Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello All,
My company just published a research whitepaper on the possibility of uncrackable passwords, and I'm trying to raise awareness on this issue.
It seems that now no one is safe online, and we're trying something more or less new in a novel approach to revamping the password model.
All passwords can be cracked in time no matter what they are. So changing the passwords every month helps protect systems/networks. The issue is users that possess passwords that are easy to guess. Or users that can never remember their passwords.
^ out of curiosity: did you read it?
Because it addresses both these issues:
Quote:
Obviously no password is actually uncrackable, in this document the term “uncrackable” refers to “realistically or technically uncrackable.” Please refer to the remainder of the document for more details.
Quote:
While this may seem complicated, it really isn’t. Many people memorize 20-character passphrases at the moment without needing to write them down. Instead of remembering eIEO86#44*&$uk; remembering 9-5-3 9-2-5 9-6-7 is much easier. Make use of logical/visual patterns on the keypad and it becomes easier still: 9-8-7 1-2-3 4-5-6 is just as strong!
I read the whole thing, and it raises some interesting possibilities.
However:
Quote:
remembering 9-5-3 9-2-5 9-6-7 is much easier. Make use of logical/visual patterns on the keypad and it becomes easier still: 9-8-7 1-2-3 4-5-6 is just as strong!
If you're advising them to use this scheme, then really their passwords degenerate to a 9-character password from a 9-letter alphabet.
If the government reads your document, then they could brute-force your user's passwords using only 9^9 guesses, which isn't all that much.
To get the full benefit you'd need your users to use much longer unicode passwords, which would translate to far more than 9 digits for the user to remember.
Yeah, you're definitely right there.
However, I most certainly am not advising using that... it's just a password easier than others.
At the same time, 745 896 123 123, all of a sudden it's much harder to guess, and almost as easy to remember (look at the number pad, it's geometric sequencing).
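The two posts above disagree about how much a keypad-pattern password is worth: the reply counts 9^9 guesses for nine digits drawn from nine keys, and the follow-up argues that twelve digits such as 745 896 123 123 are "much harder to guess". Both are only right against an attacker who tries every digit combination. A real cracking setup enumerates keyboard walks (sequences of keys that touch each other on the keypad) before it brute-forces anything, and every example quoted here, including 745, 896 and 123, is such a walk. The following script is an added example, not code from the thread or from the whitepaper; the keypad layout, the attacker models and the 10^9 guesses/second rate are assumptions chosen for illustration. It builds the walk dictionary and compares the resulting keyspaces with the 9^9 figure and with a random printable-ASCII password of the same keystroke count.

```python
import math

# Standard numeric keypad layout (assumed for this example): key -> (row, col)
KEYPAD = {
    "7": (0, 0), "8": (0, 1), "9": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "1": (2, 0), "2": (2, 1), "3": (2, 2),
}


def adjacent(a, b):
    """True if two different keys touch horizontally, vertically or diagonally."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return a != b and max(abs(r1 - r2), abs(c1 - c2)) == 1


def keypad_walks(length):
    """Every string of `length` distinct keys in which each key touches the previous one.

    This is the 'keyboard walk' class a cracker enumerates before brute force;
    9-8-7, 1-2-3, 7-4-5 and 8-9-6 all fall inside it.
    """
    walks = []

    def extend(prefix):
        if len(prefix) == length:
            walks.append("".join(prefix))
            return
        for key in KEYPAD:
            if key not in prefix and adjacent(prefix[-1], key):
                extend(prefix + [key])

    for start in KEYPAD:
        extend([start])
    return walks


def straight_lines():
    """The rows, columns and diagonals of the keypad, read in both directions (16 patterns)."""
    rows = [["7", "8", "9"], ["4", "5", "6"], ["1", "2", "3"]]
    cols = [[row[i] for row in rows] for i in range(3)]
    diags = [["7", "5", "3"], ["9", "5", "1"]]
    lines = []
    for seq in rows + cols + diags:
        lines.append("".join(seq))
        lines.append("".join(reversed(seq)))
    return lines


def keyspace(alphabet_size, length):
    """Number of candidates an attacker must try to exhaust the space."""
    return alphabet_size ** length


def bits(n):
    """Entropy of a uniformly chosen element of an n-element space, in bits."""
    return math.log2(n)


def seconds_to_exhaust(n, guesses_per_second=1e9):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return n / guesses_per_second


def compare(groups=4):
    """Keyspace of a password built from `groups` three-key groups under several attacker models.

    groups=3 reproduces the 9^9 figure from the thread; groups=4 models 745 896 123 123.
    """
    digits = 3 * groups
    return {
        "straight lines only": keyspace(len(straight_lines()), groups),
        "keypad walks": keyspace(len(keypad_walks(3)), groups),
        "any digits 1-9": keyspace(9, digits),
        "random printable ASCII, same keystrokes": keyspace(95, digits),
    }


if __name__ == "__main__":
    for groups in (3, 4):
        print(f"{groups} groups ({3 * groups} keystrokes):")
        for model, n in compare(groups).items():
            print(f"  {model:40s} {n:>24,d}  {bits(n):6.1f} bits"
                  f"  {seconds_to_exhaust(n):>12.1e} s at 1e9/s")
```

The point the numbers make: 745 896 123 123 sits in a space of 160^4, about 6.6e8 candidates, which a single modern GPU exhausts in well under a second for any fast hash, whereas twelve random printable-ASCII keystrokes give 95^12, over 5e23. The strength comes from how the digits are chosen, not from how many of them there are or what glyph the Alt-code turns them into.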
Your idea is basically to make passwords more complicated by increasing the possible number of characters. Assuming it's fairly straightforward to enter them. The problem there is that ultimately the speed and power of computers will catch up with you, no matter how many characters you use. If you've got really important data online, like a bank account, it's probably better not to have an online account at all.
Fact is: Average Joe is not willing to remember a password longer than a given number of characters. By having him have to remember three figures to enter a single character you will restrict the password length he is willing to use to something like 4-5 characters. (12-15 keystrokes: that's actually already more than most people are willing to enter to start using a computer)
Your only protection is the fact that password cracking programs don't look for unicode symbols at the moment. They will, should this method of generating passwords catch on. And then what?
In future schemes, passwords should be fully binary (generated randomly) and the user should specify the hexadecimal string (a 16-byte alphabet may be easier to remember) or encoded using Base-64 (64-byte alphabet). The latter is better as it has a ratio of 4:3 (hexadecimal would be 2:1).
I agree fully though with the OP's main point, which is to use strong passwords rather than lame, easily guessed PW's. Using special characters as a component of a more secure PW is a good idea, but may be beyond the average user's skills.
The article makes an excellent point though, and I support it fully
Meaningful passwords/passphrases make it simple for the user to remember but can still be quite secure. My private key passphrase is a phrase from a classical novel with a one letter mis-spelling that changes the meaning. I can rattle it off quickly on the keyboard, but it is long and no dictionary attack will ever find it. A brute force attack might, but the universe might end first.
My usual "password" is a string combination that includes numbers that have meaning to me, with interspersed text strings that have meaning to me. Since they have meaning, I can remember them without effort. I can also permute them many different ways. I have run crackers on my own passwords and have stopped them after a couple of days; seemed good enough.
It doesn't have to be difficult...just takes a bit of thought to come up with a system.