
Re: One-line password generator



Hi.

On Thu, Aug 31, 2017 at 08:00:54PM +0100, Brian wrote:
> On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote:
> 
> > On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
> > 'Us'? Do not speak for all the list please.
> 
> It is a construct; intended to involve everyone in the conversation.
> 
> > Admit that you just did not read the pdf.
> 
> It is not concerned with online cracking. That is obvious. Why should I
> spend time reading each and every detail of it?

Admitting something, especially in public, takes courage.
I applaud you for admitting it, and will adjust my further explanations, as
clearly your talents lie outside of the security field.


> > > How does this help with attacking the password for a login with online techniques?
> > 
> > Simple. You generate passwords by using adjectives, nouns and verbs from
> > the Oxford and/or Webster dictionary. You don't put all the words together
> > (the result would have too much volume); you try to create grammatically
> > correct (although meaningless) phrases. A mathematical concept that
> > allows you to do so is Markov chains. An implementation of this concept
> > is called the PRINCE attack in hashcat lingo.
> > 
> > Overall entropy of 'my!only"reason£for$living%is^ebay' password (aka
> > XKCD 936 password) could be reduced significantly, leaving
> > 'eq8GeKBhVXOTjF0dAyd0' password (aka base64 password) far superior.
> > 
> > Also, brute-forcing a password by feeding a list of those to an online
> > service of any kind is dumb (unless you have a disposable botnet
> > dedicated to this purpose). The smart move is to obtain a list of
> > (hopefully) hashed passwords, which is what all the bad guys are doing these days.
> 
> Services accept numerous failed *online* logins without doing anything
> about it?

You'd be surprised how many services do exactly nothing about failed
logins (ssh out of the box, for starters). Even if they did, there's
nothing a hypothetical service could do against 10^5-10^6 unique IPs
(this is where the 'disposable botnet' comes in) each attempting 2-3 logins.

Besides, why bother with online logins if you can dump the password
database (this is where 'dumb' and 'smart' come in)?

Reco

