[conspire] Password permutations (was: Correction)
paulz at ieee.org
paulz at ieee.org
Mon Mar 30 21:29:40 PDT 2020
OK, now I'm the one who is math challenged.
Suppose there are 70 characters (upper case, lower case, numbers, etc) A 32 character password could have 32^70 or 2E105 possibilities.
If a password is made of 4 words, and there are 500 words in the dictionary 4^500 = 1E301 possibilities. English has a lot more than 500 words, but LO calc doesn't handle numbers much larger than that.
Why is the second example no good, just because someone with mal intent might have the same dictionary? There are lots of encryption schemes where the algorithm is well known, but you can't use it without knowing the key.
IMO, a good way to enhance security is to deliberately limit the number of tries per second. At some banks, more than a handful of wrong login attempts will lock the account.
On a related note, I had deliberately created different users names on different systems. It's not exactly secure, but it provides a little more difficulty. Lately I find that more and more websites want my email as user name. It's not that I don't want the site to have my email for my account. I just want the little extra security.
So where did I get this wrong?
On Monday, March 30, 2020, 3:35:02 PM PDT, Tony Godshall <tony at of.net> wrote:
On Mon, Mar 30, 2020, 1:20 PM Rick Moen <rick at linuxmafia.com> wrote:
> I would suggest that -- at least according to my own criteria and usage model, so adjust to suit -- a more-reasonable strategy is a modifiedversion of the famous/infamous XKCD 'password strength' algorithm. Partial discussion is here: https://security.stackexchange.com/questions/62832/is-the-oft-cited-xkcd-scheme-no-longer-good-advice
> To get past the otherwise-inevitable wasted-time discussion, Schneier said that the _literal_ use of the XKCD method (merely stringingtogether dictionary words) was obsolete. But that doesn't mean that the general approach if modified to foil dictionary attack doesn't have merit.
> (I'm not going to state exactly how I arrive at passwords, for the self-evident reason that I don't want the world to know exactly how Iarrive at passwords.)
I would also suggest that whatever password scheme you currently use, you periodically alter it in an arbitrary fashion, sometimes in some way that varies per site, or domain. Like inserting a punctuation mark in the 8th position, or deleting the third character, or prefixing the second letter of the domain or hostname you are connecting to. That way you can improve the nonguessability of your passwords over time, while at the same time reducing the amount you need to memorize at a time. Once the prior password becomes second nature, and all hosts have been updated, you can move onto the next permutation. Eventually your password becomes as line noise and nobody can guess that you started with a less than ideal password.
_______________________________________________
conspire mailing list
conspire at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/conspire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxmafia.com/pipermail/conspire/attachments/20200331/8904b4f3/attachment.html>
More information about the conspire
mailing list