• Val (unregistered)

    One Password to rule them all, One Password to find them, One Password to bring them all and in the darkness bind them

  • (cs) in reply to Hand-E-Food
    Hand-E-Food:
    My mother worked at a bank in the late 80s when banks still had monochrome green terminals.

    She set up her password for her login. She quickly typed 6 characters and hit ENTER. Nothing happened, so she hit ENTER again and the password was accepted. And every time she entered her password she would have to hit ENTER twice for the password to be accepted.

    It turned out that passwords were 7 characters fixed length. Her password included a CR as the last character.

    There was a big possibility that the password was being checked by every single character, and as soon as a wrong character was entered, it would reject it.

  • gnasher729 (unregistered) in reply to hot dog
    hot dog:
    I thought they realised this pretty early on, and one of the changes they made was to allow mapping back to itself (I think via the plugboard?)

    No. Any Enigma machine, in any possible state, always produced a permutation of the 26 letters consisting of thirteen 2-cycles, that is there were always thirteen pairs of letters that would get exchanged.

  • (cs) in reply to Jibble
    Jibble:
    chubertdev:
    are you really complaining that a free service won't let you use it if you block their ads?

    No, but maybe they could just tell you that instead of making you sit there for an hour trying to figure out why you can't reset your own password.

    I think that frustrating users that are trying to consume resources yet block ad revenue is brilliant!

  • Windows NT (unregistered) in reply to Evan
    Evan:
    Windows NT:
    John:
    If I tell you my password is 14 characters long, yes you save some time not having to computer hashes for lengths 1-13, but the number of hashes you will need to brute the entire 14 char keyspace is bigger than 1-13 combined anyway.
    Wanna bet?
    I do.

    It's not a proof, but here the number of 14 character passwords as well as 1-13 character passwords for both a 62-character choice (alphanum) and an 85-character choice:

    But that's not the number of hashes you'll need.

    http://en.wikipedia.org/wiki/LM_hash

    [akismet]Wikipedia is a spam site[/akismet]

  • Kasper (unregistered) in reply to Windows NT
    Windows NT:
    John:
    If I tell you my password is 14 characters long, yes you save some time not having to computer hashes for lengths 1-13, but the number of hashes you will need to brute the entire 14 char keyspace is bigger than 1-13 combined anyway.
    Wanna bet?
    I'm in. Here you have a plain md5 hash of my 14 character alphanumeric password. You tell me, what the password is: b7bc4508ff73ccd4399fc5b52569a4f8
  • Kasper (unregistered) in reply to Chris
    Chris:
    Many, many websites and services truncate passwords when you set them but do not truncate them when you try to use them.
    That's more user friendly than doing it the other way around.
  • Kasper (unregistered) in reply to BeenThereDoneThat
    BeenThereDoneThat:
    One more, just for fun:

    https://www.grc.com/haystack.htm

    That was fun. According to that test, a password consisting of 16 spaces is actually going to take multiple centuries to break.

  • Kasper (unregistered) in reply to watcher
    watcher:
    But then, how should it be done?
    I would say tell the client what the salt is, then let the client use password and salt as seed for a PRNG. The output from the PRNG is then used as input for generating an asymmetrical key pair (such as RSA). Once the client has computed the key pair it uses a sigma protocol to prove towards the server, that it knows the secret key.

    The server only need to know salt and public key.

    Login is a bit CPU heavy for the client. That is just an additional advantage, because it would slow down brute force attacks on the password.

    If it turns out to be too CPU intensive to generate an RSA key pair from a password the way I described above, the salt could be picked such that the PRNG outputs a prime in first go.

    Be warned, it takes a skilled cryptographer to figure out, if the above approach has subtle security problems. Don't implement it, unless there is a formalized description which has been peer-reviewed.

  • Windows NT (unregistered) in reply to Kasper
    Kasper:
    Windows NT:
    John:
    If I tell you my password is 14 characters long, yes you save some time not having to computer hashes for lengths 1-13, but the number of hashes you will need to brute the entire 14 char keyspace is bigger than 1-13 combined anyway.
    Wanna bet?
    I'm in. Here you have a plain md5 hash of my 14 character alphanumeric password. You tell me, what the password is: b7bc4508ff73ccd4399fc5b52569a4f8
    That doesn't count. You have to give me the LM hashes of the two 7 character halves of your password.
  • John (unregistered) in reply to Windows NT
    Windows NT:
    Kasper:
    Windows NT:
    John:
    If I tell you my password is 14 characters long, yes you save some time not having to computer hashes for lengths 1-13, but the number of hashes you will need to brute the entire 14 char keyspace is bigger than 1-13 combined anyway.
    Wanna bet?
    I'm in. Here you have a plain md5 hash of my 14 character alphanumeric password. You tell me, what the password is: b7bc4508ff73ccd4399fc5b52569a4f8
    That doesn't count. You have to give me the LM hashes of the two 7 character halves of your password.

    Sure it counts as nothing in the story every suggested we were specifically talking about LM hashes and neither did my post. Come one now its only 14 chars, and you don't have to deal with the 1-13 length possibilities. Should be easy. So show us!

  • Windows NT (unregistered) in reply to John
    John:
    Windows NT:
    Kasper:
    Windows NT:
    John:
    If I tell you my password is 14 characters long, yes you save some time not having to computer hashes for lengths 1-13, but the number of hashes you will need to brute the entire 14 char keyspace is bigger than 1-13 combined anyway.
    Wanna bet?
    I'm in. Here you have a plain md5 hash of my 14 character alphanumeric password. You tell me, what the password is: b7bc4508ff73ccd4399fc5b52569a4f8
    That doesn't count. You have to give me the LM hashes of the two 7 character halves of your password.
    Sure it counts as nothing in the story every suggested we were specifically talking about LM hashes and neither did my post. Come one now its only 14 chars, and you don't have to deal with the 1-13 length possibilities. Should be easy. So show us!
    You're lucky you only have to deal with me, where a 14 character password can be brute forced by two 7 character halves using a weak algorithm. Some of my best pals store their customers' passwords in plain text, where your 14 character password isn't protected at all.

    Sure, some entities know how to protect passwords. Even my own grandchildren can do it. My point is, sometimes you gotta deal with me, and 14 characters don't even buy you a shitem id.

  • Kasper (unregistered) in reply to Windows NT
    Windows NT:
    sometimes you gotta deal with me
    Sure, I have an mkfs.ext4, and I am not afraid to use it.
  • Catfeeder (unregistered)

    I bought Buffalo airstation last year; and for some stupid reason decided to switch from the preinstalled OpenWrt to the "Buffalo-owned" firmware. And I ran into a similar problem:

    Only the help text will tell you that the password is restricted to 8 characters:

    • you can specify a new password with more than 8 chars
    • when asked for the password, you can enter more than 8 chars

    But when doing exactly that, you are not able to log in. The stupid firmware stores only the first 8 characters - and only if you do the same, login will work.

    ( and just to ask the obvious question: the reason to switch FROM openwrt was the fact, that the Buffalo-firmware comes with a built-in torrent client. To be precise: a torrent client, that will only start downloading about 1 in 15 torrents you ask it to download )

  • IworkATanISP (unregistered) in reply to Vindictive
    rootkit:
    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

    It's an ISP. If the connection is PPP with CHAP, they have no choice - CHAP requires plain-text passwords at the RADIUS server.

    Welcome to the internet - where everything is a bodge, based on technology from the 80's.

  • Kemp (unregistered) in reply to IworkATanISP
    IworkATanISP:
    rootkit:
    TRWTF is storing a password in PLAIN FUCKING TEXT instead of a hashed value like SHA1(salt(password))

    It's an ISP. If the connection is PPP with CHAP, they have no choice - CHAP requires plain-text passwords at the RADIUS server.

    Welcome to the internet - where everything is a bodge, based on technology from the 80's.

    It's been quite a while since I looked at any of this, but (if I recall correctly) the appropriately named PAP goes a step further and has one side spam the password in plain text continuously until someone replies. How people come up with these I have no idea.

  • Cthon98 (unregistered) in reply to Kasper
    Kasper:
    Windows NT:
    John:
    If I tell you my password is 14 characters long, yes you save some time not having to computer hashes for lengths 1-13, but the number of hashes you will need to brute the entire 14 char keyspace is bigger than 1-13 combined anyway.
    Wanna bet?
    I'm in. Here you have a plain md5 hash of my 14 character alphanumeric password. You tell me, what the password is: b7bc4508ff73ccd4399fc5b52569a4f8

    Here, I'll copy paste that hash and you'll see your password: hunter2

    I'll now go grab my robe and wizard hat.

  • (cs)

    My bank needed a login password and so I gave them a seven character password. The error message said that the password must be at least eight characters. So I added "FY" to the end of it, and the error message said that the password must be no longer than eight characters. Why couldn't they just say the first time that the password has to be exactly eight characters? Anyway, that's why my password ends in "F". You can guess what the "Y" stands for.

  • eric bloedow (unregistered)

    i've read several stories about the Enigma, and one point stuck in my head: it had a secondary code set, consisting of 26 plugs and 26 outlets...which the Germans NEVER USED! they simply plugged A>A, B>B, and so on! someone who escaped from Poland told Allied intelligence about this...

Leave a comment on “Security by Password”

Log In or post as a guest

Replying to comment #:

« Return to Article