Instantly Increasing Password Strength

[Renegade]

I was reading on how HBGary got raped, and about their passwords, etc.

It occurred to me that a VERY simple way to increase security for those that like to use the same password or use pass-phrases would be to simply double them. e.g.:

Password: mypassword

New doubled:
* mypasswordmypassword
* mmyyppaasswwoorrdd

It's pretty much trivial, and adds virtually nothing in terms of complexity for remembering.

Personally, I like pass-phrases as they are easy to remember. e.g.

inthebeginningtherewasme

23 characters and pretty easy to remember. Sprinkle with caps or numbers, e.g.:

Ilike2moveitmoveit

Not bad, but doubling up really takes it to a new level.

In related news, since broadband speed is related to the effectiveness of brute force attacks, Korea is going to have 1 Gbps Internet connections in 2012.

1 Gbps. Residential. At home.

Goodbye to network speeds being a limiting factor in security!

[f0dder]

I dunno how much that "doubling" strategy helps - if somebody has precomputed a rainbow table with enough digits, it doesn't help you at all. I'd feel a lot more confident with a 12-character passphrase with "enough" uncommon chars than a 20-character alphanumeric passphrase.

In related news, since broadband speed is related to the effectiveness of brute force attacks, Korea is going to have 1 Gbps Internet connections in 2012.

Yes and no. Anybody with half a clue are going to rate-limit the connection attempts, and fire warning signals if more than a few invalid attempts are tried for a single account. The only place I see where connection speed is useful wrt. brute-force attacks are when using cryptographic oracle exploits, like what has been done against Rails, JSP, ASP.Net et cetera.

Password brute-forces are done when you've successfully exploited a site and have grabbed the password database, and internet speed is pretty irrelevant there

[Renegade]

I dunno how much that "doubling" strategy helps - if somebody has precomputed a rainbow table with enough digits, it doesn't help you at all. I'd feel a lot more confident with a 12-character passphrase with "enough" uncommon chars than a 20-character alphanumeric passphrase.

In related news, since broadband speed is related to the effectiveness of brute force attacks, Korea is going to have 1 Gbps Internet connections in 2012.

Yes and no. Anybody with half a clue are going to rate-limit the connection attempts, and fire warning signals if more than a few invalid attempts are tried for a single account. The only place I see where connection speed is useful wrt. brute-force attacks are when using cryptographic oracle exploits, like what has been done against Rails, JSP, ASP.Net et cetera.

Password brute-forces are done when you've successfully exploited a site and have grabbed the password database, and internet speed is pretty irrelevant there

-f0dder (February 23, 2011, 10:10 AM)

Good points.

But it will still help against a rainbow attack. You need to have at least double the storage then. There's really no difference between "J8Jh&hJi(" and any other 10 character password that includes lower, upper and symbols. But there is a difference between that and doubling it. Even with a rainbow attack.

Bed time for me.

Night~!

[40hz]

Many capable crack tools include multilanguage dictionaries and "quick parsers." Once their dictionary heuristic determines you're primarily using "real" words, they've got you regardless of passphrase string length. Most have tables of common word pairs and combos which can reduce the time to crack even more.

Swapping out lookalike numbers and punctuation is a well known "trick" which does little other than slow a cracker tool down a bit. And at today's CPU clock speeds, it doesn't amount to much of a delay.

If you really want secure, the only known way is a very long and genuinely random key.

Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.

The real trick is to find the sweet spot where the convenience gained balances acceptably against the degree of security sacrificed. This can only be determined by knowing how secure you really need to be; and having a realistic idea of exactly how much of a threat you're up against.

For individuals, most only need to worry about the malicious. Genuine cybercriminals rarely bother targeting individuals unless they're involved with an institution or business they're trying to hack. And in those cases, they're only hoping to score unsecured data (password lists, login information, IT security memos, phone lists, etc.) that will aid them in cracking their real target.

Why bother hacking one person's PC for their bank accounts when you can crack the bank itself and gain access to all of them?
 

[Eóin]

Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.

-40hz (February 23, 2011, 10:58 AM)

Exactly, any rule or technique you develop only doubles the attackers work/rainbow table, ie they test their search space once with the rule, and once without. So they simply use two computers instead of one.

Actually doubling the length of a truely random password instead squares the search space, which is a massive increase.

[40hz]

FYI: a reliable and safe source for true random strings is www.random.org

What's this fuss about true randomness?

Perhaps you have wondered how predictable machines like computers can generate randomness. In reality, most random numbers used in computer programs are pseudo-random, which means they are a generated in a predictable fashion using a mathematical formula. This is fine for many purposes, but it may not be random in the way you expect if you're used to dice rolls and lottery drawings.

RANDOM.ORG offers true random numbers to anyone on the Internet. The randomness comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs. People use RANDOM.ORG for holding drawings, lotteries and sweepstakes, to drive games and gambling sites, for scientific applications and for art and music. The service has existed since 1998 and was built and is being operated by Mads Haahr of the School of Computer Science and Statistics at Trinity College, Dublin in Ireland.

As of today, RANDOM.ORG has generated 935.5 billion random bits for the Internet community.

They offer some very useful free services:

Lists and Strings and Maps, Oh My!

• List Randomizer will randomize a list of anything you have (names, phone numbers, etc.)
• String Generator makes random alphanumeric strings
• Password Generator makes secure passwords for your Wi-Fi or that extra Gmail account
• iGoogle Password Generator is a handy tool for your iGoogle desktop
• Clock Time Generator will pick random times of the day
• Calendar Date Generator will pick random days across nearly three and a half millennia
• Geographic Coordinate Generator will pick a random spot on our planet's surface
• Bitmaps in black and white
• Pregenerated Files contain large amounts of downloadable random bits
• Pure White Audio Noise for composition or just to test your audio equipment
• Jazz Scales to practice improvisation for students of jazz guitar
• Samuel Beckett's randomly generated short prose

I'm particularly partial to their String Generator

I'll use it to "gin up" and download a few hundred 20-character strings at a pop. You can always merge or concatenate multiple lists to get longer strings or otherwise make a mess of things.

Check out the Beckett random prose while you're at it. It's a riot if you're a Beckett fan.

Great resource. Highly recommended. [/list]

[4wd]

The Geographic Coordinate Generator is great!

Do you realise how hard it is to determine what country to invade without a dart?


It's just too bad most of the planet seems to be covered with water....Curses!

[40hz]

The Geographic Coordinate Generator is great!

Do you realise how hard it is to determine what country to invade without a dart?


It's just too bad most of the planet seems to be covered with water....Curses!

-4wd (February 23, 2011, 05:29 PM)

Why be selective. Why not just invade all of them?

[Stoic Joker]

Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.

-40hz (February 23, 2011, 10:58 AM)

Exactly, any rule or technique you develop only doubles the attackers work/rainbow table, ie they test their search space once with the rule, and once without. So they simply use two computers instead of one.

-Eóin (February 23, 2011, 12:42 PM)

Okay, but... To everything there is a point called a bit too far. If you do go with a really long mixed case alphanumeric password with garbage characters. you not only encourage, but basically force over half of the users to jot said password on a sticky note. ... And your Uber fortress gets hacked by the cleaning lady.

How random is random enough? If a popular phrase is used for a pass phrase, well that's reasonable to assume it won't last too long. But if the phrase used is some comic line your grandfather quipped at a family event one time that's not so predictable.

Now it has been mentioned that common/popular/most likely work combinations both can and are used in many of the (let's say...) High-end Rainbow Tables. Okay, but what about word fragments used as a mnemonic for the string? Here's an example:

A popular phrase and long standing joke around our house, is a quote of mine that was originally said when I was trying to lighten the mood when an auto repair was going quite badly. The quote was "We Are Not Totally F***ed ...Yet!"

So if I was to use that (which I don't), for a mnemonic it would go something like this:
We Are Not Totally F***ed ...Yet!

-or-

WeRntf,Y3t!

Easy to Remember (for me), and I'd wager quite difficult to guess, even for the table.


Here's the thing, and it's a very critical and key point. Who is cracking what, and why. Lets say it's HacKeRtasTic group X. and they are digging into Evil Bank Y.

Now they got into Evil Bank Y's server and dumped the user tables (yada, yada, yada...) ... And they want to get (lets say) 10,000 user accounts to post online to shame Evil Bank Y, And they also have an order for 10,000 more accounts for the ID theft folks...For a total order of 20,000 accounts needed, out of the (lets say) 100,000 accounts the bank has.

Now regardless of what can be done (even in an evil geek's wet dream) there are still some things that are just flat not cost effective. The tables are going to instantly pop on the first wave of (low-hanging-fruit) idiot simple passwords. Then the harder ones, and the harder ones ... And after a while the CPU time (cost) vs. the Cracked Hash (win) is going to skew...a lot. And that will most likely happen long after the "Order Requirement" of 20,000 accounts have been passed by a country mile.

Besides even if you do manage to memorize a 8,000 character password ... If they really want you specifically, that badly ... Well, the term Rubber-Hose Cryptography comes to mind...

[Eóin]

FYI: a reliable and safe source for true random strings is www.random.org

-40hz (February 23, 2011, 05:10 PM)

I really wanted to make a joke here about random.org's satirical sister site - noentropy.net, but unfortunately it's offline.

It used to just return a string of 1's.

[f0dder]

WeRntf,Y3t!

Easy to Remember (for me), and I'd wager quite difficult to guess, even for the table.

-Stoic Joker (February 23, 2011, 06:05 PM)

Good question - a quick google does suggest that the easy-to-find publicly available tables don't even reach 10 characters for the larger character sets, and those tables are already huge and take a while to generate. But do keep in mind that criminals have access to very large botnets, and people have started renting Amazon EC2 servers (including GPU acceleration) for nefarious deeds. I definitely wouldn't feel too safe with a passphrase lower than 10 characters with a large character set.

And it does seem it takes a while (for a single box) to process passphrases, even with rainbow tables - but anybody serious enough to have serious tables are going to have more than a single box available.

Besides even if you do manage to memorize a 8,000 character password ... If they really want you specifically, that badly ... Well, the term Rubber-Hose Cryptography comes to mind...

-Stoic Joker (February 23, 2011, 06:05 PM)

Indeed, and that's one of my favorite XKCDs. You have to balance your security based on who's likely to try to attack you. I protect my digital signature / online-banking stuff with longer passphrases than forum logins, simply because attackers would be more interested in spending energy on something they can have real financial gain from.

That said, access to a forum or account account can be valuable as well - interesting information can sometimes be gathered form such access, either directly or through social engineering. And if the user has used the same passphrase in multiple locations, well...

[40hz]

FYI: a reliable and safe source for true random strings is www.random.org

-40hz (February 23, 2011, 05:10 PM)

I really wanted to make a joke here about random.org's satirical sister site - noentropy.net, but unfortunately it's offline.

It used to just return a string of 1's.

-Eóin (February 23, 2011, 06:19 PM)

Shouldn't be hard to redo and host here.  

So simple even I could probably code it.

Let's ask Mouser...

(Kidding...just kidding  )

[Stoic Joker]

WeRntf,Y3t!

Easy to Remember (for me), and I'd wager quite difficult to guess, even for the table.

-Stoic Joker (February 23, 2011, 06:05 PM)

Good question - a quick google does suggest that the easy-to-find publicly available tables don't even reach 10 characters for the larger character sets, and those tables are already huge and take a while to generate. But do keep in mind that criminals have access to very large botnets, and people have started renting Amazon EC2 servers (including GPU acceleration) for nefarious deeds. I definitely wouldn't feel too safe with a passphrase lower than 10 characters with a large character set.

And it does seem it takes a while (for a single box) to process passphrases, even with rainbow tables - but anybody serious enough to have serious tables are going to have more than a single box available.

-f0dder (February 23, 2011, 06:25 PM)

Quite true, But what are they really after? HBGary was completely torched in less that 24 hours. So there is an obvious time requirement involved. It their case the Low-Hanging-Fruit was also pay dirt ... So there was really no point in continuing. The object is to get as many of the accounts as possible, in the shortest time possible. So it is not really required to out run the bear, just the rest of the hunting party...

Besides even if you do manage to memorize a 8,000 character password ... If they really want you specifically, that badly ... Well, the term Rubber-Hose Cryptography comes to mind...

-Stoic Joker (February 23, 2011, 06:05 PM)

Indeed, and that's one of my favorite XKCDs. You have to balance your security based on who's likely to try to attack you. I protect my digital signature / online-banking stuff with longer passphrases than forum logins, simply because attackers would be more interested in spending energy on something they can have real financial gain from.

That said, access to a forum or account account can be valuable as well - interesting information can sometimes be gathered form such access, either directly or through social engineering. And if the user has used the same passphrase in multiple locations, well...

-f0dder (February 23, 2011, 06:25 PM)

Guilty as charged ... I stole the line from you.  

And password reuse is definitely to be avoided, usually by using fsekrit.

[Eóin]

Hmmm the .org domain was available, so I just bought it. Damn impulse buying  

Guess I better setup some sort of a tribute site now.

[NigelH]

Of course, the downfall of generated passwords or passphrases is generally the requirement to store them somewhere.
I've long favored using a key plus a passphrase to generate the password.

I often use a tool called keymaker (keymaker20 was the last release) but I'm not sure of a reliable site to download it from.
However, a quick search turns up  passkool
Python based, so is somewhat more flexible than keymaker (Windows based)
Bares further investigation...

Aha, I see Barney referred to Keymaker here Registrations on Websites

[4wd]

I protect my digital signature / online-banking stuff with longer passphrases than forum logins,....

-f0dder (February 23, 2011, 06:25 PM)

Cool!  Now I know I at least have a chance of logging into DoCo as you and donating all your donations to me....mwaahahaha 

[f0dder]

I protect my digital signature / online-banking stuff with longer passphrases than forum logins,....

-f0dder (February 23, 2011, 06:25 PM)

Cool!  Now I know I at least have a chance of logging into DoCo as you and donating all your donations to me....mwaahahaha 

-4wd (February 23, 2011, 08:54 PM)

Yeah, it should actually be trivial if you get your hands on the userdb, if it isn't salted

[Paul Keith]

Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.

Not necessarily. As I suggested before in another thread, three way login forms can be very powerful.

You can't mass brute force a photo upload for an image captcha unless you have access to the home storage file already but even then you have to know each users' specific thought process and which personal photo they are using to access something.

Same thing with using QR codes except the problem is cellphones obviously but the more you're inserting custom logins - the harder it is to guess the password. It's also a lot slower. You really have to have a database of things other than texts and you need a fast undetected connection so that you can mass upload all the custom passwords of multiple accounts rather than just quickly auto-type the entries based on guessing one syntax (letters and numbers).

Basically, I'm not a security expert, but IMO if you increase length of entry rather than length of password or complexity of password - it becomes harder to crack obviously since you're telling the cracker to crack multiple access points instead of one hub.

Edit:

One simple example of this is: fake username + fake password + fake e-mail.

Even if you can hack the e-mail, the recipient loses barely anything of importance. But let's say the e-mail username and password is showing a fake "fewer access" profile? Suddenly even if you can cut through the middle, you better be sure the user is logging in into their secure account rather than just giving you access to a limited account. It's basic Linux security who's only weakness is that it's not simple enough yet to create a disposable account as opposed to a guest account for the masses to use.

[Gwen7]

Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.

Not necessarily.

-Paul Keith (February 24, 2011, 09:36 AM)

i'm not a mathematician or a cryptography expert. but i think the experts disagree with you on that point based on what i've read and do understand ;-)

[Paul Keith]

Well, the problem with experts is that they often treat security in a vacuum.

That's why they missed defending people against Facebook while some of them were trying to figure out OpenID or some of them can only go so far as thinking cryptographically without having any solution for an easy to decipher master password except for one click logins.

The reason why simplicity is important is because the dumbest users are the ones in need of the best security. I'm not saying I'm unhackable and if you're not an expert, I'm way worse. I don't know anything about cryptography.

I do understand though that my first PC which was on Windows didn't function like Linux or that the guy who set it up didn't give me any better AV than Norton so I feel I get to have an opinion on security when I've experienced the fall and none of those security guys where there to save me from my own stupidity and naivete.

[Stoic Joker]

Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.

Not necessarily. As I suggested before in another thread, three way login forms can be very powerful.

You can't mass brute force a photo upload for an image captcha unless you have access to the home storage file already but even then you have to know each users' specific thought process and which personal photo they are using to access something.

-Paul Keith (February 24, 2011, 09:36 AM)

Okay, from a front door perspective only...I'd agree - I find the user, pass, pic, phrase logons much less annoying and effective than capachas which are easily defeated with OCR. But... That's not what we are (or the thread is) discussing.

The question on the table was regarding the HBGeary fiasco. Where the User Table had already been dumped via SQL injection. So the additional bits of info (pic & phrase) could simply be read from the next column over, and would afford no further resistance.

So the discussion was really focused on how complex does a password really need to be to keep it from being Hash Cracked in a matter of hours (e.g. it's all straight up back door stuff).

[Paul Keith]

Well the thread was two fold. One simplified password strength and the other is that situation.

I'd argue since there's a separate HBGary thread, that the front door perspective is more of a major component of this thread than the HBGary example. (sorry if it's really HBGeary, I didn't really look into the topics in depth and most of what I read was written HBGary)

In that sequence though, does a password really help? Most security relies on the front door being backdoored, not entered through.

It would probably be more secure for HBGary to have an easier deceptive information alongside real information to make disinformation decipheration much harder. In that sense, it's like an encrypted container. Get into the OS but all you can do is just delete the files, not view it.

In here, you're viewing the files but you don't know that you're being convinced to treat the wrong files as legit and the chances of a whistle blower getting the wrong picture means there's a lower chance someone is going to look again after what has been confirmed. That's the security there IMO. The password is just useless no matter how complex. You're basically attracting attention to a compromised situation. There's a very low percentage chance that the guys won't figure out the complex password eventually anyway. Obscurity is really your best password especially if it's obscuring via red herring.

[Stoic Joker]

HBGary/HBGeary I had a feeling I spellt that wrong...

Their problem was the front door had a set of keys left in it ... In the form of unvalidated SQL input being allow to execute against the server. Which is how the table got "dumped". This allowed all of the bruteforcing to be done off-line on fast (and distributed) hardware. No more internet connection speed slowing down the number of attempts per second.

[Paul Keith]

Yeah, that was what I was trying to imply.

I don't know anything about SQL but I do know one thing, if you leave your keys at the front door, eventually someone's bound to open your vault no matter how complicated the lock is unless you trick them into thinking the treasure is there.

[Mattphoes]

I use "Keypass" to store my passwords. It also offers to create random passwords with a single click.

What I really hate is that many websites limits the maximum password length.