Bitcoin Forum
Author Topic: Regarding passwords  (Read 2722 times)
error
Hero Member
Activity: 588
Merit: 500
July 10, 2011, 06:04:13 PM
#21

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.

It doesn't really matter, since b1Ackb0x3!1 is not a strong password to begin with.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
"Bitcoin: mining our own business since 2009" -- Pieter Wuille
bcearl
Full Member
Activity: 168
Merit: 103
July 11, 2011, 08:28:22 AM
#22

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.

It doesn't really matter, since b1Ackb0x3!1 is not a strong password to begin with.

That's my point. Because some guys in this thread claimed their similar passwords to be strong.

Misspelling protects against dictionary attacks NOT
spruce
Full Member
Activity: 140
Merit: 100
July 11, 2011, 10:26:03 AM
Last edit: July 11, 2011, 10:52:15 AM by spruce
#23

How about you guys who are saying that b1Ackb0x3!1 is not strong drop it into a sign-up page somewhere to *any* site that checks password strength and see what it says?

Better idea, since I could maybe guess what your response will be — those sites don't take leetspeak into account — is there someone who actually cracks passwords for a living who would comment on it? Now, I know that if there is someone here who actually does do that for a living they are not likely to admit it, but I'm just interested in a "professional" view.

If you examine the 4.9-million-word "Ultimate Password List" at http://area51archives.com/index.php?title=Ultimate_Password_List (15MB .rar file that unpacks into 6 text files), here are the alphabetical entries around "b1", which is how b1Ackb0x3!1 starts. Why would a hacker zero in on that area if he had *no information at all* about the password?

bévue
b's
b'tje
b-52's
b-ball
b-dur
b-spline
b.c
b0
b1
b2
b21
b3
b4
b43
b5
b52's
b6
b7
b8
b9
ba

I think a hacker would first use a password list like this. After failing with the password list he would resort to a brute force attack if he was *really* determined to get at that specific account using a computer-based approach and not social engineering or a rubber-hose attack. Plugging b1Ackb0x3!1 into Steve Gibson's Interactive Brute Force Password “Search Space” Calculator at https://www.grc.com/haystack.htm gives 1.83 billion centuries as the time required to exhaustively search that password's space in an online attacking scenario, 18.23 centuries in an offline fast attack scenario, and 1.83 years in a hypothetical "massive cracking array" scenario at a hypothetical one hundred trillion guesses per second.

If you are going to latch on to that "1.83 years" and say, "See, told you, it's not strong," well. . . .
bcearl
Full Member
Activity: 168
Merit: 103
July 11, 2011, 11:54:08 AM
#24

Gibson's calculator is not a password strength meter. There is an explicit disclaimer, dude!


Quote
but I'm just interested in a "professional" view.
You prefer authority over arguments? Authorities will tell you to stop using bitcoin.

Misspelling protects against dictionary attacks NOT
spruce
Full Member
Activity: 140
Merit: 100
July 11, 2011, 12:55:43 PM
#25

Gibson's calculator is not a password strength meter. There is an explicit disclaimer, dude!


Quote
but I'm just interested in a "professional" view.
You prefer authority over arguments? Authorities will tell you to stop using bitcoin.

I have nothing further to add. You win. :)
error
Hero Member
Activity: 588
Merit: 500
July 11, 2011, 07:08:21 PM
#26

How about you guys who are saying that b1Ackb0x3!1 is not strong drop it into a sign-up page somewhere to *any* site that checks password strength and see what it says?

Better idea, since I could maybe guess what your response will be — those sites don't take leetspeak into account — is there someone who actually cracks passwords for a living who would comment on it? Now, I know that if there is someone here who actually does do that for a living they are not likely to admit it, but I'm just interested in a "professional" view.

You already received such an opinion and then disregarded it.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
bcearl
Full Member
Activity: 168
Merit: 103
July 12, 2011, 05:48:50 AM
#27

I have nothing further to add. You win. :)

But I have another tip for you: You can use it as a strength meter by choosing each character at random. This means each possible character must have the exact same probability, and this should not depend on previous characters.

Some passwords that meet these standards:

Code:
2L~aDJS_- 2K
w/r1V`0I*U.L
:Hp$Gn7[$m+(

Misspelling protects against dictionary attacks NOT
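As an added example (not code posted by anyone in this thread), here is the "each character independent and uniform" rule from the post above written out, using the same 94-character alphabet (52 letters, 10 digits, 32 specials) the thread later counts. The helper names and the 12-character default length are my choices; the guess rate of 10^14 per second is taken from the "massive cracking array" figure quoted earlier in the thread, and the comparison is for a fully random 12-character string, not for b1Ackb0x3!1.

```python
"""Added example (not code from the thread): build a password by drawing
each character independently and uniformly from the 94 printable non-space
ASCII characters, then measure what that buys in entropy and check that the
letter/digit/special mix matches what uniform sampling predicts.
"""
import math
import secrets
import string
from collections import Counter

# 26 + 26 letters, 10 digits, 32 special characters = 94, the alphabet the
# thread counts (space left out; many sites mishandle it).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 12) -> str:
    """Every position is an independent, uniform draw from ALPHABET.

    secrets.choice() reads the OS CSPRNG (getrandom() on current Linux) and
    picks the index by rejection sampling, so unlike `os.urandom(1)[0] % 94`
    it does not favour the first 256 % 94 = 68 characters of the alphabet.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password made of `length` independent uniform draws."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Years to try every password of this length at the given guess rate
    (a full search; the expected time to hit one password is half of it)."""
    return len(ALPHABET) ** length / guesses_per_second / (365.25 * 86400)


def char_class(c: str) -> str:
    """Classify one character the way the thread does."""
    if c.isalpha():
        return "letter"
    if c.isdigit():
        return "digit"
    return "special"


def expected_mix() -> dict:
    """Fraction of each class under uniform sampling: 52/94, 10/94, 32/94."""
    counts = Counter(char_class(c) for c in ALPHABET)
    return {k: v / len(ALPHABET) for k, v in counts.items()}


def observed_mix(n_chars: int) -> dict:
    """Class fractions over n_chars freshly generated characters; with a
    correct generator this converges on expected_mix()."""
    counts = Counter(char_class(c) for c in generate_password(n_chars))
    return {k: counts[k] / n_chars for k in ("letter", "digit", "special")}


if __name__ == "__main__":
    pw = generate_password(12)
    print(pw, f"{entropy_bits(12):.1f} bits")
    print(f"exhaustive search at 1e14 guesses/s: {years_to_exhaust(12, 1e14):.0f} years")
    print("expected mix:", {k: round(v, 3) for k, v in expected_mix().items()})
    print("observed mix:", {k: round(v, 3) for k, v in observed_mix(100_000).items()})
```

Twelve uniform draws from 94 symbols give about 78.7 bits, and even a full search at 10^14 guesses per second takes roughly 150 years; a password built from a dictionary word plus substitutions gets none of that guarantee, because a cracker's rule set enumerates those substitutions long before falling back to brute force.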
theymos
Administrator
Legendary
Activity: 5180
Merit: 12900
July 12, 2011, 08:30:42 AM
#28

Certain configurations of the characters are much less likely than others. It would be better to randomize each character individually.

For my master passwords, I roll physical dice to get the randomness. Less secure passwords can use /dev/random. Additional hashing isn't necessary: /dev/random is already mixed using hashing.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
bcearl
Full Member
Activity: 168
Merit: 103
July 12, 2011, 08:51:46 AM
#29

Certain configurations of the characters are much less likely than others. It would be better to randomize each character individually.

Exactly. That's how I generated the example passwords. The first thing you see is that special characters come up much more often than in most user-chosen passwords.

In plain 7-bit ASCII there are:
- 26+26 letters
- 10 digits
- 32 special characters

This means that on average only 55.3 % of characters should be letters and 34.0 % should be special characters.


Quote
For my master passwords, I roll physical dice to get the randomness. Less secure passwords can use /dev/random. Additional hashing isn't necessary: /dev/random is already mixed using hashing.

/dev/random on modern Linux systems is way better than dice you get in toy shops.

Misspelling protects against dictionary attacks NOT
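The two posts above agree that each character must be drawn individually and uniformly; what neither spells out is how to get a uniform pick from a 94-symbol alphabet out of six-sided dice. This added example (my code, not anything posted in the thread) does it with rejection sampling: three rolls give 216 equally likely outcomes, 216 = 2 * 94 + 28, so the top 28 outcomes are discarded and re-rolled instead of being wrapped around with a modulo. It computes the exact per-character probabilities for both mappings over all 216 triples, so the bias of the naive version is visible without any sampling. The roll encoding and the function names are my assumptions; the simulated dice use the OS CSPRNG only so the script can run without a physical die.

```python
"""Added example, not from the thread: turning d6 rolls into uniformly
random password characters from the 94-symbol printable ASCII alphabet.
"""
import itertools
import secrets
import string
from collections import Counter
from fractions import Fraction

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
OUTCOMES = 6 ** 3                                       # three rolls: 216 outcomes
ACCEPT_LIMIT = OUTCOMES - OUTCOMES % len(ALPHABET)      # 188 = largest multiple of 94 <= 216


def rolls_to_index(rolls) -> int:
    """Encode three d6 rolls (each 1..6) as a base-6 number 0..215."""
    if len(rolls) != 3 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need three rolls, each 1..6")
    return (rolls[0] - 1) * 36 + (rolls[1] - 1) * 6 + (rolls[2] - 1)


def char_biased(rolls) -> str:
    """WRONG mapping: modulo wrap. Outcomes 188..215 land on characters
    0..27 a third time, so those 28 characters are 50 % more likely."""
    return ALPHABET[rolls_to_index(rolls) % len(ALPHABET)]


def char_unbiased(rolls):
    """Correct mapping: reject outcomes >= 188 (about 13 % of triples) and
    roll again; every accepted outcome maps to exactly one character."""
    n = rolls_to_index(rolls)
    if n >= ACCEPT_LIMIT:
        return None
    return ALPHABET[n % len(ALPHABET)]


def distribution(mapper) -> dict:
    """Exact probability of each character over all 216 roll triples,
    conditioned on the triple being accepted."""
    counts = Counter()
    for rolls in itertools.product(range(1, 7), repeat=3):
        c = mapper(rolls)
        if c is not None:
            counts[c] += 1
    total = sum(counts.values())
    return {c: Fraction(k, total) for c, k in counts.items()}


def password_from_rolls(roll_stream, length: int) -> str:
    """Consume rolls three at a time, skipping rejected triples, until
    `length` characters have been produced."""
    it = iter(roll_stream)
    out = []
    while len(out) < length:
        triple = tuple(itertools.islice(it, 3))
        if len(triple) < 3:
            raise ValueError("ran out of rolls")
        c = char_unbiased(triple)
        if c is not None:
            out.append(c)
    return "".join(out)


def simulated_dice():
    """Stand-in for a physical die so the script runs offline (CSPRNG-backed)."""
    while True:
        yield secrets.randbelow(6) + 1


if __name__ == "__main__":
    biased = distribution(char_biased)
    fair = distribution(char_unbiased)
    print("modulo mapping:  max", max(biased.values()), "min", min(biased.values()))
    print("rejection mapping: every char", set(fair.values()), "over", len(fair), "chars")
    print("12 chars from simulated dice:", password_from_rolls(simulated_dice(), 12))
```

With real dice the procedure is the same: roll three times, write the rolls down, and if the encoded value is 188 or more throw the triple away and roll again. The reject rate of 28/216 costs about one extra triple per eight characters, which is cheap compared with the bias that the modulo shortcut introduces into every single character.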