[Klug-general] password testing/cracking

Gary Yeames-Smith gary at hotel-media.tv
Tue Mar 26 07:07:42 UTC 2013


Another method for password creation is to create a long memorable sentence
and then take the 1st letter of each word. This results in an easy to
remember password which looks completely random to other people.

Also, using capital letters for people's names and/or places, or finding a
way to incorporate currency signs, is even better.

Something like:

Cyprus are the latest victims in the Euro zone

could create a password:

Catlvit€z

The only caveat is that you have to remember the sentence. But this could be family
related, like a sentence that contains your children's/parents' birthdays.

Gary
On 26 Mar 2013 05:58, "Peter Childs" <pchilds at bcs.org> wrote:

> The banks are quite happy with 4 digit pins so why bother. I for one am
> more worried about my money in the bank than about what I write or someone
> else might write for me on Facebook......
>
> If people are encouraged to have long difficult to remember passwords they
> write them down which is counter productive. I've met people with code
> books; are they somehow any more secure than passwords you can store in
> your head.....
>
> The truth is the security is in variety: if everyone uses the same password
> it's easy to crack, but if everyone uses a slightly different one based on
> anything it's going to be harder work.
>
> In straight maths longer passwords are better: each extra character raises
> the available combinations by about 40+ times. But if everyone uses the
> same combination it's still just as easy to crack.....
>
> So yes long private keys are best, but then you have to find some way to
> look after the long private key so it stays secure. Passwords are short,
> easy to remember but difficult to guess, that should NEVER be written down.
> Ideally we should be using a long private key protected with a password.
> And then keep that key on hmm a bit of plastic in our wallet?  Ring any
> bells?
>
> Peter
> On 25 Mar 2013 23:02, "james morris" <jwm.art.net at gmail.com> wrote:
>
>> On 25 March 2013 13:48, Karl Buckland <buckland.karl at gmail.com> wrote:
>> > MD5 passwords are only particularly easy to crack because the hashing
>> > algorithm is extremely fast and usually they aren't salted. This means you
>> > can generate a rainbow table of hashes and then simply match up.
>> >
>> > Are you trying to ascertain what makes a secure password, or are you trying
>> > to ascertain what makes a secure login system?
>>
>> More trying to _show_ insecure passwords, and secure passwords. My
>> reasoning for using MD5 was that if hashcat fails to crack a password
>> hashed using MD5, it's going to be secure. For instance, passwords
>> stored in /etc/shadow are hashed using SHA512 (as well as salted).
>>
>> > As a web developer I recommend using a complicated and slow password
>> > encryption scheme, such as bcrypt. On top of that, each password should have
>> > its own salt. And on top of that, any login system should disable a user's
>> > account after a set number of failed logins.
>> >
>> > As for user passwords, I would recommend at least 8 characters and the
>> > standard set of uppercase, lowercase, numeric and special characters.
>> > Ideally, you should use a password manager instead and use long, complicated
>> > (effectively impossible to remember) passwords.
>>
>> But I think for many non-technical people, difficult to remember
>> passwords are a real problem. I wanted to experiment with much longer,
>> but easy to remember passwords, looking at how difficult they were to
>> crack. For instance, lines from poems or novels etc. I know using
>> words straight out of the dictionary is frowned upon to say the least,
>> but this is where the length comes in. The very name of the term
>> "password" suggests brevity.
>>
>> I wanted to compare the security of long easy to remember passwords
>> (minimum 15 characters) with shorter difficult to remember passwords.
>> The article I linked to says the time taken to crack a hashed password
>> increases exponentially with each character so the theory is that easy
>> to remember passwords can be secure if they are long enough.
>>
>>
>>
>> >
>> > Karl
>> >
>> >
>> > On 25 March 2013 13:01, james morris <jwm.art.net at gmail.com> wrote:
>> >>
>> >> (sorry for previous attempt, forgot list doesn't allow attachments)
>> >>
>> >> read an article about password cracking this morning:
>> >>
>> >>
>> >> http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/3/
>> >>
>> >> and being curious decided to try my own passwords. it only seemed to
>> >> crack the first word of two (not the two-digit number at the end) in my
>> >> weakest password.
>> >>
>> >> then i was curious about long passwords made entirely of words such as:
>> >>
>> >> longpassworddifficulttocrack
>> >>
>> >> my tests don't crack that, nor even crackmenow or hardtocrack.
>> >>
>> >> i'm using the rockyou.txt word list, and only encoding the passwords
>> >> as MD5 so expected better results than this.
>> >>
>> >> here's a bash script to automate password testing to some degree:
>> >> https://github.com/jwm-art-net/password_tester
>> >>
>> >> it starts with a file of unencoded passwords one per line, runs md5sum
>> >> on them, then tries to crack the md5s.
>> >>
>> >> any tips for making the cracking effort more robust appreciated!
>> >> cheers,
>> >> james
>> >>
>> >> _______________________________________________
>> >> Kent mailing list
>> >> Kent at mailman.lug.org.uk
>> >> https://mailman.lug.org.uk/mailman/listinfo/kent
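The three technical claims running through this thread (Peter's "each extra character multiplies the combinations", the unsalted-MD5 lookup that james's test setup relies on, and Karl's slow per-password-salted scheme), worked through as an added standard-library Python example that is not part of any of the posts. WORDLIST is a constructed stand-in for rockyou.txt, and PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the standard library.

```python
"""Added example (not from the thread): hash speed, salting and length."""
import hashlib
import hmac
import math
import os

# Constructed stand-in for a leaked word list such as rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "crackmenow", "hardtocrack"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in james's script: same input, same digest, every time."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(words):
    """Digest -> plaintext map. Because MD5 here is unsalted and fast, one table
    built once answers any number of leaked hashes with a single dict lookup."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(digest: str, table):
    return table.get(digest)  # None when the word is not in the list


def salted_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, deliberately slow derivation. A precomputed table is useless
    because each user's salt changes the output, and every guess now costs
    `iterations` HMAC rounds instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_salted_record(password: str):
    salt = os.urandom(16)  # fresh per-password salt, as Karl recommends
    return salt, salted_kdf(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_kdf(password, salt), stored)


def search_space_bits(units: int, choices_per_unit: int) -> float:
    """Peter's point: guesses = choices ** units, so log2 grows linearly with
    length. Pass characters and an alphabet size for random-looking passwords,
    or words and a word-list size for passphrases built from common words;
    the second figure is the realistic one for longpassworddifficulttocrack."""
    return units * math.log2(choices_per_unit)


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print(lookup_unsalted(md5_hex("crackmenow"), table))  # recovered by lookup
    salt, stored = new_salted_record("crackmenow")
    print(verify_salted("crackmenow", salt, stored), verify_salted("crackmenoW", salt, stored))
    # Gary's 9-symbol acronym over ~40 symbols, james's 28 lowercase letters
    # counted as random letters, and the same phrase counted as 5 common words.
    print(round(search_space_bits(9, 40)), round(search_space_bits(28, 26)),
          round(search_space_bits(5, 10_000)))
```

The last line of output is the caveat the thread circles around: 28 letters look like 131 bits, but five words drawn from a 10,000-word list are closer to 66, still far above the 9-character acronym.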