Our server costs ~$56 per month to run. Please consider donating or becoming a Patron to help keep the site running. Help us gain new members by following us on Twitter and liking our page on Facebook!
Current time: January 20, 2025, 7:17 am

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Changing Our Password Policy
RE: Changing Our Password Policy
(August 23, 2012 at 8:10 pm)Cthulhu Dreaming Wrote: Such passwords are easily cracked with a $2 length of iron pipe.

Explain to me your logic in that adding more characters to a password could make it easier to crack?
"Sisters, you know only the north; I have traveled in the south lands. There are churches there, believe me, that cut their children too, as the people of Bolvangar did--not in the same way, but just as horribly. They cut their sexual organs, yes, both boys and girls; they cut them with knives so that they shan't feel. That is what the Church does, and every church is the same: control, destroy, obliterate every good feeling. So if a war comes, and the Church is on one side of it, we must be on the other, no matter what strange allies we find ourselves bound to."

-Ruta Skadi, The Subtle Knife
Reply
RE: Changing Our Password Policy
It's a joke. The iron pipe is applied to the knee to crack the password.
Reply
RE: Changing Our Password Policy
I have no idea what my password is now, I've just been continually logged in =P. Your attempts to crack my password by cracking my bones are futile, foul villain!
Nemo me impune lacessit.
Reply
RE: Changing Our Password Policy
(August 23, 2012 at 8:48 pm)Stue Denim Wrote: I have no idea what my password is now, I've just been logged in perpetually for a while =P

That definitely makes you immune to the iron pipe crack. Big Grin
Reply
RE: Changing Our Password Policy
That technique is commonly known as rubber-hose cryptanalysis. The Russians call it thermo-rectal cryptanalysis.
Reply
RE: Changing Our Password Policy
(August 23, 2012 at 10:18 pm)Tiberius Wrote: That technique is commonly known as rubber-hose cryptanalysis. The Russians call it thermo-rectal cryptanalysis.

Yes, but that won't help if you're trying to brute-force a database of passwords. How long would it take to crack a 94 character password on say, a 3 GHz processor? Serious question, I'd actually like to know.
"Sisters, you know only the north; I have traveled in the south lands. There are churches there, believe me, that cut their children too, as the people of Bolvangar did--not in the same way, but just as horribly. They cut their sexual organs, yes, both boys and girls; they cut them with knives so that they shan't feel. That is what the Church does, and every church is the same: control, destroy, obliterate every good feeling. So if a war comes, and the Church is on one side of it, we must be on the other, no matter what strange allies we find ourselves bound to."

-Ruta Skadi, The Subtle Knife
Reply
RE: Changing Our Password Policy
(August 23, 2012 at 10:26 pm)AthiestAtheist Wrote: Yes, but that won't help if you're trying to brute-force a database of passwords. How long would it take to crack a 94 character password on say, a 3 GHz processor? Serious question, I'd actually like to know.
Erm, it would help. The point of rubber-hose cryptanalysis is that you physically beat the password out of the victim. I have to say though, that this:

Quote:One time I used an uncrackable 35+ character password. Though the purpose of it being so long was that it was the password to my school site where my Dad could check out my grades. It involves using all the letters on the keyboard up to the "seed" password, alternating between capital and lowercase letters, and if there are any numbers, converting them into pseudo-binary. This means that the relatively insecure password "password123456" would be "QwErTyUiOpqWeRtYuIoPaQwErTyUiOpAsQwErTyUiOpAsQwqWeRtYuIoQwErqWeRtYuIoPaSd0110001​11100000111111" Such a password is impossible to remember if you don't know the original password or the formula, requiring those who don't know it write down the password in long form, and since it's so long, it makes entering it off a piece of paper even more of a chore. Finally, since it has so many characters, it's so secure it's ridiculous! Yes, what this all goes to show you is that preventing your parents from seeing your grades will turn you into a security expert.

is rather silly. The generated password is by no means secure. Why? Because it is generated from an insecure seed value. In cryptanalysis, we always make the assumption that an attacker knows as much as possible about the system, with the exception of the secret key. In your case, the attacker will have the formula for generating the password, and I'm afraid that "password123456" is found in any good password dictionary. From there, your entire long password can be easily found via a dictionary attack. No attacker would ever do this by hand; they would have a computer program do it, so the fact that entering it off a piece of paper is a chore is completely irrelevant.

Other than that, there are a couple of flaws I can see with your formula:
  • Alternating between upper and lowercase letters removes entropy. You are limiting the number of possible generated passwords when doing this. That makes a brute-force easier.
  • Your formula produces very apparent patterns in the generated password. These patterns are so apparent they can be detected by a human brain. For instance, the word "qwerty" (in various forms) is repeated 6 times. Also, the fact that there are all numbers at the end of your seed and all numbers at the end of the generated password is probably not a coincidence.
So no, this does not make you a security expert. I suspect given time, and possibly some other seed/password examples, your formula could be determined through analysis. At that point, the security of your account is reduced to the strength of your seed, which as you've demonstrated, is practically nothing.

As to your question about how fast passwords can be cracked, have a look here:

https://www.grc.com/haystack.htm

That said, these values only apply to true brute-force attacks. A dictionary attack on your seed would crack your password in less than a second.

Update:

Now I've had more time to look at this, I can confidently say I've cracked the numerical portion of your formula.

If "123456" => "0110001​11100000111111" then it is reasonable to assume that the following is true:

"1" => "0"
"2" => "11"
"3" => "000"
"4" => "1111"
"5" => "00000"
"6" => "111111"

You are simply alternating between 0's and 1's, and displaying the same character X times where X is the original input number.

Update #2:

Again, assuming I am correct and "password" => "QwErTyUiOpqWeRtYuIoPaQwErTyUiOpAsQwErTyUiOpAsQwqWeRtYuIoQwErqWeRtYuIoPaSd".

We can split this up around the "qwerty" substrings:

QwErTy UiOp qWeRtY uIoPa QwErTy UiOpAs QwErTy UiOpAsQw qWeRtY uIoQwEr qWeRtY uIoPaSd

The non-qwerty substrings are interesting; they all seem to start with the letters (in varying cases) "uio" which I'd guess is either a constant or (more likely) some letters chosen based on the seed value. Since these values are all constant, the real puzzle is solving the values that come directly after them:

p Pa pAs pAsQw QwEr PaSd

Obviously the first 3 of these is just the first X letters of the word "password" in varying cases. Then for some reason, the word "qwerty" starts to get appended, before finally being dropped in the last value (the 'd' character possibly being taken from the end of the word "password").

Interesting to say the least. Still very insecure, since a lot of the password is simply not random.
Reply



Possibly Related Threads...
Thread Author Replies Views Last Post
  Privacy Policy Update Tiberius 1 1107 October 8, 2017 at 5:29 pm
Last Post: Silver
  Introduction subforum rules and enforcement policy - you need to read this. Jackalope 21 7841 May 1, 2014 at 5:37 pm
Last Post: Jackalope



Users browsing this thread: 21 Guest(s)