Password strength question - Techist - Tech Forum

Old 06-09-2016, 09:04 PM   #1 (permalink)
Newb Techie
 
Join Date: Aug 2011
Posts: 4
Default Password strength question

I use LastPass for my passwords and, of course, have a master password for LastPass. I've opted to use a complex mix of characters rather than a lengthy passphrase.

While my master password is strong and complicated, I think it may be too short. I would simply like to add a multi-word passphrase inside the password to give it a lot more bits of information, but keep it easy for me to memorize.

Is it generally OK to mix complex passwords (letter cases, numbers, special characters) with passphrases? Or should I stick to one system?

Thanks!
Mojave is offline   Reply With Quote
Old 06-09-2016, 09:14 PM   #2 (permalink)
Lord Techie
 
S0ULphIRE's Avatar
 
Join Date: Mar 2007
Location: Australia
Posts: 8,232
Default Re: Password strength question

IMO the best password system is one that uses words, not just random characters, e.g. "smokeyBACON11" or something.
1. You can't use a dictionary attack on that because of the numerical content (use a symbol as well if you'd like to be even more secure).
2. The only cracking method that'd be an option is brute force. And the length of that password is way too long for that to work either.
3. It's much easier to remember than "ApB3*k32S3#@".

I take it one step further and use an algorithm to create my passwords. I use a site characteristic that I can reasonably guess, a middle part that never changes (e.g. "eNTER") and 3-4 letters on the end that depend on the site characteristic. e.g. I might say that if the site characteristic ends in a-m the letters will be 507, if it ends in n-z it will be 406. That way even if I forget the password, as long as I can guess the site characteristic I can work out my password.
And unless you know what particular algorithm I've used to generate those last numbers, you'll never be able to guess it even if you do happen to know my middle word and site characteristic.
__________________
"As a result of all this hardship, dirt, thirst, and wombats, you would expect Australians to be a sour lot. Instead, they are genial, jolly, cheerful, and always willing to share a kind word with a stranger, unless they are an American." -- Douglas Adams
S0ULphIRE is offline   Reply With Quote
Old 06-09-2016, 10:09 PM   #3 (permalink)
The strange one
 
iParanormalx's Avatar
 
Join Date: Aug 2014
Location: US
Posts: 956
Default Re: Password strength question

IMO the best passwords aren't "words", they are phrases. Many of my accounts are protected by a passcode similar to "!correctly4named3bed2post1".

Try this tool out - enter anything into it and hit "grade my password" (don't type your real password), it will show a lot of information about password strength tips
__________________

My Twitch channel: www.twitch.tv/iParanormalx
Stop by sometime!
iParanormalx is offline   Reply With Quote
Old 06-09-2016, 11:52 PM   #4 (permalink)
Private Joker
 
carnageX's Avatar
 
Join Date: Feb 2007
Location: South Dakota
Posts: 23,744
Default Re: Password strength question

Quote:
Originally Posted by iParanormal View Post
IMO the best passwords aren't "words", they are phrases. Many of my accounts are protected by a passcode similar to "!correctly4named3bed2post1".

*snip*

Try this tool out - enter anything into it and hit "grade my password" (don't type your real password), it will show a lot of information about password strength tips

Was just going to post this comic when I read the title, but saw you already did lol.
__________________
Laptop: MSI GT70 2OC-059us | i7-4700MQ | 16GB | GTX 770m | 500GB SSD / 750GB HDD | 17.3" | Win10 Pro
Desktop: 4690k | 12GB g.Skill RipJaws | GTX 970 | 520hx | Z87X-UD4H | Corsair Vengeance C70 | Corsair H110 | Acer 25" | Acer 22" | Win10
Mobile: Samsung Galaxy Note 5


If I help you, or you just like what I said, rep me by clicking the under my post
carnageX is offline   Reply With Quote
Old 06-09-2016, 11:59 PM   #5 (permalink)
Lord Techie
 
S0ULphIRE's Avatar
 
Join Date: Mar 2007
Location: Australia
Posts: 8,232
Default Re: Password strength question

It was the exact comic I was thinking of when I said use words not random letters too.
I'd still say using only lowercase actual words is a bad idea though, dictionary attacks might still be effective against that.
S0ULphIRE is offline   Reply With Quote
Old 06-10-2016, 12:01 AM   #6 (permalink)
The strange one
 
iParanormalx's Avatar
 
Join Date: Aug 2014
Location: US
Posts: 956
Default Re: Password strength question

I've simulated some attacks against myself with no successful results, so I think the method is pretty good unless the attacker is EXTREMELY determined.
iParanormalx is offline   Reply With Quote
Old 06-10-2016, 02:23 AM   #7 (permalink)
Lord Techie
 
S0ULphIRE's Avatar
 
Join Date: Mar 2007
Location: Australia
Posts: 8,232
Default Re: Password strength question

Hmmm I'm bored at work...let's see

According to this, the top 10,000 words contain 97.2% of all the words (based on 29.2 million words gathered from TV and movie scripts and transcripts). So we need a dictionary with just 10,000 words to have a pretty darn high success rate.

"Horse" and "correct" are in top 1000-2000 word list, "battery" is in 4000-5000, so far so good.
"staple" is in 18000-20000 so I'll give XKCD credit there for being part of the rare cases we can't crack with just our 10,000 word list. Apparently people don't say "staple" on TV very often lol

Let's use a single GTX 980 - conservatively let's say we can only do 5 billion hashes a second (though real world rates can exceed 10BH/s with this GPU depending on what hash is used)

It would take 23 days 3 hours 36 mins to guess absolutely *every* permutation in a 4-word password using the above 10,000-word list.

AND luckily for us probability is a finicky ***** and we'd hardly even need to attempt 10% of that to get a massive amount of matches. https://en.wikipedia.org/wiki/Birthday_attack

So yeah, I dunno if I'd call that particularly secure

edit: for fun, let's compare that to the system I like using. Let's say 2 letters for site characteristic, 5 letters that don't change, and 3 numbers on the end. 10 characters in total.
26 upper case + 26 lowercase + 10 numbers = 62 possible characters

At the same rate as the above (5BH/s) it would take 1,942.8 days to calculate all possible permutations.
I usually use 3-5 letters for the site characteristic though, which brings days to 120,370 for 3 site chars, and 462,962,963 days for 5 chars
S0ULphIRE is offline   Reply With Quote
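
Added example, not part of any post in this thread: the keyspace arithmetic from post #7 as a small calculator, extended to mixed schemes such as the "complex characters plus passphrase" idea in the original question. The scheme definitions, the 94-symbol printable set, and all function names are assumptions made for illustration, and every figure assumes each part is picked uniformly at random.

```python
import math

SECONDS_PER_DAY = 86_400
GPU_RATE = 5e9  # guesses per second, the figure used in post #7


def keyspace(parts):
    """Number of candidates for a password built from independent parts.

    parts: list of (choices, count) pairs, meaning `count` symbols each drawn
    uniformly at random from `choices` options. Anything chosen by habit
    rather than at random contributes less than this upper bound.
    """
    return math.prod(choices ** count for choices, count in parts)


def entropy_bits(parts):
    """Keyspace expressed in bits."""
    return math.log2(keyspace(parts))


def days_to_exhaust(parts, guesses_per_second=GPU_RATE):
    """Worst case: every candidate is tried. The average case is half of this."""
    return keyspace(parts) / guesses_per_second / SECONDS_PER_DAY


# Constructed schemes, taken from or modelled on the thread (assumptions).
SCHEMES = {
    "4 words from a 10,000-word list (post #7)": [(10_000, 4)],
    "10 chars, upper + lower + digits (post #7)": [(62, 10)],
    "4 words, random capital per word, digit between words": [(10_000, 4), (2, 4), (10, 3)],
    "8 random printable chars + 3 words (original question)": [(94, 8), (10_000, 3)],
}


def report(rate=GPU_RATE):
    """Return (name, bits, days) rows for every scheme at the given guess rate."""
    return [(name, round(entropy_bits(p), 1), days_to_exhaust(p, rate))
            for name, p in SCHEMES.items()]


if __name__ == "__main__":
    for name, bits, days in report():
        print(f"{name:56s} {bits:5.1f} bits  {days:,.1f} days")
```

Passing a lower `rate` to `report()` shows how a slower password hash stretches the same keyspace, since the days scale inversely with guesses per second.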
Old 06-10-2016, 07:30 AM   #8 (permalink)
Night Ninja
 
MidnightShadow's Avatar
 
Join Date: Jun 2015
Location: USA
Posts: 750
Default Re: Password strength question

Here is one of the many sites that will gauge your strength level as well... http://howsecureismypassword.net/
MidnightShadow is offline   Reply With Quote
Old 06-10-2016, 07:33 AM   #9 (permalink)
The Almighty Forensica
 
Yami's Avatar
 
Join Date: Dec 2008
Location: UK
Posts: 7,532
Default Re: Password strength question

Quote:
Originally Posted by S0ULphIRE View Post
Hmmm I'm bored at work...let's see

[snip]

So yeah, I dunno if I'd call that particularly secure

Yeah, the XKCD method was outed as terrible pretty much the day it went up. If you're just using four words for your passwords (regardless of the length of those words), you've reduced your password to four characters in length (though in an alphabet that has, as you say, tens of thousands of characters rather than the 256 extended ASCII). Random capitalisation helps a lot, and putting numbers between the words helps a bit.
__________________
Desktop i5-4440 - ASRock Z77 Extreme4 - EVGA GTX970 - 4x4GB 1600MHz - Samsung 850 EVO 250GB - Be Silent Base 800 - 3TB+1TB+1TB+640GB
Laptop i7-3740QM @ 2.7GHz, 2x4GB 1600Mhz, GT640M, OCZ Agility 3 120GB
Smartphone Galaxy S7 Edge

LinkedIn Kiera Mitchell
Yami is offline   Reply With Quote
Old 06-10-2016, 09:27 AM   #10 (permalink)
Private Joker
 
carnageX's Avatar
 
Join Date: Feb 2007
Location: South Dakota
Posts: 23,744
Default Re: Password strength question

Quote:
Originally Posted by S0ULphIRE View Post
Hmmm I'm bored at work...let's see

According to this, the top 10,000 words contain 97.2% of all the words (based on 29.2 million words gathered from TV and movie scripts and transcripts). So we need a dictionary with just 10,000 words to have a pretty darn high success rate.

"Horse" and "correct" are in top 1000-2000 word list, "battery" is in 4000-5000, so far so good.
"staple" is in 18000-20000 so I'll give XKCD credit there for being part of the rare cases we can't crack with just our 10,000 word list. Apparently people don't say "staple" on TV very often lol

Let's use a single GTX 980 - conservatively let's say we can only do 5 billion hashes a second (though real world rates can exceed 10BH/s with this GPU depending on what hash is used)

It would take 23 days 3 hours 36 mins to guess absolutely *every* permutation in a 4-word password using the above 10,000-word list.

AND luckily for us probability is a finicky ***** and we'd hardly even need to attempt 10% of that to get a massive amount of matches. https://en.wikipedia.org/wiki/Birthday_attack

So yeah, I dunno if I'd call that particularly secure

edit: for fun, let's compare that to the system I like using. Let's say 2 letters for site characteristic, 5 letters that don't change, and 3 numbers on the end. 10 characters in total.
26 upper case + 26 lowercase + 10 numbers = 62 possible characters

At the same rate as the above (5BH/s) it would take 1,942.8 days to calculate all possible permutations.
I usually use 3-5 letters for the site characteristic though, which brings days to 120,370 for 3 site chars, and 462,962,963 days for 5 chars

The thing is, is crunching away at that one account worth 23 days to the attacker? Or is there worth somewhere else? I mean, all encryption can eventually be broken - it's just the amount of time that is the barring factor for how strong it is. If it's long enough to make it not worth the attack, wouldn't the attacker move on to something that could be more fruitful? Of course like I said, that's assuming you're not a high value target.
carnageX is offline   Reply With Quote