• (disco) in reply to ben_lubar
    ben_lubar:
    There's a finite number of possible passwords that will fit in memory

    Right, which is why the idea is to choose your password randomly from a space of possibilities that's larger than any feasible memory address space (i.e. an address space limited only by physical constraints) could possibly become. The fact that the number of possible passwords is by definition finite is of no consequence whatsoever when total dedication of the entirety of civilization's digital storage to holding password hash databases would not even cover an octillionth of the possibilities.

    That is to say: the difference between infinity (unlimited in principle) and very very large (unlimited in practice) is a difference that makes a difference only in principle, not in practice.

  • (disco) in reply to ben_lubar

    Btw, while the number is definately finite it may not be feasible for them to store all the combinations.

    Take a normal GUID (2^122 combinations) for example. It's said that this is enough to generate a GUID for each particle in the universe. Now square it (2^244) and you can be pretty sure that it's impossible for all machines in this universe to be able to store its precomputed hash.

  • (disco) in reply to flabdablet

    Sure, but there are a lot of companies not doing that.

    In my current company, I have to explain for a few hours to get my boss to agree that "adding salt to generate a password hash is a better idea than not".

  • (disco) in reply to cheong
    cheong:
    definately

    unfinished

  • (disco)

    So.... You have a "...realistic password strength estimator..." online that is clearly in somebody's Dropbox User Space which is fun to "play" with because it gives you nice stats on the potential strength of a password. Even if the underlying code is open source / industrial standard / whatever. Are you going to tell me that you did not type your favourite password in? Just to see...

    Let's just see what you did there?

    1. Provided your IP address, Browser and System details.
    2. Provided a list of passwords

    INB4: But it was HTTPS, so it must be OK....

  • (disco) in reply to cheong

    That was a few hours well spent on your part. It's a pity that sometimes education has to be applied with a lump hammer, but it's better than not applying it at all :-)

  • (disco) in reply to loose
    loose:
    Provided a list of passwords

    No you didn't. Check your Network tab; everything is done client-side and no data leave the browser after the initial load.

  • (disco) in reply to loose
    loose:
    Let's just see what you did there?
    1. Provided your IP address, Browser and System details.
    2. Provided a list of passwords

    ...to my own browser, which has access to all those details anyway, after personally verifying via Wireshark that nothing goes over the wire as a result of typing stuff into the zxcvbn demo page. All the password strength checking is done in-browser; the only network involvement is initial collection of the script.

  • (disco)

    @Maciejasjmj, @flabdablet Then you are lucky.

    So you loaded a Browser Extension, and that ran on your machine (which seems, somehow, worse). Did you sniff the network traffic - not what the Browser told you what it was transmitting?

    It's not that I am saying that there is any malicious intent behind "this", and I certainly didn't investigate any further than loading the "main" page. But it seems so ironic when everybody is bleating on about "how secure" their password(s) and storage of them are over "somebody else's".

    I have created my own two-way encryption executable. I wrote it in C or C++ (I forget now, but I do remember that [at the time] it could not be [usefully] decompiled. The source code for it still exists but it has been heavily disguised and buried in with a load of junk [I must find out if I still have it]). By its nature, the User had to have a local copy of it, and it only existed to allow them to encrypt local files to upload to their website for processing. The point I am making here is this: Once a security measure / technique is in the public domain, sooner or later its relative effectiveness is compromised. There was a time that the concept of "dictionaries" did not exist. This applied to just about everything. - first there is nothing, then it exists, then it becomes improved and eventually superseded.

    When I read this post, I had some empathy for the topic. Yes passwords are becoming an increasing issue to keep secure. So much so that there are "special" applications to store and manage them for you - because the way that Browser do it is sooooooooooooo unsecure (does anybody actually know how, and can they demonstrate the "weakness" NOTE THIS IS NOT A CHALLENGE, not that you shouldn't accept it as such, it's just that I will not respond to such an acceptance - think of it as a rhetorical question). There was a time when 8 letters were considered to be the best (see above). The latest "fad" is to use passphrases, it won't be long before effective means to "defeat" them will be developed.

    INB4: For the purposes of argument, I am ignoring the "human effect" (e.g. choosing 1234 as their PIN Code, or the "clever" 9510)

    I rarely, if ever, use third party open source applications directly through any of my internet delivered "projects". If I do, I try to not use default security / location settings (sometimes I do but they are sacrificial diversions). The efforts I go to depend on the level of security desired. My development and live servers are sterile i.e. they only do what they are supposed to do. I even use separate browsers to test and research (This means I have to do my research using IE....shudder) Although there are additional reasons why I do this - mostly so I can zap the browser to ensure that there is "no history"

    Hmmm, small rant essay produced I have (2nd of the day). Out of bed the wrong side I got today.

  • (disco) in reply to loose
    loose:
    Did you sniff the network traffic - not what the Browser told you what it was transmitting?

    I think "verifying via Wireshark" is sniffing network traffic, though.

  • (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    The 9-character one, because ꜷ and æ are one character each.

    I wonder how many sites actually let you use "Tsꜷkpætra". Otherwise you might claim it's a 9 letter name, but expressed with 11 characters still.

  • (disco) in reply to loose
    loose:
    So you loaded a Browser Extension, and that ran on your machine (which seems, somehow, worse). Did you sniff the network traffic - not what the Browser told you what it was transmitting?

    No. zxcvbn is not a browser extension. It's a javascript library, and the zxcvbn demo page is a minimal skeleton that loads that library and provides an input box to exercise it with.

    And yes, I did sniff the network traffic (with Wireshark; thought you'd recognize the name as that of a packet sniffer) using some dummy passwords, and I looked through the zxcvbn code by eye for anything that looked like networking, before trying it out on real passwords.

    I think it would pay you to let go of the notion that everybody you talk to around here is best assumed by default to be incompetent at their job.

  • (disco) in reply to flabdablet
    flabdablet:
    I think it would pay you to let go of the notion that everybody you talk to around here is best assumed by default to be incompetent at their job.

    Yeah, it's just most of us!!! :smiley:

  • (disco) in reply to flabdablet

    Oh this is going to be fun. Not.

    flabdablet:
    I think it would pay you to let go of the notion that everybody you talk to around here is best assumed by default to be incompetent at their job.

    :hanzo: Edit. Although I intended to "isolate" a quote (of the original) it would appear to have put @dkf in a bad light, for which I apologise. Sorry.

    I make no assumption or have any notions about anybody here, and that includes those that are pilloried without any real opportunity to defend or explain (assuming, of course, that any explanation is actually heard).

    The fundamental reason why I actually got involved with this Site, after spending years "leeching" (and learning), and the reason why I posted what I did, as I did, is to try and highlight the increasing intolerance, bigotry and sheer outright duality of most of what is expressed.

    We are ALL / HAVE BEEN / WILL BE guilty of that we seek to ridicule here.

    The highlighted irony of my post still seems to be missed. It would seem that the only assumption being made is to the effect that "because I say it, it is true" with the subtext being "so I don't have to prove, demonstrate or otherwise justify", whilst not extending that courtesy or consideration to what is stated by others.

    In a similar manner it appears to be assumed that everybody knows everything about everything by the mere fact that it is "mentioned". So much so that the possibility that somebody does not know or recognise a reference causes such offence that the only possible response, is that of abuse.

  • (disco) in reply to loose
    loose:
    it would appear to have put @dkf in a bad light

    Use a bit more blue next time, and a touch more green. ;)

  • (disco) in reply to loose
    loose:
    Oh this is going to be fun. Not.

    Oh, I agree.

    loose

    v.tr.
    1. To stump somebody with an incomprehensible wall of text masquerading as an argument. Man, he totally loose'd me in that flamewar.

    v.intr.
    2. To engage in posting incomprehensible arguments. Have you been drinking? Because it seems like you're loose'ing a lot today.

    Filed under: see also: xaade

  • (disco) in reply to loose
    loose:
    Oh this is going to be fun. Not.
    flabdablet:
    I think it would pay you to let go of the notion that everybody you talk to around here is best assumed by default to be incompetent at their job.
    ... I make no assumption or have any notions about anybody here

    When your first contribution to a discussion about password strength estimators is to claim that the one I have been recommending is most likely some kind of https://ha.ha.feed.me.all.your.passwords.suckr.com phishing site, and when you address this contribution explicitly to myself and @maciejasjmj, it's hard not to draw the conclusion that you are not only assuming but suggesting that both of us are complete fucking rubes. I can't speak for Maciej, but as a working netadmin responsible for maintaining the security of a school network, frankly I find that suggestion insulting.

    And when it's pointed out to you that we know because we have checked that the mechanism you say we are recommending - the shipping off of live passwords to some rando elsewhere for evaluation - is not in fact happening, and your response is to double down and insist that it might be, this amounts to repetition and amplification of exactly the same insulting accusation of incompetence.

    If the delivery of sarcastic insults was not in fact your intent, then I think it would pay you to make a regular practice of waiting five minutes between composing your comments and hitting Reply.

  • (disco) in reply to loose
    loose:
    Once a security measure / technique is in the public domain, sooner or later its relative effectiveness is compromised

    That's one side of the old debate security by obscurity vs. Kerckhoffs' principle. Both have their drawbacks, and being in the public domain just shortens the time of security as well as the time until flaws are detected, the question being by how much each.

  • (disco) in reply to flabdablet
    [image]

    On the other hand, perhaps he's right :-(

  • (disco) in reply to flabdablet
    flabdablet:
    it might be

    1. Load the page
    2. Unplug the bloody 'net cable
    3. Marvel at the black magic making the site work without the NSAinternet connection

    loose:
    because the way that Browser do it is sooooooooooooo unsecure

    I don't think anybody claims that.

    loose:
    There was a time when 8 letters were considered to be the best (see above).

    Yes, and the average hacker had a sheet of paper and a pen.

    loose:
    The latest "fad" is to use passphrases, it won't be long before effective means to "defeat" them will be developed.

    And pray tell, what would those effective means of undermining the basic principles of mathematics be?

    loose:
    The point I am making here is this: Once a security measure / technique is in the public domain, sooner or later its relative effectiveness is compromised.

    You have no idea how security works, do you? That your method of encryption relied on obscurity doesn't mean all of them do. Yes, there might be some weakness in SHA or other algorithm, but that doesn't mean there necessarily is one and we just don't see it.

    loose:
    Although there are additional reasons why I do this - mostly so I can zap the browser to ensure that there is "no history"

    Incognito mode, do you use it?

  • (disco) in reply to Maciejasjmj
    Maciejasjmj:
    Marvel at the black magic making the site work without the NSAinternet connection

    I know, right? Do you think it might be that newfangled Windows 10 wireless leeching thing?

  • (disco) in reply to ben_lubar

    I use long strings of random letters for those answers. It's backfired once: I had to read the whole sequence over the phone by individual letters, but I'm still not about to pick something that's easy to guess.

  • (disco) in reply to flabdablet

    Not sure, I heard that Windows 10 shares your passwords to all your contacts (and vice versa), and if they can do that, they can certainly just keep them on their servers!

  • (disco)

    The encryption program, for which I had a need approximately 10 years ago, was a software simulation of a hardware "dongle" I had developed some 20 years prior to that. It had, what is know know as a private key and a public key, so you could not use you key for other peoples files. The "key" length was unspecified and could be infinite (subject to hardware limitations). The only reason it did not get out of prototype was that the "demand" evaporated with the advent of 286's and the like. By the time the "explosion" of their use occurred (SCO unix, 8 way serial IF for PC's etc) I had moved on to other things.

    Had I a Tag or Avatar at the time, and had I gone public with it: It could have been known as LOOSE1 (a la blowfish et al).

    As for security through obscurity: What you don't know cannot help you. If you know how it was encoded you are halfway to decoding it. Whilst I may, one day, offer an anonymous encrypted file to be "cracked", it won't be here.

    As for this minor brush fire of this desired flame-war: I repeat: It would seem that there is an issue concerning the duality of Poster's and Replier's privileges, rights and expectations.

    On a technical level: @mentioning two or more @mentions (sometime referred to as "paging" or poking" - which has very specific and literal meanings and intentions) is how (by context and observation - in the absence of a detailed "manual") you reply to multiple Posts. The requirement for which I have seen mentioned elsewhere, IIRC.

    I am sorry that you believe that it was a personal attack, as that was not the intent - you just happened to be collateral damage resulting from the coarseness of my general assault. Perhaps I should use something (I am sooo tempted to say smarter, but I can just imagine what you could do with that - talk about friendly fire....Not!).

  • (disco) in reply to flabdablet
    flabdablet:
    Actually, most password strength estimators severely down-rate correcthorsebatterystaple for no better reason than that it contains nothing but lowercase letters; you can verify this by observing that a truly strong password like kfczpxudhkmwtwyehgngnaxpu scores a similarly low rating from the same estimator.

    This stuff is all dependent on the method used to attack the password. I'm always reminded of learning about countable vs uncountable infinities and how easy it could be to get the wrong answer by taking the wrong approach. Like, trying to count all "words" and starting with the 'A's...you never get out of them so you might (incorrectly) conclude that letter combinations were uncountably infinite.

    Likewise with password crackers. In what order do they try things? That could have a major difference in something that's supposedly "instant" vs takes days to weeks to never. Presumably, they'd focus on the easy / lazy stuff. Is throwing in a single numeral enough to fuck that sort of search over? I have no idea.

    I didn't see anything in the zxcvbn page about validation (but I didn't really click past the initial links you posted, either). Has anyone done anything to validate them against something like John the Ripper?

  • (disco) in reply to loose
    loose:
    the coarseness of my general assault

    It's not the coarseness that's making you look like a dick right now. It's the way, after having been shown to have posted a bunch of alarmist crap about something it would have taken you all of five minutes to check, you're avoiding a simple "oops, my bad" by retreating into bluster and blather.

    As for your security-by-obscurity encryption method: unless you subjected it to review by people skilled in the cryptographic arts, I have almost zero interest in it. Any fool can design crypto primitives they can't themselves figure out how to break. Hell, I've done it myself.

  • (disco) in reply to loose
    loose:
    It had, what is know know as a private key and a public key, so you could not use you key for other peoples files.

    Not sure what the phrases "know know" or "peoples files" mean, but I presume the following is a valid correction to this gibberish:

    loose:
    It had, what is know known as a private key and a public key, so you could not use you key for other peoples' files.

    loose:
    On a technical level: @mentioning two or more @mentions (sometime referred to as "paging" or poking" - which has very specific and literal meanings and intentions) is how (by context and observation - in the absence of a detailed "manual") you reply to multiple Posts.

    Or you could just quote the relevant posts. It's a wonder of forum software.

  • (disco) in reply to boomzilla
    boomzilla:
    This stuff is all dependent on the method used to attack the password.

    True. And to some extent the old principle about not needing to be able to run faster than a bear, only faster than your fellow hikers, is applicable.

    But if you're generating your passwords with a CSPRNG then there can in general be no better method of attack than brute force, and if the number of bits of entropy they embody is relatively large (say 100 bits or more) then there is not now and never will be a sufficient amount of brute force available.

    So just do that, and you can take offline crackers off your list of things to worry about and concentrate on avoiding keyloggers - which also, as it happens, threaten passwords kept in-skull - instead.
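The approach recommended in the comment above (draw the password from a CSPRNG and size it for roughly 100 bits), as an added example that is not code from any poster in this thread. The function names and the 10^12 guesses-per-second attacker rate are assumptions chosen for illustration.

```python
import math
import secrets

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    if alphabet_size < 2:
        raise ValueError("need at least two distinct symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(alphabet: str, target_bits: float = 100.0) -> str:
    """Generate a password of at least target_bits using the OS CSPRNG.

    Duplicate symbols are removed first: a repeated character would bias
    the draw and make the entropy figure an overestimate.
    """
    symbols = sorted(set(alphabet))
    length = min_length(len(symbols), target_bits)
    # secrets.choice draws from the OS CSPRNG without modulo bias.
    return "".join(secrets.choice(symbols) for _ in range(length))

def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the password by exhaustive search.

    On average the attacker covers half the space, i.e. 2**(bits - 1)
    guesses. The guess rate is whatever the caller assumes.
    """
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    lower = "abcdefghijklmnopqrstuvwxyz"
    # The 25-letter lowercase example quoted earlier in the thread:
    print(f"25 random lowercase letters: {entropy_bits(26, 25):.1f} bits")
    print(f"lowercase letters needed for 100 bits: {min_length(26, 100)}")
    pw = generate(lower, 100)
    bits = entropy_bits(26, len(pw))
    print(f"generated: {pw} ({bits:.1f} bits)")
    # Assumed attacker rate: 1e12 guesses per second.
    print(f"expected search time: {brute_force_years(bits, 1e12):.2e} years")
```

The entropy figure holds only because every symbol is drawn uniformly by the generator; it says nothing about a password of the same length chosen by a person.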

  • (disco) in reply to flabdablet

    Totally agree. I'm just intellectually curious about the ratings and especially the estimated times.

  • foobar (unregistered)

    p@ss w0rd That's not a word. That's a phrase.

  • eric bloedow (unregistered)

    this reminds me of another story: someone wondered why it took so long to change passwords at his company...he eventually found out that their usernames were MEANINGLESS, and the passwords were the actual usernames! this "security" system required every password to be unique to work...

Leave a comment on “What's The Password?”
