Jan K.
Is this considered a safe password?
If you think yes, then maybe this is an interesting read, from an article by Dan Goodin on arstechnica.
For a graphic example of passphrase weakness, consider the string "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1" (minus the quotes). With a length of 51 and a 95-character set containing upper- and lowercase letters, numbers, and special characters, its entropy is 284.9 bits. The total number of combinations required to brute-force crack it would be 95^51, making such a technique impossible on any sort of computer known to exist today. What's more, the string isn't found in any language dictionary. No wonder password strength meters like this one use words such as "overkill" to describe it.
Chrysanthou had no trouble cracking the SHA1 hash that corresponded to the string for one simple reason. This is a fictional occult phrase from the H. P. Lovecraft short story "The Call of Cthulhu".
From the comments:
How about ",fnfhtqrf_ijrjkflrf" then? How did that one get cracked?
Answer:
"When in doubt, Google!
In this case, Google answers it easily by itself: "Did you mean: батарейка шоколадка" - so it seems to be just two Russian words typed on English keyboard."
Just great! But what is the best advice then?
Dan Goodin:
"Instead of thinking up schemes that look tough for you, but are easily replicated by computer, just use a password manager or a password generator - if you don't trust them to store your passwords, they have all kinds of "readable, but random" generation schemes."
From GDwarfWise, Aged Ars Veteran:
"Every time Ars publishes something about passwords, the comments get flooded by people who are certain that they have a new, easy-to-use way to generate a password that is easy to remember but impossible to brute force.
Let me be clear: No, you don't.
If your passwords are simple enough that you can remember more than one of them then they're too simple. Full stop. No exceptions.
I do not care if your system involves a dozen steps and the phase of the moon: If the result is an easy-to-remember password then it can be guessed. If it's not easy to remember then you've got yourself a different problem.
There is one, and only one, current way to have strong passwords, and that is a password manager which can generate truly random strings. You may not like using them, and that's your choice, but there is no silver bullet that can replace them in the modern world."
http://arstechnica.com/security/201...ing-the-next-frontier-of-password-cracking/2/
A list of sample passwords all cracked... http://arstechnica.com/security/2013/10/izmy-p55w0rd-saph/
A note on the Adobe hacking from Hold Security:
"While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits."
http://arstechnica.com/security/201...stomer-data-stolen-in-sustained-network-hack/
So... passwords... seems I need to look for a manager?
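Added example (not part of the post or the Ars article) showing the two points above in code: a naive brute-force meter credits the Lovecraft line with hundreds of bits, yet a phrase-dictionary check and a keyboard-layout check (reading ",fnfhtqrf_ijrjkflrf" as if typed on a Russian ЙЦУКЕН layout) both flag these strings as weak; and a random passphrase generator whose entropy is counted over the selection process rather than over the characters. The phrase dictionary, the Russian wordlist and the generator wordlist are constructed stand-ins; the naive meter here uses the full 95-symbol alphabet, so its figure will not match the 284.9 bits quoted from the article's meter, only its order of magnitude.

```python
import math
import re
import secrets
import string

# Constructed "cracking dictionary": a few phrases an attacker wordlist would
# contain. A real one has millions of entries; this is only enough to show the check.
KNOWN_PHRASES = {
    "ph'nglui mglw'nafh cthulhu r'lyeh wgah'nagl fhtagn",  # Lovecraft line from the article
    "to be or not to be that is the question",
}
# Constructed Russian wordlist (a real check would load a full dictionary).
RUSSIAN_WORDS = {"батарейка", "шоколадка", "пароль"}

# QWERTY key -> letter on the same key of the Russian ЙЦУКЕН layout.
QWERTY_TO_JCUKEN = dict(zip(
    "qwertyuiop[]asdfghjkl;'zxcvbnm,.",
    "йцукенгшщзхъфывапролджэячсмитьбю",
))


def naive_entropy_bits(password: str) -> float:
    """Strength as a brute-force meter sees it: length * log2(alphabet size).
    This is what credits the Lovecraft line with hundreds of bits."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    if alphabet == 0:  # nothing from the printable-ASCII classes: assume the full 95-symbol set
        alphabet = 95
    return len(password) * math.log2(alphabet)


def layout_transposed_words(password: str) -> list[str]:
    """Re-read the string as if typed on a Russian layout and split it into words."""
    mapped = "".join(QWERTY_TO_JCUKEN.get(c, c) for c in password.lower())
    return [w for w in re.split(r"[^а-яё]+", mapped) if w]


def assess(password: str) -> dict:
    """Combine the naive estimate with the two checks the article's examples defeat."""
    reasons = []
    stem = password.rstrip(string.digits).lower()  # "phrase1" -> "phrase"
    if stem in KNOWN_PHRASES:
        reasons.append("known phrase")
    words = layout_transposed_words(password)
    if words and all(w in RUSSIAN_WORDS for w in words):
        reasons.append("dictionary words typed in another keyboard layout")
    return {"naive_bits": round(naive_entropy_bits(password), 1),
            "weak": bool(reasons), "reasons": reasons}


# Constructed mini wordlist; a real generator uses a published list of
# thousands of words (the EFF long list has 7776).
WORDLIST = ["amber", "basket", "cactus", "dolphin", "ember", "falcon",
            "garnet", "harbor", "island", "jigsaw", "kettle", "lantern"]


def generate_passphrase(wordlist, n_words=6):
    """Random passphrase: strength comes from the selection, not the letters."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Honest entropy of a generated passphrase: log2 of the number of equally likely outputs."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1", ",fnfhtqrf_ijrjkflrf"]:
        print(pw, assess(pw))
    print(generate_passphrase(WORDLIST), f"({passphrase_entropy_bits(len(WORDLIST), 6):.1f} bits)")
    print(f"6 words from a 7776-word list: {passphrase_entropy_bits(7776, 6):.1f} bits")
```

The generated passphrase is made of dictionary words, yet it is the stronger secret: six words drawn uniformly from a 7776-word list give about 77.5 bits whatever the characters look like, while the 51-character Lovecraft line is a single entry in a phrase list. That is the sense in which the commenters say a password you can remember is too simple: the entropy that counts is the entropy of how it was chosen.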