Multiple dictionary words password = effective? - Page 3

post #21 of 28
Quote:
Originally Posted by Plan9 View Post

There are already known issues with some implementations of some ciphers. IIRC it centred around SSL and other such certificate / key based encryption methods where keys were based on random characters. The issue is computers cannot do random numbers (they fake randomness using arbitrary calculations against the current date and time) and thus some certs used a predictable set of "random" characters and thus could be cracked.

I absolutely hate this technique for critical stuff that is SSL.
Another one I hate is people using GUIDs as random data!

On another note why the hell would you guys even type your passwords into that site? Rainbow table generator behind the scenes anyone?! (Although it looks as if the calculation is done entirely on the client...which might invalidate my point).
post #22 of 28
Quote:
Originally Posted by Plan9 View Post

There are already known issues with some implementations of some ciphers. IIRC it centred around SSL and other such certificate / key based encryption methods where keys were based on random characters. The issue is computers cannot do random numbers (they fake randomness using arbitrary calculations against the current date and time) and thus some certs used a predictable set of "random" characters and thus could be cracked.

Yeah, the pseudo-random number generator (PRNG) is a big limitation.

However, computers can do RNG through hardware:
http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide/
http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
post #23 of 28
Thread Starter 
Quote:
Originally Posted by obsidian86 View Post

I have most of my main passwords similar to that but my phrase is in 3 languages:
Afrikaans
English
Zulu
I like this idea.
"Oh sorry, you're using the wrong dictionary, you'll want to add a few."
It'd be even better if we could add characters from other language systems like kanji and calligraphy. Even just common Japanese language uses 2K - 3K different characters, but the total number available is 100K+. (Assuming Wikipedia is accurate.) Even though they're not used anymore, you could toss in things like ancient Egyptian hieroglyphics or Norse runes and have even more fun.
Quote:
Originally Posted by Plan9 View Post

Passwords, on the whole, are a crappy way of authentication. We've basically painted ourselves into a corner where we're forced to use non-memorable passwords and encouraged to use different passwords for different authentication requests (websites, ftp, PC logins, etc) - which exponentially compounds the already tricky situation of having to memorise all these access codes. So people are forced to do the worst thing imaginable, and write them all down.
We really need a better, unified system for authentication. Perhaps a central key agent (like Facebook, but using keys instead of passwords - and not held by Facebook as their track record for security is laughable).
This is another reason why I love SSH so much. You can have 1 SSH key that cannot be cracked by any known attack, add a decent passphrase to further protect you in case the unlikely situation happens where your keys are stolen, and then import them into your key agent for reuse during your session.
Sadly these days, most people are 'secured' by obscurity.
[edit]
oh, and don't get me started on websites that use easily searched information for password recovery. I remember closing one online bank account because they used "what was your first pet's name" as a security question. I'd laugh if I wasn't so scared that my money was being looked after by those morons.

Apparently there are a lot of things logins should be doing for security that they aren't . . .


In addition to increasing password strength, I'd also like to see better encryption, especially with the U.S. government's NSA building that Utah Data Center . . .
post #24 of 28
Quote:
Originally Posted by Sebiale View Post

I like this idea.
"Oh sorry, you're using the wrong dictionary, you'll want to add a few."
It'd be even better if we could add characters from other language systems like kanji and calligraphy. Even just common Japanese language uses 2K - 3K different characters, but the total number available is 100K+. (Assuming Wikipedia is accurate.) Even though they're not used anymore, you could toss in things like ancient Egyptian hieroglyphics or Norse runes and have even more fun.

Interesting idea. Might be tricky getting it to be reproducible, but!
post #25 of 28
Quote:
Originally Posted by Sebiale View Post

I like this idea.
"Oh sorry, you're using the wrong dictionary, you'll want to add a few."
I suspect they use multiple dictionaries from the start, as I've used Japanese words on English servers before and have been warned by the password checkers that my chosen password is a dictionary word.
Quote:
Originally Posted by Sebiale View Post

It'd be even better if we could add characters from other language systems like kanji and calligraphy. Even just common Japanese language uses 2K - 3K different characters, but the total number available is 100K+. (Assuming Wikipedia is accurate.) Even though they're not used anymore, you could toss in things like ancient Egyptian hieroglyphics or Norse runes and have even more fun.
That's really no different to using other symbols like !"£$%^&*() - except you'd want to be damn sure the authenticating server supports Unicode before you set that password, else you may find you'd lock yourself out due to errors in character maps / character conversion.
Quote:
Originally Posted by Sebiale View Post

I'd also like to see better encryption,
Better encryption? The current ones we have cannot be cracked via maths yet, so why re-invent the wheel?
Edited by Plan9 - 9/13/12 at 7:40am
post #26 of 28
Thread Starter 
Quote:
Originally Posted by Plan9 View Post

I suspect they use multiple dictionaries from the start, as I've used Japanese words on English servers before and have been warned by the password checkers that my chosen password is a dictionary word.
That's really no different to using other symbols like !"£$%^&*() - except you'd want to be damn sure the authenticating server supports Unicode before you set that password, else you may find you'd lock yourself out due to errors in character maps / character conversion.
The system isn't really changed, no, but I don't see how increasing the number of possibilities that crackers need to check against isn't helpful. At least not until we've achieved a better form of authentication.
Quote:
Better encryption? the current ones we have cannot be cracked via maths yet, so why re-invent the wheel?
As in the linked article -- the threat of exaflops and higher. Even if it's not something the average cracker can do any time soon, I don't like the idea. Why not keep the head start we have? Or even widen it further?
Edited by Sebiale - 9/13/12 at 10:21am
post #27 of 28
Quote:
Originally Posted by Sebiale View Post

The system isn't really changed, no, but I don't see how increasing the number of possibilities that crackers need to check against isn't helpful. At least not until we've achieved a better form of authentication.
I wasn't disagreeing with that, I was just saying that you can already use such characters if you choose to. The character sets are already in place, you just have to hope that passwords are stored in the database in Unicode. But these days there's little reason not to use Unicode.
Quote:
Originally Posted by Sebiale View Post

As in the linked article--the threat of exaflops and higher. Even if it's not something the average cracker can do any time soon, I don't like the idea. Why not keep the headstart we have? Or even widen it further?
That doesn't change what I said though. Current encryption methods cannot be cracked mathematically - thus they are already "the best" that we need them to be. What you're talking about is brute force attacks and that's unrelated to encryption.

The problem is, if you have some method of verifying a result is correct, then you can check every combination until you get a correct result. So no improvement in encryption will fix that. I will grant you that sometimes heavier encryptions are used because they deliberately use more processing power - thus slowing down the rate at which a brute force attack can go, but the issue there is it also has a heavy impact on the legitimate authentication servers as well. And the cost of that isn't always worth the slight gain of slowing attackers down.

This is where password salts and adaptive firewalling come into play. In the case of the former, you deliberately tamper with the input data by adding additional data to it (called a salt), which means that attackers cannot check output against a known "hash table". With firewalling, you can monitor failed access attempts and automatically blacklist that IP from your server.

Security has to work on all fronts; you can't just rely on encryption to save you.
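An added illustration (example code, not from anyone in this thread) of the two storage-side points Plan9 raises in posts #25 and #27: a per-user salt drawn from the OS CSPRNG defeats a precomputed "hash table", a deliberately slow KDF throttles each guess, and Unicode normalisation before hashing avoids the lock-yourself-out-by-character-conversion problem. The record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000   # work factor: every guess costs this many HMAC rounds
SALT_BYTES = 16        # 128-bit salt, unique per stored password


def normalize(password: str) -> bytes:
    # NFKC before hashing so the same password typed through different input
    # methods (precomposed "é" vs "e" + combining accent, full-width vs
    # half-width Latin or kana) hashes identically. Without this a user who
    # set a non-ASCII password on one client can be locked out on another.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def unsalted_hash(password: str) -> str:
    # The "known hash table" case: with no salt, every user who picked this
    # password has the same digest, so one precomputed table answers all of them.
    return hashlib.sha256(normalize(password)).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Salt comes from the OS CSPRNG (secrets), never from a clock-seeded PRNG.
    # The stored record carries the salt so verification can reuse it.
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count, then compare in
    # constant time so timing does not leak how many bytes matched.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(password), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users who chose the same passphrase.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("unsalted digests equal:", unsalted_hash("x") == unsalted_hash("x"))
    print("salted records equal:  ", record_a == record_b)
    print("composed vs decomposed é verifies:",
          verify_password("caf\u00e9", hash_password("cafe\u0301")))
```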
post #28 of 28
Quote:
Originally Posted by Plan9 View Post

I wasn't disagreeing with that, I was just saying that you can already use such characters if you choose to. The character sets are already in place, you just have to hope that passwords are stored in the database in Unicode. But these days there's little reason not to use Unicode.
That doesn't change what I said though. Current encryption methods cannot be cracked mathematically - thus they are already "the best" that we need them to be. What you're talking about is brute force attacks and that's unrelated to encryption.
The problem is, if you have some method of verifying a result is correct, then you can check every combination until you get a correct result. So no improvement in encryption will fix that. I will grant you that sometimes heavier encryptions are used because they deliberately use more processing power - thus slowing down the rate at which a brute force attack can go, but the issue there is it also has a heavy impact on the legitimate authentication servers as well. And the cost of that isn't always worth the slight gain of slowing attackers down.
This is where password salts and adaptive firewalling come into play. In the case of the former, you deliberately tamper with the input data by adding additional data to it (called a salt), which means that attackers cannot check output against a known "hash table". With firewalling, you can monitor failed access attempts and automatically blacklist that IP from your server.
Security has to work on all fronts; you can't just rely on encryption to save you.

Initialization vector = goodbye