Topic: password strength philosophy

andy_5995
password strength philosophy
« on: 15 January 2016, 01:13:14 »
Opinions on this?

Quote
Which of the following two passwords is stronger,
more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!

Password Haystacks

jammyjamjamman
Re: password strength philosophy
« Reply #1 on: 13 November 2016, 03:24:00 »
Good password-security software should allow ANY UTF-8 character for each character in your password. The software should also store your password by performing an irreversible, collision-free hash on it (and do other things like salting). Consider the two passwords created using my theoretical good password software:

adba
.3gV

Which is stronger? The answer is, they're both equally strong. Why? Because the software uses UTF-8 encoding for each character in the password, and has processed the passwords using an irreversible hash. This means as far as the hacker is concerned, the number of possible characters for each character is 256*, for both passwords, regardless of the variety of characters used. To increase the strength of the password, you have to add more characters, not increase the variety.

The problem is, not everyone is very good at writing software :P . Some password-software devs block the use of special characters and/or numbers, thus reducing the number of possible characters per character. Also, if the security software uses partially-reversible/reversible hashing (*cough cough ADOBE*), then using numbers and special characters can still sometimes prevent your password from being cracked.

The most common way a hacker cracks a password these days is by either (a) phishing/social engineering or (b) guessing your password. (a) can be avoided by being careful about whom you give it to and where. (b) is avoided by not picking predictable passwords (e.g. "password" or "password1234" or "passw0rd", or making the password and username the same; there are many other examples to avoid).

Another idea is to use some piece of software which creates ridiculously long passwords + stores them hashed, and requires a master password, created by the user to decrypt them. Maybe in the future if we can get some trustworthy biometrics we won't need to worry about all this :P .

*note that if you use certain UTF-8 characters, depending on the software you can increase the number of possible characters per character to 2^64.
"All right, I've been thinking. When life gives you lemons? Don't make lemonade. Make life take the lemons back! Get mad! 'I don't want your damn lemons! What am I supposed to do with these?'" ~Cave Johnson, Portal 2
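To make the two models in this thread concrete, here is an added example (not code from GRC's Password Haystacks page or from either poster) that computes the search space of the two quoted passwords under the Haystacks model from the opening post (alphabet = sum of the character classes present, 26+26+10+33 = 95, every length from 1 up to the password's length) and under jammyjamjamman's reply, where the verifier accepts any byte so each position is one of 256 values and only length matters. The class sizes and the 256-per-byte assumption are taken from the posts; the function names are mine.

```python
import string

# Constructed input: the two passwords quoted in the opening post.
SHORT_CHARSET_PASSWORD = "D0g....................."      # 24 characters
RANDOM_PASSWORD = "PrXyc.N(n4k77#L!eVdAfp9"             # 23 characters

# Character classes and sizes used by the Haystacks model: 26 + 26 + 10 + 33 = 95.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def haystack_alphabet(password: str) -> int:
    """Alphabet the attacker is assumed to search: the sum of every class
    that occurs at least once in the password (Haystacks model)."""
    present = set(password)
    return sum(size for chars, size in CLASSES if present & chars)


def search_space(alphabet: int, length: int) -> int:
    """Guesses needed to exhaust every string of length 1..length."""
    return sum(alphabet ** i for i in range(1, length + 1))


def haystack_space(password: str) -> int:
    """Search space under the Haystacks model (class-derived alphabet)."""
    return search_space(haystack_alphabet(password), len(password))


def byte_space(password: str) -> int:
    """jammyjamjamman's model: any byte is accepted, so a brute-force attacker
    must treat each position as one of 256 values; only length matters."""
    return search_space(256, len(password.encode("utf-8")))


def strength_ratio(model, a: str, b: str) -> float:
    """How many times larger a's search space is than b's under `model`."""
    return model(a) / model(b)


if __name__ == "__main__":
    for name, model in (("haystack", haystack_space), ("byte", byte_space)):
        r = strength_ratio(model, SHORT_CHARSET_PASSWORD, RANDOM_PASSWORD)
        print(f"{name} model: first password's space is {r:.2f}x the second's")
```

Both models reproduce the thread's numbers: the 24-character padded password comes out about 95 times larger under the Haystacks model and 256 times larger under the byte model, and "adba" and ".3gV" are equal only under the byte model.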