Bitcoin Forum
December 03, 2016, 11:53:11 AM *
Author Topic: Regarding passwords  (Read 2409 times)
Gareth Nelson
June 29, 2011, 11:12:01 AM
 #1

I'm pondering using this as a method to generate passwords, would anyone care to critique it for me?
http://sprunge.us/UKAg
luxgladius
June 29, 2011, 02:12:06 PM
 #2

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.
bcearl
June 29, 2011, 02:16:49 PM
 #3

Use OpenSSL to get better (cryptographically strong) random numbers.

like this:
Code:
$ openssl rand -base64 12
VSvl9WFLu7Y7bOR8

But note that you get 6 bits of information per character, because there are 2^6 = 64 possible chars.

Misspelling protects against dictionary attacks NOT
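To put numbers on luxgladius's length-versus-alphabet point (#2) and bcearl's 6-bits-per-character note (#3), here is an added example that is not from any poster in the thread: it reproduces the openssl construction with Python's CSPRNG, computes entropy for random strings and Diceware-style passphrases, and gives the expected exhaustive-search time at the 10^11 guesses/s rate quoted later in the thread. The demo word list is constructed; 7776 is the size of the real Diceware list.

```python
import base64
import math
import secrets

def random_base64_password(n_bytes=12):
    """Same construction as `openssl rand -base64 12`: bytes from the OS
    CSPRNG, base64 encoded. 12 bytes -> 16 characters, no '=' padding."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")

def entropy_bits(length, alphabet_size):
    """Entropy of `length` independent, uniform picks from `alphabet_size`
    options: log2(alphabet_size ** length). Only valid when a CSPRNG made
    the picks; a human-chosen string has far less than this."""
    return length * math.log2(alphabet_size)

def diceware_passphrase(wordlist, n_words=5):
    """Pick words uniformly with secrets.choice. Entropy is
    entropy_bits(n_words, len(wordlist)): 7776 words -> 12.9 bits per word."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def expected_crack_seconds(bits, guesses_per_second=1e11):
    """Average time to exhaust half the space at the rate the thread quotes
    (one hundred billion guesses per second)."""
    return 2 ** (bits - 1) / guesses_per_second

def growth_comparison():
    """Why length beats character classes: widening the alphabet from 26 to
    95 at fixed length 8 adds ~15 bits, doubling the length at 26 letters
    adds ~38 bits, and each further doubling adds the same amount again."""
    return {
        "8 chars, 26 letters": entropy_bits(8, 26),
        "8 chars, 95 printable": entropy_bits(8, 95),
        "16 chars, 26 letters": entropy_bits(16, 26),
        "5 diceware words": entropy_bits(5, 7776),
        "16 base64 chars": entropy_bits(16, 64),
    }

if __name__ == "__main__":
    # Constructed stand-in for the 7776-word Diceware list (demo only).
    demo_words = ["pudding", "black", "box", "coin", "dice", "forum", "tulip"]
    print(random_base64_password())
    print(diceware_passphrase(demo_words))
    for label, bits in growth_comparison().items():
        secs = expected_crack_seconds(bits)
        print(f"{label:24s} {bits:6.1f} bits  ~{secs:.2e} s to crack")
```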
BitcoinPorn
June 29, 2011, 02:22:42 PM
 #4

Quote
They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

And easier to remember.

QWERTY12345 when you can remember a formula of "QWERTY12345x3" knowing the password is QWERTY12345QWERTY12345QWERTY12345

I like this theory.  Stoners do too.

InsanityIsGreat
June 29, 2011, 02:22:47 PM
 #5

...take a phrase ie ilikepudding as an example

add some caps

IlikePuDDing

add some numbers

I8LikePuDDing8

Add some special symbols

I8Lik#PuDD!ng8

Throw in an alt code or 2

§╒ª◘


I8Lik#PuDD!ng8§

If you do all that you will be legit  Cool

bcearl
June 29, 2011, 02:27:51 PM
 #6

Quote
...take a phrase ie ilikepudding as an example

add some caps

IlikePuDDing

add some numbers

I8LikePuDDing8

Add some special symbols

I8Lik#PuDD!ng8

Throw in an alt code or 2

§╒ª◘


I8Lik#PuDD!ng8§

If you do all that you will be legit  Cool


That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make.

You should not use such for encryption of wallets!

thefussydutchman
July 09, 2011, 02:38:23 PM
 #7

Is Lastpass.com a good idea?
justusranvier
July 09, 2011, 03:21:59 PM
 #8

Quote
Is Lastpass.com a good idea?
I've never had any problems with LastPass. I've even used the one-time password feature to access my account while traveling internationally without ever having it compromised.
fascistmuffin
July 09, 2011, 03:29:20 PM
 #9

KeePass is pretty nice for long random pass that you don't have to remember. It just needs one offline password to open your key database files, which are encrypted.
Skeenz
July 09, 2011, 04:03:18 PM
 #10

+1 for KeePass!
You can also have it require both a key file and a password to unlock... so it's much harder (read impossible) to easily brute force.

Phoenix
July 09, 2011, 04:08:09 PM
 #11

+1 to the aboves. KeePass saved my Mt Gox password once already (thank the fsm I gained some insight through the forum and changed it a few days earlier). Since KeePass also accepts not only ASCII keyboard inputs for the main password, it may be a nice idea to also add another non-ASCII keyboard language and, switching to that one, write any set of words you can remember quickly (lyrics, etc.) with spaces and whatnot. I am guessing that this should provide quite a safe string of characters, very easy to remember. Take care.

cypherdoc
July 09, 2011, 06:54:45 PM
 #12

Quote
They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

And easier to remember.

QWERTY12345 when you can remember a formula of "QWERTY12345x3" knowing the password is QWERTY12345QWERTY12345QWERTY12345

I like this theory.  Stoners do too.

If you look through that list of Mt Gox passwords that got hacked, it's amazing how many derivations of that exact password there actually were.
spruce
July 09, 2011, 07:06:46 PM
 #13

Quote
...take a phrase ie ilikepudding as an example

add some caps

IlikePuDDing

add some numbers

I8LikePuDDing8

Add some special symbols

I8Lik#PuDD!ng8

Throw in an alt code or 2

§╒ª◘


I8Lik#PuDD!ng8§

If you do all that you will be legit  Cool


That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make.

You should not use such for encryption of wallets!

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space assuming one hundred billion guesses per second at 1.49 billion centuries.

How is a password like this not secure?
bcearl
July 09, 2011, 07:46:02 PM
 #14

Quote
...take a phrase ie ilikepudding as an example

add some caps

IlikePuDDing

add some numbers

I8LikePuDDing8

Add some special symbols

I8Lik#PuDD!ng8

Throw in an alt code or 2

§╒ª◘


I8Lik#PuDD!ng8§

If you do all that you will be legit  Cool


That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make.

You should not use such for encryption of wallets!

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space assuming one hundred billion guesses per second at 1.49 billion centuries.

How is a password like this not secure?

Steve Gibson's site says:
Quote
It is NOT a “Password Strength Meter.”

Somebody had a similar password on MtGox and was cracked:

Quote
Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley
http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

error
July 09, 2011, 07:51:13 PM
 #15

Quote
A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space assuming one hundred billion guesses per second at 1.49 billion centuries.

How is a password like this not secure?

It's not secure because modern password crackers assume your password will be a series of words, and try "31337 speak" combinations such as substituting 3 for e, adding a few random characters on the end, etc. This approach is much faster and can crack such a password in days or even hours.

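One way a wallet or site could flag the kind of password error describes in #15 before accepting it, as an added example that is not from anyone in the thread: it undoes common leet substitutions, strips digits and symbols appended at either end, and measures how much of what remains is explained by dictionary words. The word list and the substitution table are constructed for the demo; a real check would load a full dictionary.

```python
import re
from functools import lru_cache

# Constructed mini wordlist for the demo; a real checker loads a full dictionary.
WORDLIST = {"black", "box", "like", "pudding", "password", "bitcoin", "gox"}
# Reverse of the substitutions the post describes: each key lists the letters
# that mangling rules commonly replace with that character.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "8": "b", "@": "a", "$": "s", "!": "i", "|": "l"}

def _options(ch):
    """Letters a character may stand for; None = wildcard (alt codes, '#')."""
    if ch.isalpha():
        return {ch.lower()}
    return set(LEET[ch]) if ch in LEET else None

def dictionary_coverage(password, words=WORDLIST):
    """Fraction of the password core (padding stripped from both ends) that
    segments into dictionary words once leet substitutions are undone."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    n = len(core)
    if n == 0:
        return 0.0
    opts = [_options(c) for c in core]
    by_len = {}
    for w in words:
        by_len.setdefault(len(w), []).append(w)

    def fits(word, i):
        span = opts[i:i + len(word)]
        # require at least one literal letter so a run of wildcards cannot match
        return any(o is not None for o in span) and all(
            o is None or word[k] in o for k, o in enumerate(span))

    @lru_cache(maxsize=None)
    def best(i):
        if i >= n:
            return 0
        covered = best(i + 1)  # leave this character unexplained
        for length, ws in by_len.items():
            if i + length <= n and any(fits(w, i) for w in ws):
                covered = max(covered, length + best(i + length))
        return covered

    return best(0) / n

def looks_like_mangled_word(password, threshold=0.75):
    """True when most of the password is a dictionary phrase in disguise."""
    return dictionary_coverage(password) >= threshold
```

A short random string like tropz49 scores 0 here because it contains no dictionary word, not because it is strong; a separate minimum-length or entropy check is still needed.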
spruce
July 09, 2011, 08:00:52 PM
 #16


Quote
Somebody had a similar password on MtGox and was cracked:

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley
http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password consisted of solely five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?
bcearl
July 09, 2011, 08:04:30 PM
 #17


Quote
Somebody had a similar password on MtGox and was cracked:

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley
http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password consisted of solely five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?

Some passwords weren't hashed with a modern method. But the one above was.

spruce
July 09, 2011, 08:16:23 PM
 #18


Quote
Some passwords weren't hashed with a modern method. But the one above was.

If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?
bcearl
July 09, 2011, 08:47:25 PM
 #19


Quote
Some passwords weren't hashed with a modern method. But the one above was.

If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

spruce
July 09, 2011, 08:58:19 PM
 #20


Quote
No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?