
Passwords; Length vs complexity/randomness


16 replies to this topic

#1 superking75

superking75

  • Members
  • 155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 29 May 2018 - 05:34 PM

This is a general question that I've been curious about.

 

If you were to choose one or the other which in theory would be stronger:

 

Length: 301RandomHelloRandomHellorandomhellorandomhello^ 

Randomness/Complexity:  Dn79$%@2n 

 

Obviously, it would be ideal to have both, but most can't memorize one let alone multiple passwords 30+ characters in length.

 

 

If my logic is flawed, please say so.


Edited by superking75, 29 May 2018 - 05:34 PM.




#2 JohnC_21

JohnC_21

  • Members
  • 24,291 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 29 May 2018 - 06:26 PM

I'm thinking it could be length but I am not sure about your example with the repeating of the phrase.

 

An interesting read.

 

https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

 

Personally, I use KeePass for Password Storage.


Edited by JohnC_21, 29 May 2018 - 06:40 PM.


#3 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:39 AM

Posted 29 May 2018 - 07:30 PM

There has been lots of research that indicates, pretty conclusively, that length has a far better protective quality than complexity because most password compromises aren't the result of someone guessing, but someone writing code to do brute force probing until they succeed.  It's much easier to try every possible character for every position of an 8-character password than it is for a 15, 20, 25, 30, etc. character password.

 

If you use a pass phrase (which is what I would consider your example, but you omit the spaces) think about how difficult even a 5-word one would be to guess or do a brute force crack on.

 

It's also pretty amazing how quickly they can be typed if you pick a good one for yourself.  As a theoretical example, let's say your childhood home address was 1521 Main Street, the first city you moved to was New Paltz and you did so in 1973, and you used 1973NewPaltz123MainStreet: that's mighty long, but you've probably typed 123 Main Street (or 123 Main St) untold times and it rolls right off of the fingers, and something like 1973NewPaltz will, too.

 

I don't even go that far, length wise.  I use what I call the portmanteau method, using something from my childhood that no one would ever guess, plus a 2 digit random number (but not random to me), plus something related to what's being logged in to that I can easily remember, plus one special character.  I challenge anyone to say that something like Cox1267BleepingComputer!, where Cox, 1267, and the terminal '!', are fixed elements and the "BleepingComputer" is site specific (in some way, could be as short as 'BC', or BleepCompu [first 5 characters of each word]) is an "easy to guess or easy to crack" password.

 

Even though I use the portmanteau method for my passwords, I still use a password manager.  In my case it's Password Safe and its Android port, with the encrypted password safe file stored on my Google Drive and used as the repository accessed both from my PCs and my smartphone, so all remain "in sync".


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:39 AM

Posted 30 May 2018 - 05:04 PM

Password Resources
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 30 May 2018 - 05:12 PM

Depends on what kind of password cracking methods the attacker will use.

 

If an attack is chosen that works on combinations of characters, then the longest password is more resistant to this attack.

If an attack is chosen that works on combinations of words plus a couple of random prefix and suffix characters, then the shortest password is more resistant to this attack (depending on the right choice of the word dictionary).


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:39 AM

Posted 30 May 2018 - 05:26 PM

(depending on the right choice of the word dictionary).

 

And that's an incredibly important proviso.   The probability of 'right choice of word dictionary' without some kind of significant prior knowledge is exceedingly small.




#7 rp88

rp88

  • Members
  • 3,046 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:39 AM

Posted 02 June 2018 - 03:30 PM

That said, the choice of words in use in the English language overall is vastly smaller than the number of possible random sets of characters. The best passwords try to be long, but also to be composed in some places of things which are not dictionary words, even if that just means throwing some numbers and punctuation marks into the middle of words. "1973NewPaltz123MainStreet" actually seems pretty good, but best not to use real details like where you actually lived in case someone finds out; then maybe substitute some letters for numbers or punctuation, and don't just substitute for punctuation/numbers which look like the letter they replace, because I'm sure I heard somewhere that tools have been made which automatically try punctuation/numbers that look like letters.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 03 June 2018 - 08:21 AM

The password cracking community is very adept at discovering patterns in "human-generated" passwords, to improve the efficacy of their tools and techniques.

Knowing/supposing that a password was "created" by a human, e.g. not truly random, gives you an advantage. Knowing that said human speaks English, gives you more advantage.

 

For example, it's well known that the words "hello" and "random" used by the OP appear often in passwords. That is illustrated by their high-ranking presence on password lists, like John the Ripper's password list.

 

John the Ripper also comes with word mangling rules that can do what rp88 is alluding to (punctuation/numbers that look like letters, aka leetspeak). Here is an example for the word "hello" using John the Ripper's l33t rules:

 

 

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run>echo hello | john.exe --pipe --rules:l33t --stdout
h3llo
he11o
he77o
he||o
he!!o
H3llo
He11o
He77o
He||o
He!!o
hell0
Hell0
h311o
h377o
h3||o
h3!!o
h3ll0
H311o
H377o
H3||o
H3!!o
H3ll0
h311o
h377o
h3||o
h3!!o
he110
he770
he||0
he!!0
H311o
H377o
H3||o
H3!!o
He110
He770
He||0
He!!0
h3ll0
he110
he770
he||0
he!!0
H3ll0
He110
He770
He||0
He!!0
h3110
H3110
50p 0:00:00:00 0.00% 364.9p/s H3110

 

As can be seen from the report, a single word was transformed into 50 words, all to be used as candidate passwords in the password cracking process.


Edited by Didier Stevens, 03 June 2018 - 08:22 AM.
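A defender-side illustration of the point above, added here and not part of Didier's post or of John the Ripper itself: a small Python check that undoes leetspeak before comparing a password against a wordlist, so each of the mangled forms of "hello" shown in the output is still recognised as "hello". The substitution table and the tiny wordlist are constructed assumptions, not JtR's actual l33t rule file.

```python
import itertools
from math import prod

# Assumed leet table built from the substitutions visible in the JtR output
# above (3->e, 1/7/|/!->l, 0->o) plus a few common extras; JtR's real l33t
# rules are broader. Several symbols are ambiguous (1 may be 'l' or 'i').
DELEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
    "7": "tl", "@": "a", "$": "s", "|": "il", "!": "il",
}

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"hello", "random", "password", "main", "street"}

MAX_READINGS = 4096  # bound the combinatorial blow-up on long inputs


def deleet_readings(password, limit=MAX_READINGS):
    """All plain-text readings of `password` with leetspeak undone.

    Each character may stand for itself or for any letter in its DELEET entry,
    so an ambiguous input yields several readings: 'he11o' -> he11o, hello,
    heilo, ... Case is folded first, matching the lower-case wordlist.
    """
    options = [ch + DELEET.get(ch, "") for ch in password.lower()]
    if prod(len(o) for o in options) > limit:
        # Too many readings to enumerate: keep only the last-listed mapping.
        return {"".join(o[-1] for o in options)}
    return {"".join(combo) for combo in itertools.product(*options)}


def base_words(password, wordlist=WORDLIST):
    """Dictionary words that `password` is merely a case/leet variant of."""
    return {reading for reading in deleet_readings(password) if reading in wordlist}


def is_mangled_dictionary_word(password, wordlist=WORDLIST):
    """True when a leet-aware policy check should treat `password` as a word."""
    return bool(base_words(password, wordlist))


# A sample of the 50 variants JtR produced from "hello"; all collapse back
# onto the base word, so a normalising check rejects them all alike.
JTR_VARIANTS = ["h3llo", "he11o", "he77o", "he||o", "he!!o", "H3110", "He!!0", "hell0"]

if __name__ == "__main__":
    for pw in JTR_VARIANTS + ["Dn79$%@2n"]:
        print(f"{pw:12} -> {sorted(base_words(pw)) or 'no dictionary base'}")
```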



#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 03 June 2018 - 08:45 AM

If you want to use a word in your password, you can get an idea how popular that word is with users for password usage with the following website: https://haveibeenpwned.com/Passwords

This is Troy Hunt's website, a fellow Microsoft MVP that I trust.

 

Of course, his website uses a database of known passwords, e.g. it's a database of password leaks and breaches.

 

Most of my passwords are long (20+ characters) and random (generated by a password manager). I don't memorize them, they are stored in my password manager.


Edited by Didier Stevens, 03 June 2018 - 09:06 AM.



#10 JohnC_21

JohnC_21

  • Members
  • 24,291 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:39 AM

Posted 03 June 2018 - 08:57 AM

I still think using the Diceware list is the way to go if you need to memorize the password; otherwise I use Keepass to generate long passwords.

 

In other words, if an attacker knows that you are using a seven-word Diceware passphrase, and they pick seven random words from the Diceware word list to guess, there is a one in 1,719,070,799,748,422,591,028,658,176 chance that they’ll pick your passphrase each try.

At one trillion guesses per second — per Edward Snowden’s January 2013 warning — it would take an average of 27 million years to guess this passphrase.

Not too bad for a passphrase like “bolt vat frisky fob land hazy rigid,” which is entirely possible for most people to memorize. Compare that to “d07;oj7MgLz’%v,” a random password that contains slightly less entropy than the seven-word Diceware passphrase but is significantly more difficult to memorize.
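To make the quoted Diceware arithmetic reproducible, here is an added Python example (not from the thread or the Intercept article) that computes the keyspace, bits of entropy and average crack time at the quoted one trillion guesses per second, alongside the same figures for plain character brute force at the lengths britechguy mentions. The 95-character printable ASCII alphabet and the 7776-word list size are assumptions stated in the code.

```python
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Guess rate quoted in the thread ("one trillion guesses per second").
TRILLION_PER_SEC = 10 ** 12
PRINTABLE_ASCII = 95     # assumed alphabet for character-by-character brute force
DICEWARE_WORDS = 7776    # assumed list size: 6^5 entries in a standard Diceware list


def keyspace_chars(length, alphabet=PRINTABLE_ASCII):
    """Candidates an exhaustive character search must cover for a given length."""
    return alphabet ** length


def keyspace_words(n_words, dict_size=DICEWARE_WORDS):
    """Candidates when the attacker knows the passphrase is n words from a known list."""
    return dict_size ** n_words


def entropy_bits(keyspace):
    return log2(keyspace)


def average_years(keyspace, rate=TRILLION_PER_SEC):
    """Expected search time: on average the right candidate sits halfway through."""
    return keyspace / 2 / rate / SECONDS_PER_YEAR


def diceware_passphrase(n_words=7):
    """Keyspace, bits and average crack time for an n-word Diceware passphrase."""
    ks = keyspace_words(n_words)
    return ks, entropy_bits(ks), average_years(ks)


def length_table(lengths=(8, 9, 15, 20, 25, 30)):
    """britechguy's point in numbers: average years to crack each length by brute force."""
    return {n: average_years(keyspace_chars(n)) for n in lengths}


if __name__ == "__main__":
    ks, b, yrs = diceware_passphrase(7)
    print(f"7-word Diceware: 1 in {ks:,} per guess, {b:.1f} bits, ~{yrs / 1e6:.1f} million years")
    for n, yrs in length_table().items():
        print(f"{n:2d} printable chars: {entropy_bits(keyspace_chars(n)):5.1f} bits, {yrs:.3g} years")
```

The 9-character row corresponds to the OP's Dn79$%@2n example under a pure character-search model; Didier's earlier reply explains why a word-based attack changes the picture for the longer string.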



#11 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 03 June 2018 - 09:20 AM

I would like to add to JohnC_21's advice, that there are also Diceware lists for other languages than English, should English not be your native tongue:

http://world.std.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline


Edited by Didier Stevens, 03 June 2018 - 09:24 AM.



#12 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:39 AM

Posted 03 June 2018 - 09:48 AM

We're back to what's possible (but very highly unlikely) versus probable.

 

If people compose a portmanteau password, in their native language, out of 5 or 6 elements from their own life, many of which it is well-nigh impossible for a random hacker to know, they'll have an awfully secure pass phrase.

 

Anyone who succeeds in figuring out what one of my childhood nicknames was or the name of my very first pet (which died before 1970 and did have a wildly unusual name) deserves to have a better chance at cracking my password.

 

If you start including things like the house number of your grandparents' home address, your favorite Aunt and Uncle's names, concatenated and capitalized, and the like you really are creating something that, when mixed with other "weird" and idiosyncratic elements, creates a strong password.

 

People do two or three things that virtually doom them to having passwords that are easy to crack.  Using things like abc123 or "hello" with a digit before or after is just simply guessable.  Writing down passwords on "carry with" scraps of paper for important things like online banking.  Or choosing things from their own past when making complex pass phrases that are simple to look up online. 

 

Since I come from a family where both Mom & Dad had 7 siblings, and all of those siblings had families with at least 2 children, picking the names of two or three cousins (particularly full married names for the women) along with a mix of other random "mental lint from my life" creates a pass phrase that, if sufficiently long, would be awfully hard to crack.  Something like Winterthur129*BleepingComputerAlexis@$ would be darned difficult to "dictionary pick" and very simple to remember if everything but the "site name" portion in this example is something meaningful to the person using those elements to create a consistent portmanteau where the only thing that changed was the "site name" portion (which need not be "site name" but something the individual can easily associate with the thing for which they're creating the password).  People want something that's easy for them to remember and that is not random to them but would be to virtually anyone else on the planet.

 

There is a balance to be struck, and if what security experts keep insisting people do is something that for very good reason (impracticality) people will not do then they are contributing to the continuance of the very problems they decry.   If you want people to do something routinely, and change their behavior, then you've got to pick something doable.  This has been demonstrated so repeatedly that I do not understand why it is not routinely taken into consideration, but it routinely isn't.

 

Even my favorite password generation method is "too much" for many people, so the idea that most will use something like Dicewords is something beyond "pie in the sky."  I wouldn't bet a single cent on acceptance of that or of people in general using only passwords generated by password managers that they cannot possibly recall if they needed to when access is needed but whatever device(s) their password manager can be accessed from just isn't available.




#13 Replicator

Replicator

  • Members
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dark Basement
  • Local time:05:39 PM

Posted 03 June 2018 - 10:22 AM

Everyone seems to focus on password strength: what's stronger, what's memorable, what's better!

 

This is rather a 90's mentality now, as most Web application 'User Authentication' (worth its salt) today has greatly surpassed this basic protocol with the rise of Biometrics and 2 factor authentication, among other security layers which are fast becoming the norm.

 

Iris and facial recognition software technology is expanding rapidly.

 

Heart rate authentication is gaining momentum because unlike fingerprinting, it can be done as a background process without you even noticing.

A company that has already developed this technology to replace the password is Nymi, creators of the Nymi Band bracelet that identifies people based on the heart rate measured at their wrist.

 

The mind boggles, but I guess until this new tech is at the forefront, we are stuck with password managers.

 

The future is approaching lads! 


Edited by Replicator, 03 June 2018 - 10:29 AM.

The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd

 


#14 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:39 AM

Posted 03 June 2018 - 10:33 AM

Replicator,

I wish I shared your enthusiasm and your belief that the technologies you name will gain wide acceptance.  Alas, I do not.

There is already a clear indication that a great many people do not trust biometrics (and, given the highly personal data that's involved in using them, they have a point) and that is going to really forestall their widespread acceptance.

Most biometric identification methods feel very "big brotherish" and that's going to be the ultimate barrier to their widespread acceptance in my opinion.

The number of demonstrations of, "The best technology is not necessarily what is the most widely accepted or commercially viable," is massive, particularly in the computing and electronics worlds, but also elsewhere.


Edited by britechguy, 03 June 2018 - 10:34 AM.



#15 Replicator

Replicator

  • Members
  • 238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dark Basement
  • Local time:05:39 PM

Posted 03 June 2018 - 10:40 AM

I'm forced to use two-factor authentication to log in to my Crypto-currency exchange... that's a good thing, as it matters not how weak my password is!

 

Majorgeeks.com even use it for a simple forum login today!

 

Bio-metrics may not be an ideal solution, but others are fast approaching.

 




 




