[dba-Tech] Check password strength

Hans-Christian Andersen hans.andersen at phulse.com
Tue Jul 24 02:20:43 CDT 2012


Yes and no.

Certainly, from the perspective of password cracking, a password that has been hashed following all the good rules of security (applying a good hashing algorithm, salting it with a secret salt and a unique salt and then some arbitrary number of rounds (or using an adaptive hashing algorithm like bcrypt)), then yes - if some hacker is able to steal a list of password hashes, such a password would be quite difficult to hack. But this is an assumption based on current circumstances, and circumstances which you may not have any knowledge of or control over. It is hardly difficult to imagine that as technology progresses hackers are able to improve brute force techniques, combined with the additional computing power, to comb for grammatically consistent phrases like "ilovetotravel". But a good password is also only as good as the backend that stores it. Use a password like that on a site that doesn't hash passwords and what's the point? The game is up. And then even sites that apply MD5 and even SHA1 suffer from collision vulnerabilities.

Then there is the issue of "what if someone is looking over your shoulder" security. Perhaps that password is decently complex so that John the Ripper and whatnot would find it impossible to hack, but anyone looking over your shoulder would be able to quickly understand the simplicity of d0g................... and eventually be able to find the right number of dots.

I also hear people ridicule rotating passwords on a regular basis. There is a good reason for this. Should an employee write down a password or get their personal computer breached or leave the company, you minimise your exposure to having a third party get access to that and be able to take advantage of it.

So, my point is simply that there are many concerns and you need to judge what yours are. Ideally, in my opinion, there is simply no replacement for unique passwords that are (pseudo) randomly generated, and making sure that you do not reuse your passwords (only use a password for one specific thing and create a new one for another site or place where you need to login). You should store your passwords in a secure place, like within an encrypted Keepassx file, for instance, or use something like LastPass or Yubikey. If you want proper security, you can't bypass it with some basic assumptions - you need to judge the risk you are exposing yourself to on multiple levels and decide what works for you (i.e. if you don't care if your X site login is broken into, then go ahead and reuse an easy to remember password).

Truly secure passwords are hard to crack, hard to guess and hard to remember. That's the point of security.

Best regards,
Hans-Christian Andersen
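The salted, iterated hashing the reply above refers to, as an added example written for this page rather than taken from the email or from any project it names. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the stand-in for an adaptive scheme like bcrypt; the iteration count, salt length and record format are assumptions of this example. The unsalted MD5 store beside it shows what a dump from a site that "doesn't really hash" gives away: identical passwords are visible as identical records, while per-user salts hide that.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed work factor for this example; raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash of one password.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table is useless against the dump.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # Self-describing record (assumed format): algorithm, rounds and salt
    # travel with the digest, so the work factor can be raised later without
    # invalidating older records.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and rounds, compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False            # malformed record: never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(rounds))
    # compare_digest does not leak, via timing, how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """What a site that does not really hash stores: one fast, unsalted digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_groups(store: Dict[str, str]) -> List[List[str]]:
    """Usernames whose stored values are byte-for-byte identical.

    In an unsalted dump, identical passwords show up as identical records
    before a single guess is made; with per-user salts they do not.
    """
    by_value: Dict[str, List[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample users; "ilovetotravel" is the phrase from the thread.
    md5_store = {"alice": unsalted_md5("ilovetotravel"),
                 "bob": unsalted_md5("ilovetotravel"),
                 "carol": unsalted_md5("sausagesandbicycles")}
    salted_store = {"alice": hash_password("ilovetotravel"),
                    "bob": hash_password("ilovetotravel"),
                    "carol": hash_password("sausagesandbicycles")}
    print("unsalted MD5, shared records:", duplicate_groups(md5_store))
    print("salted PBKDF2, shared records:", duplicate_groups(salted_store))
    print("alice login ok:", verify_password("ilovetotravel", salted_store["alice"]))
    print("wrong password:", verify_password("ilovetotravel!", salted_store["alice"]))
```

The record format puts the round count next to the digest so that a site can raise the work factor over time and rehash each user at their next successful login; the comparison is done with `hmac.compare_digest` rather than `==` so the check does not leak timing information.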


On 23 Jul 2012, at 01:32, Mark Breen <marklbreen at gmail.com> wrote:

> Hi Arthur,
> 
> thanks for the email, we need more linux posts here on dba-Tech.  After
> all,  it is the OS of the future  it is the OS of the present ;)
> 
> There was another site posted here about a year ago and it allowed us to
> type in a password and it would tell us how long it would take to
> bruteforce that password.  They provided three metrics, Online Attack
> Scenario, Offline Fast Attack Scenario and a Massive Cracking Array
> Scenario.
> 
> What the site really demonstrated was that the longer the password the
> better, complexity helped, but password length trumped complexity.
> 
> Complex passwords almost always have to be stored in a secure tool, which
> itself must be password protected and managed securely.
> 
> With that in mind, I have started to move towards simpler but longer
> passwords.  My assumption is they are too strong to be bruteforced or
> guessed, no dictionary attack is likely to find a match, and the user does
> not have to write them down.  My longer passwords also have one added
> benefit, they are easy to type in.
> 
> samples of easy to remember, easy to type are
> 
> accessdbmwmotorcycles
> sausagesandbicycles
> ilovetotravel
> arthurandraspberryaregreat
> 
> You see that these are impossible to bruteforce, (according to the tool we
> played with last year).  Impossible to dictionary attack.  Easy to type,
> easy to remember.
> 
> I used to work with an old carpenter that did not like aluminium ladders,
> he only liked to work on wooden ladders.  He always said "the fella that
> invented those ladders should be made walk up and down one for a day and
> see how he likes it".
> 
> I have a colleague that regularly assigns me passwords.  I silently take
> them, but every time he gives me a password I think "the fella that makes
> them up should be made type them in - and remember them - for a month and
> see how he likes them".
> 
> Here are the links that someone posted last august
> 
> 
> https://www.grc.com/haystack.htm
> 
> 
> http://xkcd.com/936/
> 
> First one is serious and the second is funny, but the first one is really
> interesting.
> 
> Here is a snip from the first link.
> 
> {
> The main concept can be understood by answering this question:
> 
> Which of the following two passwords is stronger,
> more secure, and more difficult to crack?
> 
> D0g.....................
> 
> PrXyc.N(n4k77#L!eVdAfp9
> 
> You probably know this is a trick question, but the answer is: Despite the
> fact that the first password is HUGELY easier to use and more memorable, it
> is also the stronger of the two! In fact, since it is one character longer
> and contains uppercase, lowercase, a number and special characters, that
> first password would take an attacker approximately 95 times longer to find
> by searching than the second impossible-to-remember-or-type password!
> }
> 
> Thanks
> 
> Mark
> 
> 
> 
> On 23 July 2012 02:59, Arthur Fuller <fuller.artful at gmail.com> wrote:
> 
>> I lifted the following snippet from nixCraft:
>> 
>> Granted, it's intended for Linux, but I think most of us have a Linux VM
>> handy, if for nothing else but occasional experimentation. You can always
>> flip to Linux to test out your various passwords:
>> 
>> HowTo: Linux Check Password Strength With Cracklib-check Command
>> <http://www.cyberciti.biz/security/linux-password-strength-checker/>
>> 
>> Using the same password on different servers allows attackers to access
>> your accounts if crackers manage to steal your password from a less secure
>> server. This is true for online website accounts too. So the solution is to
>> create unique passwords for server accounts like your email, sftp and ssh
>> accounts. General guidelines to create a strong and unique password are as
>> follows:
>> 
>>   1. Create a password with a mix of numbers, special symbols, and
>>      alphabets.
>>   2. Make sure your password is hard to guess. You can use a tool such as
>>      makepasswd <http://www.cyberciti.biz/faq/generating-random-password/>
>>      to create a hard to guess password.
>>   3. Do not use simple words like "password", "123456", "123abc" or
>>      "qwerty".
>>   4. Use a unique password for all your server accounts.
>>   5. A minimum password length of 12 to 14 characters should be used. See
>>      how to configure CentOS / RHEL / Fedora Linux based server
>>      <http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-password-quality-control/>
>>      password quality requirements.
>>   6. Generate passwords randomly where feasible. You can do this with a
>>      simple shell script function
>>      <http://www.cyberciti.biz/faq/linux-random-password-generator/>.
>>   7. If possible use two-factor authentication.
>>   8. Use pam_crack to ensure strong passwords
>>      <http://www.cyberciti.biz/tips/linux-check-passwords-against-a-dictionary-attack.html>
>>      and to check passwords against a dictionary attack.
>> 
>> But, how do you test the effectiveness of a password in resisting guessing
>> and brute-force attacks under Linux? The answer is simple: use the
>> cracklib-check command.
>> Say hello to cracklib-check
>> 
>> This command takes a list of passwords from keyboard
>> (stdin <http://bash.cyberciti.biz/guide/Input_and_Output>)
>> and checks them using libcrack2. The idea is simple: try to prevent users
>> from choosing passwords that could be guessed by "crack" by filtering them
>> out, at source.
>> Examples
>> 
>> Test a simple password like "password", enter:
>> $ echo "password" | cracklib-check
>> Sample outputs:
>> 
>> password: it is based on a dictionary word
>> 
>> Try sequential patterns such as "abc123456":
>> $ echo "abc123456" | cracklib-check
>> Sample outputs:
>> 
>> abc123456: it is too simplistic/systematic
>> 
>> Try a password with a mix of letters, numbers, and symbols:
>> $ echo 'i1oVe|DiZza' | cracklib-check
>> Sample outputs:
>> 
>> i1oVe|DiZza: OK
>> 
>> The above password increases the difficulty of guessing or cracking your
>> password. I used a random phrase (easy to remember) "I Love Pizza" and
>> inserted random characters to create a strong password -
>> "i1oVe|DiZza".
>> Putting it all together
>> 
>> #!/bin/bash
>> # A sample shell script to add user to the system
>> # Check password for strength
>> # Written by Vivek Gite under GPL v2.x+
>> # ----------------------------------------------
>> read -p "Enter username : " user
>> read -sp "Enter password : " password
>> echo
>> echo "Testing password strength..."
>> echo
>> result="$(cracklib-check <<<"$password")"
>> # okay awk is bad choice but this is a demo
>> # cracklib-check prints "<password>: <verdict>"; take the last ": "-separated
>> # field so a password that itself contains ": " does not confuse the check
>> okay="$(awk -F': ' '{ print $NF }' <<<"$result")"
>> if [[ "$okay" == "OK" ]]
>> then
>>        echo "Adding a user account please wait..."
>>        /sbin/useradd -m -s /bin/bash "$user"
>>        echo "$user:$password" | /sbin/chpasswd
>> else
>>        echo "Your password was rejected - $result"
>>        echo "Try again."
>> fi
>> 
>> 
>> Hope this helps someone.
>> --
>> Arthur
>> Cell: 647.710.1314
>> 
>> Prediction is difficult, especially of the future.
>>  -- Niels Bohr
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
>> 
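The haystack arithmetic quoted in Mark's message, worked through as an added example that is not part of the thread or of GRC's tool. It reproduces the "approximately 95 times longer" figure for D0g..................... versus PrXyc.N(n4k77#L!eVdAfp9 under the blind brute-force model (26 + 26 + 10 + 33 = 95 characters, every length up to the password's), and then goes a step beyond the page by estimating the same passwords under the attacker models Hans-Christian raises: a phrase assembled from dictionary words, and a word followed by a run of one repeated symbol. The vocabulary size and maximum run length are constructed assumptions, not figures from the page.

```python
import math
import string

# Character classes behind the haystack figure quoted above:
# 26 lower + 26 upper + 10 digits + 33 symbols (32 punctuation marks and space) = 95.
SYMBOLS = set(string.punctuation) | {" "}

# Constructed assumptions for the non-brute-force attacker models below.
ASSUMED_VOCAB = 10_000   # words in an attacker's phrase dictionary
ASSUMED_MAX_RUN = 30     # longest run of one repeated symbol an attacker tries


def alphabet_size(password: str) -> int:
    """Alphabet a blind brute-force attacker must assume, based on which
    character classes appear in the password (the haystack rule)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_space(password: str) -> int:
    """Every string of length 1..len(password) over the inferred alphabet;
    the attacker does not know the length, so shorter candidates count too."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def phrase_space(num_words: int, vocab_size: int = ASSUMED_VOCAB) -> int:
    """Candidates for an attacker who concatenates num_words dictionary words
    instead of trying every character string ("ilovetotravel" style)."""
    return vocab_size ** num_words


def word_plus_run_space(vocab_size: int = ASSUMED_VOCAB,
                        max_run: int = ASSUMED_MAX_RUN) -> int:
    """Candidates for the 'word then a run of one symbol' shape of D0g.....:
    a word, with or without a single digit-for-letter swap (x2), one of the
    33 symbols, and a run length of 1..max_run."""
    return vocab_size * 2 * len(SYMBOLS) * max_run


def bits(space: int) -> float:
    """Search space expressed in bits, easier to compare than huge integers."""
    return math.log2(space)


def exhaust_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guessing rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    dog = "D0g" + "." * 21                 # GRC's 24-character example
    random_pw = "PrXyc.N(n4k77#L!eVdAfp9"  # GRC's 23-character example
    print("haystack ratio D0g... / PrXyc...:",
          round(brute_force_space(dog) / brute_force_space(random_pw), 2))
    print("ilovetotravel, blind brute force:",
          round(bits(brute_force_space("ilovetotravel")), 1), "bits")
    print("ilovetotravel, 4 dictionary words:",
          round(bits(phrase_space(4)), 1), "bits")
    print("D0g....., blind brute force:",
          round(bits(brute_force_space(dog)), 1), "bits")
    print("D0g....., word + symbol run:",
          round(bits(word_plus_run_space()), 1), "bits")
    # Constructed rate for illustration only: the thread's "Massive Cracking
    # Array" scenario is in this spirit but quotes no number.
    print("D0g....., word + symbol run at 1e9 guesses/s:",
          exhaust_seconds(word_plus_run_space(), 1e9), "s")
```

The brute-force model reproduces the page's 95x claim exactly because both passwords draw on all four character classes and differ only in length by one. The two pattern-aware models are the point of the reply above: the same phrase rated at about 61 bits by a blind-search meter is about 53 bits against a word-list attacker, and the dotted "D0g" drops to under 25 bits once its shape is known, which is why a strength meter is only as good as the attacker model it assumes.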