:thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
I agree. The point is a sha256 hash is a value on the order of 2^256. That's 1.1579208923731619542357098500869e+77 -1 So basically we are saying: My password is one out of the set of all 256-bit numbers. Guess it now. :) If you can guess the resultant hash or you have a algorithm that can calculate it then you pwn all computers anyway. :-D
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
Each digest is created by adding 65 bytes, 64 digits = 512 bytes which is exactly the length of single-iteration digest, this means this has two iterations, therefore a shorter string exists that could generate exactly the same hash as the one that is hashed by your passwords. Not that it could be guessed in seconds/hours/days/years, but it is not as difficult as this calculation. Basically anything beyond 447 bits does not increase the difficulty.
-
dandy72 wrote:
Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?
Sorry, your math's not right :-) A char-set of 26 chars with a length of 25 gives 2.36e+35 permutations. A char-set of 82 chars with a length of 10 gives 1.37e+19 permutations. The former is way stronger :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Nish Nishant wrote:
Sorry, your math's not right :)
Hence the disclaimer. :-) I knew I was way off, and somebody would correct me. Was not disappointed.
To get back to my original point, what I am trying to convey here is that a longer easier to remember password is often safer than a shorter harder to remember one. That said, it's not all black and white. :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
To get back to my original point, what I am trying to convey here is that a longer easier to remember password is often safer than a shorter harder to remember one. That said, it's not all black and white. :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Each digest is created by adding 65 bytes, 64 digits = 512 bytes which is exactly the length of single-iteration digest, this means this has two iterations, therefore a shorter string exists that could generate exactly the same hash as the one that is hashed by your passwords. Not that it could be guessed in seconds/hours/days/years, but it is not as difficult as this calculation. Basically anything beyond 447 bits does not increase the difficulty.
Plamen Dragiyski wrote:
but it is not as difficult as this calculation.
I agree with you. I was basically summarizing for brevity and generalizing for analogy in order to explain it without all the details. Thanks for adding to the conversation. Always like to think about how to make these things more clear and more correctly explained. :thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
using gesture or swipe input on mobiles, too hard to do some of the specials
Sin tack ear lol Pressing the "Any" key may be continuate
That just means you're not using the right keyboard[^] :-\
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
raddevus wrote:
Those silly password checkers will say they are of medium complexity.
Ya, sure. I was only off by one character when I tried to guess your password. :laugh:
There are only 10 types of people in the world, those who understand binary and those who don't.
Off by one character, in EVERY character position :-)
-
That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
But we still use it on our corporate iPads now that a lock code is enforced as accessibility is more important than security for demo apps.
-
I've noticed with several sites I have an account with that they no longer allow special characters in passwords. That seems like a move in the wrong direction. Special characters allow passwords to be more complex so I wonder why some are making this change. Has anyone else noticed this?
There are only 10 types of people in the world, those who understand binary and those who don't.
