[Klug-general] password testing/cracking

Peter Childs pchilds at bcs.org
Tue Mar 26 05:58:23 UTC 2013


The banks are quite happy with 4-digit PINs so why bother. I for one am
more worried about my money in the bank than about what I write or someone
else might write for me on Facebook......

If people are encouraged to have long, difficult to remember passwords they
write them down, which is counterproductive. I've met people with code
books; are they somehow any more secure than passwords you can store in
your head?.....

The truth is the security is in variety: if everyone uses the same password
it's easy to crack, but if everyone uses a slightly different one based on
anything it's going to be harder work.

In straight maths longer passwords are better: each extra character raises
the available combinations by about 40+ times. But if everyone uses the
same combination it's still just as easy to crack.....

So yes, long private keys are best, but then you have to find some way to
look after the long private key so it stays secure. Passwords are short,
easy to remember but difficult to guess, and should NEVER be written down.
Ideally we should be using a long private key protected with a password.
And then keep that key on, hmm, a bit of plastic in our wallet? Ring any
bells?

Peter
On 25 Mar 2013 23:02, "james morris" <jwm.art.net at gmail.com> wrote:

> On 25 March 2013 13:48, Karl Buckland <buckland.karl at gmail.com> wrote:
> > MD5 passwords are only particularly easy to crack because the hashing
> > algorithm is extremely fast and usually they aren't salted. This means you
> > can generate a rainbow table of hashes and then simply match up.
> >
> > Are you trying to ascertain what makes a secure password, or are you trying
> > to ascertain what makes a secure login system?
>
> More trying to _show_ insecure passwords, and secure passwords. My
> reasoning for using MD5 was that if hashcat fails to crack a password
> hashed using MD5, it's going to be secure. For instance, passwords
> stored in /etc/shadow are hashed using SHA512 (as well as salted).
>
> > As a web developer I recommend using a complicated and slow password
> > encryption scheme, such as bcrypt. On top of that, each password should have
> > its own salt. And on top of that, any login system should disable a user's
> > account after a set number of failed logins.
> >
> > As for user passwords, I would recommend at least 8 characters and the
> > standard set of uppercase, lowercase, numeric and special characters.
> > Ideally, you should use a password manager instead and use long, complicated
> > (effectively impossible to remember) passwords.
>
> But I think for many non-technical people, difficult to remember
> passwords are a real problem. I wanted to experiment with much longer,
> but easy to remember passwords, looking at how difficult they were to
> crack. For instance, lines from poems or novels etc. I know using
> words straight out the dictionary is frowned upon to say the least,
> but this is where the length comes in. The very name of the term
> "password" suggests brevity.
>
> I wanted to compare the security of long easy to remember passwords
> (minimum 15 characters) with shorter difficult to remember passwords.
> The article I linked to says the time taken to crack a hashed password
> increases exponentially with each character so the theory is that easy
> to remember passwords can be secure if they are long enough.
>
>
>
> >
> > Karl
> >
> >
> > On 25 March 2013 13:01, james morris <jwm.art.net at gmail.com> wrote:
> >>
> >> (sorry for previous attempt, forgot list doesn't allow attachments)
> >>
> >> read an article about password cracking this morning:
> >>
> >> http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/3/
> >>
> >> and being curious decided to try my own passwords. It only seemed to
> >> crack the first word of two (and not the two-digit number at the end) in my
> >> weakest password.
> >>
> >> then i was curious about long passwords made entirely of words such as:
> >>
> >> longpassworddifficulttocrack
> >>
> >> my tests don't crack that, nor even crackmenow or hardtocrack.
> >>
> >> i'm using the rockyou.txt word list, and only encoding the passwords
> >> as MD5 so expected better results than this.
> >>
> >> here's a bash script to automate password testing to some degree:
> >> https://github.com/jwm-art-net/password_tester
> >>
> >> it starts with a file of unencoded passwords, one per line, runs md5sum
> >> on them, then tries to crack the MD5s.
> >>
> >> any tips for making the cracking effort more robust appreciated!
> >> cheers,
> >> james
> >>
> >> _______________________________________________
> >> Kent mailing list
> >> Kent at mailman.lug.org.uk
> >> https://mailman.lug.org.uk/mailman/listinfo/kent
>
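The thread makes two separate points that are easy to conflate: Peter's "each extra character multiplies the combinations" (which is only true against brute force; a passphrase built from dictionary words is searched by word, not by character) and Karl's observation that unsalted, fast MD5 can be attacked with a precomputed table while a salted, slow hash cannot. The block below is an added example written for this archive page; it is not code from the thread or from James's password_tester script. It assumes a constructed six-word candidate list standing in for rockyou.txt, an assumed PBKDF2 work factor of 200,000 iterations, and uses PBKDF2 from the Python standard library as a stand-in for the bcrypt Karl recommends.

```python
import hashlib
import hmac
import math
import os

# Constructed stand-in for a wordlist such as rockyou.txt (not real leaked data).
CANDIDATE_WORDS = ["password", "letmein", "crackmenow", "hardtocrack", "monkey", "dragon"]


# --- Part 1: how the search space grows with length (Peter's point) ---

def combinations(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of
    `alphabet_size`. Each extra character multiplies this by alphabet_size
    (26 for lowercase, 95 for printable ASCII); that is the "about 40x per
    character" rule of thumb."""
    return alphabet_size ** length


def bits_random_chars(alphabet_size: int, length: int) -> float:
    """Entropy in bits if every character were chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def bits_random_words(dictionary_size: int, word_count: int) -> float:
    """Entropy in bits of a passphrase of `word_count` words drawn uniformly
    from a dictionary of `dictionary_size` words. A wordlist/combinator
    attack searches this space, not the character space, so a 28-character
    passphrase of four common words is far weaker than its length suggests."""
    return word_count * math.log2(dictionary_size)


# --- Part 2: unsalted fast hash vs. salted slow hash (Karl's point) ---

def unsalted_md5(password: str) -> str:
    """What James's script does with md5sum: no salt, one fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(words):
    """A hash -> password table built once and reused against every stored
    hash. It works only because an unsalted hash is identical for every
    user who chose that password."""
    return {unsalted_md5(w): w for w in words}


def table_lookup(table, digest):
    return table.get(digest)


ITERATIONS = 200_000  # assumed work factor; tune to the login server's hardware


def store_password(password: str, salt=None):
    """Per-password random salt plus a deliberately slow KDF (PBKDF2 from the
    standard library, standing in for bcrypt). Returns (salt, derived_key);
    both are stored, the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids leaking
    how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    # "longpassworddifficulttocrack": 28 lowercase characters, but four words.
    print("as random chars:", round(bits_random_chars(26, 28), 1), "bits")
    print("as 4 words from a 10,000-word dictionary:", round(bits_random_words(10_000, 4), 1), "bits")

    table = precomputed_table(CANDIDATE_WORDS)
    print("unsalted md5 of 'crackmenow' found in table:", table_lookup(table, unsalted_md5("crackmenow")))

    # Same password stored twice: different salts, so different keys, so no shared table.
    s1, k1 = store_password("crackmenow")
    s2, k2 = store_password("crackmenow")
    print("salted keys identical for the same password:", k1 == k2)
    print("verify correct password:", verify_password("crackmenow", s1, k1))
```

The two entropy figures are the whole argument of the thread in numbers: length helps only against an attacker who does not know the password is made of words. Against a wordlist attack the strength is the number of words times the log of the dictionary size, so James's passphrase experiments should be judged by word count and dictionary size rather than by character count, and the hashing scheme on the server side decides whether one precomputed table serves an attacker for every user or none.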