
To: taxcontrol

All very interesting. Password management has become a bit oppressive, when one has numerous web sites that require a password as well as a username, not to mention the accessory questions designed to supposedly keep your data safe.

I live in fear of the 90 day password change or the six month password change. Why? Because I have 21 pages of hand-entry passwords and usernames that require exacting accuracy, and I rarely need access except annually. So is all this leading to a question? Would not having four or more cracking servers reduce the time to a point that no password would be safe?

Hence password phrasing, and just how many of my password entities have the structure that allows phrasing? So, last question: a small explanation of what benefits phrasing brings to the table, and is it usable for any site requiring a password?


16 posted on 04/25/2018 6:06:39 AM PDT by wita (Always and forever, under oath in defense of Life, Liberty and the pursuit of Happiness.)


To: wita

Given infinite money and time, no password is safe. And yes, cracking rigs can be clustered to reduce the time necessary to crack passwords. Back in 2012 it was demonstrated that a specially built cracking rig (a cluster of 25 GPUs) of about $25,000 can crack the NTLM 8 character space in under 6 hours. Today, that same power can be built for about $12,000. As hardware (graphics cards) gets cheaper and more powerful, it will be easier to construct a cracking rig.

The tools to counter this are stronger hash algorithms. NTLM relies on the old MD5 hash. Other hash algorithms include Blake-256, SHA-256, SHA-3 and others. These hashes make it harder to come up with a guess, so it slows the computer down in its brute force attack. So fewer guesses per second.

The second vector is the use of complexity, or more starting characters. Other than requiring a password contain one or more special characters at the time of creation, this really does not have any additional value as there is a limit to the number of special characters.

That leaves us with length. We all know that we should have longer passwords, but because they are difficult to remember, we don't like them. Sentences are a whole 'nuther ballgame.

For example:
Denver Bronco’s #1 fan
22 characters / Uppercase / lower case / digits / specials

Brute force would be 88^22, or roughly 6 x 10^42.
By comparison, an 8 character password is 88^8, or 3.7 x 10^12.

However, this all requires acceptance of longer passwords. The NIST standard calls for a minimum of 8 and a maximum of 64. Do all applications follow that standard ... no.


23 posted on 04/25/2018 12:42:19 PM PDT by taxcontrol (Stupid should hurt)
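The keyspace argument in the reply above, carried through as an added example (not code from either poster): it recomputes the 88-symbol keyspaces for lengths 8 and 22, infers the guess rate implied by the post's "8 character NTLM space in under 6 hours" figure (treated here as exactly 6 hours, an assumption), and shows how a slower hash changes the picture. The 10,000x slow-hash factor is an assumed illustrative value, not a measurement.

```python
"""Keyspace and exhaustive-search time for the password lengths discussed above.

Constructed example. Alphabet size 88 and lengths 8 and 22 are from the post;
the guess rate is derived from the post's 2012 figure (8-char space in ~6 h,
assumed exactly 6 h here) and the slow-hash factor is an assumption.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet_size ** length


def guesses_per_second(alphabet_size: int, length: int, exhaust_seconds: float) -> float:
    """Guess rate a rig must sustain to exhaust a keyspace in `exhaust_seconds`."""
    return keyspace(alphabet_size, length) / exhaust_seconds


def seconds_to_exhaust(space: int, rate: float, slowdown: float = 1.0) -> float:
    """Worst-case time to try every candidate at `rate` guesses/s.

    `slowdown` models an iterated or memory-hard hash that costs that many
    times more per guess than the fast hash the rate was measured against.
    """
    return space / (rate / slowdown)


def compare(rate: float, slowdown: float = 1.0) -> dict[str, float]:
    """Years to exhaust the 8- and 22-character spaces at a given rate."""
    return {
        "8 chars": seconds_to_exhaust(keyspace(88, 8), rate, slowdown) / SECONDS_PER_YEAR,
        "22 chars": seconds_to_exhaust(keyspace(88, 22), rate, slowdown) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Rate implied by the post's figure: 88^8 candidates in 6 hours (assumed exact).
    rate = guesses_per_second(88, 8, 6 * 3600)
    print(f"implied rate: {rate:.3g} guesses/s")
    for label, years in compare(rate).items():
        print(f"{label}: {years:.3g} years")
    # Same rig against a hash assumed to cost 10,000x more per guess (assumption).
    for label, years in compare(rate, slowdown=10_000).items():
        print(f"{label}, slow hash: {years:.3g} years")
```

Length dominates: at the same guess rate the 22-character space takes on the order of 10^24 years, while a slower hash alone stretches the 8-character search from hours to years.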


