11 comments

[ 3.7 ms ] story [ 33.3 ms ] thread
I am a security layman; whenever I create a password for an account I tend to just use very long sentences. To log into my laptop, I have to type something completely unlike "oh man here i am again logging into this stupid thing".

I've always wondered if this is any less secure than some nice mixed meta characters. "SS7s$@a8" as it were.

I can remember my sentence very easily and type it far more quickly than I can henpeck the pure random mix.

Also, I am very curious - if the encrypted password ends up being a uniform length N, is there any value having a passphrase longer than length N, if by that point the correspondence between the encrypted passphrases might be many-to-one with their unencrypted counterparts?

I feel there is so much more coffee-talk understanding to cryptography I have before I could even begin the barest math essentials of understanding it. Perhaps my naivety is founded by low math self confidence. shrug

It depends.

The old method of cracking passwords was a dictionary attack. You take every 6 or 8 letter word, and all the O->0 i->1 etc variants, calculate the hashed password and store them. In this case having a 64character pass phrase makes the dictionary impractical. As did having a random "$^FD^$@l^" type passwd.

The newer technique is to use a GPU or FPGA and simply try all possible 6 or 8 char strings and calculate the hash in real time at a billion tries/second. This means the random gibberish is no better than "passwd". So even if you do have the full text of "war and peace" as your pass phrase there will be a shorter string that hashes to the same value and the GPU will find this collision first. Remember it doesn't need to find your passwd - just an equivalent one.

If there exists any 8 character string that hashes the same as your 64 character password then your hash function is pretty certainly badly broken.
OOps true ;-)

ut combine it with limits on how long a password can be and a GPU approach is feasible

I am also a layman, but I think the answer to your first question is "it depends". Specifically, it depends on the length of our mixed meta password and the length of your passphrase.

I ran the numbers for passwords up to 30 characters long and made a chart in Excel showing the total possible passwords, one to thirty characters long, given a variety of character spaces, using the form s^l (character space to the power of password length). [1] The weakest space I used was lowercase characters only (26), the most complex was "all keyboard characters" (96). (In between are various combinations of lowercase, uppercase, numerics, common punctuation, and all punctuation. It's not entirely relevant to my point though.)

One interesting point I found was that a purely lowercase password only needs to be 30 characters long to beat an "everything on the keyboard" password of 22 characters, and is a lot easier to remember.

One serious point to consider is that passphrases aren't the same thing as "lowercase-only" passwords. If you consider each word as a "character" you could use a dictionary to brute force it, meaning that rather than brute forcing the series as ["a", "b", ... "z", "aa", etc.] you could brute force it as ["an", "as", ... "an account", "an acorn", etc.].

Personally, all of my passwords but one are ridiculous mixed passwords that I don't even know. The last password is the password to my KeePass database, which is a longish passphrase (also the phrase I use doesn't make any damn sense, which is sort of the point). The idea is that long mixed passwords are hard to remember but are more secure than an identically long phrase, so I want to use those as much as possible, but because it's essential that I remember the KeePass password (because forgetting it would lock me out of everything), a passphrase works as a memorable but still complex password.

I'm not entirely sure I've done any of my work correctly, so I'll just sit here and wait for Thomas or Colin to come in and take me to school.

[1] http://i.imgur.com/4tMEX.png

Passwords do not need to be memorable. You need one very secure master pass phrase[1] and a good password safe.

[1] Use diceware to generate it. Avoid swapping words out for something easier to remember (see the article for examples) and, if you need to, write it on a piece of paper while you learn it, but treat that piece of paper like a high value item.

Perhaps the future lies more with the "something you have" form of authentication than the "something you know", like passwords, that this article complains about.

For example, Google's two-factor authentication seems very secure, even with a weak password. To log in, I need to enter the ever-changing six-digit number off my iPhone as well as my regular password. Similar to this are other schemes which use any SMS-capable phone: enter your username and password on the web site, then enter the word the system just texted to me. Some banks use this to secure the addition of a new electronic bill payee, for example.

If you think about it, password safes, client-side SSL certificates, SSH private keys, etc., are really all just "things you have."

Computers aren't getting any slower; the gap between what you can remember and what they can guess is only getting smaller.