FAQ: How can I generate good strong passwords?

One could always generate a GUID and use that. Very very difficult to reproduce and I would suspect fairly resistant to a brute force attack. Assuming Windows and IE 6 or greater. Save this as GUID.vbs in a folder in your path.

' Generate a GUID via the Scriptlet.TypeLib COM object and show it in a message box.
GUID = createGuid
MsgBox GUID

Function createGuid()
    Set TypeLib = CreateObject("Scriptlet.TypeLib")
    tg = TypeLib.Guid
    ' The Guid property returns the braced GUID followed by a trailing CR/LF; drop those two characters.
    createGuid = Left(tg, Len(tg) - 2)
    Set TypeLib = Nothing
End Function

Naturally, in place of the message box one could, if so disposed, create a FileSystemObject and write it to a text file. Regardless, I think PasswordSafe is as good a way to go as any I've seen. Give the above a try though, it might be what you are looking for, but store this somewhere: the number generated here is not reproducible.

fundamentalism, fundamentally wrong.

Reply to
Rico

But might well be vulnerable to some other form of attack. Since GUID isn't designed and tested for security, it's dangerous to make such assumptions, and thus not a good idea to use it.

Reply to
John Navas

on 10/13/2005 1:52 PM John Navas said the following:

True, but for WPA my understanding is that the better the password, the less often you have to change it. For a medium to low security environment that could be only if compromised. For high security environments, why give wireless access anyway?

Yes, you're probably right. Yet, that's how it's done for WPA on the wireless cards. If I understand this thread correctly it was about WPA passwords, not passwords generally.

Proving that if you have physical access to the box, all bets are off. But it is certainly amazing how many folks leave things unprotected and make it easy for those "guests".

We had a long chat at home about the XP ability to require the user to login again after the screensaver is activated. I was told that it was a pain and why can't we turn that off? The prevailing argument, mine, is that it ain't much security, but do you *really* want to give access to anyone who walks by?

Reply to
John Hyde

Well, ultimately I suspect any password can be cracked given enough CPU power and time. With that in mind, any password will be a weak point in security. Seems I recall seeing an article on /. some months back about the FBI being able to crack passwords in minutes to a few hours. Again though, I am not trying to suggest a GUID is perfect nor invulnerable, just that the routine I offered is an easy way to generate a fairly good random password without going nuts over the issue. I, like you, though, recommend Password Safe as perhaps the best solution within reason.

fundamentalism, fundamentally wrong.

Reply to
Rico

The point is that a word-based passphrase of over 20 characters is sufficiently robust to withstand even determined attack, so there's no good reason to use anything less convenient.

It's always a good idea to change all passwords regularly. I change mine whenever daylight savings time kicks in or out, just as I do the batteries in my smoke detectors.

Reply to
John Navas

If you follow the recommendations, that's very unlikely. You might as well worry about being hit by a meteor. ;)

Some passwords, sure, but according to experts not good ones. Regardless, the FBI (or even the NSA) probably isn't the likely threat to us, now is it? ;)

It's obviously *not* random.

Good.

Reply to
John Navas

on 10/13/2005 4:39 PM John Navas said the following:

Ok, now I'll change my passwords more often! Since about 100 tons of space junk per day falls to earth, maybe we should worry!

(don't panic: Only about 500 per year actually make it to the surface without burning up in the atmosphere. So far, only one person is known to have been hit by a meteorite)

Cheers, and wear a hat

JH

Reply to
John Hyde

Well, let's see. People's working vocabulary is around 2000 words, and they will average, say, 5 characters. So a 20 character passphrase is about 4 words, as you have. So that is 2000^4 = 10^13 different passphrases. Now, an 8 letter passphrase randomly generated, let's say all upper and lower case, is 52^8 ≈ 5 × 10^13. So, who wins?

I.e. a 20 character set of words is not that great a passphrase. Of course you might say use more than your base vocabulary of 2000 words. But that is hard to remember, and when asked to, most will come up with precisely the kind of four word string you did, all of which fall comfortably into the 2000 word vocabulary.

Reply to
Unruh
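As an added illustration (not code from any poster), the following Python works through Unruh's arithmetic above and also the GUID suggestion from Rico's earlier post: it computes the entropy of a 4-word passphrase from a 2000-word vocabulary versus 8 random mixed-case letters, shows how many uniformly chosen words are needed to reach a given bit target, checks which RFC 4122 version a GUID string carries (version 1 embeds time and MAC address, version 4 is random), and generates a passphrase with a CSPRNG. The three-word list is a constructed stand-in for a real word list.

```python
import math
import secrets
import uuid

# Assumptions taken from Unruh's post: ~2000-word working vocabulary, ~5 letters per word.
VOCAB_SIZE = 2000


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a string of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, vocab_size: int = VOCAB_SIZE) -> int:
    """Smallest number of uniformly chosen words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(vocab_size))


def guid_version(guid: str) -> int:
    """RFC 4122 version nibble of a GUID string (braces/hyphens optional): 1 = time+MAC, 4 = random."""
    return uuid.UUID(guid).version


def random_v4_guid() -> str:
    """A fresh version-4 GUID from Python's CSPRNG-backed generator."""
    return str(uuid.uuid4())


def random_passphrase(wordlist, count: int) -> str:
    """Pick `count` words with a CSPRNG; entropy is count * log2(len(wordlist)) only if picks are uniform."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


def thread_comparison() -> dict:
    """The figures argued over in the thread, expressed in bits."""
    return {
        "four_common_words": entropy_bits(VOCAB_SIZE, 4),   # ~43.9 bits: 2000^4 ≈ 1.6e13
        "eight_mixed_case_letters": entropy_bits(52, 8),    # ~45.6 bits: 52^8 ≈ 5.3e13
        "words_for_96_bits": words_needed(96),              # the WPA PSK figure quoted later in the thread
        "words_for_128_bits": words_needed(128),
    }


if __name__ == "__main__":
    for name, value in thread_comparison().items():
        print(f"{name}: {value}")
    # Constructed sample GUID (RFC 4122 example form) showing a version-1 nibble in the third group.
    print("sample GUID version:", guid_version("{6B29FC40-CA47-1067-B31D-00DD010662DA}"))
    print("random v4 GUID version:", guid_version(random_v4_guid()))
    print("constructed passphrase:", random_passphrase(["alpha", "bravo", "charlie"], 4))
```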

Yes, they found mind reading equipment in area 15 and are using that to get the passwords. Makes as much sense as what you are saying. The password is far from the weak point in security if a modicum of care is taken. There are far, far easier ways of getting the information in almost all cases than breaking the password.

Reply to
Unruh

Not true, your calculations notwithstanding. That's only one of many ways to generate the passphrase, something that's not known in advance. Likewise the length of the passphrase. Thus it's actually far more difficult to attack a long passphrase than you suggest, making a brute force attack on your 8 character passphrase more likely to be successful.

Should you still have doubts about this, check good cryptography literature, like the references I've cited; e.g., .

... Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ...

Note that 96 bits is considerably more than your 8 letter claim. It's still "larger" because it takes more than 20 hex digits to express 96 bits.

Reply to
John Navas

Yep, the most common issues being lack of physical security and human error.

Reply to
John Navas

While not a direct hit (well, maybe a fish), I think the dinosaurs were relatively carefree in their time...

fundamentalism, fundamentally wrong.

Reply to
Rico

I don't necessarily consider it a 'user' error if, on a network for example, the admin requires 20 character passwords with digits etc. No one (well, very few) can remember such, so they get written down and sticky-noted to the monitor. How smart is that password policy then? Of course on a wireless net it is only a one time thing, but passwords in general are a vulnerability: to be easy enough to remember renders them easy to attack, and the ones hard to attack get written down...

fundamentalism, fundamentally wrong.

Reply to
Rico

The latest thinking is that mass extinctions (not just the dinos) were caused by CO2, not space junk -- see:

"Boost to CO2 mass extinction idea"

"The implication of our study is that elevated CO2 is sufficient to lead to inhospitable conditions for marine life and excessively high temperatures over land would contribute to the demise of terrestrial life," Jeffrey Kiehl and colleagues write in Geology.

"Great extinction came in phases"

This adds considerable urgency to the issue of global warming.

Reply to
John Navas

The point of 20+ character passphrases is that real words can be used that are relatively easy to remember as compared to shorter pseudo-random passwords while still being highly resistant to attack. Another case of, "Size matters!" I'd personally call that smart. YMMV.

Reply to
John Navas

If you have an unencrypted copy of one of the files in the encrypted zip, they claim to be able to recover the password used inside the zip, and then, if there are other files of interest, it is estimated that the other files might have the same password.

I only have one file in my zip. If I had a plaintext copy I wouldn't need the crack, so I didn't try that one.

There is also a claim that if there are five or more files in the zip with the same key, the key can be recovered.

I only have one file in the zip, so I didn't try that one.

There is a claim, including John's, that you can recover a zip if you know some portion of plain text.

I ran unzip -c password.zip | grep nytimes

This gave me a line of plaintext that I could use to feed to the tool. It wasn't at the start of the file, but it was a good "guess".

I downloaded two cracking tools, archpr, from the referenced web site, and pkcrack.

pkcrack took 9 hours to report "No solutions found. You must have chosen the wrong plaintext."

Archpr took 3 hours 28 minutes to report no passwords found.

This was 36 characters of plaintext out of a file of 3679 characters. The undiscovered password was 1234.

Reply to
dold

So you know, my "claim" is based on having actually done it, many times, professionally.

Reply to
John Navas

Well, if we aren't talking about how the dinos secured their networks, then we are WAY OT. ;-)

Reply to
John Hyde

...

Can you make it so that the displayed text can be copied to the Windows clipboard?

Reply to
dold

My chosen solution to this problem is to use an old church hymn book, taking the page number, followed by the first letters from the words in one of the verses, followed by the hymn number. I doubt this would be easily broken by any hacker. The key point here is that I can memorize it in a few seconds, and key it in whenever needed, without having to keep it written down on a piece of paper. Yet, it would be almost infinitely hard for any cracker software to unravel it.

Reply to
Gordon
