
Re: One-line password generator



On Wed 30 Aug 2017 at 15:47:35 +0200, Thomas Schmitt wrote:

> Gene Heskett wrote:
> > Well, that easy to remember method just went down in flames.  Sigh...
> 
> That's the first diffuse but significant wisdom we found in this thread:
> 
> If you can memorize it without the help of publicly knowable details of
> your life, then it's too easy to enumerate with nowadays' hardware.

But the crackers would likely not be in possession of a leaked password
(Uld4dFpYSkdkV1J3ZFdOclpYSUsK) but of a hash of it. The article Curt
referenced relates how attacking the hashes with brute force for any
password with over six random characters was only looked at selectively.
And that was with MD5 hashes. With the much slower bcrypt the effort to
crack anything more might have been too much.

The example generated password is 28 characters. How random they are I
do not know, but the article indicates it was not put to the test. Maybe
Gene Heskett's password does not have all the criteria for being complex
and completely random, but for now it looks like it would escape
unscathed from brute force probing.

The password does not contain any memorable words so word lists do not
look an inviting prospect. Without the password one cannot begin to
examine how it was created.

Suppose

  echo "ElmerFudpucker" | base64 | base64

became

  echo "ElmerFudpucker" | <some_bcrypt_processing> | base64 | base64

which is as memorisable as previously.

I am not saying the problem becomes insurmountable for attackers, but
slowing them down considerably cannot be bad. (That's assuming they are
in possession of the hashes and are after *your* Twitter account. You
really don't believe that, do you?)

-- 
Brian.
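An added Python example (the editor's, not Brian's and not from anywhere in the thread) that reproduces the `echo | base64 | base64` one-liner and then reverses it. It recovers the seed from the 28-character password quoted above in two decode steps, which is the check to run before treating such output as random: base64 is an encoding, not a hash, so the result carries exactly the guessability of the seed word. `cli_base64` assumes the coreutils `base64` filter appends a trailing newline to its output (which is why the quoted string ends in `K` rather than `=`); `unwrap_base64` is a constructed audit heuristic for spotting base64-wrapped seeds in a password review.

```python
import base64
import binascii

# Password quoted in the post: the output of
#   echo "ElmerFudpucker" | base64 | base64
# with the trailing newline that each stage adds folded into the next.
POSTED_PASSWORD = "Uld4dFpYSkdkV1J3ZFdOclpYSUsK"


def cli_base64(data: bytes) -> bytes:
    """Mimic the coreutils `base64` filter: encode and append a newline.
    (Line wrapping at 76 columns is irrelevant for inputs this short.)"""
    return base64.b64encode(data) + b"\n"


def double_base64(seed: str) -> str:
    """Reproduce the one-liner exactly: `echo` appends a newline to the seed,
    and each `base64` stage appends one to its own output."""
    once = cli_base64((seed + "\n").encode("ascii"))
    twice = cli_base64(once)
    return twice.decode("ascii").rstrip("\n")


def unwrap_base64(password: str, max_layers: int = 4):
    """Audit heuristic (constructed for this example): peel base64 layers off
    `password` for as long as each layer decodes to printable ASCII.
    Returns (innermost_text, layers), or (None, 0) when the password is not
    base64 at all. No brute force is involved: base64 is reversible, so a
    wrapped seed comes straight back out."""
    current = password
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current.strip().encode("ascii"),
                                       validate=True)
            text = decoded.decode("ascii")
        except (binascii.Error, ValueError):
            break  # not base64, wrong length, or non-ASCII bytes: stop here
        if not text.strip() or not text.rstrip("\n").isprintable():
            break  # empty or binary payload: the previous layer was the seed
        current, layers = text, layers + 1
    if layers == 0:
        return None, 0
    return current.rstrip("\n"), layers


if __name__ == "__main__":
    print(double_base64("ElmerFudpucker") == POSTED_PASSWORD)  # True
    print(unwrap_base64(POSTED_PASSWORD))  # ('ElmerFudpucker', 2)
    print(unwrap_base64("correct horse battery staple"))  # (None, 0)
```

The two functions make the asymmetry in the thread concrete: `double_base64` is a bijection on seeds, so the 28-character output has no more possibilities than the seed words anyone might try, whereas a genuine hashing step would not be undone by `unwrap_base64` at all.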
