Old 05-28-2010, 12:44 PM   #1
prof1515
Senior Member
 
 
Join Date: Aug 2003
Location: Illinois
Posts: 791
Passwords

So, apparently the most popular password is 123456 and the second-most popular is 12345.

If-your-password-is-123456-just-make-it-hack-me.html: Personal Finance News from Yahoo! Finance

Reminds one of this famous scene:

YouTube - Spaceballs 12345
Old 05-30-2010, 09:25 PM   #2
silvarilon
Member
 
Join Date: Dec 2009
Posts: 144
Re: Passwords

Not a surprise.

Back when I was a teen and would play around with "blind security testing" that was second on my automated guess list, with "password" as number 1.
For the master password, first on my guess list was "god"

In practice, even though they were the most common passwords, they still came up extremely, extremely rarely. Almost all the passwords would be found through automated guessing, starting at aaa, then aab, aac, and so on. (Once you've got the encrypted password file you can have as many guesses as you want, limited by the speed of your computer.)

Making the password longer, and also having to guess numbers and other characters like ? or !, significantly increases the time it takes to brute-force guess all the possible combinations.

So the moral of the story, you don't need any tricks to make a password super secure. You just need it to be long (preferably longer than eight characters) and include a special character. Heck, you can use your own name followed by an exclamation point. Nobody is going to think to guess that unless you've told them that you use it as your password (or unless you've written that into your password hint.)

People really don't get into accounts from guessing passwords.
Old 06-05-2010, 10:46 PM   #3
dasy2k1
New Member
 
Join Date: May 2009
Home MUD: New Worlds
Posts: 20
Re: Passwords

Go watch the movie Hackers,
"if god would like to change her password!"
Old 06-06-2010, 04:31 PM   #4
Pymeus
Member
 
Join Date: Oct 2008
Home MUD: tharel.net
Posts: 36
Re: Passwords

I have to disagree with you. The brute force approach to password cracking is ancient history. "Real" password cracking programs work off of extensive multilingual dictionaries (which is why good password systems have their own dictionaries to prevent you from choosing a weak password), and attempt an exhaustive number of permutations upon each. "L33t sp34k" is not safe, nor are intentional misspellings of a word, nor two words strung together, nor tacking on a few letters/numbers/symbols at the end of a word.

The best passwords are accumulations of randomly chosen lowercase, caps, numbers, and punctuation. But a "good enough" choice is usually to take the first letter from each word of a familiar phrase, book title, etc. I wouldn't recommend Lord of the Rings or Hitchhiker's Guide to the Galaxy, as these acronyms are in common use on the Internet.
Old 06-07-2010, 02:10 AM   #5
silvarilon
Member
 
Join Date: Dec 2009
Posts: 144
Re: Passwords

Quote:
Originally Posted by Pymeus View Post
I have to disagree with you. The brute force approach to password cracking is ancient history. "Real" password cracking programs work off of extensive multilingual dictionaries (which is why good password systems have their own dictionaries to prevent you from choosing a weak password),
Well, yes. But dictionary lists are still just brute force. It's just slightly more intelligent brute force.
As I said, "password" was number 2 of my "automated guess list" - I should have said number 2 of my "dictionary of words to check"
But, also as I said, finding a word in the dictionary as a password was very rare. (But my software didn't do permutations like l33t which may have improved the success rate.)

If we want to talk about "real" password cracking, it'd likely be done with a MIM (man in the middle) attack, or by finding a weakness in the hashing algorithm allowing you to reverse the hash. It is possible, though, to design a system that can't be attacked using either method.

Quote:
Originally Posted by Pymeus View Post
The best passwords are accumulations of randomly chosen lowercase, caps, numbers, and punctuation. But a "good enough" choice is usually to take the first letter from each word of a familiar phrase, book title, etc.
No. That's not good enough. Because it's only letters, the search space for a cracker is significantly lower. And search space matters, whether brute forcing, or attempting to reverse a hash. Adding a bit of l33t to it, however, increases the search space while still avoiding a dictionary attack.

I don't think you need to choose the password randomly. Even just changing the password "horse" into "Horse!" is good enough to increase the search space hugely. And it's much easier to remember.
Old 06-07-2010, 03:21 PM   #6
Pymeus
Member
 
Join Date: Oct 2008
Home MUD: tharel.net
Posts: 36
Re: Passwords

Quote:
Originally Posted by silvarilon View Post
If we want to talk about "real" password cracking, it'd likely be done with a MIM (man in the middle) attack, or by finding a weakness in the hashing algorithm allowing you to reverse the hash.
I'll have to take a pass on both of those. I've not heard of a popular hash algo being reversed in a very long time, and although MitM is a serious problem, I would consider it a problem separate from password cracking.

Quote:
Originally Posted by silvarilon View Post
But, also as I said, finding a word in the dictionary as a password was very rare. (But my software didn't do permutations like l33t which may have improved the success rate.)
Depends on your dictionary. Some studies have shown a reasonable rate of success at guessing the average user's password simply by attempting all strings from all files on their hard drive. Though I confess I can't find a link to the study at the moment.

Quote:
Originally Posted by silvarilon View Post
No. That's not good enough. Because it's only letters, the search space for a cracker is significantly lower. And search space matters, whether brute forcing, or attempting to reverse a hash. Adding a bit of l33t to it, however, increases the search space while still avoiding a dictionary attack.
A 6 letter password chosen from the first letters of a phrase has a larger search space than Horse! by at least 3 orders of magnitude. Choose a longer phrase to get the standard 8 letter password and it's stronger by 6 orders of magnitude. L33t does increase the search space, but not in an algorithmically significant way. An extra, random character tacked on the end would be much more significant.

Admittedly I didn't use frequency tables, which would shrink both passwords' search spaces considerably, or anything else fancy.
Old 06-07-2010, 08:44 PM   #7
silvarilon
Member
 
Join Date: Dec 2009
Posts: 144
Re: Passwords

Quote:
Originally Posted by Pymeus View Post
I'll have to take a pass on both of those. I've not heard of a popular hash algo being reversed in a very long time,
Happens quite regularly (relatively speaking). Fortunately, stronger hashes are constantly being created, and most of the reversing is done by serious cryptography researchers. So when a hash is found to be insecure it drops out of circulation pretty quickly. Without the users having to really be aware of what's going on. Next time they upgrade their software (which often automatically prompts them) they get the more secure version.

And often these weaknesses are extremely subtle, so if there are a few hanging around with the older hashes, it's not a huge problem.

Besides, you still need to get your hands on their hashed passwords before you can do anything with them.

Quote:
Originally Posted by Pymeus View Post
and although MitM is a serious problem, I would consider it a problem separate from password cracking.
Very much depends on how you use it. And depends how the information the MiM is receiving is encrypted.
True, you typically wouldn't end up with their password (in the nature of the word "Horse!") but you would potentially end up with a key that lets you read the transferred data after they've logged in. And if you can figure out that key which would be needed to listen in during the authentication, you'd then be able to get their actual password. Although you wouldn't need it by that point.
(Caveat: Explanation has obviously been very simplified)

Quote:
Originally Posted by Pymeus View Post
Depends on your dictionary. Some studies have shown a reasonable rate of success at guessing the average user's password simply by attempting all strings from all files on their hard drive. Though I confess I can't find a link to the study at the moment.
I'm not surprised. A number of people write their passwords into text files or Word documents to avoid forgetting. Especially with systems that force regular password changes. I'd expect a very reasonable rate of success.

When I said I had a low success, I was assuming a pre-prepared dictionary guessing blind against the hashes.


Quote:
Originally Posted by Pymeus View Post
A 6 letter password chosen from the first letters of a phrase has a larger search space than Horse! by at least 3 orders of magnitude.
How so?
a 6 letter password chosen from the first letters of a phrase, using only lowercase, has a search space of 26^6, or approximately 3*10^8
a 6 letter password chosen from lowercase and capital letters has a search space of 52^6, or approximately 2*10^10
A 6 letter password chosen from lowercase and capitals, and only the special characters ()&!@$ has a search space of 58^6, or approximately 3*10^10
If we include numbers and only the special characters above the numbers, we have a search space of 72^6 or 1*10^11 - this is the category "Horse!" would fall into, since they would probably try with numbers before trying with special characters.

So I'm confused how the first letters of a phrase has the larger search space. It seems that if you include caps, numbers, and special characters, then the "Horse!" password is larger by 3 orders of magnitude, not the other way around...

Remember, you don't have to actually use all the characters. You just have to force the cracker to need to consider that you *might* be using them. Using just one special character means they can't test using only letters, which means they will probably have to add all 10 special characters, since they won't know which one you used.

But at least use both caps and lower case. As you can see, that alone increases the search space by two orders of magnitude.

Quote:
Originally Posted by Pymeus View Post
Choose a longer phrase to get the standard 8 letter password and it's stronger by 6 orders of magnitude. L33t does increase the search space, but not in an algorithmically significant way.
L33t is less significant in a dictionary attack. In a brute force, the potential characters are 1, 3, 4, 7, 0. So it'll take it from 52^6 to 57^6, or 3*10^10.
So it's adding about a 50% extra burden.

Quote:
Originally Posted by Pymeus View Post
An extra, random character tacked on the end would be much more significant.
Only if that extra character is not a letter. Tack $ on the end and it's significant. Tack "j" on the end and you don't increase the search space.

Unless you mean that you'll tack it to the end of the 6 letter password, making a 7 letter password. That will increase the search space, of course. But then we're comparing apples to oranges. Tacking $ to the end to make a 7 letter password will then increase the search space by a WAY huger amount.

Quote:
Originally Posted by Pymeus View Post
Admittedly I didn't use frequency tables, which would shrink both passwords' search spaces considerably, or anything else fancy.
I'm assuming blind guessing.
You are entirely correct that there are techniques to help prioritize the more likely guesses. A frequency table will help you find the bad passwords sooner, while probably meaning you find the well-made passwords slower. (But since most people make bad passwords, you still win. And you probably only need one password, so you should get it as fast as you can, which means you're aiming for the worst, easiest, shortest password.)

At least, when bruting. When using other attacks, such as reversing the hash, the length of the password and combination doesn't much matter (since the system changes them all to the same length and sets the used characters already. So they're all equally strong once encrypted.)

This is an interesting topic. It reminds me how much cryptography I've forgotten
It's just not something I use or think about in daily life... when writing code you just plug in a pre-written cypher and forget about it.
Old 06-07-2010, 11:09 PM   #8
jackal59mo2
Member
 
Join Date: Oct 2008
Posts: 45
Re: Passwords

The best suggestion I've seen for creating a password is to use the first letters of the words of a line or a couplet from one of your favorite poems or songs, making one or two of them upper case or easily-remembered numbers and tossing in a character as needed. For example, if I take:

Quote:
O, that this too too solid flesh would melt
Thaw and resolve itself into a dew!
That could produce the password:

ott2tsfwmT&riiad

I've used this method, and the resulting password is both easy to remember and a bear to type--and, I bet, to crack. (Of course, if everyone around you knows that your favorite song is "Nobody likes me, everybody hates me, I'm gonna eat some worms," then it might not be as effective.)
Old 06-08-2010, 08:19 PM   #9
silvarilon
Member
 
Join Date: Dec 2009
Posts: 144
Re: Passwords

Quote:
Originally Posted by jackal59mo2 View Post
The best suggestion I've seen for creating a password is to use the first letters of the words of a line or a couplet from one of your favorite poems or songs, making one or two of them upper case or easily-remembered numbers and tossing in a character as needed. For example, if I take:

That could produce the password:

ott2tsfwmT&riiad

I've used this method, and the resulting password is both easy to remember and a bear to type--and, I bet, to crack. (Of course, if everyone around you knows that your favorite song is "Nobody likes me, everybody hates me, I'm gonna eat some worms," then it might not be as effective.)
Yep, I think everyone will agree that is ideal. It gives a long password, and has a mix of caps, numbers and special characters.

You might want to try also using numbers other than 2 (since that's the most common number used for the same reason you chose it in your example) - but just adding one number, even the number 2, still forces a larger search space. So it's all good

You can also use < to replace c - it's an unusual character that often will be overlooked since it's not sitting above one of the numbers at the top of the keyboard. Similarly, you can use commas and full stops, brackets, semicolons, slashes and backslashes. Making easy passwords like <arry\On (Carry On - I'm thinking of the song "Carry On my Wayward Son" - great song) that will be hard to guess, and that use characters that will be extremely low on the frequency table.

Edit: Also, double points for the Hamlet quote. We don't hear enough of the Bard during daily life...
Old 06-08-2010, 10:38 PM   #10
Pymeus
Member
 
Join Date: Oct 2008
Home MUD: tharel.net
Posts: 36
Re: Passwords

Quote:
Originally Posted by silvarilon View Post
Happens quite regularly (relatively speaking). Fortunately, stronger hashes are constantly being created, and most of the reversing is done by serious cryptography researchers. So when a hash is found to be insecure it drops out of circulation pretty quickly. Without the users having to really be aware of what's going on. Next time they upgrade their software (which often automatically prompts them) they get the more secure version.

And often these weaknesses are extremely subtle, so if there are a few hanging around with the older hashes, it's not a huge problem.
Let's look at the crypto hash algorithms that most of us hobbyist crypto types can name off the tops of our heads: MD5, SHA1, SHA256. None of the three has suffered algorithmic reversal on any scale. Major weaknesses in MD5 and SHA1 didn't show up for some 10 years after they went into service, and AFAIK they can't be exploited with most password systems due to length limits. MD5 and SHA1 are still in regular use today, though usually combined with other safeguards. The SHA-2 series has been around for 8 years and doesn't seem to have any known weaknesses.

Quote:
Originally Posted by silvarilon View Post
Besides, you still need to get your hands on their hashed passwords before you can do anything with them.
You brought it up, not me

Quote:
Originally Posted by silvarilon View Post
How so?
a 6 letter password chosen from the first letters of a phrase, using only lowercase, has a search space of 26^6, or approximately 3*10^8
My original estimate assumed that capitalization was important. Book and movie titles may contain both capitalized and non-capitalized words, so I was working from 52^6 = 1.98*10^10. But unless there's a flaw in my approach, 26^6 is still larger than what I get for Horse!.
Quote:
Originally Posted by silvarilon View Post
a 6 letter password chosen from lowercase and capital letters has a search space of 52^6, or approximately 2*10^10
A 6 letter password chosen from lowercase and capitals, and only the special characters ()&!@$ has a search space of 58^6, or approximately 3*10^10
If we include numbers and only the special characters above the numbers, we have a search space of 72^6 or 1*10^11 - this is the category "Horse!" would fall into, since they would probably try with numbers before trying with special characters.

So I'm confused how the first letters of a phrase has the larger search space. It seems that if you include caps, numbers, and special characters, then the "Horse!" password is larger by 3 orders of magnitude, not the other way around...
That doesn't look like a dictionary approach to me. I'm looking at the search space very differently.

Horse! is a dictionary word, properly capitalized with a single non-alphabetic character tacked on the end. The modern English language is usually estimated to have around 300K words. I'll double that search space on the assumption that the first pass attempts words in all lowercase and pass #2 tries capitalizing the first letters. My keyboard has 42 unique non-alphabetic characters. So to my mind the search space is 600,000*42 = 2.5*10^7. That's 1 order of magnitude behind.

Quote:
Originally Posted by silvarilon View Post
This is an interesting topic. It reminds me how much cryptography I've forgotten
It's just not something I use or think about in daily life... when writing code you just plug in a pre-written cypher and forget about it.
I agree. But I'm also amazed at how little has changed in crypto since I was into this stuff last.
Pymeus is offline   Reply With Quote
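
The two ways of counting a search space argued over in posts #7 and #10, combined with the weak-password dictionary check mentioned in post #4, as an added example that is not part of any poster's message. The small word list, the l33t map, the two-character suffix limit, the acceptance threshold and all function names are constructed for illustration; the 300,000-word and 42-symbol figures are the ones given in post #10.

```python
import string

# Constructed sample word list; a real checker loads a large multilingual one.
WORDLIST = {"horse", "password", "god", "carry", "dragon", "secret"}

# Figures quoted in post #10 of the thread.
DICTIONARY_WORDS = 300_000   # rough size of modern English
KEYBOARD_SYMBOLS = 42        # non-alphabetic characters on the poster's keyboard

# Assumed l33t substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def brute_force_space(password):
    """alphabet ** length, where the alphabet is every class the password uses."""
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(ch in cls for ch in password))
    # Anything outside the four classes (space, control or high bytes, as in
    # post #12) is counted as the remainder of a byte: an assumption.
    if any(all(ch not in cls for cls in CLASSES) for ch in password):
        alphabet += 256 - 94
    return alphabet ** len(password)


def find_dictionary_base(password, max_suffix=2):
    """Return (word, suffix_len) if the password is a mangled dictionary word."""
    lowered = password.lower()
    for k in range(min(max_suffix, len(lowered) - 1) + 1):
        base, suffix = lowered[:len(lowered) - k], lowered[len(lowered) - k:]
        if any(ch.isalpha() for ch in suffix):
            continue  # only digits/symbols count as a tacked-on suffix
        word = base.translate(LEET)
        if word in WORDLIST:
            return word, k
    return None


def assess(password, min_guesses=10**12):
    """Score a candidate password under both models; the smaller count wins."""
    brute = brute_force_space(password)
    hit = find_dictionary_base(password)
    # Post #10's model: words x 2 capitalization passes x symbols per suffix
    # position. L33t variants are not multiplied in, so this under-counts,
    # which errs on the side of rejecting.
    dictionary = None
    if hit is not None:
        dictionary = DICTIONARY_WORDS * 2 * KEYBOARD_SYMBOLS ** hit[1]
    effective = brute if dictionary is None else min(brute, dictionary)
    return {"brute_force": brute, "dictionary": dictionary,
            "effective": effective, "accept": effective >= min_guesses}


if __name__ == "__main__":
    for candidate in ("Horse!", "h0rs3", "p4ssw0rd", "ott2tsfwmT&riiad"):
        result = assess(candidate)
        print(f"{candidate!r:22} brute={result['brute_force']:.2e} "
              f"dict={result['dictionary']} accept={result['accept']}")
```
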
Old 06-09-2010, 06:44 AM   #11
silvarilon
Member
 
Join Date: Dec 2009
Posts: 144
Re: Passwords

Quote:
Originally Posted by Pymeus View Post
Let's look at the crypto hash algorithms that most of us hobbyist crypto types can name off the tops of our heads: MD5, SHA1, SHA256. None of the three has suffered algorithmic reversal on any scale.
I haven't been keeping up with the field, but off the top of my head I'd mention LanMan hashing, which is what older versions of Windows used for user passwords. It's a DES cypher, but has weaknesses that allow it to be reversed. So not secure.

But that was discovered a while ago. Newer versions of Windows have it turned off by default. Which is what I mean by weaknesses being found but getting fixed "behind the scenes." And yes, this was discovered many years ago. I just haven't been keeping up to date, and because of the significance of LanMan it stuck in my mind.

Looking for something more recent, I easily find reference to MD5 weaknesses that allow you to create false domain certificates (and I note that MD5 is a popular hash that is still in use.)
But you knew MD5 had weaknesses, as you mentioned yourself.

Quote:
Originally Posted by Pymeus View Post
Major weaknesses in MD5 and SHA1 didn't show up for some 10 years after they went into service, and AFAIK they can't be exploited with most password systems due to length limits.
Well, they can be exploited in various ways. But you're right, it's taken a long time for any significant weaknesses to be found. But that's the reason that MD5 is in such common usage. The algorithms that quickly have problems don't make it into such widespread circulation.

I'm not saying *all* hashes have weaknesses. I'm just saying that new weaknesses to hashes are being found with surprising regularity. And I *did* say that most of the weaknesses were subtle and hard to exploit.

Quote:
Originally Posted by Pymeus View Post
You brought it up, not me
Mmmm, I did. I made that comment more for the people that might think a statement like "there are weaknesses found" means that their passwords will all be grabbed and the sky will fall.

Hashing is an important part of password management, but whether weaknesses in the hashes are important depends on what the attacker is doing. And you're right that in most cases, even if there is a weakness, the attacker won't be able to do anything significant with that weakness.

Quote:
Originally Posted by Pymeus View Post
My original estimate assumed that capitalization was important. Book and movie titles may contain both capitalized and non-capitalized words, so I was working from 52^6 = 1.98*10^10. But unless there's a flaw in my approach, 26^6 is still larger than what I get for Horse!.

That doesn't look like a dictionary approach to me. I'm looking at the search space very differently.
Aha! Yes, we were looking at the search spaces differently. I was looking at the search spaces in all cases as standard brute force guessing.

Once we add dictionaries, then it's different. But if we're looking at the search space of dictionary attacks, well... your password isn't going to come up in it at all.

Quote:
Originally Posted by Pymeus View Post
Horse! is a dictionary word, properly capitalized with a single non-alphabetic character tacked on the end. The modern English language is usually estimated to have around 300K words. I'll double that search space on the assumption that the first pass attempts words in all lowercase and pass #2 tries capitalizing the first letters. My keyboard has 42 unique non-alphabetic characters. So to my mind the search space is 600,000*42 = 2.5*10^7. That's 1 order of magnitude behind.
Yes, if we look at dictionary words, and add special characters to the end, then the search space is significantly reduced.

I was misunderstanding how you were calculating the search space.

Quote:
Originally Posted by Pymeus View Post
I agree. But I'm also amazed at how little has changed in crypto since I was into this stuff last.
Until quantum computers arrive, it's not going to change significantly.
Last I heard, quantum computing managed to linearly find the roots of 15. Sure, we can all do that in our heads, but if they can manage to scale that to linearly find the roots of arbitrary numbers, then the entire foundations of modern cryptography will have to be rethought. Until that day, though, I doubt we'll see any real change.

About the most exciting thing to happen was PGP, and even that's old news now...
Old 07-13-2010, 05:32 PM   #12
dasy2k1
New Member
 
Join Date: May 2009
Home MUD: New Worlds
Posts: 20
Re: Passwords

Even stronger is to use some nonprinting char from ASCII like 0x07 (BEL) or something in the 0x7e-0xff range.

If the system on the other end can cope with that, you have just moved the address space out of the normal dictionary-with-symbols approach.
Old 07-14-2010, 08:33 PM   #13
Pymeus
Member
 
Join Date: Oct 2008
Home MUD: tharel.net
Posts: 36
Re: Passwords

Well from a cryptographic standpoint the ideal of course is a long string of random bytes, chosen indiscriminately. However inputting characters that don't appear on the user's keyboard is generally a pain in the butt and the procedure for doing so varies widely from interface to interface, when it's supported at all. I don't consider it a real option for the "average" user.