Password Strength

lxskllr

No Lifer
Nov 30, 2004
57,985
8,222
126
I'm curious about password strength, especially as it relates to dictionary attacks. If this were used as a password (taken from a cereal box): "raspberrygingercrisplowfatcereal", would it be considered strong? Rank it on a 1-10 scale with 1 being simple and 10 being impossible, for both amateur and professional crackers. Example...

Amateur 9
Professional 5
 

lxskllr

No Lifer
Nov 30, 2004
57,985
8,222
126
Originally posted by: snikt
According to M$, "raspberrygingercrisplowfatcereal" is considered weak.

Password strength

I'd be curious to know how that would get attacked. I don't know much about encryption, but it seems like a fairly random grouping of words, with unknown individual length. In addition to that, I thought it was all or nothing, not like "raspberry**************fat******"
 

alpha88

Senior member
Dec 29, 2000
877
0
76
I make up a nonsense phrase and then permute the characters and add a few symbols.

For example:

"I Like Dirt"

to

"eyelikedirt"

to

"3y3l1k3d1rt"

to

"#y#l!k#d!rt"

 

wonSR4

Member
Feb 17, 2009
34
0
0
Hmm, just used a current password of mine, and got strong. Added in some random stuff to get it to best, but way too many characters to be a password for me.
 

blackangst1

Lifer
Feb 23, 2005
22,902
2,359
126
For my TrueCrypt password I have a 15-character, 4-word phrase, with a few 3's instead of e, 0 instead of o, etc., plus every other letter I insert a character next to the previous letter so it's not dictionary words. For example, "I like green eggs" becomes i12ikl34Gfr34eneghgsa. Sounds complicated, but it's a system I created years ago so it's second nature to me now.
 

lxskllr

No Lifer
Nov 30, 2004
57,985
8,222
126
I'm having a hard time believing MS's password checker. It says this is weak "raspberrygingercrisplowfatcereal", but this is best strength "raspberrygingercrisplowfatcereal#1"
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Originally posted by: lxskllr
I'm having a hard time believing MS's password checker. It says this is weak "raspberrygingercrisplowfatcereal", but this is best strength "raspberrygingercrisplowfatcereal#1"

That's because you have added other types of characters to the password.

The most recent recommendations that I have gotten from the security industry have been the following characteristics:
-At least 15 characters long
-Is a passphrase, not a password
-Contains all of the following: uppercase, lowercase, numbers, and punctuation
-Is not based on personal information (e.g. family names, birthdates, etc.)
-Should be easily remembered
-Should be relatively easy to type so that you're not "hunting and pecking" to find the right characters on the keyboard (so no one can watch you type it)
 

lxskllr

No Lifer
Nov 30, 2004
57,985
8,222
126
Originally posted by: seepy83
Originally posted by: lxskllr
I'm having a hard time believing MS's password checker. It says this is weak "raspberrygingercrisplowfatcereal", but this is best strength "raspberrygingercrisplowfatcereal#1"

That's because you have added other types of characters to the password.

The most recent recommendations that I have gotten from the security industry have been the following characteristics:
-At least 15 characters long
-Is a passphrase, not a password
-Contains all of the following: uppercase, lowercase, numbers, and punctuation
-Is not based on personal information (e.g. family names, birthdates, etc.)
-Should be easily remembered
-Should be relatively easy to type so that you're not "hunting and pecking" to find the right characters on the keyboard (so no one can watch you type it)

But is the last one really that much harder to crack than the first?
 

compman25

Diamond Member
Jan 12, 2006
3,767
2
81
Originally posted by: lxskllr
Originally posted by: seepy83
Originally posted by: lxskllr
I'm having a hard time believing MS's password checker. It says this is weak "raspberrygingercrisplowfatcereal", but this is best strength "raspberrygingercrisplowfatcereal#1"

That's because you have added other types of characters to the password.

The most recent recommendations that I have gotten from the security industry have been the following characteristics:
-At least 15 characters long
-Is a passphrase, not a password
-Contains all of the following: uppercase, lowercase, numbers, and punctuation
-Is not based on personal information (e.g. family names, birthdates, etc.)
-Should be easily remembered
-Should be relatively easy to type so that you're not "hunting and pecking" to find the right characters on the keyboard (so no one can watch you type it)

But is the last one really that much harder to crack than the first?

For MS it is.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,044
184
116
The addition of a different character type exponentially increases the time needed to implement a brute force attack to guess the password, so yes it is harder to crack.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: lxskllr
Originally posted by: seepy83
Originally posted by: lxskllr
I'm having a hard time believing MS's password checker. It says this is weak "raspberrygingercrisplowfatcereal", but this is best strength "raspberrygingercrisplowfatcereal#1"

That's because you have added other types of characters to the password.

The most recent recommendations that I have gotten from the security industry have been the following characteristics:
-At least 15 characters long
-Is a passphrase, not a password
-Contains all of the following: uppercase, lowercase, numbers, and punctuation
-Is not based on personal information (e.g. family names, birthdates, etc.)
-Should be easily remembered
-Should be relatively easy to type so that you're not "hunting and pecking" to find the right characters on the keyboard (so no one can watch you type it)

But is the last one really that much harder to crack than the first?

By adding that extra character you've now added a whole extra set of characters to the list of possible choices thus making any brute force method take a much much longer time to guess it.

Obviously brute forcing isn't the most optimal solution, but in combination with a dictionary to try out various common phrases/words it's easy to find passwords that aren't complex at all. I'm talking stuff like 'love45' or 'Password'.
 

lxskllr

No Lifer
Nov 30, 2004
57,985
8,222
126
Originally posted by: Crusty

By adding that extra character you've now added a whole extra set of characters to the list of possible choices thus making any brute force method take a much much longer time to guess it.

Obviously brute forcing isn't the most optimal solution, but in combination with a dictionary to try out various common phrases/words it's easy to find passwords that aren't complex at all. I'm talking stuff like 'love45' or 'Password'.

I guess this question really isn't suitable for an enthusiast web forum. Anything beyond a basic answer I imagine requires in-depth study. I can understand the adding of variables increasing complexity, but I would think the improbable group of words in my sample password would rate higher than "weak".
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Originally posted by: lxskllr
Originally posted by: Crusty

By adding that extra character you've now added a whole extra set of characters to the list of possible choices thus making any brute force method take a much much longer time to guess it.

Obviously brute forcing isn't the most optimal solution, but in combination with a dictionary to try out various common phrases/words it's easy to find passwords that aren't complex at all. I'm talking stuff like 'love45' or 'Password'.

I guess this question really isn't suitable for an enthusiast web forum. Anything beyond a basic answer I imagine requires in-depth study. I can understand the adding of variables increasing complexity, but I would think the improbable group of words in my sample password would rate higher than "weak".

The thing is that they're all dictionary words and don't even use both Upper and Lower Case. The Info Sec Industry says that makes it easy to crack. I'll stick with the best practices recommended by the Industry until someone can prove otherwise, and get the Industry to change their recommendations.
 

lxskllr

No Lifer
Nov 30, 2004
57,985
8,222
126
Originally posted by: seepy83


The thing is that they're all dictionary words and don't even use both Upper and Lower Case. The Info Sec Industry says that makes it easy to crack. I'll stick with the best practices recommended by the Industry until someone can prove otherwise, and get the Industry to change their recommendations.

Yea, but it isn't a common phrase or anything. I could see "truelove" being easy to crack. Those two words go together, and it's only 2 words. "raspberrygingercrisplowfatcereal", really? I don't know much about brute forcing passwords, but I imagine it uses probability to go through common words and phrases before starting on the improbable. Also, you don't get partial credit for some of the words. It's all or nothing. I find it hard to believe that the above password gets the same rating as "password".
 

shiranai

Member
May 9, 2005
81
0
0
You're not thinking about this correctly; it's a question of total number of possible combinations. A ten-character password that uses only lowercase letters has 26^10 (1.4*10^14) combinations; adding just numerical digits raises that to 36^10 (3.7*10^15), an entire order of magnitude difference. Further including uppercase letters, non-alphanumeric characters, etc. has even greater effects.

Combinations of randomly chosen dictionary words are poor password choices because they limit the number of possibilities. For a given string length, there are (far) fewer combinations of words than there are of letters; this should be intuitively obvious, as the set of all words is a subset of the set of all random character combinations.
 
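As an added example (not part of the thread, and not how the Microsoft checker or any particular tool works), the script below extends shiranai's keyspace arithmetic to the attack lxskllr is asking about: a combinator attack that concatenates dictionary words, which is what cracking tools such as hashcat and John the Ripper do in their combinator and rule modes, plus an appended-suffix rule for the "#1" case. The eight-word dictionary and the four-entry suffix list are constructed for illustration, and the 20,000-word size used for the "realistic dictionary" estimate is an assumed round number. It runs offline in Python 3.

```python
import itertools
import math
from typing import Iterable, List, Optional, Sequence

# Added example, not from the thread and not how any particular strength
# checker works: the keyspace arithmetic under three attacker models, plus a
# small combinator attack actually run against the cereal-box passphrase.

TARGET = "raspberrygingercrisplowfatcereal"

# Constructed mini dictionary (sorted); six of its eight entries make up TARGET.
WORDLIST = ["cereal", "crisp", "fat", "ginger", "honey", "low", "oat", "raspberry"]

# Constructed suffix rules an attacker appends to every dictionary guess.
SUFFIXES = ["", "1", "!", "#1"]

# Assumed size of a realistic English word list (round number, not measured).
REALISTIC_DICT = 20_000


def brute_force_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace for character-by-character brute force."""
    return length * math.log2(charset_size)


def combinator_bits(dict_size: int, n_words: int, n_suffixes: int = 1) -> float:
    """log2 of the keyspace if the attacker concatenates n_words dictionary
    words and then tries each of n_suffixes appended suffixes."""
    return n_words * math.log2(dict_size) + math.log2(n_suffixes)


def segment(password: str, wordlist: Iterable[str]) -> Optional[List[str]]:
    """Split password into dictionary words (word-break DP), or None if it
    cannot be done. This is the check that tells an attacker a combinator
    attack applies at all."""
    words = set(wordlist)
    best: List[Optional[List[str]]] = [None] * (len(password) + 1)
    best[0] = []
    for end in range(1, len(password) + 1):
        for start in range(end):
            prefix = best[start]
            if prefix is not None and password[start:end] in words:
                best[end] = prefix + [password[start:end]]
                break
    return best[len(password)]


def combinator_attack(target: str, wordlist: List[str], max_words: int,
                      suffixes: Sequence[str] = ("",)) -> Optional[int]:
    """Guess every concatenation of 1..max_words words, with each suffix,
    in order; return the guess number that hit target, or None."""
    guesses = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            base = "".join(combo)
            for suffix in suffixes:
                guesses += 1
                if base + suffix == target:
                    return guesses
    return None


def strength_estimates(password: str) -> dict:
    """Bits of work under each model for an all-lowercase passphrase."""
    words = segment(password, WORDLIST)
    n = len(words) if words else 0
    return {
        "brute_force_lowercase": brute_force_bits(26, len(password)),
        "brute_force_printable_plus_#1": brute_force_bits(95, len(password) + 2),
        "combinator_realistic_dict": combinator_bits(REALISTIC_DICT, n) if words else None,
        "combinator_tiny_dict": combinator_bits(len(WORDLIST), n) if words else None,
        "combinator_tiny_dict_plus_#1": combinator_bits(len(WORDLIST), n, len(SUFFIXES)) if words else None,
    }


if __name__ == "__main__":
    print("segments into:", segment(TARGET, WORDLIST))
    for model, bits in strength_estimates(TARGET).items():
        print(f"{model:32s} {bits:6.1f} bits" if bits is not None else f"{model}: n/a")
    print("guesses to hit TARGET:", combinator_attack(TARGET, WORDLIST, 6))
    print("guesses to hit TARGET#1:", combinator_attack(TARGET + "#1", WORDLIST, 6, SUFFIXES))
```

Running it gives three different answers to "how strong is it": about 150 bits under lowercase brute force (the model a character-class checker is effectively scoring against), about 86 bits if the attacker concatenates six words from a 20,000-word list, and 18 bits, hit in a few hundred thousand guesses, once the attacker's list is as small as the one above. Appending "#1" costs the suffix-rule attacker two more bits (one extra rule out of four), not the roughly thirteen that two extra printable characters add to a brute-force keyspace. Which figure applies depends on whether the phrase, or the words it is built from, are in the attacker's lists, and that is exactly what a checker that only counts character classes cannot know.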

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
You can also complexificate things by using ALT characters. For example, hold down the ALT key and type 0153 on the numeric keypad, then release ALT. Oh look, a ™ symbol :evil: Granted, not so simple for you laptop users...

The idea is that it further complicates a brute-force attack. If the attacker is simply using the usual character set (upper, lower, numerals and the usual punctuation symbols on the keyboard), your password will be untouchable. If they decide to include every possible ALT character, a brute-force attack will take unimaginably longer.
 

nitromullet

Diamond Member
Jan 7, 2004
9,031
36
91
Originally posted by: mechBgon
You can also complexificate things by using ALT characters. For example, hold down the ALT key and type 0153 on the numeric keypad, then release ALT. Oh look, a ™ symbol :evil: Granted, not so simple for you laptop users...

The idea is that it further complicates a brute-force attack. If the attacker is simply using the usual character set (upper, lower, numerals and the usual punctuation symbols on the keyboard), your password will be untouchable. If they decide to include every possible ALT character, a brute-force attack will take unimaginably longer.

Interesting concept from a security perspective, but it doesn't seem like it could be applicable everywhere. I just tried to type ™ on a shell I have open on a FreeBSD machine I'm connected to via PuTTY, and it didn't register as anything.
 

lxskllr

No Lifer
Nov 30, 2004
57,985
8,222
126
Originally posted by: nitromullet
Originally posted by: mechBgon
You can also complexificate things by using ALT characters. For example, hold down the ALT key and type 0153 on the numeric keypad, then release ALT. Oh look, a ™ symbol :evil: Granted, not so simple for you laptop users...

The idea is that it further complicates a brute-force attack. If the attacker is simply using the usual character set (upper, lower, numerals and the usual punctuation symbols on the keyboard), your password will be untouchable. If they decide to include every possible ALT character, a brute-force attack will take unimaginably longer.

Interesting concept from a security perspective, but it doesn't seem like it could be applicable everywhere. I just tried to type ™ on a shell I have open on a FreeBSD machine I'm connected to via PuTTY, and it didn't register as anything.

AFAIK the special symbols are only available that way in Windows. I have a couple I use on a regular basis, and I always pull up the character map in Linux. There may be shortcuts, but I haven't taken the time to look as of yet.
 

Scouzer

Lifer
Jun 3, 2001
10,358
5
0
I always wonder what crappy sites are still vulnerable to brute forcing. I thought everyone had 5- or 10-try lockouts nowadays, especially websites that actually matter, like banking.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
It's amazing how many sites are STILL only allowing up to seven characters and no special characters. Many of those sites are banks. And don't even get me started on those special "Security" questions. Ask Sarah Palin how secure those are.

As far as Windows passwords, LONG (16-plus character) passphrases with at least one mis-spelled word or other abnormality are good enough for me. All of my machines will lock out about ten billion times before those are guessed by a brute-force or dictionary attack.

While maybe not optimal, the people who get broken into are those using Security questions or common, short, passwords. Those are VERY common, even as Administrator accounts on servers. There's no reason to waste time on ten billion brute-force attempts when so many PCs, servers, and email and bank accounts have easy-to-guess passwords. Email accounts are great, since most contain emailed passwords and account information, and many folks don't consider them important enough to protect with strong passwords.
 