Oh, I see. It depends on having the full glyph sequence from watching someone input a password. For some reason I was thinking it was more complicated than that and looked right past the obvious answer.
Nov 9, 2016 02:51

Hello goons, something just occurred to me today. If "correct horse battery staple" is a good format for a password, couldn't you easily use quotes as something just as individual, secure, and even more memorable? It seems like subbing it with, say, one of my favorite sayings from Voltaire, gives me 150 bits of entropy to the horse's 107.
Nov 14, 2016 18:13

Cup Runneth Over posted: Hello goons, something just occurred to me today. If "correct horse battery staple" is a good format for a password, couldn't you easily use quotes as something just as individual, secure, and even more memorable? It seems like subbing it with, say, one of my favorite sayings from Voltaire, gives me 150 bits of entropy to the horse's 107. Yes?

e: using quotes is fine, but change the words around or the order of them, use complex characters, keep it long

CLAM DOWN fucked around with this message at 18:44 on Nov 14, 2016
Nov 14, 2016 18:18

Cup Runneth Over posted: couldn't you easily use quotes as something just as individual, secure,

it wouldn't be, because you're not choosing the words randomly. someone could do a dictionary attack seeded on a book of quotations https://www.google.co.uk/search?q=ce1194512322f2d9b1a85e11f6602c14
Nov 14, 2016 18:25

well no. limited amount of 'unique' quotes/lyrics. if it's a random word list then each word is functionally a character when bruteforcing (given a public list)
Nov 14, 2016 18:25

Cup Runneth Over posted: Hello goons, something just occurred to me today. If "correct horse battery staple" is a good format for a password, couldn't you easily use quotes as something just as individual, secure, and even more memorable? It seems like subbing it with, say, one of my favorite sayings from Voltaire, gives me 150 bits of entropy to the horse's 107.

Well, now that you've posted this, from glancing at wikiquote's maybe 100 quotes on its Voltaire page it's more like 6 bits. I guess I'll be nice and give you the French too, increasing that to 7 bits.
Nov 14, 2016 18:31

hobbesmaster posted: Well, now that you've posted this from glancing at wikiquote's maybe 100 quotes on its voltaire page its more like 6 bits. I guess I'll be nice and give you the french too increasing that to 7 bits.

I wouldn't actually use that any more than CHBS. But it's not like Voltaire quotes are the only ones you can use as passwords. Goodreads currently has hundreds of thousands of quotes on its site. How many bits is that?

Wiggly Wayne DDS posted: well no. limited amount of 'unique' quotes/lyrics

Technically limited, perhaps, but functionally infinite. Using a Voltaire quote would kind of be like using "password." I'm just pointing out that by using quotes in general, you can create something more easily memorable since we remember quotes all the time, and it often ends up being higher entropy.
Nov 14, 2016 18:45

we just went over how 'higher entropy' ignores that you're changing the construction of your password inherently
Nov 14, 2016 18:48

Cup Runneth Over posted: Goodreads currently has hundreds of thousands of quotes on its site. How many bits is that?
Nov 14, 2016 19:02

Forgall posted: Less than 20. An equivalent of a 3-character password.

Okay, just curious.
Nov 14, 2016 19:09

Cup Runneth Over posted: I wouldn't actually use that any more than CHBS.

People had your exact idea for "brainwallet" in bitcoins but pretty much the bots win no matter how obscure. People post about obscure poetry in local non-English dialects being used. Of course, bitcoin's not exactly always secure to begin with.
Nov 14, 2016 20:37

Trabisnikof posted: People had your exact idea for "brainwallet" in bitcoins but pretty much the bots win no matter how obscure. People post about obscure poetry in local non-English dialects being used. Of course, bitcoin's not exactly always secure to begin with.

The flaws in it make sense. What about making up your own quotes? A sentence still seems more memorable than four random words, but if they're not assembled in any dictionary already then they're not any more vulnerable to a brute force attack, correct?
Nov 14, 2016 20:43

welcome to passphrases, for when you can't use a password manager
Nov 14, 2016 20:46

e: nm
Nov 14, 2016 21:06

Wiggly Wayne DDS posted: welcome to passphrases, for when you can't use a password manager

The real fun is figuring out which websites are silently truncating your pass phrase and what the real length is.
Nov 14, 2016 22:40

If they're storing your password correctly using something like Bcrypt, it could be truncated at 55 characters. It's a bit more complicated than that but yeah
Nov 14, 2016 22:58

Measuring a password is simple: with every piece you add, consider how unlikely adding that piece was, and be pessimistic. Once you start a famous quote, continuing it is very likely, so it's almost useless to password strength. If you make up your own quote, common words are not very useful, and related words are not very useful. Your best shot at a secure passphrase is to randomly select words from a list, and then add filler to make it easier to remember. A word list sidesteps the problem of humans being terrible at randomness and at estimating randomness. Also, a random word is only about as useful as two random characters. The CHBS comic explains that it has 44 bits of entropy. It's not 107. You can't count it like characters, because they're not random characters.
Nov 14, 2016 23:49

Dylan16807 posted: Measuring a password is simple: with every piece you add, consider how unlikely adding that piece was, and be pessimistic. Once you start a famous quote, continuing it is very likely, so it's almost useless to password strength. If you make up your own quote, common words are not very useful, and related words are not very useful.

Using the most common 5000 words in the English language covers something like 97% of human speech. If you know it's a pass phrase somehow, you can reduce the possible entropy from 37^65 to 30000^4, going from 'will never be guessed' to 'I sure hope you didn't pick Correct horse battery staple'.

I want to ride my bike -> common sentence, easy to guess, bad passphrase

Lexicon puckin horse linguist -> Doesn't follow English rules, less structured and therefore better entropy, uses words that are uncommon or unique
Nov 15, 2016 01:03

Methylethylaldehyde posted: Using the most common 5000 words in the english language covers something like 97% of human speech. If you know it's a pass phrase somehow, you can reduce the possible entropy from 37^65 to 30000^4, going from 'will never be guessed' to 'I sure hope you didn't pick Correct horse battery staple'.

Adding punctuation sign(s), capitalizing a few letters and misspelling some words would further improve on this, wouldn't it?
Nov 15, 2016 02:26

Methylethylaldehyde posted: reduce the possible entropy from 37^65 to 30000^4, going from 'will never be guessed' to 'I sure hope you didn't pick Correct horse battery staple'.

The right answer is that random letters vs. random words is entirely up to taste. It doesn't matter unless you're hitting a length limit. As an arbitrary example, let's say you want 180 bits of entropy. You can choose between the following:

38 random lowercase letters
27 random letters+numbers+symbols
16 random common words
12 random uncommon words
<16 random words with junk, depends on junk

Whatever is easiest to memorize.
Nov 15, 2016 03:07

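The arithmetic behind the numbers traded in the posts above (hobbesmaster's 6 bits for a Voltaire quote, Forgall's "less than 20" for Goodreads, the comic's 44 bits for four common words, Methylethylaldehyde's 37^65 versus 30000^4, and Dylan16807's 180-bit equivalents) all comes from one rule: a uniformly random pick from a pool of N candidates is worth log2(N) bits, and independent picks add. The script below is an added example, not code from any poster; the word-list sizes (2048 for "common" words, 30000 for "uncommon", 100 Voltaire quotes, 500,000 Goodreads quotes) are assumptions chosen to match the figures quoted in the thread, and Dylan16807's counts are rounded, so they land in the high 170s rather than at exactly 180. `pessimistic_bits` implements Dylan16807's piece-by-piece rule: a quote opening counts once, and its continuation is modelled as a pool of one.

```python
import math

# Added example (not from the thread): entropy arithmetic for the password
# constructions compared in the posts above.  Pool sizes marked "assumed"
# are chosen to reproduce the thread's figures, not measured.


def bits_per_pick(pool_size: int) -> float:
    """Entropy in bits of one uniformly random pick from `pool_size` candidates."""
    if pool_size < 1:
        raise ValueError("pool must have at least one item")
    return math.log2(pool_size)


def bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform picks from a pool of `pool_size`."""
    return picks * bits_per_pick(pool_size)


def picks_for(target_bits: float, pool_size: int) -> int:
    """Smallest number of uniform picks from `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_pick(pool_size))


def pessimistic_bits(pieces: list[tuple[str, int]]) -> float:
    """Dylan16807's rule: sum, over each piece added, log2 of how many things
    could plausibly have been added at that point.  A famous quote's opening
    is one pick from the quote list; every later word of it has a pool of 1
    (an attacker who has the opening gets the rest for free), so it adds 0."""
    return sum(bits_per_pick(pool) for _, pool in pieces)


# Pool sizes used below.  Character pools are exact; list sizes are assumed.
COMMON_WORDS = 2048        # assumed: a 2^11-word list, matching the comic's 11 bits/word
UNCOMMON_WORDS = 30000     # from Methylethylaldehyde's 30000^4
VOLTAIRE_QUOTES = 100      # hobbesmaster's estimate of the wikiquote page
GOODREADS_QUOTES = 500_000 # assumed: "hundreds of thousands"
LOWERCASE = 26
PRINTABLE_ASCII = 95       # letters, digits, symbols and space


def thread_numbers() -> dict:
    """Reproduce the figures quoted in the thread from the single rule above."""
    return {
        "chbs_4_common_words": bits(COMMON_WORDS, 4),          # 44.0, as the comic says
        "one_voltaire_quote": bits(VOLTAIRE_QUOTES, 1),        # ~6.6 bits
        "one_goodreads_quote": bits(GOODREADS_QUOTES, 1),      # ~18.9 bits, "less than 20"
        "unknown_structure_37^65": bits(37, 65),               # ~339 bits
        "known_passphrase_30000^4": bits(UNCOMMON_WORDS, 4),   # ~59.5 bits
        "180_bit_equivalents": {
            "38 lowercase letters": bits(LOWERCASE, 38),
            "27 printable ASCII": bits(PRINTABLE_ASCII, 27),
            "16 common words": bits(COMMON_WORDS, 16),
            "12 uncommon words": bits(UNCOMMON_WORDS, 12),
        },
        # A quote that merely continues once started: only the opening counts.
        "famous_quote_pessimistic": pessimistic_bits(
            [("opening line from a 100-quote list", VOLTAIRE_QUOTES),
             ("rest of the quote", 1)]
        ),
    }


if __name__ == "__main__":
    for name, value in thread_numbers().items():
        print(f"{name}: {value}")
    for pool_name, pool in [("lowercase", LOWERCASE), ("ASCII", PRINTABLE_ASCII),
                            ("common words", COMMON_WORDS), ("uncommon words", UNCOMMON_WORDS)]:
        print(f"picks of {pool_name} for 180 bits: {picks_for(180, pool)}")
```

The counts `picks_for` returns for a hard 180-bit target come out one higher than Dylan16807's in three of the four rows, which is just the rounding in his list; the point of the table, that the constructions are interchangeable up to a length limit, survives either way.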
Or you could just use a password manager.
Nov 15, 2016 03:38

Methylethylaldehyde posted: I want to ride my bike -> common sentence, easy to guess, bad passphase

That second one pretty much does follow English rules, assuming "puckin" is being used as a verb. I don't know exactly what a lexicon-pucking horse linguist is, but as a phrase it sounds fine.

Point is there are patterns to English phrasing, combining nouns and modifiers with particular positioning, and there's statistical data on which words are used and how often it's as a verb, or a noun, etc. "Random" phrases aren't as random as people think, and a password cracker doesn't care if they make sense or not.

I don't know how much this affects the entropy, but you'd probably at least want machines generating random phrases (maybe with a made-up word or two) instead of letting people put words together, subconsciously following the rules of language that shape their expression and thinking. Same goes for letting them reject random passphrases until they get one they 'like'.
Nov 15, 2016 03:59

baka kaba posted: That second one pretty much does follow English rules, assuming "puckin" is being used as a verb. I don't know exactly what a lexicon-pucking horse linguist is, but as a phrase it sounds fine

Puckin - n - an orange gourd worth murdering children over.
Nov 15, 2016 04:43

OSI bean dip posted: Or you could just use a password manager.
Nov 15, 2016 05:24

Sorry, I only store my hashed password database on an encrypted flash drive stuffed in my rectum that requires a specific sequence of hot peppers at random Scoville values to dislodge. [Edit: Sorry, I'm not actually sure if this is a serious thread or not at this point.]
Nov 15, 2016 06:16

Internet Explorer posted: Sorry, I only store my hashed password database on an encrypted flash drive stuffed in my rectum that requires a specific sequence of hot peppers at random Scoville values to dislodge.

Infosec is a joke.
Nov 15, 2016 06:24

OSI bean dip posted: Or you could just use a password manager.

There are still passwords you can't store in the manager: the password for the manager itself, the password for your work account if any, and the passwords for your computer accounts. What you could do is generate a password using the diceware list, then write down a hint for it on a piece of paper and keep it in your wallet. Once you're satisfied you memorized it, destroy the hint by burning it, disintegrating it in water, eating it, whatever you want.
Nov 15, 2016 06:30

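The diceware procedure the post above recommends, and baka kaba's point that the words must come from a machine rather than a person, as an added example that is not code from any poster or from the Diceware project. The real Diceware list has 7776 entries keyed by five dice rolls from "11111" to "66666"; `SAMPLE_WORDS` below is a constructed stand-in so the script runs offline, and the entropy it reports for that list is correspondingly tiny. `roll_dice` draws from the OS CSPRNG via `secrets`, `roll_to_index` is the base-6 mapping from a roll to a list position, and `passphrase` picks words uniformly and refuses a list with duplicates, since duplicates would overstate the log2(len) bits per word.

```python
import math
import secrets

# Added example (not from the thread): diceware-style passphrase generation.
# SAMPLE_WORDS is a constructed sample; a real Diceware list has 7776 entries.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lexicon", "linguist",
    "puckin", "gourd", "orange", "voltaire", "diceware", "wallet",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries, one per five-die roll


def roll_dice(dice: int = 5) -> str:
    """Roll `dice` six-sided dice from the OS CSPRNG; returns e.g. '35261'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def roll_to_index(roll: str) -> int:
    """Map a five-die roll ('11111' .. '66666') to a list index 0 .. 7775.

    Each die is a base-6 digit with values 1..6, so the roll is read as a
    base-6 number with 1 subtracted from every digit."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"not a five-die roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` uniform, independent picks from `list_size` words."""
    return word_count * math.log2(list_size)


def passphrase(words: list[str], word_count: int) -> tuple[str, float]:
    """Pick `word_count` words uniformly at random; return the phrase and its bits.

    The entropy figure is honest only because every pick is uniform and
    independent and nothing is rejected afterwards: re-rolling until the
    phrase 'looks nice' or rearranging it into a sentence lowers it."""
    if len(words) != len(set(words)):
        raise ValueError("word list has duplicates; entropy would be overstated")
    chosen = [secrets.choice(words) for _ in range(word_count)]
    return " ".join(chosen), entropy_bits(word_count, len(words))


def diceware_index(word_count: int = 6) -> list[int]:
    """The manual procedure: roll five dice per word and look each roll up.
    With a real 7776-entry list, these indices select the words directly."""
    return [roll_to_index(roll_dice()) for _ in range(word_count)]


if __name__ == "__main__":
    phrase, bits = passphrase(SAMPLE_WORDS, 4)
    print(f"{phrase}  ({bits:.1f} bits from a {len(SAMPLE_WORDS)}-word sample list)")
    print(f"six words from a real list: {entropy_bits(6, DICEWARE_LIST_SIZE):.1f} bits")
    print("dice indices for six words:", diceware_index())
```

Six words from the full list give about 77.5 bits; four from the twelve-word sample give only about 14, which is the whole reason the list size matters more than the word length.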
Internet Explorer posted: Sorry, I only store my hashed password database on an encrypted flash drive stuffed in my rectum that requires a specific sequence of hot peppers at random Scoville values to dislodge.

KeepAss, literally.
Nov 15, 2016 06:34

https://youtu.be/kDPARWIaOdw

People have already done the research for what you are talking about. The research discussed in this talk is a good jumping off point if you're interested in the "why not use a quote for a passphrase?" and "why not just use a user-provided passphrase?" questions. If your threat model involves someone with resources messing with you specifically, assume that they'll look at the things you like and the things you write to find things to make dictlists.
Nov 15, 2016 07:56

cheese-cube posted: KeepAss, literally.
Nov 15, 2016 08:57

How dangerous would something like PoisonTap be, if inserted into an office computer in a corporate building? https://www.youtube.com/watch?v=Aatp5gCskvk
Nov 21, 2016 18:45

Depends on whether the endpoints are locked down via Group Policy to only accept specific devices...
Nov 21, 2016 19:00

cheese-cube posted: Depends on whether the endpoints are locked down via Group Policy to only accept specific devices...

Which is basically never. That poo poo is interesting and I plan on using it to scare customers into locking down USB.
Nov 21, 2016 19:10

apropos man posted: How dangerous would something like PoisonTap be, if inserted into an office computer in a corporate building?

If you have some form of USB port protection in place, it's not dangerous at all. If you don't, well....
Nov 21, 2016 19:19

psydude posted: Which is basically never.

Where I work it certainly is, across the entire fleet, and I'm not even in a particularly high-sec industry (Well...yeah). It's very easy to implement and surprisingly unobtrusive unless you've got some real garbo devices. Of course that won't block things like the Rubber Ducky but if you're worried about that then you've already epoxied the USB ports on all endpoints. In fact if you're worried about PoisonTap which requires direct access then you'd be jamming two-part in all visible holes...

Pile Of Garbage fucked around with this message at 19:32 on Nov 21, 2016
Nov 21, 2016 19:23

cheese-cube posted: jamming two-part in all visible holes
Nov 21, 2016 19:26

Nov 21, 2016 19:30

First one, then the other.
Nov 21, 2016 19:31

CLAM DOWN posted: If you have some form of USB port protection in place, it's not dangerous at all. If you don't, well....

Does the Windows built-in USB protection prevent DMA type exploits?
Nov 21, 2016 21:32

Methylethylaldehyde posted: Does the windows built in USB protection prevent DMA type exploits?

Good question, I've never used it. I've used Bit9 and Check Point mainly.
Nov 21, 2016 21:41