Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] deadmanish login?



On 2/3/2017 7:38 AM, Kent Borg wrote:
> And if the dictionary has, let's say for round numbers 2048 words, then 
> it takes 2048 attempts to try them all.

You randomly pick the Nth word from your list of 2K words. It happens to
be the 5000th word in my 10K word list. It takes me 5 thousand tries to
stumble upon your password.

You intentionally pick the Nth word from your list of 2K words. It
happens to be the 5000th word in my 10K word list. It takes me 5
thousand tries to stumble upon your password.

How you arrive at N has little to do with the strength of your password
against dictionary and combinator attacks. Password length, which is to
say how many words are plucked from your word list, is what provides
strength using these methods (XKCD, diceware, etc). A problem with these
is that Hashcat on an 8 GPU cracking rig can perform *billions* of
combinator attacks per second. Billions. A dedicated Hashcat rig can
crack your prefix-plus-three-words passwords in low single digit minutes.

As a practical matter, the strength of your system comes from rate
limiting attacks. Even two arbitrarily chosen dictionary words become
prohibitively expensive for an attacker when he is limited to a handful
of tries per second, and even more so if you use fail2ban to shut them down.

Or disable password authentication and rely on randomly generated keys
which are far more secure than anything you can keep in your head.

-- 
Rich P.
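The arithmetic behind the post (search space grows with the number of words, and what matters is the guess rate the attacker actually gets) and the fail2ban-style lockout it recommends, as an added example that is not part of the original message or of fail2ban itself. The guess rates, the simplified ISO-timestamp log format, host name, IPs and PIDs are all constructed here for illustration; the ban logic mimics fail2ban's maxretry/findtime sliding window rather than calling fail2ban.

```python
"""Passphrase search space vs. attacker guess rate, plus a fail2ban-like
per-source lockout over constructed sshd-style log lines."""
import math
import re
from collections import defaultdict, deque
from datetime import datetime

# Orders of magnitude taken from the post: a GPU rig trying billions of
# candidates per second offline, vs. "a handful of tries per second" online.
OFFLINE_GPU_RATE = 1e9        # guesses/second (assumed, offline hash cracking)
ONLINE_LIMITED_RATE = 5       # guesses/second (assumed, rate-limited login)


def passphrase_keyspace(dict_size: int, words: int) -> int:
    """Distinct passphrases when `words` entries are drawn (with replacement)
    from a dictionary of `dict_size` entries. How each word was chosen is
    irrelevant: the attacker still walks the same space."""
    return dict_size ** words


def entropy_bits(dict_size: int, words: int) -> float:
    """Entropy in bits: each word contributes log2(dict_size)."""
    return words * math.log2(dict_size)


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected time to hit the passphrase: on average it is found halfway
    through the key space."""
    return keyspace / 2 / guesses_per_second


# Constructed, simplified sshd-style lines (ISO timestamp instead of syslog's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port \d+"
)


def bans_from_log(lines, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: ban_time} for sources with >= maxretry failed password
    attempts inside a sliding window of `findtime` seconds. This mirrors
    fail2ban's sshd jail semantics; it is not fail2ban's own code."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                 # successful logins and other noise
            continue
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in banned:          # already locked out, nothing more to count
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample log: one source hammering, one normal key login,
# one source with two failures far enough apart to stay outside the window.
SAMPLE_LOG = """\
2017-02-03T07:40:00 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
2017-02-03T07:40:03 bastion sshd[4102]: Failed password for root from 198.51.100.7 port 51235 ssh2
2017-02-03T07:40:05 bastion sshd[4103]: Failed password for invalid user oracle from 198.51.100.7 port 51236 ssh2
2017-02-03T07:40:08 bastion sshd[4104]: Failed password for root from 198.51.100.7 port 51237 ssh2
2017-02-03T07:40:10 bastion sshd[4105]: Accepted publickey for rich from 203.0.113.5 port 40001 ssh2
2017-02-03T07:40:12 bastion sshd[4106]: Failed password for invalid user test from 198.51.100.7 port 51238 ssh2
2017-02-03T07:40:14 bastion sshd[4107]: Failed password for invalid user guest from 198.51.100.7 port 51239 ssh2
2017-02-03T07:45:00 bastion sshd[4110]: Failed password for rich from 192.0.2.9 port 40002 ssh2
2017-02-03T08:05:00 bastion sshd[4111]: Failed password for rich from 192.0.2.9 port 40003 ssh2
""".splitlines()


if __name__ == "__main__":
    for words in (1, 2, 3):
        ks = passphrase_keyspace(2048, words)
        print(f"{words} word(s) from 2048: {entropy_bits(2048, words):.1f} bits, "
              f"offline {expected_seconds(ks, OFFLINE_GPU_RATE):.3g} s, "
              f"online-limited {expected_seconds(ks, ONLINE_LIMITED_RATE) / 86400:.3g} days")
    print("banned:", bans_from_log(SAMPLE_LOG))
```

Two words from a 2048-word list are about 22 bits: a few milliseconds offline, but nearly five days of sustained guessing at five tries per second, and the fail2ban-style window cuts even that off after the fifth failure from one source.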



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org