On Password Strength

[Cinjin]

I use to use password as my password too, but someone told me I was a dumb redneck so I changed my password to access


ha ha checkmate hackers!!!

[Jackalope]

OK, I guess I'm not up on what exactly a "hash" is.

Passwords are typically stored as a "hash", which is a one-way cryptographic algorithm that takes a set of data (such as a password) and creates what is essentially a "fingerprint" of the data. This operation is one way - the hash can be derived from the plain text, but the plain text cannot (easily) be derived from the hash. In theory, a good hashing algorithm will produce a unique hash for every unique input plain text.

A user-entered password can be compared against a stored hashed password by hashing the user input using the same algorithm used to hash the stored passwords and comparing the hashes.

One weakness of hashed passwords is that if the password hash is known (by compromising the password storage mechanism), that hash can be compared against a pre-generated "rainbow table" (a dictionary of plain text phrases and thier hash equivalent).

[Tiberius]

A hash is how a lot of sites store your password in their databases. Instead of storing the password as plaintext, or encrypting it, they will apply a hash function that transforms the password into a certain value.

Hash functions (like MD5, SHA, etc) have the property of being non-reversible; that is, you can calculate the hash of a password, but it is very hard to calculate the password from the hash.

For instance, this is easy:

MD5("password") = 5f4dcc3b5aa765d61d8327deb882cf99

This is not:

unMD5("8500f5f9f0043dec7f9725a214e8a8c2") = ...???

---

One weakness of hashed passwords is that if the password hash is known (by compromising the password storage mechanism), that hash can be compared against a pre-generated "rainbow table" (a dictionary of plain text phrases and thier hash equivalent).

That is why we use salts.

[Doubting Thomas]

OK I get it now. So if they see the "5f4dcc3b5aa765d61d8327deb882cf99" hash they can look that up in their rainbow dictionary and see that the password "password" works out to the same hash. But if you used a password that's not quite that easy to guess it will be stored as some uncommon, hard-to-work-out hash.

Well, that's why I generally use passwords which mean something to me but not really the general public. Plus I combine passwords while separating them with random punctuation characters as well as some numbers. Plus I never use the same password twice, and try to remember to change them every so often.

[Rob]

this comes to mind;


My password here is a random string as generated by the automated password reset form.
It is insecure as it was emailed to me over an unencrypted channel.
However, i don't think im compromised.

[Tiberius]

Yes, I based my method somewhat on Randall's, but mine isn't susceptible to what should probably be termed "known-method attacks". In essence, if an attacker knows something about your password, then generally speaking it is easier to attack it. For instance, if I knew that someone's password was using Randall's method, I wouldn't run a bog-standard brute-force algorithm at it. Instead, I'd get a large dictionary of words, and then just run through all possible combinations of 4 words.

Of course, the chances of an attacker knowing you use Randall's method are quite remote (at least, they should be), so his method is still "more secure" in a pure brute-force scenario. However, the fact that known-method attacks exist, and could potentially break one of Randall's passwords is less time than a standard password should be worrying. Hence, my method tries to protect against these sorts of attacks, by using the element of randomness, but putting it into a proper sentence form. So you still have words from the dictionary, but some of them might be capitalised, and others might be followed by some punctuation symbol, etc. The number of brute-force attempts thus becomes the number of possible sentences that you can have, making such attacks infeasible.

[KichigaiNeko]

So have you broken my password yet?? or you just been too busy?

[Tiberius]

So have you broken my password yet?? or you just been too busy?

I have no reason to break your password. Someone malicious might. I could give it a go if you wanted me to.

[KichigaiNeko]

So have you broken my password yet?? or you just been too busy?

I have no reason to break your password. Someone malicious might. I could give it a go if you wanted me to.

might be interesting...would you like to?? the password for this forum?? Or for the Gmail account it is linked to?? How long do I give you until I change the password?? 24 hours??

Interesting exercise...and a demonstration to all that Internet security IS an issue??

Go for Tiberius!!

[Tiberius]

I would go from the position that our database had been compromised, and thus would have as long as I wanted to break it. Changing your password wouldn't change anything, since we would be assuming that you wouldn't know an attack was taking place, and therefore have no reason to worry.

I will start trying next week. If I do crack it I'll PM you with it first and let you change it before I do anything else :-)

---

Edit: the password for this forum. I'm not attacking Google!