[Info-vax] password strength (Re: VMS humor)

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Fri Jan 1 12:36:48 EST 2021


On 2021-01-01 15:33:59 +0000, Craig A. Berry said:

> On 12/31/20 2:26 PM, Some Dude wrote:
>> On Thursday, December 31, 2020 at 1:02:59 PM UTC-5, Craig A. Berry wrote:
>> 
>>> But unless the entire phrase is in someone's password cracking 
>>> dictionary, the fact that portions contain well-known words doesn't 
>>> really make any difference, does it? If it did, delimiting with 
>>> non-space characters would take care of that.
> 
>> Nope.  Sophisticated attacks use dictionary tokens just the same as 
>> individual letters or symbols.

That's true for *shorter* passwords. Out in the range we're discussing, 
that becomes untenable.

> OK. I am not a cryptographer but since the number of words in the 
> dictionary is much larger than the number of letters in the alphabet, 
> and they would have to guess the sequence, position, capitalization, 
> and delimiters between tokens, and could not assume that all tokens are 
> valid dictionary words (especially not in the same language), would an 
> 8-word sentence not increase the cost of a correct guess well beyond 
> that of a random sequence of 8 characters?

Ayup. Longer passwords take (far) longer to brute-force. If you're 
stuck without a password manager as is the case here, longer and 
memorable wins over shorter and line noise.

Attempting to brute-force past 12 characters or so is less than 
feasible on a reasonable timescale with current hardware, outside of 
the lists of the (tens of thousands) most common passwords, and close 
dictionary matches from same. And that brute-forcing with longer 
passwords involves a whole-password mix, and not a partial match.

There are various write-ups of the complexity involved for folks 
considering this XKCD-style multi-word password attack, here's one from 
the folks fond of the Hashcat tool: 
https://hashcat.net/forum/thread-9307-post-49206.html#pid49206

For this case, I'd prefer a diceware password, and not line noise. If I 
need a line-noise password, I can get that from my own password 
generator.

Multi-factor authentication is another feature that various sites are 
starting to or do require, as well. With OpenVMS, that's probably 
easiest with the assistance of an LDAP password server, though there 
are some add-ons for OpenVMS that allow that locally, whether that's via 
key-fob or app or otherwise.

>> Also most attacks against a compromised authorization file start with a 
>> giant database of previously-obtained password hits under the theory 
>> that there might be user overlap with a previously-compromised account 
>> and that people are lazy.
> 
> All the more reason to have people make up their own phrase or short 
> sentence of nonsense that will be memorable to them but unlikely to 
> appear in one of these databases.

Ayup.

For those using macOS, here's the arcana necessary to enable use of 
Keychain for ssh passphrases: https://apple.stackexchange.com/a/250572
Some additional background on keypairs and usage with macOS: 
https://rderik.com/blog/understanding-ssh-keys-and-using-keychain-to-manage-passphrase-on-macos/ 


Don't use your personal or family or company slogan, or words or phrases 
related to your job, either. Best to add those words to the password 
filter, along with one of the common password lists.




-- 
Pure Personal Opinion | HoffmanLabs LLC 
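
The filtering advice in the message above (site-related words plus a common password list), as an added example that is not part of the original post and is not an OpenVMS password policy module. The word lists, the function names and the 12-character minimum are assumptions made for illustration.

```python
import re
import string

# Constructed sample lists. A real filter would load one of the published
# common-password lists plus the site's own names, slogans and job terms.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
SITE_WORDS = {"examplecorp", "widgets", "buildbetter"}  # hypothetical site

# Undo the usual character substitutions before comparing.
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(text):
    """Lowercase, reverse common substitutions, drop delimiters and digits."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


COMMON_FORMS = COMMON_PASSWORDS | ({normalize(p) for p in COMMON_PASSWORDS} - {""})
SITE_FORMS = {normalize(w) for w in SITE_WORDS}


def check_password(candidate, min_length=12):
    """Return rejection reasons; an empty list means the candidate passes.

    min_length=12 is an assumption taken from the rough figure in the post.
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too short")
    # Close matches: the same word with digits or symbols appended or swapped in.
    stripped = candidate.rstrip(string.digits + string.punctuation)
    forms = {candidate.lower(), normalize(candidate), normalize(stripped)}
    if forms & COMMON_FORMS:
        reasons.append("common password")
    # Site words are rejected anywhere in the phrase, whatever the delimiter.
    flat = normalize(candidate)
    hits = sorted(w for w in SITE_FORMS if w in flat)
    if hits:
        reasons.append("contains site word: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for pw in ("Password1!", "Build-Better-Widgets-2021",
               "plover-quartz-umbrella-sideways"):  # constructed candidates
        print(repr(pw), check_password(pw) or "accepted")
```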



