Bitcoin Forum
November 19, 2024, 06:30:16 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Regarding passwords  (Read 2774 times)
Gareth Nelson (OP)
Hero Member
*****
Offline Offline

Activity: 721
Merit: 503


View Profile
June 29, 2011, 11:12:01 AM
 #1

I'm pondering using this as a method to generate passwords, would anyone care to critique it for me?
http://sprunge.us/UKAg
luxgladius
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
June 29, 2011, 02:12:06 PM
 #2

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
June 29, 2011, 02:16:49 PM
 #3

Use OpenSSL to get better (cryptographically strong) random numbers.

like this:
Code:
$ openssl rand -base64 12
VSvl9WFLu7Y7bOR8

But note that you get 6 bits of information per character, because there are 2^6 = 64 possible chars.

Misspelling protects against dictionary attacks NOT
BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500


Posts: 69


View Profile WWW
June 29, 2011, 02:22:42 PM
 #4

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

And easier to remember.

QWERTY12345 when you can remember a formula of "QWERTY12345x3" knowing the password is QWERTY12345QWERTY12345QWERTY12345

I like this theory.  Stoners do too.

bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
June 29, 2011, 02:27:51 PM
 #5

...take a phrase ie ilikepudding as an example

add some caps

IlikePuDDing

add some numbers

I8LikePuDDing8

Add some special symbols

I8Lik#PuDD!ng8

Throw in an alt code or 2

§╒ª◘


I8Lik#PuDD!ng8§

If you do all that you will be legit  Cool


That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make.

You should not use such for encryption of wallets!

Misspelling protects against dictionary attacks NOT
thefussydutchman
Full Member
***
Offline Offline

Activity: 142
Merit: 100

BTC- Its not a bubble.


View Profile
July 09, 2011, 02:38:23 PM
 #6

Is Lastpass.com a good idea?
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
July 09, 2011, 03:21:59 PM
 #7

Is Lastpass.com a good idea?
I've never had any problems with LastPass. I've even used the one-time password feature to access my account while traveling internationally without ever having it compromised.
fascistmuffin
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
July 09, 2011, 03:29:20 PM
 #8

KeePass is pretty nice for long random pass that you don't have to remember. It just needs one offline password to open your key database files, which are encrypted.
Skeenz
Newbie
*
Offline Offline

Activity: 24
Merit: 0



View Profile WWW
July 09, 2011, 04:03:18 PM
 #9

+1 for KeePass!
You can also have it require both a key file and a password to unlock... so it's much harder (read impossible) to easily brute force.
Phoenix
Newbie
*
Offline Offline

Activity: 57
Merit: 0



View Profile
July 09, 2011, 04:08:09 PM
Last edit: July 09, 2011, 04:18:20 PM by Phoenix
 #10

+1 to the aboves. Keypass saved my Mt gox password once already (thank the fsm I gained some insight through the forum and changed it a few days earlier). Since keypass also accepts not only ascii keyboard inputs for the main password, it may be a nice idea to also add another non ascii keyboard language and switching to that one, write any set of words you can remember quickly (lyrics, etc) with spaces and whatnot. I am guessing that this should provide quite a safe string of characters, very easy to remember. Take care.
cypherdoc
Legendary
*
Offline Offline

Activity: 1764
Merit: 1002



View Profile
July 09, 2011, 06:54:45 PM
 #11

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

And easier to remember.

QWERTY12345 when you can remember a formula of "QWERTY12345x3" knowing the password is QWERTY12345QWERTY12345QWERTY12345

I like this theory.  Stoners do too.

if you look thru that list of mtgox passwords that got hacked its amazing how many derivations of that exact password there actually was.
spruce
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
July 09, 2011, 07:06:46 PM
 #12

...take a phrase ie ilikepudding as an example

add some caps

IlikePuDDing

add some numbers

I8LikePuDDing8

Add some special symbols

I8Lik#PuDD!ng8

Throw in an alt code or 2

§╒ª◘


I8Lik#PuDD!ng8§

If you do all that you will be legit  Cool


That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make.

You should not use such for encryption of wallets!

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space assuming one hundred billion guesses per second at 1.49 billion centuries.

How is a password like this not secure?
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
July 09, 2011, 07:46:02 PM
 #13

...take a phrase ie ilikepudding as an example

add some caps

IlikePuDDing

add some numbers

I8LikePuDDing8

Add some special symbols

I8Lik#PuDD!ng8

Throw in an alt code or 2

§╒ª◘


I8Lik#PuDD!ng8§

If you do all that you will be legit  Cool


That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make.

You should not use such for encryption of wallets!

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space assuming one hundred billion guesses per second at 1.49 billion centuries.

How is a password like this not secure?

Steve Gibson's site says:
Quote
It is NOT a “Password Strength Meter.”

Somebody had a similar password on MtGox and was cracked:

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley
http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

Misspelling protects against dictionary attacks NOT
error
Hero Member
*****
Offline Offline

Activity: 588
Merit: 500



View Profile
July 09, 2011, 07:51:13 PM
 #14

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space assuming one hundred billion guesses per second at 1.49 billion centuries.

How is a password like this not secure?

It's not secure because modern password crackers assume your password will be a series of words, and try "31337 speak" combinations such as substituting 3 for e, adding a few random characters on the end, etc. This approach is much faster and can crack such a password in days or even hours.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
spruce
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
July 09, 2011, 08:00:52 PM
 #15


Somebody had a similar password on MtGox and was cracked:

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley
http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password  consisted of solely five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
July 09, 2011, 08:04:30 PM
 #16


Somebody had a similar password on MtGox and was cracked:

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley
http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password  consisted of solely five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?

Some passwords weren't hashed with a modern method. But the one above was.

Misspelling protects against dictionary attacks NOT
spruce
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
July 09, 2011, 08:16:23 PM
 #17


Some passwords weren't hashed with a modern method. But the one above was.

If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
July 09, 2011, 08:47:25 PM
 #18


Some passwords weren't hashed with a modern method. But the one above was.

If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

Misspelling protects against dictionary attacks NOT
spruce
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
July 09, 2011, 08:58:19 PM
 #19


No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
July 09, 2011, 09:11:03 PM
 #20


No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.

Misspelling protects against dictionary attacks NOT
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!