Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The human brain has some difficulty remembering seven unrelated words used to form a secure passphrase but can do it with a little practice. In a scenario in which two such passphrases are necessary, it seems that remembering 2 passphrases becomes exponentially more difficult.
Being no expert in security, I thought that a user could learn to remember 7 words of a passphrase supposed to be unbreakable and modify them to create a second passphrase. Examples:
Quote:
passphrase 1:
cult paoli pal finn juice onward ross
passphrase 2:
cultm paolii palc finnh juicea onwarde rossl
The letters of the word "michael" having been used to add 1 letter to each word, the extra thing to remember would only be how each of the 7 words have been modified.
Although there could be some sort of predictability and loss of entropy in such practice, I can not see how.
My question: would such modification of the words affect negatively the security of the modified passphrase and how?
Seriously, five (see diceware) or seven unrelated words are fairly secure. When you change a few characters, security certainly doesn't suffer. If anything, it gets better.
Quote:
The letters of the word "michael" having been used to add 1 letter to each word, the extra thing to remember would only be how each of the 7 words have been modified.
Although there could be some sort of predictability and loss of entropy in such practice, I can not see how.
My question: would such modification of the words affect negatively the security of the modified passphrase and how?
If the first passphrase is leaked, then it would be easier to discover the second one (or vice versa).
Quote:
My question: would such modification of the words affect negatively the security of the modified passphrase and how?
A passphrase made out of non-dictionary words is more secure than a passphrase made out of dictionary words.
So in most cases, your modification would be more secure, but (using a contrived example) it might not help, e.g: is at ho on to -> isp ate hot one tor - there are still five space-separated dictionary words.
I doubt that's a likely occurrence (especially with decent length words), but language is weird and there might be a few instances, so any process generating passcodes like that should verify the output with a strength checker to prevent accidentally insecure ones being created.
Also, it's important to note that in this context "dictionary" basically means any collection of "words", irrespective of Oxford/Webster/etc, though attackers will start with common/shorter dictionaries first (the smallest dictionary is the 62 alphanumeric characters).
And don't be afraid to still mix in symbols into your phrases - in unpredictable places - e.g. compare "that cat! wow!" to "that! cat^ wow".
Any information known or guessable about any passcode will reduce its security - if someone wants to attack you specifically, knowing the technique used will get them closer, as would knowing the seven-letter word you used (e.g. if you used the same word in multiple places, and one of those was insecure), but the time consuming part would still be trying combinations of seven words until they got lucky.
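An added example, not part of the original thread, that puts numbers on the two replies above: what an attacker still has to search once the first passphrase has leaked, and whether suffixed words land back in a word list. It assumes a 7776-word Diceware list, an attacker who knows the scheme, a constructed `SAMPLE_DICT`, and a hypothetical keyword list of 20000 entries.

```python
import math

DICEWARE_SIZE = 7776  # words in a standard Diceware list (6**5)

# Constructed stand-in for a cracking dictionary; a real one is far larger.
SAMPLE_DICT = {"is", "at", "ho", "on", "to", "isp", "ate", "hot", "one", "tor",
               "cult", "pal", "finn", "juice", "onward", "ross"}

def derive(base_words, keyword):
    """Append one keyword letter to each word, as in the thread's scheme."""
    if len(base_words) != len(keyword):
        raise ValueError("need exactly one keyword letter per word")
    return [w + c for w, c in zip(base_words, keyword)]

def words_bits(n_words, list_size=DICEWARE_SIZE):
    """Entropy of n words drawn uniformly at random from the list."""
    return n_words * math.log2(list_size)

def modifier_bits(n_letters, keyword_list_size=None):
    """Entropy of the appended letters: random letters, or one word
    picked from a keyword list of the given (assumed) size."""
    if keyword_list_size:
        return math.log2(keyword_list_size)
    return n_letters * math.log2(26)

def still_in_dictionary(words, dictionary=SAMPLE_DICT):
    """Modified words that an attacker's word list would still contain."""
    return [w for w in words if w in dictionary]

def report(base_words, keyword, keyword_list_size=20000):
    """Bits an attacker must search in each scenario (scheme is known).
    keyword_list_size is a hypothetical count of candidate keywords."""
    second = derive(base_words, keyword)
    n = len(base_words)
    return {
        "second": " ".join(second),
        "collisions": still_in_dictionary(second),
        "nothing_leaked_random_letters": words_bits(n) + modifier_bits(n),
        "first_leaked_random_letters": modifier_bits(n),
        "first_leaked_keyword": modifier_bits(n, keyword_list_size),
    }

if __name__ == "__main__":
    for base, key in [("cult paoli pal finn juice onward ross", "michael"),
                      ("is at ho on to", "peter")]:
        for name, value in report(base.split(), key).items():
            print(f"{name}: {value}")
```

The second sample input is the contrived "is at ho on to" case from the reply, where every suffixed word is still a dictionary word.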
Quote:
Originally Posted by scasey
Another trick I’ve seen used is to replace some letters with numbers. 3 for e; 4 for a; etc
Password crackers like hashcat have a mode that tries "1337 for leet" and "3 for e" and "4 for a" etc.
Code:
Table-attack
This attack mode is also based on dictionaries. You can attack the following targets well:
International characters
Toggled-case words
Leetspeak
Fill “holes” in your dictionary
The targets also can be combined, like:
Toggled-case words + Leetspeak
The table attack takes a configuration file, the "table"
Inside the table, you do a simple X=Y binding per line
Where X is a character that is to be replaced with Y
NOTE: You can use X multiple times
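An added example, not part of the original post or of hashcat: it parses a table in the X=Y form quoted above and measures how little entropy such substitutions add to a word the attacker already has in a dictionary. The table contents are constructed, and keeping the original character as one of the options is an assumption of this sketch.

```python
import math

# Constructed sample table in the X=Y-per-line form the quoted text describes.
SAMPLE_TABLE = """\
a=4
a=@
s=5
s=$
e=3
"""

def parse_table(text):
    """Parse X=Y lines into {X: [Y, ...]}; X may repeat across lines."""
    table = {}
    for line in text.splitlines():
        x, sep, y = line.partition("=")
        if not sep or len(x) != 1 or not y:
            continue  # skip blank or malformed lines
        table.setdefault(x, []).append(y)
    return table

def variant_count(word, table):
    """Number of spellings of word if each character may stay as it is
    or take any replacement bound to it (keeping the original character
    as an option is an assumption of this sketch)."""
    count = 1
    for ch in word:
        count *= len({ch, *table.get(ch, [])})
    return count

def substitution_bits(word, table):
    """Upper bound on the entropy the substitutions add to a known word."""
    return math.log2(variant_count(word, table))

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for word in ("passphrase", "juice"):
        print(word, variant_count(word, table),
              round(substitution_bits(word, table), 2))
    print("one extra Diceware word:", round(math.log2(7776), 2))
```

Even with every position substituted independently at random, the ten-letter sample word gains fewer bits than one additional Diceware word would add.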