Ed Password Format - Strength and Safety

[Dan O.]

You seem to be alluding towards a system similar to how Kerberos works.

Not at all. Kerberos is a 3-way authentication that requires a master server. I'm talking about a simple password authentication but with an agent on the client site that hides the simplicity of the password from the server.

 

[ElMondoHummus]

No, I'm just saying if my password was q3y7b9o6 (which it is not, obviously), is that unacceptably weak? The brute force calculators, noting that there are no capitals or non alphanumeric symbols, and assuming half a million PCs are trying to crack it, would say that is too weak.

Sorry for the delay in responding. I got to playing in other subforums for a while.

To answer your question, I have to hearken back to a previous post: It depends on what's being protected. I would definitely say that's definitely weak for, say, a credit card or other financial site that could cause some serious harm to you. If a malicious intruder knew he had the password for such a resource, he might be more willing to risk his botnet's detection by harnessing it for that password, as opposed to using that net to crack someone's Sports Illustrated login.

Using that spreadsheet I linked earlier, I used these assumptions to generate an answer for you:

• An average botted host being able to test 1 million keys per second. A mere 200 Mhz Pentium is able to achieve that rate if that were all it were doing, but it's safe to say that no malicious coder in his right mind would suck up 100% or even 50% of total CPU resources on his "borrowed" (i.e. compromised and "botted") computers. This figure is arguable, but I think it's reasonable. More pessimistic figures can be used if someone prefers.
• 45,000 botted hosts being harnessed for a calculation. That figure derives from here, and it's based on a pre-2006 study by a PhD student. I have no reason to believe that the figure has grown since then, especially with the added emphasis on virus scanners and the added vigilance of many ISPs since that year, but I don't know if it's shrunk either. So like the first presumption, it's arguable.
• A character set of 36 possible characters available for the password. That's your figure; it derives from you saying lowercase and numbers, but no capitals or non-alphanumeric characters.

With those assumptions: An 8 character password is cracked so fast, it doesn't even register as a fraction of a single day. A 12 character password takes just under two weeks (12 days), and a 13 charcter one takes just over a year 439 days). It takes 14 characters to reach a level where a cracking starts to look like it's becoming difficult enough to where there has to be a damn, damn good reason to work on it (15,795 days; that's just over 43 years). 15 characters is where you reach the point of practical impossibility (over 1,000 years).

And as I've been saying, there are a ton of assumptions built into that figure. It presumes a brute force attempt to crack it. It presumes that the computers have to iterate through all the possibilities. It presumes that the botnet can work together efficiently and well (and doesn't get diminished by users discovering their botted and cleaning out their computers)... and so on and so forth. There are many other legitimate assumptions that can be applied and would change the above figures. It's reasonable to say that the above figures are not the final word, not by a long shot. But my point ultimately is that an 8 character-long, lower case and numbers only password is not really considered strong using even just middling assumptions about what's used to crack it. It's not a password I would use to protect my bank account or credit card site logins. But for, say, just logging into JREF ? Doesn't really matter, does it?

Does that answer your question? Sorry it's so long, but I felt the need to lay out my reasoning.

 

[ElMondoHummus]

Not at all. Kerberos is a 3-way authentication that requires a master server. I'm talking about a simple password authentication but with an agent on the client site that hides the simplicity of the password from the server.

Oops! My apologies, I should've been more specific. I was merely referring to Kerberos's ticket system. That element eliminates the need to transmit the credentials beyond the original authentication and uses those tickets instead as the element that grants a user access to a resource.

That's my fault for not being clear; I was simply isolating that single element and making the comparison. But I failed to say that . Your point is taken, however; kerberos does indeed require that infrastructure on the authentication end in order to work. I shouldn't have implied that I was making a total, systemic comparison.

 

[Dan O.]

Getting back to Roger's question (and I think someone already made this point), the ability to brute force crack a password primarily requires access to the encrypted version of the password stored on the server. Back in the original unix days, the distribution came by default with an open "games" account. This gave anyone easy access to all of the encrypted passwords. There were also backdoors through UUCP to access that file. This led to the development of the brute force crack programs.

It was an interesting progression to watch as cracking became more efficient and deciphered passwords at an ever increasing rate, the recommended period for changing passwords tried to keep up by becoming shorter.

Finally when RSA dropped the gauntlet with a cash prize for cracking a 56 bit DES cypher which the unix password encoding was based, distributed networks popped up to meet the challenge. As the networks grew, the time to crack a password progressively shrank from years to 6 months to a few weeks to just a few days. The last time I did the calculations, any password (regardless of length) could be cracked in under 4 hours if the full power of the combined networks were dedicated to the task.

Fortunately, it had long ago been recognized that the encrypted passwords had to be hidden from view to prevent such acquisition and offline cracking. But the rules for ever longer passwords and short change cycles remain.

 

[negativ]

One problem. There are heaps of sites that demand a password. I could use a unique one for each of them, however there is no way known I could remember them all.

Most of them are on the computer. I could buy some software to remember the password for me. But then I would never know if there is a weakness in the software that allowed someone to tell them of all the passwords.

So what is the answer in today's world?

Easy.

Say your long password is

A5fj1mxjvu$;21xF

Use that as a prefix (or suffix), and add characters pertaining to the site.

A5fj1mxjvu$;21xF.JREF
A5fj1mxjvu$;21xF.w0rk
b@nk.A5fj1mxjvu$;21xF

etc.

 

[rjh01]

Easy.

Say your long password is

A5fj1mxjvu$;21xF

Use that as a prefix (or suffix), and add characters pertaining to the site.

A5fj1mxjvu$;21xF.JREF
A5fj1mxjvu$;21xF.w0rk
b@nk.A5fj1mxjvu$;21xF

etc.

Next problem is to work out how to remember the prefix.

I refuse to use any password that is related to any other password for a bank or any other site that matters.

 

[marplots]

There's actually some pretty good mnemonic systems that translate numbers into letters and vice versa. I use one by Harry Lorraine for things like phone numbers or addresses. Could be adapted easily.

 

[PetersCreek]

My passwords aren't 12 or 16 characters long but I make up for it by spitting on them, thereby encoding them with my DNA. So, if you run across a dry password, you know it's not mine.

I use a 6 digit numeric-only password.

Course it changes every 15 seconds.

[qimg]http://www.ctrl-key.co.uk/cimages/vasco_digipass_1.gif[/qimg]

I have a similar widget (we call it a FRAC) for accessing my work network via VPN. But I have to use another sercurity code in conjunction with the one generated by the FRAC.