[Dshield] password security
Dr. Daniel Carras
dr.astrom42 at gmail.com
Thu Feb 5 04:07:03 GMT 2009
Yes - some do (dictionary crackers). I agree that eeqmc2 would be easy,
but the lower limit of security posed by the original question was when
there is a limit of 6 characters, and I'm assuming that the passwords
(under this condition) would be restricted to letters and numbers. Under
the limited condition, eeqmc2 (or some variation thereof) would be
attempted after the dictionary runs through all words. Now some sites,
while they allow longer length passwords, only allow alphanumeric
characters. In which case the eeqmc2 would be extrapolated to larger
size passwords. The goal here is to choose a password outside the typical
range of crackers. At this point, crackers would give way to trojans,
worms, and spyware used to find password files on a system.
John Hardin wrote:
> On Wed, 4 Feb 2009, Dr. Daniel Carras wrote:
>
>
>> Brute Force dictionary crackers would have "10 Bottles of Beer", they
>> wouldn't have eeqmc2, this would require a different algorithm. However,
>> an increasing number of account hacks look for password files on the users'
>> system.
>>
>
> Dictionary crackers do multi-word passphrases?
>
> And, "eeqmc2" would be very easy to brute force due to its limited length
> and small universe of characters. Actually, the *source* of your example
> password would be stronger, assuming the site allowed it: [e = mc^2] has a
> mixture of punctuation marks, spaces, letters and numbers. It's still
> dangerously short, though.
>
> Components to a good password:
> Length
> Size of universe of source characters
> (don't limit yourself to lowercase ASCII)
> Memorability (so you don't have to write it down)
>
> What I usually recommend is:
>
> Figure out some rules that you will use for changing a plaintext phrase
> into a password, trivially for example: convert all letters "o" to numeral
> "0" or punctuation marks "()" or a specific accented "o" non-US-ASCII
> character (though that may be difficult to type in some situations...)
>
> Take your source phrase and apply those rules to get your password.
>
> Of course, the source phrase must then be memorable. Ideally it would be
> suggested by the site so that you can have a different passphrase per
> site. For example, you might use the source phrase "Microsoft sucks" as a
> starting point for passwords for Microsoft sites if you didn't
> particularly like them... :)
>
> And if the site expires passwords (or if you do so proactively to improve
> security) then have some sort of rule for generating a sequence of
> passwords from that phrase, for example (again trivially) by appending the
> name of the month to the source phrase when you change your password.
> (That, of course, assumes you remember *when* you changed the password...)
>
> That might give you a password for a physics site that looks like:
>
> #1n5t#1n s#z: #=m(^2
>
> Start with "Einstein says: E=mc^2" for the physics site;
> Apply rules:
> says -> sez
> E -> #
> i -> !
> s -> 5
> c -> (
>
>
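As an added illustration (not part of the original thread, and not code written by either poster), the following Python script does two things the exchange above discusses: it applies the substitution rules from John Hardin's message literally and in the order he lists them, and it estimates the blind brute-force keyspace of the candidate passwords ("eeqmc2", "E = mc^2", and the transformed phrase) from their length and the character classes they use, which is the "length times size of universe" point made in the reply. The character-class sets and the rule ordering are my assumptions; applied this way the listed rules yield "#!n5te!n 5ez: #=m(^2", which is not the same string as the sample shown in the message.

```python
import math
import string

# Substitution rules exactly as listed in the quoted message, in the order given.
# Order matters: "says" -> "sez" must run before "s" -> "5", or "says" would never match.
RULES = [
    ("says", "sez"),
    ("E", "#"),
    ("i", "!"),
    ("s", "5"),
    ("c", "("),
]


def apply_rules(phrase, rules=RULES):
    """Turn a memorable source phrase into a password by applying each substitution in order."""
    out = phrase
    for old, new in rules:
        out = out.replace(old, new)
    return out


# Character classes used to estimate the "universe" a blind brute-force search must cover.
# (Assumed sets: 26 lower, 26 upper, 10 digits, 32 punctuation + space = 33 other; 95 total.)
CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("other", set(string.punctuation) | {" "}),
]


def universe_size(password):
    """Size of the smallest union of standard character classes that covers the password.

    A search that knows (or guesses) the site's allowed alphabet need only cover these
    classes, which is why an all-lowercase-plus-digit password has a 36-symbol universe.
    """
    size = 0
    for _, chars in CLASSES:
        if any(ch in chars for ch in password):
            size += len(chars)
    return size


def keyspace(password):
    """Number of candidates an exhaustive search of the same length and universe must try."""
    return universe_size(password) ** len(password)


def strength_bits(password):
    """Keyspace expressed in bits: length * log2(universe)."""
    return len(password) * math.log2(universe_size(password))


if __name__ == "__main__":
    source = "Einstein says: E=mc^2"   # the source phrase from the quoted message
    candidates = ["eeqmc2", "E = mc^2", apply_rules(source)]
    for pw in candidates:
        print(f"{pw!r:28} len={len(pw):2} universe={universe_size(pw):3} "
              f"bits={strength_bits(pw):6.1f}")
```

The bit figures are an upper bound: they assume a blind search over every string of that length and alphabet. The attack the thread actually discusses, a dictionary run followed by rule-based variations of dictionary words, treats a transformed phrase as a single dictionary entry plus a short rule list, so the practical margin is much smaller than the bits suggest; length and a genuinely unusual source phrase matter more than the substitutions themselves.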