luxgladius (Newbie, Activity: 28, Merit: 0)
June 29, 2011, 02:12:06 PM

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.
bcearl
June 29, 2011, 02:16:49 PM

Use OpenSSL to get better (cryptographically strong) random numbers, like this:

```
$ openssl rand -base64 12
VSvl9WFLu7Y7bOR8
```

But note that you get 6 bits of information per character, because there are 2^6 = 64 possible chars.
Misspelling protects against dictionary attacks NOT
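Putting the two posts above (Diceware passphrases and `openssl rand -base64`) into numbers, as an added example that is not from the thread: a CSPRNG-based Diceware dice roller and base64 token generator, plus the entropy arithmetic that shows why extra length grows the search space exponentially while a wider alphabet grows it only polynomially. It uses only the Python standard library; the 7776-word list size is the standard Diceware list, the 8-character comparison length is a constructed choice.

```python
import base64
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # standard Diceware list: 7776 words, one per roll of five dice


def entropy_bits(choices_per_symbol, num_symbols):
    """Entropy of num_symbols independent uniform picks from choices_per_symbol options.
    The search space is choices ** symbols: exponential in length, polynomial in alphabet."""
    return num_symbols * math.log2(choices_per_symbol)


def symbols_needed(target_bits, choices_per_symbol):
    """Fewest symbols from an alphabet (or word list) of that size that reach target_bits."""
    return math.ceil(target_bits / math.log2(choices_per_symbol))


def growth_comparison(length=8):
    """Bits gained by widening the alphabet from 26 to 95 vs. by doubling the length."""
    wider_alphabet = entropy_bits(95, length) - entropy_bits(26, length)
    doubled_length = entropy_bits(26, 2 * length) - entropy_bits(26, length)
    return wider_alphabet, doubled_length


def diceware_keys(num_words):
    """Roll five dice per word with a CSPRNG; each five-digit key indexes the Diceware list.
    Only the rolls are done here; turning keys into words needs the published list."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5)) for _ in range(num_words)]


def openssl_style_token(num_bytes):
    """Same construction as `openssl rand -base64 N`: N CSPRNG bytes, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def base64_bits_per_char(token):
    """Average bits of randomness per base64 character; exactly 6 when the byte count
    is a multiple of 3 (no '=' padding), as with the 12-byte token in the post."""
    raw_bits = len(base64.b64decode(token)) * 8
    return raw_bits / len(token.rstrip("="))


if __name__ == "__main__":
    print(f"5 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    print("symbols for 64 bits (words / lowercase / printable ASCII):",
          symbols_needed(64, DICEWARE_LIST_SIZE), symbols_needed(64, 26), symbols_needed(64, 95))
    print("bits from 26->95 alphabet vs. doubling length:", growth_comparison())
    token = openssl_style_token(12)
    print(token, base64_bits_per_char(token), "bits/char", diceware_keys(5))
```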
BitcoinPorn
June 29, 2011, 02:22:42 PM

> They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

And easier to remember: QWERTY12345, when you can remember a formula of "QWERTY12345x3", knowing the password is QWERTY12345QWERTY12345QWERTY12345. I like this theory. Stoners do too.
bcearl
June 29, 2011, 02:27:51 PM

> ...take a phrase, i.e. ilikepudding, as an example. Add some caps: IlikePuDDing. Add some numbers: I8LikePuDDing8. Add some special symbols: I8Lik#PuDD!ng8. Throw in an alt code or 2 (§╒ª◘): I8Lik#PuDD!ng8§. If you do all that you will be legit ![Cool](https://bitcointalk.org/Smileys/default/cool.gif)

That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make. You should not use such a password for encryption of wallets!
Misspelling protects against dictionary attacks NOT
thefussydutchman (Full Member, Activity: 142, Merit: 100)
July 09, 2011, 02:38:23 PM

Is Lastpass.com a good idea?
justusranvier (Legendary, Activity: 1400, Merit: 1009)
July 09, 2011, 03:21:59 PM

> Is Lastpass.com a good idea?

I've never had any problems with LastPass. I've even used the one-time password feature to access my account while traveling internationally without ever having it compromised.
fascistmuffin (Newbie, Activity: 56, Merit: 0)
July 09, 2011, 03:29:20 PM

KeePass is pretty nice for long random passwords that you don't have to remember. It just needs one offline password to open your key database files, which are encrypted.
Skeenz (Newbie, Activity: 24, Merit: 0)
July 09, 2011, 04:03:18 PM

+1 for KeePass! You can also have it require both a key file and a password to unlock... so it's much harder (read impossible) to easily brute force.
Phoenix (Newbie, Activity: 57, Merit: 0)
July 09, 2011, 04:08:09 PM (last edit: July 09, 2011, 04:18:20 PM by Phoenix)

+1 to the above. KeePass saved my Mt Gox password once already (thank the fsm I gained some insight through the forum and changed it a few days earlier). Since KeePass also accepts non-ASCII keyboard input for the main password, it may be a nice idea to also add another non-ASCII keyboard language and, switching to that one, write any set of words you can remember quickly (lyrics, etc.) with spaces and whatnot. I am guessing that this should provide quite a safe string of characters, very easy to remember. Take care.
cypherdoc (Legendary, Activity: 1764, Merit: 1002)
July 09, 2011, 06:54:45 PM

> > They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.
>
> And easier to remember: QWERTY12345, when you can remember a formula of "QWERTY12345x3", knowing the password is QWERTY12345QWERTY12345QWERTY12345. I like this theory. Stoners do too.

If you look through that list of MtGox passwords that got hacked, it's amazing how many derivations of that exact password there actually were.
spruce
July 09, 2011, 07:06:46 PM

> > ...take a phrase, i.e. ilikepudding, as an example. Add some caps: IlikePuDDing. Add some numbers: I8LikePuDDing8. Add some special symbols: I8Lik#PuDD!ng8. Throw in an alt code or 2 (§╒ª◘): I8Lik#PuDD!ng8§. If you do all that you will be legit ![Cool](https://bitcointalk.org/Smileys/default/cool.gif)
>
> That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make. You should not use such a password for encryption of wallets!

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space, assuming one hundred billion guesses per second, as 1.49 billion centuries. How is a password like this not secure?
bcearl
July 09, 2011, 07:46:02 PM

> > > ...take a phrase, i.e. ilikepudding, as an example. Add some caps: IlikePuDDing. Add some numbers: I8LikePuDDing8. Add some special symbols: I8Lik#PuDD!ng8. Throw in an alt code or 2 (§╒ª◘): I8Lik#PuDD!ng8§. If you do all that you will be legit ![Cool](https://bitcointalk.org/Smileys/default/cool.gif)
> >
> > That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make. You should not use such a password for encryption of wallets!
>
> A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space, assuming one hundred billion guesses per second, as 1.49 billion centuries. How is a password like this not secure?

Steve Gibson's site says: "It is NOT a “Password Strength Meter.”" Somebody had a similar password on MtGox and was cracked:

> Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases. ![Smiley](https://bitcointalk.org/Smileys/default/smiley.gif)

http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468
Misspelling protects against dictionary attacks NOT
error
July 09, 2011, 07:51:13 PM

> A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space, assuming one hundred billion guesses per second, as 1.49 billion centuries. How is a password like this not secure?

It's not secure because modern password crackers assume your password will be a series of words, and try "31337 speak" combinations such as substituting 3 for e, adding a few random characters on the end, etc. This approach is much faster and can crack such a password in days or even hours.
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
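An added example, not from the thread, of the point error makes above: the same password gets two very different strength estimates depending on whether the attacker is modelled as brute-forcing every character (what a "haystack" style calculator assumes) or as rewriting dictionary words. The dictionary size, rule-list size and tail alphabet are constructed assumptions for illustration, not measured values; the 100 billion guesses per second figure is the one spruce quoted, and the password is the cracked MtGox example bcearl quoted.

```python
import math
import re

# Constructed model parameters: illustrative assumptions, not measured values.
DICTIONARY_WORDS = 100_000   # entries in an attacker's word list
MANGLING_RULES = 10_000      # capitalisation / leet-speak rewrite rules tried per word
TAIL_ALPHABET = 95           # printable ASCII, for characters appended after the word
GUESSES_PER_SECOND = 1e11    # the rate spruce quoted: one hundred billion per second


def naive_bits(password):
    """Brute-force estimate of the kind a 'haystack' calculator gives: every position is
    an independent pick from the union of the character classes present in the password."""
    if not password:
        return 0.0
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet)


def mangled_bits(base_words, tail_chars):
    """Word-list estimate: choose base_words dictionary entries, one rewrite rule, and
    tail_chars appended characters. Leet substitutions cost the attacker only the rule list."""
    bits = base_words * math.log2(DICTIONARY_WORDS)
    bits += math.log2(MANGLING_RULES)
    bits += tail_chars * math.log2(TAIL_ALPHABET)
    return bits


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in a space of 2**bits at the given guess rate."""
    return 2 ** bits / rate


def compare(password, base_words, tail_chars):
    """Both estimates for one password: (naive_bits, mangled_bits, naive_seconds, mangled_seconds)."""
    n, m = naive_bits(password), mangled_bits(base_words, tail_chars)
    return n, m, seconds_to_exhaust(n), seconds_to_exhaust(m)


if __name__ == "__main__":
    # The cracked MtGox password quoted in the thread: 'blackbox' leet-mangled, tail '3!1'.
    n, m, ns, ms = compare("b1Ackb0x3!1", base_words=1, tail_chars=3)
    print(f"naive: {n:.1f} bits, {ns / 3.15e7:.0f} years; word-list model: {m:.1f} bits, {ms / 3600:.1f} hours")
```

Under these assumptions the same 11-character password goes from roughly 72 bits (centuries at that rate) to under 50 bits (a few hours), which is the gap between the calculator's number and what happened.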
spruce
July 09, 2011, 08:00:52 PM

> Somebody had a similar password on MtGox and was cracked:
>
> > Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases. ![Smiley](https://bitcointalk.org/Smileys/default/smiley.gif)
>
> http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password consisted of solely five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?
bcearl
July 09, 2011, 08:04:30 PM

> > Somebody had a similar password on MtGox and was cracked:
> >
> > > Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases. ![Smiley](https://bitcointalk.org/Smileys/default/smiley.gif)
> >
> > http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468
>
> You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password consisted of solely five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?

Some passwords weren't hashed with a modern method. But the one above was.
Misspelling protects against dictionary attacks NOT
spruce
July 09, 2011, 08:16:23 PM

> Some passwords weren't hashed with a modern method. But the one above was.

If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?
bcearl
July 09, 2011, 08:47:25 PM

> > Some passwords weren't hashed with a modern method. But the one above was.
>
> If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.
Misspelling protects against dictionary attacks NOT
spruce
July 09, 2011, 08:58:19 PM

> No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you. Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?
bcearl
July 09, 2011, 09:11:03 PM

> > No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.
>
> OK, thank you. Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.
Misspelling protects against dictionary attacks NOT