Those just encode normal numbers/letters/data. You could, if you wanted, print out a sheet of one-time passwords as bar codes and scan them in as necessary.
(puts on old guy hat) I remember back in the day (mid to late 90s), when my employer purchased a spreadsheet system from a vendor. It included macros that unprotected/protected cells, unhid/hid sheets, etc. Well, to do that, it had to unprotect the workbook. The version of Excel at the time (pre-97) stored the macros in its proprietary language in text. All I had to do was open the file in a text editor, search for “password=”, and the password was there. My boss was shocked when I gave him copies of the underlying tables. Ah, the good ol’ days.
And what’s with all of the runtogetherphrases? Space is usually an acceptable character, even if it’s not on the list. Spaces make pass phrases a bit more natural to type, and add extra length. Replacing the space with numbers and special characters is a convenient way to meet those criteria: “correct$hoRse battery8staple”
(Unless you’re dealing with a broken system that is splitting strings on white space and “correct horse battery staple” is silently just read as “correct”, but if that’s the case, I suggest using password');DROP TABLE Users;-- as your password.)
This highlights a misconception about dictionary based password attacks.
It’s impossible to crack part of a password. The hash function that is stored as a representation of the password is based on the entire password and gives no feedback for anything less than a 100% match.
It’s not like movies, where they seem to be attacking each character in simultaneous parallel.
I think it was Microsoft Lanman protocol, or something like it, that stored passwords in 7 character chunks. So a password of ABCD1234 was really two passwords of ABCD123 and 4. Guessing a single character password at the time took a few seconds. A 7 character password only took a day or two to brute force.
This was at a time period when Unix passwords were generally limited to 8 characters, but the search space for 8 characters was essentially impossible to brute force.
Anyway, (hopefully) this is just a historical footnote, and you’re 99% correct, but never underestimate people’s ability to get security wrong.
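To make the LM point above concrete, here is an added example (written for this page, not code from any poster). It simulates the two schemes side by side: one hash over the whole password versus the LM-style split into independent chunks. The real LM algorithm used DES keyed with each 7-character half; this stand-in uses SHA-256 and shrinks the chunk to 3 digits so the brute force runs in seconds. The `worst_case_guesses` figure is the exhaustive-search size for LM-sized parameters (36-symbol alphabet, 7-character halves), not a measured crack time.

```python
import hashlib
import itertools
import string
from typing import List, Optional, Tuple

# Toy parameters so the brute force finishes quickly. The real LM scheme used
# 7-character halves over upper-case letters, digits and symbols.
CHUNK = 3
CHARSET = string.digits


def h(s: str) -> str:
    """Stand-in one-way function (LM used DES keyed with the chunk); any hash shows the effect."""
    return hashlib.sha256(s.encode()).hexdigest()


def whole_hash(pw: str) -> str:
    """Sane scheme: one hash over the entire (here upper-cased, as LM did) password."""
    return h(pw.upper())


def chunked_hash(pw: str) -> List[str]:
    """LM-style: upper-case, NUL-pad to 2*CHUNK, hash each CHUNK-sized half on its own."""
    padded = pw.upper().ljust(2 * CHUNK, "\0")[: 2 * CHUNK]
    return [h(padded[i : i + CHUNK]) for i in range(0, 2 * CHUNK, CHUNK)]


def brute_force(target: str, max_len: int, pad_to: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Try every CHARSET string up to max_len; return (plaintext, guesses) or (None, guesses).

    With pad_to set, candidates are NUL-padded to that width (the chunk rule) and the
    empty string is tried too, because a short password leaves its second chunk empty.
    """
    guesses = 0
    min_len = 0 if pad_to is not None else 1
    for n in range(min_len, max_len + 1):
        for cand in itertools.product(CHARSET, repeat=n):
            s = "".join(cand)
            if pad_to is not None:
                s = s.ljust(pad_to, "\0")
            guesses += 1
            if h(s) == target:
                return s.rstrip("\0"), guesses
    return None, guesses


def crack_whole(target: str, max_len: int) -> Tuple[Optional[str], int]:
    """The only option against a whole-password hash: search the full length at once."""
    return brute_force(target, max_len)


def crack_chunked(chunk_hashes: List[str]) -> Tuple[str, int]:
    """Each half is an independent problem: crack them separately, then concatenate."""
    parts, total = [], 0
    for target in chunk_hashes:
        plain, n = brute_force(target, CHUNK, pad_to=CHUNK)
        total += n
        parts.append(plain or "")
    return "".join(parts), total


def worst_case_guesses(alphabet: int, chunk: int) -> Tuple[int, int]:
    """Exhaustive-search sizes for a 2*chunk-character password: (whole, chunked)."""
    whole = sum(alphabet ** n for n in range(1, 2 * chunk + 1))
    chunked = 2 * sum(alphabet ** n for n in range(0, chunk + 1))
    return whole, chunked


if __name__ == "__main__":
    pw = "98765"  # constructed sample password: chunks "987" and "65"
    print("chunked:", crack_chunked(chunked_hash(pw)))
    print("whole:  ", crack_whole(whole_hash(pw), len(pw)))
    print("LM-sized search space (whole, chunked):", worst_case_guesses(36, 7))
```

The chunked crack of the sample finishes in about 1,200 guesses while the whole-password search needs about 110,000, and at LM's real size the gap is the difference between two 36^7 searches and one 36^14 search, which is the "a day or two" versus "essentially impossible" contrast the posts describe.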
I should have caveated my post with “in modern and widespread password systems”. Your example is actually among a few in the “In Real Life” section of that TVTropes page.
I’ve been in GIS before it was called GIS. It was called AM/FM. Automated Mapping and Facilities Management. Very much confused me at the time to see AM/FM awards on the wall - umm, what, we are in broadcast radio too???
That was the late 80’s. About an hour ago, I realized just how long I’ve been doing this. 35 years in digital mapping. 40 years in mapping if you include pen and ink, and literally hand painting maps (this was quite a bit before you could spit one out of an inkjet).
31 years with my current place of work. Next Tuesday, I volunteered to help tear down part of our department for a move/new cubes or whatever. I’ll be sure to ask my third boss if this counts as ‘team building’.
Not complaining at all. Sorry for the hi-jack, but it just blows me away.
Interesting site that tells you how long a computer would take to crack a password: you can type something in, and it’ll tell you roughly how long. I don’t know how up-to-date its figures are - e.g. a 5 year old computer might take an hour and a new one might take 2 minutes - but it’s interesting to play with.
I tried inputting “correct battery horse staple” and got something like 15 octillion years. Of course, that’s gonna be an average - it might get lucky and guess it within minutes, or go through all the possibilities and take 30 octillion years.
“Passw0rd” would take an hour. “Password” would take 22 minutes. “P@ssW0rd” would take 8 hours.
One issue with passphrases is that some password tools will choke on anything with spaces. I got locked out of my work laptop for a week, due to brand-new corporate guidance saying we should start using passphrases. I set up something like “Mary H@d A L1ttle Lamb”… it worked twice, then locked me out. Tech support said they’d had several calls like mine, and their theory was that it was the spaces.
Well, that all depends on what is the original dictionary of words and in what order, and what subsequent rules are applied (try combining words, with or without spaces, capitalizing characters, leet substitutions, any/all of the above, etc) and in what order.
It sounds as though the best method of password security is that people have different techniques for generating them.
If everyone followed the xkcd method, then that makes it a bit easier for hackers, especially if people are coming up with their own passwords. I expect that 90% of the passwords would draw from the most common couple thousand words, and 5000^4 is not that large a space to search.
But if you are doing the xkcd method, and I’m doing the first letter of a movie line method, and there are dozens of other methods that people use, it’s going to be much harder.
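An added example (not from any poster) of the "dictionary plus rules" attack the last two posts are talking about. A cracker does not guess "correct horse battery staple" character by character; it takes a wordlist, applies mangling rules to each word (case changes, leet substitutions), joins words with a few likely separators, and hashes every resulting phrase. The wordlist here is a constructed eight-word toy, the hash is unsalted SHA-256 as a stand-in, and `days_to_exhaust` is the arithmetic behind the 5000^4 remark at an assumed guessing rate.

```python
import hashlib
import itertools
from typing import Iterator, List, Optional, Tuple

# Constructed toy wordlist; a real attack list holds thousands of common words.
WORDLIST = ["correct", "horse", "battery", "staple", "password", "monkey", "dragon", "letmein"]
SEPARATORS = ["", " ", "-"]
LEET = str.maketrans("aeiosAEIOS", "@310$@310$")


def h(s: str) -> str:
    """Stand-in unsalted hash so a search can be checked against a stored target."""
    return hashlib.sha256(s.encode()).hexdigest()


def leet_variants(word: str) -> Iterator[str]:
    """Every partial leet substitution: each substitutable letter either stays or is swapped."""
    choices = [(c, c.translate(LEET)) if c.translate(LEET) != c else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def mangle(word: str) -> List[str]:
    """Rule set applied per word: three case forms, each with all leet variants."""
    out: List[str] = []
    for base in (word.lower(), word.capitalize(), word.upper()):
        out.extend(leet_variants(base))
    return list(dict.fromkeys(out))  # dedupe while keeping search order


def candidates(max_words: int) -> Iterator[str]:
    """Phrases of 1..max_words mangled words joined by one separator, in search order."""
    mangled = [v for w in WORDLIST for v in mangle(w)]
    for n in range(1, max_words + 1):
        seps = SEPARATORS if n > 1 else [""]  # a single word has no separator
        for sep in seps:
            for combo in itertools.product(mangled, repeat=n):
                yield sep.join(combo)


def crack(target: str, max_words: int) -> Tuple[Optional[str], int]:
    """Hash each candidate and stop at the first full match; partial matches are never visible."""
    guesses = 0
    for guesses, cand in enumerate(candidates(max_words), start=1):
        if h(cand) == target:
            return cand, guesses
    return None, guesses


def days_to_exhaust(dict_size: int, n_words: int, guesses_per_second: float) -> float:
    """Time to try every n_words-word phrase from a dict_size list (no rules, one separator)."""
    return dict_size ** n_words / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed target: a "mangled" two-word phrase a user might think is clever.
    stolen = h("C0rrect Horse")
    print(crack(stolen, 2))
    print("5000-word list, 4 words, 1e9 guesses/s:", round(days_to_exhaust(5000, 4, 1e9), 1), "days")
```

Leet and case tricks applied to a short dictionary phrase add only a handful of bits, which is why the posters' "everyone uses the same method" worry is right in principle and why an unusual personal method, or simply more words, helps more than clever substitutions.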
I know there is a fine line between over simplification and getting too far into the technical side, but how do they get the corresponding hashes for each possible password?
I know absolutely nothing about computer security, so I apologize for the stupid question.
Wouldn’t each system create hashes in a manner unique to each system? Or is the algorithm shared by many systems?
There are a number of algorithms used, but it’s not like each site creates their own. Just looking about, I’d say there’s about a dozen or so in regular use. I don’t know if some are more popular than others, though. I’m not sure, but it’s likely that if a hacker has access to the hashed passwords, they can probably tell what algorithm is used, or at least narrow it down.
Which is why a salt is useful, as that is something that would be unique to each system.
There are only a few hash algorithms that one would trust. Designing a cryptographically secure algorithm is non-trivial. By this we mean one that is computationally infeasible to reverse. The ones in use have had a huge amount of analysis done on them, and are generally trusted. Trying to roll your own is a short trip to failure.
The salt is also known to a hacker, as it is stored with the hashed result. It isn’t a secret, but the nature of a good hash means that knowing the salt doesn’t help. The password system picks a random salt for each password hash. It simply adds it to the end of the user’s password before hashing it. If the salt can have say 64 thousand different values then a rainbow table needs to be 64 thousand times bigger. (Or you select from one of 64 thousand rainbow tables, which is only very slightly better. )
Critically, you can’t tell if two users have the same password if a salt is used. That is its most important use.
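An added example (not code from any poster) of the salting described in the last two posts. It keeps the unsalted scheme beside the salted one so the three effects are visible: a precomputed hash-to-word table cracks unsalted hashes by lookup; the same table is useless against salted records; and with salts, two users with the same password no longer share a stored value. The salt is stored in the clear next to the digest, as the post says. Instead of literally appending the salt to the password, this uses the standard-library PBKDF2, which mixes salt and password the same way but through a deliberately slow hash; the iteration count is an assumed value, not a recommendation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

ITERATIONS = 50_000  # assumed; tune so one hash takes a noticeable fraction of a second


def hash_unsalted(password: str) -> str:
    """The salt-free scheme: identical passwords always produce identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Fresh random 16-byte salt per password unless one is supplied (verification)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def store(password: str) -> str:
    """Record format for the password database: salt and digest side by side, neither secret."""
    salt, digest = hash_salted(password)
    return f"{salt.hex()}${digest}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt; constant-time compare avoids a timing side channel."""
    salt_hex, digest = record.split("$", 1)
    _, candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def build_table(words: Iterable[str]) -> Dict[str, str]:
    """Precomputed hash->word table, the simplest form of the rainbow-table idea."""
    return {hash_unsalted(w): w for w in words}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """One dictionary lookup cracks an unsalted hash; a salted digest is never in the table."""
    return table.get(digest)


def shared_password_groups(records: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical. Non-empty only when no salt is used."""
    by_value: Dict[str, List[str]] = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample: two users who picked the same weak password.
    table = build_table(["password", "letmein", "dragon"])
    unsalted_db = {"alice": hash_unsalted("letmein"), "bob": hash_unsalted("letmein")}
    salted_db = {"alice": store("letmein"), "bob": store("letmein")}
    print("unsalted lookup:", lookup(table, unsalted_db["alice"]))
    print("salted lookup:  ", lookup(table, salted_db["alice"].split("$")[1]))
    print("shared (unsalted):", shared_password_groups(unsalted_db))
    print("shared (salted):  ", shared_password_groups(salted_db))
    print("verify bob:", verify("letmein", salted_db["bob"]), verify("letmeout", salted_db["bob"]))
```

The salt does not stop an attacker who already has the record from guessing that one user's password; it only removes the precomputation and cross-user shortcuts. The slow KDF is what makes each remaining guess expensive.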
Yes, one of the main recommendations about 10 years ago was “TURN OFF BACKWARD LAN-MAN COMPATIBILITY!!!” Now fortunately it is not even an option.
I got a copy of Lophtcrack once upon a time (2000 or so) and ran it against our NT domain of a few hundred users as a test. Using a Pentium it took maybe 20 minutes - before I stopped it - to crack maybe a third of the passwords with brute force. Plus those with more than 8 characters (or was it 7?) - if I saw a user like, say, Sam Westhouse with their second half of the password “OUSE” it wasn’t hard to guess the rest. LANMAN cleverly stored a hashed all-caps version of the password in separate 8-character (7?) chunks. Not needing to try both caps and lower case and all combinations thereof speeds up the brute force.