BLU Discuss list archive
[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Fri, 3 Feb 2017 09:15:25 -0500
- In-reply-to: <b261f072-dd42-b3e1-119e-3a380444a4dc@borg.org>
On 2/3/2017 7:38 AM, Kent Borg wrote:
> And if the dictionary has, let's say for round numbers 2048 words, then
> it takes 2048 attempts to try them all.

You randomly pick the Nth word from your list of 2K words. It happens to be the 5000th word in my 10K word list. It takes me 5 thousand tries to stumble upon your password.

You intentionally pick the Nth word from your list of 2K words. It happens to be the 5000th word in my 10K word list. It takes me 5 thousand tries to stumble upon your password.

How you arrive at N has little to do with the strength of your password against dictionary and combinator attacks. Password length, which is to say how many words are plucked from your word list, is what provides strength using these methods (XKCD, diceware, etc).

A problem with these is that Hashcat on an 8 GPU cracking rig can perform *billions* of combinator attacks per second. Billions. A dedicated Hashcat rig can crack your prefix-plus-three-words passwords in low single digit minutes.

As a practical matter, the strength of your system comes from rate limiting attacks. Even two arbitrarily chosen dictionary words become prohibitively expensive for an attacker when he is limited to a handful of tries per second, and even more so if you use fail2ban to shut them down. Or disable password authentication and rely on randomly generated keys which are far more secure than anything you can keep in your head.

-- 
Rich P.
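The cost comparison the post makes (offline combinator guessing at billions per second versus an online login limited to a handful of tries per second, with or without a fail2ban-style lockout) as an added worked model; this is not code from the list thread. The dictionary sizes and guess rates are constructed inputs, and the lockout model (every `lockout_after` failures cost an extra `lockout_seconds`) is a simplifying assumption.

```python
import math

def keyspace(dict_size: int, words: int) -> int:
    """Number of candidate passphrases: dict_size ** words."""
    return dict_size ** words

def entropy_bits(dict_size: int, words: int) -> float:
    """Entropy contributed by choosing `words` entries uniformly from the list."""
    return words * math.log2(dict_size)

def offline_seconds(dict_size: int, words: int, guesses_per_sec: float) -> float:
    """Expected time for an offline combinator attack (half the keyspace on average)."""
    return (keyspace(dict_size, words) // 2) / guesses_per_sec

def online_seconds(dict_size: int, words: int, tries_per_sec: float,
                   lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Expected time against a rate-limited login.

    Assumed lockout model: each block of `lockout_after` failed attempts adds
    `lockout_seconds` of waiting (roughly what fail2ban does with a ban time).
    """
    guesses = keyspace(dict_size, words) // 2          # expected guesses to succeed
    seconds = guesses / tries_per_sec
    if lockout_after > 0:
        seconds += (guesses // lockout_after) * lockout_seconds
    return seconds

def human(seconds: float) -> str:
    """Render seconds as the largest convenient unit for a quick comparison."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Constructed scenario: the attacker's list is 10K words, the user's is 2048;
    # the attacker must search his own list, so his list size sets the keyspace.
    attacker_list, user_list = 10_000, 2048
    print(f"{user_list}-word list: {entropy_bits(user_list, 1):.1f} bits per word")
    for words in (2, 3):
        off = offline_seconds(attacker_list, words, 1e9)         # GPU rig, 1e9 guesses/s
        on = online_seconds(attacker_list, words, 5)             # 5 tries/s, no lockout
        f2b = online_seconds(attacker_list, words, 5, 5, 600)    # fail2ban: 5 fails, 10 min ban
        print(f"{words} words: offline {human(off)}, online {human(on)}, "
              f"online+fail2ban {human(f2b)}")
```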