
Re: One-line password generator



We have a 20-character password here with at least two of each kind of symbol in it: lowers, uppers, numbers and symbols. One suggestion I had read about password composition, to increase the difficulty slightly, was to do all of this and make sure the password starts with a letter, either upper or lower case, and also ends with an upper case or lower case letter. Given the printable character set of 94 characters excluding spaces, the characters being letters come from a potential character set of 52 rather than, at best, a combined numbers and symbols set of 42 at most. I don't know that this would be effective, but it does seem plausible.

On Fri, 1 Sep 2017, Thomas Schmitt wrote:

Date: Fri, 1 Sep 2017 17:44:09
From: Thomas Schmitt <scdbackup@gmx.net>
To: debian-user@lists.debian.org
Subject: Re: One-line password generator
Resent-Date: Fri,  1 Sep 2017 21:44:44 +0000 (UTC)
Resent-From: debian-user@lists.debian.org

Hi,

Brian wrote:
> Here is a password
>   F!Vz5s19WuXa61PaA"+5
> Where does the password come from? It doesn't matter.

But that's the cardboard backplane of the passwords which a human brain
can memorize: They have an origin or a memory hook.

Long passwords from a good random number generator are rock solid.
But you have to store them in an information technology device or write
them down on paper and toggle them correctly each time you use them.


> It looks like brute force is the only way to go.

Yes. Enumeration is brute force. But the skilled enumerator will try
to skip the wide areas of really strong passwords in favor of those narrow
ones which a human can remember.

You need to be a very unusual person with an unusual memory to quite
surely beat the computing power of our days.
As a litmus test, I propose you google each of the ideas in the memory
hook of your password. If they all yield some valid hits, then you can
expect them to be in the enumeration pool of big attackers.


That's what fascinates me with the idea of a super slow publicly known
hash algorithm. It would annoy enumerators where it hurts them most: time.
If you at home spend 4 seconds once per login, they might have to spend
with their million CPU machine 4 microseconds a quadrillion times, just
to try the passwords that are weaker than yours. 136 years if they don't
upgrade their hardware in that time. (90 Moore's Law periods. Hopeless to
defend against the expectable progress in computation power.)

1 Quadrillion = 10 exp 15 = 2 exp 49, which I estimate is less than the
number of tries in the first article brought by Curt:
 https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/


Have a nice day :)

Thomas
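The composition rule proposed at the top of this message (20 characters, at least two of each class, a letter in first and last position) can be made concrete and its cost in entropy measured exactly. The following is an added example written for this archive page, not code from either poster or from Debian; it assumes the 94-character printable non-space ASCII alphabet the thread refers to (26 lower, 26 upper, 10 digits, 32 punctuation symbols) and uses rejection sampling from the operating-system CSPRNG so that the output is uniform over the set of strings that satisfy the rules, rather than the common (and biased) approach of placing mandatory characters first. The `count_valid` dynamic program counts that set exactly, so the bits the rules cost can be compared against the unconstrained 20 * log2(94) ≈ 131 bits. The sample password from the thread is used only to check the rule function: it has plenty of every class but ends in a digit, so it fails the letter-at-both-ends rule.

```python
import math
import secrets
import string

# Character classes over the 94 printable, non-space ASCII characters
# (26 lower, 26 upper, 10 digits, 32 punctuation symbols), as in the thread.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())
assert len(ALPHABET) == 94

LENGTH = 20          # password length discussed in the thread
MIN_PER_CLASS = 2    # "at least two of each kind of symbol"


def classify(ch):
    """Return the class name of a single character."""
    for name, chars in CLASSES.items():
        if ch in chars:
            return name
    raise ValueError(f"not a printable non-space ASCII character: {ch!r}")


def satisfies_rules(pw, length=LENGTH, min_per_class=MIN_PER_CLASS, letter_ends=True):
    """True if pw has the required length, at least min_per_class characters
    of each class, and (when letter_ends) a letter in first and last position."""
    if len(pw) != length:
        return False
    counts = {name: 0 for name in CLASSES}
    for ch in pw:
        counts[classify(ch)] += 1
    if any(c < min_per_class for c in counts.values()):
        return False
    if letter_ends and not (pw[0].isalpha() and pw[-1].isalpha()):
        return False
    return True


def generate(length=LENGTH, min_per_class=MIN_PER_CLASS, letter_ends=True):
    """Rejection sampling: draw every position uniformly from the full
    alphabet with the OS CSPRNG and discard candidates that break a rule.
    The accepted string is therefore uniform over the valid set (about one
    in five candidates is accepted for the thread's parameters)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if satisfies_rules(pw, length, min_per_class, letter_ends):
            return pw


def count_valid(length=LENGTH, min_per_class=MIN_PER_CLASS, letter_ends=True):
    """Exact number of strings that satisfy the rules, by dynamic programming
    over positions. The state is the per-class count capped at min_per_class,
    so at most (min_per_class + 1) ** 4 states exist at any position."""
    names = list(CLASSES)
    sizes = [len(CLASSES[n]) for n in names]
    letters = {names.index("lower"), names.index("upper")}
    cap = min_per_class
    states = {tuple([0] * len(names)): 1}
    for pos in range(length):
        ends_only_letters = letter_ends and pos in (0, length - 1)
        nxt = {}
        for state, ways in states.items():
            for i, size in enumerate(sizes):
                if ends_only_letters and i not in letters:
                    continue
                s = list(state)
                s[i] = min(cap, s[i] + 1)
                s = tuple(s)
                nxt[s] = nxt.get(s, 0) + ways * size
        states = nxt
    full = tuple([cap] * len(names))
    return states.get(full, 0)


def entropy_bits(count):
    """log2 of the number of equally likely candidates."""
    return math.log2(count)


if __name__ == "__main__":
    pw = generate()
    print(pw, satisfies_rules(pw))
    # The password quoted in the thread passes the class-count rule but ends
    # in a digit, so it fails the added letter-at-both-ends rule.
    sample = 'F!Vz5s19WuXa61PaA"+5'
    print(satisfies_rules(sample, letter_ends=False), satisfies_rules(sample))
    free = entropy_bits(len(ALPHABET) ** LENGTH)
    ruled = entropy_bits(count_valid())
    print(f"unconstrained: {free:.2f} bits, with rules: {ruled:.2f} bits, "
          f"rules cost {free - ruled:.2f} bits")
```

Two things the numbers show: the rules remove only a few bits from a 20-character random password (the letter-at-both-ends rule alone costs log2((94/52)^2), about 1.7 bits), and they change nothing about an attacker who is enumerating memorable passwords rather than the random space, which is the point Thomas makes below.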


