Editing Talk:936: Password Strength
Latest revision | Your text | ||
Line 1: | Line 1: | ||
''Fix the software first.'' If you double the time it takes to enter each repeated password attempt you make brute force attacks pointless. Imagine you allowed a hurried user who screws up their own password entry w/ frozen fingers. If their system starts out with a 1 second delay, then doubles to two, then to four, etc. the time it takes to wait is 2^n. Six screw ups cost you a minute, twenty errors and you are waiting 291 hours before your next log-in attempt.... kmc 2015-05-10 {{unsigned ip|108.162.229.124}} | ''Fix the software first.'' If you double the time it takes to enter each repeated password attempt you make brute force attacks pointless. Imagine you allowed a hurried user who screws up their own password entry w/ frozen fingers. If their system starts out with a 1 second delay, then doubles to two, then to four, etc. the time it takes to wait is 2^n. Six screw ups cost you a minute, twenty errors and you are waiting 291 hours before your next log-in attempt.... kmc 2015-05-10 {{unsigned ip|108.162.229.124}} | ||
− | |||
− | |||
− | |||
You still have to vary the words with a bit of capitalization, punctuation and numbers a bit, or hackers can just run a dictionary attack against your string of four words. '''[[User:Davidy22|<u>{{Color|purple|David}}<font color=green size=3px>y</font></u><font color=indigo size=4px>²²</font>]]'''[[User talk:Davidy22|<tt>[talk]</tt>]] 09:12, 9 March 2013 (UTC) | You still have to vary the words with a bit of capitalization, punctuation and numbers a bit, or hackers can just run a dictionary attack against your string of four words. '''[[User:Davidy22|<u>{{Color|purple|David}}<font color=green size=3px>y</font></u><font color=indigo size=4px>²²</font>]]'''[[User talk:Davidy22|<tt>[talk]</tt>]] 09:12, 9 March 2013 (UTC) | ||
− | |||
No you don't. Hackers cannot run a dictionary attack against a string of four randomly picked words. | No you don't. Hackers cannot run a dictionary attack against a string of four randomly picked words. | ||
Line 83: | Line 79: | ||
* (Secondly: The "punctuation" should have 5, not 4 bits of entropy. There are 32 (2^5) ASCII punctuation characters (POSIX class [:punct:]). But I assume this is a lapse.) | * (Secondly: The "punctuation" should have 5, not 4 bits of entropy. There are 32 (2^5) ASCII punctuation characters (POSIX class [:punct:]). But I assume this is a lapse.) | ||
Can someone enlighten me? --[[Special:Contributions/162.158.91.236|162.158.91.236]] 17:31, 19 September 2015 (UTC) | Can someone enlighten me? --[[Special:Contributions/162.158.91.236|162.158.91.236]] 17:31, 19 September 2015 (UTC) | ||
− | :I have missed the sentence "Randall assumes only the 16 most common characters are used in practice (4 bits)". Hm. There is a huge list with real world passwords out there, leaking from RockYou in 2009. After some processing to remove passwords | + | :I have missed the sentence "Randall assumes only the 16 most common characters are used in practice (4 bits)". Hm. There is a huge list with real world passwords out there, leaking from RockYou in 2009. After some processing to remove UTF-8 passwords, the list contained about 14329849 unique passwords from about 32585010 accounts. The following are the number of accounts using a password containing some (ASCII) punctuation or space characters: |
<nowiki> | <nowiki> | ||
226673 . | 226673 . | ||
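Review bot: "After some processing to remove UTF-8 passwords" in the revised sentence is imprecise, since plain ASCII is itself valid UTF-8; the sed filter shown further down drops lines whose password contains non-ASCII or non-printable bytes (under LC_ALL=C, `[[:print:]]` matches printable ASCII only). Suggest "to remove passwords containing non-ASCII or non-printable characters" so the description matches the command that produced the counts.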
Line 91: | Line 87: | ||
104224 @ | 104224 @ | ||
95237 * | 95237 * | ||
− | 92802 | + | 92802 (space) |
60002 # | 60002 # | ||
36522 / | 36522 / | ||
Line 118: | Line 114: | ||
939 } | 939 } | ||
502 | | 502 | | ||
− | |||
− | |||
</nowiki> | </nowiki> | ||
:Sorry, I have no "citation". But you can play with the leaked RockYou password list yourself. Here is a way to reach that playground: | :Sorry, I have no "citation". But you can play with the leaked RockYou password list yourself. Here is a way to reach that playground: | ||
Line 125: | Line 119: | ||
$ # Download the compressed list (57 MiB; I have no idea what "skullsecurity" | $ # Download the compressed list (57 MiB; I have no idea what "skullsecurity" | ||
$ # is, it was simply the first find and I assume it's the said list): | $ # is, it was simply the first find and I assume it's the said list): | ||
− | $ wget http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2 | + | $ wget 'http://downloads.skullsecurity.org/passwords/rockyou-withcount.txt.bz2' |
− | $ # Decompress the list (243 MiB), or, | + | $ # Decompress the list (243 MiB), or, more exact spoken, it's a table: |
$ bzip2 -dk rockyou-withcount.txt.bz2 | $ bzip2 -dk rockyou-withcount.txt.bz2 | ||
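Review bot: "or, more exact spoken, it's a table" in the revised comment is not idiomatic; "or, more precisely, a table" reads better. Quoting the URL on the `wget` line is harmless but unnecessary, as it contains no shell metacharacters.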
Line 139: | Line 133: | ||
49952 iloveyou | 49952 iloveyou | ||
− | $ # The following command processes the table to remove lines | + | $ # The following command processes the table to remove lines having non-ASCII |
− | $ # | + | $ # characters or non-printable ASCII characters in the password, and lines |
− | $ # | + | $ # insisting that there were some accounts with no password. Moreover, the |
− | + | $ # command removes every space character not belonging to a password, makes | |
− | $ # removes every space character not belonging to a password, makes | + | $ # the rows tab-delimited and writes the result in a file called "ry" |
− | $ # tab-delimited and writes the result in a file called "ry" (161 MiB | + | $ # (161 MiB). |
− | + | $ LC_ALL=C sed -nr 's/^ *([1-9][0-9]*) ([[:print:]]+)$/\1\t\2/p' rockyou-withcount.txt > ry | |
− | $ LC_ALL=C sed - | + | |
+ | $ # The following is a shell function to build a command to sum up how many | ||
+ | $ # accounts were using passwords matching an extended regular expression and | ||
+ | $ # print the sum. | ||
+ | $ counta() { LC_ALL=C awk 'BEGIN { FS = "\t"; n = 0 } { if ($2 ~ /'"$(printf %s "$1" | sed 'sI/I\\/Ig')"'/) n += $1 } END { print n }' "$2" ;} | ||
− | $ # The following | + | $ # The following is a shell function to build a command to sum up how many |
− | $ # | + | $ # accounts were using passwords matching an extended regular expression, |
− | $ | + | $ # print the sum and also print the summands and the passwords. |
− | $ countap() { LC_ALL=C awk 'BEGIN { FS = "\t"; | + | $ countap() { LC_ALL=C awk 'BEGIN { FS = "\t"; n = 0 } { if ($2 ~ /'"$(printf %s "$1" | sed 'sI/I\\/Ig')"'/) { n += $1; print $0 } } END { print n }' "$2" ;} |
− | $ # We have reached the playground. | + | $ # We have reached the playground. Some examples for how to use the toys: |
− | |||
$ # Count how many accounts were using a password containing the string love: | $ # Count how many accounts were using a password containing the string love: | ||
$ counta 'love' ry | $ counta 'love' ry | ||
− | 671599 | + | 671599 |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
$ # Count how many accounts were using a password containing at least one | $ # Count how many accounts were using a password containing at least one | ||
$ # character: | $ # character: | ||
$ counta '.' ry | $ counta '.' ry | ||
− | 32585010 | + | 32585010 |
$ # Count how many accounts were using a password containing exactly one | $ # Count how many accounts were using a password containing exactly one | ||
$ # character: | $ # character: | ||
$ counta '^.$' ry | $ counta '^.$' ry | ||
− | 144 | + | 144 |
− | $ # Count how many accounts were using a password containing exactly one | + | $ # Count how many accounts were using a password containing exactly one |
− | $ # character: | + | $ # numeric character: |
$ counta '^[0-9]$' ry | $ counta '^[0-9]$' ry | ||
− | 55 | + | 55 |
$ # Let's have a look at the distribution: | $ # Let's have a look at the distribution: | ||
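Review bot: `counta` (and `countap` below it) splice the caller's pattern into the awk program text through `'"$(printf %s "$1" | sed 'sI/I\\/Ig')"'`, which only escapes `/`; a pattern containing a single quote, a backslash or a newline still becomes part of the awk source and can break or silently change the program. Handing the pattern to awk as data avoids the quoting problem entirely, e.g. `counta() { re="$1" LC_ALL=C awk 'BEGIN { FS = "\t" } $2 ~ ENVIRON["re"] { n += $1 } END { print n + 0 }' "$2" ;}` (ENVIRON rather than `-v` so that awk does not process backslash escapes in the pattern). The corrected comment before `counta '^[0-9]$' ry` ("exactly one numeric character") now says what the regex counts; the old comment duplicated the previous example's text.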
Line 196: | Line 184: | ||
1 8 | 1 8 | ||
1 4 | 1 4 | ||
− | 55 | + | 55 |
− | |||
− | |||
− | |||
− | |||
$ # Count how many accounts were using a password containing at least one | $ # Count how many accounts were using a password containing at least one | ||
$ # numeric character: | $ # numeric character: | ||
$ counta '[0-9]' ry | $ counta '[0-9]' ry | ||
− | 17609065 | + | 17609065 |
$ # Count how many accounts were using a password ending with a numeric | $ # Count how many accounts were using a password ending with a numeric | ||
$ # character: | $ # character: | ||
$ counta '[0-9]$' ry | $ counta '[0-9]$' ry | ||
− | 15728238 | + | 15728238 |
$ # Count how many accounts were using a password beginning with a numeric | $ # Count how many accounts were using a password beginning with a numeric | ||
$ # character: | $ # character: | ||
$ counta '^[0-9]' ry | $ counta '^[0-9]' ry | ||
− | 6409397 | + | 6409397 |
− | |||
− | |||
− | |||
− | |||
− | |||
− | $ # | + | $ # Count how many accounts were using a password containing that "uncommon |
− | + | $ # non-gibberish base word" in 936, with an upper or an lower case first | |
− | + | $ # letter, with or without some of the "common substitutions": | |
− | |||
$ counta '[tT]r[o0]ub[a4]d[o0]r' ry | $ counta '[tT]r[o0]ub[a4]d[o0]r' ry | ||
− | 3 | + | 3 |
− | $ # | + | $ # There are some. 14 million passwords are a lot. Let's see what exactly was |
− | $ # | + | $ # used and how often: |
$ countap '[tT]r[o0]ub[a4]d[o0]r' ry | $ countap '[tT]r[o0]ub[a4]d[o0]r' ry | ||
1 troubador1 | 1 troubador1 | ||
1 troubador | 1 troubador | ||
1 darktroubador | 1 darktroubador | ||
− | 3 | + | 3</nowiki> |
− | </nowiki> | ||
:[[Special:Contributions/162.158.91.236|162.158.91.236]] 06:23, 21 September 2015 (UTC) | :[[Special:Contributions/162.158.91.236|162.158.91.236]] 06:23, 21 September 2015 (UTC) | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
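Review bot: in the rewritten comment before `counta '[tT]r[o0]ub[a4]d[o0]r' ry`, "with an upper or an lower case first letter" should read "an upper or a lower case first letter". Since the pattern has no `^`/`$` anchors it matches the base word anywhere in the password, which is why `darktroubador` is among the three hits; worth stating in the comment, given that the earlier examples distinguish anchored from unanchored patterns.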