|
Are passphase more secure than a password
hi jake here,
I have a question about passwords and passphrases. Below are two examples. One is a long string and other is the same password with spaces i.e a passphrase. PR&$hRW#JxnC6uGJ<rE4T PR& $hR W#J xnC 6uG J<r E4T The top one has 21 characters, the second one has 27 characters including the spaces. They're both really good strong passwords, but I read that having spaces with passwords makes it even more secure. I want your opinion if having spaces makes it more secure or not. |
In general, longer makes it better.
Spaces themselves do not make it better, they just make it longer. Longer with different characters instead of spaces is even better - higher entropy. PR& $hR W#J xnC 6uG J<r E4T is not better or worse than PR&_$hR_W#J_xnC_6uG_J<r_E4T or PR&0$hR0W#J0xnC06uG0J<r0E4T but maybe not as good as PR&0$hR1W#J2xnC36uG4J<r5E4T. |
jakeDM,
Welcome to LQ. I agree with astrogeek. A very long password, which is impossible to remember, used in conjunction with a Password Manager,such as KeePass2, and Two-Factor authentication will greatly help your security. Post #9 on here may help you: http://www.linuxquestions.org/questi...gh-4175550557/ |
Here is the article I read a few days ago about passwords and passphrases
https://theintercept.com/2015/03/26/...rs-cant-guess/ Of course, I'm not gullible about headline that the NSA can't break it. Nothing is guarantee. But the good practices in the article are good examples for entropy. After reading the article, I made a shell script to generate a passphrase with a mix of dictionary words and a set of mix gibberish characters. I believe this is a good example of entropy. Code:
#!/bin/bashQuote:
|
Quote:
The Intercept, the hard hitting, radical, anti-establishment, independent, truth and freedom press organ, created and wholly owned and operated by and for the benefit of mega-establishment oligarch and exploiter, Pierre Omidyar... If they said the sky was blue I would definitely want some trustworthy corroboration, in addition to full disclosure of just how that information is of benefit to Pierre and his high brow associates! And you might be interested to know, if you don't already, that more than a few Intercept staffers are well connected to (hush, hush...) the NSA and CIA... and here... But there is nothing new in that article, it is all about entropy. The benefit of a phrase over a long key is only to make it memorable by humans. There is also a trap in that - you may be more inclined to reuse your memorable long phrase in more places, precisely because it "feels" more secure... reuse can be more effective than a trillion guesses a second at insuring your adversary will learn your new phrase! "No one is ever safe..." Sarah Connor Good luck! |
A strong password has a number of features but many of the posted "facts" point to mathematical calculations that seem to have little to do with how systems do get attacked. While I agree that the longer the password, the better it is also true that a huge password on a weak system isn't worth the effort. I've even read articles that claim that your password might be more easily stolen if you change it often.
I am still a fan of certificate based authentication. |
the key to this is "memorize":
Quote:
i read some good articles about that (remembering). one approach was to take a verse from a song you remember, and use only the first letters of that. there's other approaches. there's also a relevant xkcd comic. other than that, it doesn't matter whther you have spaces in it or other characters. |
Thinking about this over the past couple of days has caused my cynicism, if not paranoia to stir a bit.
Knowing who is promoting the dice method (not only those linked in earlier posts) makes me suspect some motive other than interest in everyone else's security. It then occurs to me that the arguments of the particular method rest on the entropy of your own "locally" rolled dice... so far so good... but is some entropy not lost in the list of words... That entropy is encoded into a very finite choice of words from a list someone else has published. That seems to me like a very good way to actually decrease all that wonderful roll-of-the-dice entropy after the fact! I have not made any attempt to actually work out real numbers, but it must involve not only the product of the choices (as repeated in the article), but also the granularity or chunkiness of the choices which is never mentioned. Consider this... Suppose I generate an unpredictable (as opposed to purely random) string of characters like $3cRitW355ayeG - 14 characters out of an alphabet of say 64 choices. Even I could probably remember it, but it would be very unlikely that it could be easily "guessed", and brute force attempts would take whatever random choices from that alphabet were required before it would crack... I would consider it "safe enough" for most purposes, and I could make it arbitrarily long. Good enough. Now, suppose I roll the dice 6 times and choose 6 words from a dictionary of 10,000. I might end up with a phrase about 30 characters long with all that good dice-generated entropy and should feel pretty good about it, right? But in reality, I don't have 30 random unguessable characters, I have 6 random space separated chunks - and my adversary knows with good confidence the list from which those chunks were taken, AND the separator character, AND whatever distribution information can be gleaned from it (or may be encoded into it...). On the surface, the math looks simple enough, but so did dual elliptic curve algorithms, and we know how that has worked out! Code:
If you know a certain property about the Dual_EC parameters, and can recover an output point,I seriously have to wonder if there is not some known weakness, incidental or intentional, that could be exploited by having keys generated from a finite list of known chunks... it gives me pause... Anyone with the time and knowledge and enough interest available to give that more thought? |
What I use is a phrase transliterated from another language, with a different alphabet. Of course, that requires knowing at least a little about the foreign language and alphabet, but I do know enough. There are different transliterations possible, depending on how one decides to spell a word from a different language with a different alphabet. Dictionary attacks against this would be difficult at best, and require rather specific knowledge of an individual's life. It's easy for me to remember, but hard for anyone to guess. Using the dice method is just too complicated for me, and seriously limits the words available, unless you make up the word list yourself.
|
| All times are GMT -5. The time now is 10:21 AM. |