On 2014-06-28, Giancarlo Razzolini <[email protected]> wrote:
> Em 27-06-2014 19:48, Stuart Henderson escreveu:
>> "yes, cracking a stolen hash is faster, but it's not what the average user 
>> should worry about"
>>
>> I disagree, that is *exactly* what the average user should worry about.
>> And knowing that some people use xkcd style passwords, who would start on
>> a brute force attack before they've finished with a decent wordlist run?
>
> For someone to be able to steal a hash, they already got into your
> machine.

1. maybe they did, in which case you don't want to make a stolen crypted
password file any easier to use

2. "average user" -> OK so it's off the subject line of "root's password",
but the xkcd article is talking about average users - and the most common
case is probably passwords for websites. I use unique addresses for various
websites so I can identify some leaked account details. There have been
enough email addresses lost (online stores, forums, an estate agent given
the address on paper only, even a bank) and I will assume that for many
of those passwords (in whatever form they were stored, which I assume in
many cases is "plaintext" or "unsalted mdt") that I don't trust any website
with more than a one-off password used only for that site, which is not
memorable so basically means keeping them somewhere (offline or in a file
with reversible encryption), and if you're doing that anyway you might as
well use fully random strings.

> I believe that, at this point, you have much more to worry about than
> just your password being crackable. The wordlist run as you mentioned
> will get the weak passwords, based on one, two or three small words with
> special chars variations. But with four, or five big words, things start
> to get a little more complicated.

If you know a user population is likely to know this method for
password choices (or any other particular method) you can tailor the
search to it. There are a lot fewer options of ~20 character strings
of words than random characters.

> Especially if you throw in the mix a
> foreign language word.

That meme has to die - why would wordlists only be in English?

>> Using a long phrase is *much* worse than an equally long string of random
>> characters. But of course most people can't remember the latter. It's a
>> trade-off.
> Yes, that was entirely the point of the comic. The trade-off. But, the
> entropy of a letter "a" is the same as "@". As I mentioned, and someone
> asked me off list, the most modern password cracking tools know all
> these variations people use.

There's nothing particularly modern about handling substitutions like
a/@, e/3, 1/l, 7/t etc. in words, though of course using a wide set of
symbols in a fully random string does increase entropy quite a lot
for a given string length.

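To put numbers on the point about tailored searches (word-list size, word
length and guess rate are constructed assumptions; this is an added Python
example, not code from the thread):

```python
import math

# Constructed parameters for illustration only (not from the thread).
DICTIONARY_SIZE = 7776      # a Diceware-sized word list
AVG_WORD_LEN = 4.2          # average characters per word in that list
LEET_VARIANTS = 4           # spellings per word once a/@, e/3, 1/l ... are tried
GUESSES_PER_SECOND = 1e10   # fast unsalted hash on a GPU rig (assumed)

def passphrase_bits(words: int, dictionary_size: int, variants_per_word: int = 1) -> float:
    """Entropy of `words` words picked uniformly from `dictionary_size` entries.
    Letter substitutions only multiply each word's choices by `variants_per_word`,
    so they add log2(variants) bits per word, not the bits of a random symbol."""
    return words * math.log2(dictionary_size * variants_per_word)

def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected work is half the keyspace when the attacker knows the scheme."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def words_needed_to_match(target_bits: float, dictionary_size: int) -> int:
    """How many dictionary words a passphrase needs to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(dictionary_size))

if __name__ == "__main__":
    words = 4
    phrase_len = round(words * AVG_WORD_LEN)          # ~17 chars, comparable to "~20"
    pb = passphrase_bits(words, DICTIONARY_SIZE)
    lb = passphrase_bits(words, DICTIONARY_SIZE, LEET_VARIANTS)
    rb_lower = random_string_bits(phrase_len, 26)
    rb_print = random_string_bits(phrase_len, 95)
    print(f"{words} dictionary words:            {pb:5.1f} bits, "
          f"~{expected_crack_seconds(pb, GUESSES_PER_SECOND) / 86400:.1f} days")
    print(f"same, with leet substitutions:  {lb:5.1f} bits")
    print(f"{phrase_len} random lowercase letters:   {rb_lower:5.1f} bits")
    print(f"{phrase_len} random printable chars:    {rb_print:5.1f} bits, "
          f"~{expected_crack_seconds(rb_print, GUESSES_PER_SECOND) / 3.15e7:.2e} years")
    print(f"words needed to match the random lowercase string: "
          f"{words_needed_to_match(rb_lower, DICTIONARY_SIZE)}")
```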