The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain character classes (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.
[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
(Score: 2) by edIII on Friday August 19 2016, @10:51PM
It probably isn't. What's difficult to see is that the phrases are actually a reduction in keyspace. The latter is 9 characters expressed across a possible minimum of 72 characters, perhaps even up to 94. Yours is 38 characters expressed across 52 possible characters. Superficially, those 38 characters are stronger. Another way to look at it though, is that it is just 6 words with consistent capitalization. So the permutations are not really a whopping 38^52, but the number of possible words raised to the 6th power.
A quick search [quora.com] for the number of words an average English speaker knows revealed that at age 12 it was only around 12,000 words. A college graduate may understand 23,000, and the average Millennial American now may know as many as 1,000 I think, and can spell half of them....
30,000 raised to the 6th power is actually less than your difficult 9 character password by about 60 orders of magnitude. You want those words to not only be random, but to be gibberish in a sentence. Your phrase is actually correct. The interspersing of a few number sequences raises the permutations quite significantly, while not making it all that much more difficult. We can remember 7 digit numbers fairly easily, and do so all the time.
It's not about up to my standards at all. MATH. That's it. The only standard. Higher permutations and lower probabilities are always better, so my standard is whatever will ultimately increase keyspace, in the most user friendly manner I can find.
Hehe. That's pretty much what 90% of us here do I bet. Challenge is that it's a bit more sophisticated, and not as easy to maintain when you're not a power user. I do agree though, it would be kickass if the browsers would start supporting SSH key management. You hit a secure website and *your* system pops up the request for the passphrase, decrypts your key, and then securely presents it to the remote site. That's a lot of work that I doubt will ever happen though. At the moment I suspect most of us use the challenge/response with SSH to establish encrypted tunnels that have access to administrative systems, those not even being accessible from the Internet at all. Which is fairly critical in a lot of cases, and the last use case saved my butt. The web management was hacked for a popular piece of equipment and many people were being owned, unless you had web management blocked with iptables and only allowed tunnelled SSH sessions to access it.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by fnj on Saturday August 20 2016, @12:04AM
Oopsie. Doesn't compute. 30,000 raised to the 6th power is 2.43E+22. 96 raised to the 9th power is 5.73E+19. Sorry, but 6 words picked randomly from a set of 30,000 represents MORE entropy than 9 characters picked randomly from a set of 96. Isn't math wonderful? And astonishing?
You need to revisit the concept of orders of magnitude. 60 orders of magnitude spans the range from 1 to 1E+60. It is an almost unimaginably vast range. The number of atoms in the UNIVERSE is only estimated to be about 1E78 to 1E82.
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @01:00AM
Not to mention that if you apply similar reduction to the complexity of Sw0rdF!s#, it is just one of maybe 30,000 words plus nine opportunities at maybe a half dozen variations (that is really being overly generous). With those assumptions, its entropy is only about 1.2E12, or forty bits.
(Score: 2) by edIII on Saturday August 20 2016, @01:11AM
Funny thing is, I used a calculator. Still should have sanity checked the value, but I was writing the post while also sysadmin'n ;) Please be gentle...
Thank you very much for checking the math. I certainly fat-fingered the 96 ^ 9 for sure. I saw an exponent of 72 instead of 17. Go figure.
Can you check that again? :D
I got 7.29 * 10 ^ 26 [duckduckgo.com].
I think it's contagious. You're welcome.....
P.S. - Also interesting to note that an average person with a 15,000 word vocabulary is only about 1 order of magnitude less than Shakespeare. I keep feeling that there really is a loss of keyspace because words literally do reduce the keyspace away from just random letters. That's why I feel adding the numbers in there and shifting the words in between them significantly increases keyspace.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by theluggage on Saturday August 20 2016, @12:16PM
The latter is 9 characters expressed across a possible minimum of 72 characters, perhaps even up to 94. Yours is 38 characters expressed across 52 possible characters.
Trouble is, even if your math is correct (and a couple of people above have challenged it) you're basing it on false assumptions about the world - in particular that the password is randomly chosen and that the cracker will resort to a dumb "infinite monkey" technique to guess it. The "keyspace" of words that users are likely to pick is far, far smaller than the number of possible permutations.
"Sw0rdF!s#" isn't "9 characters expressed across a possible minimum of 72 characters" - it's a commonly used password [wikipedia.org] that will be on many lists of "bad passwords" with a couple of predictable "readable" letter-symbol substitutions thrown in (CamelCase, O=0, i=! etc) - which is precisely what you are going to get if you simply force people to use "At least 1 upper case character, 1 symbol and 1 number".
Any self respecting "rainbow table" or other cracking tool will surely include some of these common permutations. Also, you somewhat assume that the cracker is trying to crack one specific password: more likely, they've got 100,000 password hashes from somewhere and they'll be happy if 10 of them turn out to be "$3cr3t" or "Pa55w0rd". Or that they know your Facegoog password is "Sw0rdF1sh" and are trying to guess which minor variation is your Twitbook password. Any system that lets hackers brute-force passwords by making repeated login attempts has more urgent problems than its password policy.
You hit a secure website and *your* system pops up the request for the passphrase, decrypts your key, and then securely presents it to the remote site. That's a lot of work that I doubt will ever happen though.
Yet every half-decent terminal emulator or file-transfer utility supports it for SSH.... and HTTPS effectively does the reverse to authenticate the site. All the crypto code needed is out there, it just needs the protocol and UI.
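The thread above argues over 30,000^6 versus 96^9 and over what "one dictionary word with a few substitutions" is really worth. This added script (not from any poster) recomputes those figures exactly, expresses them in bits and orders of magnitude, and models the attacker's reduced keyspace for a mangled dictionary word; the six-word sample vocabulary and the "6 variants per character" attacker model are constructed assumptions for illustration.

```python
"""Keyspace and entropy arithmetic for the password-vs-passphrase debate."""
import math
import secrets

# Constructed toy vocabulary; a real diceware list has thousands of entries.
WORDS = ["correct", "horse", "battery", "staple", "lunchtime", "wave"]


def keyspace(alphabet: int, length: int) -> int:
    """Count of equally likely secrets: `length` symbols, each drawn uniformly
    from `alphabet` choices.  Exact integer, so no float overflow."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Shannon entropy of a uniformly random secret, in bits."""
    return length * math.log2(alphabet)


def bits_of_keyspace(size: int) -> float:
    """Bits of entropy for an arbitrary keyspace size."""
    return math.log2(size)


def orders_of_magnitude(larger: int, smaller: int) -> float:
    """How many powers of ten separate two keyspace sizes."""
    return math.log10(larger) - math.log10(smaller)


def mangled_word_keyspace(vocab: int, length: int, variants_per_char: int) -> int:
    """Attacker model from the thread: the password is one of `vocab` words
    with each of `length` characters taking one of a few substitutions
    (o/0, i/!, case flips...).  Assumed model, not a measured figure."""
    return vocab * variants_per_char ** length


def random_passphrase(words: list[str], count: int) -> str:
    """Uniformly random passphrase; entropy is count*log2(len(words)) only
    because secrets.choice picks uniformly, not from a user's habits."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for label, alpha, n in (("9 printable chars", 96, 9), ("6 of 30k words", 30000, 6)):
        print(f"{label:18} keyspace={keyspace(alpha, n):.3e}  bits={entropy_bits(alpha, n):.1f}")
    print(f"difference: {orders_of_magnitude(30000**6, 96**9):.1f} orders of magnitude")
    mangled = mangled_word_keyspace(30000, 9, 6)
    print(f"mangled dictionary word: {mangled:.3e} ({bits_of_keyspace(mangled):.1f} bits)")
```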