Bitcoin Forum
December 10, 2016, 03:27:53 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: Regarding passwords  (Read 2412 times)
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
July 09, 2011, 09:11:03 PM
 #21


No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.

Misspelling protects against dictionary attacks NOT
1481340473
Hero Member
*
Offline Offline

Posts: 1481340473

View Profile Personal Message (Offline)

Ignore
1481340473
Reply with quote  #2

1481340473
Report to moderator
You can see the statistics of your reports to moderators on the "Report to moderator" pages.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481340473
Hero Member
*
Offline Offline

Posts: 1481340473

View Profile Personal Message (Offline)

Ignore
1481340473
Reply with quote  #2

1481340473
Report to moderator
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
July 10, 2011, 06:04:13 PM
 #22


No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.

It doesn't really matter, since b1Ackb0x3!1 is not a strong password to begin with.

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
July 11, 2011, 08:28:22 AM
 #23


No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.

It doesn't really matter, since b1Ackb0x3!1 is not a strong password to begin with.

That's my point. Because some guys in this thread claimed their similar passwords to be strong.

Misspelling protects against dictionary attacks NOT
spruce
Full Member
***
Offline Offline

Activity: 140


View Profile
July 11, 2011, 10:26:03 AM
 #24

How about you guys who are saying that b1Ackb0x3!1 is not strong drop it into a sign-up page somewhere to *any* site that checks password strength and see what it says?

Better idea, since I could maybe guess what your response will be — those sites don't take leetspeak into account — is there someone who actually cracks passwords for a living who would comment on it? Now, I know that if there is someone here who actually does do that for a living they are not likely to admit it, but I'm just interested in a "professional" view.

If you examine the 4.9-million-word "Ultimate Password List" at http://area51archives.com/index.php?title=Ultimate_Password_List (15MB .rar file that unpacks into 6 text files), here are the alphabetical entries around "b1", which is how b1Ackb0x3!1 starts. Why would a hacker zero in on that area if he had *no information at all* about the password?

b‚vue
b's
b'tje
b-52's   
b-ball
b-dur
b-spline
b.c
b0
b1
b2
b21
b3
b4
b43
b5
b52's   
b6
b7
b8
b9
ba

I think a hacker would first use a password list like this. After failing with the password list he would resort to a brute force attack if he was *really* determined to get at that specific account using a computer-based approach and not social engineering or a rubber-hose attack. Plugging b1Ackb0x3!1 into Steve Gibson's Interactive Brute Force Password “Search Space” Calculator at https://www.grc.com/haystack.htm gives 1.83 billion centuries as the time required to exhaustively search that password's space in an online attacking scenario, 18.23 centuries in an offline fast attack scenario, and 1.83 years in a hypothetical "massive cracking array" scenario at a hypothetical one hundred trillion guesses per second.

If you are going to latch on to that "1.83 years" and say, "See, told you, it's not strong," well. . . .
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
July 11, 2011, 11:54:08 AM
 #25

Gibson's calculator is not a password strength meter. There is an explicit disclaimer, dude!


Quote
but I'm just interested in a "professional" view.
You prefer authority over arguments? Authorities will tell you to stop using bitcoin.

Misspelling protects against dictionary attacks NOT
spruce
Full Member
***
Offline Offline

Activity: 140


View Profile
July 11, 2011, 12:55:43 PM
 #26

Gibson's calculator is not a password strength meter. There is an explicit disclaimer, dude!


Quote
but I'm just interested in a "professional" view.
You prefer authority over arguments? Authorities will tell you to stop using bitcoin.

I have nothing further to add. You win. Smiley
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
July 11, 2011, 07:08:21 PM
 #27

How about you guys who are saying that b1Ackb0x3!1 is not strong drop it into a sign-up page somewhere to *any* site that checks password strength and see what it says?

Better idea, since I could maybe guess what your response will be — those sites don't take leetspeak into account — is there someone who actually cracks passwords for a living who would comment on it? Now, I know that if there is someone here who actually does do that for a living they are not likely to admit it, but I'm just interested in a "professional" view.

You already received such an opinion and then disregarded it.

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
July 12, 2011, 05:48:50 AM
 #28

I have nothing further to add. You win. Smiley

But I have another tip for you: You can use it as strength meter by chosing each character at random. This means each possible character must have the exact same probability and this should not depend on previous characters.

Some passwords that meet this standards:

Code:
2L~aDJS_- 2K
w/r1V`0I*U.L
:Hp$Gn7[$m+(

Misspelling protects against dictionary attacks NOT
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2506


View Profile
July 12, 2011, 08:30:42 AM
 #29

Certain configurations of the characters are much less likely than others. It would be better to randomize each character individually.

For my master passwords, I roll physical dice to get the randomness. Less secure passwords can use /dev/random. Additional hashing isn't necessary: /dev/random is already mixed using hashing.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
July 12, 2011, 08:51:46 AM
 #30

Certain configurations in the characters of the characters are much less likely than others. It would be better to randomize each character individually.

Exactly. That's how I generated the example passwords. First thing you see is that special characters come pretty much more often than in most user-chosen passwords.

In plain 7-bit ASCII there are:
- 26+26 letters
- 10 digits
- 32 special characters

This means that on average only 55.3 % of characters should be letters and 34.0 % should be special characters.


Quote
For my master passwords, I roll physical dice to get the randomness. Less secure passwords can use /dev/random. Additional hashing isn't necessary: /dev/random is already mixed using hashing.

/dev/random on modern Linux systems is way better than dice you get in toy shops.

Misspelling protects against dictionary attacks NOT
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!