Science Forums

Password Length And Complexity


How Long And Complex Is Your Password?

1 member has voted

  1. How Long And Complex Is Your Password?

    • 5 characters or less: 0
    • 8 text characters or less: 1
    • 8 alphanumeric characters including symbols or less: 2
    • 12 text characters or less, but more than 8: 1
    • 12 alphanumeric characters including symbols or less, but more than 8: 4
    • More than 12 text characters: 0
    • More than 12 alphanumeric characters including special symbols: 1


Recommended Posts

One of my friends who posts around here, theory5, uses a password generator. It is pretty neat =D

 

The problem with password generators is that they produce great passwords that are very difficult to remember when you can actually make great passwords yourself that are very easy to remember.


This thread reeks of paranoia! ;)

 

Do you guys really have such sensitive data that it needs to be protected with such zeal?

 

Sure, I use complex passwords for my banking/credit info, but email is pretty benign. :)

IOW, I don't view someone hacking into my yahoo account a big threat. They'll see evites and chatter amongst friends, and that's about it.

 

Of course, a little paranoia is not a bad thing. I guess I'm just not seeing the bigger picture...

 

Edumacate me! :)


You want edumacating? Or maybe I should leave you in happy innocence...

 

I've admitted the paranoia. Nobody is going to find anything of any use to them on my computers - not the ones connected to the internet, at least :) But when you've been part of a group who were constantly checking out each other's security, you make sure the doors are not only locked and bolted, but hidden as well. I remember the time when one member gloated that nobody could crack his machine... a few hours later a screenshot of his desktop appeared on the forum :)

 

You're probably right, freez. Most people wouldn't burgle a house even if the door was left wide open. Even fewer would check to see if it was locked; fewer still would check around the back for an open window. But I wish more people would learn just a little bit more about computer security - then maybe the internet wouldn't be so deluged in spam.


> You want edumacating? Or maybe I should leave you in happy innocence...

Happy innocence is ok by me (until my bank account gets hijacked :)).

> I've admitted the paranoia. Nobody is going to find anything of any use to them on my computers - not the ones connected to the internet, at least ;) But when you've been part of a group who were constantly checking out each other's security, you make sure the doors are not only locked and bolted, but hidden as well. I remember the time when one member gloated that nobody could crack his machine... a few hours later a screenshot of his desktop appeared on the forum :)

I would actually love for someone to test my vulnerability. If someone could produce my desktop image, I would love it! I would not prosecute, I'd only ask, "Ok, so what am I doing wrong? How did you do it?".

> You're probably right, freez. Most people wouldn't burgle a house even if the door was left wide open. Even fewer would check to see if it was locked; fewer still would check around the back for an open window. But I wish more people would learn just a little bit more about computer security - then maybe the internet wouldn't be so deluged in spam.

I agree. Unfortunately, it is not enough to request a global boycott on spam. We must also declare a global boycott on stupidity. Yeah, I know, not gonna happen. :Alien:


freezy, it could be arranged, you know. It would require written and signed permission from you, but a pen test is something rather fun to do, and I am sure not only I but some people I know would not mind performing one, if you are really serious about that...

 

Also, if you happen to post the format of your password, I can run a test on approximately how long it would take me to break that hash. Let's agree on how you will post your password, though.

 

The format can be such:

a - alphas, meaning letters

n - numerals, meaning numbers

s - symbols, meaning special symbols

e - extended, meaning extended ASCII (space or anything typed with Alt+)

 

PM it to me if you don't feel safe posting it here (PM is what I would do).

 

So for example, one of the passwords that was used prior to my involvement with IT at my company was of the form aaaaann. It took about 2 and a half hours to break the hash.

 

Just so you know exactly how I am going to test the password strength:

 

I will take a clean VM and set the admin and user passwords to two I generate of the form given to me. I will then grab the hash and run it through a couple of programs for breaking passwords (and decrypting hashes), nothing anyone who might want your password would not have access to... I'll log the time it took to crack each account password with each piece of software, average it out, and give you back an average time...


> freezy, it could be arranged, you know. It would require written and signed permission from you, but a pen test is something rather fun to do, and I am sure not only I but some people I know would not mind performing one, if you are really serious about that...

Hmm...I'll get back to you on that. It might be fun to try. :ohdear:

 

> Also, if you happen to post the format of your password, I can run a test on approximately how long it would take me to break that hash. Let's agree on how you will post your password, though.
>
> The format can be such:
>
> a - alphas, meaning letters
>
> n - numerals, meaning numbers
>
> s - symbols, meaning special symbols
>
> e - extended, meaning extended ASCII (space or anything typed with Alt+)
>
> PM it to me if you don't feel safe posting it here (PM is what I would do).
>
> So for example, one of the passwords that was used prior to my involvement with IT at my company was of the form aaaaann. It took about 2 and a half hours to break the hash.

Most of my passwords take that form, aaaaaann. That only takes 2.5 hours? ;)

What about a different orientation of the same chars, say, aaanaana?

 

> Just so you know exactly how I am going to test the password strength:
>
> I will take a clean VM and set the admin and user passwords to two I generate of the form given to me. I will then grab the hash and run it through a couple of programs for breaking passwords (and decrypting hashes), nothing anyone who might want your password would not have access to... I'll log the time it took to crack each account password with each piece of software, average it out, and give you back an average time...

I understand how you can run a program to list out all possible combinations of aaaaaann, but how does it apply them in the real world? In other words, say you are trying to figure out your forgotten password for your hotmail account. How would the program test each password with hotmail? Wouldn't this add a significant amount of time to the process? Wouldn't it lock the account after several false tries?
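The a/n/s/e format notation proposed in the pen-test offer above, and the "aaaaaann versus aaanaana" question in this reply, both come down to keyspace arithmetic. The script below is an added example written for this page, not code posted by either member: it computes the number of candidates a mask attack must try for a given format, estimates exhaustion time at an assumed guess rate, and runs a small mask attack against an unsalted hash to show that the attack runs offline against the captured hash, not against the live login. The character-set sizes (52 letters, 10 digits, 32 symbols, 128 extended bytes) and the use of MD5 as a stand-in for whatever the target system stores are assumptions of the example, as are the guess rates in the demo.

```python
import hashlib
import itertools
import string

# Character classes for the a/n/s/e notation from the post. The set sizes are
# assumptions of this example: "a" is upper- and lower-case ASCII letters, "s"
# is printable ASCII punctuation, and "e" is the 128 high bytes of a
# single-byte code page (the "Alt+" characters mentioned in the post).
CLASSES = {
    "a": string.ascii_letters,                       # 52
    "n": string.digits,                              # 10
    "s": string.punctuation,                         # 32
    "e": "".join(chr(c) for c in range(128, 256)),   # 128
}

# Same notation, but with "a" restricted to lower-case letters, for comparison.
CLASSES_LOWER = dict(CLASSES, a=string.ascii_lowercase)   # 26


def keyspace(fmt, classes=CLASSES):
    """Number of candidates a mask attack must try for a format like 'aaaaann'.

    Only the multiset of classes matters: 'aaaaaann' and 'aaanaana' are the
    same size because multiplication is commutative.
    """
    total = 1
    for ch in fmt:
        total *= len(classes[ch])
    return total


def seconds_to_exhaust(fmt, guesses_per_second, classes=CLASSES):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(fmt, classes) / guesses_per_second


def hash_password(pw):
    # Stand-in for the hash the target stores. Unsalted MD5 is used only
    # because it is in the standard library; it is an assumption of the example.
    return hashlib.md5(pw.encode()).hexdigest()


def mask_crack(target_hash, fmt, classes=CLASSES):
    """Offline brute force: hash every candidate of the format until one matches.

    Returns the recovered password, or None if the format does not cover it.
    """
    pools = [classes[ch] for ch in fmt]
    for tup in itertools.product(*pools):
        candidate = "".join(tup)
        if hash_password(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Assumed rates: an offline cracker hashing a captured hash on one machine,
    # versus an online attack that must submit each guess to the login form.
    OFFLINE_RATE = 10_000_000   # guesses/s, assumption
    ONLINE_RATE = 10            # guesses/s, assumption (before any lockout)
    for fmt in ("aaaaann", "aaaaaann", "aaanaana", "aaaaaass"):
        print(f"{fmt:10s} keyspace={keyspace(fmt):>16,d} "
              f"lowercase-only={keyspace(fmt, CLASSES_LOWER):>14,d} "
              f"offline={seconds_to_exhaust(fmt, OFFLINE_RATE) / 3600:>10.1f} h "
              f"online={seconds_to_exhaust(fmt, ONLINE_RATE) / 86400 / 365:>10.1f} y")

    # Constructed demo: a short 'aann' password, cracked from its hash alone.
    captured = hash_password("qR42")
    print("recovered:", mask_crack(captured, "aann"))
```

The offline versus online columns are the answer to the hotmail question: a cracker never talks to the web login at all; it needs a copy of the stored hash (from a VM image, a dumped SAM, a leaked database) and then runs at whatever rate local hardware allows. Against a live login, the per-request latency and lockouts mentioned in the reply apply, which is why the same format gives such different numbers in the two columns.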


Pssht, if you are paranoid like me, you keep your data on an IronKey. Screw TrueCrypt: after 10 attempts it burns the memory chip that contains the second part of the 128-bit AES key with which all the data on that drive is encrypted...

 

That's what backups are for. The sensitive data I use daily, like my accounting data, is encrypted on my thumb drive, but several times a week, when I'm doing my bookkeeping, I run a script that PGP-encrypts it and emails it to an online email account so that I have a redundant off-site copy. Of course you could also hide data in something like the Mona Lisa as a web page background or logo somewhere on the web :)


I actually wrote a proggy back in high school to encode data into BMP images (in QuickBasic), ah, I know how it works ;)

 

Yes, I love PGP, I have several 4096- and 8192-bit DSS keys myself :phones:, the only thing is, where do you store the private key ;)

 

For very sensitive stuff that I have had to keep, my algo went as such:

create a new ridiculously long key pair for PGP

use the key to encrypt the data

create a new short key pair with a different algorithm

encrypt the data again

use the ridiculously long key to encrypt the short key pair

take the ridiculously long key and put it on the IronKey (thus encrypting it with 128-bit AES) (if paranoid, use another IronKey as backup)

take the encrypted short key and put it on any other semi-secured media, such as the Kingston encrypted flash drive (once again, you may need to create a backup, so use two)

Then you can freely store the encrypted information anywhere you want. As long as there are no soft copies of either private or public keys (having a public key is actually nearly 1/2 the battle; with current decryption methods for some of these algorithms, and a supercomputer, it may take less than weeks to decrypt a 4096-bit key, and that's not a risk I would like to take), the information is reasonably secure. Storing it in email is not a bad idea, as most online email systems, such as Gmail, have a ridiculous number of levels of precautions for backing up and not losing the data...
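The BMP encoder mentioned at the top of this post, and the "hide it in the Mona Lisa" idea two posts up, are the same technique: least-significant-bit steganography. The script below is an added example for this page, not the QuickBasic program the member describes: it builds a small 24-bit BMP in memory (a constructed cover image, so nothing has to be read from disk), writes a length-prefixed payload one bit at a time into the low bit of each pixel byte, and reads it back. The cover dimensions, fill colour and payload are assumptions of the example.

```python
import struct

BMP_HEADER_SIZE = 14
DIB_HEADER_SIZE = 40


def make_bmp(width, height, fill=(200, 120, 40)):
    """Build a minimal bottom-up 24-bit BMP (constructed cover image for the demo)."""
    row_bytes = width * 3
    padding = (4 - row_bytes % 4) % 4          # rows are padded to 4-byte multiples
    pixels = bytearray()
    for _ in range(height):
        for _ in range(width):
            pixels += bytes(fill[::-1])        # BMP stores pixels as B, G, R
        pixels += b"\x00" * padding
    offset = BMP_HEADER_SIZE + DIB_HEADER_SIZE
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    dib_header = struct.pack("<IiiHHIIiiII", DIB_HEADER_SIZE, width, height,
                             1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + dib_header + pixels)


def _pixel_offset(bmp):
    """Offset of the pixel array, read from the BMP file header (bytes 10..13)."""
    return struct.unpack_from("<I", bmp, 10)[0]


def capacity(bmp):
    """Payload bytes that fit: one bit per pixel-array byte, minus the 4-byte length prefix."""
    return (len(bmp) - _pixel_offset(bmp)) // 8 - 4


def embed(bmp, payload):
    """Return a copy of bmp with payload hidden in the LSB of each pixel-array byte."""
    if len(payload) > capacity(bmp):
        raise ValueError("payload too large for cover image")
    out = bytearray(bmp)
    pos = _pixel_offset(bmp)
    for byte in struct.pack("<I", len(payload)) + payload:
        for i in range(8):                     # most significant bit first
            bit = (byte >> (7 - i)) & 1
            out[pos] = (out[pos] & 0xFE) | bit  # replace only the low bit
            pos += 1
    return bytes(out)


def extract(bmp):
    """Recover a payload written by embed(); the length prefix says how far to read."""
    pos = _pixel_offset(bmp)

    def read_bytes(count):
        nonlocal pos
        buf = bytearray()
        for _ in range(count):
            value = 0
            for _ in range(8):
                value = (value << 1) | (bmp[pos] & 1)
                pos += 1
            buf.append(value)
        return bytes(buf)

    (length,) = struct.unpack("<I", read_bytes(4))
    return read_bytes(length)


if __name__ == "__main__":
    cover = make_bmp(64, 32)
    secret = b"meet at the usual place"          # constructed payload
    stego = embed(cover, secret)
    changed = sum(1 for a, b in zip(cover, stego) if a != b)
    print(f"cover {len(cover)} bytes, capacity {capacity(cover)} bytes, "
          f"{changed} bytes altered by at most one LSB each")
    print("recovered:", extract(stego))
```

Two practical caveats that the code makes visible: the file size does not change and no byte moves by more than one unit of colour, which is why the image looks identical, but the low bits of a flat-coloured cover go from all-zero to a visibly structured pattern under statistical analysis, and the padding bytes at the end of each row (which this example also uses) are exactly the kind of thing an image editor or re-save will discard along with the payload. Hiding data is not the same as encrypting it; the PGP layer described above is what actually protects the content.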
