LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-19-2011, 08:17 PM   #1
hydraMax
regarding password security: pass phrases vs complex passwords


I'm a little confused:

http://www.zdnet.com/blog/networking...y-experts/1340

In the article (and cartoon) it is indicated that it is more secure to have a pass phrase like "correcthorsebatterystaple" than a complex password like "Tr0ub4dor&3". The idea seems to be that our complex passwords follow certain common formats that make them easier to guess than simply a long string of common words. But intuitively I'm still having difficultly accepting that "correcthorsebatterystaple" is harder to brute force than "Tr0ub4dor&3". Does someone perchance have more insight into this?
Old 09-19-2011, 08:49 PM   #2
chrism01
I know what you mean, but if you read the cartoon and the attached article and the one linked to early in the comments carefully, it may become clearer.
The pt is that longer = more secure (more entropy), all other things being equal.
The attacker has to assume you used other chars than just alpha and in fact the article makes this pt with spaces 'this is fun' and says you should(!) use some other chars than just alpha (esp if the site you want to use it on won't accept spaces; a pt made in the article).

Basically, 3+ words with a few non-alphas is easier to remember & more secure than the short 'complex' passwd in the cartoon.
Effectively a 'passphrase' rather than a 'passwd'.
One of the commenter's mentions that he works for a large Telco on helpdesk and explaining passphrase v passwd helps many users who can't remember complex strings.
Very useful if you have a lot of them to remember...

Note that (as mentioned) an attacker cannot break a passphrase word by word, its all or nothing, which is probably what you were worried about.

Old 09-19-2011, 11:19 PM   #3
slimm609
Not to mention that password cracking difficulty grows exponentially. A password with 30 characters has way more than double the possible combinations of a password with 29 characters.



So, in terms of the comic, these are the total number of passwords that can be generated for each length.

Tr0ub4dor&3 = 95^11 = 5,688,000,922,764,599,609,375 -- 95 possible characters by 11 digits long. http://en.wikipedia.org/wiki/Password_strength

correcthorsebatterystaple = 26^25 = 236,773,830,007,967,588,876,795,164,938,469,376 -- 26 possible characters (assume only lower case) by 25 digits long.

5,688,000,922,764,599,609,375 = Tr0ub4dor&3
236,773,830,007,967,588,876,795,164,938,469,376 = correcthorsebatterystaple

clearly you can see how many more combinations there are for the all lowercase.

if you just did upper and lower case for "correcthorsebatterystaple"

it would be 52^25 = 7,944,811,378,381,907,919,170,379,739,856,654,861,074,432 possible combinations.


numbers without commas.
Code:
                     5688000922764599609375 
       236773830007967588876795164938469376
7944811378381907919170379739856654861074432

For the sake of it we will do one more, just to show how many more combinations a longer password has.


We will ONLY use upper and lower case for this: a 30 character password and a 31 character password. I am only adding the letter A to the end of the first password to use it for the second.

So the 2 passwords would be:
ThisIsAReallyLongPasswordToday
ThisIsAReallyLongPasswordTodayA

With 52 possible combinations. 26 lower, 26 upper.
and
the formula "N^L" N = possible combinations, L = length of password.
52^30 and 52^31
Code:
  3020649319540279026721308472064611280212898898509824 = 52^30 = ThisIsAReallyLongPasswordToday
157073764616094509389508040547359786571070742722510848 = 52^31 = ThisIsAReallyLongPasswordTodayA

(I think my math is right on this one.)
For this number 157073764616094509389508040547359786571070742722510848,
even with some of the fastest GPU cards cracking 2.5 billion hashes per second, you are looking at
1,976,498,572,255,221,915,562,210,088,789,428,189 years to find every possible combination,
or 1.96 undecillion years.

Old 09-20-2011, 11:25 AM   #4
hydraMax
Okay, though slimm's calculation for "correcthorsebatterystaple" is only relevant if the attacker assumes that you could be using non-word characters. I'm wondering, how long would it take the brute force program if the attacker decides first of all to check all passwords composed only of, say, between one and five of the most common 3000 words in the English language (all lowercase)? I should think, were I a hacker, that that would be the simplest and most logical place to start. Especially beginning with all one-word passwords, then all two-word passwords, and so on. To get to all four-word passwords would only be this, correct?:

3000 + 3000^2 + 3000^3 + 3000^4 = 8.1027009003e13

@chrism: I missed the part in the article where they encourage us to use non-alpha characters. I was strictly concerned with the issue of long word-only passwords versus short complex passwords.
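The guess-space arithmetic from the two posts above, as an added example that is not from any poster in the thread: it puts slimm609's N^L character model beside hydraMax's 3000-word dictionary model (D + D^2 + ... + D^k), using the 95/26-character alphabets and the 2.5 billion hashes/s GPU rate quoted in the thread. The function names and the `compare` helper are mine.

```python
from math import log2

SECONDS_PER_YEAR = 365 * 24 * 3600
GPU_RATE = 2_500_000_000          # hashes/s, the GPU figure quoted in the thread


def charset_space(alphabet: int, length: int) -> int:
    """Guesses for a blind character brute force: N^L (slimm609's formula)."""
    return alphabet ** length


def word_space(dictionary: int, max_words: int) -> int:
    """Guesses for every phrase of 1..max_words words drawn from a dictionary
    of `dictionary` words: D + D^2 + ... + D^max_words (hydraMax's model)."""
    return sum(dictionary ** k for k in range(1, max_words + 1))


def years_to_exhaust(guesses: int, rate: int = GPU_RATE) -> float:
    """Wall-clock years to try the whole space at `rate` guesses per second."""
    return guesses / rate / SECONDS_PER_YEAR


def entropy_bits(guesses: int) -> float:
    """Guess space expressed in bits, the usual way to compare the two models."""
    return log2(guesses)


def compare(password: str, alphabet: int, dictionary: int = 0, words: int = 0) -> dict:
    """Character brute-force model beside the word-dictionary model (if given)."""
    out = {"password": password,
           "charset_guesses": charset_space(alphabet, len(password))}
    out["charset_years"] = years_to_exhaust(out["charset_guesses"])
    if dictionary and words:
        out["word_guesses"] = word_space(dictionary, words)
        out["word_years"] = years_to_exhaust(out["word_guesses"])
    return out


if __name__ == "__main__":
    # 95 printable ASCII for the "complex" password; 26 lowercase letters plus
    # the 3000-word / up-to-4-words dictionary model for the passphrase.
    for row in (compare("Tr0ub4dor&3", 95),
                compare("correcthorsebatterystaple", 26, dictionary=3000, words=4)):
        for k, v in row.items():
            print(f"  {k:16} {v:.3g}" if isinstance(v, float) else f"  {k:16} {v}")
        print()
```

The word-dictionary space for four words from 3000 is about 46 bits and falls to a GPU in hours, while the same phrase treated as 25 arbitrary lowercase letters is over 117 bits; which number applies depends entirely on how the phrase was chosen.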
 
Old 09-20-2011, 11:47 AM   #5
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897Reputation: 897
Most passwords that get cracked are seriously bad passwords - you know, things like "password" or "passw0rd" or "password1". These are things that never should have been the password, in the first place.

The reason for this is that something else stops you having a quasi-infinite number of tries at cracking the password, so one question that needs asking is: what is that something else, and how low is the limit set? For example, fail2ban may limit remote login attempts, or you may be relying on manual examination of log files to stop repeated bad attempts... this doesn't work so well if you are not bothering to check log files.

Now if you look at honeypot research, you'll see that the 'top 30' terms used are all pretty pathetic: people's (or pets') names, plus variants on 'password'. So, concatenations of words may be fine, but concatenations of words all of which are on the top 30 list would be really poor, too, irrespective of how many characters there are in total.
 
Old 09-20-2011, 01:48 PM   #6
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
The idea here is just to generate longer passwords. They do not have to be crazy complex passwords. All the other password best practices still mostly apply.



correcthorsebatterystaple altered to something even as simple as 1Correct_horse_Battery_staple1 is still far more difficult, would not be caught by a dictionary attack and would not be cracked in any useful amount of time.


If you look up the common patterns for passwords, the number one used pattern is 1 uppercase, 6-7 lowercase, 1 number:

Password1
Scruffy6
Tiffany2

This is the most used pattern.

"Scruffy6" is just as easy to remember as "1Mary_had_a_little_lamb!" except one is far more resilient to brute force attacks.
 
Old 09-20-2011, 05:42 PM   #7
weirdwolf
Greetings
Am I correct in thinking if we go with this:
Quote:
Originally Posted by slimm609 View Post
Not to mention that password cracking difficulty grows
(i think my math is right on this one.)
for this number 157073764616094509389508040547359786571070742722510848
even with some of the fastest gpu cards cracks 2.5Billion hashes per second you are looking at
1,976,498,572,255,221,915,562,210,088,789,428,189 years to find every possible combination.
or 1.96 undecillion years
That setting a login retry delay of even 1 sec throws a wrench into the works as far as the "2.5 billion per sec" goes? (I have mine set to 3 sec.)
 
Old 09-20-2011, 07:39 PM   #8
chrism01
Actually
Quote:
even with some of the fastest gpu cards cracks 2.5Billion hashes per second
is expressing this as the worst case scenario, i.e. the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
Obviously you can't do login attempts at that speed, even on a LAN or even on the local machine; the login program doesn't respond at that speed.
On top of that, setting 3 failed tries = a lockout via PAM or fail2ban is a good idea as well.
 
Old 09-20-2011, 07:50 PM   #9
corp769
Quote:
Originally Posted by chrism01 View Post
Actually

is expressing this as the worst case scenario ie the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
Obviously you can't do login attempts at that speed, even on a lan or even on the local machine, the login program doesn't respond at that speed.
On top of that, setting 3 failed tries = a lockout via PAM or fail2ban is a good idea as well.
That's what I normally do; I set all of mine up for a max of two attempts, and then a five minute lockout. After three repeated attempts after a max 15 minute lockout, I had my old system do a full lockout for 30 minutes. I know, it's too much... I'm a security freak.

But as far as this whole password thing, I do have something to say about it. I work for the government, and they always push to have users create complicated passwords. I have seen people create passwords such as:
Code:
1aqz!AQZ
1qaz2wsx#EDCVFR$
xsw2!QAZXSW@1qaz
Note the last two passwords: look on the keyboard, and notice the "sequence" that is being used. Eventually, passwords like these will be within a dictionary file based on sequences such as these.
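A small password-policy check that flags the three weak shapes this thread names: the common words salasi mentions, the "1 uppercase, 6-7 lowercase, 1 digit" pattern from post #6, and keyboard-column sequences like the last two passwords above. This is an added example, not corp769's or any poster's code; the word list and the keyboard rows are constructed for the example, and a real deployment would load a full common-password list.

```python
import re
from typing import List

# Constructed for this example: a tiny stand-in for the "top 30" list that
# honeypot research turns up.
COMMON_WORDS = {"password", "passw0rd", "letmein", "welcome", "monkey", "qwerty"}
# Constructed US-layout rows used to derive vertical key runs (1qaz, 2wsx, ...).
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Shifted digit-row symbols fold back to their digits, so "!QAZ" normalises to "1qaz".
_UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
# The most used pattern per the thread: 1 uppercase, 6-7 lowercase, 1 digit.
_ULD = re.compile(r"^[A-Z][a-z]{6,7}\d$")


def keyboard_runs(window: int = 3) -> List[str]:
    """Every `window`-character slice of a keyboard column, read down or up."""
    runs = set()
    for i in range(len(_ROWS[0])):
        col = "".join(row[i] for row in _ROWS if i < len(row))
        for seq in (col, col[::-1]):
            for j in range(len(seq) - window + 1):
                runs.add(seq[j:j + window])
    return sorted(runs)


def weak_patterns(pw: str) -> List[str]:
    """Return the names of the weak patterns found in pw (empty list if none)."""
    findings = []
    norm = pw.lower().translate(_UNSHIFT)
    # Common word, optionally with trailing digits: Password1 -> password.
    if re.sub(r"\d+$", "", norm) in COMMON_WORDS:
        findings.append("common-word")
    # Scruffy6, Tiffany2: one capital, a short lowercase run, one digit.
    if _ULD.match(pw):
        findings.append("Ulld-pattern")
    # 1qaz2wsx#EDCVFR$ and xsw2!QAZXSW@1qaz both contain column runs.
    if any(run in norm for run in keyboard_runs()):
        findings.append("keyboard-sequence")
    return findings


if __name__ == "__main__":
    for pw in ["Password1", "Scruffy6", "1aqz!AQZ", "1qaz2wsx#EDCVFR$",
               "xsw2!QAZXSW@1qaz", "1Correct_horse_Battery_staple1"]:
        print(f"{pw:32} {weak_patterns(pw) or 'no weak pattern found'}")
```

The passphrase-style entries in the thread pass all three checks while the "complex" keyboard-walk passwords do not, which is the point corp769 is making.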
 
Old 09-20-2011, 09:33 PM   #10
weirdwolf
Quote:
Originally Posted by chrism01 View Post
Actually

is expressing this as the worst case scenario ie the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
Thanks, I was thinking that's what the deal had to be.
Quote:
Originally Posted by corp769 View Post
Note the last two passwords - Look on the keyboard, and notice the "sequence" that is being used. Eventually, passwords like these will be within a dictionary file based on sequences as such.
Disappointing, not all that surprising, just disappointing. Are you allowed to "Gibbs (NCIS) slap" them?
 
Old 09-20-2011, 09:50 PM   #11
corp769
Quote:
Originally Posted by weirdwolf View Post
Thanks, I was thinking that's what the deal had to be.

Disappointing, not all that surprising, just disappointing. Are you allowed to "Gibbs (NCIS) slap" them?
I wish I could without getting harassment charges put on me.
 
Old 09-20-2011, 10:31 PM   #12
anomie
Quote:
Originally Posted by chrism01
ie the attacker has somehow got hold of a copy of the passwd hashes and is processing them on their own machine.
AKA an "offline attack".

I'd add to the thread: an organization with the type of resources to crack salted, hashed passphrases like linking tripped blues mi!playa sweden within a reasonable timeframe also has the resources to attack some weaker link in the crypto implementation instead.

I.e. you've likely entered a realm where it's infeasible (and unnecessary) for most to attack the passphrase, or the hash itself, assuming it has no known, effective cryptanalysis. So they exploit a buffer overflow. Or they install a camera, or a hardware keystroke logger. Or they simply hit you in the head with a wrench until you submit.
 
Old 09-21-2011, 05:39 AM   #13
weirdwolf
http://img263.imageshack.us/img263/5...ncryptogif.png
 
Old 09-21-2011, 10:02 AM   #14
weirdwolf
Quote:
Originally Posted by hydraMax View Post
I'm a little confused:

http://www.zdnet.com/blog/networking...y-experts/1340

In the article (and cartoon) it is indicated that it is more secure to have a pass phrase like "correcthorsebatterystaple" than a complex password like "Tr0ub4dor&3". The idea seems to be that our complex passwords follow certain common formats that make them easier to guess than simply a long string of common words. But intuitively I'm still having difficultly accepting that "correcthorsebatterystaple" is harder to brute force than "Tr0ub4dor&3". Does someone perchance have more insight into this?
hydraMax, hopefully you'll find this helpful:
https://www.grc.com/haystack.htm
 
Old 09-23-2011, 04:56 AM   #15
Hyakutake
Hello all

This is an interesting read.

weirdwolf: that's a good site to check the time to bruteforce a password. I found it funny to check the password "simpleuseofbadpasswords": the Time Required to Exhaustively Search this Password's Space (Assuming one hundred trillion guesses per second) is 1.16 billion centuries. LOL

This method to remember passwords is OK for standard use, I guess. Most people that have a lot of free time on their hands (AKA hackers) don't waste time and effort on such targets (effort-return/profit analysis). Usually they just crawl the internet in search of a specific service and a password list to check or crack. I guess they prefer the "steal candy from a child" approach. If you use 3 secs between password attempts and fail2ban to ban for an amount of time, then it should be OK.

Anyone who wants to persistently crack/hack such targets usually goes the way anomie mentioned, or by Advanced Persistent Threat (http://en.wikipedia.org/wiki/Advanced_persistent_threat).

Quote:
anomie:
Or they install a camera, or a hardware keystroke logger. Or they simply hit you in the head with a wrench until you submit.
Unless you are considered a high profile person or work at a high profile company, pass phrases are a good option.

Regards,
hyakutake
