[Info-vax] password strength (Re: VMS humor)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Fri Jan 1 12:36:48 EST 2021
On 2021-01-01 15:33:59 +0000, Craig A. Berry said:
> On 12/31/20 2:26 PM, Some Dude wrote:
>> On Thursday, December 31, 2020 at 1:02:59 PM UTC-5, Craig A. Berry wrote:
>>
>>> But unless the entire phrase is in someone's password cracking
>>> dictionary, the fact that portions contain well-known words doesn't
>>> really make any difference, does it? If it did, delimiting with
>>> non-space characters would take care of that.
>
>> Nope. Sophisticated attacks use dictionary tokens just the same as
>> individual letters or symbols.
That's true for *shorter* passwords. Out in the range we're discussing,
that becomes untenable.
> OK. I am not a cryptographer but since the number of words in the
> dictionary is much larger than the number of letters in the alphabet,
> and they would have to guess the sequence, position, capitalization,
> and delimiters between tokens, and could not assume that all tokens are
> valid dictionary words (especially not in the same language), would an
> 8-word sentence not increase the cost of a correct guess well beyond
> that of a random sequence of 8 characters?
Ayup. Longer passwords take (far) longer to brute-force. If you're
stuck without a password manager as is the case here, longer and
memorable wins over shorter and line noise.
Attempting to brute-force past 12 characters or so is less than
feasible on a reasonable timescale with current hardware, outside of
the lists of the (tens of thousands) most common passwords, and close
dictionary matches from same. And that brute-forcing with longer
passwords involves a whole-password mix, and not a partial match.
There are various write-ups of the complexity involved for folks
considering this XKCD-style multi-word password attack, here's one from
the folks fond of the Hashcat tool:
https://hashcat.net/forum/thread-9307-post-49206.html#pid49206
For this case, I'd prefer a diceware password, and not line noise. If I
need a line-noise password, I can get that from my own password
generator.
Multi-factor authentication is another feature that various sites are
starting to or do require, as well. With OpenVMS, that's probably
easiest with the assistance of an LDAP password server, though there
are some add-ons for OpenVMS that allow that locally, whether that's via
key-fob or app or otherwise.
>> Also most attacks against a compromised authorization file start with a
>> giant database of previously-obtained password hits under the theory
>> that there might be user overlap with a previously-compromised account
>> and that people are lazy.
>
> All the more reason to have people make up their own phrase or short
> sentence of nonsense that will be memorable to them but unlikely to
> appear in one of these databases.
Ayup.
For those using macOS, here's the arcana necessary to enable use of
Keychain for ssh passphrases: https://apple.stackexchange.com/a/250572
Some additional background on keypairs and usage with macOS:
https://rderik.com/blog/understanding-ssh-keys-and-using-keychain-to-manage-passphrase-on-macos/
Don't use your personal or family or company slogan, or words or phrases
related to your job, either. Best to add those words to the password
filter, along with one of the common password lists.
--
Pure Personal Opinion | HoffmanLabs LLC
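Added example (not part of the post above, and not Hoffman's or HoffmanLabs' code): the thread's two positions, "attackers use dictionary words as tokens" and "eight words still beat eight characters", can both be checked with the same arithmetic. The script models the token-level attacker the post describes, treating each word of a diceware passphrase as one symbol drawn from a 7776-word list, and compares the resulting keyspace to random printable-ASCII passwords of the lengths the post mentions. The guess rate of 10^10 per second and the eight-word sample list are assumptions for illustration; a real diceware list has 6^5 = 7776 entries, and the estimate only holds when the words are picked uniformly at random, not composed as a sentence.

```python
"""Passphrase-vs-password strength estimate (added example, not from the post).

Models an attacker who already knows the word list and treats each word as a
single token, so an N-word diceware passphrase is an N-symbol string over a
7776-symbol alphabet.
"""
import math
import secrets

# Constructed sample list for the generator demo. A real diceware list has
# 6**5 = 7776 words; the entropy math below uses that real size.
SAMPLE_WORDS = ["anchor", "basalt", "cobble", "dahlia",
                "ember", "fjord", "gravel", "harbor"]
DICEWARE_LIST_SIZE = 6 ** 5      # 7776
PRINTABLE_ASCII = 95             # space (0x20) through tilde (0x7E)
ASSUMED_GUESS_RATE = 1e10        # guesses/second; an assumption, not a measurement


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `symbols` choices."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(symbols)


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds to exhaust a keyspace of 2**bits at the given rate.

    This is the full-exhaustion cost; the expected cost of a correct guess
    is half of it.  A word-token attacker only reaches this bound when the
    words were chosen uniformly; a home-made sentence is far less random.
    """
    return 2.0 ** bits / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    """Convert seconds to (Julian) years for readability."""
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words, n_words: int, delimiter: str = "-") -> str:
    """Pick n_words uniformly at random with a CSPRNG and join them.

    Uses secrets.choice so each word is an independent, uniform draw, which
    is the property the entropy estimate depends on.
    """
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    return delimiter.join(secrets.choice(words) for _ in range(n_words))


def compare(n_words: int = 8, n_chars: int = 8,
            rate: float = ASSUMED_GUESS_RATE) -> dict:
    """Return entropy and worst-case brute-force time for the two schemes."""
    phrase_bits = entropy_bits(DICEWARE_LIST_SIZE, n_words)
    char_bits = entropy_bits(PRINTABLE_ASCII, n_chars)
    return {
        "passphrase_bits": phrase_bits,
        "password_bits": char_bits,
        "passphrase_years": seconds_to_years(worst_case_seconds(phrase_bits, rate)),
        "password_years": seconds_to_years(worst_case_seconds(char_bits, rate)),
    }


if __name__ == "__main__":
    for n_words, n_chars in ((8, 8), (8, 12), (5, 12)):
        r = compare(n_words, n_chars)
        print(f"{n_words} diceware words: {r['passphrase_bits']:.1f} bits, "
              f"{r['passphrase_years']:.3g} years to exhaust at 1e10/s")
        print(f"{n_chars} random ASCII chars: {r['password_bits']:.1f} bits, "
              f"{r['password_years']:.3g} years to exhaust at 1e10/s")
    # Demo of a uniformly chosen phrase from the (tiny, constructed) sample list.
    print("sample phrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Running it shows eight diceware words at roughly 103 bits outrunning even twelve random printable characters at roughly 79 bits, which is the comparison the thread is arguing about. The model is deliberately pessimistic toward the passphrase: it gives the attacker the exact word list and assumes a word-token attack, so anything the user adds (capitalization, non-space delimiters, a word from another language) only raises the cost above the figure printed.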