

Instantly Increasing Password Strength


Renegade:
I was reading on how HBGary got raped, and about their passwords, etc.

It occurred to me that a VERY simple way to increase security for those that like to use the same password or use pass-phrases would be to simply double them. e.g.:

Password: mypassword

New doubled:
* mypasswordmypassword
* mmyyppaasswwoorrdd

It's pretty much trivial, and adds virtually nothing in terms of complexity for remembering.

Personally, I like pass-phrases as they are easy to remember. e.g.

inthebeginningtherewasme

23 characters and pretty easy to remember. Sprinkle with caps or numbers, e.g.:

Ilike2moveitmoveit

Not bad, but doubling up really takes it to a new level.

In related news, since broadband speed is related to the effectiveness of brute force attacks, Korea is going to have 1 Gbps Internet connections in 2012.

1 Gbps. Residential. At home.

Goodbye to network speeds being a limiting factor in security!

f0dder:
I dunno how much that "doubling" strategy helps - if somebody has precomputed a rainbow table with enough digits, it doesn't help you at all. I'd feel a lot more confident with a 12-character passphrase with "enough" uncommon chars than a 20-character alphanumeric passphrase.

In related news, since broadband speed is related to the effectiveness of brute force attacks, Korea is going to have 1 Gbps Internet connections in 2012.
--- End quote ---
Yes and no. Anybody with half a clue is going to rate-limit the connection attempts, and fire warning signals if more than a few invalid attempts are tried for a single account. The only place I see where connection speed is useful wrt. brute-force attacks is when using cryptographic oracle exploits, like what has been done against Rails, JSP, ASP.Net et cetera.

Password brute-forces are done when you've successfully exploited a site and have grabbed the password database, and internet speed is pretty irrelevant there :)

Renegade:
I dunno how much that "doubling" strategy helps - if somebody has precomputed a rainbow table with enough digits, it doesn't help you at all. I'd feel a lot more confident with a 12-character passphrase with "enough" uncommon chars than a 20-character alphanumeric passphrase.

In related news, since broadband speed is related to the effectiveness of brute force attacks, Korea is going to have 1 Gbps Internet connections in 2012.
--- End quote ---
Yes and no. Anybody with half a clue is going to rate-limit the connection attempts, and fire warning signals if more than a few invalid attempts are tried for a single account. The only place I see where connection speed is useful wrt. brute-force attacks is when using cryptographic oracle exploits, like what has been done against Rails, JSP, ASP.Net et cetera.

Password brute-forces are done when you've successfully exploited a site and have grabbed the password database, and internet speed is pretty irrelevant there :)
-f0dder (February 23, 2011, 10:10 AM)
--- End quote ---

Good points.

But it will still help against a rainbow attack. You need to have at least double the storage then. There's really no difference between "J8Jh&hJi(" and any other 10-character password that includes lower, upper and symbols. But there is a difference between that and doubling it. Even with a rainbow attack.

Bed time for me.

Night~!

40hz:
Many capable crack tools include multilanguage dictionaries and "quick parsers." Once their dictionary heuristic determines you're primarily using "real" words, they've got you regardless of passphrase string length. Most have tables of common word pairs and combos which can reduce the time to crack even more.

Swapping out lookalike numbers and punctuation is a well known "trick" which does little other than slow a cracker tool down a bit. And at today's CPU clock speeds, it doesn't amount to much of a delay.

If you really want secure, the only known way is a very long and genuinely random key.

Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.

The real trick is to find the sweet spot where the convenience gained balances acceptably against the degree of security sacrificed. This can only be determined by knowing how secure you really need to be; and having a realistic idea of exactly how much of a threat you're up against.

For individuals, most only need to worry about the malicious. Genuine cybercriminals rarely bother targeting individuals unless they're involved with an institution or business they're trying to hack. And in those cases, they're only hoping to score unsecured data (password lists, login information, IT security memos, phone lists, etc.) that will aid them in cracking their real target.

Why bother hacking one person's PC for their bank accounts when you can crack the bank itself and gain access to all of them?
 8)


Eóin:
Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.
-40hz (February 23, 2011, 10:58 AM)
--- End quote ---

Exactly, any rule or technique you develop only doubles the attacker's work/rainbow table, i.e. they test their search space once with the rule, and once without. So they simply use two computers instead of one.

Actually, doubling the length of a truly random password instead squares the search space, which is a massive increase.
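The search-space arithmetic behind the last two posts (40hz's point that look-alike substitutions only slow a cracker "a bit", and Eóin's point that a known rule adds one candidate per guess while doubling a truly random password squares the space), worked through as an added Python example. This is not code from the thread; the alphabet sizes, the 100,000-word wordlist size, the substitution table and the guess rate are assumptions chosen for illustration.

```python
"""Added example (not from the thread): how many bits of attacker work each
password strategy discussed above actually buys.  "Bits" means log2 of the
number of candidates an attacker has to try to exhaust the space."""
import itertools
import math

# Alphabet sizes.  Assumption: the attacker already knows which character
# classes the password draws from (a standard cracking assumption).
LOWER = 26          # a-z
ALNUM = 62          # a-z A-Z 0-9
PRINTABLE = 95      # printable ASCII including symbols

# Constructed stand-in for a real cracking wordlist (assumed size).
DICTIONARY_SIZE = 100_000

# Assumed look-alike substitution table, the "trick" 40hz refers to.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def random_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet)


def doubled_bits(alphabet: int, length: int, attacker_knows_rule: bool) -> float:
    """Entropy of a random `length`-char password that the user then doubles.

    If the attacker does not model the rule, the result looks like a random
    2*length password: keyspace squared, bits doubled.  If the attacker does
    model it (try every candidate as-is and doubled), the rule adds exactly
    one extra candidate per base guess, i.e. one extra bit at most.
    """
    base = random_bits(alphabet, length)
    return base + 1.0 if attacker_knows_rule else 2.0 * base


def leet_variants(word: str, subs=LEET) -> set:
    """Every spelling of `word` reachable by independently replacing each
    character with itself or one of its look-alikes."""
    choices = [c + subs.get(c, "") for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def leet_bits(word: str, subs=LEET) -> float:
    """Extra bits the attacker spends per dictionary word to cover leet."""
    return math.log2(len(leet_variants(word, subs)))


def dictionary_bits(words: int, variants_per_word: int, rules: int = 1) -> float:
    """Work to exhaust a wordlist where each word has `variants_per_word`
    spellings, each tried under `rules` transformations (e.g. as-is,
    doubled, every-character-doubled)."""
    return math.log2(words * variants_per_word * rules)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock time to try the whole space at a given offline guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate for a fast hash, guesses/second
    rows = [
        ("random 10 lowercase", random_bits(LOWER, 10)),
        ("random 10 printable", random_bits(PRINTABLE, 10)),
        ("random 10 printable, doubled, rule unknown", doubled_bits(PRINTABLE, 10, False)),
        ("random 10 printable, doubled, rule known", doubled_bits(PRINTABLE, 10, True)),
        ("wordlist + leet('password') variants", dictionary_bits(DICTIONARY_SIZE, len(leet_variants("password")))),
        ("wordlist + leet + 3 doubling rules", dictionary_bits(DICTIONARY_SIZE, len(leet_variants("password")), 3)),
    ]
    for name, b in rows:
        print(f"{name:45s} {b:6.1f} bits  {seconds_to_exhaust(b, rate):.3g} s at 1e9/s")
```

The interesting rows are the last three: a wordlist attack that models leet and doubling stays in the low twenties of bits, while the same doubling applied to a random password that the attacker does not model jumps from roughly 66 to 131 bits. The strategy only pays off when the attacker's rule set does not already contain it.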
