On 30.11.2014 06:48, Nick Holland wrote:
On 11/29/14 22:06, Eric Furman wrote:
OFF TOPIC. This has nothing to do with OpenBSD,
but a lot of guys here know about this stuff.
I've done some reading, but still not sure.
OK, at the risk of looking stupid, which of these passwords is better:
kMH65?&3
or
mylittlelambjumpedovertenredbarns
there's an XKCD comic along these lines. I'm too lazy to dig it up.
You mean this one, I think: http://xkcd.com/936/
"It's complicated."
Both have eight "things". The latter is drawn from a much, much larger set (words (thousands), vs. characters (not 100)). So, looks like a simple win for the second over the first, right?
Problem is the words "connect" to humans. "little" is more likely to be followed by "lamb" than it is "red" (though if "red" follows "little" I bet the next word would be "wagon"). "red" is more likely to be followed by "barn" than "lamb". Still, there's a huge number of choices for each "word", so I'd say the phrases still win.
(sorta related side note: At least with names, there's some curious clusters that are seen -- for example, a friend of mine and her two siblings have (basically) the same names as three of Adolph Hitler's siblings (one is a slight stretch, the other two are dead-on, which is impressive considering the very different ethnic backgrounds). I don't think my friend's parents would have permitted this had they known. I've seen similar "groupings" of names in other families. (Did I just win the award for most unexpected use of "hitler" in an internet discussion?))
Simply saying "there are X words of five letters or less and there are eight of them in my pw means there are X^8 PWs someone would have to try to get my PW" is wrong by probably several orders of magnitude. That's not how humans pick passwords, and if the computer does it for you, it might be as hard or harder than if you use random characters.
Then there is the system where it is stored. If you are working on a stock Solaris 9 or AIX system with the default settings, only the first eight chars are used, so the random string is much better than "mylittle", and if you, like most people, reuse passwords or don't know that the target system only uses the first eight characters, you can end up using a trivial pw that you thought was really good.
If the back-end storage "gives away" the length of the pw in any way and you see the pw is 33 chars long, you can probably bet it isn't going to be random characters, so you would probably set your PW guesser to use dictionary words rather than random characters, reducing the advantage.
Which is easier to remember for real people? Which is easier to type? No contest -- and for that reason, I'd say the overall benefit is with the string of eight words over the string of eight random characters.
But...
Realistically, most attacks seem to be based on breaking TRIVIAL passwords, social engineering, or use software flaws that permit access to things that allow access to things that allow access to things ...so either is probably "more than sufficient" to make sure that a password guess of either of those accounts was NOT the reason for a security breach.
Kinda like escaping from a hungry lion...you don't need to outrun the lion, you just need to outrun your friend. You don't need an unbreakable password, you just need one better than management uses, and you can't be blamed for the breach. Anything more than that is probably wasted effort. If there is a breach that permits the download of the hashed PW file, both may be similarly prone to off-line brute-forcing.
Yeah, you can do a lot for, e.g., a friend's computer, but then he will start to use a regular browser and JavaScript and such, and then suddenly most of what you have done doesn't matter anymore.
http://www.youtube.com/watch?v=0QT4YJn7oVI
:-)
Sounds cynical, but really, if you are arguing over which is the "better" password, you are wasting time that should be spent looking for more likely security problems. That kinda brings it back to OpenBSD for you. :)
Nick.
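As an added example (not part of the thread), here is Nick's comparison worked numerically for the two passwords Eric posted, under the attacker models he names: uniformly random characters, uniformly random words, words that "connect" for humans, and a hash that only consumes the first eight characters. The word-list size, the per-word branching factor and the eight-character cut-off are assumed parameters, not measurements.

```python
"""Compare the thread's two candidate passwords under several attacker models.
Added example, not from the mailing-list thread; DICT_SIZE and BRANCHING are
assumed parameters, not measurements."""
import math
import string

RANDOM_PW = "kMH65?&3"                              # from the thread
PASSPHRASE = "mylittlelambjumpedovertenredbarns"    # from the thread
DICT_SIZE = 7776     # assumed word-list size ("thousands" of words)
BRANCHING = 50       # assumed likely successors per word ("little" -> "lamb")
TRUNCATE = 8         # chars consumed by a legacy hash that ignores the rest

def charset_size(pw: str) -> int:
    """Size of the union of standard character classes present in pw,
    i.e. the alphabet a brute-forcer would have to enumerate."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in pw))

def random_bits(pw: str) -> float:
    """Entropy if every character were drawn uniformly from that alphabet."""
    return len(pw) * math.log2(charset_size(pw))

def uniform_word_bits(n_words: int, dict_size: int = DICT_SIZE) -> float:
    """Naive X^8 model: each word chosen independently and uniformly."""
    return n_words * math.log2(dict_size)

def correlated_word_bits(n_words: int, dict_size: int = DICT_SIZE,
                         branching: int = BRANCHING) -> float:
    """First word free; each later word is one of `branching` likely followers."""
    return math.log2(dict_size) + (n_words - 1) * math.log2(branching)

def truncated_bits(pw: str, keep: int = TRUNCATE) -> float:
    """Entropy surviving a hash that only consumes the first `keep` chars."""
    return random_bits(pw[:keep])

def compare() -> dict:
    """Bits of guessing work for each candidate under each model."""
    return {
        "random_chars": random_bits(RANDOM_PW),
        "passphrase_uniform_words": uniform_word_bits(8),
        "passphrase_correlated_words": correlated_word_bits(8),
        "random_chars_truncated": truncated_bits(RANDOM_PW),
        "passphrase_truncated": truncated_bits(PASSPHRASE),
    }

if __name__ == "__main__":
    for model, bits in compare().items():
        print(f"{model:30s} {bits:6.1f} bits")
```

With these assumptions the passphrase wins comfortably as independent words, drops to roughly the random string once word-to-word correlation is modelled, and loses outright on a system that hashes only the first eight characters ("mylittle" is lowercase letters only).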