The best password?


thnurg

Rebel without a clue
Location
Clackmannanshire
Nice simple algorithm for the password crackers. Easy to guess because - and here's the hint - popular songs tend to be popular. Oh and the password crackers are often foreign so the language doesn't help either. Sorry.

Right, but without knowing that this algorithm is in use, and without knowing which song has been used your only way to crack the password is brute force. And who said anything about using popular songs? For all you know I could be into Peruvian folk music. With the number of languages in the world there is a very slim chance that you picked a song in the native tongue of your attacker. Last time I scanned the logs of a server under attack the attackers were from Romania, Russia, Korea and Taiwan. So if I pick a song in Italian I have not helped any of those.

OK. Let's take the first line of "Mama Mia" as an example.
"I've been cheated by you since I don't know when"
ibcbysidkw
Add on a meaningful number, change a letter I for a bang and capitalise some of the letters and you get:
19!bcbYsIdkw77

You're not going to crack that with anything other than brute force unless I was daft enough to tell you that I used Abba songs for making passwords, and even then you've got your work cut out. I prefer more obscure songs by less popular artists.
 

subaqua

What’s the point
Location
Leytonstone
sleepydopeygrumpysneezyhappydocbashfullondonnine

I was told I needed 7 characters, a capital and a number.
 

Yes, you need brute force, but the number of songs and the number of letter-to-number mutations is far easier to crack than going through all 37 alphanumeric combinations for each position. So throw in a song-based algorithm and you have cut back your computing requirements significantly. And you can narrow it down a lot by choosing the most popular songs, which are the songs most people will choose. I bet Mama Mia would be a very popular choice, as would O Sole Mio. As with Bletchley Park and Enigma, the key to brute force is finding those clues that make less brute force necessary.
 

thnurg

Rebel without a clue
Location
Clackmannanshire

I will admit that this method is not quite as good as using a computer-generated random string, but I reckon it's a great way to create a password that is sufficiently strong and that you can easily remember without having to write it down.
Perhaps a better way is to use something like KeePass that will generate passwords for you and allow you to copy and paste them. You still need to create a memorable password, which should not be written down, in order to encrypt the password database. Know any good methods for generating one?
 

Andrew_Culture

Internet Marketing bod
I always prided myself on making up gibberish secure passwords, until a DCI at the Met who was investigating a hacker who put me out of business rang me up and read me a list of my 'secure obscure' passwords she had found on my attacker's computer.

I still don't know how the hacker got them :confused:
 

Mr Haematocrit

msg me on kik for android
The biggest limitation for cracking passwords in the past was the amount of processing power it required. With the advent of cloud computing, which brings vast amounts of computing power at low cost to the masses, most passwords can get done without too much issue. During Sony's security issues last year which involved the PS3, much of the decryption of the security keys was found to be done using cloud computing platforms paid for with stolen credit cards.

An NTLM password hash (not the simpler Microsoft LM hash) of Bobothebuilderlikesfruitsaladveryverymuch can be cracked in about 10 minutes using hashcat and a few cloud servers... it's not secure.
These days a password to gain access to a system is not enough; you also need to encrypt your sensitive data.
 

Andrew_Culture

Internet Marketing bod
I think the way forward may well be systems that require a two-stage verification, like Google's code-by-SMS system.
 
I'm not sure that is true. Hackers rely on code that looks at known password databases and also family names, DOB, etc. Memorable phrases would fall in that category, like password1, etc. What ohnovino suggested IMHO would be much harder to hack.

As long as it is a personal phrase and not a common phrase, then a dictionary-based attack will fail. Each single word may be in the attacker's lexicon, but words strung together are similar in structure to individual characters strung together as far as a computer is concerned.
Eventually a brute-force attack would work, but the number of characters would mean it took exponentially longer to crack than a shorter randomly generated one (or a really common phrase that may be in the attacker's dictionary).

http://xkcd.com/936/

http://lifehacker.com/5796816/why-m...ure-passwords-than-incomprehensible-gibberish

http://lifehacker.com/5893510/using...ord-useless-heres-how-to-pick-a-better-phrase

http://it.slashdot.org/story/12/03/14/1353230/multiword-passwords-secure-or-not
 

Yes they are, but the typical vocabulary of a graduate is 12-20,000 words, so a five-word personal phrase has ~20,000^5 possible combinations to try in a dictionary attack, or 3.2×10^21 combinations, which is about the same as for a 14-character alphanumeric password.
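The keyspace comparison in the post above, worked through as an added example (not code from anyone in the thread): the 20,000-word vocabulary, the five-word phrase and the 14-character figure are the post's numbers; the 36-symbol alphabet (26 case-insensitive letters plus 10 digits) is an assumption, and the attacker is assumed to know the scheme but not the words.

```python
"""Compare the search space of a word-based passphrase with that of a
random alphanumeric password, as argued in the thread above."""
import math

ALNUM = 36  # assumed alphabet: 26 case-insensitive letters + 10 digits


def keyspace(symbols: int, positions: int) -> int:
    """Candidates an attacker must try when every position is one of
    `symbols` equally likely choices and the scheme itself is known."""
    return symbols ** positions


def bits(symbols: int, positions: int) -> float:
    """Same keyspace expressed as bits of entropy (log2 of the keyspace)."""
    return positions * math.log2(symbols)


def equivalent_alnum_length(symbols: int, positions: int,
                            alphabet: int = ALNUM) -> int:
    """Shortest random password over `alphabet` whose keyspace is at least
    as large as the given scheme's."""
    return math.ceil(bits(symbols, positions) / math.log2(alphabet))


def compare(vocab: int = 20_000, words: int = 5, alnum_len: int = 14) -> dict:
    """Put the thread's two schemes side by side (figures from the post)."""
    return {
        "phrase_keyspace": keyspace(vocab, words),
        "phrase_bits": round(bits(vocab, words), 1),
        "alnum_keyspace": keyspace(ALNUM, alnum_len),
        "alnum_bits": round(bits(ALNUM, alnum_len), 1),
        "equivalent_alnum_length": equivalent_alnum_length(vocab, words),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Note that the figure only holds while the words are drawn uniformly from the whole vocabulary; a phrase an attacker can find in a lyrics or quotation list collapses to a single dictionary entry.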
 

Nihal

Veteran
If any of you manage to hack my profile, be sure to leave a message :thumbsup:
And I keep forgetting my passwords (except the CC password), so most of the emails I get are about my password changes :banghead:
 