
Thread: How to create an ACTUAL secure password (in light of recent events)

  1. #1
    Join Date
    Jul 2016
    Posts
    13

    How to create an ACTUAL secure password (in light of recent events)

    https://www.youtube.com/watch?v=3NjQ9b3pgIg

    This video is really great for showing you both how to create a nearly uncrackable password, and also why it works.

    To TL;DR the video, here is what I learned from it:

    - your password should always be at least 9 characters, not 8, as mathematically brute force attacks become next to useless after 9 characters
    - use uncommon words that have nothing to do with you, the site you're on, or each other, and use at least 3 (something like unethicalstandpointsyndrome). this protects you from dictionary attacks where a hacker will try to string together random words in a "brute force" manner, generally starting with the most commonly used words
    - for good measure, throw in a symbol in the MIDDLE of one of your words, and it must be totally random, not a l33t sp34k style character (ex. unethi_calstandpointsyndrome). this way even if a dictionary attack eventually generated your exact password, it almost definitely wouldn't have that random symbol in it, and thus wouldn't match

    To expand on the first point, if the hacker was including lowercase letters, uppercase letters, numbers and symbols, it would take multiple years to brute force a 9 character password, as opposed to an 8 character password which would take a matter of days. Source: http://www.password-depot.com/know-h...ce-attacks.htm

    Ultimately, using more characters is more effective than using a combination of different characters, but if you sprinkle a few different characters in there, you're really setting yourself up for success. "disproportionatelyglutenizedmeridian" is an infinitely better password than "4$yI9+(m", and is easier to remember too, if you can deal with typing it on a mobile device...

    I'd love to hear any other opinions on password security, or rebuttals/arguments against what I've said.

  2. #2
    Join Date
    Jul 2016
    Posts
    13
    I just noticed I put "reset" events in the title instead of "recent" events. Bit of a Freudian slip there ;D

    * moderator note * Title now corrected.
    Last edited by jedaisoul; 08-11-2016 at 10:43 AM.

  3. #3
    Join Date
    Oct 2013
    Location
    Sheboygan, Wisconsin
    Posts
    892
    Pay attention to the "Massive Cracking Array Scenario":
    https://www.grc.com/haystack.htm

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    21,569
    It's actually kind of interesting how many sites make a big deal out of requiring that you use upper-/lower-case plus numbers plus symbols, when the length of the password can have a bigger impact on the possible permutations (even before considering that the cracker often doesn't know how long your password was, so would have to try all possible lengths up to your length). For instance, a somewhat simplistic test:
    PHP Code:
    /**
     * Estimate the brute-force keyspace of a password: size of the union of
     * character classes it uses, raised to its length.
     *
     * @param string $pwd
     * @return string  (bcpow() returns the number as a string)
     */
    function pwdx($pwd)
    {
        $charsets = array(
            '/[a-z]/'        => 26,
            '/[A-Z]/'        => 26,
            '/\d/'           => 10,
            '/[^a-zA-Z0-9]/' => 10 // kludge for any other characters!
        );
        $chars = 0;
        foreach ($charsets as $regex => $num) {
            // add the class size once if any character from that class is present
            $chars += preg_match($regex, $pwd) ? $num : 0;
        }
        return bcpow($chars, strlen($pwd));
    }

    // TEST:
    $words = array(
        "1234",
        "abcd",
        "ab12",
        "A1b2"
    );
    for ($i = 1; $i <= 4; $i++) {
        foreach ($words as $key => $pwd) {
            echo "'$pwd':" . PHP_EOL . '  ' . pwdx($pwd) . PHP_EOL;
            // lengthen each sample by repeating its first four characters
            $words[$key] .= substr($pwd, 0, 4);
        }
    }

    Output:
    Code:
    $ php pwdx.php
    '1234':
      10000     // possible permutations using just 0-9
    'abcd':
      456976    // possible permutations using just a-z
    'ab12':
      1679616   // possible permutations using a-z and 0-9
    'A1b2':
      14776336  // possible permutations using A-Z, a-z, and 0-9
    '12341234':
      100000000
    'abcdabcd':
      208827064576
    'ab12ab12':
      2821109907456
    'A1b2A1b2':
      218340105584896
    '123412341234':
      1000000000000
    'abcdabcdabcd':
      95428956661682176
    'ab12ab12ab12':
      4738381338321616896
    'A1b2A1b2A1b2':
      3226266762397899821056
    '1234123412341234':
      10000000000000000
    'abcdabcdabcdabcd':
      43608742899428874059776
    'ab12ab12ab12ab12':
      7958661109946400884391936
    'A1b2A1b2A1b2A1b2':
      47672401706823533450263330816
    This ignores dictionary look-ups, heuristics that suggest which characters people are more likely to use, etc. -- it just considers possible characters and length.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  5. #5
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    21,569
    And, of course:


  6. #6
    Join Date
    Jul 2016
    Posts
    13
    Quote Originally Posted by NogDog View Post
    And, of course:

    The issue with that password "correcthorsebatterystaple" is that because those are very common words, though nonsensical, a dictionary attacker would sooner try groupings of 4+ words like those, that are very common, as opposed to a grouping of 3 words that are extremely uncommon. Something like preposteroussingularitydebacle would be more effective!

  7. #7
    Join Date
    Oct 2013
    Location
    Sheboygan, Wisconsin
    Posts
    892
    correcthorsebatterystaple
    Massive Cracking Array Scenario:
    7.83 hundred billion centuries
    https://www.grc.com/haystack.htm

    At 73 myself, if my password under that Scenario shows 50 years or more, I am happy.

  8. #8
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    21,569
    Quote Originally Posted by EricSartor View Post
    The issue with that password "correcthorsebatterystaple" is that because those are very common words, though nonsensical, a dictionary attacker would sooner try groupings of 4+ words like those, that are very common, as opposed to a grouping of 3 words that are extremely uncommon. Something like preposteroussingularitydebacle would be more effective!
    "The Second Edition of the 20-volume Oxford English Dictionary contains full entries for 171,476 words in current use," per http://www.oxforddictionaries.com/us...glish-language

    Unless you restrict your cracking word list to a very, very small sub-set of those words (like 1%?), there are going to be way more possible words than characters. And the cracker has no reason to know that you used precisely 4 words, as opposed to "s#23asdf^xy" as your password, nor whether you used CamelCase, under_scores, hy-phens, etc. (The hash in the user DB is going to be the same number of pseudo-random characters regardless of the password used.) And you can use more than 4 words -- as long as the web site doesn't have some silly restriction on the size of the password you enter (since it doesn't store the password, just the hash [hopefully!]).
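    The arithmetic behind post #4's pwdx() script and post #8's "more possible words than characters" argument, as an added Python example that is not part of the thread. It is not the PHP code above: the "any other character" bucket is sized at the 33 printable ASCII symbols instead of the original kludge value of 10, the 2048-word and 171,476-word list sizes and the 1e10 guesses-per-second rate are constructed figures for comparison, and it also sums the keyspace over every length up to the maximum, which is the "cracker doesn't know your length" point from post #4.

```python
"""Password keyspace arithmetic for the strategies discussed in this thread."""
import math
import re

# Character classes and their sizes, mirroring the pwdx() approach, except that
# the "anything else" class is assumed to be the 33 printable ASCII symbols
# (95 printable characters minus 62 alphanumerics), not the original 10.
CHARSETS = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"\d"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),
)


def alphabet_size(pwd: str) -> int:
    """Union of the character classes present in pwd (the attacker's alphabet)."""
    return sum(size for rx, size in CHARSETS if rx.search(pwd))


def keyspace(pwd: str) -> int:
    """Candidates of exactly len(pwd) characters over that alphabet (like pwdx())."""
    return alphabet_size(pwd) ** len(pwd)


def cumulative_keyspace(alphabet: int, max_len: int) -> int:
    """Candidates of every length 1..max_len: what a cracker who does not know
    the length must cover before finishing length max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def passphrase_keyspace(n_words: int, dict_size: int) -> int:
    """Candidates for n_words words drawn from a dict_size-word list, joined
    with no separator and no casing (the 'words, not characters' view)."""
    return dict_size ** n_words


def bits(n: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(n)


def worst_case_seconds(n: int, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace at a given guess rate (average is half this)."""
    return n / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> dict:
    """Rank the strategies from the thread by keyspace bits and worst-case time.
    The default rate is a constructed figure for a fast offline attack against
    a fast unsalted hash; a slow password hash lowers it by orders of magnitude."""
    # Constructed word-list sizes: 2048 for a short "common words" list,
    # 171476 for the OED figure quoted in post #8.
    cases = {
        "8 chars, all classes ('4$yI9+(m')": keyspace("4$yI9+(m"),
        "9 chars, all classes": alphabet_size("4$yI9+(m") ** 9,
        "4 common words (2048-word list)": passphrase_keyspace(4, 2048),
        "3 uncommon words (171476-word list)": passphrase_keyspace(3, 171476),
        "36 lowercase chars, length unknown": cumulative_keyspace(26, 36),
    }
    return {
        name: (round(bits(n), 1), worst_case_seconds(n, guesses_per_second))
        for name, n in cases.items()
    }


if __name__ == "__main__":
    for name, (b, secs) in compare().items():
        print(f"{name:40s} {b:6.1f} bits  {secs / 31_557_600:.3e} years")
```

    Two things the numbers show that the pwdx() output alone does not: the word-based estimate rises or falls with the size of the list the cracker is assumed to use, so "three uncommon words" only beats "four common words" if the uncommon list really is much larger; and the 36-character lowercase passphrase dwarfs every mixed-class short password even before the unknown-length sum is added, which is the thread's length-beats-complexity point in numbers.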
