What's your logic behind that? Most brute-forcing is done through dictionary attacking, hence, aN@ndt3ch wouldn't be in a given word list, IN ADDITION to the variation in caps.
It wouldn't be very hard to use a dictionary attack in which it takes a group of words and attacks with all words on the lists in variations of 3-6 words per guess.
Perhaps I'm wrong here, but it seems it would be a bit too much to take EVERY dictionary word and try all forms of capitalization, as well as all forms of l33t speak in combination with caps for every single word. Plus, most logins are tighter on security these days, with policies such as only x attempts.
Back in my days of cracking porn site logins in my younger years, it took a shitload just to go through a simple combolist. Plus it was a pain trying to find enough proxies as well
I remember reading an article a while back that said with today's computing power, it is safer and easier to remember to have a website that makes you enter 2 or 3 passwords that aren't restricted instead of 1 long one.
So it would load a page like
Login: *****
Password 1: ***
Password 2: ****
instead of having 1 long ass password like they require at my work which looks like
Login: *******
Password: ABcdghi!@123
Why haven't we moved over to a 2 or 3 password log in yet if it is safer?
Password1
Password2
Those secret questions essentially do that now.
Passwords just need to die, entirely. Just, none. Multiple short ones, complex long ones... the average person will simply try to find ways to meet the bare minimum complexity requirements, and in doing so, continue to create exceptionally weak passwords.
Multi-factor with biometrics needs to become the standard.
What's your logic behind that? Most brute-forcing is done through dictionary attacking, hence, aN@ndt3ch wouldn't be in a given word list, IN ADDITION to the variation in caps.
It wouldn't be very hard to use a dictionary attack in which it takes a group of words and attacks with all words on the lists in variations of 3-6 words per guess.
Do you use periods at the end? Do you use caps? First cap only or cap each word? Are all words from a single language? Do we have slang? Do we have numbers? Are there spaces?
Ippon means 1 point! or without spaces (easy enough to remember not to use spaces)
IpponMeans1Point!
How do we hit this with a dictionary any faster than
Ippon1Point! which most password checks say is a very secure password.
It's trivially easy, especially if you're using gpus/clusters. It's not someone pounding a web login. They're crunching numbers against a leaked database.
Check different passwords here to see how it fares against a dictionary attack:
https://apps.cygnius.net/passtest/
It's not definitive by any means, but I find the way it works fascinating. It breaks your password into what it sees as pieces, and calculates the entropy per piece with the assumption of each piece being a brute force or dictionary attackable piece.
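An added example, written for this thread and not taken from any poster or from the cygnius checker, of the piecewise estimate that post describes, and of why the "how do we hit IpponMeans1Point! any faster" question is answered by segmentation rather than by length: the password is cut into the cheapest pieces an attacker could cover either by a dictionary word plus a caps/leet rule or by per-character brute force, and the bits of each piece are summed. The wordlist is a constructed toy set, the charged list size, leet map and guess rates are assumptions, and the crack-time line shows the offline-versus-online gap the "crunching numbers against a leaked database" reply is pointing at.

```python
import math

# Constructed toy wordlist standing in for a real cracking list (rockyou etc.).
# Lookups hit this set, but the *cost* charged for a dictionary hit is log2 of
# the size a real list would have, so the toy size does not skew the numbers.
WORDLIST = {"ippon", "means", "point", "anand", "tech", "password",
            "massive", "iphone", "school", "maiden", "name", "login"}
ASSUMED_WORDLIST_SIZE = 100_000        # assumption: a mid-sized common-words list

# Leet substitutions a rule file applies almost for free; charged one bit each.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}

# Assumed guess rates (guesses/second), only used for the time estimate.
RATE_ONLINE = 10            # rate-limited web login
RATE_OFFLINE_FAST = 1e10    # leaked database of an unsalted fast hash, GPU rig


def _class_bits(c):
    """Brute-force cost of one character: log2 of the smallest class holding it."""
    if c.isdigit():
        return math.log2(10)
    if c.isalpha():
        return math.log2(26)
    return math.log2(33)    # printable ASCII symbols


def piece_bits(piece):
    """Cost of one piece under the cheapest attack covering it: a dictionary
    word (+ caps rule + leet bits) if it de-leets to a word, else brute force."""
    unleet = "".join(LEET.get(c, c) for c in piece)
    if unleet.lower() in WORDLIST:
        letters = [c for c in piece if c.isalpha()]
        if all(c.islower() for c in letters):
            caps = 0.0
        elif all(c.isupper() for c in letters) or (
                letters[0].isupper() and all(c.islower() for c in letters[1:])):
            caps = 1.0                     # ALLCAPS / Firstcap: the first rules tried
        else:
            caps = float(len(letters))     # arbitrary mixed case: a bit per letter
        leet = sum(1 for c in piece if c in LEET)
        return math.log2(ASSUMED_WORDLIST_SIZE) + caps + leet
    return sum(_class_bits(c) for c in piece)


def estimate(password):
    """Cheapest segmentation of the password into pieces (dynamic programming,
    the same idea zxcvbn-style checkers use). Returns (total_bits, pieces)."""
    n = len(password)
    best = [0.0] + [math.inf] * n   # best[i]: cheapest cost of password[:i]
    cut = [0] * (n + 1)             # cut[i]: where the last piece ending at i starts
    for i in range(1, n + 1):
        for j in range(i):
            cost = best[j] + piece_bits(password[j:i])
            if cost < best[i]:
                best[i], cut[i] = cost, j
    pieces, i = [], n
    while i > 0:
        pieces.append(password[cut[i]:i])
        i = cut[i]
    return best[n], pieces[::-1]


def seconds_to_crack(bits, rate):
    """Expected time to search half the space at the given guess rate."""
    return 2 ** bits / 2 / rate


if __name__ == "__main__":
    for pw in ["Ippon1Point!", "IpponMeans1Point!", "aN@ndt3ch", "l;je45wgfQ#@F%"]:
        bits, pieces = estimate(pw)
        print(f"{pw:18} {bits:5.1f} bits  {pieces}  "
              f"offline {seconds_to_crack(bits, RATE_OFFLINE_FAST):.2g} s  "
              f"online {seconds_to_crack(bits, RATE_ONLINE) / 31_536_000:.2g} years")
```

With these assumptions Ippon1Point! is two words, a digit and a symbol, about 44 bits, which is minutes on a GPU against a fast unsalted hash but thousands of years against a login that allows ten guesses a second; adding the third word buys roughly 18 bits, not "five more characters". Note that aN@ndt3ch lands at about 39 bits because anand plus a caps rule plus one leet is cheaper than spelling it out, while the four-letter t3ch is no cheaper from the list than from a lowercase-plus-digit mask, which is why short words gain nothing from leet.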
What's your logic behind that? Most brute-forcing is done through dictionary attacking, hence, aN@ndt3ch wouldn't be in a given word list, IN ADDITION to the variation in caps.
It wouldn't be very hard to use a dictionary attack in which it takes a group of words and attacks with all words on the lists in variations of 3-6 words per guess.
What's the difference between:
password1: asdf2
password2: ty7eu
And a single password: asdf2ty7eu??
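An added example, not from any poster here, of the one thing that actually decides the answer to that question: whether the server verifies the two fields together or separately. Against a server that only says "wrong", two five-character fields are exactly one ten-character password; against a server that reports which field failed, the fields fall one at a time. The login server, the attacker and the tiny alphabet and secrets below are all constructed so the guess counts are exact.

```python
import itertools


def joint_guesses(n1, n2, alphabet):
    """Worst case when the server answers only 'both right' or 'wrong':
    identical to one password of length n1 + n2 over the same alphabet."""
    return len(alphabet) ** (n1 + n2)


def split_guesses(n1, n2, alphabet):
    """Worst case when the server reports which field failed: the attacker
    solves the fields one after the other, so the costs add, not multiply."""
    return len(alphabet) ** n1 + len(alphabet) ** n2


class TwoFieldLogin:
    """Constructed two-field login. leak=True models a server that checks the
    fields separately and says which one was wrong (a per-field oracle)."""

    def __init__(self, p1, p2, leak):
        self.p1, self.p2, self.leak, self.attempts = p1, p2, leak, 0

    def login(self, g1, g2):
        self.attempts += 1
        ok1, ok2 = g1 == self.p1, g2 == self.p2
        if self.leak:
            return ok1, ok2                    # tells the attacker which half is right
        return ok1 and ok2, ok1 and ok2        # all-or-nothing answer


def words(alphabet, n):
    return ("".join(t) for t in itertools.product(alphabet, repeat=n))


def crack(server, n1, n2, alphabet):
    """Attacker that first tries to solve field 1 on its own (only works against
    the leaky server) and otherwise falls back to searching both fields together."""
    filler = alphabet[0] * n2
    p1 = next((w for w in words(alphabet, n1) if server.login(w, filler)[0]), None)
    if p1 is not None:
        p2 = next(w for w in words(alphabet, n2) if server.login(p1, w)[1])
        return p1, p2
    for w1 in words(alphabet, n1):
        for w2 in words(alphabet, n2):
            if server.login(w1, w2)[0]:
                return w1, w2
    return None


def compare(alphabet="abc", p1="cab", p2="bca"):
    """Run the same attacker against both server designs; return attempts used."""
    results = {}
    for leak in (True, False):
        srv = TwoFieldLogin(p1, p2, leak)
        if crack(srv, len(p1), len(p2), alphabet) != (p1, p2):
            raise RuntimeError("attacker failed")
        results["leaky" if leak else "joint"] = srv.attempts
    results["split_bound"] = split_guesses(len(p1), len(p2), alphabet)
    results["joint_bound"] = joint_guesses(len(p1), len(p2), alphabet)
    return results
```

For the real-sized case in the question (two five-character fields over lowercase plus digits) the same functions give 36^10, about 3.7e15 guesses, when the server answers jointly, and 2 x 36^5, about 1.2e8, when it reveals which field failed. So the split form is never stronger than the concatenation, and a careless implementation (separate checks, separate error messages, or a timing difference between them) makes it far weaker.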
I guess it's the best you can do when you're using a security system that's thousands of years old.
I never understand the logic of required password changes. 98% of people are GUARANTEED to just add 1 to their passwords. No question. The human brain can't keep up with a newly worded password every 60 days, in addition to adding it to the HUGE vault of different password requirements that they already have to remember.
Secret questions are shit.
"What school did you go to?"
"What was your mother's maiden name?"
Gee, I'm sure nobody on the planet could figure those things out...
I guess they want to make it easy for your friends and family to break into your stuff?
"Congratulations, your password wasn't in the dictionary. Wasn't."
What school? l;je45wgfQ#@F%
Maiden name? Massive iPhone
No one said you have to answer those questions honestly.
This is like people 100 years ago discussing if mechanical horses should be made of wood or iron.
In the eighties and nineties there was a project at MIT that was called "Kerberos".
From the wiki-page: "Kerberos /ˈkərbərəs/ is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner".
The goal is very simple.
When you log into your computer, you type your password once. Your computer talks to a Kerberos server and gets a ticket. A ticket is cryptographic information that is used when you authenticate to other computers or services. Suppose you want to log in to a website: cryptographic information is exchanged between your computer, your Kerberos server, the website and the website's Kerberos server. All done in an encrypted way that cannot be replayed, etc. Basically, once logged in, you can access all services you are entitled to without ever having to retype your password (unless specifically asked).
I used to think this was the direction we were moving in. But it turns out we have made zero progress towards better and easier authentication. Microsoft has used Kerberos for their Windows authentication. (And I must admit, I hate Windows authentication. But not because of the underlying architecture, but probably because of the implementation and terrible documentation and UI.) But besides Microsoft, I don't think Kerberos went anywhere. And there do not seem to be new projects that have a similar goal. Such a shame.
In the nineties we developed protocols for the Internet.
Protocols that could be used for free by all people in the world, and all companies in the world.
I think this is the basis for the success of the net.
Those days are over.
Nowadays we only see individual companies developing their own service and product.
A few become successful (facebook, twitter). Most fail. But in all cases, the technology and the protocols are owned by individual companies. It might seem cool that you can post a twitter message. But in fact, technology-wise we are regressing back into the dark ages.
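An added toy model of the ticket flow that post describes. It is illustration code written for this thread, not MIT Kerberos and not any real implementation: the "encryption" is a SHA-256 keystream plus HMAC stand-in for the real enctypes, the KDC holds the AS and TGS roles in one object, and the principal names, lifetimes and clock-skew window are assumptions. What it shows is the property the post cares about: the password is used exactly once, to unseal the AS reply, everything after that is tickets and session keys, and the service rejects a replayed authenticator.

```python
import hashlib, hmac, json, os, time


# --- toy authenticated encryption (stand-in for Kerberos AES/HMAC enctypes) ---
def _keystream(key, nonce, n):
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key. Toy construction, not a real etype."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(user, password):
    """Long-term key derived from the password, salted with the principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)


def _verify(ticket, authenticator, skew=300):
    """Shared check for TGS-REQ and AP-REQ: ticket unexpired, authenticator
    sealed under the ticket's session key, fresh, and for the same user."""
    sk = bytes.fromhex(ticket["sk"])
    a = unseal(sk, authenticator)
    if ticket["exp"] < time.time() or abs(time.time() - a["ts"]) > skew or a["user"] != ticket["user"]:
        raise ValueError("stale ticket or authenticator")
    return sk, a


class KDC:                                   # AS and TGS in one box
    def __init__(self):
        self.master, self.users, self.services = os.urandom(32), {}, {}

    def enroll_user(self, user, password):
        self.users[user] = string_to_key(user, password)

    def enroll_service(self, name):
        self.services[name] = os.urandom(32)
        return self.services[name]

    def as_exchange(self, user):
        """AS-REP: a TGT sealed under the KDC's own key, plus the TGT session key
        sealed under the user's key. No password crosses the wire; a wrong
        password simply cannot unseal the second part."""
        sk, exp = os.urandom(32), time.time() + 8 * 3600
        return (seal(self.master, {"user": user, "sk": sk.hex(), "exp": exp}),
                seal(self.users[user], {"sk": sk.hex()}))

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REP: a service ticket sealed under the service's key, plus its
        session key sealed under the TGT session key."""
        t = unseal(self.master, tgt)
        sk, _ = _verify(t, authenticator)
        ssk = os.urandom(32)
        return (seal(self.services[service], {"user": t["user"], "sk": ssk.hex(), "exp": t["exp"]}),
                seal(sk, {"sk": ssk.hex(), "service": service}))


class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def ap_req(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        _, a = _verify(t, authenticator)
        if a["nonce"] in self.seen:          # replay cache: never accept the same authenticator twice
            raise ValueError("replayed authenticator")
        self.seen.add(a["nonce"])
        return t["user"]


class Client:
    def __init__(self, kdc, user, password):
        self.kdc, self.user = kdc, user
        self.tgt, enc = kdc.as_exchange(user)
        # the only place the password is used: unsealing the TGT session key
        self.sk = bytes.fromhex(unseal(string_to_key(user, password), enc)["sk"])

    def _auth(self, key):
        return seal(key, {"user": self.user, "ts": time.time(), "nonce": os.urandom(8).hex()})

    def ticket_for(self, service):
        ticket, enc = self.kdc.tgs_exchange(self.tgt, self._auth(self.sk), service)
        return ticket, bytes.fromhex(unseal(self.sk, enc)["sk"])

    def access(self, svc):
        ticket, ssk = self.ticket_for(svc.name)
        authenticator = self._auth(ssk)
        return svc.ap_req(ticket, authenticator), (ticket, authenticator)


def demo():
    """One password entry, two services, one replay attempt, one wrong password."""
    kdc = KDC()
    kdc.enroll_user("alice", "correct horse")
    web = Service("web", kdc.enroll_service("web"))
    mail = Service("mail", kdc.enroll_service("mail"))
    alice = Client(kdc, "alice", "correct horse")        # password typed once
    who_web, (ticket, auth) = alice.access(web)
    who_mail, _ = alice.access(mail)
    try:
        web.ap_req(ticket, auth)
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    try:
        Client(kdc, "alice", "wrong password")
        bad_pw = "accepted"
    except ValueError:
        bad_pw = "rejected"
    return {"web": who_web, "mail": who_mail, "replay": replay, "bad_password": bad_pw}
```

The design choice worth noticing is that neither service ever sees a password or a password hash: each only holds its own key and can only open tickets the KDC minted for it, so compromising the mail server yields nothing usable against the web server.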
That sounds like the combination an idiot would have on his luggage!
Check different passwords here to see how it fares against a dictionary attack:
https://apps.cygnius.net/passtest/
It's not definitive by any means, but I find the way it works fascinating. It breaks your password into what it sees as pieces, and calculates the entropy per piece with the assumption of each piece being a brute force or dictionary attackable piece.
These websites should never be trusted. As I'm sure a good majority of them save the passwords and sell them.