Open tobyink opened 3 years ago
From perl@toby.ink on 2014-09-13 22:30:59 :
> a MUCH easier attack compared to plain brute force.
A four word phrase generated from the "EN" dictionary has 1e16 possible combinations.
If you assume that a powerful attacker can make a million guesses per second, then it's still going to take them an average of 150 years to crack the password.
Personally I have a policy of changing my passwords every century.
From kentnl@cpan.org (@kentfredric) on 2014-09-14 14:58:29 :
> On 2014-09-14 10:30:59, TOBYINK wrote:
>> a MUCH easier attack compared to plain brute force.
By that I mean, if you had a 4 word password at 5 characters per word, a naive brute force would be against 2 ^ 120 permutations at minimum. ( 20 characters at 64 symbols )
Knowing users have this tool in employ means they can cut the brute force down to
2 ^ 52 permutations. ( 4 "characters"(each word) with 10000 "symbols"(each permutation of word))
As I said, that's probably an acceptable compromise for the convenience it poses.
Either way, I just figured it would be cool to link to more related reading to let people decide for themselves =)
From perl@toby.ink on 2014-09-15 12:35:31 :
10000^4 is actually a bigger search space than, say, the search space for eight character passwords made up of random ASCII printable characters (96^8).
And many services won't even accept arbitrary ASCII characters; some restrict the allowed punctuation. 10000^4 is orders of magnitude bigger than the search space for eight character passwords made of random case-sensitive alphanumeric characters (62^8).
From perl@toby.ink on 2014-09-15 12:38:45 :
Or to put it another way, you're comparing a, say, 20 character password generated using Crypt::XkcdPassword with a 20 character random string. It's not surprising that the random string wins.
But a more realistic comparison would be to compare it with an 8 character random string, because virtually nobody would use a 20 character random string as a password - it's too long to remember.
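The search-space arithmetic the thread is arguing over, worked through as an added example (this is not code from Crypt::XkcdPassword or from either poster). It uses the thread's own figures: a 10000-word list, four words per phrase, 96 printable ASCII characters, 62 alphanumerics, and the assumed attacker rate of one million guesses per second; those attacker and wordlist figures are assumptions taken from the discussion, not measurements. The "20 chars, 64 symbols" row is the naive character-level view of the same phrase, and the gap between that row and the 4-word row is exactly the reduction an attacker gets by knowing the generator and its wordlist.

```python
import math

# Figures taken from the thread; the attacker model is an assumption the
# thread itself makes, not a measurement.
WORDLIST_SIZE = 10_000          # words in the "EN" dictionary (thread's figure)
PHRASE_WORDS = 4                # four-word phrase discussed above
GUESSES_PER_SECOND = 1_000_000  # assumed attacker speed from the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(symbols: int, length: int) -> int:
    """Number of candidates when each of `length` positions has `symbols` choices."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the search space: strength in bits against a guessing attack
    by an attacker who knows the generation scheme (the thread's assumption)."""
    return length * math.log2(symbols)


def average_crack_years(space: int, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random password: half the space on average."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Put the thread's competing schemes side by side.

    Each scheme is (symbols per position, positions).  A 4-word phrase is
    treated as 4 positions with 10000 symbols each, which is the reduced
    search an attacker holding the wordlist would run; the 20-character row
    is the naive character-level brute force (64 symbols x 20 characters).
    """
    schemes = {
        "4 words, 10000-word list": (WORDLIST_SIZE, PHRASE_WORDS),
        "8 printable ASCII": (96, 8),
        "8 alphanumeric": (62, 8),
        "20 chars, 64 symbols (naive view of the same phrase)": (64, 20),
    }
    results = {}
    for name, (symbols, length) in schemes.items():
        space = search_space(symbols, length)
        results[name] = {
            "space": space,
            "bits": entropy_bits(symbols, length),
            "avg_years": average_crack_years(space),
        }
    return results


def knowledge_advantage_bits() -> float:
    """How many bits the attacker saves by guessing words instead of characters."""
    return entropy_bits(64, 20) - entropy_bits(WORDLIST_SIZE, PHRASE_WORDS)


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:55s} {r['space']:.3e} candidates  "
              f"{r['bits']:6.1f} bits  {r['avg_years']:.3e} years")
    print(f"attacker who knows the wordlist saves {knowledge_advantage_bits():.1f} bits")
```

Running it reproduces the numbers both posters quote: 10000^4 is 1e16, about 53 bits, and at a million guesses per second takes on the order of 158 years on average; 96^8 and 62^8 are both smaller, and the naive 64^20 view overstates the phrase's strength by roughly 67 bits.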
Migrated from rt.cpan.org #98864 (status was 'open')
From kentnl@cpan.org (@kentfredric) on 2014-09-13 17:59:26 :
Some security people seem to think that this approach to passwords is ill advised and may leave you vulnerable to different kinds of attacks.
http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase
Though it seems purely random phrases like the one generated by this module are indeed stronger than idiomatic sentence-like phrases, and you can swing that to your advantage. =)
Also, obvious thing to mention: If this tool becomes known, and an attacker suspects you're using it to make your password, or your attacker is attacking a website they suspect there would be a rewarding percentage of users using this system, they may just use this tool to seed their dictionary, which would prove a MUCH easier attack compared to plain brute force.