Changing Our Password Policy

[Tiberius]

Yes, but that won't help if you're trying to brute-force a database of passwords. How long would it take to crack a 94 character password on say, a 3 GHz processor? Serious question, I'd actually like to know.

Erm, it would help. The point of rubber-hose cryptanalysis is that you physically beat the password out of the victim. I have to say though, that this:

One time I used an uncrackable 35+ character password. Though the purpose of it being so long was that it was the password to my school site where my Dad could check out my grades. It involves using all the letters on the keyboard up to the "seed" password, alternating between capital and lowercase letters, and if there are any numbers, converting them into pseudo-binary. This means that the relatively insecure password "password123456" would be "QwErTyUiOpqWeRtYuIoPaQwErTyUiOpAsQwErTyUiOpAsQwqWeRtYuIoQwErqWeRtYuIoPaSd0110001​11100000111111" Such a password is impossible to remember if you don't know the original password or the formula, requiring those who don't know it write down the password in long form, and since it's so long, it makes entering it off a piece of paper even more of a chore. Finally, since it has so many characters, it's so secure it's ridiculous! Yes, what this all goes to show you is that preventing your parents from seeing your grades will turn you into a security expert.

is rather silly. The generated password is by no means secure. Why? Because it is generated from an insecure seed value. In cryptanalysis, we always make the assumption that an attacker knows as much as possible about the system, with the exception of the secret key. In your case, the attacker will have the formula for generating the password, and I'm afraid that "password123456" is found in any good password dictionary. From there, your entire long password can be easily found via a dictionary attack. No attacker would ever do this by hand; they would have a computer program do it, so the fact that entering it off a piece of paper is a chore is completely irrelevant.

Other than that, there are a couple of flaws I can see with your formula:

• Alternating between upper and lowercase letters removes entropy. You are limiting the number of possible generated passwords when doing this. That makes a brute-force easier.
  
• Your formula produces very apparent patterns in the generated password. These patterns are so apparent they can be detected by a human brain. For instance, the word "qwerty" (in various forms) is repeated 6 times. Also, the fact that there are all numbers at the end of your seed and all numbers at the end of the generated password is probably not a coincidence.
  

So no, this does not make you a security expert. I suspect given time, and possibly some other seed/password examples, your formula could be determined through analysis. At that point, the security of your account is reduced to the strength of your seed, which as you've demonstrated, is practically nothing.

As to your question about how fast passwords can be cracked, have a look here:

https://www.grc.com/haystack.htm

That said, these values only apply to true brute-force attacks. A dictionary attack on your seed would crack your password in less than a second.

Update:

Now I've had more time to look at this, I can confidently say I've cracked the numerical portion of your formula.

If "123456" => "0110001​11100000111111" then it is reasonable to assume that the following is true:

"1" => "0"
"2" => "11"
"3" => "000"
"4" => "1111"
"5" => "00000"
"6" => "111111"

You are simply alternating between 0's and 1's, and displaying the same character X times where X is the original input number.

Update #2:

Again, assuming I am correct and "password" => "QwErTyUiOpqWeRtYuIoPaQwErTyUiOpAsQwErTyUiOpAsQwqWeRtYuIoQwErqWeRtYuIoPaSd".

We can split this up around the "qwerty" substrings:

QwErTy UiOp qWeRtY uIoPa QwErTy UiOpAs QwErTy UiOpAsQw qWeRtY uIoQwEr qWeRtY uIoPaSd

The non-qwerty substrings are interesting; they all seem to start with the letters (in varying cases) "uio" which I'd guess is either a constant or (more likely) some letters chosen based on the seed value. Since these values are all constant, the real puzzle is solving the values that come directly after them:

p Pa pAs pAsQw QwEr PaSd

Obviously the first 3 of these is just the first X letters of the word "password" in varying cases. Then for some reason, the word "qwerty" starts to get appended, before finally being dropped in the last value (the 'd' character possibly being taken from the end of the word "password").

Interesting to say the least. Still very insecure, since a lot of the password is simply not random.