luxgladius
Newbie
Offline
Activity: 28
Merit: 0
June 29, 2011, 02:12:06 PM

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

bcearl
June 29, 2011, 02:16:49 PM

Use OpenSSL to get better (cryptographically strong) random numbers, like this:

$ openssl rand -base64 12
VSvl9WFLu7Y7bOR8

But note that you get 6 bits of information per character, because there are 2^6 = 64 possible chars.

Misspelling protects against dictionary attacks NOT

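The entropy arithmetic behind luxgladius's Diceware suggestion and bcearl's 6-bits-per-character note, as an added example that is not code from the thread or from any poster. The 36-word list is a constructed stand-in for the real 7776-word (6^5) Diceware list so the block runs offline, and Python's `secrets` module plays the role of the dice and of `openssl rand`; the function names are my own.

```python
"""Entropy accounting for Diceware-style passphrases and openssl-style random
strings. Added example, not code from the thread. The 36-word list is a
constructed stand-in for the real 7776-word (6^5) Diceware list."""
import base64
import math
import secrets

# Constructed 36-word list, indexed by two dice (6^2 = 36).
WORDLIST = [
    "apple", "bread", "cloud", "delta", "eagle", "flint",
    "grape", "house", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "olive", "piano", "quilt", "river",
    "stone", "tiger", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "acorn", "brick", "candy", "daisy",
    "ember", "fable", "glide", "honey", "ivory", "jumbo",
]


def roll_dice(n):
    """n fair dice from the OS CSPRNG (secrets), values 1..6."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_to_index(rolls):
    """Read dice values as a base-6 number: [1,1,1,1,1] -> 0, [6,6,6,6,6] -> 7775."""
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware(n_words, wordlist=WORDLIST):
    """Pick n_words by dice roll. len(wordlist) must be a power of 6 so every
    roll maps to exactly one word and the choice is uniform."""
    dice_per_word = round(math.log(len(wordlist), 6))
    assert 6 ** dice_per_word == len(wordlist), "wordlist size must be 6^k"
    return " ".join(wordlist[dice_to_index(roll_dice(dice_per_word))]
                    for _ in range(n_words))


def passphrase_bits(n_words, list_size=7776):
    """Entropy of n uniformly chosen words: n * log2(list_size); 5 Diceware words ~ 64.6 bits."""
    return n_words * math.log2(list_size)


def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def search_space(alphabet_size, length):
    """Strings an exhaustive search must cover: exponential in length,
    only polynomial (degree = length) in alphabet size."""
    return alphabet_size ** length


def openssl_rand_base64(nbytes):
    """Equivalent of `openssl rand -base64 N`: N CSPRNG bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def base64_bits_per_char(nbytes):
    """8*nbytes bits of entropy spread over the output characters: 6.0 when nbytes is a multiple of 3."""
    return 8 * nbytes / len(openssl_rand_base64(nbytes))


if __name__ == "__main__":
    print("passphrase:", diceware(5),
          f"({passphrase_bits(5, len(WORDLIST)):.1f} bits from this toy list)")
    print(f"5 real Diceware words: {passphrase_bits(5):.1f} bits")
    print(f"openssl rand -base64 12 -> {openssl_rand_base64(12)} "
          f"({base64_bits_per_char(12):.0f} bits/char)")
    print(f"16 lowercase letters: {search_space(26, 16):.2e} "
          f"vs 8 printable ASCII: {search_space(95, 8):.2e}")
```

`search_space(26, 16)` is larger than `search_space(95, 8)`, which is the "length beats alphabet" point in concrete numbers. The bits-per-word figure only holds when every word is drawn uniformly from the list by dice or a CSPRNG; a passphrase the user composes by hand from favourite words has far less entropy than the formula suggests.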
BitcoinPorn
June 29, 2011, 02:22:42 PM

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

And easier to remember. Why use QWERTY12345 when you can remember a formula of "QWERTY12345x3", knowing the password is QWERTY12345QWERTY12345QWERTY12345? I like this theory. Stoners do too.

bcearl
June 29, 2011, 02:27:51 PM

...take a phrase, i.e. ilikepudding, as an example. Add some caps: IlikePuDDing. Add some numbers: I8LikePuDDing8. Add some special symbols: I8Lik#PuDD!ng8. Throw in an alt code or 2 (§╒ª◘): I8Lik#PuDD!ng8§. If you do all that you will be legit.

That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make. You should not use such for encryption of wallets!
thefussydutchman
Full Member
Offline
Activity: 142
Merit: 100
BTC- It's not a bubble.
July 09, 2011, 02:38:23 PM

Is Lastpass.com a good idea?

justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
July 09, 2011, 03:21:59 PM

Is Lastpass.com a good idea?
I've never had any problems with LastPass. I've even used the one-time password feature to access my account while traveling internationally without ever having it compromised.

fascistmuffin
Newbie
Offline
Activity: 56
Merit: 0
July 09, 2011, 03:29:20 PM

KeePass is pretty nice for long random pass that you don't have to remember. It just needs one offline password to open your key database files, which are encrypted.

Skeenz
Newbie
Offline
Activity: 24
Merit: 0
July 09, 2011, 04:03:18 PM

+1 for KeePass! You can also have it require both a key file and a password to unlock... so it's much harder (read impossible) to easily brute force.

Phoenix
Newbie
Offline
Activity: 57
Merit: 0
July 09, 2011, 04:08:09 PM
Last edit: July 09, 2011, 04:18:20 PM by Phoenix

+1 to the above. KeePass saved my Mt Gox password once already (thank the FSM I gained some insight through the forum and changed it a few days earlier). Since KeePass also accepts not only ASCII keyboard inputs for the main password, it may be a nice idea to also add another non-ASCII keyboard language and, switching to that one, write any set of words you can remember quickly (lyrics, etc.) with spaces and whatnot. I am guessing that this should provide quite a safe string of characters, very easy to remember. Take care.

cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
July 09, 2011, 06:54:45 PM

They're undoubtedly (probably) secure passwords, but they seem hard to remember. I mentioned this in another thread, but another option aside from including uppercase, lowercase, numbers and symbols is to create a long password with just plain English words, which are much easier to remember. Check out http://www.diceware.com for example. Long passwords result in exponential growth in complexity, rather than just polynomial growth by including more symbols.

And easier to remember. Why use QWERTY12345 when you can remember a formula of "QWERTY12345x3", knowing the password is QWERTY12345QWERTY12345QWERTY12345? I like this theory. Stoners do too.

If you look through that list of MtGox passwords that got hacked, it's amazing how many derivations of that exact password there actually were.

spruce
July 09, 2011, 07:06:46 PM

...take a phrase, i.e. ilikepudding, as an example. Add some caps: IlikePuDDing. Add some numbers: I8LikePuDDing8. Add some special symbols: I8Lik#PuDD!ng8. Throw in an alt code or 2 (§╒ª◘): I8Lik#PuDD!ng8§. If you do all that you will be legit.

That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make. You should not use such for encryption of wallets!

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space, assuming one hundred billion guesses per second, at 1.49 billion centuries. How is a password like this not secure?

bcearl
July 09, 2011, 07:46:02 PM

...take a phrase, i.e. ilikepudding, as an example. Add some caps: IlikePuDDing. Add some numbers: I8LikePuDDing8. Add some special symbols: I8Lik#PuDD!ng8. Throw in an alt code or 2 (§╒ª◘): I8Lik#PuDD!ng8§. If you do all that you will be legit.

That's not secure. That would work for an online login, because it can limit the number of trials an attacker can make. You should not use such for encryption of wallets!

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space, assuming one hundred billion guesses per second, at 1.49 billion centuries. How is a password like this not secure?

Steve Gibson's site says: It is NOT a “Password Strength Meter.”

Somebody had a similar password on MtGox and was cracked:

Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases.
http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468
error
July 09, 2011, 07:51:13 PM

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space, assuming one hundred billion guesses per second, at 1.49 billion centuries. How is a password like this not secure?

It's not secure because modern password crackers assume your password will be a series of words, and try "31337 speak" combinations such as substituting 3 for e, adding a few random characters on the end, etc. This approach is much faster and can crack such a password in days or even hours.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8

spruce
July 09, 2011, 08:00:52 PM

Somebody had a similar password on MtGox and was cracked: Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases. http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password consisted solely of five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?

bcearl
July 09, 2011, 08:04:30 PM

Somebody had a similar password on MtGox and was cracked: Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases. http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password consisted solely of five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?

Some passwords weren't hashed with a modern method. But the one above was.
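The attack error describes a few posts up (dictionary words run through "31337" substitutions and append rules rather than a character-by-character brute force), together with bcearl's two points that the guess budget only matters once the attacker holds the hash offline and that how the password was hashed decides what that budget buys, as an added example that is not code from the thread or from any poster. WORDLIST is a constructed six-word stand-in for a real multi-million-entry list, LEET and SUFFIX_MASK are a small subset of a real hashcat or John rule set, and SALT and the PBKDF2 iteration count are illustrative choices; the thread does not say which "modern method" MtGox used, so unsalted MD5 stands in for the fast case and PBKDF2-HMAC-SHA256 for a salted, iterated one.

```python
"""Dictionary-plus-rules cracker with a pluggable hash function.
Added example, not code from the thread. WORDLIST is a constructed six-word
stand-in for a real multi-million-entry list, LEET and SUFFIX_MASK are a
small subset of a real rule set, and SALT and the PBKDF2 iteration count are
illustrative choices."""
import hashlib
import itertools
import string
import time

WORDLIST = ["blackbox", "pudding", "bitcoin", "password", "dragon", "monkey"]
# "31337" substitutions: each eligible letter may stay or take one of these.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}
# Appended digit-symbol-digit, like a hashcat ?d?s?d mask; the empty suffix is tried too.
SUFFIX_MASK = (string.digits, string.punctuation, string.digits)
SALT = b"constructed-salt"


def case_variants(word):
    """lowercase, Capitalised, UPPER, then every single-position toggle (hashcat l, c, u, TN)."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()
    for i in range(len(word)):
        yield word[:i] + word[i].swapcase() + word[i + 1:]


def leet_variants(word):
    """Every combination of applying or skipping a LEET substitution at each position."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def suffixes():
    yield ""
    for combo in itertools.product(*SUFFIX_MASK):
        yield "".join(combo)


def candidates(wordlist=WORDLIST):
    """The whole mangled search space, one word at a time."""
    for word in wordlist:
        for cased in case_variants(word):
            for leet in leet_variants(cased):
                for suffix in suffixes():
                    yield leet + suffix


def space_size(wordlist=WORDLIST):
    """Exact size of candidates(wordlist), computed without enumerating it."""
    n_suffix = 1 + len(SUFFIX_MASK[0]) * len(SUFFIX_MASK[1]) * len(SUFFIX_MASK[2])
    total = 0
    for word in wordlist:
        n_leet = 1
        for ch in word:
            n_leet *= 1 + len(LEET.get(ch.lower(), ""))
        total += (len(word) + 3) * n_leet * n_suffix
    return total


def brute_force_size(length, alphabet_size=95):
    """What a 'haystack' style calculator counts: every printable-ASCII string of that length."""
    return alphabet_size ** length


def md5_unsalted(password, salt=b""):
    """Fast unsalted hash: one cheap operation per guess, salt ignored."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password, salt=SALT, iterations=20_000):
    """Salted, iterated hash: each guess costs `iterations` HMACs, for attacker and defender alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack(target, hash_fn, salt=b"", wordlist=WORDLIST, limit=None):
    """Walk the mangled space against one leaked digest. Returns (plaintext, guesses) or (None, guesses)."""
    guesses = 0
    for guesses, guess in enumerate(candidates(wordlist), start=1):
        if hash_fn(guess, salt) == target:
            return guess, guesses
        if limit is not None and guesses >= limit:
            break
    return None, guesses


def guesses_per_second(hash_fn, salt=b"", sample=200):
    """Measured rate on this machine; the ratio between the two hash functions is the point."""
    start = time.perf_counter()
    for guess in itertools.islice(candidates(), sample):
        hash_fn(guess, salt)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    leaked = md5_unsalted("b1Ackb0x3!1")  # what an unsalted MD5 dump would hold
    found, n = crack(leaked, md5_unsalted)
    print(f"recovered {found!r} after {n:,} guesses; mangled space {space_size():,} "
          f"vs 95^11 = {brute_force_size(11):.1e} for brute force")
    fast = guesses_per_second(md5_unsalted)
    slow = guesses_per_second(pbkdf2_salted, SALT, sample=20)
    print(f"md5 {fast:,.0f}/s vs pbkdf2 {slow:,.0f}/s; whole space takes "
          f"{space_size() / fast:,.0f}s vs {space_size() / slow:,.0f}s")
```

With this toy list the mangled space is a few million candidates, against the roughly 5.7e21 strings a haystack-style calculator counts for an 11-character password, which is why b1Ackb0x3!1 falls out of the first word after a couple of hundred thousand guesses. The same walk under PBKDF2 costs 20,000 HMACs per guess instead of one MD5, so the attacker's rate drops by that factor and the salt stops one computed guess from being checked against every hash in the dump at once; none of that helps an online login, where the server's lockout, not the hash, bounds the trials.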
spruce
July 09, 2011, 08:16:23 PM

Some passwords weren't hashed with a modern method. But the one above was.
If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?

bcearl
July 09, 2011, 08:47:25 PM

Some passwords weren't hashed with a modern method. But the one above was.
If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?
No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.
spruce
July 09, 2011, 08:58:19 PM

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.
OK, thank you. Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

bcearl
July 09, 2011, 09:11:03 PM

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.
OK, thank you. Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?
Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.