
Main Area and Open Discussion > General Software Discussion

Instantly Increasing Password Strength


f0dder:
WeRntf,Y3t!

Easy to Remember (for me), and I'd wager quite difficult to guess, even for the table.-Stoic Joker (February 23, 2011, 06:05 PM)
--- End quote ---
Good question - a quick google does suggest that the easy-to-find publicly available tables don't even reach 10 characters for the larger character sets, and those tables are already huge and take a while to generate. But do keep in mind that criminals have access to very large botnets, and people have started renting Amazon EC2 servers (including GPU acceleration) for nefarious deeds. I definitely wouldn't feel too safe with a passphrase lower than 10 characters with a large character set.

And it does seem it takes a while (for a single box) to process passphrases, even with rainbow tables - but anybody serious enough to have serious tables is going to have more than a single box available.

Besides even if you do manage to memorize a 8,000 character password ... If they really want you specifically, that badly ... Well, the term Rubber-Hose Cryptography comes to mind...-Stoic Joker (February 23, 2011, 06:05 PM)
--- End quote ---
Indeed, and that's one of my favorite XKCDs. You have to balance your security based on who's likely to try to attack you. I protect my digital signature / online-banking stuff with longer passphrases than forum logins, simply because attackers would be more interested in spending energy on something they can have real financial gain from.

That said, access to a forum or other account can be valuable as well - interesting information can sometimes be gathered from such access, either directly or through social engineering. And if the user has used the same passphrase in multiple locations, well...
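The post above argues from keyspace size: a password drawn from a large character set and at least 10 characters long is out of reach of the public rainbow tables, but a GPU-equipped attacker still needs to be accounted for. The following is an added example, not code from the original thread, that turns that reasoning into a check: it works out which character classes a password uses, the size of the smallest standard alphabet covering them, the resulting brute-force keyspace in bits, and how long exhausting it would take at an assumed guess rate. The class sizes (26/26/10/33) and the 10^9 guesses-per-second figure used in the demo are assumptions for illustration, not measurements.

```python
import math
import string

# Character classes an attacker has to include once they know (or assume)
# the password uses them. Sizes follow the usual rainbow-table / mask
# convention: lowercase, uppercase, digits, and the 33 printable ASCII
# symbols including space. These sizes are an assumption for illustration.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
_ALL_ASCII = set().union(*CLASSES.values())


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    used = set(password)
    if not used <= _ALL_ASCII:
        raise ValueError("non-ASCII character; alphabet size not modelled here")
    return sum(len(members) for members in CLASSES.values() if used & members)


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace an attacker must cover to exhaust every password
    of this length over this alphabet. This is an UPPER bound on strength:
    dictionary, rule and mask attacks that exploit structure (a mnemonic
    such as 'We aren't ... yet!') do far better than exhaustive search."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole keyspace at a given guess rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second


def report(password: str, guesses_per_second: float) -> dict:
    """Summary a practitioner can compare against an attacker model."""
    secs = seconds_to_exhaust(password, guesses_per_second)
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(brute_force_bits(password), 1),
        "years_to_exhaust": secs / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    # Assumed rate: roughly one GPU against a fast unsalted hash (illustrative).
    RATE = 1e9
    for pw in ("WeRntf,Y3t!", "Passw0rd", "abcdefgh"):
        print(pw, report(pw, RATE))
```

The numbers are only meaningful relative to an attacker model: the same 72-bit keyspace is hopeless against a single machine and merely expensive against a botnet or a rack of rented GPU instances, and the estimate says nothing about how guessable the password is to a dictionary attack, which is the far more common case.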

40hz:
FYI: a reliable and safe source for true random strings is www.random.org-40hz (February 23, 2011, 05:10 PM)
--- End quote ---

I really wanted to make a joke here about random.org's satirical sister site - noentropy.net, but unfortunately it's offline.

It used to just return a string of 1's.
-Eóin (February 23, 2011, 06:19 PM)
--- End quote ---

Shouldn't be hard to redo and host here.  :P

So simple even I could probably code it.;D

Let's ask Mouser...

(Kidding...just kidding  :mrgreen:)

Stoic Joker:
WeRntf,Y3t!

Easy to Remember (for me), and I'd wager quite difficult to guess, even for the table.-Stoic Joker (February 23, 2011, 06:05 PM)
--- End quote ---
Good question - a quick google does suggest that the easy-to-find publicly available tables don't even reach 10 characters for the larger character sets, and those tables are already huge and take a while to generate. But do keep in mind that criminals have access to very large botnets, and people have started renting Amazon EC2 servers (including GPU acceleration) for nefarious deeds. I definitely wouldn't feel too safe with a passphrase lower than 10 characters with a large character set.

And it does seem it takes a while (for a single box) to process passphrases, even with rainbow tables - but anybody serious enough to have serious tables is going to have more than a single box available.-f0dder (February 23, 2011, 06:25 PM)
--- End quote ---

Quite true, but what are they really after? HBGary was completely torched in less than 24 hours. So there is an obvious time requirement involved. In their case the Low-Hanging-Fruit was also pay dirt ... So there was really no point in continuing. The object is to get as many of the accounts as possible, in the shortest time possible. So it is not really required to outrun the bear, just the rest of the hunting party... :)

Besides even if you do manage to memorize a 8,000 character password ... If they really want you specifically, that badly ... Well, the term Rubber-Hose Cryptography comes to mind...-Stoic Joker (February 23, 2011, 06:05 PM)
--- End quote ---
Indeed, and that's one of my favorite XKCDs. You have to balance your security based on who's likely to try to attack you. I protect my digital signature / online-banking stuff with longer passphrases than forum logins, simply because attackers would be more interested in spending energy on something they can have real financial gain from.

That said, access to a forum or other account can be valuable as well - interesting information can sometimes be gathered from such access, either directly or through social engineering. And if the user has used the same passphrase in multiple locations, well...-f0dder (February 23, 2011, 06:25 PM)
--- End quote ---

Guilty as charged ... I stole the line from you.  :D

And password reuse is definitely to be avoided, usually by using fsekrit.

Eóin:
Hmmm the .org domain was available, so I just bought it. Damn impulse buying  :-[

Guess I better setup some sort of a tribute site now.

NigelH:
Of course, the downfall of generated passwords or passphrases is generally the requirement to store them somewhere.
I've long favored using a key plus a passphrase to generate the password.

I often use a tool called keymaker (keymaker20 was the last release) but I'm not sure of a reliable site to download it from.
However, a quick search turns up  passkool
Python based, so is somewhat more flexible than keymaker (Windows based)
Bears further investigation...

Aha, I see Barney referred to Keymaker here Registrations on Websites
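NigelH's approach, a secret key plus a per-site passphrase fed to a generator so that nothing has to be stored, is easy to build from standard primitives. The following is an added example and is not the code of keymaker, passkool or any tool mentioned in the thread. It assumes the secret is a strong master passphrase, the per-site input is something memorable such as the domain name, and a generation counter is mixed in so one site's password can be rotated without touching the others. PBKDF2-HMAC-SHA256 with an assumed 200,000 iterations, the 75-character alphabet and the 16-character default are all choices made for illustration.

```python
import hashlib
import string

# Output alphabet: letters, digits and a symbol set most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 chars
ITERATIONS = 200_000   # assumed; raise as hardware allows


def derive_site_password(master_passphrase: str, site_key: str,
                         length: int = 16, generation: int = 1) -> str:
    """Deterministically derive a per-site password.

    Same inputs always give the same password, so nothing is stored; a
    different site_key or generation gives an unrelated password, so a
    breach at one site does not expose the others. The master passphrase
    is the only secret: PBKDF2 slows an offline guess at it from one
    recovered site password, but cannot rescue a weak master.
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    if not master_passphrase:
        raise ValueError("master passphrase must not be empty")
    # The site key and generation act as the salt; NUL keeps them from
    # colliding with each other (domain names cannot contain NUL).
    salt = f"{site_key}\x00{generation}".encode("utf-8")
    # Ask for 4x the bytes we need so rejection sampling below never runs dry.
    raw = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                              salt, ITERATIONS, dklen=length * 4)
    # Rejection sampling: a plain byte % 75 would favour the first 31 symbols.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    for b in raw:
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    if len(out) < length:   # practically unreachable with 4x oversampling
        raise RuntimeError("not enough unbiased bytes; increase dklen")
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed demo value
    for site in ("donationcoder.com", "example.org"):
        print(site, derive_site_password(master, site))
    print("rotated", derive_site_password(master, "donationcoder.com", generation=2))
```

The trade-off NigelH hints at still applies: the whole scheme rests on the master passphrase, and anyone who obtains one derived password together with the domain can attack the master offline, so it should be long enough that the iteration count makes that attack uneconomic, and changing it means regenerating every site password.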
