
Password Haystacks

post #1 of 5
Thread Starter 
I was listening to Security Now, and Steve Gibson had come up with a technique called a password haystack.

It's basically a different way to create a password that would be extremely difficult to brute force, i.e.

Typical Password: P@$$W0rd

Haystacked: ...../////P@$$W0rd...../////

You pad your password with a pattern that you come up with; in my case, five ..... and five /////.

Supposedly this makes a brute-force attack almost impossible.

Source: https://www.grc.com/haystack.htm

Thoughts?
post #2 of 5
Just another mechanism to increase length. Each extra character takes exponentially more time to brute force. Although, if your super-secret padding haystack pattern gets figured out, it essentially loses the effectiveness of the extra string length.
post #3 of 5
Thread Starter 
You're right, if the pattern gets compromised you're done, but I've been thinking about setting this up with a really easy word in the center of the pad so my wife can easily remember the password, say ..::..M0us3..::..

Does a brute force even try ... and :::?

I'm just trying to figure out an easy way for her to remember passwords that are somewhat secure and thought the idea of the Haystack was interesting.

Thanks!
post #4 of 5
That's a good idea for people who are not good at coming up with complex enough passwords.

I'm more worried about the server not salting+hashing my password than someone brute forcing it.
post #5 of 5
Quote:
Originally Posted by ShamrockMan
That's a good idea for people who are not good at coming up with complex enough passwords.

I'm more worried about the server not salting+hashing my password than someone brute forcing it.

You're kinda missing the point. The whole idea is that password length is far more important than password complexity. As long as your password is not something that could be obtained through a dictionary or rainbow table attack, the only resort is a brute-force attack.

With the example given on the website, in a brute-force attack scenario, a low-entropy 24 character password is 95 times harder to crack than a high-entropy 23 character password, simply due to the amount of time needed.

Edit: I should point out, though, that by no means am I trying to imply that a longer password does not need to be complex; it's just that at some point, more and more entropy really isn't going to help as much as having a longer password, even if the entropy is much lower.
Edited by DataX - 6/2/11 at 9:39pm
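The search-space arithmetic behind the thread (post #2's "each extra character takes exponentially more time", post #5's "24 low-entropy characters vs. 23 high-entropy characters", and post #2's caveat that a known padding pattern adds nothing), worked through as an added example. This is not code from the thread or from grc.com; it assumes the same 95-character alphabet the haystack page uses (26 lower, 26 upper, 10 digits, 33 symbols including space) and that the attacker knows which character classes are present but nothing else. The passwords and the guess rate of one hundred billion guesses per second are constructed for illustration.

```python
# Added example, not from the thread or from grc.com. Models exhaustive-search
# cost for padded ("haystack") passwords, plus the caveat that a padding
# pattern the attacker already knows contributes nothing to that cost.
import string

# Assumed alphabet, matching the 95-character alphabet used on the haystack page:
# 26 lowercase + 26 uppercase + 10 digits + 33 symbols (string.punctuation is 32, plus space).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume once the character classes present are known.

    Answers post #3's question: '.' and ':' are symbols, so a search that
    covers the symbol class does try them; they just widen the alphabet to 95.
    """
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search must try for every length 1..length."""
    return sum(alphabet ** k for k in range(1, length + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole space at a constant guess rate."""
    return space / guesses_per_second


def effective_space(password: str, known_padding: str = "") -> int:
    """Search space left once the padding pattern is known (post #2's caveat).

    If the attacker knows the pad, only the core between the pads is unknown,
    so the effective length collapses to the core's length.
    """
    core = password.replace(known_padding, "") if known_padding else password
    return search_space(len(core), alphabet_size(core))


def compare(passwords: dict, guesses_per_second: float = 1e11) -> dict:
    """Summarise length, alphabet, search space and worst-case time per password."""
    out = {}
    for label, pw in passwords.items():
        a = alphabet_size(pw)
        space = search_space(len(pw), a)
        out[label] = {
            "length": len(pw),
            "alphabet": a,
            "space": space,
            "years": seconds_to_exhaust(space, guesses_per_second) / (365 * 24 * 3600),
        }
    return out


if __name__ == "__main__":
    # Constructed sample passwords taken from the thread's own examples.
    samples = {
        "typical":      "P@$$W0rd",
        "haystacked":   "...../////P@$$W0rd...../////",
        "easy core":    "..::..M0us3..::..",
    }
    for label, row in compare(samples).items():
        print(f"{label:12} len={row['length']:2} alphabet={row['alphabet']:2} "
              f"space={row['space']:.3e} worst-case years={row['years']:.3e}")

    # Post #5's point: one extra character at the same alphabet multiplies the
    # space by the alphabet size (here 95), regardless of how "random" it looks.
    ratio = search_space(24, 95) / search_space(23, 95)
    print(f"24 chars vs 23 chars at alphabet 95: {ratio:.4f}x")

    # Post #2's caveat: with the pad known, the haystacked password is no
    # stronger than its 8-character core.
    print("effective space with pad known:",
          f"{effective_space(samples['haystacked'], '...../////'):.3e}")
```

The "years" column is an upper bound for exhaustive search only; it says nothing about dictionary, rule-based or leaked-hash attacks, which is why the last line matters: once the pad is a known rule, the attacker is back to searching the core alone.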