Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

edited May 2013 in Lounge

There's a neat article over at Ars about passwords.

As the guidance from Agilebits about the master password makes reference to, there are a few passwords you just have to remember (iPhone and computer logins, typically, and the 1Password master password). I wish someone would come up with a solution to that.

If only the camera were live at the login screen and the computer could read a password displayed on the iPhone screen...

Comments

  • khad Social Choreographer

    Team Member

    Diceware is a great option for passwords you need to remember. :)

  • From the third page of the article, they talk very briefly about combinator attacks.

    "The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing."

    The "batteryhorsestaple thing" seems a lot like Diceware. Are Diceware-based passwords destined to fall before combinator attacks?

    I'm not even remotely qualified to do the math so I'd love to get more information about my Diceware passwords' actual strength in the face of these new attack techniques.

  • Xe997
    edited May 2013

    There is no complicated math involved with Diceware. It's a list of 7776 words. So if you choose four Diceware words you have 7776 * 7776 * 7776 * 7776 combinations.

    In a worst case scenario the attacker can try all these combinations. With today's hardware, four Diceware words are probably not enough. I THINK Agilebits recommends five or six words. I use more than that just in case.

    Diceware or similar methods only work if you "choose" your words randomly, that is, not choose at all but let the dice decide.

    "Thinking about" words does not result in random words. Probably you will think of everyday objects like car, horse or door, and a color.

    correctbatteryhorsestaple fails because:

    1) it's only four words
    2) the words are not random

    I have read that article by the way and I found it very interesting. I think the point of it is that the attackers are very smart, and people choosing passwords think they are smart. People create all kinds of secret "systems" in creating passwords. Problem is they are not really secret, they all follow some patterns and can be figured out.

    With Diceware you take the whole "attacker's intelligence" out of the equation. Their knowledge of people's systems won't work on Diceware because you assume they KNOW your system. All they can do is go through all combinations. Even if they can guess billions of billions of passwords per second, the earth will get eaten by the sun before they guess right, if you use a Diceware password of more than six words or so.

  • Yet another security breach... https://drupal.org/news/130529SecurityUpdate

    I guess in the case of Diceware you can think of each word as a letter in an alphabet containing 7776 "letters." I just created a password consisting of 7 diceware words. I didn't have dice....can't remember the last time I did...but there are plenty of dice apps for the iPhone!

    So that's 7776 * 7776 * 7776 * 7776 * 7776 * 7776 * 7776 combinations. It's pretty long. To help remember, I'm using the same password for both of my Macs, and 1Password. Maybe that's not a good idea but something's got to give.

    The challenge is mainly on the iPhone. The onscreen keyboard is more challenging when working with a long password (I find the "m" particularly challenging because the backspace key is right next to it and I keep hitting it). But I have a lot of documents synced to my iPhone so I have to keep my iPhone as secure as my Mac.

    And encrypt Time Machine backups.

    Well, maybe I don't need to be so concerned about documents and can dial it back a bit there.

  • Unfortunately, dice apps are not good enough to make a Diceware password with if you are truly concerned about security. The Diceware FAQ makes this clear. Get some actual dice, or if you can't, use a coin. Or live with the somewhat lessened security of not-really-random computer dice programs. But if you're paranoid enough to have a 7 word diceware password, you really truly should be using actual physical dice (or coins).

  • Update: Apparently https://www.random.org/dice/?num=5 will give you good enough results. But seriously, don't use your iPhone dice app for this.
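The Diceware arithmetic discussed in this thread, as an added example that is not from any of the posters: it maps five dice rolls to a position in the 7776-word list and estimates how long a full search of the keyspace takes when the attacker knows the list and the word count. The guess rate and all function names are assumptions made for illustration.

```python
import math
import secrets

WORDLIST_SIZE = 6 ** 5  # 7776 words, one per five-dice roll (11111..66666)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def rolls_to_index(rolls):
    """Map five dice rolls (each 1-6) to a 0-based index into the word list."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each in 1..6")
    index = 0
    for r in rolls:              # read the rolls as a five-digit base-6 number
        index = index * 6 + (r - 1)
    return index

def csprng_rolls(n=5):
    """Software rolls drawn from the OS CSPRNG; randbelow() has no modulo bias.
    Physical dice rolls can be passed to rolls_to_index() in exactly the same way."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]

def entropy_bits(words):
    """Entropy of a passphrase whose words are each picked uniformly at random."""
    return words * math.log2(WORDLIST_SIZE)

def years_to_exhaust(words, guesses_per_second):
    """Time to try every combination, assuming the attacker knows the scheme.
    On average the right passphrase turns up after half of this."""
    return WORDLIST_SIZE ** words / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    RATE = 1e12  # assumed guesses per second, chosen only for illustration
    print("sample rolls:", csprng_rolls(), "-> index", rolls_to_index(csprng_rolls()))
    for n in range(4, 8):
        print(f"{n} words: {entropy_bits(n):5.1f} bits, "
              f"{years_to_exhaust(n, RATE):.3g} years to exhaust at {RATE:.0e}/s")
```

The estimate only holds when every word comes from a uniform random roll; words picked by the person add far less than 12.9 bits each.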

This discussion has been closed.