LinuxQuestions.org
Old 05-07-2016, 03:59 PM   #1
jakeDM
LQ Newbie
 
Registered: May 2016
Distribution: Anything that isn't MS windows
Posts: 2

Rep: Reputation: Disabled
Are passphrases more secure than a password


hi jake here,

I have a question about passwords and passphrases. Below are two examples. One is a long string and the other is the same password with spaces, i.e. a passphrase.

PR&$hRW#JxnC6uGJ<rE4T

PR& $hR W#J xnC 6uG J<r E4T

The top one has 21 characters, the second one has 27 characters including the spaces. They're both really good strong passwords, but I read that having spaces with passwords makes it even more secure.

I want your opinion on whether having spaces makes it more secure or not.

Last edited by jakeDM; 05-07-2016 at 04:05 PM.
 
Old 05-07-2016, 04:15 PM   #2
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 3,879
Blog Entries: 1

Rep: Reputation: 1998
In general, longer makes it better.

Spaces themselves do not make it better, they just make it longer. Longer with different characters instead of spaces is even better - higher entropy.

PR& $hR W#J xnC 6uG J<r E4T is not better or worse than PR&_$hR_W#J_xnC_6uG_J<r_E4T or PR&0$hR0W#J0xnC06uG0J<r0E4T but maybe not as good as PR&0$hR1W#J2xnC36uG4J<r5E4T.
 
Old 05-07-2016, 04:39 PM   #3
beachboy2
Senior Member
 
Registered: Jan 2007
Location: Wild West Wales, UK
Distribution: Ubuntu MATE, Mint MATE & antiX MX-15
Posts: 1,664
Blog Entries: 5

Rep: Reputation: 562
jakeDM,

Welcome to LQ.

I agree with astrogeek.

A very long password, which is impossible to remember, used in conjunction with a Password Manager, such as KeePass2, and Two-Factor authentication will greatly help your security.

Post #9 on here may help you:

http://www.linuxquestions.org/questi...gh-4175550557/
 
Old 05-07-2016, 07:03 PM   #4
jakeDM
LQ Newbie
 
Registered: May 2016
Distribution: Anything that isn't MS windows
Posts: 2

Original Poster
Rep: Reputation: Disabled
Here is the article I read a few days ago about passwords and passphrases

https://theintercept.com/2015/03/26/...rs-cant-guess/

Of course, I'm not gullible about the headline that the NSA can't break it. Nothing is guaranteed. But the good practices in the article are good examples of entropy.

After reading the article, I made a shell script to generate a passphrase with a mix of dictionary words and a set of mixed gibberish characters. I believe this is a good example of entropy.

Code:
#!/bin/bash
# Word list shipped with Firefox (path as in the original post); hunspell .dic
# files start with a count line, then one "word/affix-flags" entry per line.
dict=/usr/lib64/firefox/dictionaries/en-US.dic
lines=$(wc -l < "$dict")

for ((i=1;i<=2;i++))
do
  # 11 random printable, non-space characters from the kernel CSPRNG
  # ([:graph:] rather than [:print:], so a chunk never contains a space)
  x=$(LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | head -c 11)
  # pick a line number in 2..lines from /dev/urandom; bash's $RANDOM is neither
  # cryptographically strong nor guaranteed to fall inside the file
  n=$(( $(od -An -N4 -tu4 /dev/urandom) % (lines - 1) + 2 ))
  word=$(sed -n "${n}p" "$dict" | cut -d/ -f1)
  echo -n "$word $x "
done; echo
And this was the output

Quote:
Chevron a!rEe"y0az0 elocutionist Si^3-Z;Z$xN
According to the article, a good long strong passphrase is good for PGP and hard drive encryption AND not so great for websites. The article explains why in the section "Now that you know passphrases, here’s when to avoid them"

Last edited by jakeDM; 05-07-2016 at 07:08 PM.
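The same generator in Python, as an added example that is not part of the post: it draws both the dictionary word and the gibberish chunk from the `secrets` module (a CSPRNG) rather than bash's `$RANDOM`, parses a hunspell-style word list with its leading count line skipped, and reports how many bits a phrase built this way carries when the attacker knows the scheme. The seven-entry word list embedded below is a constructed stand-in for Firefox's en-US.dic; in practice you would load the real file.

```python
import math
import secrets
import string

# Constructed stand-in for the Firefox en-US.dic file used in the post.
# hunspell .dic files carry a count line first, then "word/affix-flags" entries.
DIC_TEXT = """7
chevron/M
elocutionist/MS
harbour/GMDS
quartz/M
sable/M
tundra/SM
zeal/M
"""

# Printable characters that are not whitespace (94 of them), so a chunk never
# collides with the space used as separator (tr -dc '[:graph:]' in shell terms).
GIBBERISH_ALPHABET = "".join(c for c in string.printable if not c.isspace())


def load_words(dic_text):
    """Return the bare words from hunspell .dic text, dropping the count line
    and the affix flags after '/'."""
    lines = dic_text.splitlines()
    return [line.split("/", 1)[0] for line in lines[1:] if line.strip()]


def random_chunk(length=11, alphabet=GIBBERISH_ALPHABET):
    """`length` characters chosen independently with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, pairs=2, chunk_len=11):
    """Same layout as the shell script: (word, chunk) repeated `pairs` times,
    space separated."""
    parts = []
    for _ in range(pairs):
        parts.append(secrets.choice(words))
        parts.append(random_chunk(chunk_len))
    return " ".join(parts)


def passphrase_entropy_bits(list_size, pairs=2, chunk_len=11,
                            alphabet_size=len(GIBBERISH_ALPHABET)):
    """Bits of entropy for this scheme against an attacker who knows the word
    list, the chunk length and the layout: each word contributes log2(list_size),
    each chunk character log2(alphabet_size)."""
    return pairs * (math.log2(list_size) + chunk_len * math.log2(alphabet_size))


if __name__ == "__main__":
    words = load_words(DIC_TEXT)
    print(generate_passphrase(words))
    # With a 10,000-word list (an assumed size) the scheme yields about 170 bits,
    # nearly all of it from the 22 gibberish characters rather than the two words.
    print(f"{passphrase_entropy_bits(10_000):.1f} bits with a 10,000-word list")
```

Note that `secrets.choice` over the whole list cannot pick an index past the end of the file, which is the other defect of `sed $RANDOM"q;d"` when the dictionary has fewer than 32,768 lines.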
 
Old 05-07-2016, 07:48 PM   #5
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 3,879
Blog Entries: 1

Rep: Reputation: 1998
Quote:
Originally Posted by jakeDM View Post
Here is the article I read a few days ago about passwords and passphrases

https://theintercept.com/2015/03/26/...rs-cant-guess/

Of course, I'm not gullible about the headline that the NSA can't break it. Nothing is guaranteed. But the good practices in the article are good examples of entropy.
Not gullible about the headline, only gullible about the source, eh?

The Intercept, the hard hitting, radical, anti-establishment, independent, truth and freedom press organ, created and wholly owned and operated by and for the benefit of mega-establishment oligarch and exploiter, Pierre Omidyar...

If they said the sky was blue I would definitely want some trustworthy corroboration, in addition to full disclosure of just how that information is of benefit to Pierre and his high brow associates!

And you might be interested to know, if you don't already, that more than a few Intercept staffers are well connected to (hush, hush...) the NSA and CIA... and here...

But there is nothing new in that article, it is all about entropy. The benefit of a phrase over a long key is only to make it memorable by humans. There is also a trap in that - you may be more inclined to reuse your memorable long phrase in more places, precisely because it "feels" more secure... reuse can be more effective than a trillion guesses a second at ensuring your adversary will learn your new phrase!

"No one is ever safe..." Sarah Connor

Good luck!

Last edited by astrogeek; 05-07-2016 at 08:15 PM. Reason: Goof!
 
Old 05-07-2016, 08:57 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,374

Rep: Reputation: 2198
A strong password has a number of features but many of the posted "facts" point to mathematical calculations that seem to have little to do with how systems do get attacked. While I agree that the longer the password, the better it is also true that a huge password on a weak system isn't worth the effort. I've even read articles that claim that your password might be more easily stolen if you change it often.

I am still a fan of certificate based authentication.
 
Old 05-09-2016, 01:59 AM   #7
ondoho
Senior Member
 
Registered: Dec 2013
Posts: 4,176

Rep: Reputation: 835
the key to this is "memorize":
Quote:
A passphrase is like a password, but longer and more secure. In essence, it’s an encryption key that you memorize.
afaics, the whole point of the article is that you can remember the passphrase in your head.
i read some good articles about that (remembering). one approach was to take a verse from a song you remember, and use only the first letters of that. there's other approaches.
there's also a relevant xkcd comic.

other than that, it doesn't matter whether you have spaces in it or other characters.
 
Old 05-09-2016, 02:59 AM   #8
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 3,879
Blog Entries: 1

Rep: Reputation: 1998
Thinking about this over the past couple of days has caused my cynicism, if not paranoia, to stir a bit.

Knowing who is promoting the dice method (not only those linked in earlier posts) makes me suspect some motive other than interest in everyone else's security.

It then occurs to me that the arguments of the particular method rest on the entropy of your own "locally" rolled dice... so far so good... but is some entropy not lost in the list of words...

That entropy is encoded into a very finite choice of words from a list someone else has published. That seems to me like a very good way to actually decrease all that wonderful roll-of-the-dice entropy after the fact!

I have not made any attempt to actually work out real numbers, but it must involve not only the product of the choices (as repeated in the article), but also the granularity or chunkiness of the choices which is never mentioned. Consider this...

Suppose I generate an unpredictable (as opposed to purely random) string of characters like $3cRitW355ayeG - 14 characters out of an alphabet of say 64 choices. Even I could probably remember it, but it would be very unlikely that it could be easily "guessed", and brute force attempts would take whatever random choices from that alphabet were required before it would crack... I would consider it "safe enough" for most purposes, and I could make it arbitrarily long. Good enough.

Now, suppose I roll the dice 6 times and choose 6 words from a dictionary of 10,000. I might end up with a phrase about 30 characters long with all that good dice-generated entropy and should feel pretty good about it, right?

But in reality, I don't have 30 random unguessable characters, I have 6 random space separated chunks - and my adversary knows with good confidence the list from which those chunks were taken, AND the separator character, AND whatever distribution information can be gleaned from it (or may be encoded into it...).

On the surface, the math looks simple enough, but so did dual elliptic curve algorithms, and we know how that has worked out!

Code:
     If you know a certain property about the Dual_EC parameters, and can recover an output point,
     you can predict all subsequent outputs of the generator.
So which is better, a sequence of unknown length and totally unpredictable ordering, or a much longer character sequence composed of fewer chunks, with some known properties? I don't think the same math would apply to both cases.

I seriously have to wonder if there is not some known weakness, incidental or intentional, that could be exploited by having keys generated from a finite list of known chunks... it gives me pause...

Anyone with the time and knowledge and enough interest available to give that more thought?

Last edited by astrogeek; 05-09-2016 at 04:19 AM. Reason: grammer, typos, afterthoughts
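The accounting the post above asks for, worked through as an added example (not part of any post in the thread): it puts numbers on the cases raised in posts #1, #2 and #8 by modelling what an attacker who knows the generation scheme still has to guess. Every figure assumes the string was drawn uniformly at random from the stated scheme, which is an assumption; nothing on the page says how the OP's example strings were produced. The guess rate of 10^12 per second is the one post #5 mentions and is used only for scale.

```python
import math

PRINTABLE_ASCII = 94  # printable, non-space ASCII characters


def random_string_bits(length, alphabet_size):
    """Entropy of `length` characters drawn independently and uniformly
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def word_list_bits(n_words, list_size):
    """Entropy of `n_words` drawn from a published list of `list_size` entries.
    Once the attacker knows the list and the separator, the letters inside each
    chunk add nothing: only the index of each chunk is unknown."""
    return n_words * math.log2(list_size)


def naive_character_bits(phrase, alphabet_size=27):
    """The inflated figure obtained by treating every character of a word-list
    phrase as an independent pick from lowercase-plus-space (the mistake the
    post warns about)."""
    return len(phrase) * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Time to try every candidate at the given rate (a full search; the
    expected time to hit the right one is half of this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes():
    """Bits of entropy for each scheme discussed in the thread."""
    base = random_string_bits(21, PRINTABLE_ASCII)  # post #1: 21 random printable chars
    return {
        "21 printable chars": base,
        # post #1/#2: a space (or any fixed separator) after every 3 chars;
        # the positions are predictable, so the separators add nothing
        "same, spaces at fixed positions": base + 0,
        # post #2: 6 separators that are themselves random digits
        "same, 6 random-digit separators": base + random_string_bits(6, 10),
        # post #8: 14 chars from a 64-symbol alphabet
        "14 chars from 64 symbols": random_string_bits(14, 64),
        # post #8: 6 words from a 10,000-word list, attacker knows the list
        "6 words from 10,000-word list": word_list_bits(6, 10_000),
        # post #8: the same ~30-char phrase, counted as if every char were random
        "30 chars counted naively": naive_character_bits("x" * 30),
    }


if __name__ == "__main__":
    for label, bits in compare_schemes().items():
        years = years_to_exhaust(bits)
        print(f"{label:34s} {bits:6.1f} bits  ~{years:.3g} years at 1e12 guesses/s")
```

The two figures for the word-list phrase show the "chunkiness" point directly: counted character by character the 30-character phrase looks like about 143 bits, but against an attacker who holds the list it is six choices from 10,000, under 80 bits, which is less than the 14-character string from a 64-symbol alphabet (84 bits). Both are still far beyond exhaustive search at a trillion guesses per second; the thing that actually shrinks the number is structure the attacker knows, not the presence or absence of spaces.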
 
Old 05-10-2016, 11:27 AM   #9
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian
Posts: 1,054

Rep: Reputation: 276
What I use is a phrase transliterated from another language, with a different alphabet. Of course, that requires knowing at least a little about the foreign language and alphabet, but I do know enough. There are different transliterations possible, depending on how one decides to spell a word from a different language with a different alphabet. Dictionary attacks against this would be difficult at best, and require rather specific knowledge of an individual's life. It's easy for me to remember, but hard for anyone to guess. Using the dice method is just too complicated for me, and seriously limits the words available, unless you make up the word list yourself.
 