regarding password security: pass phrases vs complex passwords
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In the article (and cartoon) it is indicated that it is more secure to have a pass phrase like "correcthorsebatterystaple" than a complex password like "Tr0ub4dor&3". The idea seems to be that our complex passwords follow certain common formats that make them easier to guess than simply a long string of common words. But intuitively I'm still having difficultly accepting that "correcthorsebatterystaple" is harder to brute force than "Tr0ub4dor&3". Does someone perchance have more insight into this?
I know what you mean, but if you read the cartoon and the attached article and the one linked to early in the comments carefully, it may become clearer.
The pt is that longer = more secure (more entropy), all other things being equal.
The attacker has to assume you used other chars than just alpha and in fact the article makes this pt with spaces 'this is fun' and says you should(!) use some other chars than just alpha (esp if the site you want to use it on won't accept spaces; a pt made in the article).
Basically, 3+ words with a few non-alphas is easier to remember & more secure than the short 'complex' passwd in the cartoon.
Effectively a 'passphrase' rather than a 'passwd'.
One of the commenter's mentions that he works for a large Telco on helpdesk and explaining passphrase v passwd helps many users who can't remember complex strings.
Very useful if you have a lot of them to remember...
Note that (as mentioned) an attacker cannot break a passphrase word by word, its all or nothing, which is probably what you were worried about.
Last edited by chrism01; 09-19-2011 at 11:56 PM.
Reason: typo: sue => use
Not to mention that password cracking difficulty grows exponentially. a password with 30 characters has way more then double as many possible combinations of a password with 29 characters
so in terms of the comic. These are the amount of total passwords that be generated for each length.
for the sake of it we will do one more just to show how many more combinations a longer password is
we will ONLY use upper and lower case for this. a 30 character password and a 31 character password. I am only adding the letter A to the end of the first password to use it for the second.
So the 2 passwords would be:
ThisIsAReallyLongPasswordToday
ThisIsAReallyLongPasswordTodayA
With 52 possible combinations. 26 lower, 26 upper.
and
the formula "N^L" N = possible combinations, L = length of password.
52^30 and 52^31
(i think my math is right on this one.)
for this number 157073764616094509389508040547359786571070742722510848
even with some of the fastest gpu cards cracks 2.5Billion hashes per second you are looking at
1,976,498,572,255,221,915,562,210,088,789,428,189 years to find every possible combination.
or 1.96 undecillion years
Okay, though slimms calculation for "correcthorsebatterystaple" only a relevant if the attacker assumes that you could be using non-word characters. I'm wondering, how long would it take the brute force program if the attacker decides first of all to check all passwords composed of only, say, between one and five of the most common 3000 words in the English language (all lowercase). I should think, were I a hacker, that that would be the simplest and most logical place to start. Especially, beginning with all one word passwords, then all two word passwords, and so on. To get to all four word passwords would only be this, correct?:
3000 + 3000^2 + 3000^3 + 3000^4 = 8.1027009003e13
@chrism: I missed the part in the article where they encourage us to use non-alpha characters. I was strictly concerned with the issue of long word-only passwords versus short complex passwords.
Most passwords that get cracked are seriously bad passwords - you know, things like "password" or "passw0rd" or "password1". These are things that never should have been the password, in the first place.
The reason for this is that something else stops you having a quasi-infinite number of tries at cracking the password, so one question that needs asking is what is that something else and how low is the limit set? For example, fail2ban may limit remote login attempts, or you may be relying on manual examination of log files to stop repeated bad attempts...this doesn't work so well if you are not bothering to check log files.
Now if you look at honeypot research, you'll see that the 'top 30' terms used are all pretty pathetic - people's (or pet's) names, plus variants on 'password'. So, concatenations of words may be fine, but concatenations of words all of which are on the top 30 list would be really poor, too, irrespective of how many characters there are, in total. .
The idea here is just to generate longer passwords. They do not have to be much crazy complex passwords. All the other password best practices still mostly apply.
correcthorsebatterystaple altered to something even as simple as 1Correct_horse_Battery_staple1 is still far more difficult and would not be caught by a dictionary attack and would not be cracked in any useful amount of time.
If you look up the common patterns for passwords the number one used pattern is 1 Uppercase 6-7 lowercase 1 number
Password1
Scruffy6
Tiffany2
this is the most used pattern.
"Scruffy6" is just as easy to remember as "1Mary_had_a_little_lamb!" except one is far more resilient to brute force attacks.
Greetings
Am I correct in thinking if we go with this:
Quote:
Originally Posted by slimm609
Not to mention that password cracking difficulty grows
(i think my math is right on this one.)
for this number 157073764616094509389508040547359786571070742722510848 even with some of the fastest gpu cards cracks 2.5Billion hashes per second you are looking at
1,976,498,572,255,221,915,562,210,088,789,428,189 years to find every possible combination.
or 1.96 undecillion years
That setting a login retry delay of even 1 sec throws a wrench into the works as far as the "2.5 billion per sec" goes ? (I have mine set to 3 sec)
even with some of the fastest gpu cards cracks 2.5Billion hashes per second
is expressing this as the worst case scenario ie the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
Obviously you can't do login attempts at that speed, even on a lan or even on the local machine, the login program doesn't respond at that speed.
On top of that, setting 3 failed tries = a lockout via PAM or fail2ban is a good idea as well.
is expressing this as the worst case scenario ie the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
Obviously you can't do login attempts at that speed, even on a lan or even on the local machine, the login program doesn't respond at that speed.
On top of that, setting 3 failed tries = a lockout via PAM or fail2ban is a good idea as well.
That's what I normally do; I set all of mine up for a max of two attempts, and then a five minute lockout. After three repeated attempts after a max 15 minute lockout, I had my old system do a full lockout for 30 minutes. I know, it's too much.... I'm a security freak
But as far as this whole password thing, I do have something to say about it. I work for the government, and they always push to have users create complicated passwords. I have seen people created passwords as such:
Code:
1aqz!AQZ
1qaz2wsx#EDCVFR$
xsw2!QAZXSW@1qaz
Note the last two passwords - Look on the keyboard, and notice the "sequence" that is being used. Eventually, passwords like these will be within a dictionary file based on sequences as such.
is expressing this as the worst case scenario ie the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
Thanks, I was thinking that's what the deal had to be.
Quote:
Originally Posted by corp769
Note the last two passwords - Look on the keyboard, and notice the "sequence" that is being used. Eventually, passwords like these will be within a dictionary file based on sequences as such.
Disappointing, not all that surprising, just disappointing. Are you allowed to "Gibbs(NCIS)slap" them ?
ie the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
AKA an "offline attack".
I'd add to the thread: an organization with the type of resources to crack salted, hashed passphrases like linking tripped blues mi!playa sweden within a reasonable timeframe also have the resources to attack some weaker link in the crypto implementation instead.
i.e. You've likely entered a realm where it's infeasible (and unnecessary) for most to attack the passphrase - or the hash itself, assuming it has no known, effective cryptanalysis. So they exploit a buffer overflow. Or they install a camera, or a hardware keystroke logger. Or they simply hit you in the head with a wrench until you submit.
In the article (and cartoon) it is indicated that it is more secure to have a pass phrase like "correcthorsebatterystaple" than a complex password like "Tr0ub4dor&3". The idea seems to be that our complex passwords follow certain common formats that make them easier to guess than simply a long string of common words. But intuitively I'm still having difficultly accepting that "correcthorsebatterystaple" is harder to brute force than "Tr0ub4dor&3". Does someone perchance have more insight into this?
weirdwolf: that's a good site to check the the time to bruteforce a password. I found it funny to check the password "simpleuseofbadpasswords" and the Time Required to Exhaustively Search this Password's Space (Assuming one hundred trillion guesses per second) is 1.16 billion centuries. LOL
This method to remember passwords is OK for standard use, I guess. Most people that have allot of free time in hand (AKA hackers) don't waste time and effort on such targets (effort-return/profit analysis). Usually they just crawl the internet in search for a specific service and a password list to check or crack. I guess they prefer the "steal a candy from a children" approach. If you use 3 secs between password attempts and fail2ban to ban for an amount of time then it should be OK.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.