Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] deadmanish login?



On 02/02/2017 04:38 PM, Richard Pieri wrote:
> On 2/2/2017 2:51 PM, Kent Borg wrote:
>> Does have 40-bits of entropy, that is.
> Not really:
> https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
>

A rather terse posting, there.

You seem to be saying "Schneier agrees with me, go read this.".

And I have read that. I presume you are referring to:

"This is why the oft-cited XKCD scheme for generating passwords -- 
string together individual words like "correcthorsebatterystaple" -- is 
no longer good advice. The password crackers are on to this trick."

It depends on where those words came from. I am not relying on some 
trick, I am relying on raw combinations.

For example, let's just take 16-bits: from /dev/urandom:

d85e

Uh, oh! Did I somehow reduce the number of possible combinations because 
I represented it in hex? Would I somehow reduce the number of possible 
combinations if I wrote it as "dee-eight-five-ee"?

No.

In my case I am using a simple program called mnencode that was 
specifically designed for making binary data pronounceable. I can run 
32-bits into mnencode and get "trade-medical-episode" and I can run 
"trade-medical-episode" through mndecode and get back the original 
32-bits. It didn't change anything, it is just a coding.

I could tell you what those original 32-bits were--but they are binary, 
to put them in an e-mail I would need to code them some other way. Would 
"d7c1 271f" be okay, or does that somehow remove entropy? Octal: 153701 
023437 okay? mnencode: trade-medical-episode? Oh, no, you don't like 
that one.

It's just another coding. But it is easy to remember and easy to type on 
an ASCII keyboard.

If someone wants to brute force it someone is going to have to run 2^32 
combinations to try them all.

How do I get 40-bits in my examples? To make it extra good I prepend 
two hex digits: f1-sultan-joker-editor. (Also because some stupid 
systems will silently truncate passwords, it packs a little more entropy 
at the beginning.)

-kb
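The "it is just a coding" argument above, as an added example that is not part of the original post and is not mnencode: a constructed word list (2048 made-up consonant-vowel strings, so each word carries 11 bits; the real mnencode list and layout differ) maps an n-bit value to words and back, and counting the distinct outputs shows that an invertible encoding neither adds nor removes entropy. The 40-bit "two hex digits plus three words" layout is built the same way.

```python
import math

# Constructed word list (not mnencode's): 2048 distinct pronounceable
# consonant-vowel-consonant-vowel strings, i.e. 11 bits per word.
CONSONANTS = "bdfgkjlmnprstvz"
VOWELS = "aeiou"
WORDLIST = [a + b + c + d for a in CONSONANTS for b in VOWELS
            for c in CONSONANTS for d in VOWELS][:2048]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}
BITS_PER_WORD = int(math.log2(len(WORDLIST)))  # 11


def encode_words(value: int, nbits: int) -> str:
    """Write an nbits-wide integer in base len(WORDLIST), most significant word first."""
    if not 0 <= value < (1 << nbits):
        raise ValueError("value does not fit in nbits")
    nwords = -(-nbits // BITS_PER_WORD)  # ceil(nbits / 11)
    words = []
    for _ in range(nwords):
        value, digit = divmod(value, len(WORDLIST))
        words.append(WORDLIST[digit])
    return "-".join(reversed(words))


def decode_words(text: str) -> int:
    """Inverse of encode_words: read the words back as base-2048 digits."""
    value = 0
    for w in text.split("-"):
        value = value * len(WORDLIST) + WORD_INDEX[w]
    return value


def count_distinct_encodings(nbits: int) -> int:
    """Enumerate every nbits input; an injective coding yields exactly 2**nbits outputs."""
    return len({encode_words(v, nbits) for v in range(1 << nbits)})


def make_passphrase(raw: bytes) -> str:
    """5 random bytes -> 'xx-word-word-word': 8 bits as hex, then 32 bits as words."""
    if len(raw) != 5:
        raise ValueError("need exactly 40 bits of input")
    prefix = f"{raw[0]:02x}"
    words = encode_words(int.from_bytes(raw[1:], "big"), 32)
    return f"{prefix}-{words}"


def passphrase_entropy_bits(raw_bits: int) -> float:
    """Entropy is bounded by the random input, whatever the representation."""
    return float(raw_bits)
```

Feeding `make_passphrase` bytes from `os.urandom(5)` gives a 40-bit value written as two hex digits and three words, which `decode_words` and `int(prefix, 16)` recover exactly.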




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
