A tip for password creation

CaffeineAddict

I'm currently working on a huge collection of password wordlists and noticed one trend that all wordlists share in common.

Wordlist creators have scripts which they use to optimize wordlists, such as removing duplicates, non-printable characters, emails, comments and similar things, because these often mean either a mistake or not a password one would normally make.

So your password should:

1. start with a hash # symbol, because wordlist optimization scripts optimize out comments, which means your password is less likely to be in the wordlist.
2. start or end with a space, for the same reason, because scripts optimize these away.
3. contain a number with spaces around it, especially at the beginning, because many wordlists exist which put the password count at the beginning as a measure of password frequency.

This way, if your password or hash ever gets exposed, you're less likely to be a victim of a dictionary attack.
 

Spaces aren't a bad idea, though not all software will accept spaces in your password. More and more software does. I consider that a good thing. I think the lack of support stems from ye olden days when a space might represent a null character and thus end up doing strange things in some database operations. As modern passwords should be salted and hashed, that shouldn't actually be a problem anymore.

As for the spaces, they're handy for making pass phrases.

There's some benefit to using 'pass phrases' rather than 'passwords'. This is a classic XKCD:

[image: password_strength.png]


That's old. Even a minimally spec'ed computer can process more than 1,000 guesses per second. You can crack the first password much quicker these days.
 
Even a minimally spec'ed computer can process more than 1,000 guesses per second. You can crack the first password much quicker these days.
The biggest bottleneck in my experience seems to be the R/W speed of the drive, because a large wordlist can't fit into memory and has to be read from disk.
Maybe I'm wrong, didn't benchmark yet.
 
The biggest bottleneck in my experience seems to be the R/W speed of the drive, because a large wordlist can't fit into memory and has to be read from disk.
Maybe I'm wrong, didn't benchmark yet.

That'll depend on your system, I suppose. Read speeds could matter, depending on how fast you shovel them into the RAM and how fast the CPU can process the cracking attempt.

When that comic was drawn, we were still using P4s with a GB of RAM (if you were lucky). A few folks had slightly better machines. I think that comic was from the 2010 to 2011 range though I'm not sure how to look it up. The advances in hardware are many since then, including an SSD and very, very fast RAM. CPUs have also increased their speed quite a bit but their ability to have on-chip cache would also impact this.

The speeds would be even more impressive if you had an NVMe M.2 SSD and enough RAM to load the entire word list into it at once. RAM can use some compression techniques which would likely help to some extent. These days RAM is cheap; I spent just $20 on 32 GB of DDR4 not long ago.

That there can hold a huge amount of plain text.

But, yeah, even a decade old i5 is going to crunch some serious numbers - and do so for not a lot of money.
 
I'm currently working on a huge collection of password wordlists and noticed one trend that all wordlists share in common.

Wordlist creators have scripts which they use to optimize wordlists, such as removing duplicates, non-printable characters, emails, comments and similar things, because these often mean either a mistake or not a password one would normally make.

So your password should:

1. start with a hash # symbol, because wordlist optimization scripts optimize out comments, which means your password is less likely to be in the wordlist.
2. start or end with a space, for the same reason, because scripts optimize these away.
3. contain a number with spaces around it, especially at the beginning, because many wordlists exist which put the password count at the beginning as a measure of password frequency.

This way, if your password or hash ever gets exposed, you're less likely to be a victim of a dictionary attack.
Without providing any tips for passwords, nor having any experience with cracking or wordlists on the subject, I looked into the idea of length as a variable for password creation on a few websites that offer checking facilities for passwords.

The results follow, showing the proposed passwords at the beginning of the lines and the website responses following the dashes: ---.

The website: https://www.security.org/how-secure-is-my-password/
provides estimated time that a password could be cracked by software:

hello --- instantly
hellohello --- 58 minutes
hellohellohello --- 1000 years
hellohellohellohello --- 15 billion years

The website: https://www.passwordmonster.com/
provides estimated times as well:

hello --- 0 seconds
hellohello --- 0.15 seconds
hellohellohello --- 7.87 seconds
hellohellohellohello --- 7.09 minutes
hellohellohellohellohello --- 6 hours
hellohellohellohellohellohello --- 14 days
hellohellohellohellohellohellohello --- 2 years
hellohellohellohellohellohellohellohello --- 115 years

Noteworthy is the significant difference in estimations of the times taken for cracking:
For the password: hellohellohello, one is estimating 1000 years and the other, 7.87 seconds.

The website: https://haveibeenpwned.com/Passwords
shows the number of times that a password has been seen before:

hello --- seen 397,599 times before
hellohello --- seen 67,482 times before
hellohellohello --- seen 3,688 times before
hellohellohellohello --- seen 392 times before
hellohellohellohello --- seen 1 time before
hellohellohellohellohello --- seen 6 times before
hellohellohellohellohellohello --- no pwnage found
hellohellohellohellohellohellohello --- seen 10 times before
hellohellohellohellohellohellohellohello --- no pwnage found

The website: https://bitwarden.com/password-strength/
also provides estimated times for cracking passwords. In the case of the word "hello", and any number of repetitions of it, as in the above examples, it output:
"less than a second".
This website facility appeared sensitive to pattern, as well as length.

To test further on the bitwarden website, the following findings were output for a relatively simple sentence:

mymother --- less than a second
mymotherrides --- 2 hours
mymotherridesa --- 2 days
mymotherridesabicycle --- 44 years
mymotherridesabicyleto --- centuries
mymotherridesabicyletowork --- centuries

Checking the same sentence on https://haveibeenpwned.com/Passwords, yielded the following results:

mymother --- 49,927 times seen before
mymotherrides --- no pwnage found
mymotherridesa --- no pwnage found
mymotherridesabicycle --- no pwnage
mymotherridesabicyleto --- no pwnage found
mymotherridesabicyletowork --- no pwnage found

I guess the conclusion from these findings supports length plus absence of pattern, as a significant factor for "good" password creation. The question arises as to the relative simplicity of a longish unique sentence having some appeal compared to a shorter password that has a more complex construction with the use of a combination of the many keyboard characters available. I guess it may be a bit naive, but fun nonetheless.
 
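An added example (not from the post above) of how the haveibeenpwned.com password check works under the hood. The Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every hash suffix in that bucket with its count, so the full hash never leaves the client (the k-anonymity model). The response body below is constructed offline to stand in for the live reply: the count on the suffix for "hello" is the figure the post reports, and the other two entries are invented filler.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Only the 5-char prefix is sent to the server; the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_url(prefix):
    return RANGE_ENDPOINT + prefix


def parse_range_response(body):
    """Each response line has the form SUFFIX:COUNT, CRLF separated."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, response_prefix, body):
    """Look the password's own suffix up in the bucket the server returned.
    Refuses to answer if the body belongs to a different prefix bucket."""
    prefix, suffix = split_for_range_query(password)
    if prefix != response_prefix.upper():
        raise ValueError(f"response is for bucket {response_prefix}, password hashes into {prefix}")
    return parse_range_response(body).get(suffix, 0)


# Constructed offline stand-in for GET .../range/AAF4C (the bucket for "hello").
# The count on "hello"'s own suffix is the figure reported in the post above; the
# other two suffixes and counts are made up for this example.
HELLO_PREFIX, HELLO_SUFFIX = split_for_range_query("hello")
SAMPLE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    HELLO_SUFFIX + ":397599",
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
])


if __name__ == "__main__":
    print("what the server sees:", range_url(HELLO_PREFIX))
    print("what stays on the client:", HELLO_SUFFIX)
    print("hello seen", breach_count("hello", HELLO_PREFIX, SAMPLE_RESPONSE), "times")
```

The same split applies to any of the passwords tested above: hash locally, send the five-character prefix, and compare the returned suffixes on the client. The server learns only which of roughly a million buckets the password falls into.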
haveibeenpwned... the last line reads: helloheelohellohellohellohellohellohello --- no pwnage found
Was this deliberate or a typo? It may have influenced the result.
 
I often use pwgen.

pwgen -sync 14 1
;B8)EiWa[NS`(A

pwgen -sync 17 1
Bz>=OExgN01X)B_jz
 
haveibeenpwned... the last line reads: helloheelohellohellohellohellohellohello --- no pwnage found
Was this deliberate or a typo? It may have influenced the result.
Thanks for the acute observation! The error, now corrected, was in transcription here, but not made on the pwned website, so the results given are the actual outputs provided at the time I accessed the facilities.
 
The one below was generated by Bitwarden: 123 characters, inclusive of 3 spaces.

^6ABIgA6%8TA&1UPjktILN6b&Woy*tSGbEJiGpnp6F&v$guG8*T@F$KrNEnlpT6^Ck@ @hF9t7s27Vk WDxv$1NaWB FC^@^5!n%26k@ k7KB5a4XbBPEfz%UiH
 
Crack it yourself?... more security?...
 
Hi, not an expert, but from hearing the news about the new Chinese quantum computer (relatively new), it should sort out a billion years' worth of computing in minutes.
One defense could be to limit the number of guess passes by the targeted system, so whatever the capacity of the hacking computer, it wouldn't let it guess more than, like, 5 passwords per minute and then go idle for 20 minutes after getting it wrong 3x, like I have it at work LOL.
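An added example (not from either post) that puts numbers on two things mentioned in this thread: the guess budget an attacker actually gets under the lockout policy described just above (at most 5 attempts a minute, 20 minutes idle after 3 wrong guesses), simulated second by second over one day, and the keyspace of the `pwgen -sync 14 1` output shown earlier. The 94-symbol alphabet is an assumption about pwgen's printable character set, 1,000 guesses/s is the figure quoted from the comic earlier in the thread, and 1e10 guesses/s is an assumed order of magnitude for an offline GPU attack on a fast hash.

```python
import math
from collections import deque

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
PRINTABLE_ASCII = 94   # assumption: pwgen -sync draws from the 94 non-space printable ASCII characters


class LockoutPolicy:
    """Online throttling as described in the post above: at most `per_minute`
    attempts in any 60 s window, and after `max_failures` consecutive wrong
    guesses the account idles for `lockout_seconds`."""

    def __init__(self, per_minute=5, max_failures=3, lockout_seconds=20 * 60):
        self.per_minute = per_minute
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.recent = deque()        # timestamps of attempts within the last 60 s
        self.failures = 0
        self.locked_until = 0

    def allows(self, now):
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        return now >= self.locked_until and len(self.recent) < self.per_minute

    def record(self, now, success):
        self.recent.append(now)
        if success:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds


def guesses_allowed(policy, horizon_seconds):
    """Attacker who always guesses wrong and retries at the earliest allowed second."""
    n = 0
    for t in range(horizon_seconds):
        if policy.allows(t):
            policy.record(t, success=False)
            n += 1
    return n


def keyspace_bits(length, alphabet=PRINTABLE_ASCII):
    return length * math.log2(alphabet)


def years_to_exhaust(length, alphabet, guesses_per_second):
    """Worst case for the attacker: every candidate in the keyspace gets tried."""
    return alphabet ** length / guesses_per_second / SECONDS_PER_YEAR


def compare(length, alphabet):
    online_rate = guesses_allowed(LockoutPolicy(), SECONDS_PER_DAY) / SECONDS_PER_DAY
    return {
        "bits": keyspace_bits(length, alphabet),
        "online, throttled (years)": years_to_exhaust(length, alphabet, online_rate),
        "offline, 1e3 guesses/s (years)": years_to_exhaust(length, alphabet, 1e3),
        "offline, 1e10 guesses/s (years)": years_to_exhaust(length, alphabet, 1e10),  # assumed GPU rate
    }


if __name__ == "__main__":
    print("guesses per day under the lockout policy:", guesses_allowed(LockoutPolicy(), SECONDS_PER_DAY))
    for label, length, alphabet in [("8 lowercase letters", 8, 26), ("pwgen -sync 14", 14, PRINTABLE_ASCII)]:
        print(label)
        for k, v in compare(length, alphabet).items():
            print(f"  {k}: {v:,.3g}")
```

The simulation shows why the two halves of the thread talk past each other: the lockout policy caps a live attacker at a few hundred guesses a day, so even an 8-letter lowercase password takes millions of years to exhaust online, while the same password falls in a few years at the comic's 1,000 guesses/s and in seconds at an assumed GPU rate once the hash is offline. The pwgen output, at roughly 92 bits, stays out of reach in every column. Online throttling protects the login endpoint; only password entropy protects a leaked hash.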
 
Quantum computing "could" do that, but you have to remember that the majority of us aren't important enough to have that level of computing power leveraged against us. It'd be a horrible waste of resources.
 
Also, quantum computing is a potential more than anything tangible. Yes, they exist. No, they don't really do anything all that useful at this time. They may never be all that useful outside of specific problems.

Recently, one of the quantum computers performed some math that would have taken 2 billion years to do on a regular computer...

Or so they claimed...

See, we effectively need 2 billion years to see if the output was correct. We have no way of knowing if the computations were correct, we just know that it spit out some data in a short amount of time. Of course, we can eventually use other quantum computers to at least see if they form a consensus.

To be clear, the people working on them know this. If you read what they wrote, it was made pretty obvious. However, the journalists don't know this. Very few journalists even understand the topic. Sadly, we don't really fund a whole lot of good journalism anymore, but I digress.

We're a long way from doing useful work with one. We're getting closer and I'm optimistic. I picture the massive number of factors that can be included for traffic modeling. We could have a real-time system (which means a whole lot of monitoring) that was extremely optimized based on real-world environments.
 
We're a long way from doing useful work with one. We're getting closer and I'm optimistic. I picture the massive number of factors that can be included for traffic modeling. We could have a real-time system (which means a whole lot of monitoring) that was extremely optimized based on real-world environments.
Ugh. I'd rather tolerate a whole lot of poor traffic modeling than have that level of monitoring hooked up to that (purported) level of computational power. Although surely no government would ever abuse that in any way.
 
Ugh. I'd rather tolerate a whole lot of poor traffic modeling than have that level of monitoring hooked up to that (purported) level of computational power. Although surely no government would ever abuse that in any way.

Of course you would. So would a large percentage of the population.

It's going to happen in the name of safety and efficiency and there's not much you can do about it except to move to a very rural area and hope you're dead before the tech reaches you.

They're already doing real-time traffic shaping based on live information, but it's done by hand without much automation.
 
Also, quantum computing is a potential more than anything tangible. Yes, they exist. No, they don't really do anything all that useful at this time. They may never be all that useful outside of specific problems.

Recently, one of the quantum computers performed some math that would have taken 2 billion years to do on a regular computer...

Or so they claimed...

See, we effectively need 2 billion years to see if the output was correct. We have no way of knowing if the computations were correct, we just know that it spit out some data in a short amount of time. Of course, we can eventually use other quantum computers to at least see if they form a consensus.

To be clear, the people working on them know this. If you read what they wrote, it was made pretty obvious. However, the journalists don't know this. Very few journalists even understand the topic. Sadly, we don't really fund a whole lot of good journalism anymore, but I digress.

We're a long way from doing useful work with one. We're getting closer and I'm optimistic. I picture the massive number of factors that can be included for traffic modeling. We could have a real-time system (which means a whole lot of monitoring) that was extremely optimized based on real-world environments.

I fully agree.

I have a directory of URLs that is labeled Quantum Nonsense. A sampling:

I see that some are now behind a paywall, and one is now a 404. But basically, they are supporting evidence that back up your above statements.
 
I have a directory of URLs that is labeled Quantum Nonsense.

There's a big difference between quantum physics and quantum computing. Your computer uses quantum physics. Your CPU is shunting around individual electrons. Our understanding is very much incomplete but what we do know is useful.

If you're really curious, look into 'quantum smell'. That's a fun one to get your head around.

And, LOL... Umm, yeah, we use imaginary numbers all the time. We've been using them since the 1500s, as I recall. They're extremely useful. They're even used in classic physics.
 

