Stronger passwords


15 Replies - 3848 Views - Last Post: 06 August 2012 - 02:43 PM

#1 BetaWar

Posted 02 August 2012 - 10:56 AM

Recently I saw this article and got to thinking about passwords.

If you are like me, you generally use a formula to come up with passwords, and this seems to work fine. (I can't say that I know of any of my passwords that have been cracked since the Yahoo and LinkedIn things that happened recently, and those weren't my fault).

I also read another article a few months back that said computers are better at guessing our random passwords than we are at remembering them. It claimed that instead you should use 2 or 3 words concatenated. Personally, I am for this approach and it led me to come up with these two ideas on creating passwords (likely not revolutionary, but may make for an interesting discussion).

First, you could come up with a sentence (not just 2 or 3 words) and camel case the words together. You would obviously want it to be something you can remember. For instance, you have the sentence "Froggy flies fast for fun", it is pretty simple to remember, and when you concatenate and camel case all the words it comes out to "froggyFliesFastForFun". Awesome, you now have a 21 character password that is quick and easy to remember. The only problem here is that a lot of sites out there require that the passwords are of at least a certain "strength" (meaning they have a number or special character in them). This is overcome by simply changing out words that sound like numbers for the numbers themselves. So "ate" would be "8" and "for" would be "4", etc. That changes the password to "froggyFliesFast4Fun" (a 19 character password). If you further add the punctuation into the password you get 20 characters and "froggyFliesFast4Fun.". Pretty simple, right?

The second idea was actually a branch of the first. It will wind up shortening the password (just based off the idea I had in creating it), but it will also make it harder for people to crack even if they hear you say it. Basically, you take the password above and remove all duplicate characters. "froggyFliesFast4Fun." all of the sudden turns into "frogyFliesat4un." (16 characters, only 4 fewer than before, but it makes a lot less sense when you look at it). This is nice because you have the simple sentence "Froggy flies fast for fun." that turns into a 16 character password; and of the 95ish characters you can use in a password that will give you 95 choose 16, or 551 quadrillion possible sets. Even more if you allow the space character in your password.

Now, if we have 551 quadrillion possible sets at 16 characters, and assuming a computer can brute-force attempt 1000 passwords a second, it will take the computer approximately 551 trillion seconds to brute-force the password (that is over 17 million years). If you had a botnet of 1000 computers each running 1000 passwords a second and somehow not repeating a single attempt it would take over 17 thousand years.

NOTE - This is assuming that the computers are using the random password attempts that are common these days and not attempting to break this scheme (where they choose words from a dictionary, concatenate them, remove duplicate characters, etc.).

Personally either of these seem like a pretty good way to do passwords to me. And you could always throw in words from other languages, for instance: "Hello, me llamo BetaWar." -> "helo, MLamBtwr." (15 characters, 2 languages), or "Je ne se pas. No se. I don't know." -> "je NSPas.oIDn'tKw" (17 characters, 3 languages, and it looks pretty fricking random).

Thoughts? Other ways of making a password? Discuss.

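The recipe in the post above, carried through in code as an added example (this is editor-added illustration, not BetaWar's code). It implements the three steps (camel-case the sentence, swap words that sound like digits, drop repeated characters), reproduces the post's "Froggy flies fast for fun." walk-through, does the keyspace and brute-force-time arithmetic the post does, and then shows the case the post's NOTE warns about: an attacker who knows the recipe enumerates sentences from a wordlist and applies the same transform instead of guessing characters. The extra homophone entries beyond "ate" and "for", the 5,000-word vocabulary, the four output variants, the eight-word wordlist and the unsalted SHA-256 of the example password are all assumptions made for the illustration.

```python
import hashlib
import itertools
import math
import string

# "ate" -> "8" and "for" -> "4" come from the post; the other entries are assumptions.
HOMOPHONE_DIGITS = {"for": "4", "ate": "8", "to": "2", "too": "2", "won": "1"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def substitute_digits(word: str) -> str:
    """Replace a whole word that sounds like a digit, keeping any attached punctuation."""
    core = word.strip(string.punctuation)
    digit = HOMOPHONE_DIGITS.get(core.lower())
    return word.replace(core, digit) if digit else word


def camel_case(sentence: str, digits: bool = False) -> str:
    """Step 1: join the words, first word lower-case, every later word capitalised."""
    words = sentence.split()
    if digits:
        words = [substitute_digits(w) for w in words]
    if not words:
        return ""
    return words[0].lower() + "".join(w[:1].upper() + w[1:].lower() for w in words[1:])


def drop_repeats(text: str) -> str:
    """Step 2: keep only the first occurrence of each character (case-sensitive)."""
    seen = set()
    out = []
    for ch in text:
        if ch not in seen:
            seen.add(ch)
            out.append(ch)
    return "".join(out)


def transform(sentence: str, digits: bool = True, dedupe: bool = True) -> str:
    """Whole recipe: camel-case, digit swap, optional de-duplication."""
    pw = camel_case(sentence, digits=digits)
    return drop_repeats(pw) if dedupe else pw


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the given guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def keyspaces(length: int = 16, alphabet: int = 95, vocab: int = 5000, n_words: int = 5) -> dict:
    """Candidate counts under different attacker models.
    post_figure:    C(alphabet, length), the number the post quotes (551 quadrillion for 95, 16).
    random_strings: alphabet ** length, every string of that length over the alphabet.
    scheme_aware:   vocab ** n_words sentences times 4 variants (with/without trailing '.',
                    with/without de-duplication); vocab size and variant count are assumptions."""
    return {
        "post_figure": math.comb(alphabet, length),
        "random_strings": alphabet ** length,
        "scheme_aware": vocab ** n_words * 4,
    }


def scheme_aware_crack(target_sha256: str, wordlist, n_words: int):
    """Enumerate every n-word sentence over the wordlist, apply the recipe in all four
    variants and compare SHA-256 digests. An unsalted fast hash is assumed so the
    example finishes quickly. Returns (sentence, password, guesses) or None."""
    guesses = 0
    for words in itertools.product(wordlist, repeat=n_words):
        for punct in ("", "."):
            sentence = " ".join(words) + punct
            for dedupe in (False, True):
                candidate = transform(sentence, dedupe=dedupe)
                guesses += 1
                if hashlib.sha256(candidate.encode()).hexdigest() == target_sha256:
                    return sentence, candidate, guesses
    return None


# Constructed data: a tiny vocabulary and a "leaked" unsalted hash of the post's own example.
WORDLIST = ["sheep", "jump", "froggy", "flies", "fast", "for", "fun", "sleep"]
TARGET = hashlib.sha256(b"frogyFliesat4un.").hexdigest()

if __name__ == "__main__":
    print(camel_case("Froggy flies fast for fun"))            # froggyFliesFastForFun
    print(transform("Froggy flies fast for fun.", dedupe=False))  # froggyFliesFast4Fun.
    print(transform("Froggy flies fast for fun."))               # frogyFliesat4un.
    for model, size in keyspaces().items():
        print(f"{model:15s} {size:.3e} candidates, {years_to_exhaust(size, 1000):.3e} years at 1000/s")
    print(scheme_aware_crack(TARGET, WORDLIST, 5))
```

The 1000 guesses per second in the post is the rate of an online attack against a login form; against a leaked hash the same transform runs offline at whatever rate the hash function allows, so the scheme-aware count is the number that matters once the recipe is public.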

Replies To: Stronger passwords

#2 jon.kiparsky

Posted 02 August 2012 - 11:02 AM

The trouble with using leet-substitutions to satisfy the "security" requirements is that it adds complexity that's harder for you to resolve than it is for the computer.

I just use a 1! at the end of my long sentence password, which for me is a long sentence that doesn't turn up in google, typed normally.

#3 no2pencil

Posted 02 August 2012 - 11:02 AM

BetaWar, on 02 August 2012 - 01:56 PM, said:

First, you could come up with a sentence

For my daily usage passwords I make up a word, use a real word, & then four digits.

Sort of like GerpBugs1911

#4 lordofduct

Posted 02 August 2012 - 11:59 AM

I have varying techniques for formulating my passwords depending on the level of security I care about. I won't be sharing that as well... that kind of defeats the purpose of them.

But that's not why I'm posting. I'm posting about the article you posted. They say it's useful for teaching someone the password so it can't be tortured out of the person. But the person must also have to put it in at times... otherwise the password is useless. Which means they must be able to recall it on command... you know... when they go to log into the system.

So what stops the thief, who obviously has no care about torture, from setting up a login scenario and just capturing the keystrokes?

"Type in your password now or I'll shoot you!"

#5 jon.kiparsky

Posted 02 August 2012 - 12:26 PM

lordofduct, on 02 August 2012 - 01:59 PM, said:

I have varying techniques for formulating my passwords depending on the level of security I care about. I won't be sharing that as well... that kind of defeats the purpose of them.


I have no problem sharing the password format I use - that's sort of the point of it. It generates passwords which are easy for me to remember and difficult for a machine to guess - and difficult for a person to guess as well. But I'm a writer: coming up with sentences nobody's ever said before is sort of my job, and typing in long sentences accurately and quickly kind of goes with the territory.

Quote

But that's not why I'm posting. I'm posting about the article you posted. They say it's useful for teaching someone the password so it can't be tortured out of the person. But the person must also have to put it in at times... otherwise the password is useless. Which means they must be able to recall it on command... you know... when they go to log into the system.

So what stops the thief, who obviously has no care about torture, from setting up a login scenario and just capturing the keystrokes?

"Type in your password now or I'll shoot you!"


The article is not altogether too clear, but it looks to me like the password challenge is more like playing a few rounds of this game than like typing a password. The "password" part is a particular pattern that stands out because you're trained to it, and therefore perform slightly better against it than you do against the others.
I suspect that interspersing your pattern in with other patterns addresses this nicely. You'd have to spend a good long while with that gun against someone's head, and also do a fair bit of high-level data-crunching, to identify which pattern was theirs. This depends on how much of a training effect you end up seeing, though. If it's a major difference, the data crunching should be pretty easy.

Of course, you could give people a lock-out pattern for this scenario. "Just remember: enter S-S-K-K-D-D-J-J and we'll lock out your account and alert the police to the fact that you're being tortured for your password".

#6 lordofduct

Posted 02 August 2012 - 12:33 PM

jon.kiparsky, on 02 August 2012 - 02:26 PM, said:

lordofduct, on 02 August 2012 - 01:59 PM, said:

I have varying techniques for formulating my passwords depending on the level of security I care about. I won't be sharing that as well... that kind of defeats the purpose of them.


I have no problem sharing the password format I use - that's sort of the point of it. It generates passwords which are easy for me to remember and difficult for a machine to guess - and difficult for a person to guess as well. But I'm a writer: coming up with sentences nobody's ever said before is sort of my job, and typing in long sentences accurately and quickly kind of goes with the territory.


HA

I'm sorry, that was some of the most pompous trash I've read this week.

I was implying that one of my techniques is obscurity... so explaining all of them defeats one of my techniques.

Good point about the password thing though. I guess it could work if you had them play through multiple sessions, one of which has the real password in it, and it registers if you did well at it.

This post has been edited by lordofduct: 02 August 2012 - 12:35 PM


#7 jon.kiparsky

Posted 02 August 2012 - 12:37 PM

lordofduct, on 02 August 2012 - 02:33 PM, said:

I was implying that one of my techniques is obscurity... so explaining all of them defeats one of my techniques.


Yes, security through obscurity is a well-known winning formula.

This post has been edited by jon.kiparsky: 02 August 2012 - 12:37 PM


#8 Skydiver

Posted 02 August 2012 - 01:52 PM

I couldn't figure out if jon.kiparsky was being sarcastic or not.

Part of me wants to agree that security through obscurity is not security at all. On the other hand, I still need to keep my private keys secret, don't I? Isn't keeping something a secret a form of obscurity? Or is keeping something secret simply denying access to the data and not obscurity? Maybe just a matter of semantics.

As for rubber hose cryptanalysis, it's something that a cryptographic scheme can't really protect against. As mentioned above, all you can do is have some measures in place that allow for a "duress" password. Whether that password grants access or not is a matter of policy, not cryptography.

For passwords, I now follow the same scheme of picking a phrase that reminds me of the website, system, or facility I'm trying to access. Sometimes the phrase is in another language. The phrase words get concatenated and I follow a formula for determining where caps, symbols, and numbers go. This is great for modern systems that allow for long passwords. It always sucks when I get to a system that has "must be no longer than 8 characters and can only be composed of letters and numbers".

This post has been edited by Skydiver: 02 August 2012 - 01:53 PM

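The duress-password idea raised in posts #5 and #8 (a second credential that the coerced user can type, which the system recognises and acts on by policy), sketched as an added example; this is editor-added code, not anything posted in the thread. It assumes a record layout of one salt plus two PBKDF2-derived keys, an iteration count chosen for the illustration, and an `alarm` callback supplied by the caller. The point it demonstrates is the check a practitioner wants: the real and the duress credential go through the same derivation and the same two constant-time comparisons with no early exit, so nothing in the response time tells the person holding the gun which one was typed, and the caller, not the verifier, decides what "duress" means.

```python
import hashlib
import hmac
import os
from enum import Enum

# Assumed parameters for this illustration; tune per deployment.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


class Outcome(Enum):
    DENY = "deny"
    ALLOW = "allow"
    DURESS = "duress"   # credential verified and alarm raised; what is granted is policy


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a stolen record is not cheap to crack offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(real_password: str, duress_password: str) -> dict:
    """Build the stored record (assumed layout): one salt, two derived keys.
    The duress credential must differ from the real one or it can never be recognised."""
    if duress_password == real_password:
        raise ValueError("duress password must differ from the real password")
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt,
        "real": derive(real_password, salt),
        "duress": derive(duress_password, salt),
    }


def authenticate(record: dict, attempt: str, alarm) -> Outcome:
    """One derivation, two constant-time comparisons, no early return.
    The code path and its timing are identical for the real password, the duress
    password and a wrong password; only the returned Outcome differs."""
    candidate = derive(attempt, record["salt"])
    matches_real = hmac.compare_digest(candidate, record["real"])
    matches_duress = hmac.compare_digest(candidate, record["duress"])
    if matches_duress:
        alarm("duress credential presented")   # caller locks the account, pages security, etc.
        return Outcome.DURESS
    if matches_real:
        return Outcome.ALLOW
    return Outcome.DENY


if __name__ == "__main__":
    # Constructed sample: the lock-out pattern from post #5 as the duress credential.
    record = enroll("Froggy flies fast for fun.", "SSKKDDJJ")
    alarms = []
    print(authenticate(record, "Froggy flies fast for fun.", alarms.append))  # Outcome.ALLOW
    print(authenticate(record, "SSKKDDJJ", alarms.append))                    # Outcome.DURESS
    print(authenticate(record, "wrong", alarms.append))                       # Outcome.DENY
    print(alarms)
```

Whether `Outcome.DURESS` ends in the lock-out-and-alert response jon.kiparsky describes, or in a decoy session so the coerced user's compliance looks genuine, is decided by whoever calls `authenticate`; the verification code is the same either way, which is exactly the "policy, not cryptography" split Skydiver draws.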

#9 dorknexus

Posted 02 August 2012 - 02:05 PM

Obligatory XKCD reference:
[image: XKCD comic]

#10 jon.kiparsky

Posted 02 August 2012 - 02:28 PM

The "security through obscurity" catch phrase refers to obscurity of method, not of actual encryption. Obviously, if you keep your private key private, you're "obscuring" the data encrypted with your public key. Just as obviously, anyone who's interested will know exactly how that data is encrypted.

The point is, if keeping the method safe is part of the security of the system, it's not very secure.

Quote

I couldn't figure out if jon.kiparsky was being sarcastic or not.


Only a little. Generate a long memorable sentence? Yeah, not a problem. Type it in? Also not a problem. I expect most people reading this also would find these to be easy tasks.
However, not everyone will - for them, this is not a great password system.

What's relevant, though, is this: A ten-word sentence, with spaces and punctuation, is as difficult to crack as any string of characters and punctuation of similar length. So why not use something that you can remember, instead of adding a lot of complexity that adds difficulty for you and not for the attacker?

#11 BetaWar

Posted 02 August 2012 - 03:21 PM

Yeah, I have been known to use lines of code that I thought were catchy as a password (such as: "while(!asleep())sheep++;" (NOTE - I haven't used this one in years))

I also don't use either of the ways I put forth above, but I thought of them and found it interesting so I posted to share and see what types of things others were up to with passwords.

#12 Skydiver

Posted 02 August 2012 - 03:37 PM

Thanks, Jon!

And since this is the Cubicle corner where threads are known to stray, I'll throw out another phrase and some acronyms and see what happens:

"security through legislation" "DMCA" "RIAA"

Edit after: corrected typo: through -> throw

This post has been edited by Skydiver: 03 August 2012 - 02:24 AM


#13 BetaWar

Posted 02 August 2012 - 03:45 PM

I'll reply short and simply:
"security through legislation" -> What security?
"DMCA" -> DIE!!!!!
"RIAA" -> Actually seems to work pretty nicely. At least you know you can get rid of things (such as locks) if something goes horribly wrong.

#14 Skydiver

Posted 03 August 2012 - 02:29 AM

LOL!

RIAA not RAII. :lol:

To me, DMCA is an example of security through legislation. I agree that it must be repealed.

#15 lordofduct

Posted 03 August 2012 - 06:42 AM

Obscurity may imply that the rest is not secure.

But I could be using anything behind the obscurity. And there is the point, you don't know what the fuck I do for my passwords, and it's none of your business what I do with my passwords.

It's not like I'm hiding some secret unknown technique that would shatter the security world's concept of password creation. So really, it benefits me little to share them, and benefits you little to hear them.