Re: One-line password generator
Hi.
On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
> On Tue 29 Aug 2017 at 22:29:41 +0300, Reco wrote:
>
> > Hi.
> >
> > On Tue, Aug 29, 2017 at 08:14:59PM +0100, Brian wrote:
> > > On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote:
> > >
> > > > Brian wrote:
> > > > > I do not have to run faster than the bear, just faster than anyone else.
> > >
> > > (Analogies never work. Remind me not to use them again).
> > >
> > > > According to the article about the successful cracking, it is not so much
> > > > about how fast you are. The bear will not stop when it is done with eating
> > > > those behind you.
> > >
> > > Note that the article details the point at which the investigators gave
> > > up on going after what they saw as random passwords. They would never
> > > have got to
> > >
> > > my!only"reason£for$living%is^ebay
> > >
> > > no matter how low or high its entropy is.
> >
> > Sadly it only means that these investigators were too lazy to implement
> > Markov chains to generate a suitable dictionary. See this for the
> > example:
> >
> > https://hashcat.net/events/p14-trondheim/prince-attack.pdf
>
> You are blinding us with technological terms.
'Us'? Do not speak for the whole list, please.
Admit that you just did not read the pdf.
> How does this help with attacking the password for a login with online techniques?
Simple. You generate passwords by using adjectives, nouns and verbs from
the Oxford and/or Webster dictionaries. You don't put all the words together
(the result would have too much volume); you try to create grammatically
correct (although meaningless) phrases. A mathematical concept that
allows you to do so is Markov chains. An implementation of this concept
is called the Prince Attack in hashcat lingo.
The overall entropy of the 'my!only"reason£for$living%is^ebay' password (aka
the XKCD 936 password) could be reduced significantly, leaving the
'eq8GeKBhVXOTjF0dAyd0' password (aka the base64 password) far superior.
Also, brute-forcing a password by feeding a list of those to an online
service of any kind is dumb (unless you have a disposable botnet
dedicated to this purpose). The smart move is to obtain a list of
(hopefully) hashed passwords, which all the bad guys are doing these days.
> > > We are mesmerised by the skills of offline crackers. They dazzle us and
> > > blind us to realities. Where is someone saying that
> > >
> > > eq8GeKBhVXOTjF0dAyd0
> > >
> > > is a splendid password? It wouldn't have a chance of being forced via an
> > > online attack.
> >
> > Since it appeared on a public maillist, it is a bad password by
> > definition.
>
> It will not be used again.
>
> How easy is it to force
>
> +H3GHd8kXs8HfmRDzZ7y
Since you put it on the public maillist again, trivially.
Reco
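An added example, not written by anyone on this thread, of the estimate Reco is describing from the defender's side: score a password by the cheapest attacker model that explains it. A per-character brute-force model gives the word-based password a very large number, but once an attacker models it as dictionary words joined by separators (the kind of structured guessing the PRINCE slides describe), the guess space shrinks to roughly "number of words times bits per word". The tiny word list, the assumed attacker vocabulary size of 20,000 words and the two sample passwords from the thread are constructed inputs; a Markov or grammar-aware generator orders likely phrases first, so the word-model figure is an upper bound, not the number of guesses actually needed.

```python
import math
import string

# Constructed toy vocabulary (assumption): only what the tokenizer needs to
# recognise the sample phrase. The attacker's real dictionary is far larger,
# so VOCAB_SIZE is a separate, assumed knob for the size of the guess space.
WORDS = {"my", "only", "reason", "for", "living", "is", "ebay",
         "correct", "horse", "battery", "staple"}
VOCAB_SIZE = 20_000                     # assumed attacker dictionary size
SEPARATORS = set(string.punctuation) | {"\u00a3"}   # ASCII symbols plus '£'

# Character classes for the naive per-character brute-force model.
CLASSES = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    SEPARATORS,
]

# The two passwords compared in the thread (copied from it, not secrets).
XKCD_STYLE = 'my!only"reason\u00a3for$living%is^ebay'
BASE64_STYLE = "eq8GeKBhVXOTjF0dAyd0"


def char_model_bits(password):
    """Bits of guess space if every character is drawn uniformly from the
    union of the character classes that actually occur in the password."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def tokenize(password, words=WORDS):
    """Split into ('word', w) / ('sep', c) tokens by greedy longest match.
    Returns None if some part is neither a known word nor a separator,
    i.e. the phrase model does not apply."""
    tokens, i = [], 0
    while i < len(password):
        if password[i] in SEPARATORS:
            tokens.append(("sep", password[i]))
            i += 1
            continue
        end = next((j for j in range(len(password), i, -1)
                    if password[i:j].lower() in words), None)
        if end is None:
            return None
        tokens.append(("word", password[i:end]))
        i = end
    return tokens


def word_model_bits(password, words=WORDS, vocab_size=VOCAB_SIZE):
    """Bits of guess space if the attacker builds phrases from dictionary
    words joined by separators; None when the password has no such structure."""
    tokens = tokenize(password, words)
    if tokens is None:
        return None
    return sum(math.log2(vocab_size) if kind == "word" else math.log2(len(SEPARATORS))
               for kind, _ in tokens)


def strength_bits(password):
    """Effective strength: the cheapest of the attacker models considered."""
    estimates = [char_model_bits(password)]
    phrase = word_model_bits(password)
    if phrase is not None:
        estimates.append(phrase)
    return min(estimates)


if __name__ == "__main__":
    for label, pw in (("xkcd-style", XKCD_STYLE), ("base64-style", BASE64_STYLE)):
        print(f"{label:13s} chars={char_model_bits(pw):6.1f} bits  "
              f"phrase={word_model_bits(pw)}  effective={strength_bits(pw):6.1f} bits")
```

With these assumptions the 33-character phrase drops from about 194 bits under the character model to about 130 bits under the phrase model, while the 20-character base64 string has no word structure and keeps its roughly 119 bits; raising the assumed vocabulary or adding a grammar model moves the phrase estimate, which is exactly why the character-count figure alone says little about such passwords.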