Briantho2010 wrote:Having done some brute force password cracking this comic isn't truthful to real life from my experience. When brute forcing a password you can do various types of attacks but the larger the pool of characters for each character of a password, the higher total # of password possibilities. Example. A 5 character all lower case password provides 11,881,376 possibilities whereas a 5 character password using upper case, lower case and 0-9 produces 916,132,832 possibilities. That password would be potentially 77.10 times harder to crack using brute force methods than first example.
That's a naive brute force approach. This is dictionary-based.
BAReFOOt wrote:Again with that RETARDED “longer > complexerererer” straw man argument? *sigh*
That's not the argument at all. "correcthorsebatterystaple" _is_ complexerer than Tr0ub4dor&3. It just so happens to be longer as well, but that is not argued to be the basis of its relative strength.
BAReFOOt wrote:“correct horse battery staple” = [a-z ]^28 = 27^28, or realistically probably [a-zA-Z -]^28 = 54^28, or, at best, 64^28.
But in the REAL WORLD, that’s cracked in no time with a simple dictionary attack. Which for myspell/de_GB.dic is less than 46281^4!
46281^4 is still greater than 64^10, a typical "random" password of [[:alnum:][:punct:]]. But that's not the kind of password the comic is advising against. The undesirable kind of password is a single dictionary word with a few character substitutions and appended digits, more like 46281*(20^10), which is an order of magnitude weaker.
BAReFOOt wrote:If only ONE of those is a Unicode char, suddenly the brute force system has to be used and suddenly even 256^x doesn’t do it anymore: (remember, this is just a comparison while keeping the length)
“✔orrect horse battery staple” = realistically 109449^28 (Unicode 6.0), or even when going blindly for 16 bit, it’s still 65536^28.
If the attacker expects only one non-ASCII character, then it's not 109449^28, but (64^27)*109449*28. Or in the REAL WORLD, as you say, (46281^4)*109449*28. (*28 because he doesn't know which of the 28 chars is the unicode one.) Mixed-caps and selective character substitutions would give an equivalent or better strengthening.
gavin wrote:Everyone I know who actually deals with ethical hacking (and a few who are not so much on the ethical side of things) says that size is all that matters when it comes to password length. I was most recently taught that 15 characters (assuming it's still not a single word) completely changes the dynamic of how long it takes to hack. This is because it changes the password type.
Computers currently use two invisible boxes that contain 7 characters of the password each.
That's not any hashing function that I know of. Sounds like it could be a Windows thing.
fmobus wrote:The trick is to have the generator work with very limited entropy, so that a brute-force is actually trivial even thou the suggested passwords look random to the lay user. If you somehow manage to track who is using your generator (facebok like's, tweets, etc), you kinda have evertything you need to hack them.
Oooh, that is just... Oh!...
You are an evil genius, sir.
And an excellent advertisement for open source crypto.For me, the best password generation is still an acronym of a memorable phrase unique to me with some character substitutions.