Geekzone: technology news, blogs, forums
TwoSeven
1624 posts

Uber Geek

Subscriber

  #2221465 20-Apr-2019 13:58

One thing I noticed in that article is that while it deals in patterns and heuristics to make a point, it seemed to be quite lacking in the math.

I find it interesting that the brain is really good at working with patterns and so using common patterns in passwords may be not the greatest thing to be doing as suggested.

I did notice that the article referred to a dictionary attack. This in itself can be something worth doing the math on. I wonder if there is any difference in entropy/probability between the word ‘Mechanic’ and the word ‘Velviriki’ (spelt with an acute accent on the e)

I find it also just as interesting in looking at the theory behind storing all of one's passwords in a well known password store in the belief that they are any more safe.








nunz
1421 posts

Uber Geek
Inactive user


  #2221475 20-Apr-2019 14:32

Geektastic:
sparkz25:

This is a good test on your password strength

https://howsecureismypassword.net/

And this is good to see if your password has been pwned

https://haveibeenpwned.com/Passwords

I use these a bit for clients to show them how crap their password is and how long it will take to crack their crappy password


Very happy that the Dashlane site you linked to another told me one of my passwords would take 607 million years to crack.

I can live with that risk....

 

I'm a bit averse to online password keepers. LastPass got compromised if memory serves me correctly.

Dashlane is installed on Acer computers. I had them up one time about the fact their website featured user testimonials using stock photos of the users giving testimonials (e.g. the users were BS with purchased or free images off the net).

Dashlane have not stopped doing this. In their testimonials they have this image next to the testimonial.

It is a stock photo found in Adobe and other places. https://www.tineye.com/search/5aafabce7533ced939c690a42a6dc830ff74f709/

Yes - they don't say she is Alex S but the photo is contained within a border that contains the quote, lumping them together. You may say they don't expect us to connect the two but just below, the New York Times logo is surrounded by exactly the same border with a quote from a New York Times user. Misleading. Not as bad as when I had them up about it - but still shady.

I use KeePass. Locked with encryption, a strong 16 char password and an encryption key. Synchronized via ftp / rsync and onto a pen drive. It's on my phone, laptop and desktops. Works a treat with a separate 20 char plus random password for all sites, ssh connections, servers, etc etc etc. I could use Dropbox but I worry about file locking so prefer a manual backup process or inbuilt plugin.

BTW - the password checker referenced above says Password1234 takes 3000 years to guess. Password strength checkers are dodgy at best. JesusJohn3:16 takes millions of years to crack -- except it doesn't. Dashlane's ideas on password strength are a little dated.


dc2daylight
87 posts

Master Geek


  #2221527 20-Apr-2019 15:29

timmmay:

I use KeePass2 to randomly generate passwords. My geekzone password has 65 bits of entropy, my AWS has 100 bits plus MFA. My work password only has 21 unfortunately, but I have to type it 100 times a day so it can't be too difficult to type.

Geektastic: I like short phrases or character names from books I've read.

Anything in a dictionary is easy to crack, even if you add a few numbers on the end.


So on that note, if I am not mistaken the other issue, or the main one, is not how easily passwords can be brute-forced with dictionary attacks but how {function-trustworthy} the server admin team of the service in question is. Where {function-trustworthy} = admin keeps every product patched, employs penetration testers, logs all access attempts to separate secure equipment, incorporates MFA where possible, compartmentalises employee privilege, etc...

By invoking {function-trustworthy} in my brain, am I also engaging in relying upon {function-assumptions-are-T.M.O.A.F} a bit too much? Is this what any of us do when picking a high entropy password for a service with a bad track record for platform breaches in the marketplace?

So my point is that my fictitious entity of {function-trustworthy} is a sort of heuristic of trust many of us do, when picking or generating passwords, that the host itself will remain secure. All those password dumps on haveibeenpwned usually came from attacks on the hosts' API zero-days and server side scripting primarily, didn't they?
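The entropy and dictionary-attack questions raised in the posts above (TwoSeven's 'Mechanic' versus 'Velviriki', nunz's observation that a checker rates Password1234 at 3000 years, timmmay's per-password bit counts), worked through as an added example that is not part of the thread and not the code of any strength-checker site. The wordlist, case rules and suffix list are constructed stand-ins for real cracker inputs, and the 1e10 guesses/second rate is an assumed figure for a fast unsalted hash on a GPU.

```python
"""Added example (not from the thread or any strength-checker site): why
"years to crack" numbers from character-class calculators overstate the
strength of dictionary-derived passwords, next to the entropy of a
generator-made password. WORDLIST, mangle() and SUFFIXES are constructed,
tiny stand-ins for real wordlists and hashcat/JtR rule files."""
import math
import string

# Constructed mini wordlist; a real attack uses millions of base words.
WORDLIST = ["password", "mechanic", "jesus", "john", "velviriki", "letmein"]

# Constructed suffix list: digits 0-1999 plus a few common fragments.
SUFFIXES = [""] + [str(n) for n in range(2000)] + ["!", "!1", "3:16"]


def mangle(word):
    """Case rules a cracker applies to every base word."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Ordered candidate stream: single words, then two-word concatenations,
    each case-mangled and suffixed. The order defines the guess count."""
    bases = list(wordlist)
    for a in wordlist:
        for b in wordlist:
            if a != b:
                bases.append((a, b))
    for base in bases:
        if isinstance(base, tuple):
            forms = [x + y for x in mangle(base[0]) for y in mangle(base[1])]
        else:
            forms = list(mangle(base))
        for form in forms:
            for sfx in suffixes:
                yield form + sfx


def dictionary_guesses(pw):
    """1-based position of pw in the candidate stream, or None if never produced."""
    for i, cand in enumerate(candidates(), start=1):
        if cand == pw:
            return i
    return None


def charset_bits(pw):
    """The estimate most online checkers use: length * log2(pool size), where the
    pool is the union of character classes present. It treats 'Password1234' as
    if it were 12 uniformly random symbols from a 62-symbol alphabet."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def generator_bits(length, alphabet_size):
    """Entropy of a password manager's generator choosing each of `length`
    symbols uniformly from `alphabet_size`: log2(alphabet_size ** length).
    Valid for generator output, not for human-chosen text."""
    return length * math.log2(alphabet_size)


def assess(pw, rate=1e10):
    """Checker's view versus cracker's view at `rate` guesses per second
    (1e10/s is an assumed GPU rate against an unsalted fast hash)."""
    naive_bits = charset_bits(pw)
    guesses = dictionary_guesses(pw)
    return {
        "password": pw,
        "checker_bits": round(naive_bits, 1),
        "checker_years": 2 ** naive_bits / rate / (365 * 86400),
        "dictionary_guesses": guesses,
        "effective_bits": round(math.log2(guesses), 1) if guesses else None,
        "dictionary_seconds": guesses / rate if guesses else None,
    }


if __name__ == "__main__":
    for pw in ["Password1234", "JesusJohn3:16", "ns8vfpobzmx098bf4coj7"]:
        print(assess(pw))
    print("20 symbols from a 62-symbol alphabet:", round(generator_bits(20, 62), 1), "bits")
```

Running it shows the gap: the character-class estimate gives Password1234 about 71 bits, while the dictionary stream reaches it in a few thousand guesses, under 12 bits of work. JesusJohn3:16 is rated about 85 bits but falls to a two-word concatenation plus suffix within a few hundred thousand guesses. A 20-symbol generator password from a 62-symbol alphabet genuinely carries about 119 bits, because its symbols really were chosen uniformly, which is the assumption the checker wrongly applies to human-chosen words. For 'Mechanic' versus 'Velviriki', the only thing that changes the guess count is whether the word is in the attacker's list; a word outside every list only gets whatever the attacker's fallback brute force costs.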



paulchinnz
Circumspice
793 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2221559 20-Apr-2019 18:42

Hmm, ns8vfpobzmx098bf4coj with a number added to the end of it should just about be impenetrable...


k1w1k1d
1527 posts

Uber Geek


  #2221565 20-Apr-2019 19:53
Send private message

These password attacks require unlimited attempts until the correct one is stumbled upon.

 

Don't banks, online stores, etc have a limit to how many times an incorrect password can be entered before the account is locked out?

 

How many failed attempts does GZ allow?


dafman
3928 posts

Uber Geek

Trusted

  #2221567 20-Apr-2019 20:02

A lot of discussion about brute force attacks, but in reality how many sites we log into are at risk of brute force attack?

Unless you have an unprotected database on some obscure server, most of us use passwords for the likes of email, social media, banking, cloud services etc, all of which will have protection against brute force attacks. If I stuff up my password for gmail more than a few times I'm stuffed, so I'm not particularly concerned about statistics of the time required for brute force attempts to crack my gmail password.

I use long passwords, unique by service, and protected by MFA where available, so I'm not particularly concerned about hackers trying to hack me at so many thousands of attempts per nanosecond.


timmmay
20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #2221569 20-Apr-2019 20:04

How has no-one posted this yet?
freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2221576 20-Apr-2019 22:16

k1w1k1d:

These password attacks require unlimited attempts until the correct one is stumbled upon.

Don't banks, online stores, etc have a limit to how many times an incorrect password can be entered before the account is locked out?

How many failed attempts does GZ allow?


Five attempts every few minutes then block for ten minutes. This would foil most brute force attempts for a strong password.
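The lockout policy described in the post above (five attempts, then a ten-minute block), as an added example implementation that is not Geekzone's code. The five-minute counting window is an assumption, as is check_password standing in for the application's own credential verifier. The clock is injectable so the behaviour can be exercised without waiting.

```python
"""Added example (not Geekzone's code): a failed-login throttle matching the
policy in the post, N failures in a window, then a temporary block, plus the
bound on online guesses it leaves an attacker. check_password is assumed to
be the application's own verifier; the window length is an assumption."""
import time
from collections import deque


class LoginThrottle:
    """Per-key sliding-window failure counter with lockout.
    Key on the account name to stop guessing at one account; key on the
    source address as well, otherwise a per-account lock is a denial-of-
    service lever and one password sprayed across many accounts never trips
    any single account's counter."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> clock time the block expires

    def allowed(self, key):
        """False while the key is inside a lockout period."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        del self._locked_until[key]   # block expired; count afresh
        self._failures.pop(key, None)
        return True

    def record_failure(self, key):
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()               # forget failures older than the window
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)

    def seconds_until_unlocked(self, key):
        until = self._locked_until.get(key)
        return max(0.0, until - self.clock()) if until is not None else 0.0


def attempt_login(throttle, check_password, key, password):
    """Returns 'locked', 'ok' or 'denied'. The throttle is consulted before
    the credential check, so a locked key costs no password-hash work."""
    if not throttle.allowed(key):
        return "locked"
    if check_password(key, password):
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "denied"


def online_guesses_per_day(max_failures=5, lockout_seconds=600):
    """Upper bound on guesses per key per day: fire max_failures guesses,
    wait out the lockout, repeat."""
    return max_failures * 86400 // lockout_seconds


if __name__ == "__main__":
    # Constructed demo: a fake clock and one known password.
    fake_now = [0.0]
    t = LoginThrottle(clock=lambda: fake_now[0])
    users = {"alice": "correct horse battery staple"}
    check = lambda user, pw: users.get(user) == pw
    for guess in ["a", "b", "c", "d", "e", "f"]:
        print(guess, attempt_login(t, check, "alice", guess))
    fake_now[0] += 601
    print("after lockout:", attempt_login(t, check, "alice", users["alice"]))
    print("guesses/day per account at 5 per 10 min:", online_guesses_per_day())
```

At five guesses per ten-minute block an attacker gets at most 720 online guesses per account per day, which is why the strong-password caveat in the post matters: the throttle buys time, not immunity, against a password that sits in the first few hundred entries of a wordlist. A successful login during a block is still refused, so the lock cannot be probed to learn which guess was right.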







ANglEAUT
2326 posts

Uber Geek

Trusted
Lifetime subscriber

  #2221584 20-Apr-2019 23:32

Jase2985:

It's hard to memorize 50+ passwords especially when they are complex and especially when you change them regularly.


Very true indeed

 







freitasm

BDFL - Memuneh
79297 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2221587 21-Apr-2019 00:35

k1w1k1d:

These password attacks require unlimited attempts until the correct one is stumbled upon.

Don't banks, online stores, etc have a limit to how many times an incorrect password can be entered before the account is locked out?

How many failed attempts does GZ allow?


Also worth mentioning we are now using Google reCAPTCHA v3... Instead of solving a CAPTCHA this version gives a score to each page view or transaction and we are able to block based on this. Check a test transaction here.
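Server-side handling of the reCAPTCHA v3 score mentioned in the post above, as an added example that is not Geekzone's code. The field names (success, score, action, hostname, error-codes) are those of Google's siteverify response; the sample results, the 0.5 threshold, the hostnames and the secret are constructed or assumed.

```python
"""Added example (not Geekzone's code): turning a reCAPTCHA v3 siteverify
result into an allow/block decision. Field names are Google's; SAMPLES are
constructed, not captured from Google. Hostnames and threshold are assumed."""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def siteverify(secret, token, remote_ip=None, opener=urllib.request.urlopen):
    """Exchange the client-side token for a verdict. Must run on the server:
    the token alone proves nothing, and the secret must never reach the
    browser. `opener` is injectable so the call can be stubbed offline."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    body = urllib.parse.urlencode(form).encode()
    with opener(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.loads(resp.read().decode())


def decide(result, expected_action, allowed_hostnames, threshold=0.5):
    """Map a siteverify result to ('allow'|'block', reason).
    v3 never shows a challenge, so the score is only as useful as the checks
    around it: a token minted for a cheap action (e.g. 'homepage') must not
    be accepted for 'login', and a token minted on another site must not count."""
    if not result.get("success"):
        codes = ",".join(result.get("error-codes", [])) or "unknown"
        return "block", "verification failed: " + codes
    if result.get("action") != expected_action:
        return "block", "action mismatch: %r" % result.get("action")
    if result.get("hostname") not in allowed_hostnames:
        return "block", "hostname mismatch: %r" % result.get("hostname")
    score = float(result.get("score", 0.0))
    if score < threshold:
        return "block", "score %.2f below threshold %.2f" % (score, threshold)
    return "allow", "score %.2f" % score


# Constructed sample results for a 'login' action on an assumed hostname.
SAMPLES = {
    "human": {"success": True, "score": 0.9, "action": "login",
              "hostname": "www.geekzone.co.nz", "challenge_ts": "2019-04-21T00:35:00Z"},
    "bot": {"success": True, "score": 0.1, "action": "login",
            "hostname": "www.geekzone.co.nz", "challenge_ts": "2019-04-21T00:35:00Z"},
    "replayed_token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "wrong_action": {"success": True, "score": 0.9, "action": "homepage",
                     "hostname": "www.geekzone.co.nz"},
    "other_site": {"success": True, "score": 0.9, "action": "login",
                   "hostname": "evil.example"},
}

ALLOWED_HOSTS = {"www.geekzone.co.nz", "geekzone.co.nz"}  # assumed


def classify_samples(threshold=0.5):
    """Run every constructed sample through decide(); returns name -> decision."""
    return {name: decide(r, "login", ALLOWED_HOSTS, threshold)[0]
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(name, verdict)
```

The score is only meaningful with the surrounding checks: siteverify is called from the server with the secret, the action in the result must equal the action the page declared when it requested the token, and the hostname must be yours, otherwise a high-scoring token minted for a harmless action or on another site can be replayed against the login form. Treat the score as one input alongside failed-attempt throttling, not as a replacement for it.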







Geektastic
17943 posts

Uber Geek

Trusted
Lifetime subscriber

  #2221592 21-Apr-2019 06:31

paulchinnz:

Hmm, ns8vfpobzmx098bf4coj with a number added to the end of it should just about be impenetrable...



But utterly impossible to remember unless you're Rainman...





Geektastic
17943 posts

Uber Geek

Trusted
Lifetime subscriber

  #2221593 21-Apr-2019 06:33

The sooner passwords can be replaced with biometrics the better, really, I would think.

Why we haven't seen Apple put Face Unlock into computers yet I don't know.





  #2221596 21-Apr-2019 08:09

Geektastic: The sooner passwords can be replaced with biometrics the better, really, I would think.
Why we haven't seen Apple put Face Unlock into computers yet I don't know.


There are two difficulties with biometric identification

  1. There is no privacy / anonymity anymore. No way to interact on the web except with potential full exposure of yourself.
  2. There is no security anymore. If someone guesses or steals your password / PIN / credit card number, you just get a new one. If they get access to the string that uniquely represents your biometric details, then you ... no, you're stuffed. And their uniqueness and non-repudiation will make them very high value targets.

sparkz25
750 posts

Ultimate Geek
Inactive user


  #2221597 21-Apr-2019 08:19

Geektastic: The sooner passwords can be replaced with biometrics the better, really, I would think.

Why we haven't seen Apple put Face Unlock into computers yet I don't know.


Even biometrics have downsides, I have multiple sites where we have biometrics set up and there are a few that cannot use the biometrics or their biometrics cannot be read, so you are back in the same position of passwords or cards

nunz
1421 posts

Uber Geek
Inactive user


  #2221603 21-Apr-2019 09:35

sparkz25:
Geektastic: The sooner passwords can be replaced with biometrics the better, really, I would think.

Why we haven't seen Apple put Face Unlock into computers yet I don't know.


Even biometrics have downsides, I have multiple sites where we have biometrics set up and there are a few that cannot use the biometrics or their biometrics cannot be read, so you are back in the same position of passwords or cards


Two downsides to biometrics.
1. They don't work for me and others. Fingerprint scanners fail me. Probably same reason touch screens don't respond to my touch all the time. Dry and roughed up fingers from wood work and maybe age.
2. An eyeball or finger removed still works. The thieves will take your hand not your swipe card.

A security pen drive or RFID key or similar backed with an unlock password works, as does 2FA if txt or similar are working at the time

Quantum computing will render all this obsolete
