Which is the better password & 4 facts about passwords
-
During a password cracking contest years ago we were able to crack multiple word passwords of considerable length, sometimes even faster than the more complex shorter passwords.
However, passwords like this with a number in the middle of the word or even slightly misspelled proved to basically be nearly impossible. I also use a lot of Serbian or Hungarian words mixed in my passwords. For example, a temporary password I created for one of my employees yesterday was:
%Kalendardishwasherbiber25
Percent sign, calendar (with a K, which funnily is the original spelling), dishwasher, and the Serbian word for Pepper, which hilariously is also the Serbian spelling for Justin Bieber's last name.
This was just a temporary one. The kind I would use, using this one as the base, would be something like:
%Kalendard1shwasherbiber255555
Similar idea, but I replaced one of the letters with a number, still had 25, but did the 5 five times. This is a more complex version though, typically I just do one of these things, but most of the time it's typically three, four, or five words depending on length with at least 1 number stuck in the middle and some at the end, and one of the words misspelled.
The words typically are always a mix too of English, Serbian, Hungarian, and sometimes Arabic words, but I don't speak Arabic fluently so they're usually religious or traditional words.
-
@Dashrender said:
Time to switch it to OneDrive right now!
After being escalated to three levels, still no resolution.
Strangely enough I think the third level (for whom English was not his first language) was the worst. He kept calling Google Chrome "Google dot com".
-
@Dashrender said:
The problem that I have with SevenTimesSevenEqualsEleven is that those are each a word in the dictionary. If you treat each word as a single character, you now have a 5 character password.
Five characters with 171,000 possibilities each in English alone, not including spelling variations, or capitalization variations. So very, very different than how you are thinking of characters.
Also, you do NOT have a five character set unless the attacker already knows that you are using specific formats and only English language words. To think of this as a reduced set requires that you have the majority of the password already broken (set reduction.) You never hear people applying this same logic to "complex" passwords even though it exists there, too.
-
@Dashrender said:
The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven, dramatically improves the security of this password.
No complexity has been added, that's not what complexity means. All you have done is increased the length by one character. That alone increases security, by adding one character, but nothing more.
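Added example, not part of the original posts: the search-space arithmetic behind the two exchanges above, using the 171,000-word figure quoted in the thread. The 52-letter and 95-character alphabets and the "one stray letter at a word boundary" model are assumptions made for illustration.

```python
import math

DICT_SIZE = 171_000   # English word count quoted in the thread
LETTERS = 52          # a-z plus A-Z (assumed alphabet for letter-only brute force)
PRINTABLE = 95        # printable ASCII (assumed alphabet for a "complex" password)

def bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)

def word_space(n_words: int, dict_size: int = DICT_SIZE) -> int:
    """Attacker already knows the format: exactly n_words dictionary words."""
    return dict_size ** n_words

def char_space(length: int, alphabet: int) -> int:
    """Attacker knows only the length and the character set."""
    return alphabet ** length

def word_space_plus_letter(n_words: int, dict_size: int = DICT_SIZE) -> int:
    """Format-aware attacker who also knows one stray letter sits at one of
    the n_words + 1 word boundaries (start, between words, end)."""
    return word_space(n_words, dict_size) * LETTERS * (n_words + 1)

def compare(passphrase_words: list[str]) -> dict[str, float]:
    """Bits of search space for the same passphrase under each attacker model."""
    n = len(passphrase_words)
    length = sum(len(w) for w in passphrase_words)
    return {
        "words, format known": bits(word_space(n)),
        "words + 1 letter, format known": bits(word_space_plus_letter(n)),
        "letters only, format unknown": bits(char_space(length, LETTERS)),
        "letters only, one char longer": bits(char_space(length + 1, LETTERS)),
        "8-char complex": bits(char_space(8, PRINTABLE)),
    }

if __name__ == "__main__":
    words = ["Seven", "Times", "Seven", "Equals", "Eleven"]
    for model, b in compare(words).items():
        print(f"{model:32s} {b:6.1f} bits")
```

Even when the attacker is granted full knowledge of the five-word format, the space is larger than that of an 8-character password drawn from all printable ASCII; the inserted letter adds a few bits under either model.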
-
@wirestyle22 said:
I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?
That's a huge assumption. If you do lockouts like that with a lot of things they become a vector for DDoS attacks. Don't like someone at work, lock them out all the time. Don't like someone on the Internet, lock them out forever. Can't always do that. It's a great idea but...
- Can't be used in all cases.
- Isn't used in all cases regardless of if it should be.
- If we are talking about compromised hardware, they will just disable the lock out.
-
@wirestyle22 said:
If a device were stolen I would remote wipe though, right?
You are relying on easily bypassed mechanisms. How do you remote wipe a stolen device that is offline or in a Faraday cage? How do you remote wipe your stolen laptop, desktop or server? How do you remote wipe a hard drive that isn't in a computer any longer?
-
@Dashrender said:
Because it's no longer a pure dictionary attack. The letter X (I don't think) isn't in the dictionary because it's not a word.
You are depending on the hacker knowing the kind of password that it is. If they know that, none of this matters. Basically you are assuming that the attacker knows a huge portion of the password already in order to determine how effective an attack will be. Assuming real world and the attacker does not already know the password set (when would this ever happen?) the added X makes no difference.
Also X would be in any attack (not English) dictionary.
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
You have backups, don't you? Shouldn't be an issue.
No need for backups. No data is stored on the phone anymore.
I've caved to the @scottalanmiller method of data storage.
This doesn't make sense to me. If you, like he, take pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.
Lots of services upload pictures immediately as they are taken. It's the default for many of them.
-
@Dashrender said:
Not to mention that you'll still want a contact list on there. So are you saying you never add a phone number/email address/etc via the phone? You only do it via another device? cause if you do it via the phone, then you do want/need backups/syncing.
Those go directly elsewhere as well. Exchange, iCloud, etc.
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
This doesn't make sense to me. If you, like he, take pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.
Goes right to iCloud.
Technically a backup.
Only if the phone continues to be the primary storage device. Technically, it's the iPhone that is the backup, not the cloud storage. And only if you keep that stuff on your phone, I do not.
-
@scottalanmiller said:
@Dashrender said:
@BRRABill said:
@Dashrender said:
You have backups, don't you? Shouldn't be an issue.
No need for backups. No data is stored on the phone anymore.
I've caved to the @scottalanmiller method of data storage.
This doesn't make sense to me. If you, like he, take pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.
Lots of services upload pictures immediately as they are taken. It's the default for many of them.
That's still a backup though - so, yes there was/is important data on there, and you're choosing to instantly back it up when possible, making the device and its local storage much less of an issue, but the idea that there is no valuable data on it is just wrong.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@BRRABill said:
@Dashrender said:
You have backups, don't you? Shouldn't be an issue.
No need for backups. No data is stored on the phone anymore.
I've caved to the @scottalanmiller method of data storage.
This doesn't make sense to me. If you, like he, take pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.
Lots of services upload pictures immediately as they are taken. It's the default for many of them.
That's still a backup though - so, yes there was/is important data on there, and you're choosing to instantly back it up when possible, making the device and its local storage much less of an issue, but the idea that there is no valuable data on it is just wrong.
I wouldn't use the term backup. The phone might have a duplicate copy temporarily but the term backup implies intentionality, which is lacking here. That would be a point of semantics worth discussing, but the idea is that it is clear from the mobile device almost immediately. No intention of it remaining there.
-
Yep semantics -
Your phone deletes the picture locally once it confirms that the picture is in the cloud? Is that an option in iPhones with iCloud?
I don't have an option like that on Windows Phone with OneDrive - auto backup, yes, auto backup then delete local, no.
-
@Dashrender said:
Yep semantics -
Your phone deletes the picture locally once it confirms that the picture is in the cloud? Is that an option in iPhones with iCloud?
I don't have an option like that on Windows Phone with OneDrive - auto backup, yes, auto backup then delete local, no.
No, I delete as soon as it uploads. I upload manually, I delete manually. But it is a standard, repeated process all done at once. I upload, verify, delete.
-
Oddly, I'm running this very process while we discuss it. Uploading everything on my phone from today to Flickr right now. And they will be deleted as soon as that finishes.
-
@scottalanmiller said:
@Dashrender said:
Yep semantics -
Your phone deletes the picture locally once it confirms that the picture is in the cloud? Is that an option in iPhones with iCloud?
I don't have an option like that on Windows Phone with OneDrive - auto backup, yes, auto backup then delete local, no.
No, I delete as soon as it uploads. I upload manually, I delete manually. But it is a standard, repeated process all done at once. I upload, verify, delete.
Then, only because of your process, it's not a backup.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Yep semantics -
Your phone deletes the picture locally once it confirms that the picture is in the cloud? Is that an option in iPhones with iCloud?
I don't have an option like that on Windows Phone with OneDrive - auto backup, yes, auto backup then delete local, no.
No, I delete as soon as it uploads. I upload manually, I delete manually. But it is a standard, repeated process all done at once. I upload, verify, delete.
Then, only because of your process, it's not a backup.
Well yes, but that is the process being discussed. When you don't use the phone as storage. For most of us, it would fill up pretty quickly so not much of an option.
-
Even so - I think most people would say "you're backing up to Flickr" then you're deleting from the phone.
Though I certainly understand that you consider it just copying to Flickr before deleting it from local.
-
@Dashrender said:
Even so - I think most people would say "you're backing up to Flickr" then you're deleting from the phone.
Though I certainly understand that you consider it just copying to Flickr before deleting it from local.
Most people would be using the wrong terms too. He is uploading to Flickr, not backing up to it.