Password Managers ... vs. Not

Tuxman:
passwords that are made of actual words were more vulnerable than those "secure" generated ones
-MilesAhead (June 05, 2017, 04:30 PM)
--- End quote ---

They are not.

f0dder:
My point was that although passwords that are made of actual words were more vulnerable than those "secure" generated ones, if you do not limit the number of attempts at cracking them then nothing is secure.  Also the same thing applies to hijacking the encrypted database.  If the brute force method can be applied offline then just because the passwords have no vowels and some numbers and symbols sprinkled in that will not long delay the cracking.
-MilesAhead (June 05, 2017, 04:30 PM)
--- End quote ---
That is wrong, though - and it all comes down to the number of guesses you have to make.

Assuming a dictionary of ~171k English words and stringing five of them together (one more word than XKCD's Correct Horse Battery Staple) gives 171000^5 permutations. I don't know what the average word length is, but let's be (very) generous to the string-words-together method and compare to a 20-character random string of base64 alphabet - which gives 64^20 permutations. That's 9.091.152.181 times as many password attempts.

Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.

Seems to me setting delays on IPs and domains generating invalid logon attempts would be more secure.
-MilesAhead (June 05, 2017, 04:30 PM)
--- End quote ---
False dilemma - using secure passphrases doesn't remove rate limiting. And while rate limiting definitely should be implemented, it only protects against remote bruteforcing of the lamest of lame passwords. Strong passwords guard against offline attacks.
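
The guess-count comparison from the post above, worked through as an added example that is not part of the original thread. The dictionary size and alphabet come from the post; the two guess rates and the single-word case are illustrative assumptions chosen to contrast a throttled login with an offline attack on a stolen database.

```python
import math

ENGLISH_WORDS = 171_000    # dictionary size used in the post
BASE64_ALPHABET = 64       # alphabet size used in the post

# Assumed guess rates (illustrative, not from the thread).
ONLINE_RATE_LIMITED = 1.0  # guesses/second against a throttled login
OFFLINE_RATE = 1e10        # guesses/second against a stolen database

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(symbols: int, length: int) -> int:
    """Candidates when `length` symbols are each drawn uniformly at random."""
    return symbols ** length


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: half the keyspace."""
    return space / 2 / guesses_per_second


def words_needed(target_bits: float, wordlist_size: int = ENGLISH_WORDS) -> int:
    """Smallest number of random words whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare() -> dict:
    one_word = keyspace(ENGLISH_WORDS, 1)        # constructed weak case
    phrase = keyspace(ENGLISH_WORDS, 5)          # five random words
    random20 = keyspace(BASE64_ALPHABET, 20)     # 20 random base64 chars
    return {
        "phrase_bits": math.log2(phrase),
        "random_bits": math.log2(random20),
        "ratio": random20 // phrase,
        "words_to_match_random20": words_needed(math.log2(random20)),
        "one_word_online_s": expected_seconds(one_word, ONLINE_RATE_LIMITED),
        "one_word_offline_s": expected_seconds(one_word, OFFLINE_RATE),
        "phrase_offline_years":
            expected_seconds(phrase, OFFLINE_RATE) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26} {value:,.6g}")
```

Under these assumed rates, throttling stretches a single dictionary word to hours of online guessing while the same word falls in microseconds offline, and only the larger keyspaces hold up once the database is in the attacker's hands.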

Stoic Joker:
@MilesAhead - I hear ya man ... Some of this stuff - necessary as it may be - is just a flat-out royal pain-in-the-ass.

MilesAhead:
@MilesAhead - I hear ya man ... Some of this stuff - necessary as it may be - is just a flat-out royal pain-in-the-ass.
-Stoic Joker (June 06, 2017, 06:34 AM)
--- End quote ---

If you hear the phrase "for your protection" you know it's going to be shoved sideways.   :D

MilesAhead:
Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.
-f0dder (June 06, 2017, 02:44 AM)
--- End quote ---

I'm sure that technically you have foundation for your argument(s).  But people live day to day fine with getting home from work and using a house key to get into their house/condo/apartment.  It does not stress them that a guy with a couple of battery powered drills can drill out the front door lock in about 30 seconds if he has practiced the procedure.  But the owner/renter can get in his own place in the most likely event terrorists are not waiting inside.  There's a balance point past which the customer exists to serve the service instead of the other way around.  We have already tipped the scales in many areas.
