The definition of "hard password" is generally one that is resistant
to dictionary or social attack. By that definition you've failed to
demonstrate that the passphrase I supplied in my previous example is
any more vulnerable than "C0pp3rB0tt0m" or "i013ac$Z". In the absence
of the ability to conduct a successful dictionary attack the
difficulty of brute-forcing a passphrase is a direct function of the
length of the passphrase and the character space from which the
passphrase is chosen. In such a context passphrases have a clear
advantage, as it's easier for humans to remember sequences of words as
opposed to semi-random collections of characters, thus encouraging a
much longer length while discouraging the tendency to write down
passwords that are difficult to remember.
I disagree and would say that's not correct either.
the definition of "hard password" generally includes things that are not easily
cracked by brute-force, e.g. "1234567890" while long, wouldn't be hard.
brute-forcing a passphrase is not necessarily a function of the length
especially where windows is concerned, or if another system, where there are
weaknesses in the cryptographic functions themselves.
one portion of windows password stores saves the password as an 8 character
uppercase string,
that's hardly very secure and can easily provide clues as to the true password.
and you just reinforced my suggestion, the methods I've been using.
the password generators I've written produce not only hardened passwords,
and also passwords which are next to impossible to remember,
BUT are incredibly easy for the user to type in.
this does several things
it means the user never has to write them down,
they can never give out their password
however, the user has no issues logging in.
they're based on the natural flow of the users hands as they type.
not keyboard patterns, but a function of how words are formed
across the hands and fingers, combinations of left and right hand typing.
FWIW, you're the one who introduced Windows into this discussion;
Gene's original comment had precisely nothing to do with Windows and
while your comments are valid relative to Windows that's not the
context for the conversation.
windows was an example, but it's not to say there are not other systems
with equally or similarly weak cryptographic functions
and FWIW, you started out (I believe) making the comparison of linux vs windows
and saying they were equally strong (which is not correct).
but that's water under the bridge now, it's purely for point of providing
an example everyone is familiar with.
You seem to be confusing a bad implementation of the translation of
plaintext to cryptotext and the poor storage of said cryptotext with
the relative security of passphrases vs. passwords. The two are
utterly distinct.
no, I'm not, and they are not necessarily distinct, dependent on the system.
any good security person has to take the system as a whole, there are
many "paths" to finding ways through the system, flaws in implementation,
weaknesses in cryptography, the human element, and of course, others.
You cannot truly understand a system unless you look at it holistically.
In order to produce a partial password the program in question must
either have access to the resulting cryptotext for the password in
question or have the Great Karnack module installed which allows it to
know things without having any way to know them. For the purposes of
the point that Gene raised getting hung up on Windows (or, for that
matter, Unix v7 or anything else that makes encrypted authentication
information visible) as a counterexample is useless. Any
authentication system designed in the past decade by anyone with
intelligence exceeding that of a pine marten is going to employ a
relatively sophisticated transform (i.e., not crypt() and not an
MD5sum) and isn't going to allow you to see the stored cryptotext,
meaning that you're actually going to have to submit each password to
the system for authentication rather than have some program magically
spew it out to you.
This doesn't apply, at least in the case of windows (and perhaps others).
On windows systems I've seen it decrypt the first (or second) half of a password,
or the first 8 characters, I've seen it do portions in sections.
all this with no access to cleartext.
I'd have to double-check if this has any similarity for md5 passwords, I don't
recall, though I doubt it.
windows is a good example because it is (still) the most used OS in the world,
and a large percentage of people have a false sense of security in using it.
The above includes Vista.
Users should never be lured into a false sense of security, having a good password
is only one piece of the whole security policy that should be in place.
Dan.