
Instantly Increasing Password Strength

<< < (2/6) > >>

40hz:
FYI: a reliable and safe source for true random strings is www.random.org

What's this fuss about true randomness?

Perhaps you have wondered how predictable machines like computers can generate randomness. In reality, most random numbers used in computer programs are pseudo-random, which means they are generated in a predictable fashion using a mathematical formula. This is fine for many purposes, but it may not be random in the way you expect if you're used to dice rolls and lottery drawings.

RANDOM.ORG offers true random numbers to anyone on the Internet. The randomness comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs. People use RANDOM.ORG for holding drawings, lotteries and sweepstakes, to drive games and gambling sites, for scientific applications and for art and music. The service has existed since 1998 and was built and is being operated by Mads Haahr of the School of Computer Science and Statistics at Trinity College, Dublin in Ireland.

As of today, RANDOM.ORG has generated 935.5 billion random bits for the Internet community.

--- End quote ---

They offer some very useful free services:

Lists and Strings and Maps, Oh My!


* List Randomizer will randomize a list of anything you have (names, phone numbers, etc.)
* String Generator makes random alphanumeric strings
* Password Generator makes secure passwords for your Wi-Fi or that extra Gmail account
* iGoogle Password Generator is a handy tool for your iGoogle desktop
* Clock Time Generator will pick random times of the day
* Calendar Date Generator will pick random days across nearly three and a half millennia
* Geographic Coordinate Generator will pick a random spot on our planet's surface
* Bitmaps in black and white
* Pregenerated Files contain large amounts of downloadable random bits
* Pure White Audio Noise for composition or just to test your audio equipment
* Jazz Scales to practice improvisation for students of jazz guitar
* Samuel Beckett's randomly generated short prose
--- End quote ---


I'm particularly partial to their String Generator

I'll use it to "gin up" and download a few hundred 20-character strings at a pop. You can always merge or concatenate multiple lists to get longer strings or otherwise make a mess of things.

Check out the Beckett random prose while you're at it. It's a riot if you're a Beckett fan. ;D

Great resource. Highly recommended. :-*

4wd:
The Geographic Coordinate Generator is great!

Do you realise how hard it is to determine what country to invade without a dart?


It's just too bad most of the planet seems to be covered with water....Curses!

40hz:
The Geographic Coordinate Generator is great!

Do you realise how hard it is to determine what country to invade without a dart?


It's just too bad most of the planet seems to be covered with water....Curses!
-4wd (February 23, 2011, 05:29 PM)
--- End quote ---

Why be selective. Why not just invade all of them? ;D :Thmbsup:

Stoic Joker:
Anything else done to reduce the complexity or length in order to make it more suitable for human use will reduce the level of security.
-40hz (February 23, 2011, 10:58 AM)
--- End quote ---

Exactly, any rule or technique you develop only doubles the attacker's work/rainbow table, i.e. they test their search space once with the rule, and once without. So they simply use two computers instead of one.
-Eóin (February 23, 2011, 12:42 PM)
--- End quote ---

Okay, but... To everything there is a point called a bit too far. If you do go with a really long mixed-case alphanumeric password with garbage characters, you not only encourage, but basically force over half of the users to jot said password on a sticky note. ... And your Uber fortress gets hacked by the cleaning lady.

How random is random enough? If a popular phrase is used for a pass phrase, well, it's reasonable to assume it won't last too long. But if the phrase used is some comic line your grandfather quipped at a family event one time, that's not so predictable.

Now it has been mentioned that common/popular/most likely word combinations both can be and are used in many of the (let's say...) high-end Rainbow Tables. Okay, but what about word fragments used as a mnemonic for the string? Here's an example:

A popular phrase and long standing joke around our house, is a quote of mine that was originally said when I was trying to lighten the mood when an auto repair was going quite badly. The quote was "We Are Not Totally F***ed ...Yet!"

So if I was to use that (which I don't), for a mnemonic it would go something like this:
We Are Not Totally F***ed ...Yet!

-or-

WeRntf,Y3t!

Easy to Remember (for me), and I'd wager quite difficult to guess, even for the table.


Here's the thing, and it's a very critical and key point. Who is cracking what, and why. Let's say it's HacKeRtasTic group X, and they are digging into Evil Bank Y.

Now they got into Evil Bank Y's server and dumped the user tables (yada, yada, yada...) ... And they want to get (let's say) 10,000 user accounts to post online to shame Evil Bank Y, and they also have an order for 10,000 more accounts for the ID theft folks... For a total order of 20,000 accounts needed, out of the (let's say) 100,000 accounts the bank has.

Now regardless of what can be done (even in an evil geek's wet dream), there are still some things that are just flat not cost effective. The tables are going to instantly pop on the first wave of (low-hanging-fruit) idiot-simple passwords. Then the harder ones, and the harder ones ... And after a while the CPU time (cost) vs. the cracked hash (win) is going to skew... a lot. And that will most likely happen long after the "order requirement" of 20,000 accounts has been passed by a country mile.

Besides, even if you do manage to memorize an 8,000-character password ... If they really want you specifically, that badly ... Well, the term Rubber-Hose Cryptography comes to mind...
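The two arguments above (Eóin's "a known rule only doubles the attacker's work" and Stoic Joker's "how random is random enough?") can be put in numbers. The following script is an added illustration, not code from this thread or from random.org: it estimates the attacker's work in bits for the mnemonic string "WeRntf,Y3t!" from the post under three attacker models. The list size of 10,000 quotes, the single "first letters plus substitutions" rule, and the guess rate of 10 billion per second are assumed values chosen for the demonstration; the character-class alphabet sizes follow the printable-ASCII convention.

```python
import math
import string

# Alphabet size per character class (printable ASCII: 32 punctuation + space).
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def brute_force_bits(password: str) -> float:
    """Work (in bits) for an attacker who knows only the length and which
    character classes appear: log2(alphabet_size ** length)."""
    alphabet = sum(size for chars, size in CHAR_CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def phrase_bits(word_count: int, dictionary_size: int) -> float:
    """Work when the attacker knows the secret is word_count picks from a
    list of dictionary_size entries (a list of well-known quotes, say)."""
    return word_count * math.log2(dictionary_size)


def mangled_bits(base_bits: float, known_rules: int) -> float:
    """Eóin's point: every transformation rule the attacker knows is tried
    once per base candidate, on top of the plain candidate, so the work
    grows by a factor of (known_rules + 1).  One known rule = +1 bit."""
    return base_bits + math.log2(known_rules + 1)


def time_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Seconds needed to try every candidate in a space of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def compare(password: str, phrase_words: int, dictionary_size: int,
            known_rules: int) -> dict:
    """Work in bits for one secret under three attacker models:
    plain brute force, phrase known to be in a list, and phrase in a list
    plus a known mnemonic rule."""
    base = phrase_bits(phrase_words, dictionary_size)
    return {
        "brute_force_bits": brute_force_bits(password),
        "known_phrase_bits": base,
        "known_phrase_plus_rule_bits": mangled_bits(base, known_rules),
    }


if __name__ == "__main__":
    RATE = 1e10  # assumed: 10 billion guesses/s against a fast unsalted hash
    # Assumed: the source phrase is one of 10,000 quotes in the attacker's
    # list, and the attacker also knows one "first letters + substitutions" rule.
    result = compare("WeRntf,Y3t!", phrase_words=1, dictionary_size=10_000,
                     known_rules=1)
    for label, bits in result.items():
        secs = time_to_exhaust(bits, RATE)
        print(f"{label:30s} {bits:6.1f} bits  ~{secs:.3g} s to exhaust")
```

The output makes the thread's point concrete: an attacker who has never heard the family quip faces a 95-character alphabet over 11 positions (about 72 bits), while an attacker whose table already contains the phrase gains back all but one bit of that by adding the mnemonic rule. The mnemonic's strength therefore rests on the phrase being obscure, exactly as Stoic Joker argues, not on the rule.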

Eóin:
FYI: a reliable and safe source for true random strings is www.random.org
-40hz (February 23, 2011, 05:10 PM)
--- End quote ---

I really wanted to make a joke here about random.org's satirical sister site - noentropy.net, but unfortunately it's offline.

It used to just return a string of 1's.
