Password Strength (and ease of memorizing) / Linux

you would think that but password crackers usually have flags for leetspeak so they will find those. for passwords that are practical and easy to recall, you’ve got it already i think but i will give you mine just to make sure. make a sentence and put a number or special character on the beginning or end if they make you, because you have idiots running the password requirements.

for example, <%thepasswordforthenetworkrouteris6> is a great one that i use all the time for things. then you write down %6-NtwkRtr on a yellow sticky and put it on the router. good luck to anyone who finds it and doesn’t know the pattern. sometimes i’ve been known to take a random thing like a license plate number and put it in front of a word or two for a decent one that i have to remember for a while. the words are common and you write down the plate number.

the one about the comic is, or rather was, pretty good advice, but you have to watch out for dictionary attacks that will crack an otherwise good one in seconds. you could misspell a word to throw it off, but they have flags to catch those also, unless it’s an uncommon misspelling. i had a good dictionary i used once but lost it in a crash a few years ago, thought i had it backed up in several places but did not. throw a foreign word or two in there and you’re golden.

2 Likes

See, this is what I don’t get about cracking passwords or “hacking” accounts - you mention flags and stuff. Take an email account for example. The service/account doesn’t give you feedback on your attempts to log in (if you enter the wrong password). If the password is Password1234, for example, and the hacker (or his software, again, I don’t know exactly how this works - but I guess it’s not literally a human guessing 200 password possibilities a minute, haha) enters Password123, the email service doesn’t say “oooh that was close” or “almost, you’re one character short”. I don’t get how the “guessing” or “attempts” part works, at all. It seems like such an impossible task. Does it guess every single “one character” password, then every single “two character” password, and so on and so on? Also, how fast can you even possibly make sequential “guesses”? Also-also, why don’t any of these common services (like email) have protections against this (brute force protection, correct?). Is it because it would be happening to everyone’s account constantly?

It’s kind of interesting. I know very little about it.

What you are describing is a brute force attack. If a hacker can determine a mechanism that allows for rapid testing of passwords, it is a thing. This is usually scripted and automated and many times is deployed by what are called script kiddies who just brute force attack everything they can find. The other type are the hackers who have a target in mind and spend some time to determine the best way to attack a system … whether it’s via brute force or finding another more efficient way such as phishing for information.

What we see today, on many logins whether websites or local system, are “you have exceeded the maximum number of attempts. Please try again later”. That is an example countermeasure against brute force hacking passwords. Two factor is another.

However, hackers are sometimes able to find backdoor APIs that do not rate limit the ‘tests’. As such, they are able to test a large number of generated passwords in a short period of time.

Again, talking brute force attacks, this is where set entropy comes into play. Part of the xkcd comic above. The longer and more diverse a password, the larger the number of possible combinations, leading to a longer time to randomly discover the password. Diverse meaning utilizing a large set of tokens such as lower case characters, uppercase characters, numbers, special characters. The more characters and the more diversity in the tokens, the larger the entropy.

To take advantage of the entropy, the password must also utilize somewhat random selection of tokens out of the set of possible characters. For instance, twenty ‘a’s in a row does not properly utilize the available entropy.

When they brute force attack a password, the tools are looking for a response that differs from the failed case. This indicates success. Or, if they know the system that they are attacking, they know what indicates success. In your example where nothing is returned, it times out and continues on to the next attempt.

Brute force is generally the last method that will be utilized by a motivated attacker since it is inefficient and can take a very long time to discover the password unless the password has small entropy. Depending on how the password was generated and utilized, this can be considered a one-time pad. Surprisingly simple but the one time pad can be difficult to hack unless …

The first order of business for a hacker is to reduce the possible entropy. This may be by having other types of knowledge about the target. Or perhaps doing an attack by using a list of commonly used phrases, for instance. Or even easier, pulling the lists of previously hacked password / user combinations and then applying them to other sites … inevitably they’ll find a winner every now and then.

As far as rate limiting, another brute force attack example is on encrypted files. Such as PDF. There really is no rate limiting there and applying a high compute capable machine (e.g. with CUDA) a very high rate of tests can be performed in a relatively short period of time. Tens of thousands of tests per second. Add more compute and scale the rate.

They do, to an extent. IP blocking is an example. Rate limiting is another. Many different behind the scenes things are going on to improve security. However, obtrusiveness and usability are also key factors. If, for instance, everyone was required to adhere to completely random gibberish passwords, 20 digits in length, must be changed each thirty days … what will the user do? They’ll write it down on a piece of paper because they won’t be able to remember them. That violates key security fundamentals.

Hence:

Security is not easy. It doesn’t take much to compromise it from human factors to software bugs. Layered protection (ring fence) is the best way to overcome such challenges.

3 Likes
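The entropy argument in the post above (length times alphabet size, repetition wasting it, the xkcd word-count model, and the difference a guess rate makes) can be put into numbers. The following is an added example written for this thread, not code from any poster: the character classes, the record of "used" symbols, and the two guess rates (10/s for a rate-limited login, 50,000/s for an offline attack on a leaked hash) are assumptions chosen for illustration.

```python
import math
import string

# Character classes a typical complexity policy counts (constructed model
# for this example, not any particular tool's rules).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}

# Guess rates are constructed assumptions: a rate-limited online login vs an
# offline attack on a leaked hash ("tens of thousands of tests per second").
ONLINE_RATE = 10.0
OFFLINE_RATE = 50_000.0


def nominal_alphabet_size(password: str) -> int:
    """Alphabet an attacker must search if every class present in the
    password is assumed possible at every position."""
    size = 0
    covered = set()
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
        covered |= chars
    # Symbols outside the four classes (non-ASCII, whitespace) each add one.
    size += len({c for c in password if c not in covered})
    return size


def nominal_entropy_bits(password: str) -> float:
    """length * log2(alphabet): the 'more characters, more diversity' figure."""
    return len(password) * math.log2(nominal_alphabet_size(password))


def used_alphabet_entropy_bits(password: str) -> float:
    """Pessimistic figure that only credits symbols actually present, so
    twenty 'a's score 0 bits: repetition throws the available entropy away."""
    return len(password) * math.log2(len(set(password)))


def passphrase_entropy_bits(n_words: int, dictionary_size: int) -> float:
    """Words drawn uniformly at random from a dictionary (the xkcd model)."""
    return n_words * math.log2(dictionary_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit it exceeds, one decimal place."""
    units = [("years", 365.25 * 86400), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Sample passwords from the thread plus the degenerate all-'a' case.
    for pw in ["a" * 20, "Tr0ub4doR3#", "thepasswordforthenetworkrouteris6"]:
        nominal = nominal_entropy_bits(pw)
        used = used_alphabet_entropy_bits(pw)
        offline = human_duration(expected_seconds_to_crack(used, OFFLINE_RATE))
        print(f"{pw!r}: nominal {nominal:.1f} bits, "
              f"used-alphabet {used:.1f} bits, offline search {offline}")
    bits = passphrase_entropy_bits(4, 2048)
    print(f"4 random words from 2048: {bits:.0f} bits, "
          f"online {human_duration(expected_seconds_to_crack(bits, ONLINE_RATE))}, "
          f"offline {human_duration(expected_seconds_to_crack(bits, OFFLINE_RATE))}")
```

The two entropy figures bracket what a policy checker sees versus what an attacker who notices the repetition actually faces. Both still assume the characters were chosen at random; a phrase built from ordinary words scores high on nominal bits but is exactly what the dictionary attacks mentioned earlier in the thread are built for, so its real keyspace is the word list, not the alphabet.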

Everyone in this thread should watch the show Mr Robot if you haven’t seen it yet. Best show or movie I’ve seen around what it’s like to be a hacker.

HBO’s series Silicon Valley is also a great comedy show. Especially if you like Mike Judge’s other work like King of the Hill, Office Space, etc.

2 Likes

I watch at least some of Silicon Valley. I thought it was pretty funny. Any of these people who come from improv backgrounds are just so… creatively funny and quick witted. I didn’t even know that Mike Judge was involved in that show. I really only know his name at all from Beavis and Butthead, and then from King of the Hill.

Edit: And thanks for that information @Northern_Loki

I’ve been researching encryption options very recently too. The explaining computers youtube channel (Chris Barnatt, I think) is a great channel. I like the hardware encrypted thumb drive idea, but have been thinking of maybe trying out Veracrypt instead (maybe to use that “container” function for storing anything important - eg: financial, medical, etc., not movie and music files, haha).
Do you have any thoughts, practices, tools for encryption?

I won’t be on windows for much longer, especially after this “co-pilot / recall” insanity I just read about (like it wasn’t already enough).

or just use a strong password generator and have your browser save the password…

Any mention of using anything google is kind of missing the point, especially security information. And I’m not storing passwords in a browser. That sounds like a bad practice. No way, man.

Edit: I have been using a generator (inside of keepass) by the way. But I think part of the point of the article I posted was that pass phrases are supposedly more secure and easier to remember than these “Tr0ub4doR3#” type passwords…?

1 Like

i’ve got tools that dump the browser passwords so you’re right, it’s a terrible idea. mfa is your friend (with a key fob, but text is better than nothing), with a random password generator and password manager. the method i described was to allow for a completely memorable yet almost completely unhackable password. but then again, i remember 20 digit random passwords sometimes so my memorable isn’t the same as most.

as for cracking passwords, most often it’s from a dump. the email account is plaintext but the password is hashed if you’re lucky - some still store them in plaintext or base64 encoded - and salted if they have good security. then all you have to do is feed them into a tool like john the ripper. that is where you can do all sorts of things like make it use leetspeak, search for patterns, dictionary attack, rainbow table attack, etc. the dictionary i was talking about that i lost was about 2tb if i recall. i’m actually about to get back into that sort of thing professionally, need to get a rig together to crack passwords again.

1 Like
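The post above lists the storage choices that decide how bad a dump is: plaintext, base64, an unsalted hash, or a salted hash. Here is an added example, written for this thread and not code from any poster, that shows each choice side by side from the defender's side. The record format (`pbkdf2_sha256$iterations$salt$digest`) and the 600,000-iteration default (OWASP's current guidance for PBKDF2-HMAC-SHA256) are assumptions for this example; the user names and the shared password are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# OWASP's current iteration guidance for PBKDF2-HMAC-SHA256 (assumption
# for this example; real systems should track the current recommendation).
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """Worst case from the post: a dump hands the attacker the password."""
    return password


def store_base64(password: str) -> str:
    """Encoding, not protection: anyone can reverse it (see decode_base64)."""
    return base64.b64encode(password.encode()).decode()


def decode_base64(record: str) -> str:
    return base64.b64decode(record).decode()


def store_unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: same password -> same record for every user, so one
    precomputed (rainbow) table or one cracked record covers all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = PBKDF2_ITERATIONS) -> str:
    """Random per-user salt plus a slow, iterated hash. Record format is
    constructed for this example: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:  # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_record_for_two_users(store: Callable[[str], str], password: str) -> bool:
    """True when two users sharing a password get identical records, i.e. a
    dump lets the attacker crack once and log in as both."""
    return store(password) == store(password)


if __name__ == "__main__":
    # Constructed dump: two accounts that happen to share a password.
    shared = "hunter2"
    schemes = [("plaintext", store_plaintext), ("base64", store_base64),
               ("sha256 unsalted", store_unsalted_sha256),
               ("pbkdf2 salted", store_salted_pbkdf2)]
    for name, store in schemes:
        print(f"{name:16} alice={store(shared)[:40]}")
        print(f"{'':16} bob  ={store(shared)[:40]}")
        print(f"{'':16} identical records: {same_record_for_two_users(store, shared)}")
    record = store_salted_pbkdf2(shared)
    print("verify correct:", verify_salted_pbkdf2(shared, record))
    print("verify wrong:  ", verify_salted_pbkdf2("hunter3", record))
```

The salted, iterated scheme is the only one where two users with the same password produce different records and where each guess costs the attacker the full iteration count, which is what turns "tens of thousands of tests per second" into far fewer. It does not make a weak password strong; it just removes the shortcuts (reversal, shared tables, cheap hashing) that the other three schemes leave in place.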