[clug] [OT] all text passwords == secure?

Sam Couter sam at couter.id.au
Tue Aug 28 09:00:48 MDT 2012 

Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
> A dictionary attack is too easy - and it's the first attack tried. Add
> just one non alpha character to that multi word string and only brute
> force will guess it - then you have a much harder password to break.
> Much, much harder.

As I've already pointed out, the dictionary attack on long combinations
of words is expensive. Your "much, much harder" is really only a few
more bits, most likely less than adding another word, and more difficult
to remember.

> The difference between brute forcing 8 characters and brute forcing 25
> characters is greater by a large factor than the difference between
> brute forcing 8 characters and a dictionary attack on 4 words - even if
> the speed of the attack is only a million attempts per second.

Yes, it's well established that longer passwords beat more complex
passwords. But your 25 character password is unrealistic, nobody is ever
going to use or remember one. There's no point in even talking about it.

> But adding one non alpha character is apparently "too hard".

Cognitive load for that one character is higher than for one word and
doesn't provide as much benefit. It's a poor tradeoff.

> That's the
> problem - not that people are really so retarded they can't pick a non
> alpha character, remember it, and add it to all their passwords (just
> not as the last character or as a alpha substitution).

Here's something else you need to think about when determining the
strength of a password: You need to assume the cracker knows something
about how you generated your password. If everybody does what you say,
it will simply be added to dictionaries and cracking strategies. You may
also be forgetting that humans are notoriously bad at random selection,
as you've shown with "add it to all their passwords". Do you not see
that using the same character for all your passwords is not very helpful?

> Most of the math people are trotting out is just fetishism - it should
> *never* apply. Any system that allow fast password attempts (more than a
> few per minute) or a large number of failed attempts is a bad system -
> regardless of how many "developers" "need" the ability to fail all day long.

Having a limit of a thousand guesses an hour is still enough to stop
brute force attacks against even fairly weak/short passwords. Locking an
account after three attempts is paranoia. The real advantage to password
strength is offline attacks on password hashes. Account lockouts don't
help with that.

> What you are missing is that the XKCD strip is being interprete to mean
> that number of words (total of 25 characters) is *less* vulnerable to a
> brute force (try all 218 characters) attack on 8 mixed character. It is.
> What the strip misses is that in real life (not a comic strip) an attack
> would *not* be brute force - it'd be a dictionary attack.

In real life, people don't use a 218 character set. They use less than
90. I've already shown that four English words (17 * 4 = 64 bits) is much
less vulnerable even to a dictionary attack than a normal 8 character
password (8 * 6.5 = 52 bits) is to brute force.

> Do you get the point where the extra non alpha character *forces* a
> brute force attack? Whereas without it entropy doesn't apply because
> entropy is a measure of randomness - which does *not* apply to
> dictionary attacks.

A dictionary attack is already rediculously expensive against a five
word passphrase, this brute force you seem obsessed with is meaningless.

> It applies to any system that uses a standard keyboard.

... so only those systems that see less and less use these days?

> People don't type 25 characters of words into their phone - and banking
> terminals don't allow for alpha characters. Just because some systems
> suck doesn't mean all systems should be made to suck.

My KeePass database on my phone is protected by more than 25 characters.
It's a series of words (surprise) and not too difficult to type. What I
won't type on my phone is an 8 character password with punctuation, and
I'm definitely not using cursor keys to insert them.

> > Authentication is pretty integral to most applications
> > because authorisation is integral to them.
> 
> That reads like gibberish (but I think I understand what you mean).

Authorisation is "What are you allowed to do?". It means nothing without
"Who are you?", known as authentication. Authorisation is extremely
important to most systems, and you don't get it without authentication.
So most systems must necessarily handle authentication in some way, and
without cross-domain trusted credentials that means passwords.
-- 
Sam Couter         |  mailto:sam at couter.id.au
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/linux/attachments/20120829/0aed05bd/attachment.pgp>

More information about the linux mailing list